目标程序:ws2_32.dll.
工具:
1.Visual Studio
2.DebugView
知识储备
1.dll的编写和加载流程.
2.Windows核心编程.
3.维基百科:Hooking.
4.Socket网络编程.
目标:
编写dll文件Hook调用ws2_32.dll的Send和Recv函数的程序,截取程序收发的数据包.
PS:当逆向程序时发现有反调试或是加壳,而你又暂时只需要程序的网络模块的收发数据时,Hook程序调用的网络函数是个不错选择.
思路
1.什么是API的Hook,原理和本质是什么,最后如何Hook?
答
- 实例:消息钩子算是Hook的一个实例.
- 原理:对函数内部进行挂钩处理,获取参数甚至修改执行流程跳转到自定义的函数中去执行.
- 本质:修改EIP指向的下一条指令,达到修改正常运行逻辑的目的.
- 操作:在目标函数内部修改字节,写入跳转地址的指令,防止程序崩溃需要在自定义函数中修复原先修改的内容后正常返回.
2.代码的编写流程是如何?
答
- Socket编程:编写两个示例分别调用Send/Recv函数进行通信.
- DLL编程:编写DLL文件获取Send/Recv的函数地址,进行挂钩截获数据.
- 注入利用:DLL的注入技术种类繁多,最为方便快捷有两种,远线程注入和注册表注入.
步骤

一、Socket编程
#include "stdafx.h"
#define _WINSOCK_DEPRECATED_NO_WARNINGS
#include
#pragma comment(lib,"ws2_32.lib")
VOID eMsg(char* msg);
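int _tmain(int argc, _TCHAR* argv[])
{
    // TCP server that is the target of the send/recv hook demo: listens on
    // 127.0.0.1:0x1234, accepts one client at a time, prints what that client
    // sends and closes the connection. argc/argv are unused; the signature is
    // the standard _tmain one. Error reporting goes through eMsg() (defined
    // elsewhere in this file); whether eMsg returns or exits is not visible
    // here, so each failure path also keeps the program in a sane state.
    //
    // The hook DLL could be loaded here with LoadLibrary to exercise the hook
    // in-process instead of injecting it from outside.

    // init wsadata. WSAStartup returns 0 on success or an error code,
    // never SOCKET_ERROR, so compare against 0.
    WSADATA wsd = {0};
    int code = WSAStartup(MAKEWORD(2, 2), &wsd);
    if (code != 0)
        eMsg("error:001:init_error\n");
    if (HIBYTE(wsd.wVersion) != 2 || LOBYTE(wsd.wVersion) != 2)
        eMsg("error:002:version_error\n");

    // create socket: socket() reports failure as INVALID_SOCKET, not SOCKET_ERROR
    SOCKET sSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sSocket == INVALID_SOCKET)
        eMsg("error:003:create_socket_error\n");

    // bind: zero the whole struct so sin_zero is not passed uninitialised
    sockaddr_in Saddr = {0};
    Saddr.sin_family = AF_INET;
    Saddr.sin_port = htons(0x1234);
    Saddr.sin_addr.S_un.S_addr = inet_addr("127.0.0.1");
    code = bind(sSocket, (sockaddr*)&Saddr, sizeof(Saddr));
    if (code == SOCKET_ERROR)
        eMsg("error:004:bind_socket_error\n");
    code = listen(sSocket, SOMAXCONN);
    if (code == SOCKET_ERROR)
        eMsg("error:005:listen_socket_error\n");

    printf("server>>\n");
    while (true)
    {
        sockaddr_in Caddr = {0};
        int CaddrSize = sizeof(Caddr);
        SOCKET Csocket = accept(sSocket, (sockaddr*)&Caddr, &CaddrSize);
        if (Csocket == INVALID_SOCKET)
        {
            eMsg("error:006:accept_client_error\n");
            continue;  // nothing to read from; wait for the next client
        }

        // recv() does not NUL-terminate. Leave one byte free and terminate at
        // the returned length, otherwise a full 100-byte payload would make
        // printf("%s") read past the end of buff.
        char buff[100] = "";
        code = recv(Csocket, buff, sizeof(buff) - 1, 0);
        if (code == SOCKET_ERROR)
        {
            eMsg("error:005:recv_server_error\n");
        }
        else if (code > 0)
        {
            buff[code] = '\0';
            printf("recv>>%s\n", buff);
        }
        // code == 0: peer closed without sending anything; nothing to print

        closesocket(Csocket);  // one accepted handle was leaked per client before
    }
    return 0;
}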
#include "stdafx.h"
#define _WINSOCK_DEPRECATED_NO_WARNINGS
#include
#pragma comment(lib,"ws2_32.lib")
VOID eMsg(char* msg);
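int _tmain(int argc, _TCHAR* argv[])
{
    // Interactive TCP client for the hook demo: per iteration it opens a fresh
    // connection to 127.0.0.1:0x1234, reads one line from stdin and sends it
    // as a fixed 50-byte record. argc/argv are unused. Errors are reported via
    // eMsg() (defined elsewhere in this file); since it is not visible here
    // whether eMsg returns, every failure path also cleans up and moves on.
    //
    // The hook DLL could be loaded here with LoadLibrary to exercise the hook
    // in-process instead of injecting it from outside.

    // init wsadata. WSAStartup returns 0 on success or an error code,
    // never SOCKET_ERROR, so compare against 0.
    WSADATA wsd = {0};
    int code = WSAStartup(MAKEWORD(2, 2), &wsd);
    if (code != 0)
        eMsg("error:001:init_error\n");
    if (HIBYTE(wsd.wVersion) != 2 || LOBYTE(wsd.wVersion) != 2)
        eMsg("error:002:version_error\n");

    printf("Client>>\n");
    while (true)
    {
        // create socket
        SOCKET Csocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (Csocket == INVALID_SOCKET)
        {
            eMsg("error:003:create_socket_error\n");
            continue;
        }

        // link: zero the struct so sin_zero is not passed uninitialised
        sockaddr_in Saddr = {0};
        Saddr.sin_family = AF_INET;
        Saddr.sin_port = htons(0x1234);
        Saddr.sin_addr.S_un.S_addr = inet_addr("127.0.0.1");
        // connect() signals failure through its return value; the socket
        // handle itself stays valid, so testing Csocket here never fired.
        code = connect(Csocket, (sockaddr*)&Saddr, sizeof(Saddr));
        if (code == SOCKET_ERROR)
        {
            eMsg("error:004:link_server_error\n");
            closesocket(Csocket);
            continue;
        }

        // gets_s returns NULL on EOF or error; without this check the loop
        // would spin forever sending an empty buffer once stdin is closed.
        char buff[100] = "";
        printf("input>>");
        if (gets_s(buff, 50) == NULL)
        {
            closesocket(Csocket);
            break;
        }

        // Fixed-length record: the 50 bytes are the typed text followed by the
        // zero padding left from the "" initialiser, which acts as terminator
        // on the receiving side.
        code = send(Csocket, buff, 50, 0);
        if (code == SOCKET_ERROR)
            eMsg("error:006:send_data_error\n");
        closesocket(Csocket);
    }
    WSACleanup();
    return 0;
}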
二、Hook_Dll编写