-
-
[原创]为了方便Hook PE,注入DLL
-
2023-1-20 16:09
-
本篇是为了代码逆向还原做铺垫。相当于代码工程开始的环境搭建阶段。最后的Hook还有点问题,需要寻求一些大佬的指点才行。
接下来的内容,其实和之前的[原创]PE注入DLL有很多相似的过程。这是本篇主要重心是放在Hook上。
进入正文:
被Hook的Exe源代码:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | #include <Windows.h>#include <iostream>using namespace std;int add(int a, int b){ int nResult = a + b; printf("methold add, result: %d\n", nResult); return nResult;}int main(int argc, char* argv[]){ int nResult = add(2, 3); printf("%s %d : %d\n", __FILE__, __LINE__, nResult); return 0;} |
Hook代码,Hook库是使用MinHook,完整代码如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 | // dllmain.cpp : 定义 DLL 应用程序的入口点。#include "pch.h"#include <Windows.h>#include<stdio.h>#include <iostream>#include "MinHook.h"#pragma comment(lib, "MinHook.x86.lib")extern "C" __declspec(dllexport) int Inject(void* pParam){ printf("%p\n", pParam); return 0;}typedef int (*FUNCTION_add)(int,int);FUNCTION_add fpFunction_add = NULL;FUNCTION_add fpFunctionOrg_add = (FUNCTION_add)0x401010;int DetourFunction_add(int a, int b){ printf("fake function\n"); return 6;}int HookEntry(){ if (MH_Initialize() != MH_OK) { char szDbgInfor[512]{ 0 }; sprintf_s(szDbgInfor, "%s : %d\n", __FILE__, __LINE__); OutputDebugStringA(szDbgInfor); return 1; } //fpFunctionOrg_add = (FUNCTION_add)&add; long lret = 0; // Create a hook for method: add, in disabled state. if ((lret = MH_CreateHook(fpFunctionOrg_add, &DetourFunction_add, reinterpret_cast<LPVOID*>(&fpFunction_add))) != MH_OK) { char szDbgInfor[512]{ 0 }; sprintf_s(szDbgInfor, "%s : %d -->lret = %d, %p,%p\n", __FILE__, __LINE__, lret, &fpFunctionOrg_add, fpFunctionOrg_add); OutputDebugStringA(szDbgInfor); return 1; } if (MH_EnableHook(fpFunctionOrg_add) != MH_OK) { char szDbgInfor[512]{ 0 }; sprintf_s(szDbgInfor, "%s : %d\n", __FILE__, __LINE__); OutputDebugStringA(szDbgInfor); return 1; } char szDbgInfor[512]{ 0 }; sprintf_s(szDbgInfor, "%s : %d\n", __FILE__, __LINE__); OutputDebugStringA(szDbgInfor); return 0;}int HookExit(){ if (MH_DisableHook(fpFunctionOrg_add) != MH_OK) { return 1; } // Uninitialize MinHook. if (MH_Uninitialize() != MH_OK) { return 1; } return 0;}BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ){ switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: { char szDbgInfor[512]{ 0 }; sprintf_s(szDbgInfor, "%s : %d\n", __FILE__, __LINE__); OutputDebugStringA(szDbgInfor); HookEntry(); } break; case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: { HookExit(); } break; } return TRUE;} |
[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。
最后于 2023-1-20 16:10
被_THINCT编辑
,原因:
|
|
|---|---|
