[Share] HOOK API LIB 0.3 for VC
Posted: 2007-8-27 08:41 12219


Thanks to xIkUg, sucsor, 一个刀客, dongcan

#include <windows.h>
#include <stdio.h>

#pragma comment (linker, "/Filealign:0x200")

#pragma comment(linker, "/SECTION:.text,REW" ) // set PE section .text: readable and executable (and writable)
#pragma comment(linker, "/MERGE:.data=.text") // merge into .text
#pragma comment(linker, "/MERGE:.rdata=.text")// merge into .text
#pragma comment(linker, "/subsystem:windows /entry:main")

boolean IsMe=false;

int GetOpCodeSize(PVOID Start);
boolean SetOnBefore(PCHAR DllName,PCHAR ApiName,PVOID HookProc);
boolean SetOnAfter(PCHAR DllName,PCHAR ApiName,PVOID HookProc);
void My_WriteProcessMemory(DWORD Eax,DWORD RetAddr,HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, DWORD nSize, LPDWORD lpNumberOfBytesWritten);

static unsigned long MaskTable[518]={
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00008000, 0x00008000, 0x00000000, 0x00000000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00008000, 0x00008000, 0x00000000, 0x00000000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00008000, 0x00008000, 0x00000000, 0x00000000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00008000, 0x00008000, 0x00000000, 0x00000000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00008000, 0x00008000, 0x00000008, 0x00000000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00008000, 0x00008000, 0x00000008, 0x00000000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00008000, 0x00008000, 0x00000008, 0x00000000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00008000, 0x00008000, 0x00000008, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00004000, 0x00004000,
0x00000008, 0x00000008, 0x00001008, 0x00000018,
0x00002000, 0x00006000, 0x00000100, 0x00004100,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000100, 0x00000100, 0x00000100, 0x00000100,
0x00000100, 0x00000100, 0x00000100, 0x00000100,
0x00000100, 0x00000100, 0x00000100, 0x00000100,
0x00000100, 0x00000100, 0x00000100, 0x00000100,
0x00004100, 0x00006000, 0x00004100, 0x00004100,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00002002, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000020, 0x00000020, 0x00000020, 0x00000020,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000100, 0x00002000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000100, 0x00000100, 0x00000100, 0x00000100,
0x00000100, 0x00000100, 0x00000100, 0x00000100,
0x00002000, 0x00002000, 0x00002000, 0x00002000,
0x00002000, 0x00002000, 0x00002000, 0x00002000,
0x00004100, 0x00004100, 0x00000200, 0x00000000,
0x00004000, 0x00004000, 0x00004100, 0x00006000,
0x00000300, 0x00000000, 0x00000200, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00000100, 0x00000100, 0x00000000, 0x00000000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00000100, 0x00000100, 0x00000100, 0x00000100,
0x00000100, 0x00000100, 0x00000100, 0x00000100,
0x00002000, 0x00002000, 0x00002002, 0x00000100,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000008, 0x00000000, 0x00000008, 0x00000008,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00004000, 0x00004000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0xFFFFFFFF,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0x00002000, 0x00002000, 0x00002000, 0x00002000,
0x00002000, 0x00002000, 0x00002000, 0x00002000,
0x00002000, 0x00002000, 0x00002000, 0x00002000,
0x00002000, 0x00002000, 0x00002000, 0x00002000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00000000, 0x00000000, 0x00000000, 0x00004000,
0x00004100, 0x00004000, 0xFFFFFFFF, 0xFFFFFFFF,
0x00000000, 0x00000000, 0x00000000, 0x00004000,
0x00004100, 0x00004000, 0xFFFFFFFF, 0x00004000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0xFFFFFFFF, 0xFFFFFFFF, 0x00004100, 0x00004000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00004000, 0x00004000, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0x00000000, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF
};

static BYTE JMPGate[5] = {
  0xE9, 0x00, 0x00, 0x00, 0x00   // JMP XXXXXXXX
};

int GetOpCodeSize(PVOID Start)
{
  DWORD* Tlb=(DWORD*)MaskTable;
  PBYTE pOPCode;
  DWORD t, c;
  BYTE dh, dl, al;
  int OpCodeSize =-1;

  t = 0;
  pOPCode = (PBYTE) Start;
  c = 0;

  do {
    t &= 0x0F7;
    c = *(BYTE *) pOPCode++;
    t |= Tlb[c] ;
  } while( ((t & 0x000000FF) & 8) != 0);

  if ((c == 0x0F6) || (c == 0x0F7))
  {
    t |= 0x00004000;
    if ( (0x38 & *(BYTE *) pOPCode++) == 0)
      t |= 0x00008000;
  }
  else if (c == 0x0CD)
  {
    t |= 0x00000100;
    if ( (*(BYTE *) pOPCode++) == 0x20)
      t |= 0x00000400;
  }
  else if (c == 0x0F)
  {
    al = *(BYTE *) pOPCode++;
    t |= Tlb[al + 0x100];
    if (t == 0xFFFFFFFF)
      return OpCodeSize;
  }

  if ((((t & 0x0000FF00) >> 8) & 0x80) != 0)
  {
    dh = (t & 0x0000FF00) >> 8;
    dh ^= 0x20;
    if ((c & 1) == 0)
      dh ^= 0x21;
    t &= 0xFFFF00FF;
    t |= (dh << 8);
  }

  if ((((t & 0x0000FF00) >> 8) & 0x40) != 0 )
  {
    al = *(BYTE *) pOPCode++;
    c = (DWORD)al;
    c |= (al << 8);
    c &= 0xC007;
    if ( (c & 0x0000FF00) != 0xC000 )
    {
      if ( ((t & 0x000000FF) & 0x10) == 0)
      {
          if ((c & 0x000000FF) == 4)
          {
            al = *(BYTE *) pOPCode++;
            al &= 7;
            c &= 0x0000FF00;
            c |= al;
          }
         
          if ((c & 0x0000FF00) != 0x4000)
          {
            if ((c & 0x0000FF00) == 0x8000)   t |= 4;
            else if (c==5) t |= 4;
          }
          else
            t |= 1;
      }
      else
      {
          if (c != 6)
          {
            if((c & 0x0000FF00) == 0x4000)
              t |= 1;
            else if ((c & 0x0000FF00) == 0x8000)
              t |= 2;
          }
          else
            t |= 2;
      }
    }
  }

  if ((((t & 0x000000FF)) & 0x20) != 0)
  {
    dl = t & 0x000000FF;
    dl ^= 2;
    t &= 0xFFFFFF00;
    t |= dl;
    if ((dl & 0x10) == 0)
    {
      dl ^= 6;
      t &= 0xFFFFFF00;
      t |= dl;
    }
  }
  if ((((t & 0x0000FF00) >> 8) & 0x20) != 0)
  {
    dh = (t & 0x0000FF00) >> 8;
    dh ^= 2;
    t &= 0xFFFF00FF;
    t |= (dh << 8);
    if ((dh & 0x10) == 0)
    {
      if (dh & 0x40) // is it 0x6x?
          dh ^= (t & 0xFF);   // this line was modified; it corrects the length calculation for several instructions
      t &= 0xFFFFFF00;
      t |= dh;
    }
  }

  OpCodeSize = (DWORD) pOPCode - (DWORD) Start;
  t &= 0x707;
  OpCodeSize += t & 0x000000FF;
  OpCodeSize += (t & 0x0000FF00) >> 8;

  if (((*(char*)Start) & 0x000000FF) == 0x66) // handle the 66 (operand-size) prefix separately
    if ( OpCodeSize >= 6)   // 1 byte 66, 1 byte opcode, 4 bytes operand, so the size must be at least 6
      OpCodeSize -= 2;   // subtract 2: the dword operand becomes a word

  return OpCodeSize;
}

__declspec(naked) void HookBeforeStub()
{
Stub_Begin:
  __asm
  {
    jmp Code_Begin
    mov eax, offset Stub_Begin
    mov eax, offset Stub_Data
    mov eax, offset Stub_End
    mov eax, offset SaveEntry  
Code_Begin:
    call next1
next1:
    pop ecx
    sub ecx, offset next1
    lea ecx, [ecx + Stub_Data]
    mov eax, [ecx + 4]
    mov [ecx + eax * 4 + 0x8],esp
    inc [ecx + 4]
    call [ecx]

    call next2
next2:
    pop ecx
    sub ecx, offset next2
    lea ecx, [ecx + Stub_Data]
    dec [ecx +4]
    mov eax, [ecx + 4]
    mov esp, [ecx + eax * 4 + 0x8]
SaveEntry:
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
   
    _asm _emit 0xE9
    int 3
    int 3
    int 3
    int 3
Stub_Data:
HookProc:  
    int 3
    int 3
    int 3
    int 3 // address of HookProc, computed and filled in later
pEsp:   
    _emit 0
    _emit 0
    _emit 0
    _emit 0// first variable: index of the saved Esp to return to; initially points at the next line, must be zeroed at start
SaveEsp:  
    int 3
    int 3
    int 3
    int 3 // start of the saved Esp values

Stub_end:
  }
}

__declspec(naked) void HookAfterStub()
{
Stub_Begin:
  __asm  
  {
  jmp Code_Begin
    mov eax, offset Stub_Begin
    mov eax, offset Stub_Data
    mov eax, offset Stub_End
    mov eax, offset SaveEntry
    mov eax, offset After_Code
Code_Begin:

  call next1
next1:
  pop ecx
  sub ecx,offset next1
  lea edx,[ecx + Stub_Data]
  mov eax, [edx + 8]
  mov [edx + eax * 8 + 0xC],esp
  push [esp]
  pop dword ptr [edx + eax * 8 + 0x10]
  inc [edx + 8]

  lea edx,[ecx + After_Code]
  mov [esp],edx

SaveEntry:
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
   
    _asm _emit 0xE9
    int 3
    int 3
    int 3
    int 3
After_Code:
  sub esp,100
  call next2
next2:
  pop ecx
  add esp,100
  sub ecx,offset next2
  lea edx,[ecx + Stub_Data]
  mov [edx + 4] ,eax
  dec [edx + 8]
  mov eax, [edx + 8]
  mov ecx, [edx + eax * 8 + 0xC]
  mov [edx + eax * 8 + 0xC],esp
  mov esp,ecx
  mov ecx, [edx + eax * 8 + 0x10]
  inc [edx + 8]
  mov [esp],ecx
  push [edx + 4]
  call [edx]

  call next3
next3:
  pop ecx
  sub ecx,offset next3
  lea edx, [ecx + Stub_Data]
  mov [edx + 4],eax
  dec [edx + 8]
  mov eax, [edx + 8]
  mov esp, [edx + eax * 8 + 0xC]
  push [edx + eax * 8 + 0x10]
  mov eax,[edx + 4]
  retn

Stub_Data:
HookProc:  
    int 3
    int 3
    int 3
    int 3 // address of HookProc, computed and filled in later
SaveRetthing:
    int 3
    int 3
    int 3
    int 3 // temporarily holds the return value
pEsp:   
    _emit 0
    _emit 0
    _emit 0
    _emit 0// index of the saved Esp to return to; initially points at the SaveEsp line, must be zeroed at start
SaveEsp:
    int 3
    int 3
    int 3
    int 3 //SaveEsp
SaveRet:
    int 3
    int 3
    int 3
    int 3 //SaveRet

Stub_end:

  }  
}

boolean SetOnAfter(PCHAR DllName,PCHAR ApiName,PVOID HookProc)
{
  PVOID   ApiEntry;
  HMODULE DllHandle;
  int ReplaceCodeSize;
  BYTE OpCode[16];
LPVOID StubPtr;
  DWORD Addr;
  DWORD RetSize=0;  

  DWORD SizeOfStub =0;
  DWORD DeltaData = 0;
  DWORD SaveEntry = 0;
  DWORD AfterCode = 0;

  DllHandle = GetModuleHandle(DllName);
  if (DllHandle ==0)
  {
    DllHandle = LoadLibrary(DllName);
    if (DllHandle ==0) return false;
  }

  ApiEntry = GetProcAddress(DllHandle,ApiName);
  if (ApiEntry == NULL) return false;

  ReplaceCodeSize = GetOpCodeSize(ApiEntry);

  while (ReplaceCodeSize < 5)
    ReplaceCodeSize += GetOpCodeSize((PVOID)((DWORD)ApiEntry + (DWORD)ReplaceCodeSize));

  if (ReplaceCodeSize > 16) return false;

  DWORD OldProtect;
  // make the prologue writable; lpflOldProtect must not be NULL, and the call fails when it returns 0
  if (!VirtualProtect(ApiEntry,ReplaceCodeSize,PAGE_EXECUTE_READWRITE,&OldProtect))
    return false;

  CopyMemory(OpCode, ApiEntry, ReplaceCodeSize);

  DeltaData = *(DWORD *)((DWORD)HookAfterStub + 0x8) - *(DWORD *) ((DWORD)HookAfterStub + 0x3);
  SizeOfStub = *(DWORD *)((DWORD)HookAfterStub + 0x0D) - *(DWORD *) ((DWORD)HookAfterStub + 0x3);
  SaveEntry = *(DWORD *)((DWORD)HookAfterStub + 0x12) - *(DWORD *) ((DWORD)HookAfterStub + 0x3);
  AfterCode = *(DWORD *)((DWORD)HookAfterStub + 0x17) - *(DWORD *) ((DWORD)HookAfterStub + 0x3);

  StubPtr = VirtualAlloc(NULL, SizeOfStub + 0x100*8, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

  if (StubPtr == NULL) return false;

  CopyMemory(StubPtr, HookAfterStub, SizeOfStub);
   
  Addr = (DWORD)HookProc;
  *(DWORD *) ((DWORD)StubPtr + DeltaData) = Addr;

  Addr = (DWORD)ApiEntry + ReplaceCodeSize - (DWORD)StubPtr - AfterCode;
  *(DWORD *) ((DWORD)StubPtr + AfterCode - 4) = Addr;

  CopyMemory((LPVOID)((DWORD)StubPtr + SaveEntry), OpCode, ReplaceCodeSize);

  Addr = (DWORD)StubPtr - (DWORD)ApiEntry - 5;
  *(DWORD*)(JMPGate + 1) = Addr;

  WriteProcessMemory(GetCurrentProcess(), ApiEntry, JMPGate, sizeof(JMPGate), &RetSize);

  return true;
}

boolean SetOnBefore(PCHAR DllName,PCHAR ApiName,PVOID HookProc)
{
  PVOID   ApiEntry;
  HMODULE DllHandle;
  int ReplaceCodeSize;
  BYTE OpCode[16];
LPVOID StubPtr;
  DWORD Addr;
  DWORD RetSize =0;

  DWORD SizeOfStub =0;
  DWORD DeltaData = 0;
  DWORD SaveEntry = 0;

  DllHandle = GetModuleHandle(DllName);
  if (DllHandle ==0)
  {
    DllHandle = LoadLibrary(DllName);
    if (DllHandle ==0) return false;
  }

  ApiEntry = GetProcAddress(DllHandle,ApiName);
  if (ApiEntry == NULL) return false;

  ReplaceCodeSize = GetOpCodeSize(ApiEntry);

  while (ReplaceCodeSize < 5)
    ReplaceCodeSize += GetOpCodeSize((PVOID)((DWORD)ApiEntry + (DWORD)ReplaceCodeSize));

  if (ReplaceCodeSize > 16) return false;

  DWORD OldProtect;
  // make the prologue writable; lpflOldProtect must not be NULL, and the call fails when it returns 0
  if (!VirtualProtect(ApiEntry,ReplaceCodeSize,PAGE_EXECUTE_READWRITE,&OldProtect))
    return false;

  CopyMemory(OpCode, ApiEntry, ReplaceCodeSize);

  DeltaData = *(DWORD *)((DWORD)HookBeforeStub + 0x8) - *(DWORD *) ((DWORD)HookBeforeStub + 0x3);
  SizeOfStub = *(DWORD *)((DWORD)HookBeforeStub + 0x0D) - *(DWORD *) ((DWORD)HookBeforeStub + 0x3);
  SaveEntry = *(DWORD *)((DWORD)HookBeforeStub + 0x12) - *(DWORD *) ((DWORD)HookBeforeStub + 0x3);

  StubPtr = VirtualAlloc(NULL, SizeOfStub + 0x100*4, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

  if (StubPtr == NULL) return false;

  CopyMemory(StubPtr, HookBeforeStub, SizeOfStub);

  Addr = (DWORD)HookProc;
  *(DWORD *) ((DWORD)StubPtr + DeltaData) = Addr;

  Addr = (DWORD)ApiEntry + ReplaceCodeSize - (DWORD)StubPtr - DeltaData;
  *(DWORD *) ((DWORD)StubPtr + DeltaData - 4) = Addr;

  CopyMemory((LPVOID)((DWORD)StubPtr + SaveEntry), OpCode, ReplaceCodeSize);

  Addr = (DWORD)StubPtr - (DWORD)ApiEntry - 5;
  *(DWORD*)(JMPGate + 1) = Addr;

  WriteProcessMemory(GetCurrentProcess(), ApiEntry, JMPGate, sizeof(JMPGate), &RetSize);

  return true;
}

void My_WriteProcessMemory(DWORD Eax,DWORD RetAddr,HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, DWORD nSize, LPDWORD lpNumberOfBytesWritten)
{
  DWORD RetSize =0;
  char Text [255] = {0};
  if (!IsMe)   // guard: this hook calls WriteProcessMemory itself, so block re-entry into the hook body
  {
    IsMe =true;
    sprintf(Text,"EAX = %2X ,RetAddr = %2X",Eax,RetAddr);
    MessageBox (NULL,Text,"RetAddr",NULL);
    WriteProcessMemory(GetCurrentProcess(), (LPVOID)0x40108A, JMPGate, sizeof(JMPGate), &RetSize);   // test write from inside the hook (address specific to the test binary)
    IsMe = false;
  }
}

int main()
{
  DWORD RetSize =0;
  SetOnAfter("Kernel32.dll","WriteProcessMemory",My_WriteProcessMemory);   // install the after-hook on WriteProcessMemory

  WriteProcessMemory(GetCurrentProcess(), (LPVOID)0x40108f, JMPGate, sizeof(JMPGate), &RetSize);   // trigger it (address specific to the test binary)

  MessageBoxA(NULL,"Safe Here!!!","Very Good!!",NULL);
  return 0;
}
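The library above relies on three pieces of arithmetic that are easy to get wrong: decoding whole instructions until at least 5 bytes can be stolen (the `while (ReplaceCodeSize < 5)` loop and the 16-byte `OpCode` buffer), encoding the `E9 rel32` detour and the trampoline's jump back, and, from the defender's side, recognising the footprint such a hook leaves on an exported function. The portable C below is an added example written for this page, not part of the library: it models code as byte buffers with assumed virtual addresses (`0x7C801000`, `0x00300000`), uses a tiny length decoder that covers only a handful of prologue opcodes (unlike the page's `MaskTable`), refuses to relocate IP-relative instructions (`E8`/`E9`/`EB`), which the library would copy verbatim and thereby break, and ends with a check that flags a function whose first instruction jumps outside its own module.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define JMP_LEN    5    /* E9 rel32 */
#define MAX_STOLEN 16   /* the library's OpCode[16] buffer */

/* Bytes occupied by ModRM (+SIB, +disp) in 32-bit addressing; m points at ModRM. */
static int modrm_len(const uint8_t *m)
{
    uint8_t mod = m[0] >> 6, rm = m[0] & 7;
    int n = 1;
    if (mod == 3) return n;                           /* register operand only */
    if (rm == 4) {                                    /* SIB follows */
        n++;
        if (mod == 0 && (m[1] & 7) == 5) n += 4;      /* SIB without base: disp32 */
    } else if (mod == 0 && rm == 5) {
        n += 4;                                       /* [disp32] */
    }
    if (mod == 1) n += 1; else if (mod == 2) n += 4;
    return n;
}

/* Tiny length decoder for opcodes seen in typical Win32 API prologues.
   Returns 0 for anything unknown; *ip_relative is set for E8/E9/EB, whose
   displacement would be wrong if the bytes were moved into a trampoline. */
static int insn_len(const uint8_t *p, int *ip_relative)
{
    uint8_t op = p[0];
    *ip_relative = 0;
    if (op >= 0x50 && op <= 0x5F) return 1;           /* push/pop r32 */
    if (op == 0x90 || op == 0xC3) return 1;           /* nop, ret */
    if (op == 0xC2) return 3;                         /* ret imm16 */
    if (op == 0x6A) return 2;                         /* push imm8 */
    if (op == 0x68) return 5;                         /* push imm32 */
    if (op == 0xEB) { *ip_relative = 1; return 2; }   /* jmp rel8 */
    if (op == 0xE8 || op == 0xE9) { *ip_relative = 1; return 5; } /* call/jmp rel32 */
    if (op == 0x8B || op == 0x89 || op == 0x33) return 1 + modrm_len(p + 1); /* mov/xor r32,r/m32 */
    if (op == 0x83) return 1 + modrm_len(p + 1) + 1;  /* add/sub/cmp r/m32, imm8 */
    return 0;
}

/* Whole instructions to relocate so a 5-byte JMP fits: mirrors the library's
   "while (ReplaceCodeSize < 5)" loop and its 16-byte ceiling. -1 = unsafe. */
static int stolen_len(const uint8_t *code, size_t avail)
{
    int total = 0;
    while (total < JMP_LEN) {
        int rel, n;
        if ((size_t)total + 8 > avail) return -1;     /* decoder may peek 8 bytes */
        n = insn_len(code + total, &rel);
        if (n == 0 || rel) return -1;                 /* unknown or IP-relative */
        total += n;
        if (total > MAX_STOLEN) return -1;
    }
    return total;
}

/* rel32 of an E9 at 'from' that lands on 'to': to = from + 5 + rel. */
static int32_t jmp_rel32(uint32_t from, uint32_t to) { return (int32_t)(to - (from + JMP_LEN)); }

static void put_jmp(uint8_t *out, uint32_t from, uint32_t to)
{
    uint32_t rel = (uint32_t)jmp_rel32(from, to);
    out[0] = 0xE9;
    out[1] = (uint8_t)rel;         out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16); out[4] = (uint8_t)(rel >> 24);
}

static uint32_t jmp_target(const uint8_t *p, uint32_t at)
{
    uint32_t rel = (uint32_t)p[1] | (uint32_t)p[2] << 8 | (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24;
    return at + JMP_LEN + rel;
}

/* Trampoline as the library lays it out at SaveEntry: stolen prologue bytes,
   then a JMP back to api_va + stolen. Returns its length or -1. */
static int build_trampoline(const uint8_t *api_code, size_t avail, uint32_t api_va,
                            uint8_t *tramp, uint32_t tramp_va)
{
    int n = stolen_len(api_code, avail);
    if (n < 0) return -1;
    memcpy(tramp, api_code, (size_t)n);
    put_jmp(tramp + n, tramp_va + (uint32_t)n, api_va + (uint32_t)n);
    return n + JMP_LEN;
}

/* Defender's check: an export whose first instruction is a rel32 JMP leaving
   its own module's range is the footprint this hooking technique leaves. */
static int looks_inline_hooked(const uint8_t *code, uint32_t func_va, uint32_t mod_lo, uint32_t mod_hi)
{
    uint32_t t;
    if (code[0] != 0xE9) return 0;
    t = jmp_target(code, func_va);
    return t < mod_lo || t >= mod_hi;
}

/* constructed samples, padded with int3; SAMPLE_CALL starts with an E8 and must be refused */
const uint8_t SAMPLE_HOTPATCH[16] = { 0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x08,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC };
const uint8_t SAMPLE_PLAIN[16]    = { 0x55,0x8B,0xEC,0x83,0xEC,0x08,0x56,0x57,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC };
const uint8_t SAMPLE_CALL[16]     = { 0xE8,0x00,0x00,0x00,0x00,0x55,0x8B,0xEC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC };

int main(void)
{
    uint8_t tramp[MAX_STOLEN + JMP_LEN], gate[JMP_LEN];
    uint32_t api_va = 0x7C801000u, stub_va = 0x00300000u;   /* assumed addresses */
    int n = build_trampoline(SAMPLE_HOTPATCH, sizeof SAMPLE_HOTPATCH, api_va, tramp, stub_va);
    put_jmp(gate, api_va, stub_va);                          /* what the library writes over the entry */
    printf("stolen %d bytes, trampoline %d bytes, gate -> %08X, hooked? %d\n",
           n - JMP_LEN, n, (unsigned)jmp_target(gate, api_va),
           looks_inline_hooked(gate, api_va, 0x7C800000u, 0x7C900000u));
    return 0;
}
```

The hot-patchable `mov edi,edi / push ebp / mov ebp,esp` prologue yields exactly 5 stolen bytes, the plain `push ebp / mov ebp,esp / sub esp,8` prologue yields 6, and a prologue that opens with a `call` is refused rather than copied, which is the case the page's library does not handle.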


Latest replies (13)

#2
The main update in this version: the hook can now be re-entered. Tested in debugman; basically works.

A quick note on usage, which differs from before:

For SetOnBefore, the original function signature gains a DWORD RetAddr, which is the original return address.
For example:
HMODULE WINAPI LoadLibraryA(
LPCTSTR lpFileName
)

Your own version is written like this:
HMODULE WINAPI My_LoadLibraryA(
DWORD RetAddr,
LPCTSTR lpFileName
)

For SetOnAfter, add 2 parameters, in order DWORD EAX, DWORD RetAddr; EAX is the return value after the API has executed.
HMODULE WINAPI My_LoadLibraryA(
DWORD EAX,
DWORD RetAddr,
LPCTSTR lpFileName
)
2007-8-27 08:42

#3
I can't follow the MaskTable and GetOpCodeSize part; add some comments and lay out the overall idea, that would make it easier to follow ;) Many thanks for sharing.
2007-8-27 09:25

#4
Those 2 parts weren't updated; they are code that 西裤 reversed out of aspr, roughly a small part of a disassembler engine that looks up the length via a mask.
2007-8-27 10:31

#5
Learned something, pity I can't understand it.
2007-8-27 10:56

#6
Good stuff, thanks for sharing!
But when writing My_API you must have a global variable IsMe to avoid hooking yourself.......... otherwise it's an infinite loop
2007-8-27 20:48

#7
Bookmarked for now; there's a lot I still don't understand.
2007-9-22 20:16

#8
How did I never find this gem before?
2007-9-24 18:26

#9
OP, please add comments, it's too complex.
2007-9-24 21:46

#10
After testing.... the OP's method has a problem
Tested with the two instructions mov dword ptr [mem],0 and mov [esi+eax],0..
Problems appear.. and it is exactly the line marked with + that goes wrong..
I tried xor with 0-255, there is no xor value that works for both...
=============
The answer is on page two
===========
.
2007-12-15 01:11

#11
Finally got it working... OP... get ready to release v0.4 heh

if ((dh & 0x10) == 0)
    {
      if (dh & 0x40) // is it 0x6x?
          dh ^= (t&0xFF);   // haha.. just a wild guess, but by sheer luck it turned out right; several instructions now come out correct
      t &= 0xFFFFFF00;
      t |= dh;
    }
2007-12-15 03:32

#12
Thanks for the heads-up~~~~
2007-12-15 14:27

#13
When did this thread sink? Not marking it as a highlight was a big mistake.
2007-12-16 21:39

#14
Thanks for sharing! Definitely bumping this``` I really admire this spirit! Heh!
2007-12-22 11:39