首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 看雪峰会 看雪商城 证书查询
  1. 社区
  2. 编程技术
    3. 发新帖
[求助]远程线程注入HOOK API在Debug下和release下的问题
发表于: 2008-6-8 22:40 7486

[求助]远程线程注入HOOK API在Debug下和release下的问题

glorywu 活跃值
2008-6-8 22:40
7486
demo.dll  ------- dll
hook.exe  ------- 注入程序
test.exe  ------- 测试程序

运行hook.exe 把demo.dll注入test.exe,使得test里面的MessageBox()函数,运行我的demo.dll里的函数。
这个程序在debug下成功。但是,在release下却没有反应,test.exe仍然运行的是原来的函数。

内存的属性页页改过的。
p = VirtualAllocEx(hKernel32, NULL, strlen(pDllName)+1, MEM_COMMIT ¦MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hKernel32, p, pDllName, strlen(pDllName)+1, NULL);
pfn = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
CreateRemoteThread(hKernel32, NULL, 0, (LPTHREAD_START_ROUTINE)pfn, p, NULL, 0);

就是不知道为什么在release下不成功!
希望各位有经验的人可以指点一下,谢谢大家。
---------------------------
附程序代码

//------------------------- test.cpp ------------------------//
#include <stdio.h>
#include <windows.h>

void main()
{
while(1)
{
getchar();
MessageBox(NULL, "a", "b", 0);
}
}

//------------------------- hook.cpp ------------------------//
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>

#pragma comment(lib, "th32.lib")

char *pDllName = "Demo.dll";

char *pProcess = "Test.exe";

int main()
{
HANDLE hSnap;
HANDLE hKernel32;
PROCESSENTRY32 pe;
BOOL bNext;
BOOL bFound = 0;
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID Luid;
LPVOID p;
FARPROC pfn;

if(!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES ¦TOKEN_QUERY,
&hToken))
{
printf("OpenProcessToken error!\n");
return 1;
}

if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &Luid))
{
printf("LookupPrivilegeValue error!\n");
return 1;
}

tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid = Luid;

if(!AdjustTokenPrivileges(hToken,
0,
&tp,
sizeof(TOKEN_PRIVILEGES),
NULL,
NULL))
{
printf("AdjustTokenPrivileges error!\n");
return 1;
}

pe.dwSize = sizeof(pe);
hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
bNext = Process32First(hSnap, &pe);
while(bNext)
{
if(!stricmp(pe.szExeFile, pProcess))
{
hKernel32 = OpenProcess(
//PROCESS_CREATE_THREAD ¦PROCESS_VM_WRITE ¦PROCESS_VM_OPERATION,
PROCESS_ALL_ACCESS,
FALSE,
pe.th32ProcessID);
bFound = 1;
break;
}
bNext = Process32Next(hSnap, &pe);
}

CloseHandle(hSnap);

if(bFound)
{
p = VirtualAllocEx(hKernel32, NULL, strlen(pDllName)+1, MEM_COMMIT ¦MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hKernel32, p, pDllName, strlen(pDllName)+1, NULL);
pfn = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
CreateRemoteThread(hKernel32, NULL, 0, (LPTHREAD_START_ROUTINE)pfn, p, NULL, 0);
}
else
printf("Not found the process!\n");

return 0;
}

//------------------------- hook.cpp ------------------------//
#include <windows.h>
#include <process.h>
#include <tlhelp32.h>
#include <stdio.h>

#pragma comment(lib, "th32.lib")

PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_NT_HEADERS pNTHeaders;
PIMAGE_OPTIONAL_HEADER pOptHeader;
PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor;
PIMAGE_THUNK_DATA pThunkData;
PIMAGE_IMPORT_BY_NAME pImportName;
HMODULE hMod;

// 定义MessageBoxA函数原型

typedef int (WINAPI *PFNMESSAGEBOX)(HWND, LPCSTR, LPCSTR, UINT uType);
int WINAPI MessageBoxProxy(IN HWND hWnd, IN LPCSTR lpText, IN LPCSTR lpCaption, IN UINT uType);

int * addr1 = (int *)MessageBox;    //保存函数的入口地址
int * myAddr = (int *)MessageBoxProxy;

/*
typedef int (WINAPI *PFNWRITEFILE)(HANDLE hFile,
  LPCVOID lpBuffer,
  DWORD nNumberOfBytesToWrite,
  LPDWORD lpNumberOfBytesWritten,
  LPOVERLAPPED lpOverlapper);

int WINAPI MyWriteFile(HANDLE hFile,
  LPCVOID lpBuffer,
  DWORD nNumberOfBytesToWrite,
  LPDWORD lpNumberOfBytesWritten,
  LPOVERLAPPED lpOverlapper);

int * Addr = (int *)WriteFile;
int * myAddr = (int *)MyWriteFile;
*/
// 线程函数
void ThreadProc(void *param);

BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD fdwReason, LPVOID lpReserved)
{
if(fdwReason == DLL_PROCESS_ATTACH)
{
// _beginthread(ThreadProc, 0, NULL);
}

return TRUE;
}

void ThreadProc(void *Param)
{
hMod = GetModuleHandle(NULL);

pDosHeader = (PIMAGE_DOS_HEADER)hMod;
pNTHeaders = (PIMAGE_NT_HEADERS)((BYTE *)hMod + pDosHeader->e_lfanew);
pOptHeader = (PIMAGE_OPTIONAL_HEADER)&(pNTHeaders->OptionalHeader);

pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((BYTE *)hMod + pOptHeader->DataDirectory[1].VirtualAddress);

while(pImportDescriptor->FirstThunk)
{
char* DllName = (char *)((BYTE *)hMod + pImportDescriptor->Name);

pThunkData = (PIMAGE_THUNK_DATA)((BYTE *)hMod + pImportDescriptor->OriginalFirstThunk);

int no = 1;
while(pThunkData->u1.Function)
{
PDWORD lpAddr = (DWORD *)((BYTE *)hMod + (DWORD)pImportDescriptor->FirstThunk) + (no-1);

if((*lpAddr) == (int)addr1)
{
// 修改内存页属性
DWORD dwOld;
MEMORY_BASIC_INFORMATION mbi;
VirtualQuery(lpAddr, &mbi, sizeof(mbi));
VirtualProtect(lpAddr, sizeof(DWORD), PAGE_READWRITE, &dwOld);

WriteProcessMemory(GetCurrentProcess(), lpAddr, &myAddr, sizeof(DWORD), NULL);

// 恢复内存页属性
VirtualProtect(lpAddr, sizeof(DWORD), dwOld, 0);
}
no++;
pThunkData++;
}
pImportDescriptor++;
}
}
/*
int WINAPI MyWriteFile(HANDLE hFile,
  LPCVOID lpBuffer,
  DWORD nNumberOfBytesToWrite,
  LPDWORD lpNumberOfBytesWritten,
  LPOVERLAPPED lpOverlapper)
{
MessageBox(NULL, "MyWriteFile", "mywritefile", 0);
return ((PFNWRITEFILE)Addr)(hFile,
lpBuffer,
nNumberOfBytesToWrite,
lpNumberOfBytesWritten,
lpOverlapper);
}
*/

int WINAPI MessageBoxProxy(IN HWND hWnd, IN LPCSTR lpText, IN LPCSTR lpCaption, IN UINT uType)
{
    return      ((PFNMESSAGEBOX)addr1)(NULL, "gxter_test", "gxter_title", 0);
    //这个地方可以写出对这个API函数的处理代码
}

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 0
支持
分享
最新回复 (3)
caocunt
雪    币: 215
活跃值: (11)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
2
请把你的编译好的exe分别上传一份.
r和d版编译器处理的不一样,你有没有用OD分别跟踪一下?
2008-6-9 20:19
0
glorywu
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
3
已经解决,谢谢。
2008-6-11 21:23
0
jasonnbfan
雪    币: 949
活跃值: (18)
能力值: ( LV9,RANK:330 )
在线值:
发帖
回帖
粉丝
私信
4
能吧程序打包份传上来么
2008-7-27 23:12
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//