-
-
[求助]为什么这个API HOOK不能成功呢????大家进来看一下源代码
-
发表于:
2008-7-24 16:48
4230
-
[求助]为什么这个API HOOK不能成功呢????大家进来看一下源代码
代码:
.386
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
.data
szdll db 'user32.dll',0
szMsgBox db 'MessageBoxA',0
addressAPI dd ?
ddjmp db 5 dup (?)
sztext db 'successful',0
sztitle db 'congratulation',0
.code
a10: invoke Beep,1000,1000 ;如果HOOK 成功就用声音提示一下
mov edx,addressAPI
mov bl,[esi] ;还原读出来的5个字节
mov [edx],bl
mov ebx,[esi+1]
mov [edx+1],ebx
jmp edx ;跳去执行MessageBoxA函数
start:
invoke LoadLibrary,offset szdll
invoke GetProcAddress,eax,offset szMsgBox
mov addressAPI,eax
push eax
invoke VirtualProtect,eax,5,PAGE_EXECUTE_READWRITE,PAGE_EXECUTE_READ ;改掉内存保护属性,就是调用这个函数失败了
invoke GetLastError
pop eax
lea esi,offset ddjmp ;读出函数头的前5个字节
mov bl,[eax]
mov [esi],bl
mov ebx,[eax+1]
mov [esi+1],ebx
;-----------------------------------
mov edi,offset a10 ;插入一条JMP指令
mov BYTE ptr [eax],0e9h ;这条指令产生异常,就是内存的保护属性没改成功的原因
sub edi,addressAPI
mov [eax+1],edi
invoke MessageBoxA,0,offset sztext,offset sztitle,0
invoke ExitProcess,0
end start
请大家帮忙看一下
[课程]Linux pwn 探索篇!