首页
社区
课程
招聘
[讨论]本地 api hook有什么用啊?
发表于: 2008-10-12 19:36 5699

[讨论]本地 api hook有什么用啊?

2008-10-12 19:36
5699
看了一段代码,写得很不错.
但这样的本地api有什么用啊?

;<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
; FileName: msgbox2.asm
; Function: Demo how to hook MessageBoxA locally
;   Author: Purple Endurer
;
; log
;--------------------------------------------------
; 2006-07-10 Optimized code
; 2006-07-08 Created, success under Windows XP +SP1
;<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
.586p
.model flat, stdcall
option casemap: none

include \masm32\include\windows.inc

include \masm32\include\kernel32.inc
include \masm32\include\user32.inc

includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

m_m2m MACRO d1, d2
    push d2
    pop  d1
ENDM


MEMORY_BASIC_INFORMATION_SIZE  EQU 28

.data
  g_szUser32dll  DB "user32.dll", 0
  g_szMsgBox  DB "MessageBoxA", 0
  g_szHookedOK db " has been hooked OK!", 0

.data?
  g_dwOld_protect  DD ?
  g_lpfnMessagBox dword ?
  g_dbOldCode db 10 dup(?)
  g_dwReaded dword ?
  g_hCurProc HANDLE ?

.code

start:
do_hook:
  invoke GetModuleHandle, ADDR g_szUser32dll
  invoke GetProcAddress, eax, ADDR g_szMsgBox
  mov  edi, eax            ;finally got MessageBoxA address
  mov  g_lpfnMessagBox, eax

  push 0
  push OFFSET g_szMsgBox
  push OFFSET g_szMsgBox
  push 0
  call g_lpfnMessagBox  ;确认得到MessageBoxA的地址

  invoke GetCurrentProcess
  mov    g_hCurProc, eax

    ; BOOL ReadProcessMemory(
    ;     HANDLE hProcess,    // handle of the process whose memory is read  
    ;     LPCVOID lpBaseAddress,    // address to start reading
    ;     LPVOID lpBuffer,    // address of buffer to place read data
    ;     DWORD nSize,    // number of bytes to read
    ;     LPDWORD lpNumberOfBytesRead     // address of number of bytes read
    ; );
  invoke ReadProcessMemory, eax, g_lpfnMessagBox, ADDR g_dbOldCode, 10, ADDR g_dwReaded

  test eax, eax
  jz   @FinalMsgBox

  invoke VirtualAlloc, 0, MEMORY_BASIC_INFORMATION_SIZE, MEM_COMMIT, PAGE_READWRITE

  test  eax, eax
  jz    @FinalMsgBox

  mov  esi, eax      ;allocation for MBI
  invoke VirtualQuery, edi, esi, MEMORY_BASIC_INFORMATION_SIZE

    ;typedef struct _MEMORY_BASIC_INFORMATION { // mbi  
    ;    PVOID BaseAddress;            // base address of region 
    ;    PVOID AllocationBase;         // allocation base address 
    ;    DWORD AllocationProtect;      // initial access protection 
    ;    DWORD RegionSize;             // size, in bytes, of region 
    ;    DWORD State;                  // committed, reserved, free 
    ;    DWORD Protect;                // current access protection 
    ;    DWORD Type;                   // type of pages 
    ;} MEMORY_BASIC_INFORMATION; 

  test  eax, eax
  jz    @free_mem

  invoke  FlushInstructionCache, g_hCurProc, edi, 5  ;just to be sure

  lea   eax,[esi+014h]
  push  eax
  push  PAGE_EXECUTE_READWRITE
  lea   eax, [esi+0Ch]
  push  [eax]
  push  [esi]
  call  VirtualProtect
  ;we will change protection for a moment, so we will be able to write there
  
  test  eax, eax
  jz  @free_mem

  mov  byte ptr [edi], 0E9h   ;写入jmp跳转指令
  mov  eax, OFFSET @newMsgBox ;计算跳转地址  
  sub  eax, edi
  sub  eax, 5
  inc  edi
  stosd     ;传送32位跳转地址

  push  OFFSET g_dwOld_protect
  lea   eax, [esi+014h]
  push  [eax]
  lea   eax, [esi+0Ch]
  push  [eax]
  push  [esi]
  call  VirtualProtect    ;return back the protection of page

@free_mem:
  push  MEM_RELEASE
  push  0
  push  esi
  call  VirtualFree  ;free memory

@FinalMsgBox:
  invoke MessageBoxA, 0, ADDR g_szMsgBox, ADDR g_szMsgBox, 0
  invoke ExitProcess, 0

@newMsgBox: ;004010CD
  ;mov  [esp+16], MB_ICONINFORMATION    ;修改信息ICON
  m_m2m [esp+16], MB_ICONINFORMATION
  ;mov   [esp+12], OFFSET g_szHookedOK  ;修改标题
  mov eax, [esp+8]      ;修改信息内容
  invoke lstrcat, eax, ADDR g_szHookedOK

 ; BOOL WriteProcessMemory(
 ;     HANDLE hProcess,    // handle to process whose memory is written to  
 ;     LPVOID lpBaseAddress,    // address to start writing to 
 ;     LPVOID lpBuffer,    // pointer to buffer to write data to
 ;     DWORD nSize,    // number of bytes to write
 ;     LPDWORD lpNumberOfBytesWritten     // actual number of bytes written 
 ; );
  invoke WriteProcessMemory, g_hCurProc, g_lpfnMessagBox, ADDR g_dbOldCode, 10, ADDR g_dwReaded
  jmp g_lpfnMessagBox   ;push   g_lpfnMessagBox
                        ;ret; 10H

end start

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 0
支持
分享
最新回复 (5)
雪    币: 207
活跃值: (15)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
期待解答....
2008-10-12 20:26
0
雪    币: 66
活跃值: (16)
能力值: ( LV8,RANK:130 )
在线值:
发帖
回帖
粉丝
3
local hook都会了,global还会远吗?
2008-10-12 20:32
0
雪    币: 207
活跃值: (15)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
4
就这样.. ?  


2008-10-13 07:55
0
雪    币: 201
活跃值: (31)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
5
改变软件执行逻辑什么的。如果在安全上,API HOOK可以用来在用户级上做行为监控。微软有一套官方的SDK:Detour。http://research.microsoft.com/sn/detours
2008-10-28 10:06
0
雪    币: 220
活跃值: (28)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
6
界面库用的就是本地hook
2008-11-1 21:54
0
游客
登录 | 注册 方可回帖
返回
//