大家好,下面代码有些问题出错,求解..
(将下面代码编译成DLL作为注册表APPINIT_DLLS加载..)
随便将一个程序改名为1.exe运行..程序会出错..
将一个程序改为2.exe运行,会通过线程弹一个MessageBox出来..内容是2..
ps:我是将system32下的calc.exe复制两份分别改名为1.exe和2.exe
我用OD跟了下..在程序名为1.exe时,Hook 了GetModuleHandleA 的函数里(即HookGetModuleHandleA)创建线程时指定的函数(ShowMessageBox_1)被JmpGetModuleHandle_OriginalFunction改了跳回原GetModuleHandleA的一个jmp了..
请问为什么会这样啊? 我调用VirtualProtect修改的只是JmpGetModuleHandle_OriginalFunction的10个字节啊, 为什么会把ShowMessageBox_1也改了?
求解..
#include <windows.h>
#include <string.h>
/* Signatures of the two kernel32 exports this DLL patches (both __stdcall). */
typedef HMODULE (__stdcall *PGETMODULEHANDLE)(LPCTSTR lpModuleName);
typedef HMODULE (__stdcall *PLOADLIBRARY)(LPCTSTR lpFileName);
/* Addresses of the real GetModuleHandleA / LoadLibraryA, resolved by
   GetProcAddress in DllMain; the trampolines jump back to them (+5). */
PGETMODULEHANDLE pGetModuleHandle = NULL;
PLOADLIBRARY pLoadLirary = NULL;   /* sic: spelled this way everywhere below */
/* The 5 original bytes displaced from each target by the jmp written in
   DllMain.  LocalAlloc'd there, LocalFree'd on DLL_PROCESS_DETACH; the hooks
   copy them into the trampolines on every call. */
PUCHAR pGetModuleHandle_OriginalFunctionByte = NULL;
PUCHAR pLoadLibrary_OriginalFunctionByte = NULL;
/* Set once the corresponding hook has started its MessageBox thread, so the
   box appears only once per process.  Plain BOOLs: no synchronization
   between threads calling the hooked exports concurrently. */
BOOL g_bGetModuleHandleFlag = FALSE;
BOOL g_bLoadLibraryFlag = FALSE;
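/*
 * Split pszNeedCutStr at the LAST occurrence of cCutChar.
 *
 * On return the cut character in pszNeedCutStr is replaced by a NUL, so the
 * buffer keeps the text before it; the text after it (with its terminator) is
 * copied into pszHaveCutStr when that pointer is non-NULL.  The callers in
 * this file use it to split a full module path into directory and file name.
 *
 * pszHaveCutStr carries no size: it must hold strlen(tail) + 1 bytes.  Every
 * caller here passes a MAX_PATH buffer for both arguments, so the tail, which
 * is never longer than the input, always fits.
 *
 * Returns FALSE only when pszNeedCutStr is NULL.  When cCutChar does not
 * occur, pszNeedCutStr is left unchanged and the whole string is copied to
 * pszHaveCutStr; when cCutChar is the last character nothing is copied and
 * the input is just truncated.
 *
 * Fix: the previous scan started by reading pszNeedCutStr[nSize - 1], which
 * for an empty string is pszNeedCutStr[-1] (out-of-bounds read).  The empty
 * string now takes the "not found" path with no memory access.
 */
BOOL CutLastStringByChar(char *pszNeedCutStr, char *pszHaveCutStr, char cCutChar)
{
    size_t nSize = 0;
    size_t nIndex = 0;

    if ( NULL == pszNeedCutStr )
        return FALSE;

    nSize = strlen(pszNeedCutStr);

    /* nIndex ends one past the last cCutChar, or 0 when there is none.  The
       bound is checked before the element is read. */
    nIndex = nSize;
    while ( nIndex > 0 && pszNeedCutStr[nIndex - 1] != cCutChar )
        --nIndex;

    if ( nIndex < nSize && NULL != pszHaveCutStr )
    {
        /* Tail plus its NUL: nSize - nIndex characters + 1. */
        memcpy(pszHaveCutStr, pszNeedCutStr + nIndex, nSize - nIndex + 1);
    }

    if ( nIndex > 0 )
        pszNeedCutStr[nIndex - 1] = '\0';

    return TRUE;
}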
/*
 * Trampoline back into the real GetModuleHandleA.  Emitted as 10 NOP bytes
 * and rewritten at run time by HookGetModuleHandleA: bytes 0-4 receive the 5
 * saved original bytes, bytes 5-9 an E9 rel32 jmp that lands at
 * pGetModuleHandle + 5.  There is deliberately no ret: control is meant to
 * leave through that jmp.  Until the first rewrite the body is 10 NOPs that
 * fall through into whatever the linker placed next.
 *
 * NOTE(review): the 10-byte write assumes that taking this function's address
 * yields this body.  Under MSVC incremental linking a function symbol can
 * instead resolve to a 5-byte jmp thunk in the ILT, and those thunks sit back
 * to back; a 10-byte write at such a thunk would overwrite the neighbouring
 * thunk with a jmp to GetModuleHandleA + 5, which is exactly the
 * ShowMessageBox_1 corruption described in the question.  Confirm in the
 * disassembler which address the name resolves to; /INCREMENTAL:NO removes
 * the thunks.
 */
__declspec(naked) VOID APIENTRY JmpGetModuleHandle_OriginalFunction()
{
__asm
{
__emit 0x90
__emit 0x90
__emit 0x90
__emit 0x90
__emit 0x90
__emit 0x90
__emit 0x90
__emit 0x90
__emit 0x90
__emit 0x90
}
}
/*
 * Trampoline back into the real LoadLibraryA.  Emitted as 10 NOP bytes and
 * rewritten at run time by HookLoadLibraryA: bytes 0-4 receive the 5 saved
 * original bytes, bytes 5-9 an E9 rel32 jmp that lands at pLoadLirary + 5.
 * No ret on purpose; control leaves through the written jmp.  Before the
 * first rewrite the 10 NOPs fall through into whatever follows in memory.
 *
 * NOTE(review): the 10-byte write relies on this symbol's address being the
 * body itself.  With MSVC incremental linking it may instead be a 5-byte ILT
 * jmp thunk packed next to other functions' thunks, and the write would spill
 * into the neighbour.  Verify the resolved address in the disassembler.
 */
__declspec(naked) VOID APIENTRY JmpLoadLibrary_OriginalFunction()
{
__asm
{
__emit 0x90
__emit 0x90
__emit 0x90
__emit 0x90
__emit 0x90
__emit 0x90
__emit 0x90
__emit 0x90
__emit 0x90
__emit 0x90
}
}
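/*
 * Thread entry point started by the GetModuleHandleA hook: shows a modal
 * message box titled "1" with text "1" and ends the thread with exit code 0.
 *
 * lpParameter: the CreateThread argument; unused (callers pass NULL).
 *
 * Fix: a thread start routine has the LPTHREAD_START_ROUTINE shape
 * DWORD WINAPI f(LPVOID).  The previous declaration took no parameter and
 * relied on the cast at the CreateThread call; under __stdcall the callee
 * then pops 0 bytes where the caller expects 4.  Adding the parameter keeps
 * every existing (PTHREAD_START_ROUTINE) cast valid.
 *
 * Uses the TCHAR MessageBox with narrow literals: this file assumes a
 * non-UNICODE build.
 */
DWORD WINAPI ShowMessageBox_1(LPVOID lpParameter)
{
    (void)lpParameter;
    MessageBox(NULL, "1", "1", MB_OK);
    return 0;
}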
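/*
 * Thread entry point started by the LoadLibraryA hook: shows a modal message
 * box titled "2" with text "2" and ends the thread with exit code 0.
 *
 * lpParameter: the CreateThread argument; unused (callers pass NULL).
 *
 * Fix: thread start routines must match LPTHREAD_START_ROUTINE, i.e.
 * DWORD WINAPI f(LPVOID).  The old parameterless form, reached through a
 * cast at CreateThread, pops 0 bytes under __stdcall where 4 are expected.
 * The added parameter keeps existing (PTHREAD_START_ROUTINE) casts valid.
 *
 * Narrow literals with the TCHAR MessageBox: assumes a non-UNICODE build.
 */
DWORD WINAPI ShowMessageBox_2(LPVOID lpParameter)
{
    (void)lpParameter;
    MessageBox(NULL, "2", "2", MB_OK);
    return 0;
}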
/*
 * Replacement for GetModuleHandleA, reached through the 5-byte jmp that
 * DllMain writes over the real export.
 *
 * Side effect: the first time the host process's file name starts with
 * "my.exe", a thread running ShowMessageBox_MY is created.  It then rebuilds
 * the trampoline JmpGetModuleHandle_OriginalFunction (saved 5 bytes + jmp to
 * pGetModuleHandle + 5), calls it with lpModuleName and returns the real
 * result.  Returns NULL without calling through if VirtualProtect fails.
 *
 * NOTE(review): ShowMessageBox_MY and "my.exe" appear nowhere else in this
 * listing, while the question text talks about 1.exe and ShowMessageBox_1;
 * this looks like a partly renamed paste and will not link as posted.
 */
HMODULE WINAPI HookGetModuleHandleA(LPCTSTR lpModuleName)
{
HMODULE hModule = NULL;
HANDLE hThread = NULL;
DWORD dwStrlen = 0;          /* unused */
DWORD dwReturnAddress = 0;   /* unused */
DWORD dwThreadId = 0;
DWORD dwOldProtect = 0;      /* previous protection; never restored below */
DWORD dwJmpOffset = 0;
char szModuleFileName[MAX_PATH] = {0};
char szProcessName[MAX_PATH] = {0};
/* Redundant: both arrays are already zero-initialized above. */
ZeroMemory(szModuleFileName, MAX_PATH);
ZeroMemory(szProcessName, MAX_PATH);
/* Return value unchecked: on failure the buffer stays empty and
   CutLastStringByChar receives a zero-length string. */
GetModuleFileName(NULL, szModuleFileName, MAX_PATH);
CutLastStringByChar(szModuleFileName, szProcessName, '\\');
/* Case-insensitive compare of only strlen("my.exe") characters, so any name
   that merely begins with "my.exe" matches too. */
if ( 0 == _strnicmp("my.exe", szProcessName, strlen("my.exe")) )
{
/* The flag is set only after CreateThread returns.  Should this hook be
   re-entered in between (CreateThread itself may call the hooked export —
   not verified here), a second thread could be started. */
if ( FALSE == g_bGetModuleHandleFlag )
{
hThread = CreateThread(NULL, 0, (PTHREAD_START_ROUTINE)ShowMessageBox_MY, NULL, 0, &dwThreadId);
if ( NULL != hThread )   /* the handle is never closed */
g_bGetModuleHandleFlag = TRUE;
}
}
/* The trampoline is rewritten on every call although its contents never
   change; a concurrent caller may be executing it while it is written.  The
   10 bytes patched must be the trampoline body itself, not a linker-generated
   thunk at that symbol — confirm in the disassembler. */
if ( FALSE == VirtualProtect((PUCHAR)JmpGetModuleHandle_OriginalFunction, 10,
PAGE_EXECUTE_READWRITE, &dwOldProtect) )
goto Return;
/* rel32 for an E9 placed at trampoline+5: the jump lands at
   pGetModuleHandle + 5, just past the 5 bytes DllMain overwrote. */
dwJmpOffset = (DWORD)((PUCHAR)pGetModuleHandle -
(PUCHAR)JmpGetModuleHandle_OriginalFunction - 5);
/* The saved prologue is re-executed at a different address: this assumes
   those 5 bytes are whole, position-independent instructions (not checked). */
memcpy((PUCHAR)JmpGetModuleHandle_OriginalFunction,
pGetModuleHandle_OriginalFunctionByte, 5);
*(PUCHAR)((PUCHAR)JmpGetModuleHandle_OriginalFunction + 5) = 0xE9;
*(PDWORD)((PUCHAR)JmpGetModuleHandle_OriginalFunction + 6) = dwJmpOffset;
/* GetModuleHandleA is __stdcall: the callee pops lpModuleName. */
__asm
{
push lpModuleName
call JmpGetModuleHandle_OriginalFunction
mov hModule,eax
}
Return:
return hModule;
}
/*
 * Replacement for LoadLibraryA, reached through the 5-byte jmp that DllMain
 * writes over the real export.
 *
 * Side effect: the first time the host process's file name starts with
 * "elementclient.exe", a thread running ShowMessageBox_ElementClient is
 * created.  It then rebuilds the trampoline JmpLoadLibrary_OriginalFunction
 * (saved 5 bytes + jmp to pLoadLirary + 5), calls it with lpFileName and
 * returns the real result.  Returns NULL without calling through if
 * VirtualProtect fails.
 *
 * NOTE(review): ShowMessageBox_ElementClient and "elementclient.exe" are not
 * defined or mentioned elsewhere in this listing; the question text speaks of
 * 2.exe and ShowMessageBox_2, so this is presumably a partly renamed paste
 * that will not link as posted.
 */
HMODULE WINAPI HookLoadLibraryA(LPCTSTR lpFileName)
{
HMODULE hModule = NULL;
HANDLE hThread = NULL;
DWORD dwStrlen = 0;          /* unused */
DWORD dwReturnAddress = 0;   /* unused */
DWORD dwThreadId = 0;
DWORD dwOldProtect = 0;      /* previous protection; never restored below */
DWORD dwJmpOffset = 0;
char szModuleFileName[MAX_PATH] = {0};
char szProcessName[MAX_PATH] = {0};
/* Redundant: both arrays are already zero-initialized above. */
ZeroMemory(szModuleFileName, MAX_PATH);
ZeroMemory(szProcessName, MAX_PATH);
/* Return value unchecked: on failure an empty string reaches
   CutLastStringByChar. */
GetModuleFileName(NULL, szModuleFileName, MAX_PATH);
CutLastStringByChar(szModuleFileName, szProcessName, '\\');
/* Prefix compare of strlen("elementclient.exe") characters, case-insensitive. */
if ( 0 == _strnicmp("elementclient.exe", szProcessName, strlen("elementclient.exe")) )
{
/* Plain BOOL set after CreateThread returns; not safe against re-entry or
   concurrent callers of the hooked export. */
if ( FALSE == g_bLoadLibraryFlag )
{
hThread = CreateThread(NULL, 0, (PTHREAD_START_ROUTINE)ShowMessageBox_ElementClient, NULL, 0, &dwThreadId);
if ( NULL != hThread )   /* the handle is never closed */
g_bLoadLibraryFlag = TRUE;
}
}
/* Rewritten on every call although the contents never change; another
   thread may be executing the trampoline while it is written.  The address
   patched must be the 10-byte body, not a linker thunk — confirm. */
if ( FALSE == VirtualProtect((PUCHAR)JmpLoadLibrary_OriginalFunction, 10,
PAGE_EXECUTE_READWRITE, &dwOldProtect) )
goto Return;
/* rel32 for an E9 at trampoline+5: lands at pLoadLirary + 5. */
dwJmpOffset = (DWORD)((PUCHAR)pLoadLirary -
(PUCHAR)JmpLoadLibrary_OriginalFunction - 5);
/* Assumes the 5 saved bytes are whole, position-independent instructions
   that can run at a new address (not checked). */
memcpy((PUCHAR)JmpLoadLibrary_OriginalFunction,
pLoadLibrary_OriginalFunctionByte, 5);
*(PUCHAR)((PUCHAR)JmpLoadLibrary_OriginalFunction + 5) = 0xE9;
*(PDWORD)((PUCHAR)JmpLoadLibrary_OriginalFunction + 6) = dwJmpOffset;
/* LoadLibraryA is __stdcall: the callee pops lpFileName. */
__asm
{
push lpFileName
call JmpLoadLibrary_OriginalFunction
mov hModule,eax
}
Return:
return hModule;
}
/*
 * DLL entry point.  On DLL_PROCESS_ATTACH it looks at the host process's file
 * name and overwrites the first 5 bytes of one kernel32 export with a rel32
 * jmp into this module: GetModuleHandleA -> HookGetModuleHandleA when the
 * name starts with "1.exe", LoadLibraryA -> HookLoadLibraryA when it starts
 * with "2.exe".  The displaced 5 bytes are kept in a LocalAlloc'd buffer for
 * the trampolines.  On DLL_PROCESS_DETACH only those buffers are freed.
 *
 * Always returns TRUE, also when a step fails (the gotos only skip ahead to
 * the FreeLibrary cleanup), so the DLL stays loaded with the hook possibly
 * half-installed.  hinstDLL is declared HANDLE rather than HINSTANCE and
 * lpvReserved is unused.
 *
 * NOTE(review): nothing here undoes the patch.  After DETACH the patched
 * export still jumps into this module's code and its saved bytes have been
 * freed, so a later call to that export faults once the module is unmapped.
 * Writing the saved 5 bytes back on DETACH, before LocalFree, is the missing
 * step.
 *
 * NOTE(review): LoadLibrary is called from inside DllMain, which the Windows
 * documentation lists among the calls not allowed under the loader lock.
 * kernel32 is already mapped in every process, so GetModuleHandle on
 * "Kernel32.dll" would return the same handle without a load/unload pair.
 */
BOOL WINAPI DllMain(HANDLE hinstDLL, DWORD dwReason, LPVOID lpvReserved)
{
BOOL bResult = TRUE;
if ( DLL_PROCESS_ATTACH == dwReason )
{
HMODULE hLibrary = NULL;
BOOL bRetValue = FALSE;
DWORD dwOldProtect = 0;   /* previous page protection; never restored */
DWORD dwJmpOffset = 0;    /* unused */
char szModuleFileName[MAX_PATH] = {0};
char szProcssName[MAX_PATH] = {0};
/* Redundant: both arrays are already zero-initialized above. */
ZeroMemory(szModuleFileName, MAX_PATH);
ZeroMemory(szProcssName, MAX_PATH);
hLibrary = LoadLibrary("Kernel32.dll");
if ( NULL == hLibrary )
goto Return;
/* Return value unchecked; on failure an empty name reaches CutLastStringByChar. */
GetModuleFileName(NULL, szModuleFileName, MAX_PATH);
CutLastStringByChar(szModuleFileName, szProcssName, '\\');
/* Compares only strlen("1.exe") characters: any name beginning with "1.exe"
   matches, not just the exact file name. */
if ( 0 == _strnicmp("1.exe", szProcssName, strlen("1.exe")) )
{
pGetModuleHandle = (PGETMODULEHANDLE)GetProcAddress(hLibrary, "GetModuleHandleA");
if ( NULL == pGetModuleHandle )
goto Return;
bRetValue = VirtualProtect((PUCHAR)pGetModuleHandle, 5, PAGE_EXECUTE_READWRITE, &dwOldProtect);
if ( FALSE == bRetValue )
goto Return;
pGetModuleHandle_OriginalFunctionByte = (PUCHAR)LocalAlloc(LMEM_ZEROINIT, 5);
if ( NULL == pGetModuleHandle_OriginalFunctionByte )
goto Return;
memcpy(pGetModuleHandle_OriginalFunctionByte, (PUCHAR)pGetModuleHandle, 5);
/* Two separate stores (opcode, then rel32) into code other threads may be
   running; between them the export starts with a jmp whose displacement is
   the old bytes.  The displacement is relative to the end of the 5-byte jmp,
   so the final jump lands on HookGetModuleHandleA. */
*(PUCHAR)pGetModuleHandle = 0xE9;
*(PDWORD)((PUCHAR)pGetModuleHandle + 1) = (DWORD)((PUCHAR)HookGetModuleHandleA -
(PUCHAR)pGetModuleHandle - 5);
}
/* Same prefix-compare caveat as for "1.exe". */
else if ( 0 == _strnicmp("2.exe", szProcssName, strlen("2.exe")) )
{
pLoadLirary = (PLOADLIBRARY)GetProcAddress(hLibrary, "LoadLibraryA");
if ( NULL == pLoadLirary )
goto Return;
bRetValue = VirtualProtect((PUCHAR)pLoadLirary, 5, PAGE_EXECUTE_READWRITE, &dwOldProtect);
if ( FALSE == bRetValue )
goto Return;
pLoadLibrary_OriginalFunctionByte = (PUCHAR)LocalAlloc(LMEM_ZEROINIT, 5);
if ( NULL == pLoadLibrary_OriginalFunctionByte )
goto Return;
memcpy(pLoadLibrary_OriginalFunctionByte, (PUCHAR)pLoadLirary, 5);
/* Same non-atomic two-store patch as above; lands on HookLoadLibraryA. */
*(PUCHAR)pLoadLirary = 0xE9;
*(PDWORD)((PUCHAR)pLoadLirary + 1) = (DWORD)((PUCHAR)HookLoadLibraryA -
(PUCHAR)pLoadLirary - 5);
}
Return:
/* Balances the LoadLibrary above; kernel32 stays mapped regardless. */
if ( NULL != hLibrary )
{
FreeLibrary(hLibrary);
hLibrary = NULL;
}
bResult = TRUE;   /* already TRUE; failures above are not reported */
}
if ( DLL_PROCESS_DETACH == dwReason )
{
/* Frees the saved bytes while the patched exports still reference the
   trampolines that copy from them. */
if ( NULL != pGetModuleHandle_OriginalFunctionByte )
{
LocalFree(pGetModuleHandle_OriginalFunctionByte);
pGetModuleHandle_OriginalFunctionByte = NULL;
}
if ( NULL != pLoadLibrary_OriginalFunctionByte )
{
LocalFree(pLoadLibrary_OriginalFunctionByte);
pLoadLibrary_OriginalFunctionByte = NULL;
}
}
return bResult;
}