.data
hInstance   dd  0                               ; this DLL's module handle
; Entry stub that SetProcLong copies over the start of the hooked function.
; The imm32 at offset 1 is filled in at run time before the copy.  20 bytes:
jmpurl      db  0B8h, 090h, 090h, 090h, 090h    ; mov eax, imm32 (placeholder)
            db  0FFh, 0E0h                      ; jmp eax
            db  13 dup (090h)                   ; nop padding
.data?      ; Shared section: link with /SECTION:.bss,S (RadASM: /SECTION:.bss|S)
hHook       dd  ?                               ; hook id, lives in the shared section
.code
;-----------------------------------------------------------------------
; BOOL SetProcLong(DWORD lpLong, DWORD lpNewLong, DWORD lpNewPro)
; ABI:   stdcall via MASM32 invoke, 32-bit x86
; Purpose: inline-hook the function at lpLong in the CURRENT process by
;          overwriting its first Lenth bytes with the jmpurl stub
;          (mov eax,lpNewLong / jmp eax / nop padding).  Lenth is the
;          first whole-instruction boundary past 7 bytes, measured with
;          the external length disassembler Getinstrlen (LED32).
; In:    lpLong    = address of the function to patch
;        lpNewLong = address the patched entry transfers control to
;        lpNewPro  = if != NULL, a heap block is allocated and the
;                    displaced bytes are meant to be preserved (see notes)
; Out:   eax = TRUE always; no API return value is checked
; Clobb: eax, ecx (via invoke); edx and edi are restored by `uses`
; Review notes -- the code as written, not corrected here:
;  * Lenth is a LOCAL that is never zeroed before `add Lenth,eax`, so the
;    accumulated length starts from whatever the frame slot held.
;  * The `push edi` inside the .if block is paired with `pop edx` after
;    the .endif, so with lpNewPro == NULL the frame is off by 4 at `ret`.
;  * `lea edi,lpNewPro` / `mov [edi],eax` stores the heap pointer into this
;    frame's own copy of the argument, not through a caller-supplied
;    pointer; lpMainHeap itself is never written to afterwards.
;  * `Lenth+6`, `[lpLong+edi]` and `[edx+Lenth]` appear to combine the
;    ebp-relative displacement of the local with the offset/register
;    rather than the local's VALUE (MASM address arithmetic) -- confirm
;    in a listing.  The copy loop writes szBuf[1..Lenth+1], which runs
;    past the 20-byte buffer once Lenth+1 > 19.
;  * The 7 bytes taken from szBuf are written to lpLong+Lenth, i.e. into
;    the hooked function itself; the E9 byte placed at szBuf+Lenth is
;    followed by lpLong+Lenth as an absolute address, where jmp rel32
;    expects a PC-relative displacement.
;  * jmpurl is a process-wide .data buffer patched in place (concurrent
;    calls race on it), and Lenth bytes are copied from its 20 bytes
;    although Lenth can in principle reach 7 + one 15-byte instruction.
; Detection note: a function hooked this way starts with
;    B8 ?? ?? ?? ?? FF E0 and no longer matches the on-disk image;
;    comparing export prologues against the mapped file exposes it.
;-----------------------------------------------------------------------
SetProcLong proc uses edx edi ,lpLong:DWORD,lpNewLong:DWORD,lpNewPro:DWORD
LOCAL Lenth,hMainHeap,lpMainHeap,hProcess,lpApi
LOCAL szBuf[20]:BYTE
; lpApi walks forward from lpLong one instruction at a time
push lpLong
pop lpApi
; Handle to our own process with the rights WriteProcessMemory needs;
; the OpenProcess result is not checked
invoke GetCurrentProcessId
invoke OpenProcess,PROCESS_VM_OPERATION or PROCESS_VM_WRITE,FALSE,eax
mov hProcess ,eax
;jmp wirte   (disabled: would skip the length scan and the trampoline block)
Get_instr_len:                     ; label is not referenced anywhere in this proc
; Sum whole-instruction lengths until more than 7 bytes are covered
; (7 = mov eax,imm32 + jmp eax).  NOTE: Lenth is not initialised first.
.while TRUE
invoke Getinstrlen ,lpApi          ; eax = length of the instruction at lpApi (external)
add Lenth,eax
add lpApi,eax
.break .if (Lenth>7)
.endw
.if lpNewPro!=NULL
; Caller wants the displaced code kept: get a heap block (presumably
; Lenth bytes plus a 5-byte jmp -- but see the header on `Lenth+6`)
invoke GetProcessHeap
mov hMainHeap,eax
invoke HeapAlloc,hMainHeap,0,Lenth+6
mov lpMainHeap,eax
push edi                           ; NOTE: matched by `pop edx` below the .endif, on both paths
; Store the heap pointer into this frame's lpNewPro slot (not through it)
lea edi,lpNewPro
mov [edi],eax
; Copy the displaced bytes into szBuf; indices written are 1..Lenth+1
xor edi,edi
.while TRUE
mov al, BYTE ptr [lpLong+edi]      ; appears to read ebp+8+edi (the frame), not lpLong+edi
add edi,1
mov BYTE ptr szBuf[edi], al
.break .if (edi>Lenth)
.endw
; Append a "jump back" after the copied bytes: E9, then lpLong+Lenth
lea edx,szBuf
mov BYTE ptr [edx+Lenth],0e9h ;jmp rel32 opcode (operand stored below is absolute)
mov eax,lpLong
add eax,Lenth
mov DWORD ptr [edx+Lenth+1],eax
; Write 7 bytes of szBuf to lpLong+Lenth -- into the hooked function, not lpMainHeap
xor edi,edi                        ; redundant: edi is overwritten two lines down
mov eax,lpLong
mov edi,Lenth
add edi,eax
invoke WriteProcessMemory,hProcess, edi ,addr szBuf ,7 ,NULL
.endif
wirte:                             ; (sic) "write": patch the function entry
; Fill the stub's imm32 with the hook address, then overwrite the first
; Lenth bytes of the target with the stub (mov eax,lpNewLong / jmp eax / nops)
lea edx,jmpurl
mov eax,lpNewLong
mov DWORD ptr [edx+1],eax ;imm32 operand of the mov eax inside jmpurl
pop edx                            ; pairs with the `push edi` inside the .if above
invoke WriteProcessMemory,hProcess, lpLong ,addr jmpurl ,Lenth ,NULL
invoke CloseHandle,hProcess
mov eax,TRUE                       ; unconditional success
ret
SetProcLong endp
这个函数的作用是HOOK API
程序首先OpenProcess打开虚拟页面写权限
然后用反汇编引擎LED32里的Getinstrlen循环判断从首地址开始的完整指令长度并累加(add),直到大于7个字节,这样得到一个超过7个字节的、由几条完整指令组成的长度,记为 Lenth
然后申请一段空间,并把地址输出到参数,把原函数(API)开头 Lenth 长度的代码循环写入申请的空间,再写入 jmp lpLong + Lenth,实现模拟原函数执行的功能
然后修改函数的开始为
mov eax,XXXX
jmp eax
nop
....
其中 XXXX 为hook处理函数地址,我们的API
这段代码肯定还可以优化,也可能存在错误,欢迎大家指正,谢谢!