[求助]r3下inline hook的恢复问题
发表于:
2009-9-21 01:48
在恢复 Hook 之后，测试的程序就会提示 ESP 错误。自己单步跟到 USER32.dll 下，发现 hook 恢复之后的前 5 字节与不 HOOK 时也是一致的……牛人帮解释一下。
代码如下
HHOOK hHookMsg = NULL; // hook handle returned by SetWindowsHookEx in InstallEngine
HINSTANCE hInstDLL = NULL; //the handle of dll! (set in DllMain, passed to SetWindowsHookEx)
typedef int (WINAPI *HookMessageBox)( // stdcall (WINAPI) pointer type matching MessageBoxA's signature
HWND, // handle of owner window
LPCTSTR, // address of text in message box
LPCTSTR, // address of title of message box
UINT // style of message box
);
unsigned char JmpCode[]={0xE9,0x00,0x00,0x00,0x00}; // 5-byte near jmp rel32; bytes 1..4 are filled in by StartHookMessageBox, written by Jmps
unsigned char SrcCode[]={0x8B,0xFF,0x55,0x8B,0xEC}; // expected original first 5 bytes of MessageBoxA (mov edi,edi / push ebp / mov ebp,esp); written back by Srcs
HookMessageBox OldMessageBox; // address of the real MessageBoxA, resolved in StartHookMessageBox
/*
 * Write JmpCode over the first 5 bytes of MessageBoxA.
 * The page is made writable around the write and the previous protection
 * is put back afterwards.
 * NOTE(review): neither VirtualProtect result is checked, so a failure
 * would surface as a fault on the write rather than an error here.
 */
void Jmps()
{
    DWORD OldProtect = 0;
    unsigned char *dst = (unsigned char *)OldMessageBox;
    VirtualProtect(OldMessageBox, 5, PAGE_EXECUTE_READWRITE, &OldProtect);
    const unsigned char *src = JmpCode;
    unsigned char *end = dst + 5;
    while (dst < end)
    {
        *dst++ = *src++;
    }
    VirtualProtect(OldMessageBox, 5, OldProtect, &OldProtect);
}
/*
 * Write SrcCode (the saved original prologue) back over the first 5 bytes
 * of MessageBoxA, i.e. undo what Jmps did. Page protection is handled the
 * same way as in Jmps.
 * NOTE(review): neither VirtualProtect result is checked.
 */
void Srcs()
{
    DWORD OldProtect = 0;
    unsigned char *dst = (unsigned char *)OldMessageBox;
    VirtualProtect(OldMessageBox, 5, PAGE_EXECUTE_READWRITE, &OldProtect);
    const unsigned char *src = SrcCode;
    unsigned char *end = dst + 5;
    while (dst < end)
    {
        *dst++ = *src++;
    }
    VirtualProtect(OldMessageBox, 5, OldProtect, &OldProtect);
}
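/*
 * Replacement entry reached through the 5-byte jmp written over MessageBoxA.
 *
 * MessageBoxA is a stdcall (WINAPI) function, as the HookMessageBox typedef
 * states: its callers push four arguments and expect the callee to pop them
 * on return. The original declaration here used the compiler default (cdecl),
 * so the function returned with a plain `ret` and, on 32-bit, left 16 bytes
 * of arguments on the stack. That stack imbalance is the most likely source
 * of the "ESP" runtime error, even though the restored prologue bytes look
 * correct. Declaring the function WINAPI makes its convention match.
 *
 * Behaviour is otherwise unchanged: the original bytes are written back,
 * the real MessageBoxA is called with the text replaced and uType forced to
 * 0, and the jmp is not re-installed, so only the first call is intercepted.
 */
int WINAPI MyMessageBox(
    HWND hWnd,         // handle of owner window
    LPCTSTR lpText,    // address of text in message box (not used: replaced below)
    LPCTSTR lpCaption, // address of title of message box
    UINT uType         // style of message box (not used: forced to 0 below)
)
{
    (void)lpText;
    (void)uType;
    Srcs(); // restore the original prologue before calling through
    return OldMessageBox(hWnd, "Inline Hook", lpCaption, 0);
}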
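/*
 * Resolve MessageBoxA, verify its prologue, and install the jmp.
 *
 * Returns 1 once the patch has been written, 0 if USER32.dll or MessageBoxA
 * cannot be resolved or the first bytes do not match SrcCode. (DllMain
 * ignores the value; the earlier version returned 0 on every path, which
 * gave the caller no way to tell success from failure.)
 *
 * All 5 bytes that Srcs later writes back are checked before anything is
 * patched (the earlier version compared only 4, leaving the last byte
 * unverified). The rel32 is stored byte by byte instead of through an
 * int pointer into the unsigned char array. The offset arithmetic is
 * 32-bit only, as the int casts show.
 */
int StartHookMessageBox()
{
    HMODULE hMsgina = GetModuleHandle("USER32.dll");
    if (hMsgina == NULL)
    {
        return 0;
    }
    OldMessageBox = (HookMessageBox)GetProcAddress(hMsgina, "MessageBoxA");
    if (OldMessageBox == NULL)
    {
        return 0;
    }
    /* Refuse to patch unless every byte Srcs will restore is what we expect. */
    const unsigned char *p = (const unsigned char *)OldMessageBox;
    for (int i = 0; i < (int)sizeof SrcCode; i++)
    {
        if (p[i] != SrcCode[i])
        {
            return 0;
        }
    }
    /* rel32 for the E9 jmp: target minus the address just after the 5-byte instruction. */
    int Code = (int)&MyMessageBox - (int)OldMessageBox - 5;
    for (int k = 0; k < 4; k++)
    {
        JmpCode[1 + k] = (unsigned char)((unsigned)Code >> (8 * k));
    }
    Jmps();
    return 1;
}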
/*
 * DLL entry point. On process attach it records the module handle (used by
 * InstallEngine for SetWindowsHookEx) and installs the MessageBoxA patch.
 * Every other reason code is ignored; the function always reports success.
 */
BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        hInstDLL = (HINSTANCE)hModule;
        (void)StartHookMessageBox(); // return value is not used
    }
    return TRUE;
}
/*
 * WH_GETMESSAGE hook procedure. It does nothing itself and only forwards to
 * the next hook in the chain; presumably it exists so that the DLL gets
 * mapped into the hooked processes (InstallEngine registers it with
 * thread id 0).
 */
LRESULT WINAPI MsgHookProc(int code, WPARAM wParam, LPARAM lParam)
{
    // note: on Windows 2000 the 1st parameter to CallNextHookEx can be NULL;
    // on Windows 98 it must be the hook handle
    LRESULT next = CallNextHookEx(NULL, code, wParam, lParam);
    return next;
}
/*
 * Install the WH_GETMESSAGE hook with MsgHookProc from this DLL.
 * strPath is accepted but not used. Returns TRUE on success and FALSE
 * when SetWindowsHookEx fails; the handle is kept in hHookMsg.
 */
BOOL InstallEngine(DWORD strPath)
{
    (void)strPath;
    // install the hook; thread id 0 means all processes
    hHookMsg = SetWindowsHookEx(WH_GETMESSAGE, MsgHookProc, hInstDLL, 0);
    return hHookMsg != NULL ? TRUE : FALSE;
}