[求助]r3下inline hook的恢复问题

[求助]r3下inline hook的恢复问题

2009-9-21 01:48
在恢复 Hook 之后，测试程序就会提示 ESP 错误。自己单步跟到 USER32.dll 下，发现 hook 恢复之后的前 5 字节与不 HOOK 时也是一致的……牛人帮解释一下。

代码如下
// Handle returned by SetWindowsHookEx in InstallEngine (NULL until installed).
HHOOK hHookMsg = NULL;	
// Module handle of this DLL, saved in DllMain and passed to SetWindowsHookEx.
HINSTANCE    hInstDLL = NULL;	//the handle of dll!

// Signature of MessageBoxA; WINAPI (__stdcall) matches the real export, so
// the trampoline target must use the same calling convention.
typedef int (WINAPI *HookMessageBox)(
  HWND,          // handle of owner window
  LPCTSTR,     // address of text in message box
  LPCTSTR,  // address of title of message box
  UINT          // style of message box
);

// x86 `jmp rel32` (opcode E9); the four operand bytes are filled in by
// StartHookMessageBox before Jmps() writes them over MessageBoxA's entry.
unsigned char	JmpCode[]={0xE9,0x00,0x00,0x00,0x00};
// The five bytes expected at MessageBoxA's entry (x86 hot-patch prologue:
// mov edi,edi / push ebp / mov ebp,esp).  StartHookMessageBox compares the
// live bytes against this before patching, and Srcs() writes it back.
unsigned char	SrcCode[]={0x8B,0xFF,0x55,0x8B,0xEC};
// Address of the real MessageBoxA, resolved via GetProcAddress in
// StartHookMessageBox.  Calling it while JmpCode is in place re-enters the hook.
HookMessageBox  OldMessageBox;

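/* Number of bytes patched at MessageBoxA's entry (size of JmpCode / SrcCode). */
enum { HOOK_PATCH_LEN = 5 };

/*
 * Overwrite the first HOOK_PATCH_LEN bytes of OldMessageBox with `bytes`.
 *
 * Jmps() and Srcs() differ only in the pattern they write, so the shared
 * VirtualProtect / copy / restore sequence lives here.  The page is made
 * writable for the duration of the copy, the instruction cache is flushed so
 * the CPU does not keep executing stale bytes, and the previous protection is
 * put back afterwards.
 *
 * Returns TRUE on success, FALSE if OldMessageBox is NULL or the protection
 * change failed (nothing is written in that case; the original code ignored
 * VirtualProtect's result and wrote anyway).  The patch is not atomic: a
 * thread executing MessageBoxA's prologue while the bytes change may fault.
 */
static BOOL PatchEntryBytes(const unsigned char *bytes)
{
	DWORD oldProtect = 0;
	unsigned char *target = (unsigned char *)OldMessageBox;

	if (target == NULL) {
		return FALSE;
	}
	if (!VirtualProtect(target, HOOK_PATCH_LEN, PAGE_EXECUTE_READWRITE, &oldProtect)) {
		return FALSE;
	}

	for (int i = 0; i < HOOK_PATCH_LEN; i++) {
		target[i] = bytes[i];
	}
	FlushInstructionCache(GetCurrentProcess(), target, HOOK_PATCH_LEN);

	/* Restore the original protection; the value written back here is unused. */
	VirtualProtect(target, HOOK_PATCH_LEN, oldProtect, &oldProtect);
	return TRUE;
}

/* Install the hook: write the `jmp MyMessageBox` bytes over MessageBoxA's entry. */
void Jmps()
{
	PatchEntryBytes(JmpCode);
}

/* Remove the hook: write MessageBoxA's original entry bytes back. */
void Srcs()
{
	PatchEntryBytes(SrcCode);
}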

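/*
 * Replacement for MessageBoxA that the patched entry jumps to.
 *
 * MessageBoxA is __stdcall (the callee pops its four arguments) and callers
 * reach this function through a plain `jmp`, so it must use the same
 * convention -- WINAPI, exactly as the HookMessageBox typedef does.  Without
 * it the compiler defaults to __cdecl, nobody pops the 16 bytes of
 * arguments, and the caller sees a corrupted ESP -- the error this thread
 * asks about.
 *
 * Behaviour is otherwise unchanged: MessageBoxA's original bytes are written
 * back first (otherwise calling OldMessageBox would land back here), then the
 * real MessageBoxA is called with the text replaced by "Inline Hook" and the
 * style forced to 0.  Nothing re-installs the jmp afterwards, so the hook
 * fires once.  lpText and uType exist only to match MessageBoxA's signature.
 */
int WINAPI MyMessageBox(
  HWND hWnd,          // handle of owner window
  LPCTSTR lpText,     // address of text in message box
  LPCTSTR lpCaption,  // address of title of message box
  UINT uType          // style of message box
)
{
	(void)lpText;
	(void)uType;

	Srcs();	/* restore MessageBoxA's entry before calling through it */
	return OldMessageBox(hWnd, "Inline Hook", lpCaption, 0);
}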

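/*
 * Resolve MessageBoxA, verify its entry bytes, and redirect it to MyMessageBox.
 *
 * Returns 1 when the jmp was written, 0 if USER32 or MessageBoxA could not be
 * found or the entry does not start with the expected SrcCode bytes (a
 * different Windows build, or something else already patched it).  The
 * original returned 0 on every path, so the caller could not tell the cases
 * apart.  Only when all five bytes match is it safe for Srcs() to write
 * SrcCode back later.
 *
 * The 5-byte `E9 rel32` jump, the DWORD displacement and the x86 prologue in
 * SrcCode all assume a 32-bit process.
 */
int StartHookMessageBox()
{
	HMODULE hUser32 = GetModuleHandle("USER32.dll");
	if (hUser32 == NULL) {
		return 0;
	}

	OldMessageBox = (HookMessageBox)GetProcAddress(hUser32, "MessageBoxA");
	if (OldMessageBox == NULL) {
		return 0;
	}

	/* Compare all five bytes that Jmps() overwrites and Srcs() writes back.
	 * The original loop stopped at four, leaving the fifth unverified. */
	const unsigned char *entry = (const unsigned char *)OldMessageBox;
	for (unsigned i = 0; i < sizeof SrcCode; i++) {
		if (entry[i] != SrcCode[i]) {
			return 0;
		}
	}

	/* rel32 operand of the jmp: target minus the address of the byte after the
	 * 5-byte instruction.  Unsigned arithmetic keeps a backward jump defined. */
	DWORD_PTR next = (DWORD_PTR)OldMessageBox + sizeof JmpCode;
	DWORD rel = (DWORD)((DWORD_PTR)&MyMessageBox - next);

	/* Store little-endian, byte by byte, instead of writing through an
	 * int* into the unsigned char array. */
	for (unsigned i = 0; i < sizeof rel; i++) {
		JmpCode[1 + i] = (unsigned char)(rel >> (8 * i));
	}

	Jmps();
	return 1;
}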

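/*
 * DLL entry point.  On process attach, remember the module handle (used by
 * InstallEngine's SetWindowsHookEx call) and install the MessageBoxA hook.
 *
 * StartHookMessageBox's result is not checked, so a process whose MessageBoxA
 * prologue does not match SrcCode simply stays unhooked.  Thread
 * attach/detach and process detach do nothing; the patch is never undone on
 * unload.
 */
BOOL APIENTRY DllMain( HANDLE hModule, 
                       DWORD  ul_reason_for_call, 
                       LPVOID lpReserved
					 )
{
	(void)lpReserved;

	switch (ul_reason_for_call) {
	case DLL_PROCESS_ATTACH:
		hInstDLL = (HINSTANCE)hModule;
		StartHookMessageBox();
		break;
	default:
		/* DLL_THREAD_ATTACH / DLL_THREAD_DETACH / DLL_PROCESS_DETACH */
		break;
	}
	return TRUE;
}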

/*
 * WH_GETMESSAGE hook procedure registered by InstallEngine.
 *
 * It does nothing with the message itself; the hook presumably exists only so
 * that the system maps this DLL into other processes (see InstallEngine),
 * after which DllMain installs the inline hook.  Every call is forwarded to
 * the next hook in the chain.
 */
LRESULT WINAPI MsgHookProc(int code, WPARAM wParam, LPARAM lParam)
{
	/* Windows 2000 accepts NULL for the hook handle here; Windows 98 required
	 * the handle returned by SetWindowsHookEx. */
	LRESULT next = CallNextHookEx(NULL, code, wParam, lParam);
	return next;
}

/*
 * Register the WH_GETMESSAGE hook (thread id 0 = all threads on the desktop).
 * strPath is not used; it is kept for the existing caller signature.
 *
 * Returns TRUE if SetWindowsHookEx returned a hook handle, FALSE otherwise.
 * The handle is stored in hHookMsg.
 */
BOOL InstallEngine(DWORD strPath)
{
	(void)strPath;

	hHookMsg = SetWindowsHookEx(WH_GETMESSAGE, MsgHookProc, hInstDLL, 0);
	return (hHookMsg != NULL) ? TRUE : FALSE;
}


// Quoted from the original post.  Declared without WINAPI, so it compiles as
// __cdecl, while the jmp delivers callers that used MessageBoxA's __stdcall
// convention -- the stack imbalance this reply points out.
int MyMessageBox(
  HWND hWnd,          // handle of owner window
  LPCTSTR lpText,     // address of text in message box
  LPCTSTR lpCaption,  // address of title of message box
  UINT uType          // style of message box
)
{
  Srcs();// restore the original entry bytes
  return OldMessageBox(hWnd,"Inline Hook",lpCaption,0);
}

堆栈没有平衡，FAKE 的 MESSAGEBOX 应该写成 __declspec(naked) 调用方式：

__declspec(naked) int MyMessageBox(
                   HWND hWnd,          // handle to owner window
                   LPCTSTR lpText,     // text in message box
                   LPCTSTR lpCaption,  // message box title
                   UINT uType          // message box style
                  )
2009-9-21 10:11
感谢，已经解决了，的确是堆栈不平衡问题，自己幼稚了，呵呵。
2009-9-21 13:39