反 ring3 hook demo:直接从 dll 文件修复 dll 的 code 段,实现反 hook
阅读量:5095 次
发布时间:2019-06-13


// CounterHook.cpp : Defines the entry point for the console application.//#include "stdafx.h"#include 
// Helper: writes a string to the debugger via OutputDebugStringW. Not called by
// any code visible in this listing.
void showInfo(LPWSTR strInfo){ OutputDebugStringW(strInfo);}

// Pointer type for the real CreateEventW. After HookCreateEventW runs,
// lpFunCreateEvent no longer points at the function entry but at entry + 5,
// i.e. just past the bytes that were overwritten with the JMP.
typedef HANDLE (WINAPI* pfnCreateEvent)( LPSECURITY_ATTRIBUTES lpEventAttributes, BOOL bManualReset, BOOL bInitialState, LPWSTR lpName );
pfnCreateEvent lpFunCreateEvent ;

// Detour for CreateEventW (x86, MSVC inline asm). Declared naked so the compiler
// emits no prologue/epilogue: the body replays the three instructions
// (mov edi,edi / push ebp / mov ebp,esp = 5 bytes) that HookCreateEventW
// clobbered with its 5-byte JMP, then jumps to CreateEventW+5. The call itself
// is neither logged nor modified.
// NOTE(review): nothing verifies that the target really begins with exactly
// those 5 bytes; if it does not (different build, already patched by someone
// else), resuming at +5 lands mid-instruction.
HANDLE __declspec(naked) WINAPI MyCreateEvent( LPSECURITY_ATTRIBUTES lpEventAttributes, BOOL bManualReset, BOOL bInitialState, LPWSTR lpName )
{
    _asm
    {
        mov edi,edi
        push ebp
        mov ebp,esp
        jmp lpFunCreateEvent
    }
}

// Pointer type for the real MessageBoxW; same +5 convention as lpFunCreateEvent.
typedef int (WINAPI* pfnMessageBoxW)(HWND hWnd,LPWSTR lpText,LPWSTR lpCaption,UINT uType);
pfnMessageBoxW lpMessageBoxW ;

// Detour for MessageBoxW; identical trampoline scheme to MyCreateEvent.
// NOTE(review): parameters are declared LPCTSTR here but LPWSTR in
// pfnMessageBoxW; harmless for a naked body that never touches its arguments,
// but the two declarations should agree.
int __declspec(naked) WINAPI MyMessageBox(HWND hWnd,LPCTSTR lpText,LPCTSTR lpCaption,UINT uType)
{
    _asm
    {
        mov edi,edi
        push ebp
        mov ebp,esp
        jmp lpMessageBoxW
    }
}

// Installs an inline hook on kernel32!CreateEventW: writes a 5-byte relative
// JMP (E9 rel32) to MyCreateEvent over the function entry, then advances
// lpFunCreateEvent past the patch so the detour can resume there.
// NOTE(review): LoadLibraryW, GetProcAddress and WriteProcessMemory results
// are not checked — a NULL from GetProcAddress turns this into a write at
// address -5. INVALID_HANDLE_VALUE is being used as the current-process
// pseudo-handle (both are (HANDLE)-1 on Win32); GetCurrentProcess() would make
// that intent explicit. Page protection is left entirely to WriteProcessMemory.
void HookCreateEventW()
{
    BYTE NewBytes[5] = {0xe9,0x0,0x0,0x0,0x0};
    HMODULE h= LoadLibraryW(L"kernel32.dll");
    lpFunCreateEvent = (pfnCreateEvent) GetProcAddress(h,"CreateEventW");
    // rel32 = target - (patch address + 5)
    *(DWORD*)(NewBytes + 1) = (DWORD)MyCreateEvent-(DWORD)lpFunCreateEvent-5;
    WriteProcessMemory(INVALID_HANDLE_VALUE,(LPVOID)lpFunCreateEvent,NewBytes,5,NULL);
    lpFunCreateEvent = (pfnCreateEvent)((LPBYTE)lpFunCreateEvent +5 );
}

// Installs the same 5-byte JMP hook on user32!MessageBoxW, redirecting to
// MyMessageBox. Same unchecked-result caveats as HookCreateEventW.
void HookMessageBoxW()
{
    BYTE NewBytes[5] = {0xe9,0x0,0x0,0x0,0x0};
    HMODULE h= LoadLibraryW(L"user32.dll");
    lpMessageBoxW = (pfnMessageBoxW) GetProcAddress(h,"MessageBoxW");
    // rel32 = target - (patch address + 5)
    *(DWORD*)(NewBytes + 1) = (DWORD)MyMessageBox-(DWORD)lpMessageBoxW-5;
    WriteProcessMemory(INVALID_HANDLE_VALUE,(LPVOID)lpMessageBoxW,NewBytes,5,NULL);
    lpMessageBoxW = (pfnMessageBoxW)((LPBYTE)lpMessageBoxW +5 );
}

// First version of the anti-hook routine. Loads the DLL named by strDllName,
// maps its on-disk file read-only as an image (SEC_IMAGE), walks the PE headers
// to the section table and locates the code section; the part of the loop that
// copies the file bytes back over the loaded module was lost when this page was
// extracted, so the listing stops mid-body at two points marked below (the
// revised version further down this page shows the full loop).
// x86-only by construction (DWORD pointer arithmetic, inline asm elsewhere).
// NOTE(review): LoadLibraryW, GetModuleFileName and MapViewOfFile results are
// dereferenced without being checked.
void CounterHookdll(LPWSTR strDllName)
{
    WCHAR wszModuleName[MAX_PATH];
    DWORD dwZeroMem[64];          // 256 zero bytes; how it is used is in the lost part of the loop
    DWORD dwFileSizeH;
    DWORD dwFileSizeL;
    IMAGE_DOS_HEADER* dosHead;
    IMAGE_NT_HEADERS* peHead;
    IMAGE_SECTION_HEADER* sections;
    int sectionCount ;
    HMODULE h = LoadLibraryW(strDllName);             // loads (or re-references) the target DLL
    GetModuleFileName(h,wszModuleName,MAX_PATH);      // on-disk path of the loaded module
    ZeroMemory(dwZeroMem,sizeof(dwZeroMem));
    HANDLE hFile = CreateFile(wszModuleName,GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL|FILE_ATTRIBUTE_SYSTEM, NULL);
    DWORD dwError = GetLastError();                   // captured for debugging; never read
    if (hFile != INVALID_HANDLE_VALUE)
    {
        dwFileSizeL = GetFileSize(hFile,&dwFileSizeH);
        // SEC_IMAGE: the view is laid out like a loaded image, so section data
        // sits at its VirtualAddress rather than its file offset.
        // NOTE(review): this is a second, independent mapping of the file, not
        // the module LoadLibraryW returned. If it is placed at a different base,
        // x86 absolute addresses inside .text differ from the live copy and the
        // view is not a byte-exact reference — confirm the bases match.
        HANDLE hMap = CreateFileMappingW(hFile,NULL,PAGE_READONLY|SEC_IMAGE,dwFileSizeH,dwFileSizeL,NULL);
        DWORD dwError = GetLastError();               // shadows the outer dwError; also never read
        if (hMap!= NULL)
        {
            LPVOID lpBuffer =MapViewOfFile(hMap,FILE_MAP_READ,0,0,0);
            //lpBuffer = h ;
            // Only the DOS "MZ" signature is checked; the PE signature check is
            // left commented out.
            if ((*(LPWORD)lpBuffer) == 0x5a4d/* && ((LPBYTE)lpBuffer+ (*(LPDWORD)((LPBYTE)lpBuffer+0x3c))==0x4550*/)
            {
                // DWORD dwOffset = *(LPDWORD)((LPBYTE)lpBuffer+0x3c);
                // if (*(LPWORD)((LPBYTE)lpBuffer+dwOffset) == 0x4550)
                // {
                //
                // }
                dosHead = (IMAGE_DOS_HEADER*)lpBuffer;
                peHead = (IMAGE_NT_HEADERS*)((LPBYTE)lpBuffer+dosHead->e_lfanew);
                sectionCount = peHead->FileHeader.NumberOfSections;
                // Section table immediately follows the NT headers.
                sections = (IMAGE_SECTION_HEADER*)((LPBYTE)peHead+sizeof(IMAGE_NT_HEADERS));
                for (int i=0;i
                // [lost in extraction: the loop condition/increment and the call that
                //  prints each section name; only its closing "Name));" survived]
Name));
                // NOTE(review): only the second character of the name is compared, so
                // ".tls" or any other ".t..." section matches as well — compare the
                // full ".text" name.
                if ((sections+i)->Name[1]=='t')
                {
                    DWORD dwWriteStart ,dwWriteEnd ;   // uninitialised; assigned in the lost part of the loop
                    DWORD dwCodeSize = (sections+i)->SizeOfRawData ;
                    DWORD dwVirtualAddress = (sections+i)->VirtualAddress ;
                    LPBYTE lpCodeAddr = (LPBYTE)lpBuffer+dwVirtualAddress ;   // section bytes in the file view
                    int j = 0;
                    for ( ;j
                    // [lost in extraction: the remainder of CounterHookdll — the scan that
                    //  picks the write range, the WriteProcessMemory call and every closing
                    //  brace. The revised listing later on this page is complete.]

  

今天对CounterHookdll 进行了兼容性改进:

1. 改进了写入结束地址 end 的获取方式:从高地址向低地址按 16 字节步长扫描代码节,找到第一个全零的 16 字节块,以该偏移作为写入结束位置

2. 增加 hash 计算:写入前分别计算已加载模块与文件映像中对应代码区间的 hash,写入后再次计算模块 hash 并与文件 hash 比较,以判断写入是否成功

3. 发现被 inline hook 的 dll:写入前若模块 hash 与文件 hash 不一致,即判定该 dll 的代码段已被 inline hook 并打印提示

增加一些打印信息(模块路径、映射对象名、两份 hash 值、写入大小以及写入结果)

// Revised CounterHookdll (see the change notes above): restores the code section
// of the DLL named by strDllName from a fresh SEC_IMAGE mapping of its on-disk
// file, reports an inline hook when the live bytes hash differently from the
// file bytes, and re-hashes after the write to confirm it took.
// Design limits visible here: the on-disk file is treated as the trusted
// reference, only the first section whose name has 't' as its second character
// is examined, and only the range between the first non-padding byte and the
// last fully-zero 16-byte block is compared/restored. Hooks placed via import or
// export tables, or in a different copy of the module, are out of scope.
// x86-only: module addresses are truncated to DWORD. Two stretches of the body
// were lost when this page was extracted (marked below); brace nesting after
// them is reconstructed approximately. Relies on CalcHash(), not in this listing.
void CounterHookdll(LPWSTR strDllName)
{
    WCHAR wszModuleName[MAX_PATH];
    DWORD dwZeroMem[4];               // 16 zero bytes: the end-of-code marker searched for below
    DWORD dwFileSizeH;
    DWORD dwFileSizeL;
    IMAGE_DOS_HEADER* dosHead;
    IMAGE_NT_HEADERS* peHead;
    IMAGE_SECTION_HEADER* sections;
    int sectionCount ;
    HMODULE h = LoadLibraryW(strDllName);
    // NOTE(review): LoadLibraryW reports failure with NULL, not INVALID_HANDLE_VALUE,
    // so this guard never fires on a failed load and GetModuleFileName below is
    // then called with a NULL module (which, per the API contract, names the
    // calling executable instead). Compare against NULL.
    if (h == INVALID_HANDLE_VALUE)
    {
        return ;
    }
    GetModuleFileName(h,wszModuleName,MAX_PATH);      // on-disk path of the loaded module
    printf("\r\n\r\n%S\r\n",wszModuleName);
    ZeroMemory(dwZeroMem,sizeof(dwZeroMem));
    HANDLE hFile = CreateFile(wszModuleName,GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL|FILE_ATTRIBUTE_SYSTEM, NULL);
    DWORD dwError = GetLastError();                   // never read
    if (hFile != INVALID_HANDLE_VALUE)
    {
        dwFileSizeL = GetFileSize(hFile,&dwFileSizeH);
        // wszModuleName is reused as scratch for the mapping name; fine, the file
        // is already open.
        // NOTE(review): a named section object is visible in the session object
        // namespace. If an object with that name already exists, CreateFileMappingW
        // returns that object (GetLastError() == ERROR_ALREADY_EXISTS) rather than a
        // fresh image of this file — so the "clean" bytes written into the live DLL
        // below could come from somewhere else entirely. rand() is never seeded, so
        // the name sequence is predictable. An unnamed mapping (NULL, as in the
        // first version) avoids this; at minimum reject ERROR_ALREADY_EXISTS.
        wsprintf(wszModuleName,L"names%d",rand());
        printf("map-name %S\r\n",wszModuleName);
        HANDLE hMap = CreateFileMappingW(hFile,NULL,PAGE_READONLY|SEC_IMAGE,dwFileSizeH,dwFileSizeL,wszModuleName);
        DWORD dwError = GetLastError();               // shadows the outer dwError; also never read
        if (hMap!= NULL)
        {
            // SEC_IMAGE view: sections sit at their VirtualAddress, so the same RVA
            // arithmetic applies to the view and to the loaded module.
            // NOTE(review): MapViewOfFile can return NULL; it is dereferenced unchecked.
            LPVOID lpBuffer =MapViewOfFile(hMap,FILE_MAP_READ,0,0,0);
            //lpBuffer = h ;
            // Only the DOS "MZ" signature is validated; the PE signature check is
            // left commented out.
            if ((*(LPWORD)lpBuffer) == 0x5a4d/* && ((LPBYTE)lpBuffer+ (*(LPDWORD)((LPBYTE)lpBuffer+0x3c))==0x4550*/)
            {
                //                 DWORD dwOffset = *(LPDWORD)((LPBYTE)lpBuffer+0x3c);
                //                 if (*(LPWORD)((LPBYTE)lpBuffer+dwOffset) == 0x4550)
                //                 {
                //
                //                 }
                dosHead = (IMAGE_DOS_HEADER*)lpBuffer;
                peHead = (IMAGE_NT_HEADERS*)((LPBYTE)lpBuffer+dosHead->e_lfanew);
                sectionCount = peHead->FileHeader.NumberOfSections;
                // Section table immediately follows the NT headers.
                sections = (IMAGE_SECTION_HEADER*)((LPBYTE)peHead+sizeof(IMAGE_NT_HEADERS));
                for (int i=0;i
                // [lost in extraction: the loop condition/increment and the call that
                //  prints each section name; only its closing "Name));" survived]
Name));
                // NOTE(review): only the second character of the name is compared, so
                // ".tls" or any other ".t..." section matches as well — compare the
                // full ".text" name.
                if ((sections+i)->Name[1]=='t')
                {
                    DWORD dwWriteStart ,dwWriteEnd ;   // both start uninitialised
                    DWORD dwCodeSize = (sections+i)->SizeOfRawData ;
                    DWORD dwVirtualAddress = (sections+i)->VirtualAddress ;
                    LPBYTE lpCodeAddr = (LPBYTE)lpBuffer+dwVirtualAddress ;   // section bytes in the file view
                    int j = 0;
                    for ( ;j
                    // [lost in extraction: the forward scan over j that sets dwWriteStart,
                    //  and the header of the backward scan below, whose variable e is
                    //  decremented in 16-byte steps and which stops at dwWriteStart]
dwWriteStart; )
                    {
                        // if (*(LPDWORD)(lpCodeAddr+e) == 0 && *(LPDWORD)(lpCodeAddr+e+16)==0)
                        // {
                        // dwWriteEnd = e ;
                        // }
                        // Walk downwards until a fully-zero 16-byte block is found; that
                        // offset becomes the end of the range to compare and restore.
                        // NOTE(review): if no such block exists before dwWriteStart,
                        // dwWriteEnd is never assigned and dwMemSize below is garbage,
                        // which then sizes the WriteProcessMemory call. IsBadReadPtr is
                        // also documented by Microsoft as unreliable for this purpose.
                        if (!IsBadReadPtr( lpCodeAddr+e,sizeof(dwZeroMem)) && memcmp(lpCodeAddr+e,dwZeroMem,sizeof(dwZeroMem))==0)
                        {
                            printf("find End \r\n");
                            dwWriteEnd = e ;
                            break;
                        }
                        e-=sizeof(dwZeroMem);
                    }
                    //dwCodeSize +=5;
                    DWORD dwOldAtr=0;                          // unused: page protection is left to WriteProcessMemory
                    DWORD dwMem,dwMem2,dwHHash,dwFileHash ,dwMemSize;
                    dwMem = (DWORD)h+dwVirtualAddress+dwWriteStart;         // live code in the loaded module
                    dwMem2 = (DWORD)((LPBYTE)lpCodeAddr+dwWriteStart );      // same range in the file view
                    dwMemSize = dwWriteEnd-dwWriteStart;
                    // Hash both copies; a mismatch before writing is reported as an inline hook.
                    // NOTE(review): the file view is a separate SEC_IMAGE mapping. If it was
                    // placed at a different base than the loaded module, x86 absolute
                    // addresses inside the code legitimately differ — that would both
                    // produce a false "inline hook" report and make the restore below write
                    // wrong addresses into the live DLL. Confirm the two bases match first.
                    dwHHash = CalcHash((LPBYTE)dwMem,dwMemSize);
                    dwFileHash = CalcHash((LPBYTE)dwMem2,dwMemSize);
                    printf("MODULE hash %d FILE hash %d \r\n",dwHHash,dwFileHash);   // DWORDs printed as signed
                    if (dwHHash!= dwFileHash)
                    {
                        printf("XXXXXXXXXXXX find inline hook **************** \r\n");
                    }
                    printf("Will WriteMemory Size %d \r\n",dwMemSize);
                    // Overwrite the live range with the file bytes (INVALID_HANDLE_VALUE is
                    // used as the current-process pseudo-handle), then re-hash to confirm.
                    // The write happens whether or not a hook was detected.
                    if(WriteProcessMemory(INVALID_HANDLE_VALUE,(LPVOID)dwMem,(LPVOID)dwMem2,dwWriteEnd-dwWriteStart,NULL))
                    {
                        dwHHash = CalcHash((LPBYTE)dwMem,dwMemSize);
                        if (dwHHash != dwFileHash)
                        {
                            printf("WriteMemory OK but hash is incorrect!");
                        }
                        printf(" WriteMemory OK\r\n");
                    }else
                    {
                        printf(" WriteMemory Failed\r\n");
                    }
                    break;
                }
            }
            break;
        }
    }
    // [nesting from here on is approximate: blocks opened in the lost text above
    //  close here]
    // NOTE(review): the view is never unmapped and hMap is never closed, so both
    // leak on every call; the LoadLibraryW reference is never released either.
    //UnmapViewOfFile(lpBuffer);
    }
    }
    CloseHandle(hFile);
}}

 

转载于:https://www.cnblogs.com/M4ster/p/counter_hook.html
