Windows下的函数hook技术
2007-01-26 02:36
351 查看
讨论了Windows下hook函数的几种方法。提供了一个hook TextOutA的完整例子。通过CreateRemoteThread的方法把hook dll注入到一个普通的应用程序中。Hooking Imported Functions by name调用 imported functions'时的步骤/实现在程序中调用从其它模块引入的函数的方法和普通的函数调用有所不同。对于普通的函数调用,直接使用call address来调用即可,但是对于imported functions ,在编译的时候compiler/link 并不知道实际的函数实现会被加载到那个地址,函数实现在那个地址在运行的时候才会确定。对于imported functions ,首先是call 引入表中的一个函数,在运行时再初始化引入表,使用 jmp 跳转到真实的函数实现。
引入表:
The PE file IMAGE_IMPORT_DESCRIPTOR structure, which holds all the information about functions imported from a specific DLL, has pointers to two arrays in the executable. These arrays are called import address tables (IATs), or sometimes thunk data arrays. The first pointer references the real IAT, which the program loader fixes up when the executable is loaded. The second pointer references the original IAT, which is untouched by the loader and lists the imported functions.
实现原理
找到PE文件的Image_Import_Descriptor 结构
找到Original LAT和Real LAT.
通过要hook 的函数的名字在Original LAT找到要hook的imported function在数组中的index.
保存并修改Real LAT在相应index的function address
(refer to John Robbins, BugsLayerUtil.dll)
。有两种可能的办法处理这种情况:
第一种方法,遍历进程空间,发现call 指定函数的地方替换为 call hookFunction. 太麻烦,而且不安全。
第二种方法,改写要hook的函数FuncA
。比较好的方法
实现HookFuncA ,最后的实现垫入n个nop.
找到要hook的函数FuncA 的绝对地址,改写前5 个字节为jmp hookFuncA( 假定前5 个字节为n 个完整的指令)
把FuncA的前5个字节拷贝到hookFuncA 的后面,在加上一条指令 jmp funcA+5.
----Code of HookDLL.dll, 可以通过CreateRemoteThread的方法把hook dll注入到一个普通的应用程序中。
// HookDLL.cpp : Defines the entry point for the DLL application.
//
#include "stdafx.h"
#include "HookDLL.h"
#include "Log.h"
//forward declare.
LRESULT WINAPI InstallTextoutHook();
LRESULT WINAPI UninstallTextoutHook();
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
if (InstallTextoutHook())
{
WriteLog("Install hook success./n");
}else
{
WriteLog("Intall hook failed./n");
}
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
if (UninstallTextoutHook())
{
WriteLog("Uninstall hook success./n");
}else
{
WriteLog("Unintall hook failed./n");
}
break;
}
return TRUE;
}
#define DWORD_PTR DWORD*
#define __LOCAL_SIZE 40h
#define NAKED_PROLOG() /
DWORD_PTR dwRet ; /
DWORD_PTR dwESI ; /
{ /
__asm PUSH EBP /* Set up the standard frame.*//
__asm MOV EBP , ESP /
__asm SUB ESP , __LOCAL_SIZE /* Save room for the local *//
/* variables. *//
__asm MOV EAX , EBP /* EBP has the stack coming *//
/* into the fn. in it. *//
__asm ADD EAX , 4 /* Account for PUSH EBP *//
__asm MOV EAX , [EAX] /* Get return address. *//
__asm MOV [dwRet] , EAX /* Save return address. *//
__asm MOV [dwESI] , ESI /* Save ESI so chkesp in dbg *//
/* builds works. *//
}// The common epilog part that can be shared between the stdcall and
// cdecl hook functions.
#define EPILOG_COMMON() /
{ /
__asm MOV ESI , [dwESI] /* Restore ESI. *//
__asm ADD ESP , __LOCAL_SIZE /* Take away local var space *//
__asm MOV ESP, EBP /* Restore standard frame. *//
__asm POP EBP /
}
#define COPY_CODE_LENGTH 5
BYTE g_abOriCode[COPY_CODE_LENGTH];
BYTE g_abJmpCode[COPY_CODE_LENGTH];
PROC g_oriTextout;
BOOL g_blHooked = FALSE;
LRESULT WINAPI InstallTextoutHook()
{
if (g_blHooked)
return TRUE;
//Get TextOutA's address.
HMODULE hGdi32 = ::LoadLibrary(_T("Gdi32.dll"));
g_oriTextout = GetProcAddress(hGdi32, _T("TextOutA"));
if (NULL == g_oriTextout)
return FALSE;
//Get the hook'a address.
HMODULE hModule = GetModuleHandle(_T("HookDLL.dll"));
if (NULL == hModule)
return FALSE;
DWORD dwHookAddr = NULL;
__asm
{
mov esi, offset HookLabel;
mov edi, 0x10000000;//0x10000000 is the dll's base address.
sub esi, edi;
add esi, hModule;
mov [dwHookAddr], esi;
}
//Get the NOP's address.
DWORD dwNOPAddr = NULL;
__asm
{
mov esi, offset NOPLabel;
mov edi, 0x10000000;//0x10000000 is the dll's base address.
sub esi, edi;
add esi, hModule;
mov [dwNOPAddr], esi;
}
//Save the first 5 byte of TextOutA to g_abOriCode
__asm
{
mov esi, g_oriTextout;
lea edi, g_abOriCode;
cld;
movsd;
movsb;
}
//Generate the jmp Hook function.
g_abJmpCode[0] = 0xe9;
__asm
{
mov eax, dwHookAddr;
mov ebx, g_oriTextout;
add ebx, 5;
sub eax, ebx;
mov dword ptr[g_abJmpCode+1], eax;
}
//Write the jump instruction to the textoutA.
DWORD dwProcessId = GetCurrentProcessId();
HANDLE hProcess = OpenProcess (PROCESS_ALL_ACCESS,
FALSE, dwProcessId);
if (NULL == hProcess)
return FALSE;
DWORD dwOldFlag;
VirtualProtectEx(hProcess, g_oriTextout, 5, PAGE_READWRITE, &dwOldFlag);
WriteProcessMemory(hProcess, g_oriTextout, g_abJmpCode, sizeof(g_abJmpCode), NULL);
VirtualProtectEx(hProcess, g_oriTextout, 5, dwOldFlag, NULL);
//Write g_abOriTextout to the end of Hook function(NOP addr), then write the jmp instruction.
VirtualProtectEx(hProcess, (LPVOID)dwNOPAddr, 10, PAGE_READWRITE, &dwOldFlag);
WriteProcessMemory(hProcess, (LPVOID)dwNOPAddr, g_abOriCode, sizeof(g_abOriCode), NULL);
//Generate the jmp TextoutA + 5
__asm
{
mov eax, g_oriTextout;
mov ebx, dwNOPAddr;
add ebx, 5;
sub eax, ebx;
mov dword ptr[g_abJmpCode+1], eax;
}
WriteProcessMemory(hProcess, (LPVOID)(dwNOPAddr+5), g_abJmpCode, sizeof(g_abJmpCode), NULL);
VirtualProtectEx(hProcess, (LPVOID)dwNOPAddr, 10, dwOldFlag, NULL);
g_blHooked = TRUE;
if(TRUE)
return TRUE;
HookLabel:
NAKED_PROLOG ( ) ;
int nx, ny;
LPCSTR lp;
lp = NULL;
_asm
{
mov esi, ebp;
add esi, 0Ch;
lea edi, nx;
movsd;
lea edi, ny;
movsd;
lea edi, lp;
movsd;
}
WriteLog_F("Try to ouput /"%s/" at (%d,%d)/n", lp, nx, ny);
// Do the common epilog.
EPILOG_COMMON ( ) ;
NOPLabel:
_asm NOP
_asm NOP
_asm NOP
_asm NOP
_asm NOP
_asm NOP
_asm NOP
_asm NOP
_asm NOP
_asm NOP
_asm NOP
}
LRESULT WINAPI UninstallTextoutHook()
{
if (!g_blHooked)
return FALSE;
//Restore the first 5 bytes code of TextOutA
DWORD dwProcessId = GetCurrentProcessId();
HANDLE hProcess = OpenProcess (PROCESS_ALL_ACCESS,
FALSE, dwProcessId);
if (NULL == hProcess)
return FALSE;
DWORD dwOldFlag;
VirtualProtectEx(hProcess, g_oriTextout, 5, PAGE_READWRITE, &dwOldFlag);
WriteProcessMemory(hProcess, g_oriTextout, g_abOriCode, sizeof(g_abOriCode), NULL);
VirtualProtectEx(hProcess, g_oriTextout, 5, dwOldFlag, NULL);
g_blHooked = FALSE;
return TRUE;
}
引入表:
The PE file IMAGE_IMPORT_DESCRIPTOR structure, which holds all the information about functions imported from a specific DLL, has pointers to two arrays in the executable. These arrays are called import address tables (IATs), or sometimes thunk data arrays. The first pointer references the real IAT, which the program loader fixes up when the executable is loaded. The second pointer references the original IAT, which is untouched by the loader and lists the imported functions.
实现原理
找到PE文件的Image_Import_Descriptor 结构
找到Original LAT和Real LAT.
通过要hook 的函数的名字在Original LAT找到要hook的imported function在数组中的index.
保存并修改Real LAT在相应index的function address
(refer to John Robbins, BugsLayerUtil.dll)
Hooking Imported Functions by ordinal
原理和 Hook Imported functions by name 一样,只是是通过要 hook 的函数的 ordinal 在 original LAT 中找到index.Hooking a function in this dll
当一个DLL 是通过LoadLibrary 载入的时候,我们无法通过hook imported function 的方法的hook它中的function。有两种可能的办法处理这种情况:
第一种方法,遍历进程空间,发现call 指定函数的地方替换为 call hookFunction. 太麻烦,而且不安全。
第二种方法,改写要hook的函数FuncA
。比较好的方法
实现HookFuncA ,最后的实现垫入n个nop.
找到要hook的函数FuncA 的绝对地址,改写前5 个字节为jmp hookFuncA( 假定前5 个字节为n 个完整的指令)
把FuncA的前5个字节拷贝到hookFuncA 的后面,在加上一条指令 jmp funcA+5.
----Code of HookDLL.dll, 可以通过CreateRemoteThread的方法把hook dll注入到一个普通的应用程序中。
// HookDLL.cpp : Defines the entry point for the DLL application.
//
#include "stdafx.h"
#include "HookDLL.h"
#include "Log.h"
//forward declare.
LRESULT WINAPI InstallTextoutHook();
LRESULT WINAPI UninstallTextoutHook();
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
if (InstallTextoutHook())
{
WriteLog("Install hook success./n");
}else
{
WriteLog("Intall hook failed./n");
}
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
if (UninstallTextoutHook())
{
WriteLog("Uninstall hook success./n");
}else
{
WriteLog("Unintall hook failed./n");
}
break;
}
return TRUE;
}
#define DWORD_PTR DWORD*
#define __LOCAL_SIZE 40h
#define NAKED_PROLOG() /
DWORD_PTR dwRet ; /
DWORD_PTR dwESI ; /
{ /
__asm PUSH EBP /* Set up the standard frame.*//
__asm MOV EBP , ESP /
__asm SUB ESP , __LOCAL_SIZE /* Save room for the local *//
/* variables. *//
__asm MOV EAX , EBP /* EBP has the stack coming *//
/* into the fn. in it. *//
__asm ADD EAX , 4 /* Account for PUSH EBP *//
__asm MOV EAX , [EAX] /* Get return address. *//
__asm MOV [dwRet] , EAX /* Save return address. *//
__asm MOV [dwESI] , ESI /* Save ESI so chkesp in dbg *//
/* builds works. *//
}// The common epilog part that can be shared between the stdcall and
// cdecl hook functions.
#define EPILOG_COMMON() /
{ /
__asm MOV ESI , [dwESI] /* Restore ESI. *//
__asm ADD ESP , __LOCAL_SIZE /* Take away local var space *//
__asm MOV ESP, EBP /* Restore standard frame. *//
__asm POP EBP /
}
#define COPY_CODE_LENGTH 5
BYTE g_abOriCode[COPY_CODE_LENGTH];
BYTE g_abJmpCode[COPY_CODE_LENGTH];
PROC g_oriTextout;
BOOL g_blHooked = FALSE;
LRESULT WINAPI InstallTextoutHook()
{
if (g_blHooked)
return TRUE;
//Get TextOutA's address.
HMODULE hGdi32 = ::LoadLibrary(_T("Gdi32.dll"));
g_oriTextout = GetProcAddress(hGdi32, _T("TextOutA"));
if (NULL == g_oriTextout)
return FALSE;
//Get the hook'a address.
HMODULE hModule = GetModuleHandle(_T("HookDLL.dll"));
if (NULL == hModule)
return FALSE;
DWORD dwHookAddr = NULL;
__asm
{
mov esi, offset HookLabel;
mov edi, 0x10000000;//0x10000000 is the dll's base address.
sub esi, edi;
add esi, hModule;
mov [dwHookAddr], esi;
}
//Get the NOP's address.
DWORD dwNOPAddr = NULL;
__asm
{
mov esi, offset NOPLabel;
mov edi, 0x10000000;//0x10000000 is the dll's base address.
sub esi, edi;
add esi, hModule;
mov [dwNOPAddr], esi;
}
//Save the first 5 byte of TextOutA to g_abOriCode
__asm
{
mov esi, g_oriTextout;
lea edi, g_abOriCode;
cld;
movsd;
movsb;
}
//Generate the jmp Hook function.
g_abJmpCode[0] = 0xe9;
__asm
{
mov eax, dwHookAddr;
mov ebx, g_oriTextout;
add ebx, 5;
sub eax, ebx;
mov dword ptr[g_abJmpCode+1], eax;
}
//Write the jump instruction to the textoutA.
DWORD dwProcessId = GetCurrentProcessId();
HANDLE hProcess = OpenProcess (PROCESS_ALL_ACCESS,
FALSE, dwProcessId);
if (NULL == hProcess)
return FALSE;
DWORD dwOldFlag;
VirtualProtectEx(hProcess, g_oriTextout, 5, PAGE_READWRITE, &dwOldFlag);
WriteProcessMemory(hProcess, g_oriTextout, g_abJmpCode, sizeof(g_abJmpCode), NULL);
VirtualProtectEx(hProcess, g_oriTextout, 5, dwOldFlag, NULL);
//Write g_abOriTextout to the end of Hook function(NOP addr), then write the jmp instruction.
VirtualProtectEx(hProcess, (LPVOID)dwNOPAddr, 10, PAGE_READWRITE, &dwOldFlag);
WriteProcessMemory(hProcess, (LPVOID)dwNOPAddr, g_abOriCode, sizeof(g_abOriCode), NULL);
//Generate the jmp TextoutA + 5
__asm
{
mov eax, g_oriTextout;
mov ebx, dwNOPAddr;
add ebx, 5;
sub eax, ebx;
mov dword ptr[g_abJmpCode+1], eax;
}
WriteProcessMemory(hProcess, (LPVOID)(dwNOPAddr+5), g_abJmpCode, sizeof(g_abJmpCode), NULL);
VirtualProtectEx(hProcess, (LPVOID)dwNOPAddr, 10, dwOldFlag, NULL);
g_blHooked = TRUE;
if(TRUE)
return TRUE;
HookLabel:
NAKED_PROLOG ( ) ;
int nx, ny;
LPCSTR lp;
lp = NULL;
_asm
{
mov esi, ebp;
add esi, 0Ch;
lea edi, nx;
movsd;
lea edi, ny;
movsd;
lea edi, lp;
movsd;
}
WriteLog_F("Try to ouput /"%s/" at (%d,%d)/n", lp, nx, ny);
// Do the common epilog.
EPILOG_COMMON ( ) ;
NOPLabel:
_asm NOP
_asm NOP
_asm NOP
_asm NOP
_asm NOP
_asm NOP
_asm NOP
_asm NOP
_asm NOP
_asm NOP
_asm NOP
}
LRESULT WINAPI UninstallTextoutHook()
{
if (!g_blHooked)
return FALSE;
//Restore the first 5 bytes code of TextOutA
DWORD dwProcessId = GetCurrentProcessId();
HANDLE hProcess = OpenProcess (PROCESS_ALL_ACCESS,
FALSE, dwProcessId);
if (NULL == hProcess)
return FALSE;
DWORD dwOldFlag;
VirtualProtectEx(hProcess, g_oriTextout, 5, PAGE_READWRITE, &dwOldFlag);
WriteProcessMemory(hProcess, g_oriTextout, g_abOriCode, sizeof(g_abOriCode), NULL);
VirtualProtectEx(hProcess, g_oriTextout, 5, dwOldFlag, NULL);
g_blHooked = FALSE;
return TRUE;
}
相关文章推荐
- Windows下的函数hook技术
- Windows下的函数hook技术
- 基于HOOK和MMF的Windows密码渗透技术 (转载)
- Hook API相关技术以及例子,Hook API的原理其实是通过核心函数强制修改原API的头部指针
- 初识Windows HOOK 钩子技术
- windows 编程钩子技术初尝(hook)
- 如何通过HOOK改变windows的API函数(找到函数的相对偏移)
- Windows下Hook API技术 inline hook
- windows hook技术入门
- XP下的进程静音技术(遍历进程,遍历输入模块,遍历输入函数,找到函数并HOOK) good
- windows技术----HOOK技术学习
- windows hook技术入门
- windows键盘的过滤(HOOK分发函数)
- 基于HOOK和MMF的Windows密码渗透技术
- Hook技术之消息拦截(Windows Hook )
- <学习笔记>Windows驱动开发技术详解__派遣函数
- 基于HOOK和MMF的Windows密码渗透技术
- 基于HOOK和MMF的Windows密码渗透技术
- <学习笔记>Windows驱动开发技术详解__派遣函数
- Windows下Hook API技术 inline hook