编写dll处理hook逻辑,注入到目标进程,实现api hook。
Windows10 notepad,通过hook kernel32.dll.WriteFile,实现小写字母转大写保存到文件。
hook前kernel32.dll.WriteFile入口:
kernel32.dll.WriteFile在调用时入口是条jmp指令
跳转后
hook时通过GetProcAddress得到的是jmp处的地址,在jmp指令周边有一些int 3指令,这些空间可以用来做一些跳转操作。
#include "pch.h" #include <tchar.h> #define DLLNAME "kernel32.dll" #define WRITEFILE "WriteFile" BYTE g_pOrgBytes[6] = { 0 }; FARPROC g_writefile = GetProcAddress(GetModuleHandleA(DLLNAME), WRITEFILE); //此函数用来将api前5个字节改为jmp xxxx BOOL hook_by_code(FARPROC pfnOrg, PROC pfnNew, PBYTE pOrgBytes) { DWORD dwOldProtect, dwAddress; BYTE pBuf[6] = { 0xE9,0,0,0,0, 0x90}; PBYTE pByte; pByte = (PBYTE)pfnOrg; if (pByte[0] == 0xE9)//若已被勾取,则返回False return FALSE; VirtualProtect((LPVOID)pfnOrg, 12, PAGE_EXECUTE_READWRITE, &dwOldProtect);//为了修改字节,先向内存添加“写”的属性 memcpy(pOrgBytes, pfnOrg, 6);//备份原有代码 dwAddress = (DWORD64)pfnNew - (DWORD64)pfnOrg - 5;//计算JMP地址 => XXXX = pfnNew - pfnOrg - 5 memcpy(&pBuf[1], &dwAddress, 4);//E9,剩下后面4个字节为跳转的地址 memcpy(pfnOrg, pBuf, 6);//复制指令,跳转到hook逻辑 memcpy(&pByte[6], pOrgBytes, 6);//后面的int 3指令进行修改,跳转到原api逻辑 pByte[8] -= 6;//修正跳转偏移 VirtualProtect((LPVOID)pfnOrg, 12, dwOldProtect, &dwOldProtect);//恢复内存属性 return TRUE; } BOOL unhook_by_code(FARPROC pFunc, PBYTE pOrgBytes) { DWORD dwOldProtect; PBYTE pByte; pByte = (PBYTE)pFunc; if (pByte[0] != 0xE9)//若已脱钩,则返回False return FALSE; VirtualProtect((LPVOID)pFunc, 6, PAGE_EXECUTE_READWRITE, &dwOldProtect);//向内存添加“写”的属性,为恢复原代码做准备 memcpy(pFunc, pOrgBytes, 6);//脱钩 VirtualProtect((LPVOID)pFunc, 6, dwOldProtect, &dwOldProtect);//恢复内存属性 return TRUE; } //WINBASEAPI //BOOL //WINAPI //WriteFile( // _In_ HANDLE hFile, // _In_reads_bytes_opt_(nNumberOfBytesToWrite) LPCVOID lpBuffer, // _In_ DWORD nNumberOfBytesToWrite, // _Out_opt_ LPDWORD lpNumberOfBytesWritten, // _Inout_opt_ LPOVERLAPPED lpOverlapped //); typedef BOOL(WINAPI* PFWriteFile)( _In_ HANDLE hFile, _In_reads_bytes_opt_(nNumberOfBytesToWrite) LPCVOID lpBuffer, _In_ DWORD nNumberOfBytesToWrite, _Out_opt_ LPDWORD lpNumberOfBytesWritten, _Inout_opt_ LPOVERLAPPED lpOverlapped ); BOOL WINAPI MyWriteFile( _In_ HANDLE hFile, _In_reads_bytes_opt_(nNumberOfBytesToWrite) LPCVOID lpBuffer, _In_ DWORD nNumberOfBytesToWrite, _Out_opt_ LPDWORD lpNumberOfBytesWritten, _Inout_opt_ LPOVERLAPPED lpOverlapped) { PBYTE ptr = (PBYTE)g_writefile; //unhook_by_code(g_writefile, g_pOrgBytes); BOOL ret = TRUE; char* pc = (char*)lpBuffer; while (*pc) { if (*pc >= ‘a‘ && *pc <= ‘z‘) { *pc -= 0x20; } pc++; } ret = ((PFWriteFile)(ptr+6))(hFile, lpBuffer, nNumberOfBytesToWrite, lpNumberOfBytesWritten, lpOverlapped);//原入口偏移+6处是修正的原jmp指令 //hook_by_code(g_writefile, (PROC)MyWriteFile, g_pOrgBytes); return ret; } BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: hook_by_code(g_writefile,(PROC)MyWriteFile, g_pOrgBytes); break; case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: break; case DLL_PROCESS_DETACH: unhook_by_code(g_writefile,g_pOrgBytes); break; } return TRUE; }
hook效果: