[Share] HOOK API LIB 0.3 for VC
2007-8-27 08:41  10463

Thanks to xIkUg, sucsor, 一个刀客, dongcan

#include <windows.h>
#include <stdio.h>

#pragma comment (linker, "/Filealign:0x200")

#pragma comment(linker, "/SECTION:.text,REW" ) // make the .text section readable, executable and writable (the test in main writes into its own code)
#pragma comment(linker, "/MERGE:.data=.text")  // merge into .text
#pragma comment(linker, "/MERGE:.rdata=.text") // merge into .text
#pragma comment(linker, "/subsystem:windows /entry:main")

// Re-entrancy guard for the test hook: My_WriteProcessMemory calls the very API
// it hooks, so without this flag it would keep triggering itself.
boolean IsMe=false;

int GetOpCodeSize(PVOID Start);
boolean SetOnBefore(PCHAR DllName,PCHAR ApiName,PVOID HookProc);
boolean SetOnAfter(PCHAR DllName,PCHAR ApiName,PVOID HookProc);
void My_WriteProcessMemory(DWORD Eax,DWORD RetAddr,HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, DWORD nSize, LPDWORD lpNumberOfBytesWritten);

// Length-decoder mask table: entries 0x00-0xFF describe the one-byte opcode map,
// entries 0x100-0x1FF the 0F-prefixed map. Roughly: 0x08 = prefix byte (the
// decoder keeps reading), 0x1000 = operand-size prefix, 0x10 = address-size
// prefix, 0x4000 = a ModRM byte follows, 0x100 = imm8, 0x200 = imm16,
// 0x2000 = imm32, 0x8000 = imm8 or imm32 depending on the opcode's low bit,
// 0x20 = moffs operand, 0xFFFFFFFF = not handled (GetOpCodeSize returns -1).
static unsigned long MaskTable[518]={
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00008000, 0x00008000, 0x00000000, 0x00000000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00008000, 0x00008000, 0x00000000, 0x00000000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00008000, 0x00008000, 0x00000000, 0x00000000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00008000, 0x00008000, 0x00000000, 0x00000000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00008000, 0x00008000, 0x00000008, 0x00000000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00008000, 0x00008000, 0x00000008, 0x00000000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00008000, 0x00008000, 0x00000008, 0x00000000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00008000, 0x00008000, 0x00000008, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00004000, 0x00004000,
0x00000008, 0x00000008, 0x00001008, 0x00000018,
0x00002000, 0x00006000, 0x00000100, 0x00004100,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000100, 0x00000100, 0x00000100, 0x00000100,
0x00000100, 0x00000100, 0x00000100, 0x00000100,
0x00000100, 0x00000100, 0x00000100, 0x00000100,
0x00000100, 0x00000100, 0x00000100, 0x00000100,
0x00004100, 0x00006000, 0x00004100, 0x00004100,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00002002, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000020, 0x00000020, 0x00000020, 0x00000020,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000100, 0x00002000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000100, 0x00000100, 0x00000100, 0x00000100,
0x00000100, 0x00000100, 0x00000100, 0x00000100,
0x00002000, 0x00002000, 0x00002000, 0x00002000,
0x00002000, 0x00002000, 0x00002000, 0x00002000,
0x00004100, 0x00004100, 0x00000200, 0x00000000,
0x00004000, 0x00004000, 0x00004100, 0x00006000,
0x00000300, 0x00000000, 0x00000200, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00000100, 0x00000100, 0x00000000, 0x00000000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00000100, 0x00000100, 0x00000100, 0x00000100,
0x00000100, 0x00000100, 0x00000100, 0x00000100,
0x00002000, 0x00002000, 0x00002002, 0x00000100,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000008, 0x00000000, 0x00000008, 0x00000008,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00004000, 0x00004000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0xFFFFFFFF,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0x00002000, 0x00002000, 0x00002000, 0x00002000,
0x00002000, 0x00002000, 0x00002000, 0x00002000,
0x00002000, 0x00002000, 0x00002000, 0x00002000,
0x00002000, 0x00002000, 0x00002000, 0x00002000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00000000, 0x00000000, 0x00000000, 0x00004000,
0x00004100, 0x00004000, 0xFFFFFFFF, 0xFFFFFFFF,
0x00000000, 0x00000000, 0x00000000, 0x00004000,
0x00004100, 0x00004000, 0xFFFFFFFF, 0x00004000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0xFFFFFFFF, 0xFFFFFFFF, 0x00004100, 0x00004000,
0x00004000, 0x00004000, 0x00004000, 0x00004000,
0x00004000, 0x00004000, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0x00000000, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
0xFFFFFFFF, 0xFFFFFFFF
};

static BYTE JMPGate[5] = {
  0xE9, 0x00, 0x00, 0x00, 0x00   // JMP rel32; SetOnBefore/SetOnAfter fill in the displacement
};

// Returns the length in bytes of the instruction at Start (32-bit code, legacy
// prefixes included), or -1 when the opcode is not in the table. Used to decide
// how many whole instructions to displace for the 5-byte JMP.
int GetOpCodeSize(PVOID Start)
{
  DWORD* Tlb=(DWORD*)MaskTable;
  PBYTE pOPCode;
  DWORD t, c;
  BYTE dh, dl, al;
  int OpCodeSize =-1;

  t = 0;
  pOPCode = (PBYTE) Start;
  c = 0;

  do {
    t &= 0x0F7;
    c = *(BYTE *) pOPCode++;
    t |= Tlb[c] ;
  } while( ((t & 0x000000FF) & 8) != 0);

  if ((c == 0x0F6) || (c == 0x0F7))
  {
    t |= 0x00004000;
    if ( (0x38 & *(BYTE *) pOPCode++) == 0)
      t |= 0x00008000;
  }
  else if (c == 0x0CD)
  {
    t |= 0x00000100;
    if ( (*(BYTE *) pOPCode++) == 0x20)
      t |= 0x00000400;
  }
  else if (c == 0x0F)
  {
    al = *(BYTE *) pOPCode++;
    t |= Tlb[al + 0x100];
    if (t == 0xFFFFFFFF)
      return OpCodeSize;
  }

  if ((((t & 0x0000FF00) >> 8) & 0x80) != 0)
  {
    dh = (t & 0x0000FF00) >> 8;
    dh ^= 0x20;
    if ((c & 1) == 0)
      dh ^= 0x21;
    t &= 0xFFFF00FF;
    t |= (dh << 8);
  }

  if ((((t & 0x0000FF00) >> 8) & 0x40) != 0 )
  {
    al = *(BYTE *) pOPCode++;
    c = (DWORD)al;
    c |= (al << 8);
    c &= 0xC007;
    if ( (c & 0x0000FF00) != 0xC000 )
    {
      if ( ((t & 0x000000FF) & 0x10) == 0)
      {
          if ((c & 0x000000FF) == 4)
          {
            al = *(BYTE *) pOPCode++;
            al &= 7;
            c &= 0x0000FF00;
            c |= al;
          }
         
          if ((c & 0x0000FF00) != 0x4000)
          {
            if ((c & 0x0000FF00) == 0x8000)   t |= 4;
            else if (c==5) t |= 4;
          }
          else
            t |= 1;
      }
      else
      {
          if (c != 6)
          {
            if((c & 0x0000FF00) == 0x4000)
              t |= 1;
            else if ((c & 0x0000FF00) == 0x8000)
              t |= 2;
          }
          else
            t |= 2;
      }
    }
  }

  if ((((t & 0x000000FF)) & 0x20) != 0)
  {
    dl = t & 0x000000FF;
    dl ^= 2;
    t &= 0xFFFFFF00;
    t |= dl;
    if ((dl & 0x10) == 0)
    {
      dl ^= 6;
      t &= 0xFFFFFF00;
      t |= dl;
    }
  }
  if ((((t & 0x0000FF00) >> 8) & 0x20) != 0)
  {
    dh = (t & 0x0000FF00) >> 8;
    dh ^= 2;
    t &= 0xFFFF00FF;
    t |= (dh << 8);
    if ((dh & 0x10) == 0)
    {
      if (dh & 0x40) // opcode of the form 0x6x?
          dh ^= (t & 0xFF);   // this line was changed; it fixes the computed size of a few instructions
      t &= 0xFFFFFF00;
      t |= dh;
    }
  }

  OpCodeSize = (DWORD) pOPCode - (DWORD) Start;
  t &= 0x707;
  OpCodeSize += t & 0x000000FF;
  OpCodeSize += (t & 0x0000FF00) >> 8;

  if (((*(char*)Start) & 0x000000FF) == 0x66) // special-case a leading 66h (operand-size prefix)
    if ( OpCodeSize >= 6)   // 1 byte 66h, 1 byte opcode, 4 bytes operand: so at least 6 bytes
      OpCodeSize -= 2;   // subtract 2: the dword operand becomes a word

  return OpCodeSize;
}

// Template for the "before" stub. SetOnBefore copies the bytes between
// Stub_Begin and Stub_End into executable memory and patches the constants, so
// the code must be position independent (hence the call/pop tricks). The four
// "mov eax, offset ..." after the leading short jmp are never executed; they
// only let SetOnBefore read the label offsets out of the template.
__declspec(naked) void HookBeforeStub()
{
Stub_Begin:
  __asm
  {
    jmp Code_Begin
    mov eax, offset Stub_Begin
    mov eax, offset Stub_Data
    mov eax, offset Stub_End
    mov eax, offset SaveEntry  
Code_Begin:
    call next1
next1:
    pop ecx
    sub ecx, offset next1
    lea ecx, [ecx + Stub_Data]       // ecx = Stub_Data of this copy of the stub
    mov eax, [ecx + 4]               // nesting level
    mov [ecx + eax * 4 + 0x8],esp    // SaveEsp[level] = ESP (points at the caller's return address)
    inc [ecx + 4]
    call [ecx]                       // HookProc(RetAddr, original args...) on the caller's stack

    call next2
next2:
    pop ecx
    sub ecx, offset next2
    lea ecx, [ecx + Stub_Data]
    dec [ecx +4]
    mov eax, [ecx + 4]
    mov esp, [ecx + eax * 4 + 0x8]   // restore ESP whatever HookProc's calling convention popped
SaveEntry:                           // the displaced entry bytes are copied here (up to 16)
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
   
    _asm _emit 0xE9                  // JMP rel32 back to ApiEntry + ReplaceCodeSize
    int 3
    int 3
    int 3
    int 3                            // rel32, filled in by SetOnBefore
Stub_Data:
HookProc:  
    int 3
    int 3
    int 3
    int 3 // address of HookProc, computed and filled in by SetOnBefore
pEsp:   
    _emit 0
    _emit 0
    _emit 0
    _emit 0 // nesting level: index of the next free SaveEsp slot; must start at 0
SaveEsp:  
    int 3
    int 3
    int 3
    int 3 // SaveEsp[0]; SetOnBefore allocates room for 0x100 slots after the stub

Stub_End:
  }
}

// Template for the "after" stub. As with HookBeforeStub, SetOnAfter copies the
// bytes between Stub_Begin and Stub_End and patches the constants; the "mov
// eax, offset ..." lines after the short jmp are only read, never executed.
// For each nesting level the stub keeps an (ESP, return address) pair after
// Stub_Data. The level counter is a plain global: nested calls on one thread
// work, concurrent calls from several threads do not.
__declspec(naked) void HookAfterStub()
{
Stub_Begin:
  __asm  
  {
  jmp Code_Begin
    mov eax, offset Stub_Begin
    mov eax, offset Stub_Data
    mov eax, offset Stub_End
    mov eax, offset SaveEntry
    mov eax, offset After_Code
Code_Begin:

  call next1
next1:
  pop ecx
  sub ecx,offset next1                   // ecx = start of this copy of the stub
  lea edx,[ecx + Stub_Data]
  mov eax, [edx + 8]                     // nesting level
  mov [edx + eax * 8 + 0xC],esp          // SaveEsp[level] = ESP at entry
  push [esp]
  pop dword ptr [edx + eax * 8 + 0x10]   // SaveRet[level] = caller's return address
  inc [edx + 8]

  lea edx,[ecx + After_Code]
  mov [esp],edx                          // make the API "return" into After_Code

SaveEntry:                               // the displaced entry bytes are copied here (up to 16)
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
   
    _asm _emit 0xE9                      // JMP rel32 back into the API past the displaced bytes
    int 3
    int 3
    int 3
    int 3                                // rel32, filled in by SetOnAfter
After_Code:                              // the API has returned: eax = its result
  sub esp,100                            // the API popped its arguments, but HookProc still needs them:
  call next2                             // move ESP below them so this call's push does not clobber them
next2:
  pop ecx
  add esp,100
  sub ecx,offset next2
  lea edx,[ecx + Stub_Data]
  mov [edx + 4] ,eax                     // SaveRetthing = the API's EAX
  dec [edx + 8]
  mov eax, [edx + 8]
  mov ecx, [edx + eax * 8 + 0xC]         // ESP at entry
  mov [edx + eax * 8 + 0xC],esp          // remember ESP as the API left it
  mov esp,ecx                            // back to the entry frame: the arguments are still there
  mov ecx, [edx + eax * 8 + 0x10]
  inc [edx + 8]
  mov [esp],ecx                          // restore the caller's return address (HookProc's RetAddr)
  push [edx + 4]                         // EAX parameter
  call [edx]                             // HookProc(EAX, RetAddr, original args...)

  call next3
next3:
  pop ecx
  sub ecx,offset next3
  lea edx, [ecx + Stub_Data]
  mov [edx + 4],eax                      // HookProc's return value replaces the API's
  dec [edx + 8]
  mov eax, [edx + 8]
  mov esp, [edx + eax * 8 + 0xC]         // ESP as the API left it (stdcall arguments already popped)
  push [edx + eax * 8 + 0x10]
  mov eax,[edx + 4]
  retn                                   // back to the original caller

Stub_Data:
HookProc:  
    int 3
    int 3
    int 3
    int 3 // address of HookProc, computed and filled in by SetOnAfter
SaveRetthing:
    int 3
    int 3
    int 3
    int 3 // temporary copy of the return value
pEsp:   
    _emit 0
    _emit 0
    _emit 0
    _emit 0 // nesting level: index of the next free SaveEsp/SaveRet pair; must start at 0
SaveEsp:
    int 3
    int 3
    int 3
    int 3 // SaveEsp[0]
SaveRet:
    int 3
    int 3
    int 3
    int 3 // SaveRet[0]; SetOnAfter allocates room for 0x100 pairs after the stub

Stub_End:

  }  
}

// Install an "after" hook on DllName!ApiName. The API entry is overwritten with
// a JMP to a private copy of HookAfterStub; the stub runs the displaced entry
// bytes, lets the API complete, then calls HookProc(EAX, RetAddr, original
// arguments...) and hands HookProc's return value to the caller. 32-bit only.
// The displaced bytes are copied verbatim, so an entry that begins with an
// EIP-relative instruction (jmp/call rel32) will misbehave; GetOpCodeSize does
// not flag that case.
boolean SetOnAfter(PCHAR DllName,PCHAR ApiName,PVOID HookProc)
{
  PVOID   ApiEntry;
  HMODULE DllHandle;
  int ReplaceCodeSize, OpSize;
  BYTE OpCode[16];
  LPVOID StubPtr;
  DWORD Addr;
  DWORD RetSize=0;
  DWORD OldProtect=0;

  DWORD SizeOfStub =0;
  DWORD DeltaData = 0;
  DWORD SaveEntry = 0;
  DWORD AfterCode = 0;

  DllHandle = GetModuleHandle(DllName);
  if (DllHandle ==0)
  {
    DllHandle = LoadLibrary(DllName);
    if (DllHandle ==0) return false;
  }

  ApiEntry = GetProcAddress(DllHandle,ApiName);
  if (ApiEntry == NULL) return false;

  // Displace whole instructions until the 5 bytes of the JMP are covered.
  // GetOpCodeSize returns -1 for an opcode it does not know; the original loop
  // kept adding that negative size, so bail out instead.
  ReplaceCodeSize = 0;
  while (ReplaceCodeSize < 5)
  {
    OpSize = GetOpCodeSize((PVOID)((DWORD)ApiEntry + (DWORD)ReplaceCodeSize));
    if (OpSize <= 0) return false;
    ReplaceCodeSize += OpSize;
  }

  if (ReplaceCodeSize > 16) return false;

  // The original passed NULL for lpflOldProtect (which makes VirtualProtect
  // fail) and returned false on success; the patch only worked because
  // WriteProcessMemory changes the protection itself.
  if (!VirtualProtect(ApiEntry,ReplaceCodeSize,PAGE_EXECUTE_READWRITE,&OldProtect))
    return false;

  CopyMemory(OpCode, ApiEntry, ReplaceCodeSize);

  // Label offsets, read from the imm32 of the "mov eax, offset ..." constants
  // that follow the template's leading 2-byte short jmp (+3, +8, +0xD, +0x12,
  // +0x17). Link without /INCREMENTAL: a jump thunk at HookAfterStub would make
  // these reads garbage.
  DeltaData = *(DWORD *)((DWORD)HookAfterStub + 0x8) - *(DWORD *) ((DWORD)HookAfterStub + 0x3);
  SizeOfStub = *(DWORD *)((DWORD)HookAfterStub + 0x0D) - *(DWORD *) ((DWORD)HookAfterStub + 0x3);
  SaveEntry = *(DWORD *)((DWORD)HookAfterStub + 0x12) - *(DWORD *) ((DWORD)HookAfterStub + 0x3);
  AfterCode = *(DWORD *)((DWORD)HookAfterStub + 0x17) - *(DWORD *) ((DWORD)HookAfterStub + 0x3);

  // Stub plus room for 0x100 (ESP, return address) pairs for nested calls
  StubPtr = VirtualAlloc(NULL, SizeOfStub + 0x100*8, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

  if (StubPtr == NULL) return false;

  CopyMemory(StubPtr, HookAfterStub, SizeOfStub);
   
  Addr = (DWORD)HookProc;
  *(DWORD *) ((DWORD)StubPtr + DeltaData) = Addr;          // Stub_Data.HookProc

  // rel32 of the JMP that follows the displaced bytes (it ends at
  // StubPtr + AfterCode): back into the API at ApiEntry + ReplaceCodeSize
  Addr = (DWORD)ApiEntry + ReplaceCodeSize - (DWORD)StubPtr - AfterCode;
  *(DWORD *) ((DWORD)StubPtr + AfterCode - 4) = Addr;

  CopyMemory((LPVOID)((DWORD)StubPtr + SaveEntry), OpCode, ReplaceCodeSize);

  // Finally patch the entry with JMP rel32 -> stub
  Addr = (DWORD)StubPtr - (DWORD)ApiEntry - 5;
  *(DWORD*)(JMPGate + 1) = Addr;

  if (!WriteProcessMemory(GetCurrentProcess(), ApiEntry, JMPGate, sizeof(JMPGate), &RetSize))
    return false;
  FlushInstructionCache(GetCurrentProcess(), ApiEntry, sizeof(JMPGate));

  return true;
}

// Install a "before" hook on DllName!ApiName. The API entry is overwritten
// with a JMP to a private copy of HookBeforeStub, which calls
// HookProc(RetAddr, original arguments...) on the caller's stack, restores
// ESP, runs the displaced entry bytes and jumps back into the API. 32-bit
// only; the displaced bytes are copied verbatim, so an entry that begins with
// an EIP-relative instruction is not supported.
boolean SetOnBefore(PCHAR DllName,PCHAR ApiName,PVOID HookProc)
{
  PVOID   ApiEntry;
  HMODULE DllHandle;
  int ReplaceCodeSize, OpSize;
  BYTE OpCode[16];
  LPVOID StubPtr;
  DWORD Addr;
  DWORD RetSize =0;
  DWORD OldProtect=0;

  DWORD SizeOfStub =0;
  DWORD DeltaData = 0;
  DWORD SaveEntry = 0;

  DllHandle = GetModuleHandle(DllName);
  if (DllHandle ==0)
  {
    DllHandle = LoadLibrary(DllName);
    if (DllHandle ==0) return false;
  }

  ApiEntry = GetProcAddress(DllHandle,ApiName);
  if (ApiEntry == NULL) return false;

  // Displace whole instructions until the 5 bytes of the JMP are covered;
  // give up on an opcode GetOpCodeSize does not know (it returns -1).
  ReplaceCodeSize = 0;
  while (ReplaceCodeSize < 5)
  {
    OpSize = GetOpCodeSize((PVOID)((DWORD)ApiEntry + (DWORD)ReplaceCodeSize));
    if (OpSize <= 0) return false;
    ReplaceCodeSize += OpSize;
  }

  if (ReplaceCodeSize > 16) return false;

  // The original passed NULL for lpflOldProtect and returned false on success;
  // make the page writable for real and fail only when that does not work.
  if (!VirtualProtect(ApiEntry,ReplaceCodeSize,PAGE_EXECUTE_READWRITE,&OldProtect))
    return false;

  CopyMemory(OpCode, ApiEntry, ReplaceCodeSize);

  // Label offsets read from the "mov eax, offset ..." constants in the
  // template (imm32 at +3, +8, +0xD, +0x12). Link without /INCREMENTAL.
  DeltaData = *(DWORD *)((DWORD)HookBeforeStub + 0x8) - *(DWORD *) ((DWORD)HookBeforeStub + 0x3);
  SizeOfStub = *(DWORD *)((DWORD)HookBeforeStub + 0x0D) - *(DWORD *) ((DWORD)HookBeforeStub + 0x3);
  SaveEntry = *(DWORD *)((DWORD)HookBeforeStub + 0x12) - *(DWORD *) ((DWORD)HookBeforeStub + 0x3);

  // Stub plus room for 0x100 saved ESP slots for nested calls
  StubPtr = VirtualAlloc(NULL, SizeOfStub + 0x100*4, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

  if (StubPtr == NULL) return false;

  CopyMemory(StubPtr, HookBeforeStub, SizeOfStub);

  Addr = (DWORD)HookProc;
  *(DWORD *) ((DWORD)StubPtr + DeltaData) = Addr;          // Stub_Data.HookProc

  // rel32 of the JMP right before Stub_Data: back to ApiEntry + ReplaceCodeSize
  Addr = (DWORD)ApiEntry + ReplaceCodeSize - (DWORD)StubPtr - DeltaData;
  *(DWORD *) ((DWORD)StubPtr + DeltaData - 4) = Addr;

  CopyMemory((LPVOID)((DWORD)StubPtr + SaveEntry), OpCode, ReplaceCodeSize);

  // Finally patch the entry with JMP rel32 -> stub
  Addr = (DWORD)StubPtr - (DWORD)ApiEntry - 5;
  *(DWORD*)(JMPGate + 1) = Addr;

  if (!WriteProcessMemory(GetCurrentProcess(), ApiEntry, JMPGate, sizeof(JMPGate), &RetSize))
    return false;
  FlushInstructionCache(GetCurrentProcess(), ApiEntry, sizeof(JMPGate));

  return true;
}

// Test hook for WriteProcessMemory, installed with SetOnAfter: Eax is the API's
// return value, RetAddr the caller's return address, then the API's own
// parameters follow. The stub hands this function's EAX back to the caller as
// the API's result; this test ignores that result, so a void return is
// tolerated here, but a real hook should return a value of the API's type (see
// the usage note in the first reply). The hook calls WriteProcessMemory itself,
// which re-enters the hook, so IsMe stops it from looping forever.
void My_WriteProcessMemory(DWORD Eax,DWORD RetAddr,HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, DWORD nSize, LPDWORD lpNumberOfBytesWritten)
{
  DWORD RetSize =0;
  char Text [255] = {0};
  if (!IsMe)
  {
    IsMe =true;
    sprintf(Text,"EAX = %2X ,RetAddr = %2X",Eax,RetAddr);
    MessageBox (NULL,Text,"RetAddr",MB_OK);
    // 0x40108A is an address inside the author's own test build (writable only
    // because .text was linked REW); it has no meaning in any other binary.
    WriteProcessMemory(GetCurrentProcess(), (LPVOID)0x40108A, JMPGate, sizeof(JMPGate), &RetSize);
    IsMe = false;
  }
}

int main()
{
  DWORD RetSize =0;
  SetOnAfter("Kernel32.dll","WriteProcessMemory",My_WriteProcessMemory);

  // Same caveat: 0x40108f is specific to the author's build.
  WriteProcessMemory(GetCurrentProcess(), (LPVOID)0x40108f, JMPGate, sizeof(JMPGate), &RetSize);

  MessageBoxA(NULL,"Safe Here!!!","Very Good!!",MB_OK);
  return 0;
}

Replies (13)
#2  海风月影  2007-8-27 08:42

The main change in this version: hooks can now be re-entered. Tested in debugman; it basically works.

A quick word on usage, since it differs from before.

For SetOnBefore, your version of the function gains a DWORD RetAddr parameter, which is the original return address.
For example
HMODULE WINAPI LoadLibraryA(
LPCTSTR lpFileName
)

yours has to be written as
HMODULE WINAPI My_LoadLibraryA(
DWORD RetAddr,
LPCTSTR lpFileName
)

For SetOnAfter, add two parameters, in order DWORD EAX, DWORD RetAddr; EAX is the return value after the API has executed
HMODULE WINAPI My_LoadLibraryA(
DWORD EAX,
DWORD RetAddr,
LPCTSTR lpFileName
)
#3  Aker  2007-8-27 09:25

I can't follow MaskTable and GetOpCodeSize. Add some comments and lay out the overall idea; that would make it easier to follow ;) Many thanks for sharing.
#4  海风月影  2007-8-27 10:31

Those two parts haven't been updated; they're code 西裤 reversed out of aspr, roughly a small piece of a disassembler engine that looks up the length through a mask table.
#5  softdiy  2007-8-27 10:56

Learning from it, though sadly I can't understand it.
#6  garasmc  2007-8-27 20:48

Good stuff, thanks for sharing!
But when writing My_API you must have a global variable IsMe to avoid hitting yourself.......... otherwise it's an infinite loop.
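The point garasmc raises, as an added example that is not code from the thread or from the library: a plain C simulation of an "after" hook whose body calls the API it hooks, in the shape the first reply describes (the hook receives the API's EAX and its return value goes back to the caller). The JMP patch is replaced by a function pointer, an assumption made so the control flow can run anywhere, and the guard is a thread-local flag rather than the post's global IsMe, so two threads going through the hook at the same time do not see each other's flag. `__thread` is the GCC/Clang spelling; MSVC uses `__declspec(thread)`.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the patched API. In the library the entry is overwritten with a
 * JMP to the stub; here every caller goes through the `api` pointer instead, so
 * the call chain is the same without touching any code bytes. */
static int real_write(const char *what);
static int hooked_write(const char *what);
static int (*api)(const char *) = hooked_write;

static int real_calls = 0;   /* how often the genuine API body ran */
static int hook_runs  = 0;   /* how often the hook body ran         */

/* Per-thread guard. A plain global (like IsMe in the post) is shared by every
 * thread; a thread-local flag only blocks re-entry from the same call chain. */
static __thread int in_hook = 0;

static int real_write(const char *what)
{
    real_calls++;
    return (int)strlen(what);            /* the "EAX": bytes written */
}

/* "After" hook: gets the API's EAX and must return what the original caller
 * is to see. It calls the hooked API itself (to log), which re-enters
 * hooked_write and therefore this function. */
static int my_write_after(int eax, const char *what)
{
    char line[64];
    if (in_hook)                         /* nested call from inside this hook */
        return eax;                      /* pass the result through untouched */
    in_hook = 1;
    hook_runs++;
    snprintf(line, sizeof line, "log: wrote %d bytes (%s)", eax, what);
    api(line);                           /* goes through the hook again; guarded */
    in_hook = 0;
    return eax;
}

static int hooked_write(const char *what)
{
    int eax = real_write(what);          /* displaced prologue + rest of the API */
    return my_write_after(eax, what);    /* After_Code: the hook gets EAX        */
}

/* Drive the patched API n times; returns the value the last caller received. */
int run_demo(int n)
{
    int last = 0, i;
    real_calls = hook_runs = 0;
    for (i = 0; i < n; i++)
        last = api("payload");
    return last;
}
int hook_run_count(void)  { return hook_runs; }
int real_call_count(void) { return real_calls; }

int main(void)
{
    int r = run_demo(3);
    printf("result=%d real_calls=%d hook_runs=%d\n", r, real_calls, hook_runs);
    return 0;
}
```

Each outer call runs the real API twice (once for the caller, once for the log line) but the hook body only once; without the guard the log call would re-enter the hook body, which would log again, without end.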
#7  ertyui  2007-9-22 20:16

Bookmarked for now; there's a lot I still can't follow.
#8  elance  2007-9-24 18:26

How did I never notice this gem before?
#9  火影  2007-9-24 21:46

OP, please add some comments; it's too complex.
#10  dongcan  2007-12-15 01:11

After testing.... the OP's method has a problem.
Tested with the two instructions mov dword ptr [mem],0 and mov [esi+eax],0..
problems show up.. and it's exactly the line marked with the + comment.. that breaks..
I tried xor with 0-255; there is no single xor value that works for both...
=============
The answer is on page 2
===========
#11  dongcan  2007-12-15 03:32

Finally got it... OP.. get ready to release v0.4, heh

if ((dh & 0x10) == 0)
    {
      if (dh & 0x40) // opcode of the form 0x6x?
          dh ^= (t&0xFF);   // haha.. a wild guess, but my luck held and it turned out right; several instructions now come out correct
      t &= 0xFFFFFF00;
      t |= dh;
    }
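For the readers above who asked how MaskTable and GetOpCodeSize work, and for the two instructions dongcan tested (mov dword ptr [mem],0 is C7 05 disp32 imm32; mov dword ptr [esi+eax],0 is C7 04 06 imm32): the following is an added example, not code from the thread or from the library. It is a table-driven x86-32 length decoder written from scratch in portable C that spells out what the mask bits encode (prefix, ModRM present, immediate width), the displacement loop SetOnBefore and SetOnAfter run to cover a 5-byte JMP, and a check the library does not make: whether a displaced instruction is EIP-relative, which a verbatim copy into the stub would break. op_flags covers only a hand-picked subset of the opcode map (an assumption, chosen to cover typical export prologues); anything else is reported as undecodable, as the 0xFFFFFFFF entries are in MaskTable. The sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Per-opcode flags: what MaskTable packs into bits 0x4000 (ModRM), 0x100 /
 * 0x2000 / 0x8000 (immediates) and 0x08 (prefix), written out explicitly. */
enum { F_MODRM = 1, F_IMM8 = 2, F_IMM16 = 4, F_IMM32 = 8, F_REL = 16 };

/* Hand-picked subset of the one-byte opcode map (assumption: enough for typical
 * export prologues). Unknown opcodes give -1. F_REL = EIP-relative immediate. */
static int op_flags(uint8_t op)
{
    if (op >= 0x50 && op <= 0x5F) return 0;                  /* push/pop r32   */
    if (op >= 0x70 && op <= 0x7F) return F_IMM8 | F_REL;     /* jcc rel8       */
    if (op >= 0xB8 && op <= 0xBF) return F_IMM32;            /* mov r32, imm32 */
    switch (op) {
    case 0x90: case 0xC3: case 0xCC: return 0;               /* nop, ret, int3 */
    case 0x68: return F_IMM32;                               /* push imm32     */
    case 0x6A: return F_IMM8;                                /* push imm8      */
    case 0xC2: return F_IMM16;                               /* ret imm16      */
    case 0xEB: return F_IMM8 | F_REL;                        /* jmp rel8       */
    case 0xE8: case 0xE9: return F_IMM32 | F_REL;            /* call/jmp rel32 */
    case 0x80: case 0x83: case 0xC6: return F_MODRM | F_IMM8;   /* grp1 imm8, mov r/m8,imm8    */
    case 0x81: case 0xC7: return F_MODRM | F_IMM32;             /* grp1 imm32, mov r/m32,imm32 */
    case 0x01: case 0x03: case 0x09: case 0x0B: case 0x21: case 0x23:
    case 0x29: case 0x2B: case 0x31: case 0x33: case 0x39: case 0x3B:
    case 0x85: case 0x88: case 0x89: case 0x8A: case 0x8B: case 0x8D:
    case 0xFF: return F_MODRM;                               /* r/m forms, grp5 */
    }
    return -1;
}

/* Bytes taken by ModRM + optional SIB + displacement (32-bit addressing);
 * the caller guarantees avail >= 1. */
static int modrm_len(const uint8_t *p, size_t avail)
{
    int mod = p[0] >> 6, rm = p[0] & 7, len = 1;
    if (mod == 3) return len;                        /* register operand      */
    if (rm == 4) {                                   /* SIB byte follows      */
        if (avail < 2) return -1;
        len++;
        if (mod == 0 && (p[1] & 7) == 5) len += 4;   /* no base: disp32       */
    } else if (mod == 0 && rm == 5) {
        len += 4;                                    /* [disp32]              */
    }
    if (mod == 1) len += 1;                          /* [base+disp8]          */
    if (mod == 2) len += 4;                          /* [base+disp32]         */
    return len;
}

/* Length of the instruction at code[0..avail), or -1 if it cannot be decoded.
 * *relative is set to 1 for an EIP-relative instruction. */
int insn_len(const uint8_t *code, size_t avail, int *relative)
{
    size_t i = 0;
    int opsize16 = 0, f, m;
    if (relative) *relative = 0;
    while (i < avail) {                              /* legacy prefixes       */
        uint8_t b = code[i];
        if (b == 0x66) opsize16 = 1;
        else if (b == 0x67) return -1;               /* 16-bit addressing: out of scope */
        else if (b != 0x26 && b != 0x2E && b != 0x36 && b != 0x3E &&
                 b != 0x64 && b != 0x65 && b != 0xF0 && b != 0xF2 && b != 0xF3)
            break;
        i++;
    }
    if (i >= avail || (f = op_flags(code[i++])) < 0) return -1;
    if (f & F_MODRM) {
        if (i >= avail || (m = modrm_len(code + i, avail - i)) < 0) return -1;
        i += (size_t)m;
    }
    if (f & F_IMM8) i += 1;
    if (f & F_IMM16) i += 2;
    if (f & F_IMM32) i += opsize16 ? 2 : 4;          /* GetOpCodeSize's "66h: subtract 2" rule */
    if (i > avail) return -1;
    if (relative) *relative = (f & F_REL) != 0;
    return (int)i;
}

/* The loop SetOnBefore/SetOnAfter run: displace whole instructions until at
 * least min_bytes (5 for one E9 JMP) are covered. Returns the byte count, 0 if
 * the entry cannot be decoded, -1 if a displaced instruction is EIP-relative. */
int bytes_to_steal(const uint8_t *entry, size_t avail, size_t min_bytes)
{
    size_t total = 0;
    while (total < min_bytes) {
        int rel, n;
        if (total >= avail) return 0;
        n = insn_len(entry + total, avail - total, &rel);
        if (n < 0) return 0;
        if (rel) return -1;
        total += (size_t)n;
    }
    return (int)total;
}

int main(void)
{   /* Constructed sample: hot-patchable prologue mov edi,edi; push ebp; mov ebp,esp; sub esp,10h */
    static const uint8_t prologue[] = { 0x8B,0xFF, 0x55, 0x8B,0xEC, 0x83,0xEC,0x10 };
    printf("displace %d bytes for a 5-byte JMP\n", bytes_to_steal(prologue, sizeof prologue, 5));
    return 0;
}
```

The prologue sample needs three instructions (2 + 1 + 2 bytes) to cover the JMP, which is exactly the 5 bytes the library would copy into SaveEntry. An export that starts with `jmp rel32` or `call rel32` is reported as -1: the library would copy those bytes unchanged, and the relative target would then point somewhere else from inside the stub.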
#12  海风月影  2007-12-15 14:27

Thanks for the heads-up~~~~
#13  北极星2003  2007-12-16 21:39

When did this thread sink? Not making it a featured post was a real miss.
#14  liuzewei  2007-12-22 11:39

Thanks for sharing! Definitely bumping this; I really admire this kind of spirit! Heh!