Ring3下Inline Hook API

用CreateFile为例子，讲解一下Ring3下的Inline Hook API，基本原理很简单
1、获取CreateFile函数的地址
2、读取CreateFile函数的前8个字节
3、将CreateFile函数的前8个字节，修改成mov eax,我的函数地址 jmp eax
4、进入我的函数地址之后，记得恢复CreateFile函数原来的8个字节，不然没法正常使用CreateFile
代码如下：

#include <windows.h>  
#include <stdio.h>  
#include <iostream.h>  
#include <tchar.h>  
  
//修改API入口为 mov eax, 00400000;jmp eax是程序能跳转到自己的函数  
BYTE NewBytes[8] = {0xB8, 0x0, 0x0, 0x40, 0x0, 0xFF, 0xE0, 0x0};  
BYTE OldBytes[8] = {0};  
  
FARPROC CreateFile_Addr;  
  
HANDLE WINAPI MyCreateFile(  
        __in          LPCTSTR lpFileName,  
        __in          DWORD dwDesiredAccess,  
        __in          DWORD dwShareMode,  
        __in          LPSECURITY_ATTRIBUTES lpSecurityAttributes,  
        __in          DWORD dwCreationDisposition,  
        __in          DWORD dwFlagsAndAttributes,  
        __in          HANDLE hTemplateFile  
        )  
{  
    MessageBox(0,"MyCreateFile",0,0);  
    //恢复API头8个字节  
    WriteProcessMemory( INVALID_HANDLE_VALUE, (void*)CreateFile_Addr,  
        (void*)OldBytes, 8, NULL);  
  
    printf("lpFileName is %s\n",lpFileName);  
  
    //调用正确的函数  
    HANDLE hFile=CreateFileA(lpFileName,dwDesiredAccess,dwShareMode,  
        lpSecurityAttributes,dwCreationDisposition,dwFlagsAndAttributes,hTemplateFile);  
          
    //写入跳转语句，继续Hook  
       WriteProcessMemory(INVALID_HANDLE_VALUE, (void*)CreateFile_Addr,  
       (void*)NewBytes, 8, NULL);  
  
    return hFile;  
}  
  
  
void main()  
{  
    HMODULE hModule_Kernel32 = LoadLibrary("Kernel32.dll");  
    CreateFile_Addr = GetProcAddress(hModule_Kernel32, "CreateFileA");  
  
    printf("CreateFileA_Addr is %x\n",CreateFile_Addr);  
    printf("MyCreateFile Addr is %x\n",MyCreateFile);  
      
    //读CreateFile函数的前8个字节  
    if(ReadProcessMemory(INVALID_HANDLE_VALUE,CreateFile_Addr,OldBytes,8,NULL)==0)  
    {  
        printf("ReadProcessMemory error\n");  
        return;  
    }  
      
    printf("OldBytes is %x%x%x%x%x%x%x%x\n",OldBytes[0],OldBytes[1],OldBytes[2],  
        OldBytes[3],OldBytes[4],OldBytes[5],OldBytes[6],OldBytes[7]);  
      
    //将NewBytes改成My函数地址  
    *(DWORD*)(NewBytes + 1) = (DWORD)MyCreateFile;  
      
    printf("NewBytes is %x%x%x%x%x%x%x%x\n",NewBytes[0],NewBytes[1],NewBytes[2],NewBytes[3],  
        NewBytes[4],NewBytes[5],NewBytes[6],NewBytes[7]);  
      
    //写入跳转，开始Hook  
    WriteProcessMemory(INVALID_HANDLE_VALUE,CreateFile_Addr,NewBytes,8,NULL);  
  
    //调用CreateFileA测试一下。  
    HANDLE hFile=CreateFileA("C:\\1.txt",GENERIC_ALL,FILE_SHARE_READ,0,CREATE_ALWAYS,0,0);  
    CloseHandle(hFile);  
}

#include <windows.h>

#include <stdio.h>

#include <iostream.h>

#include <tchar.h>

//修改API入口为 mov eax, 00400000;jmp eax是程序能跳转到自己的函数

BYTE NewBytes[8] = {0xB8, 0x0, 0x0, 0x40, 0x0, 0xFF, 0xE0, 0x0};

BYTE OldBytes[8] = {0};

FARPROC CreateFile_Addr;

HANDLE WINAPI MyCreateFile(

__in LPCTSTR lpFileName,

__in DWORD dwDesiredAccess,

__in DWORD dwShareMode,

__in LPSECURITY_ATTRIBUTES lpSecurityAttributes,

__in DWORD dwCreationDisposition,

__in DWORD dwFlagsAndAttributes,

__in HANDLE hTemplateFile

)

{

MessageBox(0,"MyCreateFile",0,0);

//恢复API头8个字节

WriteProcessMemory( INVALID_HANDLE_VALUE, (void*)CreateFile_Addr,

(void*)OldBytes, 8, NULL);

printf("lpFileName is %s\n",lpFileName);

//调用正确的函数

HANDLE hFile=CreateFileA(lpFileName,dwDesiredAccess,dwShareMode,

lpSecurityAttributes,dwCreationDisposition,dwFlagsAndAttributes,hTemplateFile);

//写入跳转语句，继续Hook

WriteProcessMemory(INVALID_HANDLE_VALUE, (void*)CreateFile_Addr,

(void*)NewBytes, 8, NULL);

return hFile;

}

void main()

{

HMODULE hModule_Kernel32 = LoadLibrary("Kernel32.dll");

CreateFile_Addr = GetProcAddress(hModule_Kernel32, "CreateFileA");

printf("CreateFileA_Addr is %x\n",CreateFile_Addr);

printf("MyCreateFile Addr is %x\n",MyCreateFile);

//读CreateFile函数的前8个字节

if(ReadProcessMemory(INVALID_HANDLE_VALUE,CreateFile_Addr,OldBytes,8,NULL)==0)

{

printf("ReadProcessMemory error\n");

return;

}

printf("OldBytes is %x%x%x%x%x%x%x%x\n",OldBytes[0],OldBytes[1],OldBytes[2],

OldBytes[3],OldBytes[4],OldBytes[5],OldBytes[6],OldBytes[7]);

//将NewBytes改成My函数地址

*(DWORD*)(NewBytes + 1) = (DWORD)MyCreateFile;

printf("NewBytes is %x%x%x%x%x%x%x%x\n",NewBytes[0],NewBytes[1],NewBytes[2],NewBytes[3],

NewBytes[4],NewBytes[5],NewBytes[6],NewBytes[7]);

//写入跳转，开始Hook

WriteProcessMemory(INVALID_HANDLE_VALUE,CreateFile_Addr,NewBytes,8,NULL);

//调用CreateFileA测试一下。

HANDLE hFile=CreateFileA("C:\\1.txt",GENERIC_ALL,FILE_SHARE_READ,0,CREATE_ALWAYS,0,0);

CloseHandle(hFile);

}

转载请注明：exchen's blog » Ring3下Inline Hook API

与本文相关的文章

Hi，您需要填写昵称和邮箱！