Trap-style HookAPI Summary (陷阱式HookAPI总结.doc)

Uploader: 鲁**  Document ID: 544646428  Uploaded: 2024-01-04  Format: DOC  Pages: 5  Size: 61.01KB

```pascal
unit HookAPIUnit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls;

type
  TForm1 = class(TForm)
    Button1: TButton;
    Button2: TButton;
    ListBox1: TListBox;
    Label1: TLabel;
    Button3: TButton;
    Button4: TButton;
    Button5: TButton;
    procedure Button1Click(Sender: TObject);
    procedure Button2Click(Sender: TObject);
    procedure FormCreate(Sender: TObject);
    procedure Button3Click(Sender: TObject);
    procedure Button4Click(Sender: TObject);
    procedure Button5Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;

function MyMessageBox(hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;
procedure EnableDebugPriviledge();
// EnableDebugPriviledge() turned out to be redundant once the experiment succeeded;
// it was only added in case a privilege shortage showed up.

implementation

var
  oldAddressEntry: array[1..5] of Byte;                             // original first 5 bytes of MessageBoxA
  newAddressEntry: array[1..5] of Byte = ($E9, $00, $00, $00, $00); // replacement for those 5 bytes: JMP rel32 (opcode E9)
  RelativeAddress: DWord;
  padressOfMessageBoxA: Pointer;
  oldPageAttrib: Cardinal;
  pByte: ^Byte;
  NumberOfBytesBeenRead, NumberOfBytesWriten: DWord;

procedure ChangePageAttribToReadWrite(pBaseAddress: Pointer);
begin
  // PAGE_EXECUTE_READWRITE rather than PAGE_READWRITE: the page holds code and must stay executable
  if VirtualProtect(pBaseAddress, 8, PAGE_EXECUTE_READWRITE, oldPageAttrib) = False then
  begin
    ShowMessage('failed to ChangePageAttribToReadWrite');
  end;
end;

function MyMessageBox(hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;
begin
  Form1.ListBox1.Items.Add('Hooked MessageBox Function!');
  // Experiment shows that once the hook succeeds, every MessageBox argument is passed to this
  // custom interceptor. The arguments can be inspected and compared here before deciding
  // what to do next.
  if (lpCaption <> nil) and (StrComp(lpCaption, 'Notifation') = 0) then
  begin
    Form1.ListBox1.Items.Add('param of the MessageBox Function was replaced!');
  end;
  // The original entry bytes are overwritten (no trampoline), so no dialog is shown;
  // a return value is still required by the signature.
  Result := IDOK;
end;

procedure EnableDebugPriviledge();
var
  hToken: THandle;
  returnLength: Cardinal;
  Lid: Int64;
  NewTokenPriviledge, OldTokenPriviledge: _TOKEN_PRIVILEGES;
begin
  if OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, hToken) = False then
  begin
    ShowMessage('failed to OpenProcessToken!');
  end;
  if LookupPrivilegeValue(nil, 'SeDebugPrivilege', Lid) = False then
  begin
    ShowMessage('failed to LookupPrivilegeValue!');
  end;
  NewTokenPriviledge.PrivilegeCount := 1;
  NewTokenPriviledge.Privileges[0].Luid := Lid;
  NewTokenPriviledge.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
  if AdjustTokenPrivileges(hToken, False, NewTokenPriviledge, SizeOf(_TOKEN_PRIVILEGES),
    OldTokenPriviledge, returnLength) = False then
  begin
    ShowMessage('failed to AdjustTokenPrivileges!');
  end;
end;

{$R *.dfm}

procedure TForm1.Button1Click(Sender: TObject);
begin
  MessageBox(Form1.Handle, 'Using MessageBox Function', 'Notifation', MB_OK);
end;

procedure TForm1.Button2Click(Sender: TObject);
var
  dllHandle: THandle;
  i: Integer;
begin
  EnableDebugPriviledge();
  if OpenProcess(PROCESS_ALL_ACCESS, True, GetCurrentProcessId()) = 0 then
  begin
    ListBox1.Items.Add('failed to OpenProcess!');
  end;
  // By experiment, for an in-process hook the EnableDebugPriviledge and OpenProcess calls above
  // can be dropped. If an error caused by insufficient rights does occur, call OpenProcess to
  // obtain PROCESS_VM_OPERATION or PROCESS_VM_WRITE access, or call VirtualProtect to change the
  // read/write attribute of the virtual memory pages.
  dllHandle := LoadLibrary('user32.dll');
  if dllHandle = 0 then
  begin
    ListBox1.Items.Add('failed to loadLibrary!');
  end
  else
    ListBox1.Items.Add('succeeded to loadLibrary!' + ' ' + 'user32.dll Module handle value is ' +
      IntToStr(Cardinal(dllHandle)));
  padressOfMessageBoxA := GetProcAddress(dllHandle, PChar('MessageBoxA'));
  if padressOfMessageBoxA = nil then
  begin
    ListBox1.Items.Add('failed to GetProcAddress!');
  end
  else
    ListBox1.Items.Add('succeeded to GetProcAddress! ' + 'MessageBoxA adress is ' +
      IntToStr(Cardinal(padressOfMessageBoxA)));
  if ReadProcessMemory(GetCurrentProcess(), padressOfMessageBoxA, @oldAddressEntry, 5,
    NumberOfBytesBeenRead) = False then
  begin
    ListBox1.Items.Add('failed to ReadProcessMemory!');
  end
  else
    ListBox1.Items.Add('succeeded to ReadProcessMemory!');
  // Logging both the failure and the success message above helps rule out errors
  // after each API call.
  // Offset computation (32-bit addresses, as in the original Delphi build):
  RelativeAddress := DWord(@MyMessageBox) - DWord(padressOfMessageBoxA) - 5;
  // Note carefully: the operand of JMP XXXXX is a relative address, measured from the
  // end of the 5-byte instruction, which is why 5 is subtracted.
  pByte := @RelativeAddress;
  for i := 2 to 5 do
  begin
    newAddressEntry[i] := pByte^;
    Inc(pByte);
  end;
  if WriteProcessMemory(GetCurrentProcess(), padressOfMessageBoxA, @newAddressEntry, 5,
    NumberOfBytesWriten) = False then
  begin
    ListBox1.Items.Add('failed to WriteProcessMemory!' + ' ' + 'Error Code' + ' ' +
      IntToStr(GetLastError()));
  end
  else
    ListBox1.Items.Add('succeeded to WriteProcessMemory!');
end;

procedure TForm1.FormCreate(Sender: TObject);
begin
  Label1.Width := 300;
end;

// Button3Click and Button4Click are declared in the class but their bodies are not on the page;
// empty bodies are supplied here only so that the unit compiles.
procedure TForm1.Button3Click(Sender: TObject);
begin
end;

procedure TForm1.Button4Click(Sender: TObject);
begin
end;

procedure TForm1.Button5Click(Sender: TObject);
begin
  // Write the saved original 5 bytes back, which removes the hook.
  WriteProcessMemory(GetCurrentProcess(), padressOfMessageBoxA, @oldAddressEntry, 5,
    NumberOfBytesWriten);
end;

end.
```

The actual result after execution is shown in the figure above. Once the in-process hook succeeds, the cross-process hook becomes comparatively easy, so cross-process HookAPI is not elaborated further. By experiment, to intercept the CreateProcess function you need to intercept Cre
