這麼多高手在這裡,哎,小弟願意向各位高手學習。
Api攔截並不是一個新的技術,很多商業軟件都采用這種技術。對windows的Api函數的攔截,不外乎兩種方法,第一種是Mr. Jeffrey Richter 的修改exe文件的模塊輸入節,種方法,很安全,但很復雜,而且有些exe文件,沒有Dll的輸入符號的列表,有可能出現攔截不到的情況。第二種方法就是常用的JMP XXX的方法,雖然很古老,卻很簡單實用。
本文一介紹第二種方法在Win2k下的使用。第二種方法,Win98/me 下因為進入Ring0級的方法很多,有LDT,IDT,Vxd等方法,很容易在內存中動態修改代碼,但在Win2k下,這些方法都不能用,寫WDM太過復雜,表面上看來很難實現,
其實不然。Win2k為我們提供了一個強大的內存Api操作函數---VirtualProtectEx,WriteProcessMemeory,ReadProcessMemeory,有了它們我們就能在內存中動態修改代碼了,其原型為:
BOOL VirtualProtectEx(
HANDLE hProcess, // 要修改內存的進程句柄
LPVOID lpAddress, // 要修改內存的起始地址
DWORD dwSize, // 修改內存的字節
DWORD flNewProtect, // 修改後的內存屬性
PDWORD lpflOldProtect // 修改前的內存屬性的地址
);
BOOL WriteProcessMemory(
HANDLE hProcess, // 要寫進程的句柄
LPVOID lpBaseAddress, // 寫內存的起始地址
LPVOID lpBuffer, // 寫入數據的地址
DWORD nSize, // 要寫的字節數
LPDWORD lpNumberOfBytesWritten // 實際寫入的子節數
);
BOOL ReadProcessMemory(
HANDLE hProcess, // 要讀進程的句柄
LPCVOID lpBaseAddress, // 讀內存的起始地址
LPVOID lpBuffer, // 讀入數據的地址
DWORD nSize, // 要讀入的字節數
LPDWORD lpNumberOfBytesRead // 實際讀入的子節數
);
具體的參數請參看MSDN幫助。在Win2k下因為Dll和所屬進程在同一地址空間,這點又和Win9x/me存在所有進程存在共享的地址空間不同,
因此,必須通過鉤子函數和遠程注入進程的方法,現以一個簡單采用鉤子函數對MessageBoxA進行攔截例子來說明:
其中Dll文件為:
//---------------------------------------------------------------------------
#include <windows.h>
//---------------------------------------------------------------------------
// Important note about DLL memory management when your DLL uses the
// static version of the RunTime Library:
//
// If your DLL exports any functions that pass String objects (or structs/
// classes containing nested Strings) as parameter or function results,
// you will need to add the library MEMMGR.LIB to both the DLL project and
// any other projects that use the DLL. You will also need to use MEMMGR.LIB
// if any other projects which use the DLL will be performing new or delete
// operations on any non-TObject-derived classes which are exported from the
// DLL. Adding MEMMGR.LIB to your project will change the DLL and its calling
// EXE's to use the BORLNDMM.DLL as their memory manager. In these cases,
// the file BORLNDMM.DLL should be deployed along with your DLL.
//
// To avoid using BORLNDMM.DLL, pass string information using "char *" or
// ShortString parameters.
//
// If your DLL uses the dynamic version of the RTL, you do not need to
// explicitly add MEMMGR.LIB as this will be done implicitly for you
//---------------------------------------------------------------------------
#pragma argsused
HHOOK g_hHook;
HINSTANCE g_hinstDll;
FARPROC fpMessageBoxA;
HMODULE hModule ;
BYTE OldMessageBoxACode[5], NewMessageBoxACode[5];
DWORD dwIdOld, dwIdNew;
BOOL bHook = false;
void HookOn();
void HookOff();
BOOL Init();
int WINAPI MyMessageBoxA(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
//---------------------------------------------------------------------------
// 空的鉤子函數
LRESULT WINAPI Hook(int nCode, WPARAM wParam, LPARAM lParam)
{
return(CallNextHookEx(g_hHook, nCode, wParam, lParam));
}
//---------------------------------------------------------------------------
// 輸出,安裝空的鉤子函數
extern "C" __declspec(dllexport) __stdcall
BOOL InstallHook()
{
g_hinstDll = LoadLibrary("project1.dll"); // 這裡的文件名為Dll本身的文件名
g_hHook = SetWindowsHookEx(WH_GETMESSAGE, (HOOKPROC)Hook, g_hinstDll, 0);
if (!g_hHook)
{
MessageBoxA(NULL, "SET ERROR", "ERROR", MB_OK);
return(false);
}
return(true);
}
//---------------------------------------------------------------------------
// 輸出,Uninstall鉤子函數
extern "C" __declspec(dllexport) __stdcall
BOOL UninstallHook()
{
return(UnhookWindowsHookEx(g_hHook));
}
//---------------------------------------------------------------------------
// 初始化得到MessageBoxA的地址,並生成Jmp XXX(MyMessageBoxA)的跳轉指令
BOOL Init()
{
hModule = LoadLibrary("user32.dll");
fpMessageBoxA = GetProcAddress(hModule, "GetSystemDirectoryA");
if(fpMessageBoxA == NULL)
return false;
_asm
{
pushad
lea edi, OldMessageBoxACode
mov esi, fpMessageBoxA
cld
movsd
movsb
popad
}
NewMessageBoxACode[0] = 0xe9; // jmp MyMessageBoxA的相對地址的指令
_asm
{
lea eax, MyGetSystemDirectory
mov ebx, fpMessageBoxA
sub eax, ebx
sub eax, 5
mov dword ptr [NewMessageBoxACode + 1], eax
}
dwIdNew = GetCurrentProcessId(); // 得到所屬進程的ID
dwIdOld = dwIdNew;
HookOn(); // 開始攔截
return(true);
}
//---------------------------------------------------------------------------
// 首先關閉攔截,然後才能調用被攔截的Api 函數
int WINAPI MyMessageBoxA(HWND hWnd, LPCTSTR lpText,LPCTSTR lpCaption, UINT uType)
{
int nReturn;
HookOff();
nReturn = MessageBoxA(hWnd, "來自鉤子中的內容", lpCaption, MB_OK | MB_ICONINFORMATION);
HookOn();
return(nReturn);
}
//---------------------------------------------------------------------------
// 本文代碼由ccrun整理並在BCB 6.0環境下調試通過。
// Welcome to C++ Builder 研究
// http://www.ccrun.com
//---------------------------------------------------------------------------
void HookOn()
{
HANDLE hProc;
dwIdOld = dwIdNew;
// 得到所屬進程的句柄
hProc = OpenProcess(PROCESS_ALL_ACCESS, 0, dwIdOld);
// 修改所屬進程中MessageBoxA的前5個字節的屬性為可寫
VirtualProtectEx(hProc, fpMessageBoxA, 5, PAGE_READWRITE,&dwIdOld);
// 將所屬進程中MessageBoxA的前5個字節改為JMP 到MyMessageBoxA
WriteProcessMemory(hProc, fpMessageBoxA, NewMessageBoxACode, 5, 0);
// 修改所屬進程中MessageBoxA的前5個字節的屬性為原來的屬性
VirtualProtectEx(hProc, fpMessageBoxA, 5, dwIdOld, &dwIdOld);
bHook=true;
}
//---------------------------------------------------------------------------
// 將所屬進程中JMP MyMessageBoxA的代碼改為Jmp MessageBoxA
void HookOff()
{
HANDLE hProc;
dwIdOld = dwIdNew;
hProc = OpenProcess(PROCESS_ALL_ACCESS, 0, dwIdOld);
VirtualProtectEx(hProc, fpMessageBoxA,5, PAGE_READWRITE, &dwIdOld);
WriteProcessMemory(hProc, fpMessageBoxA, OldMessageBoxACode, 5, 0);
VirtualProtectEx(hProc, fpMessageBoxA, 5, dwIdOld, &dwIdOld);
bHook = false;
}
//---------------------------------------------------------------------------
int WINAPI DllEntryPoint(HINSTANCE hinst, unsigned long reason, void* lpReserved)
{
switch (reason)
{
case DLL_PROCESS_ATTACH:
if(!Init())
{
MessageBoxA(NULL,"Init","ERROR",MB_OK);
return(false);
}
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
if(bHook)
UninstallHook();
break;
}
return TRUE;
}
// 測試文件:
extern "C" __declspec(dllimport) __stdcall
BOOL InstallHook();
extern "C" __declspec(dllimport) __stdcall
BOOL UninstallHook();
//---------------------------------------------------------------------------
__fastcall TForm1::TForm1(TComponent* Owner)
: TForm(Owner)
{
}
//---------------------------------------------------------------------------
// 本文代碼由ccrun整理並在BCB 6.0環境下調試通過。
// Welcome to C++ Builder 研究
// http://www.ccrun.com
//---------------------------------------------------------------------------
void __fastcall TForm1::Button1Click(TObject *Sender)
{
if(!InstallHook())
{
Label1->Caption = "Hook Error!";
}
MessageBoxA(NULL, "內容", "標題", MB_OK);
// 可以看見"內容變成了"來自鉤子中的內容"
if(!UninstallHook())
{
Label1->Caption = "Uninstall Error!";
}
}
//---------------------------------------------------------------------------
