// CounterHook.cpp : Defines the entry point for the console application. // #include "stdafx.h" #include <Windows.h> void showInfo(LPWSTR strInfo) { OutputDebugStringW(strInfo); } typedef HANDLE (WINAPI* pfnCreateEvent)( LPSECURITY_ATTRIBUTES lpEventAttributes, BOOL bManualReset, BOOL bInitialState, LPWSTR lpName ); pfnCreateEvent lpFunCreateEvent ; HANDLE __declspec(naked) WINAPI MyCreateEvent( LPSECURITY_ATTRIBUTES lpEventAttributes, BOOL bManualReset, BOOL bInitialState, LPWSTR lpName ) { _asm { mov edi,edi push ebp mov ebp,esp jmp lpFunCreateEvent } } typedef int (WINAPI* pfnMessageBoxW)(HWND hWnd,LPWSTR lpText,LPWSTR lpCaption,UINT uType); pfnMessageBoxW lpMessageBoxW ; int __declspec(naked) WINAPI MyMessageBox(HWND hWnd,LPCTSTR lpText,LPCTSTR lpCaption,UINT uType) { _asm{ mov edi,edi push ebp mov ebp,esp jmp lpMessageBoxW } } void HookCreateEventW() { BYTE NewBytes[5] = {0xe9,0x0,0x0,0x0,0x0}; HMODULE h= LoadLibraryW(L"kernel32.dll"); lpFunCreateEvent = (pfnCreateEvent) GetProcAddress(h,"CreateEventW"); *(DWORD*)(NewBytes + 1) = (DWORD)MyCreateEvent-(DWORD)lpFunCreateEvent-5; WriteProcessMemory(INVALID_HANDLE_VALUE,(LPVOID)lpFunCreateEvent,NewBytes,5,NULL); lpFunCreateEvent = (pfnCreateEvent)((LPBYTE)lpFunCreateEvent +5 ); } void HookMessageBoxW() { BYTE NewBytes[5] = {0xe9,0x0,0x0,0x0,0x0}; HMODULE h= LoadLibraryW(L"user32.dll"); lpMessageBoxW = (pfnMessageBoxW) GetProcAddress(h,"MessageBoxW"); *(DWORD*)(NewBytes + 1) = (DWORD)MyMessageBox-(DWORD)lpMessageBoxW-5; WriteProcessMemory(INVALID_HANDLE_VALUE,(LPVOID)lpMessageBoxW,NewBytes,5,NULL); lpMessageBoxW = (pfnMessageBoxW)((LPBYTE)lpMessageBoxW +5 ); } void CounterHookdll(LPWSTR strDllName) { WCHAR wszModuleName[MAX_PATH]; DWORD dwZeroMem[64]; DWORD dwFileSizeH; DWORD dwFileSizeL; IMAGE_DOS_HEADER* dosHead; IMAGE_NT_HEADERS* peHead; IMAGE_SECTION_HEADER* sections; int sectionCount ; HMODULE h = LoadLibraryW(strDllName); GetModuleFileName(h,wszModuleName,MAX_PATH); ZeroMemory(dwZeroMem,sizeof(dwZeroMem)); HANDLE hFile = CreateFile(wszModuleName,GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL|FILE_ATTRIBUTE_SYSTEM, NULL); DWORD dwError = GetLastError(); if (hFile != INVALID_HANDLE_VALUE) { dwFileSizeL = GetFileSize(hFile,&dwFileSizeH); HANDLE hMap = CreateFileMappingW(hFile,NULL,PAGE_READONLY|SEC_IMAGE,dwFileSizeH,dwFileSizeL,NULL); DWORD dwError = GetLastError(); if (hMap!= NULL) { LPVOID lpBuffer =MapViewOfFile(hMap,FILE_MAP_READ,0,0,0); //lpBuffer = h ; if ((*(LPWORD)lpBuffer) == 0x5a4d/* && ((LPBYTE)lpBuffer+ (*(LPDWORD)((LPBYTE)lpBuffer+0x3c))==0x4550*/) { // DWORD dwOffset = *(LPDWORD)((LPBYTE)lpBuffer+0x3c); // if (*(LPWORD)((LPBYTE)lpBuffer+dwOffset) == 0x4550) // { // // } dosHead = (IMAGE_DOS_HEADER*)lpBuffer; peHead = (IMAGE_NT_HEADERS*)((LPBYTE)lpBuffer+dosHead->e_lfanew); sectionCount = peHead->FileHeader.NumberOfSections; sections = (IMAGE_SECTION_HEADER*)((LPBYTE)peHead+sizeof(IMAGE_NT_HEADERS)); for (int i=0;i<sectionCount;i++) { //printf((char*)((sections+i)->Name)); if ((sections+i)->Name[1]==‘t‘) { DWORD dwWriteStart ,dwWriteEnd ; DWORD dwCodeSize = (sections+i)->SizeOfRawData ; DWORD dwVirtualAddress = (sections+i)->VirtualAddress ; LPBYTE lpCodeAddr = (LPBYTE)lpBuffer+dwVirtualAddress ; int j = 0; for ( ;j<dwCodeSize;j++) { // find first WINAPI if(*(LPDWORD)(lpCodeAddr+j) ==0x8b55ff8b) { dwWriteStart = j ; for(int e=dwWriteStart;e<dwCodeSize;e++ ) { // if (*(LPDWORD)(lpCodeAddr+e) == 0 && *(LPDWORD)(lpCodeAddr+e+16)==0) // { // dwWriteEnd = e ; // } if (memcmp(lpCodeAddr+e,dwZeroMem,sizeof(dwZeroMem))==0) { dwWriteEnd = e ; break; } } //dwCodeSize +=5; DWORD dwOldAtr=0; DWORD dwMem,dwMem2 ; dwMem = (DWORD)h+dwVirtualAddress+dwWriteStart; dwMem2 = (DWORD)((LPBYTE)lpCodeAddr+dwWriteStart ); if(WriteProcessMemory(INVALID_HANDLE_VALUE,(LPVOID)dwMem,(LPVOID)dwMem2,dwWriteEnd-dwWriteStart,NULL)) { printf(" WriteMemory OK"); }else { printf(" WriteMemory Failed"); } return ; } } } } } } } } int _tmain(int argc, _TCHAR* argv[]) { HANDLE hEvent ; HookCreateEventW(); CounterHookdll(L"kernel32.dll"); hEvent = CreateEventW(NULL,FALSE,FALSE,L"Good"); printf("hEvent= 0x%08x",hEvent); HookMessageBoxW(); CounterHookdll(L"user32.dll"); MessageBoxW(NULL,L"GOOD",L"Good",0); getchar(); return 0; }
时间: 2024-10-04 15:07:06