
1、假設我們的工程是要監控Troj.exe的行為。A.exe為監控應用程序:A.exe先遍歷當前進程,若找到Troj.exe,則將B.dll以遠程線程方式注入到Troj.exe進程中。PS: XP 用 CreateRemoteThread,Win7 用 NT 系列函數,如下: 1 typedef DWORD (WINAPI *PFNTCREATETHREADEX) 2 ( 3 OUT PHANDLE ThreadHandle, 4 ACCESS_MASK DesiredAccess, 5 LPVOID ObjectAttributes, 6 HANDLE ProcessHandle, 7 LPTHREAD_START

2、_ROUTINE lpStartAddress, 8 LPVOID lpParameter, 9 BOOL CreateSuspended, 10 DWORD dwStackSize, 11 DWORD dw1, 12 DWORD dw2, 13 LPVOID Unknown 14 ); 15 16 BOOL IsVistaOrLater() 17 18 OSVERSIONINFO osvi; 19 ZeroMemory(&osvi, sizeof(OSVERSIONINFO); 20 osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);

3、21 GetVersionEx(&osvi); 22 if( osvi.dwMajorVersion >= 6 ) 23 24 return TRUE; 25 26 return FALSE; 27 28 29 BOOL MyCreateRemoteThread(HANDLE hProcess, LPTHREAD_START_ROUTINE pThreadProc, LPVOID pRemoteBuf) 30 31 HANDLE hThread = NULL; 32 FARPROC pFunc = NULL; 33 if( IsVistaOrLater() ) / Vista,

4、7, Server2008 34 35 pFunc = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtCreateThreadEx"); 36 if( pFunc = NULL ) 37 38 ErrorReport(GetLastError(); 39 40 (PFNTCREATETHREADEX)pFunc)(&hThread, 41 0x1FFFFF, 42 NULL, 43 hProcess, 44 pThreadProc, 45 pRemoteBuf, 46 FALSE, 47 NUL

5、L, 48 NULL, 49 NULL, 50 NULL); 51 if( hThread = NULL ) 52 53 ErrorReport(GetLastError();54 55 56 else / 2000, XP, Server2003 57 58 hThread = CreateRemoteThread(hProcess, 59 NULL, 60 0, 61 pThreadProc, 62 pRemoteBuf, 63 0, 64 NULL); 65 if( hThread = NULL ) 66 67 ErrorReport(GetLastError(); 68 69 70 i

6、f( WAIT_FAILED = WaitForSingleObject(hThread, INFINITE) ) 71 72 ErrorReport(GetLastError();73 74 return TRUE; 75 注入成功后,DLL和A.exe建立命名管道進行進程間通信。例如,當Troj.exe調用CopyFileW被B.dll攔截時,發送相關數據(簡稱為M結構體)到A.exe的文本控件上顯示。M結構體如下構造: 1 struct WinExec 2 3 _In_ CHAR lpCmdLine0x400; 4 _In_ UINT uCmdShow; 5 ; 6 7 struct Co

7、pyFileW 8 9 _In_ TCHAR lpExistingFileName0x400;10 _In_ TCHAR lpNewFileName0x400;11 _In_ BOOL bFailIfExists;12 ;13 14 typedef struct _tag_info15 16 DWORD time;17 DWORD Return;18 DWORD Info_Type;19 20 union21 struct WinExec WinExec_;22 struct CopyFileW CopyFileW_;23 ;24 25 taginfo, *ptaginfo;26 27 #de

8、fine WINEXEC_INFO 128 #define COPYFILEW 2  我的這個實例很基礎,只攔截WinExec函數和CopyFileW函數。請先允許我展示幾個頭文件:  hook.hhook.h  head.hhead.h DllMain.cpp 1 #include "Header.h" 2 3 int PrepareRealApiEntry() 4 5 HMODULE hKernel32 = LoadLibrary(L"Kernel32.dll"); 6 if (!(r

9、ealWinExec = (ptrWinExec)GetProcAddress(hKernel32, "WinExec") | 7 !(realCopyFileW = (ptrCopyFileW)GetProcAddress(hKernel32, "CopyFileW") 8 9 ErrorReport(GetLastError();10 11 return 0;12 13 14 void DoHook() 15 16 LhInstallHook(realWinExec, MyWinExec, NULL, hHookWinExec);17 LhSetEx

10、clusiveACL(HookWinExec_ACLEntries, 1, hHookWinExec);18 19 LhInstallHook(realCopyFileW, MyCopyFileW, NULL, hHookCopyFileW);20 LhSetExclusiveACL(HookCopyFileW_ACLEntries, 1, hHookCopyFileW);21 22 23 void DoneHook() 24 25 / this will also invalidate "hHook", because it is a traced handle. 26

11、LhUninstallAllHooks(); 27 28 / this will do nothing because the hook is already removed. 29 30 LhUninstallHook(hHookWinExec);31 LhUninstallHook(hHookCopyFileW);32 33 / now we can safely release the traced handle 34 delete hHookWinExec;35 hHookWinExec = NULL;36 37 delete hHookCopyFileW;38 hHookCopyFi

12、leW = NULL;39 40 / even if the hook is removed, we need to wait for memory release 41 LhWaitForPendingRemovals(); 42 43 44 BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) 45 46 switch (ul_reason_for_call) 47 48 case DLL_PROCESS_ATTACH: 49 50 StartTime = timeGetT

13、ime();51 CreateNamedPipeInServer(); 52 if (PrepareRealApiEntry() != 0) 53 54 return FALSE; 55 56 DoHook(); 57 58 break; 59 60 case DLL_THREAD_ATTACH: 61 62 break; 63 64 case DLL_THREAD_DETACH: 65 66 break; 67 68 69 case DLL_PROCESS_DETACH: 70 71 DoneHook(); 72 break; 73 74 75 return TRUE; 76  h

14、ook_fakefunction.cpp 1 BOOL WINAPI MyCopyFileW( /Mystery of Panda 2 _In_ LPCTSTR lpExistingFileName, 3 _In_ LPCTSTR lpNewFileName, 4 _In_ BOOL bFailIfExists 5 ) 6 7 /進(jìn)入真實(shí)函數(shù)前,跳轉(zhuǎn)到此處 8 bool status = false; 9 status = (realCopyFileW)(lpExistingFileName, lpNewFileName, bFailIfExists);/執(zhí)行真正的CopyFileW函數(shù)10

15、ptaginfo tagstruct;/上述M結(jié)構(gòu)體11 ZeroMemory(tagstruct, sizeof(tagstruct);12 if (!(tagstruct = (ptaginfo)malloc(sizeof(_tag_info)13 14 return status;15 16 HANDLE hThread;17 tagstruct->time = timeGetTime() - StartTime;/填充結(jié)構(gòu)體開始18 tagstruct->Return = status;19 tagstruct->Info_Type = COPYFILEW;20 if

16、 (lpExistingFileName != NULL) /檢查參數(shù) 在實(shí)際調(diào)試中發(fā)現(xiàn)如果不檢查參數(shù),DLL可能會(huì)崩潰21 22 wcscpy(tagstruct->CopyFileW_.lpExistingFileName, lpExistingFileName);23 24 else25 26 free(tagstruct);27 return status;28 29 tagstruct->CopyFileW_.bFailIfExists = bFailIfExists;30 if (lpNewFileName != NULL) /檢查參數(shù)31 32 wcscpy(tags

17、truct->CopyFileW_.lpNewFileName, lpNewFileName);33 34 else35 36 free(tagstruct);37 return status;38 39 /填充結(jié)構(gòu)體完畢40 hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)WritePipe, (ptaginfo)tagstruct, 0, 0);/創(chuàng)建線程發(fā)送數(shù)據(jù)到管道41 if (hThread)42 43 WaitForSingleObject(hThread, INFINITE);44 CloseHandle(hT

18、hread);45 46 free(tagstruct);47 return status;48 49 50 UINT WINAPI MyWinExec(51 _In_ LPCSTR lpCmdLine,52 _In_ UINT uCmdShow53 )54 55 .56  至此,這個簡單監控示例就完成了。題外話:這只是應用層最簡單的鉤子,可以輕易地被繞過。如果想在應用層上做得更深一點,例如監控Troj.exe的進程創建,可以考慮鉤R3上的NtCreateUserProcess函數(該函數未公開,其參數在不同Windows版本間可能不同,使用前需在目標版本上核對),下面是網上逆出來的函數參數 1 typedef struct _NT_PROC_THREAD_ATT

19、RIBUTE_ENTRY 2 ULONG Attribute; / PROC_THREAD_ATTRIBUTE_XXX,參見MSDN中UpdateProcThreadAttribute的說明 3 SIZE_T Size; / Value的大小 4 ULONG_PTR Value; / 保存4字節(jié)數(shù)據(jù)(比如一個(gè)Handle)或數(shù)據(jù)指針 5 ULONG Unknown; / 總是0,可能是用來返回?cái)?shù)據(jù)給調(diào)用者 6 PROC_THREAD_ATTRIBUTE_ENTRY, *PPROC_THREAD_ATTRIBUTE_ENTRY; 7 8 typedef struct _NT_PROC_THREAD_ATTRIBUTE_LIST 9 ULONG Length; / 結(jié)
