Windows MiniHook HookAPIDemo

Posted 冰翔不败传说

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Windows MiniHook HookAPIDemo相关的知识,希望对你有一定的参考价值。

远程注入DLL部分


// InjectTestDlg.h : 头文件
//

#pragma once
#include "UUBaseDefine.h"


// CInjectTestDlg 对话框
class CInjectTestDlg : public CDialogEx
{
// 构造
public:
	CInjectTestDlg(CWnd* pParent = NULL);	// 标准构造函数

// 对话框数据
#ifdef AFX_DESIGN_TIME
	enum { IDD = IDD_INJECTTEST_DIALOG };
#endif

	protected:
	virtual void DoDataExchange(CDataExchange* pDX);	// DDX/DDV 支持


// 实现
protected:
	HICON m_hIcon;
	DWORD m_processIDAry[100];
	int m_processCount;
	RefString m_dllPath;
	// 生成的消息映射函数
	virtual BOOL OnInitDialog();
	afx_msg void OnSysCommand(UINT nID, LPARAM lParam);
	afx_msg void OnPaint();
	afx_msg HCURSOR OnQueryDragIcon();
	DECLARE_MESSAGE_MAP()
	void clearProcessID();
	void injectByProcessName(const WCHAR* procesName);
	void injectByProcessID(DWORD processID, PTHREAD_START_ROUTINE loadLibraryFunction);
	void uninjectAllProcess();
public:
	afx_msg void OnBnClickedInject();	
	afx_msg void OnBnClickedUninject();
	void log(const WCHAR* data);
};

// InjectTestDlg.cpp : 实现文件
//

#include "stdafx.h"
#include "InjectTest.h"
#include "InjectTestDlg.h"
#include "afxdialogex.h"
#include "UUBaseDefine.h"
#include <shlwapi.h>
#include <Tlhelp32.h>

#ifdef _DEBUG
#define new DEBUG_NEW
#endif




// 用于应用程序“关于”菜单项的 CAboutDlg 对话框

class CAboutDlg : public CDialogEx
{
public:
	CAboutDlg();

// 对话框数据
#ifdef AFX_DESIGN_TIME
	enum { IDD = IDD_ABOUTBOX };
#endif

	protected:
	virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV 支持

// 实现
protected:
	DECLARE_MESSAGE_MAP()
};

CAboutDlg::CAboutDlg() : CDialogEx(IDD_ABOUTBOX)
{
}

void CAboutDlg::DoDataExchange(CDataExchange* pDX)
{
	CDialogEx::DoDataExchange(pDX);
}

BEGIN_MESSAGE_MAP(CAboutDlg, CDialogEx)
END_MESSAGE_MAP()


// CInjectTestDlg 对话框



CInjectTestDlg::CInjectTestDlg(CWnd* pParent /*=NULL*/)
	: CDialogEx(IDD_INJECTTEST_DIALOG, pParent)
{
	m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
}

void CInjectTestDlg::DoDataExchange(CDataExchange* pDX)
{
	CDialogEx::DoDataExchange(pDX);
}

BEGIN_MESSAGE_MAP(CInjectTestDlg, CDialogEx)
	ON_WM_SYSCOMMAND()
	ON_WM_PAINT()
	ON_WM_QUERYDRAGICON()
	ON_BN_CLICKED(ID_INJECT, &CInjectTestDlg::OnBnClickedInject)
	ON_BN_CLICKED(ID_UNINJECT, &CInjectTestDlg::OnBnClickedUninject)
END_MESSAGE_MAP()


// CInjectTestDlg 消息处理程序

//
//提升进程特权
//
bool AdjustProcessPrivileges(HANDLE hProcess, LPCTSTR PrivilegeName)
{

	HANDLE hToken;
	bool bRet = false;
	TOKEN_PRIVILEGES tkp = { 0 };	
	//
	//得到进程的令牌句柄;
	//
	if (!OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
	{		
		goto Exit;

	}
	//
	获得本地机唯一的标识,查询权限
	//
	LookupPrivilegeValue(NULL, PrivilegeName, &tkp.Privileges[0].Luid);
	tkp.PrivilegeCount = 1;
	tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), (PTOKEN_PRIVILEGES)NULL, 0); //调整获得的权限
	
	bRet = true;
Exit:
	return bRet;
}

BOOL CInjectTestDlg::OnInitDialog()
{
	CDialogEx::OnInitDialog();

	// 将“关于...”菜单项添加到系统菜单中。

	// IDM_ABOUTBOX 必须在系统命令范围内。
	ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
	ASSERT(IDM_ABOUTBOX < 0xF000);

	CMenu* pSysMenu = GetSystemMenu(FALSE);
	if (pSysMenu != NULL)
	{
		BOOL bNameValid;
		CString strAboutMenu;
		bNameValid = strAboutMenu.LoadString(IDS_ABOUTBOX);
		ASSERT(bNameValid);
		if (!strAboutMenu.IsEmpty())
		{
			pSysMenu->AppendMenu(MF_SEPARATOR);
			pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu);
		}
	}

	// 设置此对话框的图标。  当应用程序主窗口不是对话框时,框架将自动
	//  执行此操作
	SetIcon(m_hIcon, TRUE);			// 设置大图标
	SetIcon(m_hIcon, FALSE);		// 设置小图标

	// TODO: 在此添加额外的初始化代码
	CWnd* hWnd = GetDlgItem(ID_EDIT);
	//hWnd->SetWindowTextW(L"WindowsHookTest.exe");
	hWnd->SetWindowTextW(L"chrome.exe");
	//提权
	if (!AdjustProcessPrivileges(GetCurrentProcess(), L"UUDebugPrivilege"))
	{
		MessageBoxW(L"提权失败", L"提示", MB_OK);
	}
	clearProcessID();
	m_dllPath = WKFileUtil::getFilePath(L"HookDLL.dll");
	return TRUE;  // 除非将焦点设置到控件,否则返回 TRUE
}

void CInjectTestDlg::OnSysCommand(UINT nID, LPARAM lParam)
{
	if ((nID & 0xFFF0) == IDM_ABOUTBOX)
	{
		CAboutDlg dlgAbout;
		dlgAbout.DoModal();
	}
	else
	{
		CDialogEx::OnSysCommand(nID, lParam);
	}
}

// 如果向对话框添加最小化按钮,则需要下面的代码
//  来绘制该图标。  对于使用文档/视图模型的 MFC 应用程序,
//  这将由框架自动完成。

void CInjectTestDlg::OnPaint()
{
	if (IsIconic())
	{
		CPaintDC dc(this); // 用于绘制的设备上下文

		SendMessage(WM_ICONERASEBKGND, reinterpret_cast<WPARAM>(dc.GetSafeHdc()), 0);

		// 使图标在工作区矩形中居中
		int cxIcon = GetSystemMetrics(SM_CXICON);
		int cyIcon = GetSystemMetrics(SM_CYICON);
		CRect rect;
		GetClientRect(&rect);
		int x = (rect.Width() - cxIcon + 1) / 2;
		int y = (rect.Height() - cyIcon + 1) / 2;

		// 绘制图标
		dc.DrawIcon(x, y, m_hIcon);
	}
	else
	{
		CDialogEx::OnPaint();
	}
}

//当用户拖动最小化窗口时系统调用此函数取得光标
//显示。
HCURSOR CInjectTestDlg::OnQueryDragIcon()
{
	return static_cast<HCURSOR>(m_hIcon);
}

void CInjectTestDlg::clearProcessID()
{
	memset(m_processIDAry, 0, sizeof(DWORD) * 100);
	m_processCount = 0;
}

void CInjectTestDlg::injectByProcessName(const WCHAR* procesName)
{
	PROCESSENTRY32 pe;
	HANDLE thSnapshot;
	const char   *pPName = NULL;
	BOOL retval, bFind = false;
	thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (thSnapshot == INVALID_HANDLE_VALUE)
		return;

	pe.dwSize = sizeof(PROCESSENTRY32);
	retval = Process32First(thSnapshot, &pe);
	while (retval)
	{
		RefString name = new WKString(pe.szExeFile);
		if (name->equalsIgnoreCase(procesName))
		{
			m_processIDAry[m_processCount] = pe.th32ProcessID;
			m_processCount++;

		}
		retval = Process32Next(thSnapshot, &pe);
		pe.dwSize = sizeof(PROCESSENTRY32);
	}	
	if (thSnapshot)
		CloseHandle(thSnapshot);

	if (m_processCount == 0)
	{
		log(L"目标程序还没有打开");
		return;
	}

	PTHREAD_START_ROUTINE function = NULL;
	function = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryW");
	if (function == NULL)
	{
		log(L"找到函数LoadLibraryW错误");
		return;
	}
	for (int i = 0; i < m_processCount;i++)
	{
		injectByProcessID(m_processIDAry[i], function);
	}	
}

void CInjectTestDlg::injectByProcessID(DWORD processID, PTHREAD_START_ROUTINE loadLibraryFunction)
{
	HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, processID); //CREATE_THREAD_ACCESS
	if (!hProcess)
	{
		log(L"OpenProcess错误");
		return;
	}
	int size = (m_dllPath->length() + 1) * sizeof(WCHAR);
	LPVOID newBuf = VirtualAllocEx(hProcess, NULL, size, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
	BOOL success = WriteProcessMemory(hProcess, (LPVOID)newBuf, (LPVOID)m_dllPath->chars(), size, NULL);
	if (!success)
	{
		log(L"WriteProcessMemory错误");
		return;
	}
	DWORD threadID = 0;
	HANDLE hThread = CreateRemoteThread(hProcess, NULL, NULL, loadLibraryFunction, newBuf, NULL, &threadID);
	if (hThread)
		WaitForSingleObject(hThread, INFINITE);
	VirtualFreeEx(hProcess, newBuf, size, MEM_DECOMMIT);
	if (hThread)
		CloseHandle(hThread);
	if (hProcess)
		CloseHandle(hProcess);
	hThread = NULL;
	hProcess = NULL;
}

void CInjectTestDlg::uninjectAllProcess()
{
	PTHREAD_START_ROUTINE function = NULL;
	function = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "FreeLibrary");

	for (int i = 0; i < m_processCount;i++)
	{
		DWORD processID = m_processIDAry[i];
		HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, processID); //CREATE_THREAD_ACCESS
		if (!hProcess)
		{
			log(L"OpenProcess错误");
			continue;
		}
		//创建进程快照	
		HMODULE module = NULL;
		HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, processID);
		MODULEENTRY32 ME32 = { 0 };
		ME32.dwSize = sizeof(MODULEENTRY32);
		BOOL isNext = Module32First(hSnap, &ME32);
		BOOL flag = FALSE;
		while (isNext)
		{
			RefString moduleName = new WKString(ME32.szModule);
			if (moduleName->equalsIgnoreCase(L"HookDLL.dll"))
			{
				module = ME32.hModule;
				flag = TRUE;
				break;
			}
			isNext = Module32Next(hSnap, &ME32);
		}
		CloseHandle(hSnap);
		if (flag == FALSE)
		{
			continue;			
		}				
		DWORD threadID = 0;
		HANDLE hThread = CreateRemoteThread(hProcess, NULL, NULL, (PTHREAD_START_ROUTINE)function, (LPVOID)module, NULL, &threadID);
		if (hThread)
			WaitForSingleObject(hThread, INFINITE);
		CloseHandle(hThread);
		if (hProcess)
			CloseHandle(hProcess);
	}	
	clearProcessID();
}

void CInjectTestDlg::OnBnClickedInject()
{
	// TODO: 在此添加控件通知处理程序代码
	CWnd* hWnd = GetDlgItem(ID_EDIT);
	WCHAR buf[256] = { 0 };
	hWnd->GetWindowTextW(buf, 256);
	uninjectAllProcess();
	injectByProcessName(buf);	
}

void CInjectTestDlg::log(const WCHAR* data)
{
	MessageBoxW(data, L"提示", MB_OK);
}


void CInjectTestDlg::OnBnClickedUninject()
{
	// TODO: 在此添加控件通知处理程序代码
	uninjectAllProcess();	
}

DLL注入部分

#include <WinSock2.h>
#include "MinHook.h"

void init();
void uninit();

typedef int (WSAAPI* UUConnectFunction)(SOCKET, const struct sockaddr FAR *, int);
UUConnectFunction fpConnect = NULL;
int
WSAAPI
MyConnect(
	_In_ SOCKET s,
	_In_reads_bytes_(namelen) const struct sockaddr FAR * name,
	_In_ int namelen
)
{
	if (name->sa_family == AF_INET)
	{
		SOCKADDR_IN* addr = (SOCKADDR_IN*)name;
		int port = htons(addr->sin_port);
		if (addr->sin_addr.S_un.S_un_b.s_b1 == 172
			&& addr->sin_addr.S_un.S_un_b.s_b2 == 16
			&& addr->sin_addr.S_un.S_un_b.s_b3 == 30
			&& addr->sin_addr.S_un.S_un_b.s_b4 == 20)
		{
			return SOCKET_ERROR;
		}
	}


	return fpConnect(s, name, namelen);
}

BOOL APIENTRY DllMain(HMODULE hModule,
	DWORD  ul_reason_for_call,
	LPVOID lpReserved
)
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
	{
		//MessageBoxW(NULL, L"注入", L"提示", MB_OK);
		init();
		break;
	}
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	{
		break;
	}
	case DLL_PROCESS_DETACH:
	{		
		uninit();
		break;
	}
	}
	return TRUE;
}

void init()
{
	if (MH_Initialize() != MH_OK)
	{
		MessageBoxW(NULL, L"MH_Initialize失败", L"提示", MB_OK);
	}
	// Create a hook for MessageBoxW, in disabled state.
	if (MH_CreateHook(&connect, &MyConnect,
		reinterpret_cast<void**>(&fpConnect)) != MH_OK)
	{
		MessageBoxW(NULL, L"MH_CreateHook失败", L"提示", MB_OK);
	}

	// Enable the hook for MessageBoxW.
	if (MH_EnableHook(&connect) != MH_OK)
	{
		MessageBoxW(NULL, L"MH_EnableHook失败", L"提示", MB_OK);
	}
}
void uninit()
{
	if (MH_DisableHook(&connect) != MH_OK)
	{
		MessageBoxW(NULL, L"MH_DisableHook失败", L"提示", MB_OK);
	}
	if (MH_Uninitialize() != MH_OK)
	{
		MessageBoxW(NULL, L"MH_Uninitialize失败", L"提示", MB_OK);
	}
}

Hook Conect函数部分 不允许谷歌浏览器访问172.16.30.20网段

 注入效果

 

 

 Git地址 https://github.com/TsudaKageyu/minhook

以上是关于Windows MiniHook HookAPIDemo的主要内容,如果未能解决你的问题,请参考以下文章

[原创]MinHook测试与分析(x64下 E9,EB,CALL指令测试,且逆推测试微软热补丁)

不止 Windows 10!Windows 7/8 也能免费升级到 Windows 11

Windows 11 即将问世 | Windows 10 和 Windows 11 该如何抉择

windows98

如何让Mac,Windows可以互相远程

渗透学习总结-Windows基础