Windows MiniHook HookAPIDemo
Posted 冰翔不败传说
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Windows MiniHook HookAPIDemo相关的知识,希望对你有一定的参考价值。
远程注入DLL部分
// InjectTestDlg.h : 头文件
//
#pragma once
#include "UUBaseDefine.h"
// CInjectTestDlg 对话框
class CInjectTestDlg : public CDialogEx
{
// 构造
public:
CInjectTestDlg(CWnd* pParent = NULL); // 标准构造函数
// 对话框数据
#ifdef AFX_DESIGN_TIME
enum { IDD = IDD_INJECTTEST_DIALOG };
#endif
protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV 支持
// 实现
protected:
HICON m_hIcon;
DWORD m_processIDAry[100];
int m_processCount;
RefString m_dllPath;
// 生成的消息映射函数
virtual BOOL OnInitDialog();
afx_msg void OnSysCommand(UINT nID, LPARAM lParam);
afx_msg void OnPaint();
afx_msg HCURSOR OnQueryDragIcon();
DECLARE_MESSAGE_MAP()
void clearProcessID();
void injectByProcessName(const WCHAR* procesName);
void injectByProcessID(DWORD processID, PTHREAD_START_ROUTINE loadLibraryFunction);
void uninjectAllProcess();
public:
afx_msg void OnBnClickedInject();
afx_msg void OnBnClickedUninject();
void log(const WCHAR* data);
};
// InjectTestDlg.cpp : 实现文件
//
#include "stdafx.h"
#include "InjectTest.h"
#include "InjectTestDlg.h"
#include "afxdialogex.h"
#include "UUBaseDefine.h"
#include <shlwapi.h>
#include <Tlhelp32.h>
#ifdef _DEBUG
#define new DEBUG_NEW
#endif
// 用于应用程序“关于”菜单项的 CAboutDlg 对话框
class CAboutDlg : public CDialogEx
{
public:
CAboutDlg();
// 对话框数据
#ifdef AFX_DESIGN_TIME
enum { IDD = IDD_ABOUTBOX };
#endif
protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV 支持
// 实现
protected:
DECLARE_MESSAGE_MAP()
};
CAboutDlg::CAboutDlg() : CDialogEx(IDD_ABOUTBOX)
{
}
void CAboutDlg::DoDataExchange(CDataExchange* pDX)
{
CDialogEx::DoDataExchange(pDX);
}
BEGIN_MESSAGE_MAP(CAboutDlg, CDialogEx)
END_MESSAGE_MAP()
// CInjectTestDlg 对话框
CInjectTestDlg::CInjectTestDlg(CWnd* pParent /*=NULL*/)
: CDialogEx(IDD_INJECTTEST_DIALOG, pParent)
{
m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
}
void CInjectTestDlg::DoDataExchange(CDataExchange* pDX)
{
CDialogEx::DoDataExchange(pDX);
}
BEGIN_MESSAGE_MAP(CInjectTestDlg, CDialogEx)
ON_WM_SYSCOMMAND()
ON_WM_PAINT()
ON_WM_QUERYDRAGICON()
ON_BN_CLICKED(ID_INJECT, &CInjectTestDlg::OnBnClickedInject)
ON_BN_CLICKED(ID_UNINJECT, &CInjectTestDlg::OnBnClickedUninject)
END_MESSAGE_MAP()
// CInjectTestDlg 消息处理程序
//
//提升进程特权
//
bool AdjustProcessPrivileges(HANDLE hProcess, LPCTSTR PrivilegeName)
{
HANDLE hToken;
bool bRet = false;
TOKEN_PRIVILEGES tkp = { 0 };
//
//得到进程的令牌句柄;
//
if (!OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
goto Exit;
}
//
获得本地机唯一的标识,查询权限
//
LookupPrivilegeValue(NULL, PrivilegeName, &tkp.Privileges[0].Luid);
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), (PTOKEN_PRIVILEGES)NULL, 0); //调整获得的权限
bRet = true;
Exit:
return bRet;
}
BOOL CInjectTestDlg::OnInitDialog()
{
CDialogEx::OnInitDialog();
// 将“关于...”菜单项添加到系统菜单中。
// IDM_ABOUTBOX 必须在系统命令范围内。
ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
ASSERT(IDM_ABOUTBOX < 0xF000);
CMenu* pSysMenu = GetSystemMenu(FALSE);
if (pSysMenu != NULL)
{
BOOL bNameValid;
CString strAboutMenu;
bNameValid = strAboutMenu.LoadString(IDS_ABOUTBOX);
ASSERT(bNameValid);
if (!strAboutMenu.IsEmpty())
{
pSysMenu->AppendMenu(MF_SEPARATOR);
pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu);
}
}
// 设置此对话框的图标。 当应用程序主窗口不是对话框时,框架将自动
// 执行此操作
SetIcon(m_hIcon, TRUE); // 设置大图标
SetIcon(m_hIcon, FALSE); // 设置小图标
// TODO: 在此添加额外的初始化代码
CWnd* hWnd = GetDlgItem(ID_EDIT);
//hWnd->SetWindowTextW(L"WindowsHookTest.exe");
hWnd->SetWindowTextW(L"chrome.exe");
//提权
if (!AdjustProcessPrivileges(GetCurrentProcess(), L"UUDebugPrivilege"))
{
MessageBoxW(L"提权失败", L"提示", MB_OK);
}
clearProcessID();
m_dllPath = WKFileUtil::getFilePath(L"HookDLL.dll");
return TRUE; // 除非将焦点设置到控件,否则返回 TRUE
}
void CInjectTestDlg::OnSysCommand(UINT nID, LPARAM lParam)
{
if ((nID & 0xFFF0) == IDM_ABOUTBOX)
{
CAboutDlg dlgAbout;
dlgAbout.DoModal();
}
else
{
CDialogEx::OnSysCommand(nID, lParam);
}
}
// 如果向对话框添加最小化按钮,则需要下面的代码
// 来绘制该图标。 对于使用文档/视图模型的 MFC 应用程序,
// 这将由框架自动完成。
void CInjectTestDlg::OnPaint()
{
if (IsIconic())
{
CPaintDC dc(this); // 用于绘制的设备上下文
SendMessage(WM_ICONERASEBKGND, reinterpret_cast<WPARAM>(dc.GetSafeHdc()), 0);
// 使图标在工作区矩形中居中
int cxIcon = GetSystemMetrics(SM_CXICON);
int cyIcon = GetSystemMetrics(SM_CYICON);
CRect rect;
GetClientRect(&rect);
int x = (rect.Width() - cxIcon + 1) / 2;
int y = (rect.Height() - cyIcon + 1) / 2;
// 绘制图标
dc.DrawIcon(x, y, m_hIcon);
}
else
{
CDialogEx::OnPaint();
}
}
//当用户拖动最小化窗口时系统调用此函数取得光标
//显示。
HCURSOR CInjectTestDlg::OnQueryDragIcon()
{
return static_cast<HCURSOR>(m_hIcon);
}
void CInjectTestDlg::clearProcessID()
{
memset(m_processIDAry, 0, sizeof(DWORD) * 100);
m_processCount = 0;
}
void CInjectTestDlg::injectByProcessName(const WCHAR* procesName)
{
PROCESSENTRY32 pe;
HANDLE thSnapshot;
const char *pPName = NULL;
BOOL retval, bFind = false;
thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (thSnapshot == INVALID_HANDLE_VALUE)
return;
pe.dwSize = sizeof(PROCESSENTRY32);
retval = Process32First(thSnapshot, &pe);
while (retval)
{
RefString name = new WKString(pe.szExeFile);
if (name->equalsIgnoreCase(procesName))
{
m_processIDAry[m_processCount] = pe.th32ProcessID;
m_processCount++;
}
retval = Process32Next(thSnapshot, &pe);
pe.dwSize = sizeof(PROCESSENTRY32);
}
if (thSnapshot)
CloseHandle(thSnapshot);
if (m_processCount == 0)
{
log(L"目标程序还没有打开");
return;
}
PTHREAD_START_ROUTINE function = NULL;
function = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryW");
if (function == NULL)
{
log(L"找到函数LoadLibraryW错误");
return;
}
for (int i = 0; i < m_processCount;i++)
{
injectByProcessID(m_processIDAry[i], function);
}
}
void CInjectTestDlg::injectByProcessID(DWORD processID, PTHREAD_START_ROUTINE loadLibraryFunction)
{
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, processID); //CREATE_THREAD_ACCESS
if (!hProcess)
{
log(L"OpenProcess错误");
return;
}
int size = (m_dllPath->length() + 1) * sizeof(WCHAR);
LPVOID newBuf = VirtualAllocEx(hProcess, NULL, size, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
BOOL success = WriteProcessMemory(hProcess, (LPVOID)newBuf, (LPVOID)m_dllPath->chars(), size, NULL);
if (!success)
{
log(L"WriteProcessMemory错误");
return;
}
DWORD threadID = 0;
HANDLE hThread = CreateRemoteThread(hProcess, NULL, NULL, loadLibraryFunction, newBuf, NULL, &threadID);
if (hThread)
WaitForSingleObject(hThread, INFINITE);
VirtualFreeEx(hProcess, newBuf, size, MEM_DECOMMIT);
if (hThread)
CloseHandle(hThread);
if (hProcess)
CloseHandle(hProcess);
hThread = NULL;
hProcess = NULL;
}
void CInjectTestDlg::uninjectAllProcess()
{
PTHREAD_START_ROUTINE function = NULL;
function = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "FreeLibrary");
for (int i = 0; i < m_processCount;i++)
{
DWORD processID = m_processIDAry[i];
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, processID); //CREATE_THREAD_ACCESS
if (!hProcess)
{
log(L"OpenProcess错误");
continue;
}
//创建进程快照
HMODULE module = NULL;
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, processID);
MODULEENTRY32 ME32 = { 0 };
ME32.dwSize = sizeof(MODULEENTRY32);
BOOL isNext = Module32First(hSnap, &ME32);
BOOL flag = FALSE;
while (isNext)
{
RefString moduleName = new WKString(ME32.szModule);
if (moduleName->equalsIgnoreCase(L"HookDLL.dll"))
{
module = ME32.hModule;
flag = TRUE;
break;
}
isNext = Module32Next(hSnap, &ME32);
}
CloseHandle(hSnap);
if (flag == FALSE)
{
continue;
}
DWORD threadID = 0;
HANDLE hThread = CreateRemoteThread(hProcess, NULL, NULL, (PTHREAD_START_ROUTINE)function, (LPVOID)module, NULL, &threadID);
if (hThread)
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
if (hProcess)
CloseHandle(hProcess);
}
clearProcessID();
}
void CInjectTestDlg::OnBnClickedInject()
{
// TODO: 在此添加控件通知处理程序代码
CWnd* hWnd = GetDlgItem(ID_EDIT);
WCHAR buf[256] = { 0 };
hWnd->GetWindowTextW(buf, 256);
uninjectAllProcess();
injectByProcessName(buf);
}
void CInjectTestDlg::log(const WCHAR* data)
{
MessageBoxW(data, L"提示", MB_OK);
}
void CInjectTestDlg::OnBnClickedUninject()
{
// TODO: 在此添加控件通知处理程序代码
uninjectAllProcess();
}
DLL注入部分
#include <WinSock2.h>
#include "MinHook.h"
void init();
void uninit();
typedef int (WSAAPI* UUConnectFunction)(SOCKET, const struct sockaddr FAR *, int);
UUConnectFunction fpConnect = NULL;
int
WSAAPI
MyConnect(
_In_ SOCKET s,
_In_reads_bytes_(namelen) const struct sockaddr FAR * name,
_In_ int namelen
)
{
if (name->sa_family == AF_INET)
{
SOCKADDR_IN* addr = (SOCKADDR_IN*)name;
int port = htons(addr->sin_port);
if (addr->sin_addr.S_un.S_un_b.s_b1 == 172
&& addr->sin_addr.S_un.S_un_b.s_b2 == 16
&& addr->sin_addr.S_un.S_un_b.s_b3 == 30
&& addr->sin_addr.S_un.S_un_b.s_b4 == 20)
{
return SOCKET_ERROR;
}
}
return fpConnect(s, name, namelen);
}
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
//MessageBoxW(NULL, L"注入", L"提示", MB_OK);
init();
break;
}
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
{
break;
}
case DLL_PROCESS_DETACH:
{
uninit();
break;
}
}
return TRUE;
}
void init()
{
if (MH_Initialize() != MH_OK)
{
MessageBoxW(NULL, L"MH_Initialize失败", L"提示", MB_OK);
}
// Create a hook for MessageBoxW, in disabled state.
if (MH_CreateHook(&connect, &MyConnect,
reinterpret_cast<void**>(&fpConnect)) != MH_OK)
{
MessageBoxW(NULL, L"MH_CreateHook失败", L"提示", MB_OK);
}
// Enable the hook for MessageBoxW.
if (MH_EnableHook(&connect) != MH_OK)
{
MessageBoxW(NULL, L"MH_EnableHook失败", L"提示", MB_OK);
}
}
void uninit()
{
if (MH_DisableHook(&connect) != MH_OK)
{
MessageBoxW(NULL, L"MH_DisableHook失败", L"提示", MB_OK);
}
if (MH_Uninitialize() != MH_OK)
{
MessageBoxW(NULL, L"MH_Uninitialize失败", L"提示", MB_OK);
}
}
Hook Conect函数部分 不允许谷歌浏览器访问172.16.30.20网段
注入效果
以上是关于Windows MiniHook HookAPIDemo的主要内容,如果未能解决你的问题,请参考以下文章
[原创]MinHook测试与分析(x64下 E9,EB,CALL指令测试,且逆推测试微软热补丁)
不止 Windows 10!Windows 7/8 也能免费升级到 Windows 11