Windows message hooks are generally familiar. It's a lot of useful, familiar to have-use the keyboard hook to get the target process keyboard input, so that all kinds of passwords to achieve unspeakable purposes. Friends want to let his software is not the global hook monitoring, there is no way to achieve it? The answer is yes, but there are flaws. Start with a simple look at how the global hook is injected into another process. The message hook is provided by the WIN32 subsystem, and its core part provides the user with a system service to set up the message hook through Ntusersetwindowshookex, and the user registers the global hook through it. When the system gets some events, such as the user button, the keyboard driver the scan code into the win32k of the keyevent processing function, processing function to determine whether there is a corresponding hook, callhook. At this point, the system obtains the hook object information, if the target process does not load the corresponding DLL, then mount it (using the KeUserModeCallback "invoke" user routine, which is different from the APC call, it is the clone interrupt return environment, its invocation is "immediate" nature). After entering the kiusercallbackdispatcher of the user state, KiUserCallbackDispatcher gets the function, parameter, etc. of the call according to the passed data, and then calls. For the above example, to load the hook DLL, the call is LOADLIBRARYEXW, then into the Ldrloaddll, after the load is returned, the following steps are not described. From the above discussion we can come up with the simplest intrusion scheme: hook the corresponding API before loading the hook DLL to make the load fail, but there is a flaw: the system does not give up because of a failure, and every time a message arises to call hook, the system tries to load the DLL in your process, This has a little effect on performance, but it should not be felt. The remaining problem is that not all LOADLIBRARYEXW should be intercepted, this is easy to solve, such as the return address of the judgement. Here is an example fragment that can be added to allow some of the hook DLLs that are allowed to load to be loaded. Here the Hook API uses Microsoft's detours library, which can be modified by itself. The following is the program code: TypeDef hmodule (__stdcall *loadlib) (lpcwstr lpwlibfilename, HANDLE hfile, DWORD dwflags); extern "C" {detour_trampoline (hmodule __stdcall Real_loadlibraryexw (lpcwstr lpwlibfilename, HANDLE hfile, DWORD dwFlags ), LOADLIBRARYEXW); ULONG user32 = 0; hmodule __stdcall Mine_loadlibraryexw (lpcwstr lpwlibfilename, HANDLE hfile, DWORD dwflags) {ULONG addr; _asm mov eax, [ebp+ 4] _asm mov addr, eax if ((User32 & 0xffff0000) = = (addr & 0xffff0000)) {return 0;} hmodule res = (Loadlib (REAL_LOADLIBRARYEXW)) (Lpwlibfilename, hfile, dwflags); return res; BOOL Processattach () {detourfunctionwithtrampoline (pbyte) REAL_LOADLIBRARYEXW, (pbyte) MINE_LOADLIBRARYEXW); return TRUE; BOOL Processdetach () {detourremove (pbyte) REAL_LOADLIBRARYEXW, (pbyte) MINE_LOADLIBRARYEXW); Canti_hookapp::canti_hookapp ()///Call Processattach {User32 = (ULONG) getmodulehandle ("User32.dll") before using user interface services; Processattach (); (Responsible editor: ZHAOHB) to force (0 Votes) Tempted (0 Votes) nonsense (0 Votes) Professional (0 Votes) The title party (0 Votes) passing (0 Votes) The original: Prevent the intrusion of global hook back to network security home
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.