Windows and Linux function hijacking

Detours hijacking can be used on Windows.
In release mode the program cannot be debugged, but its functions can still be hijacked.

Principle of function hijacking

How to implement hooking with Detours

Detours is a library developed by Microsoft Research Asia; it is mainly used for hijacking (hooking) functions.
Detours changes a function's behaviour through its function pointer, so it can intercept any function, even operating-system functions.
1. Install Detours.
2. Build the library file (nmake compilation).
3. Include the header file and link the library file:

#include <detours.h>
#pragma comment(lib, "detours.lib")
4. Define the old function pointer and the new function

Define the old function pointer, initialised to the original function (MessageBoxW takes wide strings, so the parameters are LPCWSTR):

static int (WINAPI *OLD_MessageBoxW)(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType) = MessageBoxW;

Define the new function:

int WINAPI NEW_MessageBoxW(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType)
{
    // Redefine the function's behaviour here.
    // Returning without calling OLD_MessageBoxW blocks the call entirely;
    // an if/else can restrict which calls are allowed.
    // Here a dialog box asks whether to allow or deny the intercepted call.
    // The question is asked through OLD_MessageBoxW (the trampoline to the
    // original); calling MessageBoxW directly here would re-enter this hook.
    if (IDYES == OLD_MessageBoxW(NULL, lpText, L"Interception successful! Allow this call?", MB_YESNO))
        return OLD_MessageBoxW(hWnd, lpText, lpCaption, uType); // allowed: forward to the original
    else
        return 0;                                               // denied: the original never runs
}
5. Start and cancel interception

Start interception:

void Hook()
{
    DetourRestoreAfterWith();               // restore the original state
    DetourTransactionBegin();               // start of the interception transaction
    DetourUpdateThread(GetCurrentThread()); // refresh the current thread
    // DetourAttach can be called several times in a row to hook several functions.
    DetourAttach((PVOID *)&OLD_MessageBoxW, NEW_MessageBoxW); // install the function interception
    DetourTransactionCommit();              // the interception takes effect
}

Cancel interception:

void UnHook()
{
    DetourTransactionBegin();               // start of the transaction
    DetourUpdateThread(GetCurrentThread()); // refresh the current thread
    // DetourDetach can be called several times in a row to remove several hooks.
    DetourDetach((PVOID *)&OLD_MessageBoxW, NEW_MessageBoxW); // remove the function interception
    DetourTransactionCommit();              // the removal takes effect
}
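DetourAttach works by overwriting the first instructions of the target function with an unconditional jump to the detour, which is also what an integrity check on the defending side can look for. The following C program is an added example, not code from the page or from the Detours library: it inspects a function's entry bytes for the jump patterns an inline hook leaves behind (jmp rel32, opcode E9, or an indirect jmp through FF 25) and compares them with a baseline copy taken before any third-party code could run. The prologue byte strings are constructed samples, not dumps from a real process, and the assumption is that the caller can read the function's code bytes.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Added example: check whether a function entry has been patched with the
 * kind of jump an inline-hooking library such as Detours writes. Detours
 * replaces the first instructions of the target with a 5-byte "jmp rel32"
 * (opcode E9) to the detour; an indirect "jmp [rip+disp32]" (FF 25) is the
 * other common form. The byte sequences below are constructed samples. */

#define PROLOGUE_LEN 8

/* Returns 1 if the bytes at `entry` start with a jmp rel32 or an indirect
 * jmp, i.e. control is diverted before the function's own code runs. */
int prologue_is_jmp(const uint8_t *entry)
{
    if (entry[0] == 0xE9)                      /* jmp rel32 */
        return 1;
    if (entry[0] == 0xFF && entry[1] == 0x25)  /* jmp qword ptr [rip+disp32] */
        return 1;
    return 0;
}

/* Compare the current entry bytes with a copy taken at start-up.
 * Returns the index of the first differing byte, or -1 if unchanged. */
int prologue_first_diff(const uint8_t *baseline, const uint8_t *current, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (baseline[i] != current[i])
            return (int)i;
    return -1;
}

/* Resolve where a jmp rel32 located at address `at` transfers control,
 * so a detection log can record where the detour lives. */
uintptr_t jmp_rel32_target(uintptr_t at, const uint8_t *entry)
{
    int32_t rel;
    memcpy(&rel, entry + 1, sizeof rel);      /* displacement follows the E9 opcode */
    return at + 5 + (uintptr_t)(intptr_t)rel; /* relative to the end of the 5-byte jmp */
}

/* Constructed samples: an unpatched x64 prologue (mov [rsp+8],rbx ...)
 * and the same prologue after a hook wrote "jmp +0x10" over it. */
static const uint8_t CLEAN_X64[PROLOGUE_LEN]  = {0x48, 0x89, 0x5C, 0x24, 0x08, 0x48, 0x89, 0x74};
static const uint8_t HOOKED_X64[PROLOGUE_LEN] = {0xE9, 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0x74};

int main(void)
{
    printf("clean  : %s\n", prologue_is_jmp(CLEAN_X64) ? "patched" : "ok");
    printf("hooked : %s, first diff at byte %d, jumps to entry+0x%lx\n",
           prologue_is_jmp(HOOKED_X64) ? "patched" : "ok",
           prologue_first_diff(CLEAN_X64, HOOKED_X64, PROLOGUE_LEN),
           (unsigned long)(jmp_rel32_target(0x1000, HOOKED_X64) - 0x1000));
    return 0;
}
```

The baseline comparison is the more reliable of the two checks: a hook that starts with a different instruction (a push, or a call) would pass the opcode test but still differ from the copy taken at start-up. Both checks only see the process's own memory, so the copy must be made before any injected module has had a chance to run.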
6. Hijacking your own process: call Hook() and the function is mounted directly.
   Modifying an external program: the hook has to be injected as a module (DLL), so export the entry function with the declaration

__declspec(dllexport)

Hijacking system functions:
#include <stdio.h>
#include <stdlib.h>
#include <Windows.h>
#include <string.h>
#include "detours.h"
#pragma comment(lib, "detours.lib")

// Hijack your own process: keep the original function's address
static int (*poldsystem)(const char *_Command) = system;

// Variant 1: block every call
int newsystem(const char *_Command)
{
    printf("%s", _Command);
    return 0; // the command is not allowed to run
}

// Variant 2: filter, only "tasklist" is blocked
// (the function name is garbled in the source page; newsystem_filter is used here)
int newsystem_filter(const char *_Command)
{
    char *p = strstr(_Command, "tasklist");
    if (p == NULL)
        return poldsystem(_Command);                 // not found: run it through the original
    printf("%s prohibited from execution", _Command); // found: refuse
    return 0;
}

// Start interception
void Hook()
{
    DetourRestoreAfterWith();               // restore the original state
    DetourTransactionBegin();               // start of the interception transaction
    DetourUpdateThread(GetCurrentThread()); // refresh the current thread
    // DetourAttach can be called several times in a row to hook several functions.
    DetourAttach((PVOID *)&poldsystem, newsystem_filter); // install the function interception
    DetourTransactionCommit();              // the interception takes effect
}

int main()
{
    system("calc");     // runs normally: not hooked yet
    Hook();
    system("calc");     // still runs: passes the filter
    system("tasklist"); // blocked by the filter
    getchar();
    return 0;
}
Write the hook as a DLL and inject it into other programs to hijack those applications and filter their calls; programs that have "paid the protection fee" (are on the allow-list) are left unhijacked. Implementing this fully is cumbersome.
#include <stdio.h>
#include <stdlib.h>
#include <Windows.h>
#include <string.h>
#include "detours.h"
#pragma comment(lib, "detours.lib")

static int (*poldsystem)(const char *_Command) = system; // keep the original function's address

int newsystem(const char *_Command)
{
    printf("%s", _Command);
    return 0; // the command is not allowed to run
}

// Start interception
void Hook()
{
    DetourRestoreAfterWith();               // restore the original state
    DetourTransactionBegin();               // start of the interception transaction
    DetourUpdateThread(GetCurrentThread()); // refresh the current thread
    // DetourAttach can be called several times in a row to hook several functions.
    DetourAttach((PVOID *)&poldsystem, newsystem); // install the function interception
    DetourTransactionCommit();              // the interception takes effect
}

// Exported function: called once the DLL has been loaded into the target
__declspec(dllexport) void go()
{
    MessageBoxA(0, "1", "2", 0);
    Hook();
}
The CreateProcessW function is used to create a process:

#include <stdio.h>
#include <stdlib.h>
#include <Windows.h>

int main()
{
    // system("calc");
    // ShellExecuteA(0, "open", "calc", 0, 0, 1);
    STARTUPINFOW si = { sizeof(si) };   // startup information
    PROCESS_INFORMATION pi;             // receives the new process's handles and IDs
    si.dwFlags = STARTF_USESHOWWINDOW;  // honour wShowWindow
    si.wShowWindow = 1;                 // 1 (SW_SHOWNORMAL): show the created process's window
    // CreateProcessW may modify the command line, so it must be a writable buffer
    wchar_t cmdline[] = L"c:\\program files\\internet explorer\\iexplore.exe";
    if (CreateProcessW(NULL, cmdline, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) // create the process
    {
        CloseHandle(pi.hThread);  // the handles are not needed here
        CloseHandle(pi.hProcess);
    }
    return 0;
}
On Windows, hook technology can intercept mouse, keyboard and other system events and attach your own handling to them. Linux has a comparable mechanism that can be used for hook interception. It works by setting the environment variable LD_PRELOAD so that the dynamic loader loads a chosen shared library (the interception library, below) before all others; its symbols then take precedence over functions of the same name in libraries loaded later, such as libc. Set it as LD_PRELOAD="xxx.so".

Example:
/* File name: verifypasswd.c */
/* A program that checks a user password with the standard C function strcmp */
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char passwd[] = "password";
    if (argc < 2) {
        printf("usage: %s <password>\n", argv[0]);
        return 1;
    }
    if (!strcmp(passwd, argv[1])) {
        printf("Correct Password!\n");
        return 0;
    }
    printf("Invalid Password!\n");
    return 1;
}
Compile the program:

$ gcc -o verifypasswd verifypasswd.c

Test the program (the expected result):

$ ./verifypasswd asdf
Invalid Password!
Above, strcmp decides whether the two strings are equal. Next, a dynamic library is used to override the strcmp function:

/* File name: hack.c */
#include <stdio.h>

int strcmp(const char *s1, const char *s2)
{
    printf("hack function invoked. s1=<%s> s2=<%s>\n", s1, s2);
    /* always return 0, i.e. report the two strings as equal */
    return 0;
}
Compile the library:

$ gcc -shared -fPIC -o hack.so hack.c

Set the LD_PRELOAD variable (so that hack.so, with our rewritten strcmp, is loaded ahead of the other linked libraries):

$ export LD_PRELOAD="./hack.so"

Run the program again:

$ ./verifypasswd asdf
hack function invoked. s1=<password> s2=<asdf>
Correct Password!
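Seen from the defending side, the interposition above leaves two traces in the running process: the LD_PRELOAD variable itself and a shared object mapped from a directory where no system library lives. The following C program is an added example, not part of the original page, showing a self-check a Linux program can run on both signals. It parses text in the /proc/self/maps format (the mapping lines embedded in it are a constructed sample), flags every .so outside a set of system library prefixes, and then repeats the check on the live process. The prefix list is an assumption tuned to a Debian/Ubuntu-style layout and should be adjusted for the target distribution.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: notice LD_PRELOAD-style interposition from inside the process.
 * Signal 1: the LD_PRELOAD variable (cheap to log, trivially removable).
 * Signal 2: shared objects in /proc/self/maps that do not live under a system
 *           library directory. The SAMPLE_MAPS text is constructed, in the
 *           real file's format; the prefix list is an assumption. */

static const char *SYSTEM_LIB_PREFIXES[] = {
    "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/", NULL
};

/* Returns 1 when `path` names a shared object outside the system prefixes. */
int is_foreign_so(const char *path)
{
    if (strstr(path, ".so") == NULL)          /* not a shared object (executable, [heap], ...) */
        return 0;
    for (int i = 0; SYSTEM_LIB_PREFIXES[i]; i++)
        if (strncmp(path, SYSTEM_LIB_PREFIXES[i], strlen(SYSTEM_LIB_PREFIXES[i])) == 0)
            return 0;
    return 1;
}

/* Scan maps-format text (one mapping per line, pathname last) and count the
 * distinct foreign .so files; the first one found is copied into `first`.
 * Mappings of one file are adjacent in /proc/self/maps, so comparing with the
 * previous hit is enough to avoid counting a file once per segment. */
int count_foreign_so(const char *maps, char *first, size_t first_len)
{
    int count = 0;
    char last[4096] = "";
    const char *line = maps;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        /* the pathname starts at the first '/' on the line; the address, perms,
         * offset, device and inode fields before it never contain one */
        const char *slash = memchr(line, '/', len);
        if (slash) {
            char path[4096];
            size_t plen = len - (size_t)(slash - line);
            if (plen >= sizeof path) plen = sizeof path - 1;
            memcpy(path, slash, plen);
            path[plen] = '\0';
            if (is_foreign_so(path) && strcmp(path, last) != 0) {
                if (count == 0 && first) snprintf(first, first_len, "%s", path);
                strcpy(last, path);
                count++;
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return count;
}

/* Constructed sample: verifypasswd running with hack.so preloaded. */
static const char SAMPLE_MAPS[] =
    "55d4c2a00000-55d4c2a01000 r--p 00000000 08:01 1234 /home/user/verifypasswd\n"
    "7f1a3c000000-7f1a3c001000 r--p 00000000 08:01 5678 /home/user/hack.so\n"
    "7f1a3c001000-7f1a3c002000 r-xp 00001000 08:01 5678 /home/user/hack.so\n"
    "7f1a3c200000-7f1a3c222000 r--p 00000000 08:01 9012 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f1a3c222000-7f1a3c3b0000 r-xp 00022000 08:01 9012 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0 [stack]\n";

int main(void)
{
    char first[4096] = "";
    const char *pre = getenv("LD_PRELOAD");
    printf("LD_PRELOAD: %s\n", pre ? pre : "(unset)");
    int k = count_foreign_so(SAMPLE_MAPS, first, sizeof first);
    printf("constructed sample: %d foreign .so, first: %s\n", k, first);

    /* Same check on the live process (the first 64 KiB of maps is enough here). */
    FILE *f = fopen("/proc/self/maps", "r");
    if (f) {
        static char buf[1 << 16];
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        first[0] = '\0';
        k = count_foreign_so(buf, first, sizeof first);
        printf("this process: %d foreign .so%s%s\n", k, k ? ", first: " : "", first);
    }
    return 0;
}
```

The check is advisory rather than a boundary: a preloaded library can unset LD_PRELOAD once it is running, and a library dropped under /usr/lib passes the prefix test. The structural mitigations are the ones a practitioner should rely on: the dynamic loader ignores LD_PRELOAD entries that contain a slash for set-user-ID programs, and a statically linked verifypasswd has no dynamic strcmp symbol to interpose on.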