Hook APIs of other processes

Source: Internet
Author: User
Tags pkill

Hook is a technology that has existed for a long time in windows.
Hook is generally divided into two types
1. Hook message
2. HOOK API
This topic is about hook api. (If you are a hook expert, don't read it)
At the beginning of learning HOOK-API, it was often done by "overwriting addresses" and "modifying IAT.
Through these two technologies, we can basically hook the API functions of this process. However, I'm a little sorry when I'm happy,
How can I hook APIs of other processes? How can I hook an API function globally?
The following is a simple implementation of "hook other process API functions. (Hook the messageboxa function of another process)

Two technologies are used in this section.
1. Remote thread Injection
2. Modify IAT, HOOK-API

The Code is as follows:
Three files in total
Install. C injection program
Fundll. cpp DLL Program
Test. cpp Test Program

// ------------------------- Install. c --------------------------
//
// Write by gxter
// Install. c

# Include "windows. H"
# Include "tlhelp32.h"

# Pragma comment (Lib, "th32.lib ")

Const char * pkill = "fundll. dll"; // path of the DLL file

// This path is very interesting. It is relative to the target process, not its own process.
// Therefore, you must write an absolute path and a relative path relative to the target process.
// If writing a path relative to itself is troublesome, the DLL file cannot be found in this program.

Char * prosess = "test.exe"; // process name to be injected (target process name)

Int main ()
{
Handle hsnap;
Handle hkernel32; // handle of the injected Process
Processentry32 PE;
Bool bnext;
Handle htoken;
Token_privileges TP;
Luid;
Lpvoid P;
Farproc PFN;

If (! Openprocesstoken (getcurrentprocess (), token_adjust_privileges | token_query, & htoken ))
{
Return 1;
}

If (! Lookupprivilegevalue (null, se_debug_name, & luid ))
{
Return 1;
}

TP. privilegecount = 1;
TP. Privileges [0]. Attributes = se_privilege_enabled;
TP. Privileges [0]. luid = luid;

If (! Adjusttokenprivileges (htoken, 0, & TP, sizeof (token_privileges), null, null ))
{
Return 1;
}

PE. dwsize = sizeof (PE );
Hsnap = createconlhelp32snapshot (th32cs_snapprocess, 0 );
Bnext = process32first (hsnap, & PE );
While (bnext)
{
If (! Stricmp (PE. szexefile, prosess) // --->
{
Hkernel32 = OpenProcess (process_create_thread | process_vm_write | process_vm_operation, 1, PE. th32processid );
Break;
}
Bnext = process32next (hsnap, & PE );
}

Closehandle (hsnap );

P = virtualallocex (hkernel32, null, strlen (pkill), mem_commit, page_readwrite );
Writeprocessmemory (hkernel32, P, pkill, strlen (pkill), null );
PFN = getprocaddress (getmodulehandle ("kernel32.dll"), "loadlibrarya ");
Createremotethread (hkernel32, null, 0, PFN, P, null, 0 );

Return 0;
}

// ---------------------- Fundll. cpp -----------------------------
//
// Write by gxter
//
// Fundll. cpp

# Include "windows. H"
# Include "process. H"
# Include "tlhelp32.h"
# Include "stdio. H"

# Pragma comment (Lib, "th32.lib ")

Pimage_dos_header pdosheader;
Pimage_nt_headers pntheaders;
Pimage_optional_header poptheader;
Pimage_import_descriptor pimportdescriptor;
Pimage_thunk_data pthunkdata;
Pimage_import_by_name pimportbyname;
Hmodule hmod;

// Define the messageboxa function prototype
Typedef int (winapi * pfnmessagebox) (hwnd, lpcstr, lpcstr, uint utype );
Int winapi messageboxproxy (in hwnd, in lpcstr lptext, In maid, in uint utype );

Int * ADDR = (int *) messageboxa; // The entry address for saving the Function
Int * myaddr = (int *) messageboxproxy;

Void threadproc (void * PARAM); // thread function

Bool winapi dllmain (hinstance hinstdll, DWORD fdwreason, lpvoid lpvreserved)
{
If (fdwreason = dll_process_attach)
_ Beginthread (threadproc, 0, null );

Return true;
}

// End the process function

Void threadproc (void * PARAM)
{
// ------------ Hook api ----------------
Hmod = getmodulehandle (null );

Pdosheader = (pimage_dos_header) hmod;
Pntheaders = (pimage_nt_headers) (byte *) hmod + pdosheader-> e_lfanew );
Poptheader = (pimage_optional_header) & (pntheaders-> optionalheader );

Pimportdescriptor = (pimage_import_descriptor) (byte *) hmod + poptheader-> datadirectory [1]. virtualaddress );

While (pimportdescriptor-> firstthunk)
{
Char * dllname = (char *) (byte *) hmod + pimportdescriptor-> name );

Pthunkdata = (pimage_thunk_data) (byte *) hmod + pimportdescriptor-> originalfirstthunk );

Int NO = 1;
While (pthunkdata-> u1.function)
{
Char * funname = (char *) (byte *) hmod + (DWORD) pthunkdata-> u1.addressofdata + 2 );
Pdword lpaddr = (DWORD *) (byte *) hmod + (DWORD) pimportdescriptor-> firstthunk) + (no-1 );

// Modify the memory part
If (* lpaddr) = (INT) ADDR)
{
// Modify the attributes of the Memory Page
DWORD dwold;
Memory_basic_information MBI;
Virtualquery (lpaddr, & MBI, sizeof (MBI ));
Virtualprotect (lpaddr, sizeof (DWORD), page_readwrite, & dwold );

Writeprocessmemory (getcurrentprocess (),
Lpaddr, & myaddr, sizeof (DWORD), null );
// Restore the attributes of the Memory Page
Virtualprotect (lpaddr, sizeof (DWORD), dwold, 0 );
}
//---------
No ++;
Pthunkdata ++;
}

Pimportdescriptor ++;
}
// ------------------- Hook end -----------------
}

// New MessageBox Function
Int winapi messageboxproxy (in hwnd, in lpcstr lptext, In maid, in uint utype)
{
Return (pfnmessagebox) ADDR) (null, "gxter_test", "gxter_title", 0 );
// Write the processing code for this API function.
}

// ---------------------------- Test. cpp ------------------------------------
//
// Write by gxter
// Test. cpp

# Include "stdio. H"
# Include "windows. H"

Int main ()
{
Printf ("test ---/N ");
While (1)
{
Getchar ();
Messageboxa (null, "original function", "09 hookdemo", 0 );
}
Return 0;
}

// --------------------------- The-end --------------------------------------

Test process: Run test first, do not close (set the target), and then run install (for injection ). But pay attention to the fundll and test file locations.

The above code is written to hook APIs of other processes.
However, there is another problem: "Global hook of API functions ". My idea is to inject all processes.
You just need to simply change the code above to implement it. It seems like the implementation process of the setwindowshookex function.
The above is my idea. Please make an axe if you have any mistakes.

 

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.