Inline hook MessageBoxA


This article briefly introduces the inline hook and uses MessageBoxA as the test target.

An inline hook is really nothing more than a JMP followed by another JMP, so it is not hard to understand. Before getting to the code, here is how a simple inline hook is implemented.

1. The hook overwrites the first five bytes of the target function. Five bytes are enough to hold one JMP instruction.

2. Before writing the JMP, save the original five bytes. An array is normally used for this:

    BYTE old_bytes[5] = {0x0};

3. Remove the memory protection on the target page:

    VirtualProtect();

4. Write a JMP to our function, with address = myfunction - oldfunction.

As in step 1, E9 is the machine code of the JMP instruction; it is followed by the 4-byte operand address = myfunction - oldfunction, i.e. the difference between the two addresses (a relative jump; the full program below also subtracts the 5-byte length of the JMP itself).

5. Record the address immediately after the written JMP, so that the hook can return there.

I choose to hold the return address in the eax register and jump through it; in assembly this is:

    __asm
    {
        mov eax, oldaddress
        add eax, 5
        jmp eax
    }

The machine code of this assembly is stored in an 8-byte array (B8 = mov eax, imm32; FF E0 = jmp eax). The address bytes are only a placeholder that is overwritten at run time, and because the program below stores the already adjusted return address, the add instruction itself is not emitted:

    BYTE jmp_back[8] = {0xB8, 0x00, 0x00, 0x40, 0x00, 0xFF, 0xE0, 0x00};


6. Restore the memory protection:

    VirtualProtect();


That is the simple inline hook. Generally an inline hook is placed on the first five bytes of the hooked function, because that location is the least troublesome to handle, but it is also the easiest for tools to detect. This is the classic inline hook.
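As an added example that is not the article's code, the steps above are worked here on plain byte buffers in portable C with 32-bit x86 encoding semantics, together with the check a detection tool runs against a function's first bytes: the E9 operand is computed relative to the instruction after the 5-byte JMP, the mov eax / jmp eax stub from step 5 is encoded, and a detector decodes either pattern back to its destination and compares the current bytes with a saved copy. The addresses and the sample prologue bytes are constructed for the illustration, and the function names are my own, not the article's.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the article): the JMP-for-JMP patch and the check a
 * tool runs to spot it, worked on byte arrays with 32-bit x86 semantics.
 * Nothing here touches live process memory, so it builds and runs anywhere. */

#define JMP_REL32_LEN 5   /* E9 + 4-byte offset: the five bytes the article overwrites */
#define JMP_BACK_LEN  7   /* B8 imm32 FF E0: mov eax, imm32 ; jmp eax */

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Step 4: the E9 operand is relative to the *next* instruction, i.e. src + 5.
 * Unsigned wrap-around makes backward jumps (dst below src) come out right. */
uint32_t jmp_rel32_offset(uint32_t src, uint32_t dst)
{
    return dst - (src + JMP_REL32_LEN);
}

void encode_jmp_rel32(uint8_t out[JMP_REL32_LEN], uint32_t src, uint32_t dst)
{
    out[0] = 0xE9;
    put_le32(out + 1, jmp_rel32_offset(src, dst));
}

/* Step 5: the article's jump-back stub, with the return address folded in. */
void encode_jmp_back(uint8_t out[JMP_BACK_LEN], uint32_t ret)
{
    out[0] = 0xB8;                 /* mov eax, imm32 */
    put_le32(out + 1, ret);
    out[5] = 0xFF; out[6] = 0xE0;  /* jmp eax */
}

/* Detection: does the code at 'addr' start with one of the two stubs above?
 * Returns 1 and writes the decoded destination to *target, else 0. This is the
 * pattern check that makes a hook on a function's first bytes easy to spot. */
int detect_inline_hook(const uint8_t *code, size_t len, uint32_t addr, uint32_t *target)
{
    if (len >= JMP_REL32_LEN && code[0] == 0xE9) {
        *target = addr + JMP_REL32_LEN + get_le32(code + 1);
        return 1;
    }
    if (len >= JMP_BACK_LEN && code[0] == 0xB8 && code[5] == 0xFF && code[6] == 0xE0) {
        *target = get_le32(code + 1);
        return 1;
    }
    return 0;
}

/* Integrity check in the style of the article's old_bytes: compare how a function
 * starts now with a copy taken before any patching. */
int prologue_modified(const uint8_t *saved, const uint8_t *current, size_t n)
{
    return memcmp(saved, current, n) != 0;
}

/* Patch a constructed prologue located at 'src' so it jumps to 'dst', then run the
 * checks on it and return the destination the detector recovers (0 if none). */
uint32_t patch_and_detect(uint32_t src, uint32_t dst)
{
    /* Constructed sample: mov edi,edi ; push ebp ; mov ebp,esp (the usual Win32 API
     * prologue) followed by NOP padding. Illustration only, not bytes read from a DLL. */
    uint8_t func[16] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x90, 0x90, 0x90,
                        0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90};
    uint8_t saved[JMP_REL32_LEN];
    uint32_t target = 0;

    memcpy(saved, func, JMP_REL32_LEN);   /* step 2: keep the original bytes */
    encode_jmp_rel32(func, src, dst);     /* step 4: overwrite them with the JMP */

    if (!prologue_modified(saved, func, JMP_REL32_LEN))
        return 0;                         /* cannot happen after a patch; kept as a guard */
    if (!detect_inline_hook(func, sizeof func, src, &target))
        return 0;
    return target;
}

/* Encode the jump-back stub for 'ret' and read it back through the detector. */
uint32_t jmp_back_roundtrip(uint32_t ret)
{
    uint8_t stub[JMP_BACK_LEN];
    uint32_t back = 0;
    encode_jmp_back(stub, ret);
    return detect_inline_hook(stub, sizeof stub, 0, &back) ? back : 0;
}

int main(void)
{
    /* Constructed addresses: a pretend MessageBoxA and a pretend hook function. */
    uint32_t src = 0x77D507EAu, dst = 0x00401000u;

    printf("rel32 for %08" PRIX32 " -> %08" PRIX32 ": %08" PRIX32 "\n",
           src, dst, jmp_rel32_offset(src, dst));
    printf("detector recovers hook target %08" PRIX32 "\n", patch_and_detect(src, dst));
    printf("jump-back stub returns to %08" PRIX32 "\n", jmp_back_roundtrip(src + JMP_REL32_LEN));
    return 0;
}
```

The detector only knows the two stub shapes used in this article; a real integrity tool compares a function's bytes against the on-disk image of the DLL or a copy saved at start-up, which also catches variants.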

Before hook

After hook



The biggest difficulty with an inline hook is keeping the stack balanced. Once the stack balance is handled correctly, no hook is a problem.


The following is a hook placed deep inside the function rather than at its first bytes; the code is not explained in detail. If you run into problems, leave a comment.

    #include "stdafx.h"
    #include <windows.h>
    #include <stdio.h>

    // 32-bit build only: MSVC supports __declspec(naked) and __asm on x86, not on x64.
    BYTE  old_bytes[5] = {0x0};                                         // saves the five original bytes
    BYTE  jmp_to[5]    = {0xE9, 0x0, 0x0, 0x0, 0x0};                    // JMP rel32 to our hook; offset filled in at run time
    BYTE  jmp_back[8]  = {0xB8, 0x0, 0x0, 0x40, 0x0, 0xFF, 0xE0, 0x0};  // mov eax, imm32 ; jmp eax : back into the original function
    DWORD oldaddress   = 0;

    // Stepping stone: a reserved block of code into which the saved original bytes and the
    // jump-back stub are copied, so that after our work it jumps back into MessageBoxA.
    // 5 saved bytes + 8 bytes of jump-back stub = 13 NOPs of space.
    __declspec(naked) void jmp_to_old(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType)
    {
        __asm
        {
            _emit 0x90
            _emit 0x90
            _emit 0x90
            _emit 0x90
            _emit 0x90
            _emit 0x90
            _emit 0x90
            _emit 0x90
            _emit 0x90
            _emit 0x90
            _emit 0x90
            _emit 0x90
            _emit 0x90
        }
    }

    // Whatever the hook should do after it fires goes here. Finally JMP to the stepping stone,
    // which restores the original instructions and with them the stack balance of MessageBoxA.
    __declspec(naked) void fun1(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType)
    {
        __asm pushad                    // preserve the registers MessageBoxA is using mid-function
        __asm pushfd
        printf("hook success!\n");
        __asm popfd
        __asm popad
        __asm jmp jmp_to_old
    }

    int main(int argc, char* argv[])
    {
        DWORD oldprotect;                                       // previous protection of the page
        oldaddress = (ULONG)MessageBoxA;                        // address of the original function

        // Save the five bytes to be hooked. Here they sit at MessageBoxA + 0x32, quite deep inside
        // the function. The offset is specific to the author's user32.dll and must be re-checked in
        // a disassembler for any other Windows build; the five bytes must also be whole,
        // position-independent instructions, because they are executed again from jmp_to_old.
        memcpy(old_bytes, (PULONG)((ULONG)MessageBoxA + 0x32), 5);
        *(PULONG)(jmp_to + 1)   = (ULONG)fun1 - (ULONG)(oldaddress + 0x32 + 5);  // relative offset: target minus the end of the JMP
        *(PULONG)(jmp_back + 1) = (ULONG)(oldaddress + 0x32 + 5);                // absolute address to return to

        VirtualProtect((PULONG)oldaddress, 0x100, PAGE_EXECUTE_READWRITE, &oldprotect);
        memcpy((PULONG)((ULONG)oldaddress + 0x32), jmp_to, 5);     // installs the hook in MessageBoxA
        VirtualProtect((PULONG)oldaddress, 0x100, oldprotect, &oldprotect);

        VirtualProtect((PULONG)jmp_to_old, 0x100, PAGE_EXECUTE_READWRITE, &oldprotect);
        memcpy((PULONG)jmp_to_old, old_bytes, 5);                   // original bytes first: this restores the stack balance of MessageBoxA
        memcpy((PULONG)((ULONG)jmp_to_old + 5), jmp_back, 8);       // then the jump back into MessageBoxA, which finishes normally
        VirtualProtect((PULONG)jmp_to_old, 0x100, oldprotect, &oldprotect);

        MessageBoxA(NULL, "second", "", 0);                         // call MessageBoxA to check whether the hook fires
        return 0;
    }

Before hook

After hook

Inside fun1: it simply prints "hook success!".

jmp_to_old is the stepping stone function: it restores the stack and jumps back.

Final output

The above are some notes on the way to study. If you have any mistakes, I hope you can point them out.

When reprinting, please credit the source: http://blog.csdn.net/z6470975
