I rely on it. This is the longest time I 've been depressed for a while. I don't know how many days I 've been watching, searching, and asking ,, it is also a good thing to force myself to have some understanding of PE format and assembly. Finally, I still failed to solve it myself ,, it was a help from a big brother named dumb English in vchelp. He changed the program and thanked him !!!
I am still not clear about the concept of module ,,
Now let's look back at Liang zhaoxinshu and the programs in Windows core programming. The windows core programming means that we should first use createconlhelp32snapshot (th32cs_snapmodule, 0) to get all the modules ,, there are a lot of DLL used in each module, and then use the hook program to hook messageboxa in user32.dll in these DLL ,, change the thunk item of messageboxa in IAT of another module to point to its mymessagebox, and insert a DLL into it, still learning), mymessagebox is in it. in this way, when other processes call messageboxa, they will be transferred to mymessagebox In the inserted DLL to implement hook, but the program does not hook its own module, that is, calling messageboxa by yourself is not affected ,,
Liang's book doesn't mean this (I have returned the book, but I can't remember it). Obviously, he copied it, and he hasn't understood it yet ,, (heaven, is this true ?),, He is almost the same as an important part of the Windows core programming program. He also hangs the messageboxa of all other modules, and does not stick his own ,, then I thought that I would turn to mymessagebox when I used messageboxa again. I mean to him, because he didn't seem to mention inserting DLL in that program ,, in addition, you should first save the function address in the form of Proc lpadder = messageboxa;, and a loop will appear when your program is used ,,, in fact, this is useless. Without the IAT of the module, the entry address of messageboxa will never change !!! Of course, I am also depressed here, because, in a single step, I obviously saw that the writeprocessmemory function was successfully executed ,, the content of the address pointing to Thunk is changed to its own mymessagebox address, but I do not know that the module is not mine ,, we can see from the address value that the IAT of my module is around 0x00040000, but it is changed to 0x77 ,, because the baseaddress of those modules is 0x77 ******* or something, it is obvious that it is not the IAT of the program. Therefore, messageboxa in your own program is not affected at all ,, however, the IAT of other modules has been modified, and, ha, and the error is here. After understanding this, the program can be executed according to its own ideas.
Two programs are all posted
By the way
_ Imp _ messageboxa @ 16:
00425324 05 10 40 00 32 add eax, 32004010 H
00425329 12 E1 ADC ah, Cl
001_32b 77 00 ja user32_null_thunk_data + 1 (001_32d)
001_32d 00 00 add byte PTR [eax], Al
Do not think that it is really an Assembly statement. It doesn't work at all. It works only for the hexadecimal numbers. The subsequent Assembly statements are translated by the VC ,, at first, he was confused. Now he doesn't understand the compilation principle, but he probably loads all the PE programs into the virtual space.
In addition, my c skills are poor. I am dizzy when several pointers come down ,,, this part must pass through !!!!!!!!!!!!!!!!!!
# Include "stdio. H"
# Include "windows. H"
# Include "imagehlp. H"
# Include "tlhelp32.h"
# Pragma comment (Lib, "imagehlp. lib ")
# Pragma comment (Lib, "kernel32.lib ")
Typedef struct _ apihook32_entry
{
Lpctstr pszapiname;
Lpctstr pszcallermodulename;
Proc pfnoriginapiaddress;
Proc pfndummyfuncaddress;
Hmodule hmodcallermodule;
} Apihook32_entry, * papihook32_entry;
Typedef int (winapi * pfnmsga) (hwnd, lpctstr, lpctstr, uint );
Bool _ setapihookup (papihook32_entry phk)
{
Pimage_thunk_data pthunk, pthunk1;
Ulong size;
Pimage_import_descriptor pimportdesc = (pimage_import_descriptor) imagedirectoryentrytodata (
Phk-> hmodcallermodule,
True,
Image_directory_entry_import,
& Size );
If (pimportdesc = NULL ){
Return false;
}
// Traverse DLL, the first loop
For (; pimportdesc-> name; pimportdesc ++ ){
Pstr pszdllname = (lpstr) (pbyte) phk-> hmodcallermodule + pimportdesc-> name );
If (lstrcmpa (pszdllname, phk-> pszcallermodulename) = 0) break; // found
}
If (pimportdesc-> name = 0 ){
Return false;
}
Printf ("************************************* * *********/N "); /////////////
Pthunk = (pimage_thunk_data) (pbyte) phk-> hmodcallermodule + pimportdesc-> firstthunk); // IAT
Pthunk1 = (pimage_thunk_data) (pbyte) phk-> hmodcallermodule + pimportdesc-> originalfirstthunk); // int
For (; pthunk1-> U1. function; pthunk1 ++ ){
Proc * ppfn1 = (Proc *) (DWORD) phk-> hmodcallermodule + (DWORD) pthunk1-> U1. Function + 2 );
Printf ("% s/n", ppfn1); // hint is a word so + 2
}
For (; pthunk-> U1. function; pthunk ++ ){
Proc LP;
Proc * PPFN = (Proc *) & pthunk-> U1. function;
Printf ("% x/N", pthunk-> U1. function );////////////
Printf ("% x/N", phk-> hmodcallermodule );
// Compare to see if it is the function to be searched. If yes, rewrite the address.
If (* PPFN = phk-> pfnoriginapiaddress ){
Writeprocessmemory (getcurrentprocess (),
PPFN,
& (Phk-> pfndummyfuncaddress ),
Sizeof (phk-> pfndummyfuncaddress ),
Null );
Lp = messageboxa;
Return true;
}
}
Printf ("/n ");/////////////
Return true;
}
//------------------------------------------------------------------------------
Bool setwindowsapihook (papihook32_entry phk)
{
Memory_basic_information minfo;
Hmodule hmodhookdll;
Handle hsnapshot;
Bool Bok;
Moduleentry32 me = {sizeof (moduleentry32 )};
If (phk-> pszapiname = NULL | phk-> pszcallermodulename = NULL
| Phk-> pfnoriginapiaddress = NULL ){
Return false;
}
_ Setapihookup (phk );
Return false;
}
//------------------------------------------------------------------------------
Bool unhookwindowsapihooks (papihook32_entry lphk)
{
Proc temp;
Temp = lphk-> pfnoriginapiaddress;
Lphk-> pfnoriginapiaddress = lphk-> pfndummyfuncaddress;
Lphk-> pfndummyfuncaddress = temp;
Return setwindowsapihook (lphk );
}
//------------------------------------------------------------------------------
// Save the original address
Proc lpadder;
// Proc lpadder1;
Int winapi mymessageboxa (hwnd, lpctstr lptext, lpctstr lpcaption, uint utype)
{
Return (pfnmsga) lpadder) (null, "new", "new", mb_ OK );
}
//------------------------------------------------------------------------------
Int main (void)
{
Apihook32_entry PE;
Lpadder = (Proc) messageboxa;
// Lpadder = getprocaddress (getmodulehandle ("user32.dll"), "messageboxa ");
// Printf ("% x/N", lpadder1, lpadder );
PE. pszapiname = "messageboxa ";
PE. pszcallermodulename = "user32.dll"; // case sensitive
PE. pfnoriginapiaddress = lpadder;
PE. pfndummyfuncaddress = (Proc) mymessageboxa;
PE. hmodcallermodule = getmodulehandle (null );
// Messageboxw (null, l "hi", l "hi", mb_ OK );
Setwindowsapihook (& PE );
Messageboxa (null, "old", "old", mb_ OK );
Unhookwindowsapihooks (& PE );
Messageboxa (null, "old", "old", mb_ OK );
}
This is a correct one. Hook yourself. The setwindowsapihook that makes fun of yourself is almost useless, and the content in it is useless to hook your own program.
# Include "stdio. H"
# Include "windows. H"
# Include "imagehlp. H"
# Include "tlhelp32.h"
# Pragma comment (Lib, "imagehlp. lib ")
# Pragma comment (Lib, "kernel32.lib ")
Proc lpadder;
Typedef struct _ apihook32_entry
{
Lpctstr pszapiname;
Lpctstr pszcallermodulename;
Proc pfnoriginapiaddress;
Proc pfndummyfuncaddress;
Hmodule hmodcallermodule;
} Apihook32_entry, * papihook32_entry;
Bool _ setapihookup (papihook32_entry phk)
{
Pimage_thunk_data pthunk, pthunk1;
Ulong size;
Pimage_import_descriptor pimportdesc = (pimage_import_descriptor) imagedirectoryentrytodata (
Phk-> hmodcallermodule,
True,
Image_directory_entry_import,
& Size );
If (pimportdesc = NULL ){
Return false;
}
// Traverse DLL, the first loop
For (; pimportdesc-> name; pimportdesc ++ ){
Pstr pszdllname = (lpstr) (pbyte) phk-> hmodcallermodule + pimportdesc-> name );
// If (lstrcmpa (pszdllname, phk-> pszcallermodulename) = 0) break; // found
//}
If (pimportdesc-> name = 0 ){
Return false;
}
Printf ("************************************* * *********/N "); /////////////
Pthunk = (pimage_thunk_data) (pbyte) phk-> hmodcallermodule + pimportdesc-> firstthunk); // IAT
Pthunk1 = (pimage_thunk_data) (pbyte) phk-> hmodcallermodule + pimportdesc-> originalfirstthunk); // int
// For (; pthunk1-> U1. function; pthunk1 ++ ){
// Proc * ppfn1 = (Proc *) (DWORD) phk-> hmodcallermodule + (DWORD) pthunk1-> U1. Function + 2 );
// If (strcmp (char *) ppfn1, "messageboxw") = 0 ){
// Printf ("% s/n", ppfn1 );
// Printf ("% s/n", pszdllname );
//}
//}
For (; pthunk-> U1. function; pthunk ++ ){
Proc * PPFN = (Proc *) & pthunk-> U1. function;
Proc * ppfn1 = (Proc *) (DWORD) phk-> hmodcallermodule + (DWORD) pthunk1-> U1. Function + 2 );
If (1) {// strcmp (char *) ppfn1, "messageboxw") = 0 ){
Printf ("% s/n", ppfn1 );
Printf ("% s/n", pszdllname );
Printf ("% x/N", phk-> hmodcallermodule );
}
Pthunk1 ++;
// Printf ("% x/N", pthunk-> U1. function );////////////
// Compare to see if it is the function to be searched. If yes, rewrite the address.
If (DWORD) pthunk-> U1. Function = (DWORD) lpadder ){
Proc LP;
Writeprocessmemory (getcurrentprocess (),
PPFN,
& (Phk-> pfndummyfuncaddress ),
Sizeof (phk-> pfndummyfuncaddress ),
Null );
Lp = messageboxw;
Return true;
}
}
Printf ("/n ");/////////////
}///////////////////
Return true;
}
//------------------------------------------------------------------------------
Bool setwindowsapihook (papihook32_entry phk)
{
Memory_basic_information minfo;
Hmodule hmodhookdll;
Handle hsnapshot;
Bool Bok;
Moduleentry32 me = {sizeof (moduleentry32 )};
If (phk-> pszapiname = NULL | phk-> pszcallermodulename = NULL
| Phk-> pfnoriginapiaddress = NULL ){
Return false;
}
If (phk-> hmodcallermodule = NULL ){
// Obtain the information of a page starting with the _ setapihookup address
Virtualquery (_ setapihookup, & minfo, sizeof (minfo ));
Hmodhookdll = (hmodule) minfo. allocationbase;
Hsnapshot = createconlhelp32snapshot (th32cs_snapmodule, 0 );
Bok = module32first (hsnapshot, & Me );
While (Bok ){
If (Me. hmodule! = Hmodhookdll ){
Phk-> hmodcallermodule = me. hmodule;
_ Setapihookup (phk );
}
Bok = module32next (hsnapshot, & Me );
}
Phk-> hmodcallermodule = NULL;
Return false;
} Else {
Return _ setapihookup (phk );
}
Return false;
}
//------------------------------------------------------------------------------
Bool unhookwindowsapihooks (papihook32_entry lphk)
{
// Proc temp;
// Temp = lphk-> pfnoriginapiaddress;
// Lphk-> pfnoriginapiaddress = lphk-> pfndummyfuncaddress;
// Lphk-> pfndummyfuncaddress = temp;
Return setwindowsapihook (lphk );
}
//------------------------------------------------------------------------------
// Save the original address
// Proc lpadder1;
Int winapi mymessageboxa (hwnd, lpctstr lptext, lpctstr lpcaption, uint utype)
{
Return lpadder (null, "new", "new", mb_ OK );
}
//------------------------------------------------------------------------------
Int main (void)
{
Apihook32_entry PE;
Lpadder = messageboxw;
// Lpadder = getprocaddress (getmodulehandle ("user32.dll"), "messageboxa ");
// Printf ("% x/N", lpadder1, lpadder );
PE. pszapiname = "messageboxw ";
PE. pszcallermodulename = "user32.dll"; // case sensitive
PE. pfnoriginapiaddress = lpadder;
PE. pfndummyfuncaddress = mymessageboxa;
PE. hmodcallermodule = getmodulehandle (null );
// Printf ("% x/N", PE. hmodcallermodule); // 400000
Setwindowsapihook (& PE );
Messageboxa (null, "old", "old", mb_ OK );
Unhookwindowsapihooks (& PE );
Messageboxa (null, "old", "old", mb_ OK );
}
//------------------------------------------------------------------------------
This is the original one. You can hook all the hooks with a slight change :)