一、HOOK DLL的編寫:
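// Inline (JMP-patch) hook on advapi32!RegCreateKeyExA, carried into every GUI
// process by a WH_SHELL hook.
//
// Scope and assumptions (all visible in the code below):
//   * 32-bit x86 only: the patch is a 5-byte "E9 rel32" near jump and the
//     displacement arithmetic truncates pointers to 32 bits.
//   * MBCS (non-UNICODE) build: every string is narrow and the hooked export is
//     the 'A' variant.  Callers of RegCreateKeyExW are NOT intercepted.
//   * The hook works by toggling the patch off, calling the real function and
//     toggling it back on.  That toggle is serialised with a process-wide
//     critical section, but while the patch is off, other threads' calls reach
//     the real RegCreateKeyExA unobserved.  Avoiding that window needs a real
//     trampoline (and therefore an instruction-length decoder), which this
//     sample does not attempt.
#include <windows.h>
#include <Tlhelp32.h>
#include <stdio.h>
#include <string.h>

//==========================================================================================
// Per-process state: every process that maps this DLL gets its own copy.
HINSTANCE glhInstance = NULL;            // this DLL's module handle, passed to SetWindowsHookEx
BYTE g_OldRegCreateKeyExCode[5] = {0};   // original first five bytes of RegCreateKeyExA
BYTE g_NewRegCreateKeyExCode[5] = {0};   // "jmp MyRegCreateKeyEx" (E9 + rel32)
FARPROC FuncAddr = NULL;                 // address of RegCreateKeyExA in this process
DWORD PID = 0;                           // this process's PID (shown in the message box)
LONG volatile count = 0;                 // number of hooked calls seen; only the first pops a box
bool g_bytesCaptured = false;            // Init() has resolved FuncAddr and filled both byte arrays
bool g_patched = false;                  // the JMP is currently written over RegCreateKeyExA
bool g_lockReady = false;                // g_patchLock has been initialised in DllMain
CRITICAL_SECTION g_patchLock;            // serialises patch/unpatch/call-through across threads
//==========================================================================================
#pragma data_seg("mydata")
HHOOK hook = NULL;                       // WH_SHELL hook handle, shared by all processes mapping this DLL
#pragma data_seg()
#pragma comment(linker, "/SECTION:mydata,RWS")
//==========================================================================================
__declspec(dllexport) bool Inject();
__declspec(dllexport) bool SetHook();
__declspec(dllexport) bool UnSetHook();
bool Init();
// WINAPI (__stdcall) is mandatory: execution arrives here via a JMP placed at
// the entry of RegCreateKeyExA, so this function must pop the nine arguments
// exactly as the stdcall original would.  The original sample declared it with
// the default __cdecl convention, which leaves 36 bytes on the caller's stack.
LONG WINAPI MyRegCreateKeyEx(HKEY hKey,                                 // handle to an open key
                             LPCSTR lpSubKey,                           // subkey name (caller controlled, unvalidated)
                             DWORD Reserved,                            // reserved
                             LPSTR lpClass,                             // class string
                             DWORD dwOptions,                           // special options flag
                             REGSAM samDesired,                         // desired security access
                             LPSECURITY_ATTRIBUTES lpSecurityAttributes,// key security structure
                             PHKEY phkResult,                           // receives the opened handle
                             LPDWORD lpdwDisposition);                  // receives the disposition value
LONG HookOff();
LRESULT CALLBACK ShellProc(int nCode, WPARAM wParam, LPARAM lParam);
static bool WritePatch(const BYTE *bytes);
//==========================================================================================
//==========================================================================================
// Records the module handle and sets up the patch lock.  On a normal unload
// (lpvReserved == NULL) the original bytes are put back first: the JMP must not
// outlive the code it points at, or the next RegCreateKeyExA call in the host
// jumps into unmapped memory.  A thread that is inside MyRegCreateKeyEx at that
// moment is still lost; this sample cannot prevent that.
BOOL WINAPI DllMain(HINSTANCE hinstDLL,   // handle to DLL module
                    DWORD fdwReason,      // reason for calling function
                    LPVOID lpvReserved)   // NULL on dynamic unload, non-NULL on process termination
{
    glhInstance = hinstDLL;
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        InitializeCriticalSection(&g_patchLock);
        g_lockReady = true;
        break;
    case DLL_PROCESS_DETACH:
        if (g_lockReady)
        {
            if (lpvReserved == NULL)
                HookOff();
            g_lockReady = false;
            DeleteCriticalSection(&g_patchLock);
        }
        break;
    default:
        break;
    }
    return TRUE;
}
//==========================================================================================
// Writes five bytes over the entry of RegCreateKeyExA in *this* process.
// The page is flipped to PAGE_EXECUTE_READWRITE -- not PAGE_READWRITE as in
// the original: another thread may be executing RegCreateKeyExA at that very
// moment, and dropping the execute bit under DEP would fault it -- and the
// previous protection is restored afterwards.  The five-byte store itself is
// not atomic; a thread fetching the entry mid-write would see a torn
// instruction, which is an inherent limitation of this technique.
// Caller must hold g_patchLock.
static bool WritePatch(const BYTE *bytes)
{
    DWORD oldProtect = 0;
    if (!VirtualProtect((LPVOID)FuncAddr, 5, PAGE_EXECUTE_READWRITE, &oldProtect))
        return false;
    memcpy((void *)FuncAddr, bytes, 5);
    FlushInstructionCache(GetCurrentProcess(), (LPCVOID)FuncAddr, 5);
    DWORD ignored = 0;
    VirtualProtect((LPVOID)FuncAddr, 5, oldProtect, &ignored);
    return true;
}
//==========================================================================================
// Installs the JMP patch in the calling process.  Exported for the monitor
// program; also called from ShellProc and after every pass-through call in
// MyRegCreateKeyEx.  Idempotent.  Returns false if the DLL is not attached,
// RegCreateKeyExA cannot be resolved, or the page cannot be made writable.
// NOTE: the original only worked after ShellProc had set a global process
// handle; this version always patches the current process.
__declspec(dllexport) bool Inject()
{
    if (!g_lockReady || !Init())
        return false;
    EnterCriticalSection(&g_patchLock);
    bool ok = g_patched || WritePatch(g_NewRegCreateKeyExCode);
    if (ok)
        g_patched = true;
    LeaveCriticalSection(&g_patchLock);
    return ok;
}
//==========================================================================================
// Installs the global WH_SHELL hook so this DLL is mapped into every process
// that creates a top-level window; the ShellProc callback then patches that
// process.  Returns false (after a message box) if SetWindowsHookEx fails.
__declspec(dllexport) bool SetHook()
{
    hook = SetWindowsHookEx(WH_SHELL, ShellProc, glhInstance, 0);
    if (NULL == hook)
    {
        ::MessageBox(NULL, "SetWindowsHookEx!", "Error!", MB_ICONERROR);
        return false;
    }
    return true;
}
//==========================================================================================
//==========================================================================================
// Removes the WH_SHELL hook.  Returns false when no hook is installed or
// UnhookWindowsHookEx fails.  The shared handle is cleared on success so a
// second call does not unhook a stale handle.
__declspec(dllexport) bool UnSetHook()
{
    if (!hook)
        return false;
    if (!UnhookWindowsHookEx(hook))
    {
        ::MessageBox(NULL, "UnhookWindowsHookEx!", "Error!", MB_ICONERROR);
        return false;
    }
    hook = NULL;
    return true;
}
// WH_SHELL callback.  Its only job is to get this DLL mapped into the host;
// once here, patch RegCreateKeyExA of the current process.  HSHELL_WINDOWCREATED
// fires for every top-level window the host creates, so this runs repeatedly --
// Init()/Inject() are idempotent to make that safe.
LRESULT CALLBACK ShellProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    if (nCode == HSHELL_WINDOWCREATED)
    {
        PID = GetCurrentProcessId();
        Inject();
    }
    return CallNextHookEx(hook, nCode, wParam, lParam);
}
//==================================================================================
//==================================================================================
// Replacement entry for RegCreateKeyExA.  Formats a description of the key
// being created (first call only pops a message box), then unpatches, calls
// the real function, repatches, and returns its result.
//
// lpSubKey comes straight from the hooked caller and has not yet been
// validated by the registry API, so it is formatted with a bounded
// _snprintf into the fixed buffer (the original used sprintf, an overflow).
LONG WINAPI MyRegCreateKeyEx(HKEY hKey, LPCSTR lpSubKey, DWORD Reserved, LPSTR lpClass,
                             DWORD dwOptions, REGSAM samDesired,
                             LPSECURITY_ATTRIBUTES lpSecurityAttributes,
                             PHKEY phkResult, LPDWORD lpdwDisposition)
{
    const char *subKey = (lpSubKey != NULL) ? lpSubKey : "(null)";
    char str[1000];
    if (HKEY_LOCAL_MACHINE == hKey)
        _snprintf(str, sizeof(str) - 1, "註冊表位置: HKEY_LOCAL_MACHINE\\%s \nRegedit is being Created !", subKey);
    else if (HKEY_USERS == hKey)
        _snprintf(str, sizeof(str) - 1, "註冊表位置: HKEY_USERS\\%s \nRegedit is being Created !", subKey);
    else if (HKEY_CLASSES_ROOT == hKey)
        _snprintf(str, sizeof(str) - 1, "註冊表位置: HKEY_CLASSES_ROOT\\%s \nRegedit is being Created !", subKey);
    else if (HKEY_CURRENT_CONFIG == hKey)
        _snprintf(str, sizeof(str) - 1, "註冊表位置: HKEY_CURRENT_CONFIG\\%s \nRegedit is being Created !", subKey);
    else // any other handle (HKEY_CURRENT_USER or an already-open key) is reported as HKCU, as in the original
        _snprintf(str, sizeof(str) - 1, "註冊表位置: HKEY_CURRENT_USER\\%s \nRegedit is being Created !\nPID: %ld", subKey, (long)PID);
    str[sizeof(str) - 1] = '\0';   // _snprintf does not terminate on truncation

    // Only the first interception shows a box; it is shown before the lock is
    // taken because MessageBox creates windows (-> ShellProc -> Inject).
    if (InterlockedIncrement(&count) == 1)
        ::MessageBox(NULL, str, "warning", MB_ICONWARNING);

    // Critical sections are re-entrant, so HookOff()/Inject() may take the same
    // lock again on this thread.  No Sleep(): the original's two one-second
    // sleeps added two seconds to every registry call and did not close the race.
    EnterCriticalSection(&g_patchLock);
    HookOff();
    LONG ret = RegCreateKeyExA(hKey, lpSubKey, Reserved, lpClass, dwOptions, samDesired,
                               lpSecurityAttributes, phkResult, lpdwDisposition);
    DWORD savedErr = GetLastError();   // keep whatever the real call left, not our VirtualProtect's
    Inject();
    SetLastError(savedErr);
    LeaveCriticalSection(&g_patchLock);
    return ret;
}
//==================================================================================
// Restores the original five bytes of RegCreateKeyExA.  Always returns 1, as
// the original did; the value is unused.  Safe to call when nothing is patched.
LONG HookOff()
{
    if (!g_lockReady || !g_bytesCaptured)
        return (LONG)1;
    EnterCriticalSection(&g_patchLock);
    if (g_patched && WritePatch(g_OldRegCreateKeyExCode))
        g_patched = false;
    LeaveCriticalSection(&g_patchLock);
    return (LONG)1;
}
// Resolves RegCreateKeyExA and builds both five-byte images.  Runs once:
// the original re-read the first five bytes on every call, so a second
// HSHELL_WINDOWCREATED in an already-patched process overwrote the saved
// original bytes with our own JMP, after which HookOff() could no longer
// unpatch and the pass-through call recursed into MyRegCreateKeyEx forever.
// Returns false if advapi32 or the export cannot be found.
bool Init()
{
    if (g_bytesCaptured)
        return true;
    HMODULE advapi = GetModuleHandleA("Advapi32.dll");
    if (advapi == NULL)
        advapi = LoadLibraryA("Advapi32.dll");
    if (advapi == NULL)
        return false;
    // FuncAddr = GetProcAddress(advapi, "RegCreateKeyExW");   // W variant intentionally not hooked
    FuncAddr = GetProcAddress(advapi, "RegCreateKeyExA");
    if (NULL == FuncAddr)
        return false;
    memcpy(g_OldRegCreateKeyExCode, (const void *)FuncAddr, 5);
    // jmp rel32 is "E9 xx xx xx xx"; displacement = target - (patch address + 5).
    // 32-bit x86 only: pointers are truncated to DWORD here.
    DWORD rel = (DWORD)(ULONG_PTR)MyRegCreateKeyEx - (DWORD)(ULONG_PTR)FuncAddr - 5;
    g_NewRegCreateKeyExCode[0] = 0xE9;
    memcpy(&g_NewRegCreateKeyExCode[1], &rel, sizeof(rel));
    g_bytesCaptured = true;
    return true;
}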
二、監控程式(略)
調用 DLL 導出的 SetHook()/UnSetHook() 即可,可以自行擴充要 hook 的函數;這裡只 hook 了 Advapi32 的 RegCreateKeyExA(ANSI 版本),Unicode 程式呼叫的 RegCreateKeyExW 不會被攔截,而且 5 位元組 JMP 補丁與位移計算只適用於 32 位元 x86 進程。
(菜鳥所作,如有錯誤,懇請指出。謝謝)