http://www.csdn 123.com/html/itweb/20130827/83559_83558_83544.htm
免费开源库EasyHook(inline hook),下面是下载地址
http://easyhook.codeplex.com/releases/view/24401 把头文件和 lib 文件全部拷贝到工程文件夹中,把 dll 拷贝到 %system32% 中(PS: 64 位系统应放在 C:\Windows\SysWOW64 文件夹中)
好的,现在切入正题。
假设我们的工程是要监控 Troj.exe 的行为。A.exe 为监控应用程序,A.exe 先遍历当前进程,若找到 Troj.exe,则通过远程线程将 B.dll 注入到 Troj.exe 进程中。
PS: XP 下使用 CreateRemoteThread,Win7 下使用 NT 系列函数,如下:
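/*
 * Private prototype for ntdll!NtCreateThreadEx (undocumented).  The parameter
 * list below is the one this sample relies on; it is not declared in the
 * public SDK headers, so the function is resolved at run time with
 * GetProcAddress.  NOTE(review): the native function returns an NTSTATUS; the
 * sample declares DWORD and only inspects the output handle.
 */
typedef DWORD (WINAPI *PFNTCREATETHREADEX)(
    OUT PHANDLE ThreadHandle,
    ACCESS_MASK DesiredAccess,
    LPVOID ObjectAttributes,
    HANDLE ProcessHandle,
    LPTHREAD_START_ROUTINE lpStartAddress,
    LPVOID lpParameter,
    BOOL CreateSuspended,
    DWORD dwStackSize,
    DWORD dw1,
    DWORD dw2,
    LPVOID Unknown
);

/*
 * Returns TRUE when the running OS reports major version 6 or higher
 * (Vista / Windows 7 / Server 2008), FALSE otherwise or when the version
 * query itself fails.
 *
 * NOTE(review): GetVersionEx is deprecated; on Windows 8.1 and later the
 * value it reports depends on the application manifest, so the check may
 * still say "6" on newer systems.  That still selects the NtCreateThreadEx
 * branch, which is the intended one for anything newer than XP.
 */
BOOL IsVistaOrLater(void)
{
    OSVERSIONINFO osvi;
    ZeroMemory(&osvi, sizeof(OSVERSIONINFO));
    osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    /* On failure osvi stays zeroed, so the comparison below would be FALSE
     * anyway; make the failure path explicit. */
    if (!GetVersionEx(&osvi)) {
        return FALSE;
    }
    return (osvi.dwMajorVersion >= 6) ? TRUE : FALSE;
}

/*
 * Creates a thread in hProcess that runs pThreadProc(pRemoteBuf) and waits
 * for it to finish.
 *
 * On Vista and later the thread is created through ntdll!NtCreateThreadEx,
 * on 2000/XP/Server 2003 through CreateRemoteThread.  Every failure is passed
 * to ErrorReport (defined elsewhere in the project).
 *
 * Returns TRUE when the thread was created and the wait completed, FALSE when
 * NtCreateThreadEx could not be resolved, the thread could not be created, or
 * the wait failed.  (The previous version returned TRUE unconditionally,
 * called through a NULL function pointer when GetProcAddress failed, waited on
 * a NULL handle when creation failed, and never closed the thread handle.)
 *
 * The caller keeps ownership of hProcess; the thread handle created here is
 * closed before returning.
 */
BOOL MyCreateRemoteThread(HANDLE hProcess, LPTHREAD_START_ROUTINE pThreadProc, LPVOID pRemoteBuf)
{
    HANDLE hThread = NULL;

    if (IsVistaOrLater()) { /* Vista, 7, Server2008 */
        FARPROC pFunc = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtCreateThreadEx");
        if (pFunc == NULL) {
            ErrorReport(GetLastError());
            return FALSE; /* never call through a NULL pointer */
        }
        /* 0x1FFFFF is THREAD_ALL_ACCESS as defined for Vista and later. */
        ((PFNTCREATETHREADEX)pFunc)(&hThread,
                                    0x1FFFFF,
                                    NULL,
                                    hProcess,
                                    pThreadProc,
                                    pRemoteBuf,
                                    FALSE,
                                    0,
                                    0,
                                    0,
                                    NULL);
        if (hThread == NULL) {
            /* NOTE(review): native calls report failure through their NTSTATUS
             * return value, not GetLastError(); the value reported here may
             * be stale. */
            ErrorReport(GetLastError());
            return FALSE;
        }
    } else { /* 2000, XP, Server2003 */
        hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, pRemoteBuf, 0, NULL);
        if (hThread == NULL) {
            ErrorReport(GetLastError());
            return FALSE;
        }
    }

    /* INFINITE: if the remote routine never returns, neither does this call;
     * the caller has no timeout to fall back on. */
    BOOL ok = TRUE;
    if (WaitForSingleObject(hThread, INFINITE) == WAIT_FAILED) {
        ErrorReport(GetLastError());
        ok = FALSE;
    }
    CloseHandle(hThread); /* previously leaked */
    return ok;
}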
注入成功后,DLL 和 A.exe 建立命名管道进行进程间通信。例如,当 Troj.exe 调用 CopyFileW 被 B.dll 拦截时,B.dll 将相关数据(简称为 M 结构体)发送到 A.exe,在文本控件上显示。
M结构体如下构造:
/*
 * Message layout (the "M struct") sent from the hooked process to the monitor
 * over the named pipe: a small header (time, return value, which hook fired)
 * followed by a union holding the captured arguments of the hooked call.
 */

/* Captured arguments of a WinExec call (WinExec is ANSI, hence CHAR). */
struct WinExec
{
    /* Fixed-size copy of lpCmdLine: the hook must bound its copy to 0x400
     * bytes including the terminator, otherwise a long command line overruns
     * this buffer (the hook body is not shown here — confirm). */
    _In_ CHAR lpCmdLine[0x400];
    _In_ UINT uCmdShow;
};

/* Captured arguments of a CopyFileW call. */
struct CopyFileW
{
    /* NOTE(review): CopyFileW takes wide strings; TCHAR is only WCHAR when the
     * project is built with UNICODE defined — confirm the build settings.
     * Paths can exceed 0x400 characters, so the hook must truncate rather
     * than copy blindly. */
    _In_ TCHAR lpExistingFileName[0x400];
    _In_ TCHAR lpNewFileName[0x400];
    _In_ BOOL bFailIfExists;
};

typedef struct _tag_info
{
    DWORD time;      /* presumably when the call happened; format set by the sender (not shown) */
    DWORD Return;    /* presumably the real function's return value; set by the sender */
    DWORD Info_Type; /* WINEXEC_INFO or COPYFILEW: selects which union member is valid */

    /* Anonymous union (C11 / MSVC extension): only the member named by
     * Info_Type is meaningful.  The monitor receives this struct from the
     * process it is observing, so it should check that Info_Type is one of
     * the known values before reading the union, and should not assume the
     * string buffers are NUL-terminated. */
    union{
        struct WinExec WinExec_;
        struct CopyFileW CopyFileW_;
    };

}taginfo, *ptaginfo;

/* Values for taginfo.Info_Type. */
#define WINEXEC_INFO 1
#define COPYFILEW 2
我的这个实例很基础,只拦截 WinExec 函数和 CopyFileW 函数。
请先允许我展示几个头文件
hook.h
/*
 * hook.h — declarations for the two detours installed by B.dll (WinExec and
 * CopyFileW) and for the pointers used to reach the original functions.
 */
#pragma once


/* Link the EasyHook import library that matches the target architecture. */
#ifndef _M_X64
#pragma comment(lib, "EasyHook32.lib")
#else
#pragma comment(lib, "EasyHook64.lib")
#endif

/* Detour for WinExec.  It is entered in place of the real function, so the
 * calling convention (WINAPI) and parameter list must match exactly. */
UINT WINAPI MyWinExec(
    _In_ LPCSTR lpCmdLine,
    _In_ UINT uCmdShow
);

/* Pointer type with WinExec's signature, used for realWinExec below. */
typedef UINT (WINAPI * ptrWinExec)(
    _In_ LPCSTR lpCmdLine,
    _In_ UINT uCmdShow
);

/* Reaches the original WinExec; defined elsewhere (presumably where the hook
 * is installed). */
extern ptrWinExec realWinExec;

/* Detour for CopyFileW.
 * NOTE(review): the real function takes LPCWSTR; LPCTSTR only matches when
 * the project is built with UNICODE defined — confirm the build settings. */
BOOL WINAPI MyCopyFileW(
    _In_ LPCTSTR lpExistingFileName,
    _In_ LPCTSTR lpNewFileName,
    _In_ BOOL bFailIfExists
);

/* Pointer type with CopyFileW's signature, used for realCopyFileW below. */
typedef BOOL (WINAPI *ptrCopyFileW)(
    _In_ LPCTSTR lpExistingFileName,
    _In_ LPCTSTR lpNewFileName,
    _In_ BOOL bFailIfExists
);

/* Reaches the original CopyFileW; defined elsewhere (presumably where the
 * hook is installed). */
extern ptrCopyFileW realCopyFileW;