使用者層下攔截系統api的原理與實現


//

附錄:一個攔截createfile函式的簡單實現

#include
// NOTE(review): the three #include lines lost their header names in
// extraction; the calls used below (VirtualAllocEx, EnumProcesses, printf)
// come from <windows.h>, <psapi.h> and <stdio.h> — confirm against the original.

#include

#include

#pragma comment(lib, "psapi.lib")    // EnumProcesses (used in main) is exported by psapi

#pragma comment(lib, "ws2_32.lib")   // no Winsock call appears anywhere on this page; presumably a leftover

// Parameter block handed to the injected hook. Its definition is not on this
// page; from the uses in main it carries at least dwcreatefile, dwmessagebox,
// dwgetcurrentprocess, dwwriteproces**emory, funaddr and a szoldcode[] byte array.
typedef struct _remoteparam remoteparam, * premoteparam;

// Function-pointer types for the Win32 entry points the hook calls through;
// only pfn_messagebox is used in the part of the hook visible on this page.
// NOTE(review): every Win32 type and API name in this listing is lowercased
// (handle/dword/lpctstr are HANDLE/DWORD/LPCTSTR in the SDK headers); the
// case was lost in extraction and the text as printed does not compile.
typedef handle (__stdcall * pfn_createfile)(lpctstr,dword,dword,lpsecurity_attributes,dword,dword,handle);

typedef int (__stdcall * pfn_messagebox)(hwnd, lpctstr, lpctstr, dword);

// `**` here (and in writeproces**emory / readproces**emory below) stands for
// characters dropped by the extraction, presumably "sm" (WriteProcessMemory).
// Note the last parameter is size_t*; main passes a dword* there.
typedef bool (__stdcall * pfn_writeproces**emory)(handle,lpvoid,lpcvoid,size_t,size_t*);

typedef handle (__stdcall * pfn_getcurrentprocess)(void);

// Upper bound on the PID array in main. EnumProcesses does not fail when the
// array is too small, it just returns as many PIDs as fit, so a system with
// more than 128 processes is silently truncated.
#define processnum 128

// The wide-character (W) entry points are hooked, which is consistent with
// the hook passing its lpfilename straight to MessageBoxW.
#define mymessagebox "messageboxw"

#define mycreatefile "createfilew"

// Replacement body for CreateFileW, copied byte-for-byte into the target
// process by main. It cannot rely on the injector's imports or static data,
// which is why everything it needs arrives through the remoteparam block.
// NOTE(review): the opening brace, the declaration of `prp` (presumably
// (premoteparam)lparam) and the `lpfilename` variable are not on this page.
void hookcreatefile(lpvoid lparam)

pfn_messagebox pfnmessagebox = (pfn_messagebox)prp->dwmessagebox;   // address resolved by the injector in its own process and assumed identical in the target

int allowflag = pfnmessagebox(null, lpfilename, null, mb_iconinformation | mb_yesno);   // modal yes/no prompt on every CreateFileW call; blocks that thread and hangs non-interactive targets

if(allowflag == idyes)
// … both branches of the check are missing from the page

// `__a**` is presumably `__asm`; the inline-assembly block that followed did
// not survive extraction.
__a**

} bool adjustprocessprivileges(lpcstr szprivilegesname)
// Enables one named privilege (an SE_*_NAME string) on the current process
// token; returns true on success.
// NOTE(review): the opening brace, the OpenProcessToken call that yields
// `htoken` and the declaration of `tkp` (a TOKEN_PRIVILEGES) are not on this
// page, and nothing visible in main calls this function.

if(!lookupprivilegevalue(null,szprivilegesname,

&tkp.privileges[0].luid))
// … failure branch missing; if it returns here, htoken is leaked unless the
// lost lines close it

tkp.privilegecount = 1;   // a single privilege, its LUID filled in above

tkp.privileges[0].attributes = se_privilege_enabled;

if(!adjusttokenprivileges(htoken,false,&tkp,sizeof(tkp),null,null))
// … failure branch missing. AdjustTokenPrivileges can return TRUE and still
// leave the privilege disabled (GetLastError() == ERROR_NOT_ALL_ASSIGNED),
// so a TRUE return alone does not prove success.

closehandle(htoken);

return true; }

// Body lost in extraction. Called once per PID from main's enumeration loop,
// so it presumably prints the PID together with the process (module) name;
// nothing more can be inferred from this page.
void printprocessnamebypid( dword processid )

// Entry point: lists running processes, asks for a target PID, then writes
// the hook (hookcreatefile), its parameter block and a 10-byte patch for
// CreateFileW into that process.
// NOTE(review): every `if(!...)` in this function has lost its failure branch
// (and `main` its opening brace) in extraction; read each check as
// "on failure: report and return". All "/n" inside the string literals are
// presumably "\n" with the backslash mangled; the literals are left as printed.
// Security note: VirtualAllocEx(PAGE_EXECUTE_READWRITE) followed by
// WriteProcessMemory into another process and a patch of a kernel32 export's
// first bytes is the classic inline-hook / code-injection footprint that EDR
// and AV products alert on. The program is 32-bit only: pointers are
// truncated to dword throughout and the patch is x86 push/call encoding.
int main(void)

dword pids[processnum];   // at most 128 PIDs, see processnum

dword dwprocessnum = 0;   // EnumProcesses reports *bytes* written, not a count

if(!enumprocesses(pids, sizeof(pids), &dwprocessnum))
// … failure branch missing

for( dword num = 0; num < (dwprocessnum / sizeof(dword)); num++)

printprocessnamebypid(pids[num]);

printf("/nall %d processes running. /n", dwprocessnum / sizeof(dword));   // %d with a size_t-typed quotient is a format mismatch (%zu, or %u after a cast)

dword dwpid = 0;

printf("/n請輸入要攔截的程序id:");   // "enter the PID to hook:"

scanf("%d", &dwpid);   // return value unchecked and %d writes a signed int into a dword; on bad input dwpid stays 0 and OpenProcess below fails

handle htargetprocess = openprocess(process_vm_operation|process_vm_write|process_vm_read, false, dwpid);   // no PROCESS_CREATE_THREAD: nothing starts the hook, it runs only when the target next calls CreateFileW

if(htargetprocess == null)
// … failure branch missing

dword dwfunaddr = (dword)virtualallocex(htargetprocess, null, 8192,   // 8 KiB RWX region in the target for the hook code; pointer truncated to 32 bits

mem_commit | mem_reserve, page_execute_readwrite);

if((lpvoid)dwfunaddr == null)
// … failure branch missing

dword dwpramaaddr = (dword)virtualallocex(htargetprocess, null, sizeof(remoteparam),   // second region for the parameter block

mem_commit | mem_reserve, page_execute_readwrite);

if((lpvoid)dwpramaaddr == null)
// … failure branch missing

// Orphaned tail of a printf() whose format string and opening were lost.
dwfunaddr, dwpramaaddr);

remoteparam rparam;

zeromemory(&rparam, sizeof(rparam));

hmodule hkernel32 = loadlibrary("kernel32.dll");   // narrow-string call, so the project builds without UNICODE; result unchecked

hmodule huser32 = loadlibrary("user32.dll");   // result unchecked and never released (only hkernel32 gets FreeLibrary at the end)

// Addresses are resolved in the injector and assumed to be identical in the
// target; that holds only if both processes map kernel32/user32 at the same
// base. None of the four results is checked for null before being written
// into the target.
rparam.dwcreatefile = (dword)getprocaddress(hkernel32, mycreatefile);

rparam.dwgetcurrentprocess = (dword)getprocaddress(hkernel32, "getcurrentprocess");

rparam.dwwriteproces**emory = (dword)getprocaddress(hkernel32, "writeproces**emory");

rparam.dwmessagebox = (dword)getprocaddress(huser32, mymessagebox);

unsigned char oldcode[10];   // first 10 bytes of CreateFileW, saved below; raw bytes, NOT a C string

unsigned char newcode[10];   // the patch: push imm32 (5 bytes) + call rel32 (5 bytes)

int praadd = (int)dwpramaaddr;

int threadadd = (int)dwfunaddr;

// Bytes 1..4: the parameter-block address, little-endian. The (x<<k)>>24
// trick on a signed int is undefined behaviour whenever the left shift
// overflows into the sign bit; (praadd >> (8*i)) & 0xff is the portable form.
newcode[4] = praadd>>24;

newcode[3] = (praadd<<8)>>24;

newcode[2] = (praadd<<16)>>24;

newcode[1] = (praadd<<24)>>24;

newcode[0] = 0x68;   // x86 PUSH imm32

// call rel32 is relative to the end of the 10-byte patch, hence the -10.
int offsetaddr = threadadd - (int)rparam.dwcreatefile - 10 ;

newcode[9] = offsetaddr>>24;

newcode[8] = (offsetaddr<<8)>>24;

newcode[7] = (offsetaddr<<16)>>24;

newcode[6] = (offsetaddr<<24)>>24;

newcode[5] = 0xe8;   // x86 CALL rel32

printf("newcode:");

for(int j = 0; j < 10; j++)

printf("0x%.2x ",newcode[j]);

printf("/n/n");

// Reads the original prologue from the injector's own kernel32, not from the
// target. `&dwpid` is (mis)used as the bytes-read output: the PID is clobbered
// (harmless only because it is never read again) and the parameter is a
// SIZE_T*, so passing a dword* only works because this is a 32-bit build.
if(!readproces**emory(getcurrentprocess(),

(lpcvoid)rparam.dwcreatefile,

oldcode,

10,&dwpid))
// … failure branch missing

// BUG: strcat() on raw machine code. It stops at the first 0x00 byte (which a
// prologue may well contain) and, if there is none within 10 bytes, reads
// past oldcode. The intent is a fixed-length copy:
// memcpy(rparam.szoldcode, oldcode, 10).
strcat((char*)rparam.szoldcode, (char*)oldcode);

rparam.funaddr = dwfunaddr;

// Diagnostic dump of the parameter block (all values are 32-bit addresses).
printf(

"rparam.dwcreatefile:%.8x/n"

"rparam.dwmessagebox:%.8x/n"

"rparam.dwgetcurrentprocess:%.8x/n"

"rparam.dwwriteproces**emory:%.8x/n"

"rparam.funaddr:%.8x/n",

rparam.dwcreatefile,

rparam.dwmessagebox,

rparam.dwgetcurrentprocess,

rparam.dwwriteproces**emory,

rparam.funaddr);

printf("rparam.szoldcode:");

for( int i = 0; i< 10; i++)

printf("0x%.2x ", rparam.szoldcode[i]);

printf("/n");

// Copies 8192 bytes starting at hookcreatefile regardless of the function's
// real size: it over-reads whatever follows it in the injector's image and
// can fault if the section ends first. Again &dwpid stands in for a SIZE_T*
// out-parameter.
if(!writeproces**emory(htargetprocess, (lpvoid)dwfunaddr, (lpvoid)&hookcreatefile, 8192, &dwpid))
// … failure branch missing

if(!writeproces**emory(htargetprocess, (lpvoid)dwpramaaddr, (lpvoid)&rparam, sizeof(remoteparam), &dwpid))
// … failure branch missing

// Overwrites the first 10 bytes of CreateFileW in the target with no thread
// suspension: a target thread executing those bytes at that moment crashes.
// This write into a kernel32 code page is what detection tooling keys on
// (it shows up as a private, modified page over a system DLL).
if(!writeproces**emory(htargetprocess, (lpvoid)rparam.dwcreatefile, (lpvoid)newcode, 10, &dwpid))
// … failure branch missing

printf("/nthat's all, good luck :)/n");

closehandle(htargetprocess);   // the two VirtualAllocEx regions are deliberately left mapped: the target now executes from them

freelibrary(hkernel32);   // huser32 is never released

return 0;

}  
