Сообщение Re[2]: Добавление ДЛЛ и перехват API функций от 05.02.2015 17:53
Изменено 06.02.2015 5:31 urban1981
Счастливая библиотека для тех, кому интересно; пока только компилирую, не запускаю:
// Dll777.cpp: определяет точку входа для приложения DLL.
//
#undef UNICODE
#include "stdafx.h"
#include <windows.h>
#include <map>
#include <atlbase.h>
#include <atlstr.h>
#include "Logger.h"
#include <Tlhelp32.h>
#include <cstdio>
#pragma comment ( lib , "toolhelp.lib" )
#ifdef UNDER_NT
# include <tchar.h>
#endif
// Argument block for PerformCallBack4 (Windows CE). Only referenced from the
// commented-out code in BeginRedirect; the active hook path does not use it.
typedef struct _CALLBACKINFO
{
HANDLE hProc; // target process (the process the callback is executed in)
FARPROC pfn; // function that is invoked inside the target process
PVOID pvArg0; // first argument handed to pfn
}
CALLBACKINFO;
typedef CALLBACKINFO *PCALLBACKINFO;
// Hand-written prototypes for Windows CE kernel/coredll entry points (HPROCESS is
// a CE type). MapPtrToProcess and PerformCallBack4 appear only in commented-out
// code below; the remaining four are not used anywhere in this file.
// NOTE(review): no import library is named for these — confirm they resolve at link time.
extern "C"
{
BOOL SetKMode ( BOOL fMode );
DWORD SetProcPermissions ( DWORD );
LPVOID MapPtrToProcess ( LPVOID lpv, HANDLE hProc );
DWORD PerformCallBack4 ( PCALLBACKINFO pcbi, ... );// run a function inside the target process
HLOCAL LocalAllocInProcess ( DWORD, DWORD, HPROCESS );
VOID LocalFreeInProcess ( HLOCAL, HPROCESS );
}
// Number of bytes overwritten at the hook site: a 5-byte `E9 rel32` jump plus
// one trailing byte (see BeginRedirect, where the patch is built).
#define SIZE 6 //Number of bytes needed to redirect
// Function-pointer types for the coredll.dll exports this DLL intercepts.
// NOTE(review): hFile/hTemplateFile are declared LPVOID rather than HANDLE and the
// DWORD parameters as `unsigned long int` (the same type on Win32); keeping the
// signatures identical to the real prototypes avoids calling-convention surprises.
typedef HANDLE ( WINAPI *pCreateFileW )( LPWSTR lpFileName, unsigned long int dwDesiredAccess, unsigned long int dwShareMode, LPSECURITY_ATTRIBUTES lpsa, unsigned long int dwCreationDisposition, unsigned long int dwFlagsAndAttributes, LPVOID hTemplateFile );
typedef BOOL ( WINAPI *pReadFile ) ( LPVOID hFile, LPVOID lpBuffer, unsigned long int nNumberOfBytesToRead, unsigned long int * lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped );
typedef BOOL ( WINAPI *pWriteFile ) ( LPVOID hFile, LPVOID lpBuffer, unsigned long int nNumberOfBytesToWrite, unsigned long int * lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped );
// Replacement functions that the patched entries jump to. Only APIHook_ReadFile is
// installed by DllMain; the CreateFileW and WriteFile variants are defined but never
// redirected to (pOrigCFWAddress / pOrigWFAddress are never assigned).
HANDLE __stdcall APIHook_CreateFileW(
LPWSTR lpFileName,
unsigned long int dwDesiredAccess,
unsigned long int dwShareMode,
LPSECURITY_ATTRIBUTES lpsa,
unsigned long int dwCreationDisposition,
unsigned long int dwFlagsAndAttributes,
LPVOID hTemplateFile
);
BOOL __stdcall APIHook_ReadFile (
LPVOID hFile,
LPVOID lpBuffer,
unsigned long int nNumberOfBytesToRead,
unsigned long int * lpNumberOfBytesRead,
LPOVERLAPPED lpOverlapped
);
BOOL __stdcall APIHook_WriteFile (
LPVOID hFile,
LPVOID lpBuffer,
unsigned long int nNumberOfBytesToWrite,
unsigned long int * lpNumberOfBytesWritten,
LPOVERLAPPED lpOverlapped
);
// Overwrites the first SIZE bytes of pOrigRFAddress (must already be resolved)
// with a jump to the given function; the original bytes are saved in oldBytes.
void BeginRedirect ( LPVOID );
// Resolved addresses of the original coredll.dll exports. Only pOrigRFAddress is
// ever assigned (in DllMain); the other two remain NULL.
pCreateFileW pOrigCFWAddress = NULL;
pReadFile pOrigRFAddress = NULL;
pWriteFile pOrigWFAddress = NULL;
// Bytes found at the hook site before patching (needed to undo the hook) and the
// patch that replaces them; both are filled in by BeginRedirect.
BYTE oldBytes[SIZE] = { 0 };
BYTE JMP[SIZE] = { 0 };
// Page protection that was in effect before the hook site was made writable.
DWORD oldProtect;
// Protection requested for the hook site (currently unused; BeginRedirect passes the constant directly).
DWORD myProtect = PAGE_EXECUTE_READWRITE;
// Scratch buffer for the commented-out debug output.
char debugBuffer[128];
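/// DLL entry point. On process attach, resolves coredll!ReadFile and redirects it
/// to APIHook_ReadFile; on process detach, writes the saved original bytes back so
/// that no jump into an unloaded module is left behind (the original left the
/// patch in place, which would fault on the next ReadFile after unload).
/// @param hModule            handle of this DLL (unused)
/// @param ul_reason_for_call DLL_PROCESS_ATTACH / DLL_PROCESS_DETACH / thread notifications
/// @param lpReserved         unused
/// @return TRUE on success; FALSE for an unknown reason code (the loader then fails the load)
/// NOTE(review): GetModuleHandle/GetProcAddress are called with wide literals even
/// though UNICODE is #undef'd at the top of the file — fine on Windows CE, where
/// these APIs are wide-only, but desktop Win32 GetProcAddress takes an ANSI name.
BOOL APIENTRY DllMain ( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
{
    switch ( ul_reason_for_call )
    {
    case DLL_PROCESS_ATTACH:
    {
        // Runs under the loader lock: resolve and patch, nothing else.
        HMODULE hCore = GetModuleHandle ( L"coredll.dll" );
        if ( hCore != NULL )
            pOrigRFAddress = ( pReadFile ) GetProcAddress ( hCore, L"ReadFile" );
        if ( pOrigRFAddress != NULL )
            BeginRedirect ( APIHook_ReadFile );
        break;
    }
    case DLL_PROCESS_DETACH:
        // Undo the patch. JMP[0] is non-zero only after BeginRedirect built the patch,
        // and oldBytes holds what was at the hook site before it was written.
        if ( pOrigRFAddress != NULL && JMP[0] != 0 )
        {
            DWORD previousProtect = 0;
            if ( VirtualProtect ( ( LPVOID ) pOrigRFAddress, SIZE, PAGE_EXECUTE_READWRITE, &previousProtect ) )
            {
                memcpy ( ( LPVOID ) pOrigRFAddress, oldBytes, SIZE );
                // lpflOldProtect must be non-NULL, so reuse the local.
                VirtualProtect ( ( LPVOID ) pOrigRFAddress, SIZE, previousProtect, &previousProtect );
            }
        }
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    default:
        return FALSE;
    }
    return TRUE;
}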
/// Replacement for CreateFileW: opens the file through the real API and, when the
/// open succeeded and the name begins with "COM" (a serial port), records the name
/// with the logger. The handle is returned unchanged.
/// NOTE(review): DllMain never installs this replacement (only ReadFile is
/// redirected). If it were installed the same way, the plain CreateFileW call
/// below would presumably land on the patched entry again — the original must be
/// reached through the saved bytes instead.
HANDLE __stdcall APIHook_CreateFileW( LPWSTR lpFileName, unsigned long int dwDesiredAccess, unsigned long int dwShareMode, LPSECURITY_ATTRIBUTES lpsa, unsigned long int dwCreationDisposition, unsigned long int dwFlagsAndAttributes, LPVOID hTemplateFile )
{
    const HANDLE opened = CreateFileW ( lpFileName, dwDesiredAccess, dwShareMode, lpsa, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile );
    if ( opened == INVALID_HANDLE_VALUE )
        return opened;
    // Prefix test: the name has to start with "COM" (same test as wcsstr(...) == lpFileName).
    const bool isComPort = ( wcsncmp ( lpFileName, L"COM", 3 ) == 0 );
    if ( isComPort )
        logger.write ( lpFileName , "CreateFileW" );
    return opened;
}
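/// Replacement for ReadFile installed by BeginRedirect. Performs the read and logs
/// the bytes that arrived.
/// @param lpNumberOfBytesRead per the Win32 ReadFile contract this may be NULL
///        when lpOverlapped is supplied; the original dereferenced it
///        unconditionally, so a NULL here is now logged as 0 bytes.
/// @return the result of the underlying ReadFile, unchanged.
/// NOTE(review): BeginRedirect overwrites the entry of coredll!ReadFile with a
/// jump to this function, so the plain `ReadFile(...)` call below lands on the
/// patched entry again and recurses until the stack is exhausted. The original
/// code must be reached via the bytes saved in oldBytes (or a trampoline) before
/// this hook is exercised; the correct form depends on the target CPU.
/// NOTE(review): `( LPWSTR ) hFile` hands the handle value to logger.write as if
/// it were a string pointer, so the logger will read from an invalid address. The
/// commented-out `files` map shows the intended handle-to-name lookup; left as-is
/// because logger.write's signature is not visible in this file.
BOOL __stdcall APIHook_ReadFile ( LPVOID hFile, LPVOID lpBuffer, unsigned long int nNumberOfBytesToRead, unsigned long int * lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped )
{
    BOOL result = ReadFile ( hFile, lpBuffer, nNumberOfBytesToRead, lpNumberOfBytesRead, lpOverlapped );
    if ( result == TRUE )
    {
        // Optional out-parameter: do not dereference a NULL pointer just to log.
        const unsigned long int bytesRead = ( lpNumberOfBytesRead != NULL ) ? *lpNumberOfBytesRead : 0;
        logger.write ( ( LPWSTR ) hFile , "ReadFile", lpBuffer, bytesRead );
    }
    return result;
}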
/// Replacement for WriteFile: forwards to the real API and logs the outgoing buffer.
/// Logging happens regardless of the result (only the tag differs), and the length
/// logged is the requested nNumberOfBytesToWrite, not the number actually written.
/// NOTE(review): this replacement is never installed by DllMain. As with the
/// ReadFile hook, `( LPWSTR ) hFile` passes a handle value where the logger
/// expects a string pointer.
BOOL __stdcall APIHook_WriteFile ( LPVOID hFile, LPVOID lpBuffer, unsigned long int nNumberOfBytesToWrite, unsigned long int * lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped )
{
    const BOOL ok = WriteFile ( hFile, lpBuffer, nNumberOfBytesToWrite, lpNumberOfBytesWritten, lpOverlapped );
    const char * tag = "WriteFile ERROR";
    if ( ok == TRUE )
        tag = "WriteFile OK";
    logger.write( ( LPWSTR ) hFile , tag, lpBuffer, nNumberOfBytesToWrite);
    return ok;
}
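/// Redirects coredll!ReadFile (pOrigRFAddress) to newFunction by overwriting its
/// first SIZE bytes with a relative jump. The overwritten bytes are kept in
/// oldBytes so the patch can be undone. Fixes over the original: a NULL target or
/// a failed VirtualProtect no longer leads to a write fault, and the restoring
/// VirtualProtect receives a real out-parameter (lpflOldProtect must not be NULL).
/// @param newFunction address the patched entry jumps to (APIHook_ReadFile)
/// Caveats visible in the code itself:
///  - The patch is `E9 rel32` followed by `C3`, i.e. x86 machine code, and rel32 is
///    computed with 32-bit DWORD arithmetic, so this is only meaningful on a
///    32-bit x86 target. NOTE(review): coredll.dll is a Windows CE module —
///    confirm the device CPU is x86 before running this.
///  - The write is not atomic: another thread entering ReadFile while the bytes are
///    being replaced executes a half-written instruction.
///  - Earlier PerformCallBack4/MapPtrToProcess experiment (commented out in the
///    original) has been removed; see the post history if it is needed.
void BeginRedirect ( LPVOID newFunction )
{
    if ( newFunction == NULL || pOrigRFAddress == NULL )
        return; // nothing to patch
    // Make the hook site writable; abort if that fails instead of faulting on memcpy.
    DWORD previousProtect = 0;
    if ( !VirtualProtect ( ( LPVOID ) pOrigRFAddress, SIZE, PAGE_EXECUTE_READWRITE, &previousProtect ) )
        return;
    oldProtect = previousProtect;
    // JMP rel32 (placeholder 0x90 bytes are overwritten below) followed by RET.
    const BYTE tempJMP[SIZE] = { 0xE9, 0x90, 0x90, 0x90, 0x90, 0xC3 };
    memcpy ( JMP, tempJMP, SIZE ); // keep a copy in the global for later inspection
    // rel32 is relative to the end of the 5-byte JMP instruction, hence "- 5".
    const DWORD JMPSize = ( ( DWORD ) newFunction - ( DWORD ) pOrigRFAddress - 5 );
    memcpy ( &JMP [ 1 ], &JMPSize, 4 );
    memcpy ( oldBytes, ( LPVOID ) pOrigRFAddress, SIZE ); // save original bytes before writing
    memcpy ( ( LPVOID ) pOrigRFAddress, JMP, SIZE );
    // Put the previous protection back; the out-parameter is required.
    DWORD ignored = 0;
    VirtualProtect ( ( LPVOID ) pOrigRFAddress, SIZE, oldProtect, &ignored );
}
Счастливая библиотека для тех, кому интересно; пока только компилирую, не запускаю: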
// Dll777.cpp: определяет точку входа для приложения DLL.
//
#undef UNICODE
#include "stdafx.h"
#include <windows.h>
#include <map>
#include <atlbase.h>
#include <atlstr.h>
#include "Logger.h"
#include <Tlhelp32.h>
#include <cstdio>
#pragma comment ( lib , "toolhelp.lib" )
#ifdef UNDER_NT
# include <tchar.h>
#endif
// Argument block for PerformCallBack4 (Windows CE). Only referenced from the
// commented-out code in BeginRedirect; the active hook path does not use it.
typedef struct _CALLBACKINFO
{
HANDLE hProc; // target process (the process the callback is executed in)
FARPROC pfn; // function that is invoked inside the target process
PVOID pvArg0; // first argument handed to pfn
}
CALLBACKINFO;
typedef CALLBACKINFO *PCALLBACKINFO;
// Hand-written prototypes for Windows CE kernel/coredll entry points (HPROCESS is
// a CE type). MapPtrToProcess and PerformCallBack4 appear only in commented-out
// code below; the remaining four are not used anywhere in this file.
// NOTE(review): no import library is named for these — confirm they resolve at link time.
extern "C"
{
BOOL SetKMode ( BOOL fMode );
DWORD SetProcPermissions ( DWORD );
LPVOID MapPtrToProcess ( LPVOID lpv, HANDLE hProc );
DWORD PerformCallBack4 ( PCALLBACKINFO pcbi, ... );// run a function inside the target process
HLOCAL LocalAllocInProcess ( DWORD, DWORD, HPROCESS );
VOID LocalFreeInProcess ( HLOCAL, HPROCESS );
}
// Number of bytes overwritten at the hook site: a 5-byte `E9 rel32` jump plus
// one trailing byte (see BeginRedirect, where the patch is built).
#define SIZE 6 //Number of bytes needed to redirect
// Function-pointer types for the coredll.dll exports this DLL intercepts.
// NOTE(review): hFile/hTemplateFile are declared LPVOID rather than HANDLE and the
// DWORD parameters as `unsigned long int` (the same type on Win32); keeping the
// signatures identical to the real prototypes avoids calling-convention surprises.
typedef HANDLE ( WINAPI *pCreateFileW )( LPWSTR lpFileName, unsigned long int dwDesiredAccess, unsigned long int dwShareMode, LPSECURITY_ATTRIBUTES lpsa, unsigned long int dwCreationDisposition, unsigned long int dwFlagsAndAttributes, LPVOID hTemplateFile );
typedef BOOL ( WINAPI *pReadFile ) ( LPVOID hFile, LPVOID lpBuffer, unsigned long int nNumberOfBytesToRead, unsigned long int * lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped );
typedef BOOL ( WINAPI *pWriteFile ) ( LPVOID hFile, LPVOID lpBuffer, unsigned long int nNumberOfBytesToWrite, unsigned long int * lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped );
// Replacement functions that the patched entries jump to. Only APIHook_ReadFile is
// installed by DllMain; the CreateFileW and WriteFile variants are defined but never
// redirected to (pOrigCFWAddress / pOrigWFAddress are never assigned).
HANDLE __stdcall APIHook_CreateFileW(
LPWSTR lpFileName,
unsigned long int dwDesiredAccess,
unsigned long int dwShareMode,
LPSECURITY_ATTRIBUTES lpsa,
unsigned long int dwCreationDisposition,
unsigned long int dwFlagsAndAttributes,
LPVOID hTemplateFile
);
BOOL __stdcall APIHook_ReadFile (
LPVOID hFile,
LPVOID lpBuffer,
unsigned long int nNumberOfBytesToRead,
unsigned long int * lpNumberOfBytesRead,
LPOVERLAPPED lpOverlapped
);
BOOL __stdcall APIHook_WriteFile (
LPVOID hFile,
LPVOID lpBuffer,
unsigned long int nNumberOfBytesToWrite,
unsigned long int * lpNumberOfBytesWritten,
LPOVERLAPPED lpOverlapped
);
// Overwrites the first SIZE bytes of pOrigRFAddress (must already be resolved)
// with a jump to the given function; the original bytes are saved in oldBytes.
void BeginRedirect ( LPVOID );
// Resolved addresses of the original coredll.dll exports. Only pOrigRFAddress is
// ever assigned (in DllMain); the other two remain NULL.
pCreateFileW pOrigCFWAddress = NULL;
pReadFile pOrigRFAddress = NULL;
pWriteFile pOrigWFAddress = NULL;
// Bytes found at the hook site before patching (needed to undo the hook) and the
// patch that replaces them; both are filled in by BeginRedirect.
BYTE oldBytes[SIZE] = { 0 };
BYTE JMP[SIZE] = { 0 };
// Page protection that was in effect before the hook site was made writable.
DWORD oldProtect;
// Protection requested for the hook site (currently unused; BeginRedirect passes the constant directly).
DWORD myProtect = PAGE_EXECUTE_READWRITE;
// Scratch buffer for the commented-out debug output.
char debugBuffer[128];
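/// DLL entry point. On process attach, resolves coredll!ReadFile and redirects it
/// to APIHook_ReadFile; on process detach, writes the saved original bytes back so
/// that no jump into an unloaded module is left behind (the original left the
/// patch in place, which would fault on the next ReadFile after unload).
/// @param hModule            handle of this DLL (unused)
/// @param ul_reason_for_call DLL_PROCESS_ATTACH / DLL_PROCESS_DETACH / thread notifications
/// @param lpReserved         unused
/// @return TRUE on success; FALSE for an unknown reason code (the loader then fails the load)
/// NOTE(review): GetModuleHandle/GetProcAddress are called with wide literals even
/// though UNICODE is #undef'd at the top of the file — fine on Windows CE, where
/// these APIs are wide-only, but desktop Win32 GetProcAddress takes an ANSI name.
BOOL APIENTRY DllMain ( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
{
    switch ( ul_reason_for_call )
    {
    case DLL_PROCESS_ATTACH:
    {
        // Runs under the loader lock: resolve and patch, nothing else.
        HMODULE hCore = GetModuleHandle ( L"coredll.dll" );
        if ( hCore != NULL )
            pOrigRFAddress = ( pReadFile ) GetProcAddress ( hCore, L"ReadFile" );
        if ( pOrigRFAddress != NULL )
            BeginRedirect ( APIHook_ReadFile );
        break;
    }
    case DLL_PROCESS_DETACH:
        // Undo the patch. JMP[0] is non-zero only after BeginRedirect built the patch,
        // and oldBytes holds what was at the hook site before it was written.
        if ( pOrigRFAddress != NULL && JMP[0] != 0 )
        {
            DWORD previousProtect = 0;
            if ( VirtualProtect ( ( LPVOID ) pOrigRFAddress, SIZE, PAGE_EXECUTE_READWRITE, &previousProtect ) )
            {
                memcpy ( ( LPVOID ) pOrigRFAddress, oldBytes, SIZE );
                // lpflOldProtect must be non-NULL, so reuse the local.
                VirtualProtect ( ( LPVOID ) pOrigRFAddress, SIZE, previousProtect, &previousProtect );
            }
        }
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    default:
        return FALSE;
    }
    return TRUE;
}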
/// Replacement for CreateFileW: opens the file through the real API and, when the
/// open succeeded and the name begins with "COM" (a serial port), records the name
/// with the logger. The handle is returned unchanged.
/// NOTE(review): DllMain never installs this replacement (only ReadFile is
/// redirected). If it were installed the same way, the plain CreateFileW call
/// below would presumably land on the patched entry again — the original must be
/// reached through the saved bytes instead.
HANDLE __stdcall APIHook_CreateFileW( LPWSTR lpFileName, unsigned long int dwDesiredAccess, unsigned long int dwShareMode, LPSECURITY_ATTRIBUTES lpsa, unsigned long int dwCreationDisposition, unsigned long int dwFlagsAndAttributes, LPVOID hTemplateFile )
{
    const HANDLE opened = CreateFileW ( lpFileName, dwDesiredAccess, dwShareMode, lpsa, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile );
    if ( opened == INVALID_HANDLE_VALUE )
        return opened;
    // Prefix test: the name has to start with "COM" (same test as wcsstr(...) == lpFileName).
    const bool isComPort = ( wcsncmp ( lpFileName, L"COM", 3 ) == 0 );
    if ( isComPort )
        logger.write ( lpFileName , "CreateFileW" );
    return opened;
}
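/// Replacement for ReadFile installed by BeginRedirect. Performs the read and logs
/// the bytes that arrived.
/// @param lpNumberOfBytesRead per the Win32 ReadFile contract this may be NULL
///        when lpOverlapped is supplied; the original dereferenced it
///        unconditionally, so a NULL here is now logged as 0 bytes.
/// @return the result of the underlying ReadFile, unchanged.
/// NOTE(review): BeginRedirect overwrites the entry of coredll!ReadFile with a
/// jump to this function, so the plain `ReadFile(...)` call below lands on the
/// patched entry again and recurses until the stack is exhausted. The original
/// code must be reached via the bytes saved in oldBytes (or a trampoline) before
/// this hook is exercised; the correct form depends on the target CPU.
/// NOTE(review): `( LPWSTR ) hFile` hands the handle value to logger.write as if
/// it were a string pointer, so the logger will read from an invalid address. The
/// commented-out `files` map shows the intended handle-to-name lookup; left as-is
/// because logger.write's signature is not visible in this file.
BOOL __stdcall APIHook_ReadFile ( LPVOID hFile, LPVOID lpBuffer, unsigned long int nNumberOfBytesToRead, unsigned long int * lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped )
{
    BOOL result = ReadFile ( hFile, lpBuffer, nNumberOfBytesToRead, lpNumberOfBytesRead, lpOverlapped );
    if ( result == TRUE )
    {
        // Optional out-parameter: do not dereference a NULL pointer just to log.
        const unsigned long int bytesRead = ( lpNumberOfBytesRead != NULL ) ? *lpNumberOfBytesRead : 0;
        logger.write ( ( LPWSTR ) hFile , "ReadFile", lpBuffer, bytesRead );
    }
    return result;
}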
/// Replacement for WriteFile: forwards to the real API and logs the outgoing buffer.
/// Logging happens regardless of the result (only the tag differs), and the length
/// logged is the requested nNumberOfBytesToWrite, not the number actually written.
/// NOTE(review): this replacement is never installed by DllMain. As with the
/// ReadFile hook, `( LPWSTR ) hFile` passes a handle value where the logger
/// expects a string pointer.
BOOL __stdcall APIHook_WriteFile ( LPVOID hFile, LPVOID lpBuffer, unsigned long int nNumberOfBytesToWrite, unsigned long int * lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped )
{
    const BOOL ok = WriteFile ( hFile, lpBuffer, nNumberOfBytesToWrite, lpNumberOfBytesWritten, lpOverlapped );
    const char * tag = "WriteFile ERROR";
    if ( ok == TRUE )
        tag = "WriteFile OK";
    logger.write( ( LPWSTR ) hFile , tag, lpBuffer, nNumberOfBytesToWrite);
    return ok;
}
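/// Redirects coredll!ReadFile (pOrigRFAddress) to newFunction by overwriting its
/// first SIZE bytes with a relative jump. The overwritten bytes are kept in
/// oldBytes so the patch can be undone. Fixes over the original: a NULL target or
/// a failed VirtualProtect no longer leads to a write fault, and the restoring
/// VirtualProtect receives a real out-parameter (lpflOldProtect must not be NULL).
/// @param newFunction address the patched entry jumps to (APIHook_ReadFile)
/// Caveats visible in the code itself:
///  - The patch is `E9 rel32` followed by `C3`, i.e. x86 machine code, and rel32 is
///    computed with 32-bit DWORD arithmetic, so this is only meaningful on a
///    32-bit x86 target. NOTE(review): coredll.dll is a Windows CE module —
///    confirm the device CPU is x86 before running this.
///  - The write is not atomic: another thread entering ReadFile while the bytes are
///    being replaced executes a half-written instruction.
///  - Earlier PerformCallBack4/MapPtrToProcess experiment (commented out in the
///    original) has been removed; see the post history if it is needed.
void BeginRedirect ( LPVOID newFunction )
{
    if ( newFunction == NULL || pOrigRFAddress == NULL )
        return; // nothing to patch
    // Make the hook site writable; abort if that fails instead of faulting on memcpy.
    DWORD previousProtect = 0;
    if ( !VirtualProtect ( ( LPVOID ) pOrigRFAddress, SIZE, PAGE_EXECUTE_READWRITE, &previousProtect ) )
        return;
    oldProtect = previousProtect;
    // JMP rel32 (placeholder 0x90 bytes are overwritten below) followed by RET.
    const BYTE tempJMP[SIZE] = { 0xE9, 0x90, 0x90, 0x90, 0x90, 0xC3 };
    memcpy ( JMP, tempJMP, SIZE ); // keep a copy in the global for later inspection
    // rel32 is relative to the end of the 5-byte JMP instruction, hence "- 5".
    const DWORD JMPSize = ( ( DWORD ) newFunction - ( DWORD ) pOrigRFAddress - 5 );
    memcpy ( &JMP [ 1 ], &JMPSize, 4 );
    memcpy ( oldBytes, ( LPVOID ) pOrigRFAddress, SIZE ); // save original bytes before writing
    memcpy ( ( LPVOID ) pOrigRFAddress, JMP, SIZE );
    // Put the previous protection back; the out-parameter is required.
    DWORD ignored = 0;
    VirtualProtect ( ( LPVOID ) pOrigRFAddress, SIZE, oldProtect, &ignored );
}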