2005年07月28日

hook任意指定进程,用remote code injection的方法,执行code后就在指定的进程中了,再load hook需要的dll进去,然后hook,,,不知道他们用的方法是不是这样

通过hook Alloc和free,来观察指定的程序是不是有内存泄漏的问题,,hook好以后,执行程序,再关闭,,观察这个过程

2005年07月24日

原来想的hook其实是错的,,这次想弄的hook Api总是不稳定,,,不知道该怎样调试,,贴到这里,,

#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>
#include <imagehlp.h>

#pragma comment (lib,"imagehlp.lib")
/* Forward declarations. The dllexport'ed routines are looked up by name with
 * GetProcAddress (DllMain) and/or called from the injecting application. */

/* WH_GETMESSAGE hook procedure; see GetMsgProc below. */
LRESULT CALLBACK GetMsgProc(int nCode, WPARAM wParam, LPARAM lParam);

/* Arms the hook for the window under (MouseX, MouseY). */
__declspec(dllexport) DWORD WINAPI func(int MouseX, int MouseY);

/* Installs (TRUE) or removes (FALSE) the WH_GETMESSAGE hook. */
__declspec(dllexport) DWORD WINAPI setmessAgehook(BOOL);

/* Rewrites hmodCAller's import entry for pfnCurrent (imported from
 * pszCAlleeModName) so that it points to pfnNew. */
__declspec(dllexport) void ReplAceIATEntryInOneMod(PCSTR pszCAlleeModName,
        PROC pfnCurrent, PROC pfnNew, HMODULE hmodCAller);

/* Replacement routines that get written into other modules' import tables.
 * The *A variants use LPCTSTR, which only matches the GDI32 "A" signatures
 * while UNICODE is not defined (the narrow MessageBox literals in this file
 * show it is not).
 *
 * NOTE(review): these are declared with the default (__cdecl) convention,
 * but the GDI32/USER32 originals they stand in for are WINAPI (__stdcall).
 * On x86 a __cdecl callee leaves the arguments on the stack while the caller
 * expects them removed, so every hooked call unbalances the caller's stack --
 * a plausible source of the instability described in the post. Adding WINAPI
 * here requires the definitions and the typedefs below to change as well. */
__declspec(dllexport) int  myMessAgeBoxA(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
__declspec(dllexport) BOOL myTextOutA(HDC hdc, int nXStart, int nYStart, LPCTSTR lpString, int cbString);
__declspec(dllexport) BOOL myTextOutW(HDC hdc, int nXStart, int nYStart, LPCWSTR lpString, int cbString);
__declspec(dllexport) BOOL myExtTextOutA(HDC hdc, int X, int Y, UINT fuOptions, CONST RECT *lprc,
        LPCTSTR lpString, UINT cbCount, CONST INT *lpDx);
__declspec(dllexport) BOOL myExtTextOutW(HDC hdc, int X, int Y, UINT fuOptions, CONST RECT *lprc,
        LPCWSTR lpString, UINT cbCount, CONST INT *lpDx);

/* Patch / restore one import in every module of the current process. */
__inline int hookoneApi(char* fromdll, PROC oldAddress, PROC newAddress);
__inline int unhookoneApi(char* fromdll, PROC oldAddress, PROC newAddress);

//——————————————————————–
/* Pointer types for the original USER32/GDI32 entry points captured in
 * DllMain (pOld*) and for the replacements in this DLL (pNew*).
 *
 * NOTE(review): the targets are WINAPI (__stdcall); written as plain function
 * pointers these use __cdecl, so calling the original through pOld* on x86
 * uses the wrong convention. The matching form would be
 * `typedef BOOL (WINAPI *TEXTOUTA)(...)`, changed together with the
 * prototypes and definitions of the my* routines. */
typedef int  (*MESSAGEBOXA)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
typedef BOOL (*TEXTOUTA)(HDC hdc, int nXStart, int nYStart, LPCTSTR lpString, int cbString);
typedef BOOL (*TEXTOUTW)(HDC hdc, int nXStart, int nYStart, LPCWSTR lpString, int cbString);
typedef BOOL (*EXTTEXTOUTA)(HDC hdc, int X, int Y, UINT fuOptions, CONST RECT *lprc,
        LPCTSTR lpString, UINT cbCount, CONST INT *lpDx);
typedef BOOL (*EXTTEXTOUTW)(HDC hdc, int X, int Y, UINT fuOptions, CONST RECT *lprc,
        LPCWSTR lpString, UINT cbCount, CONST INT *lpDx);

//——————————————————————–
//
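/* Globals. The ".sdata" section is meant to be shared by every process that
 * maps this DLL: the hook is armed by the injecting application (func) and
 * consumed inside the target (GetMsgProc). Two conditions for that to work:
 *  - the section must be marked shared (RWS) at link time; the linker pragma
 *    below does that when the option is not given on the command line;
 *  - every variable placed in it must carry an initializer -- uninitialized
 *    data goes to .bss instead and is then per-process. The original left
 *    globAlbuff, g_mousex and g_mousey uninitialized, so only g_hook was
 *    actually shared.
 * A shared writable section can be modified by any process that maps the DLL,
 * so keep it to plain data: no pointers, no handles, no trust decisions. */
#pragma comment(linker, "/SECTION:.sdata,RWS")
#pragma data_seg(".sdata")
char   globAlbuff[1024] = { 0 };   /* only referenced from commented-out code */
BOOL   g_hook = FALSE;             /* TRUE: hook may be applied; FALSE: already applied (or idle) */
int    g_mousex = 0, g_mousey = 0; /* last coordinates passed to func */
#pragma data_seg()

/* Per-process state; DllMain fills the function pointers in each process. */
HHOOK hHook;                       /* set only in the process that called setmessAgehook */
MESSAGEBOXA  pOldMessAgeBoxA, pNewMessAgeBoxA;   /* NOTE(review): never assigned in this file */
TEXTOUTA     pOldTextOutA, pNewTextOutA;
TEXTOUTW     pOldTextOutW, pNewTextOutW;
EXTTEXTOUTA  pOldExtTextOutA, pNewExtTextOutA;
EXTTEXTOUTW  pOldExtTextOutW, pNewExtTextOutW;

UINT      uMsg = 0;                /* RegisterWindowMessage("uay"): same id in every process */
HINSTANCE hWndProcHookDLL = NULL;  /* this DLL's own module handle */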
//——————————————————————–


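/*
 * DLL entry point. On process attach it records this DLL's module handle and
 * resolves both sides of every hook pair: the GDI32 originals (pOld*) and the
 * exported replacements in this DLL (pNew*, looked up by name so the value is
 * the one the import tables are later compared against). Nothing is patched
 * here; GetMsgProc and func do that.
 *
 * GDI32 is already mapped when this runs: this DLL imports TextOutA and
 * ExtTextOutW directly and the loader resolves static imports before calling
 * DllMain, so GetModuleHandle is sufficient. It replaces the original
 * LoadLibrary calls, which are not supported under the loader lock and also
 * bumped GDI32's reference count four times per process.
 *
 * Always returns TRUE. The "wrong" message box is the author's debugging aid;
 * USER32 calls from DllMain are likewise unsupported and it should go once
 * the hook is stable.
 *
 * NOTE(review): DLL_PROCESS_DETACH restores nothing. If a target has not yet
 * called a hooked routine (which unhooks itself) when this DLL is unmapped,
 * its import entry keeps pointing into freed memory.
 */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReAson, LPVOID lpvReserved)
{
    (void)lpvReserved;
    switch (fdwReAson) {
    case DLL_PROCESS_ATTACH:
    {
        HMODULE hGdi = GetModuleHandle("GDI32.dll");
        hWndProcHookDLL = hinstDLL;

        pOldTextOutA    = (TEXTOUTA)GetProcAddress(hGdi, "TextOutA");
        pNewTextOutA    = (TEXTOUTA)GetProcAddress(hWndProcHookDLL, "myTextOutA");
        pOldTextOutW    = (TEXTOUTW)GetProcAddress(hGdi, "TextOutW");
        pNewTextOutW    = (TEXTOUTW)GetProcAddress(hWndProcHookDLL, "myTextOutW");
        pOldExtTextOutA = (EXTTEXTOUTA)GetProcAddress(hGdi, "ExtTextOutA");
        pNewExtTextOutA = (EXTTEXTOUTA)GetProcAddress(hWndProcHookDLL, "myExtTextOutA");
        pOldExtTextOutW = (EXTTEXTOUTW)GetProcAddress(hGdi, "ExtTextOutW");
        if (pOldExtTextOutW == NULL) MessageBox(NULL, "wrong", "", 0);
        pNewExtTextOutW = (EXTTEXTOUTW)GetProcAddress(hWndProcHookDLL, "myExtTextOutW");

        /* Registered by string, so every process obtains the same id. */
        uMsg = RegisterWindowMessage("uay");
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
    default:
        break;
    }
    return TRUE;
}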
//——————————————————————–
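/*
 * Rewrites one import of a single module: every entry in hmodCAller's import
 * address table for pszCAlleeModName that currently holds pfnCurrent is set to
 * pfnNew. Only the current process is touched.
 *
 * Silently returns when the module has no import section, does not import
 * from pszCAlleeModName, or when any argument is NULL (a NULL pfnNew would
 * otherwise be written into the table and crash the next caller).
 *
 * WriteProcessMemory is used instead of a direct store because the IAT page
 * is normally read-only; it performs the protection change for us. The debug
 * sprintf/GetModuleFileName calls of the original were dead code and are gone.
 */
void ReplAceIATEntryInOneMod(PCSTR pszCAlleeModName,
        PROC pfnCurrent, PROC pfnNew, HMODULE hmodCAller)
{
    ULONG ulSize;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
    PIMAGE_THUNK_DATA pThunk;

    if (hmodCAller == NULL || pszCAlleeModName == NULL ||
        pfnCurrent == NULL || pfnNew == NULL) {
        return;
    }

    pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(
        hmodCAller, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize);
    if (pImportDesc == NULL) {
        return;   /* module has no import section */
    }

    /* Find the descriptor for the callee module (names are RVAs). */
    for (; pImportDesc->Name; pImportDesc++) {
        PSTR pszModNAme = (PSTR)((PBYTE)hmodCAller + pImportDesc->Name);
        if (lstrcmpi(pszModNAme, pszCAlleeModName) == 0) {
            break;
        }
    }
    if (pImportDesc->Name == 0) {
        return;   /* this module does not import from the callee */
    }

    pThunk = (PIMAGE_THUNK_DATA)((PBYTE)hmodCAller + pImportDesc->FirstThunk);
    for (; pThunk->u1.Function; pThunk++) {
        PROC *ppfn = (PROC *)&pThunk->u1.Function;
        if (*ppfn == pfnCurrent) {
            if (!WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew,
                                    sizeof(pfnNew), NULL)) {
                return;   /* page not writable; remaining entries would fail too */
            }
        }
    }
}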
//——————————————————————–
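/*
 * WH_GETMESSAGE hook procedure. Runs inside whichever process retrieves a
 * message while the hook is installed; when the shared g_hook flag is armed
 * and the retrieved message is our registered uMsg, the current process is
 * the target chosen by func, and ExtTextOutW is patched here.
 *
 * The pOld*/pNew* pointers are resolved by DllMain when the DLL is first
 * loaded into the process (the original carried that as a Chinese comment).
 *
 * Changes from the original:
 *  - nCode < 0 is passed straight to CallNextHookEx, as the hook contract
 *    requires, and lParam is read through a pointer instead of copying MSG;
 *  - the hook is installed with pNewExtTextOutW itself. The original used
 *    pNewExtTextOutW - 10 to make it equal to the in-module address of
 *    myExtTextOutW; either address is a valid entry point, but the unhook in
 *    myExtTextOutW compares against pNewExtTextOutW unchanged, so with the
 *    offset no entry ever matched and the patch was never removed. The
 *    10-byte gap itself looks like an MSVC incremental-linking jump thunk
 *    (debug builds) -- TODO confirm with a release build;
 *  - leftover debug sprintf removed.
 */
LRESULT CALLBACK GetMsgProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    if (nCode >= 0 && g_hook == TRUE && lParam != 0) {
        const MSG *pmsg = (const MSG *)lParam;
        if (pmsg->message == uMsg) {
            hookoneApi("GDI32.dll", (PROC)pOldExtTextOutW, (PROC)pNewExtTextOutW);
            g_hook = FALSE;   /* consumed; stops every other process from patching too */
        }
    }
    /* hHook is NULL in target processes; CallNextHookEx ignores it. */
    return CallNextHookEx(hHook, nCode, wParam, lParam);
}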
//——————————————————————–
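/*
 * Replacement for MessageBoxA that swaps the text and caption for fixed test
 * strings and forwards the rest. The hook for it is never installed (see the
 * note in func) and pOldMessAgeBoxA is never assigned anywhere in this file,
 * so calling through it would jump to NULL; return 0 -- MessageBox's own
 * failure value -- in that case instead.
 */
__declspec(dllexport)
int myMessAgeBoxA(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType)
{
    (void)lpText;
    (void)lpCaption;
    if (pOldMessAgeBoxA == NULL) {
        return 0;
    }
    return pOldMessAgeBoxA(hWnd, "shit", "shit", uType);
}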
//——————————————————————–
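/*
 * Replacement for GDI32!TextOutA. One-shot: it first puts the original entry
 * back in every module, then forwards through this DLL's own TextOutA import.
 * The unhook must come first because hookoneApi patches this DLL's import
 * table as well; otherwise the call below would re-enter this function.
 *
 * Returns whatever TextOutA returns. Commented-out capture code removed.
 */
__declspec(dllexport)
BOOL myTextOutA(HDC hdc, int nXStart, int nYStart, LPCTSTR lpString, int cbString)
{
    unhookoneApi("GDI32.dll", (PROC)pOldTextOutA, (PROC)pNewTextOutA);
    return TextOutA(hdc, nXStart, nYStart, lpString, cbString);
}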
//——————————————————————–
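/*
 * Replacement for GDI32!TextOutW; same one-shot pattern as myTextOutA: restore
 * the import in every module (including this DLL's own table, which
 * hookoneApi patched too), then forward through the now-restored import.
 *
 * Returns whatever TextOutW returns. Stray ";;" and dead comments removed.
 */
__declspec(dllexport)
BOOL myTextOutW(HDC hdc, int nXStart, int nYStart, LPCWSTR lpString, int cbString)
{
    unhookoneApi("GDI32.dll", (PROC)pOldTextOutW, (PROC)pNewTextOutW);
    return TextOutW(hdc, nXStart, nYStart, lpString, cbString);
}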
//——————————————————————–
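/*
 * Exported entry point called by the injecting application: finds the window
 * under (MouseX, MouseY) and arranges for ExtTextOutW to be hooked in that
 * window's process.
 *  - same process: patch the import tables right away;
 *  - other process: send/post uMsg to the window; GetMsgProc, running in the
 *    target, performs the patch when it sees that message (g_hook armed).
 *
 * Returns 0 on success, 1 when no window is under the point or ExtTextOutW
 * cannot be resolved. The original always returned 0 and, with a NULL window,
 * went on to call GetWindowThreadProcessId(NULL, ...) and compare an
 * uninitialized dwProcessId; it also left g_hook armed in that case.
 */
__declspec(dllexport)
DWORD WINAPI func(int MouseX, int MouseY)
{
    POINT ptWindow;
    HWND hWindow;
    DWORD dwProcessId = 0;

    ptWindow.x = MouseX;
    ptWindow.y = MouseY;
    hWindow = WindowFromPoint(ptWindow);
    if (hWindow == NULL) {
        MessageBox(NULL, "get window wrong", "", 0);
        return 1;
    }

    /* Shared state read by GetMsgProc inside the target process. */
    g_hook = TRUE;
    g_mousex = MouseX;
    g_mousey = MouseY;

    GetWindowThreadProcessId(hWindow, &dwProcessId);
    if (dwProcessId == GetCurrentProcessId()) {
        /* GDI32 is mapped: this DLL imports ExtTextOutW itself. */
        HMODULE hGdi = GetModuleHandle("GDI32.dll");
        pOldExtTextOutW = (hGdi != NULL)
            ? (EXTTEXTOUTW)GetProcAddress(hGdi, "ExtTextOutW") : NULL;
        if (pOldExtTextOutW == NULL) {
            MessageBox(NULL, "wrong", "", 0);
            g_hook = FALSE;
            return 1;
        }
        /* In-module address; myExtTextOutW unhooks with this same global. */
        pNewExtTextOutW = myExtTextOutW;
        hookoneApi("GDI32.dll", (PROC)pOldExtTextOutW, (PROC)pNewExtTextOutW);
        /* Hooking MessageBox is still unresolved here (author's note). */
        g_hook = FALSE;
    } else {
        /* Both calls are kept because the author found the hook did not
           fire with only one of them. A WH_GETMESSAGE hook sees messages the
           target retrieves with GetMessage/PeekMessage, i.e. the posted one;
           what the SendMessage contributes is not clear from this file. */
        SendMessage(hWindow, uMsg, 0, 0);
        PostMessage(hWindow, uMsg, 0, 0);
    }

    return 0;
}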
//——————————————————————–
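/*
 * Patches one import in every module currently loaded in this process: each
 * module whose import table for fromdll holds oldAddress gets newAddress
 * written there instead. This DLL itself is one of those modules, which is
 * why the my* replacements unhook before calling through their own imports.
 *
 * Returns 0 on success, -1 if the module snapshot could not be taken (the
 * original always returned 0).
 *
 * Fixes over the original: MODULEENTRY32.dwSize is set before Module32First
 * (the call fails with ERROR_INVALID_PARAMETER without it, so nothing was
 * walked reliably), the snapshot handle is closed, and the result of
 * Module32First is checked instead of passing an unfilled entry on.
 */
__inline int hookoneApi(char* fromdll, PROC oldAddress, PROC newAddress)
{
    HANDLE snap;
    MODULEENTRY32 me;
    BOOL more;

    snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, 0);   /* 0: current process */
    if (snap == INVALID_HANDLE_VALUE) {
        return -1;
    }

    me.dwSize = sizeof(me);
    for (more = Module32First(snap, &me); more; more = Module32Next(snap, &me)) {
        ReplAceIATEntryInOneMod(fromdll, oldAddress, newAddress, me.hModule);
    }

    CloseHandle(snap);
    return 0;
}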
//——————————————————————–
/* Restores an import patched by hookoneApi: the same module walk, looking for
 * the replacement address and writing the original back. */
__inline int unhookoneApi(char* fromdll, PROC oldAddress, PROC newAddress)
{
    PROC lookFor = newAddress;
    PROC putBack = oldAddress;
    return hookoneApi(fromdll, lookFor, putBack);
}
//——————————————————————–
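/*
 * Installs (hook == TRUE) or removes (hook == FALSE) the WH_GETMESSAGE hook
 * whose procedure is GetMsgProc.
 *
 * Thread id 0 makes it a system-wide hook: this DLL is mapped into every GUI
 * process on the desktop, not only the one under the cursor. Passing the
 * target's thread id (GetWindowThreadProcessId on the window found in func)
 * would confine the injection to that one process.
 *
 * Returns 0 on success and 1 if SetWindowsHookEx failed (the original
 * returned 0 unconditionally and never cleared hHook after unhooking).
 */
__declspec(dllexport)
DWORD WINAPI setmessAgehook(BOOL hook)
{
    if (hook) {
        hHook = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc, hWndProcHookDLL, 0);
        return (hHook != NULL) ? 0 : 1;
    }
    if (hHook != NULL) {
        UnhookWindowsHookEx(hHook);
        hHook = NULL;   /* the handle is invalid from here on */
    }
    return 0;
}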
//——————————————————————–
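/*
 * Replacement for GDI32!ExtTextOutA. One-shot: restores the import in every
 * module (this DLL's own table included, since hookoneApi patched it as
 * well), then forwards through the restored import.
 *
 * Returns whatever ExtTextOutA returns. The commented-out file logging and
 * alternative returns of the original were dead code and are removed.
 */
__declspec(dllexport)
BOOL myExtTextOutA(HDC hdc, int X, int Y, UINT fuOptions, CONST RECT *lprc,
                   LPCTSTR lpString, UINT cbCount, CONST INT *lpDx)
{
    unhookoneApi("GDI32.dll", (PROC)pOldExtTextOutA, (PROC)pNewExtTextOutA);
    return ExtTextOutA(hdc, X, Y, fuOptions, lprc, lpString, cbCount, lpDx);
}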
//——————————————————————–
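/*
 * Replacement for GDI32!ExtTextOutW, installed into the target's import table
 * by GetMsgProc or func. It restores the import (one-shot capture), appends
 * the addresses involved to a debugging log and forwards to the original,
 * called directly through pOldExtTextOutW rather than through the import.
 *
 * Runs inside whatever process was hooked, with that process's privileges;
 * the log path is fixed. Returns the original's result, or FALSE if the
 * original cannot be resolved (the original code would have called NULL).
 *
 * Fixes over the original: fopen is checked before use, the pointer values
 * are printed with %p instead of truncating them through (int), the
 * re-resolution keeps the previous pointer when the lookup fails, and
 * GetModuleHandle replaces a LoadLibrary that leaked one GDI32 reference per
 * call.
 *
 * NOTE(review): declared __cdecl while ExtTextOutW is WINAPI (__stdcall);
 * see the prototypes at the top of the file.
 */
__declspec(dllexport)
BOOL myExtTextOutW(HDC hdc, int X, int Y, UINT fuOptions, CONST RECT *lprc,
                   LPCWSTR lpString, UINT cbCount, CONST INT *lpDx)
{
    FILE *fp;
    HMODULE hGdi;
    EXTTEXTOUTW pFresh;

    /* Must use the same pNewExtTextOutW value the hook was installed with;
       otherwise no entry matches and the patch stays in place. */
    unhookoneApi("GDI32.dll", (PROC)pOldExtTextOutW, (PROC)pNewExtTextOutW);

    hGdi = GetModuleHandle("GDI32.dll");
    pFresh = (hGdi != NULL) ? (EXTTEXTOUTW)GetProcAddress(hGdi, "ExtTextOutW") : NULL;

    fp = fopen("d:\\result.txt", "a");
    if (fp != NULL) {
        fprintf(fp, "pOldExtTextOutW:%p\nExtTextOut%p\npNewTextOutW:%p\n\n",
                (void *)pOldExtTextOutW, (void *)ExtTextOutW, (void *)pNewTextOutW);
        fprintf(fp, "pOldExtTextOutW:%p\n", (void *)pFresh);
        fclose(fp);
    }

    if (pFresh != NULL) {
        pOldExtTextOutW = pFresh;
    }
    if (pOldExtTextOutW == NULL) {
        return FALSE;
    }
    return pOldExtTextOutW(hdc, X, Y, fuOptions, lprc, lpString, cbCount, lpDx);
}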
//——————————————————————–

本来的打算是通过给出一对坐标,确定坐标所在位置下的窗口,,,hook TextOut和ExtTextOut,,把屏幕上的文字取出来,,在程序的开始用SetWindowsHookEx先hook windows消息,,得到窗口的句柄后就可以向该窗口发自定义的消息,,,这里用RegisterWindowMessage来自定义消息,,WM_USER+100这样的消息只能用在同一个应用程序里.因为hook了windows的消息,当消息发向指定的窗口时,,就会被拦到,进入到当时SetWindowsHookEx时注册的过程函数中,这时候,就在目标窗口的进程中了,,然后就可以用《Windows核心编程》里的方法来hook Api,,,,这里还有一个地方就是有时候只SendMessage或PostMessage,消息总是传递不过去,,必须两个都写上,,不明白为什么.还有,在目标进程里用GetProcAddress得到的自己的hook函数,如myExtTextOutW,,与在这个函数中用(int)myExtTextOutW得到的值总是相差10字节

2005年07月19日

第一级:神人,天资过人而又是技术狂热者同时还拥有过人的商业头脑,高瞻远瞩,技术过人,大器也。如丁磊,求伯君。
第二级:高人,有天赋,技术过人但没有过人的商业头脑,通常此类人不是顶尖黑客就是技术总监之流。
第三级:牛人,技术精湛,熟悉行业知识,敢于创新,有自己的公司和软件产品。
第四级:工头,技术精湛,有领导团队的能力,此类人大公司项目经理居多。
第五级:技术工人,技术精湛,熟悉行业知识但领导能力欠佳,此类人大多为系分人员或资深程序员,基本上桀骜不驯,自视清高,不愿与一般技术人员为伍,在论坛上基本以高手面目出现。
第六级:熟练工人,技术有广度无深度,喜欢钻研但浅尝辄止。此类人大多为老程序员,其中一部分喜欢利用工具去查找网上有漏洞的服务器,干点坏事以获取成绩感。如果心情好,在论坛上他们会回答菜鸟的大部分问题。此级别为软件业苦力的重要组成部分。

第七级:工人,某些技术较熟练但缺乏深度和广度,此类人大多为程序员级别,经常在论坛上提问偶尔也回答菜鸟的问题。为软件产业苦力的主要组成部分。
第八级:菜鸟,入门时间不长,在论坛上会反复提问很初级的问题,有一种唐僧的精神。虽然招人烦但基本很可爱。只要认真钻研,一两年后就能升级到上一层。

第九级:大忽悠,利用中国教育的弊病,顶着一顶高学历的帽子,在小公司里混个软件部经理,设计不行,代码不行,只会胡乱支配下属,拍领导马屁,在领导面前胡吹海侃,把自己打扮成技术高手的模样。把勾心斗角的办公室文化引入技术部门,实在龌龊!

第十级:驴或傻X,会写SELECT语句就说自己精通ORACLE,连寄存器有几种都不知道就说自己懂汇编,建议全部送到日本当IT产业工人,挣了日本人的钱还严重打击日本的软件业!
其中又以前两级和后两级最为难得,其余级别只要努力,皆有可能达到。