[下载]Ultimate Hooking Engine-编程技术-看雪-安全社区|安全招聘|kanxue.com

最新回复 (2)
yijun8354 雪币： 1925 活跃值： (906) 能力值： ( LV9，RANK：490 ) 在线值：发帖 22 回帖 784 粉丝 1 关注私信	yijun8354 12 2 楼 [QUOTE=;]...[/QUOTE] 谢谢分享～～ 2007-5-31 20:27 0
laomms 雪币： 560 活跃值： (379) 能力值： ( LV13，RANK：1370 ) 在线值：发帖 83 回帖 384 粉丝 11 关注私信	laomms 34 3 楼翻译了一下,MASM版本: include cacl5bytes.asm hookapi proc invoke OutputInfo, hOutputCtl, CTEXT("Ultimate Hooking Engine") jmp __execute loader: pusha call mainloader popa goback: push 0deadc0deh retn __execute: ;mov ctx.ContextFlags, CONTEXT_FULL invoke CreateProcessA, CTEXT("I:\Ultimate Hooking Engine\hook\test.exe"), 0,0,0,0, CREATE_SUSPENDED, 0,0, offset sinfo, offset pinfo test eax, eax jz __killprocess INVOKE VirtualAllocEx, pinfo.hProcess, 0, 1000h, MEM_COMMIT, PAGE_EXECUTE_READWRITE mov stubmemory, eax INVOKE GetThreadContext, pinfo.hThread, offset ctx mov eax, ctx.regEax mov eax, stubmemory mov ctx.regEax, eax INVOKE SetThreadContext, pinfo.hThread, offset ctx invoke OutputInfo, hOutputCtl, CTEXT(" Executing target...") invoke lstrcpy,addr dllname,CTEXT("hookdll.dll") m2m NewLoadLibraryA, LoadLibraryA m2m NewVirtualAlloc, VirtualAlloc m2m NewVirtualProtect, VirtualProtect m2m NewGetProcAddress, GetProcAddress invoke OutputInfo, hOutputCtl, CTEXT(" Injecting code into target...") INVOKE WriteProcessMemory, pinfo.hProcess, stubmemory, offset loader, loader_size, 0 invoke OutputInfo, hOutputCtl, CTEXT(" Resuming target...") INVOKE ResumeThread, pinfo.hThread @exit: ret __killprocess: invoke OutputInfo, hOutputCtl, CTEXT("[X] can't create process... did you type correct name?") jmp @exit __usage: invoke OutputInfo, hOutputCtl, CTEXT("[X] wrong arguments!!") jmp @exit hookapi endp mainloader proc call delta delta: pop ebp sub ebp, offset delta ;加载DLL lea eax, [ebp+dllname] ;"hookdll.dll" push eax call [ebp+NewLoadLibraryA] ;LoadLibraryA加载DLL mov [ebp+dllbase], eax ;获取DLL句柄,EAX=10000000,4D 5A 90 00 03 test eax, eax ;如果没有则提示加载失败 jz nohookmain call WalkDllsAndHook ;执行HOOKAPI xor ecx, ecx sub ecx, 87868600h push ecx xor ecx, 16101B6Dh push ecx xor ecx, 0FD060DFBh push ecx push esp push [ebp+dllbase] call [ebp+NewGetProcAddress] ;GetProcAddress找到API lea esp, dword ptr [esp+0Ch] test eax, eax jz nohookmain ;如果没有则提示查找失败 call eax ;如果有调用该API nohookmain: retn mainloader endp WalkDllsAndHook proc mov ebx, [ebp+dllbase] ;DLL基址MZ add ebx, [ebx+3ch] ;+3C获取PE头地址 ,000000E8 mov ebx, [ebx+78h] ;导出表 ,0000AFB0 add ebx, [ebp+dllbase] xor eax, eax mov esi, [ebx+20h] ;API名称 add esi, [ebp+dllbase] cyclenames: mov ecx, [esi] add ecx, [ebp+dllbase] ;ecx为API名称 cmp dword ptr[ecx], 'KOOH' ;前缀是否为HOOK jne nextname ;循环取API名称 pusha mov [ebp+currenthookexport], ecx ;ecx为函数名称 mov esi, ecx add esi, 5 ;扣除"HOOK-" 5个字母 lea edi, [ebp+dllname] ;DLL名称 copydllname: lodsb stosb cmp al, '_' ;中间是否含有'_' jne copydllname ;循环查找 mov byte ptr[edi-1], 0 ;找到'_'后换成0 lea edi, [ebp+apiname] ;装入API名称 copystring ;拷贝剩下的API名称 lea eax, [ebp+dllname] ;装入中间的名称,即系统API:kernel32 push eax call [ebp+NewLoadLibraryA] ;LoadLibraryA加载系统API mov [ebp+currentdllbase], eax ;kernel32的基址 push [ebp+currenthookexport] ;API全称"HOOK_kernel32_CreateFileA" push [ebp+dllbase] ;DLL基址 call [ebp+NewGetProcAddress] ;GetProcAddress找到API mov [ebp+currenthookexport], eax ;mydll.HOOK_kernel32_CreateFileA放入currenthookexport lea eax, [ebp+apiname] ;API名称:CreateFileA push eax push [ebp+currentdllbase] ;kernel32的基址 call [ebp+NewGetProcAddress] ;kernel32.CreateFileA函数 mov esi, eax lea eax, [ebp+detoured] ;Detoured_CreateFileA" push eax push [ebp+dllbase] ;DLL基址 call [ebp+NewGetProcAddress] ;mydll.Detoured_CreateFileA test eax, eax jz nodetoured push eax ;mydll.Detoured_CreateFileA push [ebp+currenthookexport] ;mydll.HOOK_kernel32_CreateFileA push esi ;kernel32.CreateFileA call InstallDetour jmp skip0 nodetoured: lea ecx, [ebp+dummy] push ecx push [ebp+currenthookexport] push esi call InstallDetour skip0: popa nextname: inc eax add esi, 4 cmp eax, [ebx+18h] ;ed_numberofnames jb cyclenames @exit: ret WalkDllsAndHook endp InstallDetour proc api_address:dword,new_address:dword,detour_variable:dword local local_delta:dword local dummyvar:dword pusha get_delta xchg eax, ebx lea ecx, dummyvar push ecx push PAGE_EXECUTE_READWRITE push 1000h push api_address ;kernel32.CreateFileA call [ebx+NewVirtualProtect] ;kernel32.VirtualProtect cmp [ebx+detour_buffer], 0 jne skip_alloc push PAGE_EXECUTE_READWRITE push 1000h push 1000h push 0 call [ebx+NewVirtualAlloc] ;申请内存 mov [ebx+detour_buffer], eax skip_alloc: mov esi, api_address ;kernel32.CreateFileA mov edi, [ebx+detour_buffer] xor ecx, ecx get_5bytes: push esi ;kernel32.CreateFileA call cacl_bytes add esi, eax add ecx, eax cmp ecx, 5 jb get_5bytes mov esi, api_address ;kernel32.CreateFileA push ecx ;5 rep movsb pop ecx push edi push eax mov edi, api_address ;kernel32.CreateFileA mov al, 90h ;替换成nop rep stosb ;DLL基址替换成5个90 pop eax pop edi mov byte ptr[edi], 0e9h ;jmp命令 add edi, 5 sub esi, edi mov dword ptr[edi-4], esi ;0EF9FFFB install_hook: mov eax, detour_variable ;Mydll.Detoured_CreateFileA push [ebx+detour_buffer] pop dword ptr[eax] mov eax, api_address ;kernel32.CreateFileA mov ecx, new_address ;mydll.HOOK_kernel32_CreateFileA mov byte ptr[eax], 0e9h add eax, 5 ;恢复kernel32.CreateFileA sub ecx, eax mov dword ptr[eax-4], ecx mov [ebx+detour_buffer], edi popa leave retn 0ch InstallDetour endp DLL源码:: .386 .model flat, stdcall option casemap: none include windows.inc include user32.inc include kernel32.inc includelib user32.lib includelib kernel32.lib public C Detoured_MessageBoxA public C Detoured_GetModuleHandleA .data? Detoured_MessageBoxA dd ? Detoured_GetModuleHandleA dd ? .code DllEntry proc hInstance:HINSTANCE, reason:DWORD, reserved1:DWORD .if reason==DLL_PROCESS_ATTACH mov eax,TRUE .endif ret DllEntry Endp HOOK_user32_MessageBoxA proc hwnd:DWORD, text:DWORD, about:DWORD, icon:DWORD push icon push about push text push hwnd call Detoured_MessageBoxA ret HOOK_user32_MessageBoxA endp HOOK_kernel32_GetModuleHandleA proc modulename:dword push modulename call Detoured_GetModuleHandleA ret HOOK_kernel32_GetModuleHandleA endp HOOK_kernel32_ExitProcess proc exitcode:dword invoke TerminateProcess, -1, exitcode ret HOOK_kernel32_ExitProcess endp End DllEntry -----------------------mydll.Inc------------- HOOK_kernel32_GetModuleHandleA proto HOOK_user32_MessageBoxA proto HOOK_kernel32_ExitProcess proto Detoured_GetModuleHandleA proto Detoured_MessageBoxA proto ------------------------mydll.Def------------- EXPORTS HOOK_user32_MessageBoxA HOOK_kernel32_GetModuleHandleA HOOK_kernel32_ExitProcess Detoured_GetModuleHandleA Detoured_MessageBoxA 2007-6-15 10:41 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (2)
yijun8354 雪币： 1925 活跃值： (906) 能力值： ( LV9，RANK：490 ) 在线值：发帖 22 回帖 784 粉丝 1 关注私信	yijun8354 12 2 楼 [QUOTE=;]...[/QUOTE] 谢谢分享～～ 2007-5-31 20:27 0
laomms 雪币： 560 活跃值： (379) 能力值： ( LV13，RANK：1370 ) 在线值：发帖 83 回帖 384 粉丝 11 关注私信	laomms 34 3 楼翻译了一下,MASM版本: include cacl5bytes.asm hookapi proc invoke OutputInfo, hOutputCtl, CTEXT("Ultimate Hooking Engine") jmp __execute loader: pusha call mainloader popa goback: push 0deadc0deh retn __execute: ;mov ctx.ContextFlags, CONTEXT_FULL invoke CreateProcessA, CTEXT("I:\Ultimate Hooking Engine\hook\test.exe"), 0,0,0,0, CREATE_SUSPENDED, 0,0, offset sinfo, offset pinfo test eax, eax jz __killprocess INVOKE VirtualAllocEx, pinfo.hProcess, 0, 1000h, MEM_COMMIT, PAGE_EXECUTE_READWRITE mov stubmemory, eax INVOKE GetThreadContext, pinfo.hThread, offset ctx mov eax, ctx.regEax mov eax, stubmemory mov ctx.regEax, eax INVOKE SetThreadContext, pinfo.hThread, offset ctx invoke OutputInfo, hOutputCtl, CTEXT(" Executing target...") invoke lstrcpy,addr dllname,CTEXT("hookdll.dll") m2m NewLoadLibraryA, LoadLibraryA m2m NewVirtualAlloc, VirtualAlloc m2m NewVirtualProtect, VirtualProtect m2m NewGetProcAddress, GetProcAddress invoke OutputInfo, hOutputCtl, CTEXT(" Injecting code into target...") INVOKE WriteProcessMemory, pinfo.hProcess, stubmemory, offset loader, loader_size, 0 invoke OutputInfo, hOutputCtl, CTEXT(" Resuming target...") INVOKE ResumeThread, pinfo.hThread @exit: ret __killprocess: invoke OutputInfo, hOutputCtl, CTEXT("[X] can't create process... did you type correct name?") jmp @exit __usage: invoke OutputInfo, hOutputCtl, CTEXT("[X] wrong arguments!!") jmp @exit hookapi endp mainloader proc call delta delta: pop ebp sub ebp, offset delta ;加载DLL lea eax, [ebp+dllname] ;"hookdll.dll" push eax call [ebp+NewLoadLibraryA] ;LoadLibraryA加载DLL mov [ebp+dllbase], eax ;获取DLL句柄,EAX=10000000,4D 5A 90 00 03 test eax, eax ;如果没有则提示加载失败 jz nohookmain call WalkDllsAndHook ;执行HOOKAPI xor ecx, ecx sub ecx, 87868600h push ecx xor ecx, 16101B6Dh push ecx xor ecx, 0FD060DFBh push ecx push esp push [ebp+dllbase] call [ebp+NewGetProcAddress] ;GetProcAddress找到API lea esp, dword ptr [esp+0Ch] test eax, eax jz nohookmain ;如果没有则提示查找失败 call eax ;如果有调用该API nohookmain: retn mainloader endp WalkDllsAndHook proc mov ebx, [ebp+dllbase] ;DLL基址MZ add ebx, [ebx+3ch] ;+3C获取PE头地址 ,000000E8 mov ebx, [ebx+78h] ;导出表 ,0000AFB0 add ebx, [ebp+dllbase] xor eax, eax mov esi, [ebx+20h] ;API名称 add esi, [ebp+dllbase] cyclenames: mov ecx, [esi] add ecx, [ebp+dllbase] ;ecx为API名称 cmp dword ptr[ecx], 'KOOH' ;前缀是否为HOOK jne nextname ;循环取API名称 pusha mov [ebp+currenthookexport], ecx ;ecx为函数名称 mov esi, ecx add esi, 5 ;扣除"HOOK-" 5个字母 lea edi, [ebp+dllname] ;DLL名称 copydllname: lodsb stosb cmp al, '_' ;中间是否含有'_' jne copydllname ;循环查找 mov byte ptr[edi-1], 0 ;找到'_'后换成0 lea edi, [ebp+apiname] ;装入API名称 copystring ;拷贝剩下的API名称 lea eax, [ebp+dllname] ;装入中间的名称,即系统API:kernel32 push eax call [ebp+NewLoadLibraryA] ;LoadLibraryA加载系统API mov [ebp+currentdllbase], eax ;kernel32的基址 push [ebp+currenthookexport] ;API全称"HOOK_kernel32_CreateFileA" push [ebp+dllbase] ;DLL基址 call [ebp+NewGetProcAddress] ;GetProcAddress找到API mov [ebp+currenthookexport], eax ;mydll.HOOK_kernel32_CreateFileA放入currenthookexport lea eax, [ebp+apiname] ;API名称:CreateFileA push eax push [ebp+currentdllbase] ;kernel32的基址 call [ebp+NewGetProcAddress] ;kernel32.CreateFileA函数 mov esi, eax lea eax, [ebp+detoured] ;Detoured_CreateFileA" push eax push [ebp+dllbase] ;DLL基址 call [ebp+NewGetProcAddress] ;mydll.Detoured_CreateFileA test eax, eax jz nodetoured push eax ;mydll.Detoured_CreateFileA push [ebp+currenthookexport] ;mydll.HOOK_kernel32_CreateFileA push esi ;kernel32.CreateFileA call InstallDetour jmp skip0 nodetoured: lea ecx, [ebp+dummy] push ecx push [ebp+currenthookexport] push esi call InstallDetour skip0: popa nextname: inc eax add esi, 4 cmp eax, [ebx+18h] ;ed_numberofnames jb cyclenames @exit: ret WalkDllsAndHook endp InstallDetour proc api_address:dword,new_address:dword,detour_variable:dword local local_delta:dword local dummyvar:dword pusha get_delta xchg eax, ebx lea ecx, dummyvar push ecx push PAGE_EXECUTE_READWRITE push 1000h push api_address ;kernel32.CreateFileA call [ebx+NewVirtualProtect] ;kernel32.VirtualProtect cmp [ebx+detour_buffer], 0 jne skip_alloc push PAGE_EXECUTE_READWRITE push 1000h push 1000h push 0 call [ebx+NewVirtualAlloc] ;申请内存 mov [ebx+detour_buffer], eax skip_alloc: mov esi, api_address ;kernel32.CreateFileA mov edi, [ebx+detour_buffer] xor ecx, ecx get_5bytes: push esi ;kernel32.CreateFileA call cacl_bytes add esi, eax add ecx, eax cmp ecx, 5 jb get_5bytes mov esi, api_address ;kernel32.CreateFileA push ecx ;5 rep movsb pop ecx push edi push eax mov edi, api_address ;kernel32.CreateFileA mov al, 90h ;替换成nop rep stosb ;DLL基址替换成5个90 pop eax pop edi mov byte ptr[edi], 0e9h ;jmp命令 add edi, 5 sub esi, edi mov dword ptr[edi-4], esi ;0EF9FFFB install_hook: mov eax, detour_variable ;Mydll.Detoured_CreateFileA push [ebx+detour_buffer] pop dword ptr[eax] mov eax, api_address ;kernel32.CreateFileA mov ecx, new_address ;mydll.HOOK_kernel32_CreateFileA mov byte ptr[eax], 0e9h add eax, 5 ;恢复kernel32.CreateFileA sub ecx, eax mov dword ptr[eax-4], ecx mov [ebx+detour_buffer], edi popa leave retn 0ch InstallDetour endp DLL源码:: .386 .model flat, stdcall option casemap: none include windows.inc include user32.inc include kernel32.inc includelib user32.lib includelib kernel32.lib public C Detoured_MessageBoxA public C Detoured_GetModuleHandleA .data? Detoured_MessageBoxA dd ? Detoured_GetModuleHandleA dd ? .code DllEntry proc hInstance:HINSTANCE, reason:DWORD, reserved1:DWORD .if reason==DLL_PROCESS_ATTACH mov eax,TRUE .endif ret DllEntry Endp HOOK_user32_MessageBoxA proc hwnd:DWORD, text:DWORD, about:DWORD, icon:DWORD push icon push about push text push hwnd call Detoured_MessageBoxA ret HOOK_user32_MessageBoxA endp HOOK_kernel32_GetModuleHandleA proc modulename:dword push modulename call Detoured_GetModuleHandleA ret HOOK_kernel32_GetModuleHandleA endp HOOK_kernel32_ExitProcess proc exitcode:dword invoke TerminateProcess, -1, exitcode ret HOOK_kernel32_ExitProcess endp End DllEntry -----------------------mydll.Inc------------- HOOK_kernel32_GetModuleHandleA proto HOOK_user32_MessageBoxA proto HOOK_kernel32_ExitProcess proto Detoured_GetModuleHandleA proto Detoured_MessageBoxA proto ------------------------mydll.Def------------- EXPORTS HOOK_user32_MessageBoxA HOOK_kernel32_GetModuleHandleA HOOK_kernel32_ExitProcess Detoured_GetModuleHandleA Detoured_MessageBoxA 2007-6-15 10:41 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复