概述:按照个人理解的来概述就是,将我们自己的一个dll注入到目标进程中去。这样目标进程就运行了我们的dll,在我们的dll中劫持目标函数的跳转指令----也就是目标进程在执行某一个函数时被我们拦截了,改成执行我们的函数。 详细:
本教程边写代码边解释,运行环境VS2012+Qt
源码链接http://download.csdn.net/download/sky_calls/10264654
第一步、创建一个目标进程TargetProcess
其实就是一个很简单的写串口操作 创建过程省略,代码如下
关键函数解释
void TargetProcess::writeCom() { HANDLE hCom; //串口句柄 hCom=CreateFile(L"COM1",//COM口 GENERIC_READ|GENERIC_WRITE, //允许读和写 0, //独占方式 NULL, OPEN_EXISTING, //打开而不是创建 0, //同步方式 NULL); if(hCom==(HANDLE)-1) return;
SetupComm(hCom,1024,1024); //输出缓冲区的大小是1024 COMMTIMEOUTS TimeOuts; //设定读超时 TimeOuts.ReadIntervalTimeout=1000; TimeOuts.ReadTotalTimeoutMultiplier=500; TimeOuts.ReadTotalTimeoutConstant=5000; //设定写超时 TimeOuts.WriteTotalTimeoutMultiplier=500; TimeOuts.WriteTotalTimeoutConstant=2000; SetCommTimeouts(hCom,&TimeOuts); //设置超时 DCB dcb; GetCommState(hCom,&dcb); dcb.BaudRate=9600; //波特率为9600 dcb.ByteSize=8; //每个字节有8位 dcb.Parity='\0'; //无奇偶校验位 dcb.StopBits='\0'; //两个停止位 SetCommState(hCom,&dcb); PurgeComm(hCom,PURGE_TXCLEAR|PURGE_RXCLEAR);
//同步写串口 char lpOutBuffer[100]; QString tmpContent = "hello com1"; memcpy_s(lpOutBuffer, 100, tmpContent.toStdString().c_str(), tmpContent.length()); lpOutBuffer[tmpContent.length()] = 0; DWORD dwBytesWrite=100; COMSTAT ComStat; DWORD dwErrorFlags; BOOL bWriteStat; ClearCommError(hCom,&dwErrorFlags,&ComStat); bWriteStat=WriteFile(hCom,lpOutBuffer,dwBytesWrite,& dwBytesWrite,NULL);
PurgeComm(hCom, PURGE_TXABORT| PURGE_RXABORT|PURGE_TXCLEAR|PURGE_RXCLEAR);
CloseHandle(hCom); }
第二步、创建要注入的dll工程 ApiHook
要注入的这个dll库必须有DllMain函数作为入口,否则dll里面的劫持操作无法完成 这里我参考了 http://www.cokco.cn/thread-9360-1-1.html 关键代码如下 typedef struct
{
LPCSTR lpFunctionName; // name of api 要拦截的函数名字
LPCTSTR lpDllName; // name of dll that has the api要拦截函数所属dll
LPVOID lpRecallfn; // recall function address 自定义的替换函数
LPVOID lpApiAddr; // api address 原始函数地址
PBYTE pOrgfnMem; // memory to save first few bytes of api and execute jmp code 原始函数跳转指令
int nOrgfnMemSize; // size of pOrgfnMem 跳转指令的大小
} RECALL_API_INFO, *PRECALL_API_INFO;
// hook apis infomation
RECALL_API_INFO g_arHookAPIs[] =
{
"CreateFileA", "Kernel32.dll",
MyCreateFileA, CreateFileA, NULL, 0,
"CreateFileW", "Kernel32.dll",
MyCreateFileW, CreateFileW, NULL, 0,
"WriteFile", "Kernel32.dll",
MyWriteFile, WriteFile, NULL, 0,
"WriteFileEx", "Kernel32.dll",
MyWriteFileEx, WriteFileEx, NULL, 0
}; bool hookApi(PRECALL_API_INFO pApiRecall) // 参数为所劫持的函数信息
{
if (pApiRecall == NULL)
return false;
// 得到目标函数锁在的库名称
HMODULE hModule = LoadLibrary(pApiRecall->lpDllName);
if (!hModule)
return false;
// 得到目标函数在库里面的位置
FARPROC pfnStartAddr = (FARPROC)GetProcAddress(hModule, pApiRecall->lpFunctionName);
pApiRecall->lpApiAddr = pfnStartAddr; // 将目标函数保存起来,这一步可能不需要,没试下
if (!pfnStartAddr)
return false;
int nSize = 0;
int nDisassemblerLen = 0;
while(nSize < 5)
{
// GetOpCodeSize can get the assembly code size 得到跳转指令的大小 详见GetOpCodeSize的源文件解释
nDisassemblerLen = GetOpCodeSize((BYTE*)(pfnStartAddr) + nSize);
PrintMsg("nDisassemblerLen val %d\r\n", nDisassemblerLen);
nSize = nDisassemblerLen + nSize;
}
PrintMsg("nSize val %d\r\n", nSize);
DWORD dwProtect = 0;
if (!VirtualProtect(pfnStartAddr, nSize, PAGE_EXECUTE_READWRITE, &dwProtect)) // 修改内存地址的属性,将原目标函数地址跳转指令改为可读写模式
return false;
// be sure that we must change pOrgfnMem's protect, because the code in pOrgfnMem
// also need to execute
pApiRecall->pOrgfnMem = new BYTE[5 + nSize]; // 这个内存区域将保存原内存的跳转指令
DWORD dwMemProtect = 0;
if (!VirtualProtect(pApiRecall->pOrgfnMem, 5 + nSize, PAGE_EXECUTE_READWRITE, &dwMemProtect))
{
delete [] pApiRecall->pOrgfnMem;
pApiRecall->pOrgfnMem = NULL;
return false;
}
pApiRecall->nOrgfnMemSize = 5 + nSize;
// 下面这几行就是将原函数的跳转指令储存在pOrgfnMem里面,因为在调用了自定义函数后还要调用原函数,以免影响目标进程的功能
memcpy(pApiRecall->pOrgfnMem, pfnStartAddr, nSize);
*(BYTE*)(pApiRecall->pOrgfnMem + nSize) = 0xE9;
*(DWORD*)(pApiRecall->pOrgfnMem + nSize + 1) = (DWORD)pfnStartAddr + nSize - (DWORD)(pApiRecall->pOrgfnMem + 5 + nSize);
*(BYTE*)(pfnStartAddr) = 0xE9;
*(DWORD*)((BYTE*)pfnStartAddr + 1) = (DWORD)pApiRecall->lpRecallfn - ((DWORD)pfnStartAddr + 5); // lpRecallfn,这是我们自定义的函数,这段语句的作业是用我们自定义的函数覆盖原函数,例如MyWriteFile将会覆盖WriteFile
memset((BYTE*)pfnStartAddr + 5, 0x90, nSize - 5);
// be sure that we must set the rest to 0x90(assembly code for nop, do nothing,
// and occupy one byte), because we should't change the assembly code
VirtualProtect(pfnStartAddr, nSize, dwProtect, &dwProtect); // 将新函数的跳转指令的内存属性修改为原来的样子,可查看VirtualProtect的作用
return true;
}
第三步、创建注入工程 TestBqDll
执行进程注入操作
操作如下
// 提升进程的权限,不过好像不是必须的
bool promotePrivilege()
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
if ( !OpenProcessToken( GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)
)
{
return false;
}
if( !LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue) )
{
CloseHandle(hToken);
return false;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if( !AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL) )
{
CloseHandle(hToken);
return false;
}
return true;
}
// 根据进程的名称获得进程ID,因为进程注入需要进程的ID号
void GetTargetProcessIds(std::string inTarget, std::vector<int > &outIds)
{
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(pe32);
HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if(hProcessSnap == INVALID_HANDLE_VALUE)
return;
BOOL bProcess = Process32First(hProcessSnap, &pe32);
int targetNameLen = inTarget.length();
while(bProcess)
{
int searchLen = wcslen(pe32.szExeFile);
if (targetNameLen == searchLen)
{
bool isEqualName = true;
for (int i = 0; i < targetNameLen; ++i)
{
if (inTarget[i] != pe32.szExeFile[i])
{
isEqualName = false;
break;
}
}
if (isEqualName)
outIds.push_back(pe32.th32ProcessID);
}
// 继续查找
bProcess = Process32Next(hProcessSnap,&pe32);
}
CloseHandle(hProcessSnap);
}
// 进程注入
bool InjectDllByProcessID(const std::wstring dllPath, unsigned long inProcessID)
{
wchar_t* DirPath = new wchar_t[MAX_PATH];
wchar_t* FullPath = new wchar_t[MAX_PATH];
GetCurrentDirectory(MAX_PATH, DirPath);
swprintf_s(FullPath, MAX_PATH, dllPath.c_str(), DirPath);
HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |
PROCESS_VM_WRITE, FALSE, inProcessID);
if (hProcess == NULL)
{
delete[] DirPath;
delete[] FullPath;
return false;
}
LPVOID LoadLibraryAddr = (LPVOID)GetProcAddress(GetModuleHandle(L"kernel32.dll"),
"LoadLibraryW");
if (LoadLibraryAddr == NULL)
{
CloseHandle(hProcess);
delete[] DirPath;
delete[] FullPath;
return false;
}
LPVOID LLParam = (LPVOID)VirtualAllocEx(hProcess, NULL, (wcslen(FullPath) + 1) * sizeof(wchar_t),
MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(hProcess, LLParam, FullPath, (wcslen(FullPath) + 1)* sizeof(wchar_t), NULL);
HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibraryAddr,
LLParam, NULL, NULL);
// 等待远程线程结束
::WaitForSingleObject(hRemoteThread, INFINITE);
// 清理
::VirtualFreeEx(hProcess, LLParam, (wcslen(FullPath) + 1), MEM_DECOMMIT);
::CloseHandle(hRemoteThread);
::CloseHandle(hProcess);
delete[] DirPath;
delete[] FullPath;
return true;
}
void TestBqDll::inject()
{
promotePrivilege();
std::vector<int > processIds;
//GetTargetProcessIds("PosTouch.exe", processIds);
GetTargetProcessIds("TargetProcess.exe", processIds);
QString _workPath = QCoreApplication::applicationDirPath();
QString dllPath = _workPath + "/ApiHook.dll";
if (processIds.size() > 0)
InjectDllByProcessID(dllPath.toStdWString(), processIds[0]);
}
源码链接http://download.csdn.net/download/sky_calls/10264654