/** Hook OpenProcess through the import address table (IAT) to give a process ring-3 (user-mode) "protection" — complete C++ code. **/
#include <windows.h>   // Win32 API, PE image structures (PIMAGE_*), C_ASSERT
#include <cstring>     // _stricmp
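// File-scope state shared by DllMain, MyOpenProcess and IatHook.
//
// NOTE(review): these three pointers are never read anywhere in this file —
// IatHook declares locals of the same names that shadow them. They are kept
// only so the file's externally visible names do not change.
PIMAGE_IMPORT_BY_NAME pImportByName = NULL;
PIMAGE_THUNK_DATA pOriginalThunk = NULL;
PIMAGE_THUNK_DATA pFirstThunk = NULL;

// Core IAT-hook routine: in the main module's import table, replace the entry
// for FunName (imported from DllName) with RealAddr. See the definition below.
int IatHook(const char* DllName, const char* FunName, DWORD RealAddr);

// Replacement for OpenProcess that IatHook installs into the host's IAT.
HANDLE WINAPI MyOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId);

// IatHook carries the target address in a DWORD, so a full pointer only fits
// in 32-bit builds. Make a 64-bit build fail here instead of silently
// truncating the function pointer (C_ASSERT is winnt.h's compile-time assert).
C_ASSERT(sizeof(void*) == sizeof(DWORD));
DWORD MyOpenProcessAddr = (DWORD)MyOpenProcess;

// The real kernel32!OpenProcess, resolved through this DLL's own import table
// when the DLL is loaded (i.e. before the host's IAT is patched). MyOpenProcess
// forwards allowed calls to it.
typedef HANDLE (WINAPI* RealOpenProcess)(DWORD, BOOL, DWORD);
RealOpenProcess pRealOpenProcess = (RealOpenProcess)OpenProcess;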
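// DLL MAIN function.
//
// On process attach, redirect the host's OpenProcess import to MyOpenProcess.
// On process detach — only when the DLL is being unloaded while the process
// keeps running (lpvReserved == NULL) — write the real OpenProcess back. The
// original never unhooked, so after FreeLibrary the host's IAT still pointed
// into this (now unmapped) DLL and its next OpenProcess call would fault.
//
// Both calls run under the loader lock; IatHook only reads the host image and
// calls VirtualProtect, and kernel32 is always loaded, so that is acceptable.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        IatHook("Kernel32.dll", "OpenProcess", MyOpenProcessAddr);
        break;

    case DLL_PROCESS_DETACH:
        // lpvReserved != NULL means the whole process is terminating; the IAT
        // disappears with it, so leave it alone.
        if (lpvReserved == NULL) {
            // Same DWORD-sized address form as MyOpenProcessAddr (32-bit builds).
            IatHook("Kernel32.dll", "OpenProcess", (DWORD)(ULONG_PTR)pRealOpenProcess);
        }
        break;

    default:
        break;
    }
    return TRUE;
}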
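/* the implementation part of the MyOpenProcess function */

// Replacement for OpenProcess that refuses to open the protected process.
//
// The protected process is identified by the window it owns: whichever process
// created the top-level window titled "Windows current all processes" (the
// title must match exactly). Every other PID is passed straight through to the
// real OpenProcess. When the call is refused, NULL is returned and the last
// error is set to ERROR_ACCESS_DENIED, so callers that read GetLastError see a
// meaningful value (the original returned 0 and left the last error stale).
//
// Parameters and return value are those of OpenProcess.
//
// NOTE(review): this is a caller-side, user-mode check only. It affects just
// the callers whose OpenProcess import IatHook patched; anything that resolves
// the function another way is unaffected. Also, any process that creates a
// window with the same title is treated as protected.
HANDLE WINAPI MyOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
{
    // "::" makes clear this is the Win32 API and not a class member.
    HWND hProtect = ::FindWindow(NULL, TEXT("Windows current all processes"));
    if (hProtect == NULL) {
        // No protected window exists; nothing to guard.
        return pRealOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
    }

    // PID of the window's creator. Initialised to 0 so a failed lookup (the
    // window may vanish between the two calls) cannot leave an uninitialised
    // value that happens to equal dwProcessId.
    DWORD protectedPid = 0;
    if (::GetWindowThreadProcessId(hProtect, &protectedPid) == 0 || protectedPid == 0) {
        return pRealOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
    }

    if (protectedPid == dwProcessId) {
        // Refuse the open (e.g. Task Manager trying to terminate the process).
        ::SetLastError(ERROR_ACCESS_DENIED);
        return NULL;
    }
    return pRealOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
}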
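/* the implementation part of the IAT HOOK function */

// Locate the import descriptor for DllName in the image mapped at `base`.
// Returns NULL if the headers are not a valid PE, the image has no import
// directory, or no imported DLL matches DllName (case-insensitive).
static PIMAGE_IMPORT_DESCRIPTOR FindImportDescriptor(PBYTE base, const char* DllName)
{
    PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)base;
    if (dos->e_magic != IMAGE_DOS_SIGNATURE) {
        return NULL;
    }
    PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)(base + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE) {
        return NULL;
    }
    // Named directory index instead of the original's bare "1".
    const IMAGE_DATA_DIRECTORY& importDir =
        nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (importDir.VirtualAddress == 0) {
        return NULL;   // image imports nothing
    }

    PIMAGE_IMPORT_DESCRIPTOR desc =
        (PIMAGE_IMPORT_DESCRIPTOR)(base + importDir.VirtualAddress);
    // The descriptor array ends with an all-zero entry (Name == 0).
    for (; desc->Name != 0; ++desc) {
        const char* importedDll = (const char*)(base + desc->Name);
        if (_stricmp(DllName, importedDll) == 0) {
            return desc;
        }
    }
    // The original fell off the end here and dereferenced the terminator entry.
    return NULL;
}

// Overwrite one IAT slot with newValue, temporarily making it writable.
// Returns 0 on success, -1 if the protection change fails (the write is then
// skipped instead of faulting on a read-only page).
static int PatchThunk(PIMAGE_THUNK_DATA slot, ULONG_PTR newValue)
{
    DWORD oldProtect = 0;
    // Unprotect exactly one pointer-sized slot (the original used
    // sizeof(DWORD), which is only right for 32-bit thunks).
    if (!VirtualProtect(slot, sizeof(*slot), PAGE_READWRITE, &oldProtect)) {
        return -1;
    }

    // IMAGE_THUNK_DATA is a single pointer-sized union. Write it as an integer
    // so this compiles whether the SDK declares u1.Function as an integer
    // (current SDKs) or as PDWORD (the VC6-era SDK the original's (PDWORD)
    // cast was written for).
    *(ULONG_PTR*)slot = newValue;

    // Restore the previous protection. VirtualProtect requires a real
    // lpflOldProtect; the original passed 0 here, so its restore call failed
    // and the IAT page stayed writable. Best effort — the patch itself is done.
    DWORD ignored = 0;
    VirtualProtect(slot, sizeof(*slot), oldProtect, &ignored);
    return 0;
}

// Hook one import of the process's main module: the IAT entry for FunName
// (imported from DllName) is redirected to RealAddr.
//
// Parameters:
//   DllName  - DLL name as it appears in the import table, compared
//              case-insensitively (e.g. "Kernel32.dll").
//   FunName  - exported function name, compared case-insensitively.
//   RealAddr - address to install. DWORD-sized, so it only holds a full
//              pointer in 32-bit builds.
// Returns 0 on success and -1 if the image headers are invalid, the DLL or
// function is not imported by name, or the IAT could not be made writable.
// (The original always returned 0, even after reading past the descriptor
// table when the DLL was not found.)
//
// Scope caveats for anyone relying on this: only the main executable's IAT is
// patched (GetModuleHandle(NULL)). Calls made through another module's imports,
// through GetProcAddress, or directly to the native NtOpenProcess are not
// affected. Newer binaries may also import OpenProcess under an API-set name
// (api-ms-win-core-processthreads-*) rather than "Kernel32.dll" — check the
// target's import table (e.g. dumpbin /imports) before assuming the hook lands.
int IatHook(const char* DllName, const char* FunName, DWORD RealAddr)
{
    PBYTE base = (PBYTE)GetModuleHandle(NULL);   // main module only

    PIMAGE_IMPORT_DESCRIPTOR desc = FindImportDescriptor(base, DllName);
    if (desc == NULL) {
        return -1;
    }
    // OriginalFirstThunk (the import name table) is what keeps the names once
    // the loader has bound FirstThunk to real addresses; without it there is
    // nothing to match FunName against.
    if (desc->OriginalFirstThunk == 0) {
        return -1;
    }

    PIMAGE_THUNK_DATA nameThunk = (PIMAGE_THUNK_DATA)(base + desc->OriginalFirstThunk);
    PIMAGE_THUNK_DATA iatThunk  = (PIMAGE_THUNK_DATA)(base + desc->FirstThunk);

    // Both arrays run in parallel and end with a zero entry.
    for (; nameThunk->u1.AddressOfData != 0; ++nameThunk, ++iatThunk) {
        // Imports by ordinal carry no name; the SDK macro also gets the flag
        // width right on 64-bit, where the original's DWORD copy would not.
        if (IMAGE_SNAP_BY_ORDINAL((ULONG_PTR)nameThunk->u1.Ordinal)) {
            continue;
        }
        PIMAGE_IMPORT_BY_NAME byName =
            (PIMAGE_IMPORT_BY_NAME)(base + (ULONG_PTR)nameThunk->u1.AddressOfData);
        if (_stricmp(FunName, (const char*)byName->Name) == 0) {
            return PatchThunk(iatThunk, (ULONG_PTR)RealAddr);
        }
    }
    return -1;   // FunName is not imported by name from DllName
}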
/* end */