Shulou(Shulou.com)06/01 Report--

HOOK-implement Messagebox of other processes in HOOK,

The way of thinking is as follows:

1. The writing of DLL (implementing IAT hook),

2 DLL injection tools (remote threading technology and simple knowledge of MFC controls),

(3) simple test program,

1. Write dll,

There was a previous article HOOK-IAT HOOK this process MessageBox, some of the code here is the same, after all, they are all IAT HOOK,

DLL also has an entry function DllMain like exe has a main or WinMain entry function, but many DLL that only contain resource information do not have a DllMain function. The prototype is as follows

BOOL WINAPI DllMain (HINSTANCE hInstance, ULONG ulReason, LPVOID Reserved)

When to call Dllmain,

The second parameter of DllMain, fdwReason, indicates why the system called Dll,

DLL_PROCESS_ATTACH, use this parameter to drop dllmain when a DLL file is mapped to the address space of a process

When the same DLL is mapped again, the DllMain function will not be adjusted and will only increase the number of dll,

DLL_PROCESS_DETACH, FreeLibrary when DLL is unmapped from the address space of the process

Unmap DLL at the end of the process (not if TerminateProcess is used)

DLL_THREAD_ATTACH, when a process creates a thread, it is different from DLL_PROCESS_ATTACH

This parameter is used to call Dllmain whenever a thread is created

DLL_THREAD_DETACH if the thread calls ExitThread to end the thread (when the thread function returns, the system will automatically call ExitThread), if TerminateThread will not call DllMain.

Here you choose to write the DllMain function as follows

BOOL WINAPI DllMain (HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)

{

If (fdwReason= = DLL_PROCESS_ATTACH) / / call DllMain when loading dll

_ beginthread (ThreadProc,0,NULL); / / create thread

Return TRUE

}

That is to say, when dll is loaded (LoadLirary), the ThreadProc thread function is created in DllMain, and the ThreadProc function is the core code of our IAT HOOK,

ThreadProc function: the function is an application-defined function that serves as the starting address of a thread,

To Hook Messagebox, you need to write your own Messagebox as follows:

Int _ _ stdcall HookMBox (HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption,UINT uType)

{

Return MessageBox (NULL, "! HOOK to MessageBox", "HOOK", MB_OK); / / prove the success of Hook

}

Complete our ITA HOOK code in the thread function:

1 get the module base address of this process HANDLE pBegin = GetModuleHandle (NULL)

2 initialize the PE structure to get the address of IAT

PBYTE pBegin2 = (PBYTE) pBegin

PIMAGE_DOS_HEADER DOS = PIMAGE_DOS_HEADER (pBegin2)

PIMAGE_NT_HEADERS NT = PIMAGE_NT_HEADERS (pBegin2+DOS- > e_lfanew)

PIMAGE_OPTIONAL_HEADER OPTION = & (NT- > OptionalHeader)

PIMAGE_IMPORT_DESCRIPTOR IMPORT = PIMAGE_IMPORT_DESCRIPTOR (OPTION- > DataDirectory [1] .VirtualAddress + pBegin2)

3 traverses to find the content of IMPORT- > FirstThunk when it is equal to the address of the real MessageBox

The real MessageBoxA address is obtained before the program, namely DWORD RealBox = (DWORD) MessageBox,

While (pOriginalThunk- > u1.Function) / / remember it is Function

{

PDWORD lpAddr = (DWORD *) (pBegin2+ (DWORD) IMPORT- > FirstThunk)

If (* lpAddr = = RealBox)

{

After finding it, we find the location of the MessageBox of this PE in its IAT, and then change it.

If you modify the memory, first of all, the protection property of the memory must be readable and writable, so use the following API

DWORD dwOLD

MEMORY_BASIC_INFORMATION mbi

/ / the information about the memory to be modified is stored in the MEMORY_BASIC_INFORMATION structure

VirtualQuery (lpAddr, & mbi, sizeof (mbi))

/ / modify this memory protection property and store the original protection attribute in & dwOLD

VirtualProtect (lpAddr, sizeof (DWORD), PAGE_READWRITE, & dwOLD)

/ / write the address of our own HookMBox function to this memory,

WriteProcessMemory (GetCurrentProcess (), lpAddr, ADD, sizeof (DWORD), NULL)

/ / write back the saved original memory protection properties,

VirtualProtect (lpAddr, sizeof (DWORD), dwOLD, 0)

Break

}

POriginalThunk++

}

IMPORT++

}

After writing this DLL file, continue to record and inject DLL (remote threading technology,)

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.