Hook的多种方式

inlineHook

原理:

在目标函数入口处用一条 5 字节的相对跳转指令(E9 rel32)覆盖原有指令,使其跳转到 hook 函数;被覆盖的原始指令如果不另行保存,之后就无法再调用原函数。

hook自定义函数

#include <iostream>
#include <stdio.h>
#include <Windows.h>


// The function that gets hooked. Unpatched it writes "hello" (no newline)
// to stdout; once installHook has run, the jmp written over its first five
// bytes diverts control to bye() before this body executes.
void sayHello()
{
    fputs("hello", stdout);
}

// Hook destination for sayHello. Writes "bye" (no newline) to stdout. Because
// the hook is a plain jmp (no return address of its own is pushed), bye's
// ret returns directly to whoever called sayHello.
void bye()
{
    fputs("bye", stdout);
}


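// Installs an inline hook on sayHello: the first five bytes of sayHello are
// overwritten with a relative jmp (opcode E9 + rel32) whose destination is
// bye. Afterwards every call to sayHello runs bye instead.
//
// The overwritten bytes are not saved, so sayHello's original body cannot be
// invoked again once the hook is in place (there is no trampoline). Patching
// is also not atomic: a thread executing sayHello's first bytes at this
// moment could crash. Acceptable for this single-threaded demo only.
void installHook() {
    void* site = (void*)sayHello;   // function being patched
    void* hook = (void*)bye;        // where calls are redirected

    // rel32 is measured from the end of the 5-byte jmp, hence the +5.
    // Work in pointer-sized integers: the original cast both addresses to
    // int, which silently truncates them on a 64-bit build.
    LONG_PTR delta = (LONG_PTR)hook - ((LONG_PTR)site + 5);
    if (delta != (LONG_PTR)(LONG)delta) {
        // More than +/-2 GiB away: a 5-byte relative jmp cannot reach it.
        fprintf(stderr, "installHook: bye is out of rel32 range\n");
        return;
    }
    LONG rel32 = (LONG)delta;

    // Encoding: E9 <rel32, little-endian>. In the author's build the
    // displacement was 1680 = 0x690, giving E9 90 06 00 00.
    unsigned char jmpcode[5];
    jmpcode[0] = 0xE9;
    // memcpy instead of *(int*)&jmpcode[1]: no unaligned / aliasing store.
    memcpy(&jmpcode[1], &rel32, sizeof(rel32));

    // Code pages are read+execute by default; writing to them without
    // changing protection faults (the access violation the original comment
    // alludes to). Only the bytes being patched need to become writable,
    // not a whole 4096-byte range, and the call must be checked.
    DWORD oldProtect = 0;
    if (!VirtualProtect(site, sizeof(jmpcode), PAGE_EXECUTE_READWRITE, &oldProtect)) {
        fprintf(stderr, "installHook: VirtualProtect failed (%lu)\n", GetLastError());
        return;
    }

    memcpy(site, jmpcode, sizeof(jmpcode));

    // Put the original protection back so the process is not left with a
    // writable+executable code page, then invalidate any stale decoded
    // instructions for the patched range.
    DWORD ignored = 0;
    VirtualProtect(site, sizeof(jmpcode), oldProtect, &ignored);
    FlushInstructionCache(GetCurrentProcess(), site, sizeof(jmpcode));
}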

// Demo entry point: patch sayHello, then call it. With the hook in place the
// call prints "bye" rather than "hello".
// NOTE(review): if the compiler inlines sayHello into main, the call never
// reaches the patched entry; a non-optimized (Debug) build is assumed.
int main()
{
    installHook();
    sayHello();   // diverted to bye() by the jmp at sayHello's entry
    return 0;
}

结果:

image-20240722100811069

hook系统函数

hook MessageBoxA

正常的MessageBoxA函数调用

// Baseline, unhooked call. Note the argument order of MessageBoxA
// (hWnd, lpText, lpCaption, uType): "MSB Title" is the body text and
// "MSB Msg" is the window caption.
int main()
{
    (void)MessageBoxA(NULL, "MSB Title", "MSB Msg", MB_OK);
    return 0;
}

image-20240722132450886

对 MessageBoxA 进行 Hook:调用时不再弹出对话框,而是由 hook 函数在控制台输出传入的文本和标题。

#include <iostream>
#include <Windows.h>
#include <stdint.h>

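// Replacement for MessageBoxA installed by installHook. Instead of showing a
// dialog it prints "<lpText>:<lpCaption>" to stdout.
//
// The signature and calling convention (WINAPI) must match MessageBoxA
// exactly: callers jump here with MessageBoxA's argument frame in place.
int
WINAPI
MessageBoxHook(
    _In_opt_ HWND hWnd,
    _In_opt_ LPCSTR lpText,
    _In_opt_ LPCSTR lpCaption,
    _In_ UINT uType)
{
    (void)hWnd;
    (void)uType;
    // Both strings are optional (_In_opt_). printf("%s", NULL) is undefined
    // behavior, so substitute a visible placeholder instead of crashing.
    const char* text = lpText ? lpText : "(null)";
    const char* caption = lpCaption ? lpCaption : "(null)";
    printf("%s:%s\n", text, caption);
    // NOTE: MessageBoxA documents 0 as "the function failed"; a caller that
    // checks the return value will see a failure. Return IDOK or similar if
    // that matters for the hooked program.
    return 0;
}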


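// Installs an inline hook on MessageBoxA: its first five bytes are replaced
// with a relative jmp (E9 rel32) to MessageBoxHook, so every call from this
// process lands in the hook. The original bytes are not saved, so the real
// MessageBoxA cannot be called from this process afterwards (no trampoline).
//
// The original code cast both addresses to int, which only works on 32-bit
// builds; the range check below makes a 64-bit failure explicit instead of
// jumping through a truncated displacement. Patching is not atomic either:
// another thread inside MessageBoxA's first bytes could crash.
void installHook()
{
    void* site = (void*)MessageBoxA;      // function being patched
    void* hook = (void*)MessageBoxHook;   // where calls are redirected

    // rel32 is measured from the end of the 5-byte jmp, hence the +5.
    LONG_PTR delta = (LONG_PTR)hook - ((LONG_PTR)site + 5);
    if (delta != (LONG_PTR)(LONG)delta) {
        fprintf(stderr, "installHook: MessageBoxHook is out of rel32 range\n");
        return;
    }
    LONG rel32 = (LONG)delta;

    unsigned char jmpcode[5];
    jmpcode[0] = 0xE9;                              // jmp rel32
    memcpy(&jmpcode[1], &rel32, sizeof(rel32));     // little-endian displacement

    // Code pages are read+execute; make only the patched bytes writable,
    // check the result, and restore the protection afterwards so no
    // writable+executable page is left behind.
    DWORD oldProtect = 0;
    if (!VirtualProtect(site, sizeof(jmpcode), PAGE_EXECUTE_READWRITE, &oldProtect)) {
        fprintf(stderr, "installHook: VirtualProtect failed (%lu)\n", GetLastError());
        return;
    }
    memcpy(site, jmpcode, sizeof(jmpcode));
    DWORD ignored = 0;
    VirtualProtect(site, sizeof(jmpcode), oldProtect, &ignored);
    FlushInstructionCache(GetCurrentProcess(), site, sizeof(jmpcode));
}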



// Demo entry point: redirect MessageBoxA to MessageBoxHook, then call it.
// The hook prints "MSB Title:MSB Msg" on the console instead of showing a
// dialog.
int main()
{
    installHook();
    (void)MessageBoxA(NULL, "MSB Title", "MSB Msg", MB_OK);
    return 0;
}

image-20240722134248222

通用的 hook 安装函数(被 hook 的函数地址和 hook 函数地址都作为参数传入)

#include <iostream>
#include <Windows.h>
#include <stdint.h>

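// Replacement for MessageBoxA installed by installHook. Instead of showing a
// dialog it prints "<lpText>:<lpCaption>" to stdout.
//
// The signature and calling convention (WINAPI) must match MessageBoxA
// exactly: callers jump here with MessageBoxA's argument frame in place.
int
WINAPI
MessageBoxHook(
    _In_opt_ HWND hWnd,
    _In_opt_ LPCSTR lpText,
    _In_opt_ LPCSTR lpCaption,
    _In_ UINT uType)
{
    (void)hWnd;
    (void)uType;
    // Both strings are optional (_In_opt_). printf("%s", NULL) is undefined
    // behavior, so substitute a visible placeholder instead of crashing.
    const char* text = lpText ? lpText : "(null)";
    const char* caption = lpCaption ? lpCaption : "(null)";
    printf("%s:%s\n", text, caption);
    // NOTE: MessageBoxA documents 0 as "the function failed"; a caller that
    // checks the return value will see a failure. Return IDOK or similar if
    // that matters for the hooked program.
    return 0;
}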


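// Generic inline-hook installer.
//   target - the hook function that calls are redirected to (e.g. MessageBoxHook)
//   old    - the function being patched (e.g. MessageBoxA)
// Overwrites the first five bytes of `old` with `jmp rel32` to `target`.
//
// Bug fixed: the original body ignored both parameters and always patched
// MessageBoxA, so passing any other function had no effect. The bytes
// overwritten in `old` are not saved (no trampoline), so `old` cannot be
// called again afterwards, and the patch is not atomic with respect to
// other threads executing `old`.
void installHook(void* target, void* old)
{
    if (target == NULL || old == NULL) {
        fprintf(stderr, "installHook: null function pointer\n");
        return;
    }

    // rel32 is measured from the end of the 5-byte jmp, hence the +5.
    // Pointer-sized arithmetic: casting to int truncates on 64-bit builds.
    LONG_PTR delta = (LONG_PTR)target - ((LONG_PTR)old + 5);
    if (delta != (LONG_PTR)(LONG)delta) {
        // More than +/-2 GiB apart: a 5-byte relative jmp cannot reach it.
        fprintf(stderr, "installHook: target is out of rel32 range\n");
        return;
    }
    LONG rel32 = (LONG)delta;

    unsigned char jmpcode[5];
    jmpcode[0] = 0xE9;                              // jmp rel32
    memcpy(&jmpcode[1], &rel32, sizeof(rel32));     // little-endian displacement

    // Make only the patched bytes of `old` writable, check the result, and
    // restore the original protection so no RWX page is left behind.
    DWORD oldProtect = 0;
    if (!VirtualProtect(old, sizeof(jmpcode), PAGE_EXECUTE_READWRITE, &oldProtect)) {
        fprintf(stderr, "installHook: VirtualProtect failed (%lu)\n", GetLastError());
        return;
    }
    memcpy(old, jmpcode, sizeof(jmpcode));
    DWORD ignored = 0;
    VirtualProtect(old, sizeof(jmpcode), oldProtect, &ignored);
    FlushInstructionCache(GetCurrentProcess(), old, sizeof(jmpcode));
}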



// Demo entry point: redirect MessageBoxA to MessageBoxHook via the generic
// installer (first argument = hook, second = function to patch), then call
// MessageBoxA, which now prints "MSB Title:MSB Msg" instead of showing a dialog.
int main()
{
    installHook((void*)MessageBoxHook, (void*)MessageBoxA);
    (void)MessageBoxA(NULL, "MSB Title", "MSB Msg", MB_OK);
    return 0;
}

出现问题:在 hook 函数内部调用原函数会再次命中原函数入口处的 jmp,从而无限递归。解决办法是构造一个跳板(trampoline):先保存被覆盖的原始指令,跳板中执行这些指令后跳回原函数第 5 字节之后的位置,hook 函数通过跳板来调用原函数。

跳板需要正确处理被覆盖指令的边界以及其中可能存在的相对跳转,自己实现较繁琐,可参考现成的 Hook 项目

image-20240722134609582

IATHook

__END__