[原创]ring3 inline hook demo
文章作者: 我非我　信息来源: 邪恶八进制信息安全团队([url]www.eviloctal.com[/url])
第一次写这种内存补丁一样的东西.开始怎么写都出错.字节码没有对齐..跳转地址算错.等等...后来用ida分析+od调试搞定.(头一次认认真真用od和ida...值得纪念)
测试环境xp sp2+vc6.0
[code]#include <stdio.h>
#include <windows.h>
/* Scratch buffers for the inline hook.  Each holds exactly one 5-byte x86
 * instruction: the bytes displaced from the entry of func(), and two
 * "JMP rel32" stubs (opcode E9 followed by a 32-bit displacement) whose
 * displacement hook_func() computes and fills in at run time. */
BYTE orig_code[5]     = { 0x90, 0x90, 0x90, 0x90, 0x90 };  /* displaced entry bytes of func(); NOPs until filled */
BYTE hook_code[5]     = { 0xe9 };   /* JMP written over func(); displacement bytes start zeroed */
BYTE jmp_orig_code[5] = { 0xe9 };   /* JMP appended to the trampoline; displacement bytes start zeroed */

/* Forward declarations; the definitions follow in this file. */
int func();
int fake_func();
int jmp_back();
void hook_func();
/* Entry point: install the hook, then call func() — which hook_func() has
 * diverted through fake_func() — and hand its result back as the exit
 * status.  Command-line arguments are not used. */
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;
    hook_func();
    return func();
}
/* The hook target.  Prints a marker line and returns 0.  hook_func()
 * overwrites its first 5 bytes, so after hooking a call lands in
 * fake_func() first and only then reaches the body below (via jmp_back). */
int func()
{
    fputs("I'm func(),I'm called!\r\n", stdout);
    return 0;
}
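/*
 * Divert func() to fake_func() with a 5-byte relative JMP and turn jmp_back()
 * into the trampoline that re-enters func() just past the patch.
 *
 * Layout after the call (32-bit x86 only: rel32 = target - (src + 5) is
 * computed in ULONG arithmetic):
 *   func:        E9 <fake_func - func - 5>        ; replaces func's first 5 bytes
 *   jmp_back:    <original first 5 bytes of func>
 *   jmp_back+5:  E9 <func - jmp_back - 5>         ; i.e. JMP func+5
 *
 * Assumptions, not checked here (confirm in a disassembler before relying on
 * the hook):
 *   - the first 5 bytes of func() end on an instruction boundary and contain
 *     no EIP-relative instruction (relocating a rel8/rel32 corrupts it);
 *   - func/fake_func/jmp_back name the real code rather than
 *     incremental-linking thunks (a debug-build concern).
 *
 * If either VirtualProtect call fails a message is printed and nothing stays
 * patched.  The trampoline is completed before func() is diverted, the
 * instruction cache is flushed for both rewritten ranges, and the previous
 * page protections are put back in reverse order (the two ranges may share
 * a page) so no writable+executable page survives the call.  There is no
 * unhook: func() stays diverted for the life of the process.
 */
void hook_func()
{
    DWORD dwOldFunc, dwOldBack, dwUnused;

    if (!VirtualProtect(func, 5, PAGE_EXECUTE_READWRITE, &dwOldFunc))
    {
        printf("VirtualProtect error!\r\n");
        return;
    }
    if (!VirtualProtect(jmp_back, 12, PAGE_EXECUTE_READWRITE, &dwOldBack))
    {
        printf("VirtualProtect error!\r\n");
        /* func's page was already made writable: undo that before leaving */
        VirtualProtect(func, 5, dwOldFunc, &dwUnused);
        return;
    }

    /* keep the bytes the JMP is about to overwrite */
    memcpy(orig_code, (BYTE *)func, 5);

    /* rel32 displacements for the two JMPs (E9 xx xx xx xx) */
    *((ULONG *)(hook_code + 1)) = (ULONG)fake_func - (ULONG)func - 5;
    *((ULONG *)(jmp_orig_code + 1)) = (ULONG)func - (ULONG)jmp_back - 5;

    /* build the trampoline first so the hook never points at an unfinished one */
    memcpy((BYTE *)jmp_back, orig_code, 5);
    memcpy((BYTE *)jmp_back + 5, jmp_orig_code, 5);

    /* now divert func() */
    memcpy((BYTE *)func, hook_code, 5);

    /* make the rewritten bytes visible to instruction fetch */
    FlushInstructionCache(GetCurrentProcess(), (BYTE *)jmp_back, 10);
    FlushInstructionCache(GetCurrentProcess(), (BYTE *)func, 5);

    /* restore protections, most recent change first */
    VirtualProtect(jmp_back, 12, dwOldBack, &dwUnused);
    VirtualProtect(func, 5, dwOldFunc, &dwUnused);
}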
/*
 * Trampoline placeholder.  hook_func() overwrites these ten NOP bytes with
 * the five bytes it displaced from the entry of func() followed by a 5-byte
 * JMP to func+5, so a call to jmp_back() executes the original start of
 * func() and then continues inside func().  'naked' keeps the compiler from
 * wrapping the bytes in a prologue/epilogue, and _emit pins the byte count
 * (10) that hook_func() relies on (it makes a 12-byte range writable).
 * There is no RET here: if it were called before hook_func() has patched it,
 * execution would presumably run past the last NOP into whatever follows.
 */
__declspec(naked) int jmp_back()
{
__asm
{
// bytes 0-4: receive the displaced entry bytes of func()
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
// bytes 5-9: receive "JMP func+5"
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}
/* The detour.  Prints its marker line, then runs the original func() through
 * the trampoline: jmp_back() executes func's displaced entry bytes and jumps
 * to func+5, so func's own return brings control back here with func's
 * result, which is passed through unchanged. */
int fake_func()
{
    fputs("I'm fake_func(),I'm called!\r\n", stdout);
    return jmp_back();
}[/code][img]http://www.phpweblog.net/Images/OutliningIndicators/None.gif[/img]
测试结果:
[attach]8636[/attach]
参考: [url]http://www.whitecell.org/forums/viewthread.php?tid=360[/url] good,exe文件,地址都是固定的。仅仅是demo的话,直接硬编码地址就行。 呵呵,直接硬编码那也太不敬业了不是.
今天重新学了下,加了个LDE,这下字节码对齐问题也能运行中解决了 void test()
{
do something...
}
/*
 * Reply's sketch, not part of the hook demo: stores the address of test()
 * two pointer slots above the local 'p'.  That slot is the caller's return
 * address only for one particular frame layout (p, then the saved frame
 * pointer, then the return address) — it depends on compiler, optimisation
 * level and calling convention, and indexing past a lone local is undefined
 * behaviour in C.  The poster reports it did not work with VC6 on XP SP2.
 */
void over()
{
PUINT p = (PUINT)(&p + 2);
*p = (UINT)test;
}
/* Driver for the sketch above: over() is meant to redirect this frame's
 * return into test(); whether it does depends on the frame layout over()
 * assumes. */
int main(void)
{
over();
return 0;
} 我的xp sp2,vc 6不工作, 加上这个LDE,可能是编译出来字节码没有对其的原因
[code]// LDE32, Length-Disassembler Engine, 32-bit, (x) 1999-2000 Z0MBiE
//C Language Edition
//Modified by Joerkky
//version 1.05
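/*
 * LDE32: return the length in bytes of the 32-bit x86 instruction at ADDR.
 *
 * C port of Z0MBiE's length disassembler.  t1 is the one-byte opcode table
 * and t0 the 0F-prefixed two-byte table; both are kept exactly as in the
 * original (the -1 entries become 0xFFFFFFFF in a DWORD and mark forms the
 * engine does not decode).  Bytes are consumed from ADDR with no bound, so
 * the caller must supply at least one complete, readable instruction; prefix
 * bytes are consumed in a loop.  Returns (DWORD)-1 for unsupported 0F forms.
 * 32-bit only: the final pointer difference is computed in DWORD.
 *
 * Flag layout, as the tables encode it (the register-named locals mirror the
 * asm original; the host must be little-endian so dl[0]/al[0] are the low
 * bytes of edx/eax):
 *   dl[1]: 0x80 immediate follows, width chosen by opcode bit 0 (byte/full)
 *          0x40 ModRM byte follows
 *          0x20 16/32-bit immediate (width resolved by 0x10)
 *          0x10 operand-size prefix (66h) seen
 *          0x07 immediate byte count
 *   dl[0]: 0x20 address-size dependent operand (moffs)
 *          0x10 address-size prefix (67h) seen
 *          0x08 the byte was a prefix: fetch another opcode byte
 *          0x07 displacement/SIB byte count
 *
 * Fixes relative to the posted port:
 *   - C has no 'b' binary-literal suffix: 0x0111000b and 0x00000001b parse
 *     as the hex values 0x0111000B and 0x1B, so the F6/F7 TEST detection and
 *     the byte/full-width immediate test used the wrong masks (0C ib
 *     "or al,imm8" came out as 5 bytes).  The intended masks are the ModRM
 *     reg field (0x38) and opcode bit 0 (1).
 *   - a byte-wide immediate must clear the 16/32 flag (0x20) and count one
 *     byte: XOR with 0x21, not 0x11 (0x11 left 0x20 set, so 04 ib
 *     "add al,imm8" came out as 4 bytes).
 *   - dangling else: the 32-bit ModRM/SIB/displacement branch was bound to
 *     the inner "mod == 01" test rather than to the 67h check, so without an
 *     address-size prefix no displacement was ever counted (8B 45 08
 *     "mov eax,[ebp+8]" came out as 2 bytes).  Braces make the pairing
 *     explicit.
 */
DWORD LDE32(void *ADDR)
{
DWORD t1[]={0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,0,0,0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,0,0,0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,0,0,0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,0,0,0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,8,0,0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,8,0,0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,8,0,0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0x4000,0x4000,8,8,0x1008,0x0018,0x2000,0x6000,0x0100,0x4100,0,0,0,0,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x4100,0x6000,0x4100,0x4100,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0,0,0,0,0,0,0,0,0,0,0x2002,0,0,0,0,0,0x0020,0x0020,0x0020,0x0020,0,0,0,0,0x0100,0x2000,0,0,0,0,0,0,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x4100,0x4100,0x0200,0,0x4000,0x4000,0x4100,0x6000,0x0300,0,0x0200,0,0,0,0,0,0x4000,0x4000,0x4000,0x4000,0x0100,0x0100,0,0,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x2000,0x2000,0x2002,0x0100,0,0,0,0,8,0,8,8,0,0,0,0,0,0,0,0,0,0,0x4000,0x4000};
DWORD t0[]={0x4000,0x4000,0x4000,0x4000,-1,-1,0,-1,0,0,0,0,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0,0,0,0x4000,0x4100,0x4000,-1,-1,0,0,0,0x4000,0x4100,0x4000,-1,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,-1,-1,0x4100,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,-1,-1,-1,-1,-1,-1,0,0,0,0,0,0,0,0,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1};
    DWORD eax=0,edx=0;
    unsigned char *ecx=(unsigned char *)ADDR,*dl=(unsigned char *)&edx,*al=(unsigned char *)&eax;

    /* fetch opcode bytes; an entry with bit 3 of dl set is a prefix, so loop */
    do {
        dl[0]=dl[0]&0xf7;
        al[0]=*ecx;
        ecx++;
        edx=edx|t1[eax];
    } while (dl[0]&0x8);

    if ((al[0]==0xF6)||(al[0]==0xF7)) {
        /* group 3: always ModRM; only /0 (TEST) carries an immediate */
        dl[1]=dl[1]|0x40;
        if (!((*ecx)&0x38)) dl[1]=dl[1]|0x80;
    }
    else if (al[0]==0xCD) {
        /* INT imm8; INT 20h is followed by four more bytes
         * (presumably the Win9x VxDCall id — as in the original) */
        dl[1]=dl[1]|1;
        if (*ecx==0x20) dl[1]=dl[1]|4;
    }
    else if (al[0]==0xF) {
        /* two-byte opcode: consult the second table; -1 marks unsupported forms */
        al[0]=*ecx;ecx++;edx=edx|t0[eax];
        if (edx==-1) return edx;
    }

    if (dl[1]&0x80) {
        /* immediate: assume 16/32-bit, switch to a single byte for byte-wide ops */
        dl[1]=(dl[1])^0x20;
        if (!(al[0]&1)) dl[1]=dl[1]^0x21;
    }

    if (dl[1]&0x40) {
        /* ModRM: al[1] = mod (top two bits), al[0] = r/m (low three bits) */
        al[0]=*ecx;
        ecx++;
        al[1]=*al;
        eax=eax&0xC007;
        if(!(al[1]==0xC0)) {                      /* register-direct form: no displacement */
            if (dl[0]&0x10) {
                /* 16-bit addressing: disp16 for mod 10 or [bp] (mod 00, r/m 110), disp8 for mod 01 */
                if(((al[0]==6)&&(al[1]==0))||(al[1]==0x80))
                    dl[0]=dl[0]|2;
                else if (al[1]==0x40)
                    dl[0]=dl[0]|1;
            }
            else {
                /* 32-bit addressing: r/m 100 means a SIB byte, whose base field replaces r/m */
                if (al[0]==4) {
                    al[0]=*ecx;
                    ecx++;
                    al[0]=al[0]&7;
                }
                if (al[1]==0x40)
                    dl[0]=dl[0]|1;                /* disp8 */
                else if ((al[1]==0x80)||((al[0]==5)&&(al[1]==0)))
                    dl[0]=dl[0]|4;                /* disp32, including [disp32] with base 101 */
            }
        }
    }

    if (dl[0]&0x20) {
        /* moffs operand: 2 bytes with a 67h prefix, otherwise 4 */
        dl[0]=dl[0]^2;
        if (!(dl[0]&0x10)) dl[0]=dl[0]^6;
    }
    if (dl[1]&0x20) {
        /* 16/32-bit immediate: 2 bytes with a 66h prefix, otherwise 4 */
        dl[1]=dl[1]^2;
        if (!(dl[1]&0x10)) dl[1]=dl[1]^6;
    }

    /* length = prefix/opcode/ModRM/SIB bytes consumed + displacement + immediate */
    eax=(DWORD)ecx-(DWORD)ADDR;
    edx=edx&0x707;
    al[0]=al[0]+dl[0]+dl[1];
    return eax;
}[/code] 请问楼主的编译环境和运行环境是什么啊,我用vc2005+winXp SP2编译出来不对啊 [quote]引用第6楼liyirong于2007-10-30 14:54发表的 :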
请问楼主的编译环境和运行环境是什么啊,我用vc2005+winXp SP2编译出来不对啊[/quote]
注意看帖呀,测试环境xp sp2+vc6.0