Inline Hook

Category: Hooks and API interception
Development tool: C/C++
File size: 13899KB
Downloads: 2
Upload date: 2020-06-15 22:42:05
Uploader: FeJQ
Description: An Inline Hook plug-in that supports 32-bit and 64-bit

File list:
.vs (0, 2020-02-11)
.vs\Inline Hook (0, 2020-02-11)
.vs\Inline Hook\v16 (0, 2020-03-28)
.vs\Inline Hook\v16\.suo (45568, 2020-03-28)
.vs\Inline Hook\v16\Browse.VC.db (13406208, 2020-03-28)
.vs\Inline Hook\v16\ipch (0, 2020-02-11)
.vs\Inline Hook\v16\ipch\AutoPCH (0, 2020-02-20)
.vs\Inline Hook\v16\ipch\AutoPCH\1ae4de933d227c0a (0, 2020-02-20)
.vs\Inline Hook\v16\ipch\AutoPCH\1ae4de933d227c0a\MAIN.ipch (720896, 2020-02-20)
.vs\Inline Hook\v16\ipch\AutoPCH\3292762c63847d9e (0, 2020-02-19)
.vs\Inline Hook\v16\ipch\AutoPCH\3292762c63847d9e\LED64.ipch (786432, 2020-02-19)
.vs\Inline Hook\v16\ipch\AutoPCH\42063c8a8562b844 (0, 2020-02-20)
.vs\Inline Hook\v16\ipch\AutoPCH\42063c8a8562b844\LED64X64.ipch (16711680, 2020-02-20)
.vs\Inline Hook\v16\ipch\AutoPCH\594d2cbbeb504f1a (0, 2020-02-20)
.vs\Inline Hook\v16\ipch\AutoPCH\594d2cbbeb504f1a\INLINEHOOK.ipch (786432, 2020-02-20)
.vs\Inline Hook\v16\ipch\AutoPCH\98a91de96e9a368f (0, 2020-02-20)
.vs\Inline Hook\v16\ipch\AutoPCH\98a91de96e9a368f\KNHOOK.ipch (16711680, 2020-02-20)
.vs\Inline Hook\v16\ipch\AutoPCH\b34de07e5cdb4569 (0, 2020-02-20)
.vs\Inline Hook\v16\ipch\AutoPCH\b34de07e5cdb4569\INLINEHOOK.ipch (786432, 2020-02-20)
.vs\Inline Hook\v16\ipch\AutoPCH\ee29808f82cc9cc9 (0, 2020-02-22)
.vs\Inline Hook\v16\ipch\AutoPCH\ee29808f82cc9cc9\MAIN.ipch (720896, 2020-02-22)
Debug (0, 2020-04-02)
Debug\Inline Hook(0环) (0, 2020-04-02)
Debug\Inline Hook(0环)\InlineHook(0环).sys (9808, 2020-02-22)
Debug\Inline Hook(0环)\InlineHook.inf (2321, 2020-02-22)
Debug\Inline Hook(0环)\WdfCoinstaller01009.dll (1461992, 2018-08-09)
Debug\InlineHook(0环).cer (784, 2020-02-22)
Debug\InlineHook(0环).pdb (544768, 2020-02-22)
Debug\InlineHook(0环).sys (9808, 2020-02-22)
Debug\InlineHook.inf (2321, 2020-02-22)
Inline Hook.sln (2797, 2020-02-11)
Inline Hook (0, 2020-04-02)
Inline Hook\Debug (0, 2020-04-02)
Inline Hook\Debug\inf2catOutput.log (448, 2020-02-11)
Inline Hook\Debug\Inline Hook(0环).tlog (0, 2020-04-02)
Inline Hook\Debug\Inline Hook(0环).tlog\CL.command.1.tlog (1476, 2020-02-22)
Inline Hook\Debug\Inline Hook(0环).tlog\CL.read.1.tlog (6158, 2020-02-22)
Inline Hook\Debug\Inline Hook(0环).tlog\CL.write.1.tlog (350, 2020-02-22)
Inline Hook\Debug\Inline Hook(0环).tlog\Inline Hook(0环).lastbuildstate (230, 2020-02-22)
Inline Hook\Debug\Inline Hook(0环).tlog\link.command.1.tlog (2368, 2020-02-22)
... ...

# Introduction to the Inlinehook library

1. Supports both user mode and kernel mode
2. In kernel mode, the other CPUs are suspended while the hook is written, which reduces blue screens when hooking high-frequency functions
3. Provides two hook styles: function hook and register hook

# Function hook usage example, hooking NtOpenThread:

```c
// Step 1: define the NtOpenThread function pointer type
typedef NTSTATUS (*fpTypeNtOpenThread)(
    OUT PHANDLE ThreadHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL);

// Step 2: define an inline hook structure
InlineHookFunctionSt g_inlineNtOpenThread = { 0 };

// Step 3: define the replacement ("fake") function
NTSTATUS FakeNtOpenThread(
    OUT PHANDLE ThreadHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId)
{
    // Call the original function directly; filtering can be done here
    fpTypeNtOpenThread pOldFunc = (fpTypeNtOpenThread)g_inlineNtOpenThread.pNewHookAddr;
    return pOldFunc(ThreadHandle, DesiredAccess, ObjectAttributes, ClientId);
}

// Step 4: install the hook
BOOLEAN bInstallRet = FALSE;
PVOID pfnNtOpenThread = GetSSDTFuncAddrByName("NtOpenThread");
InitInlineHookFunction(&g_inlineNtOpenThread, pfnNtOpenThread, FakeNtOpenThread);
bInstallRet = InstallInlineHookFunction(&g_inlineNtOpenThread);
KdPrint(("NtOpenThread install result: %d\n", bInstallRet));

// Step 5: uninstall the hook when the driver unloads
UninstallInlineHookFunction(&g_inlineNtOpenThread);
```

# Register filter usage example, hooking NtOpenThread:

Step 1: inspect NtOpenThread in IDA first and choose the location to hook. Assume the hook location is 0065FDA2, which is offset 0x1B from the start of the function:

```asm
PAGE:0065FD87 ; Exported entry 1113. NtOpenThread
PAGE:0065FD87
PAGE:0065FD87 ; Attributes: bp-based frame
PAGE:0065FD87
PAGE:0065FD87 ; __stdcall NtOpenThread(x, x, x, x)
PAGE:0065FD87                 public _NtOpenThread@16
PAGE:0065FD87 _NtOpenThread@16 proc near
PAGE:0065FD87
PAGE:0065FD87 PreviousMode    = byte ptr -4
PAGE:0065FD87 arg_0           = dword ptr  8
PAGE:0065FD87 arg_4           = dword ptr  0Ch
PAGE:0065FD87 arg_8           = dword ptr  10h
PAGE:0065FD87 arg_C           = dword ptr  14h
PAGE:0065FD87
PAGE:0065FD87                 mov     edi, edi
PAGE:0065FD89                 push    ebp
PAGE:0065FD8A                 mov     ebp, esp
PAGE:0065FD8C                 push    ecx
PAGE:0065FD8D                 mov     eax, large fs:124h
PAGE:0065FD93                 mov     al, [eax+13Ah]
PAGE:0065FD99                 mov     ecx, [ebp+arg_C]
PAGE:0065FD9C                 mov     edx, [ebp+arg_8]
PAGE:0065FD9F                 mov     [ebp+PreviousMode], al
PAGE:0065FDA2                 push    dword ptr [ebp+PreviousMode] ; PreviousMode
PAGE:0065FDA5                 push    dword ptr [ebp+PreviousMode] ; char
PAGE:0065FDA8                 push    [ebp+arg_4]     ; int
PAGE:0065FDAB                 push    [ebp+arg_0]     ; int
PAGE:0065FDAE                 call    _PsOpenThread@24 ; PsOpenThread(x,x,x,x,x,x)
PAGE:0065FDB3                 leave
PAGE:0065FDB4                 retn    10h
PAGE:0065FDB4 _NtOpenThread@16 endp
```

```c
// Step 2: define a register-filter structure
InlineRegFilterHookSt g_inlineRegfilterSt = { 0 };

// Step 3: define the register-filter callback
void __stdcall NtOpenThreadRegFilterReg(HookContex* hookContex)
{
    // A simple check as an illustration
    if (hookContex->uEax == hookContex->uEbx)
    {
        // When execution reaches NtOpenThread+0x1B and this condition holds,
        // the value of eax is changed to 1
        hookContex->uEax = 1;
    }
}

// Step 4: install the filter hook
BOOLEAN bInstallRet = FALSE;
PVOID pfnNtOpenThread = GetSSDTFuncAddrByName("NtOpenThread");
InitRegFilterInlineHook(&g_inlineRegfilterSt, (PVOID)((SIZE_T)pfnNtOpenThread + 0x1B), NtOpenThreadRegFilterReg);
bInstallRet = InstallRegFilterInlineHook(&g_inlineRegfilterSt);
KdPrint(("NtOpenThread register filter install result: %d\n", bInstallRet));

// Step 5: uninstall the hook when the driver unloads
UninstallRegFilterInlineHook(&g_inlineRegfilterSt);
```
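As an added defender-side example (not code from the FeJQ project), the integrity check a monitoring component would run against functions this kind of library patches: compare the live bytes of a code range with a known-good copy and, when the first difference is an E9 jmp rel32, decode where execution is redirected. The reference bytes are the 32-bit NtOpenThread prologue transcribed from the IDA listing above; the patched copy, the 0x00700000 trampoline address and the names `check_code`, `HookCheck` and `demo_patched_target` are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Reference bytes: the 32-bit NtOpenThread prologue from the IDA listing
 * (mov edi,edi; push ebp; mov ebp,esp; push ecx; mov eax,fs:124h).
 * Transcribed from the listing, not read from a live kernel. */
static const uint8_t kCleanPrologue[12] = {
    0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x51, 0x64, 0xA1, 0x24, 0x01, 0x00, 0x00
};

/* Constructed: the same bytes after a 5-byte E9 patch to a hypothetical
 * trampoline at 0x00700000 (rel32 = 0x00700000 - (0x0065FD87 + 5)). */
static const uint8_t kPatchedPrologue[12] = {
    0xE9, 0x74, 0x02, 0x0A, 0x00, 0x51, 0x64, 0xA1, 0x24, 0x01, 0x00, 0x00
};

typedef struct {
    int      patched;      /* 1 if live bytes differ from the reference */
    size_t   first_diff;   /* offset of the first differing byte */
    int      is_jmp_rel32; /* 1 if the patch starts with E9 rel32 */
    uint32_t jmp_target;   /* absolute destination when is_jmp_rel32 */
} HookCheck;

/* Compare len live bytes at virtual address base_va with a reference copy.
 * Works for a mid-function site too (e.g. NtOpenThread+0x1B): pass that
 * address and the reference bytes of that region. */
HookCheck check_code(uint32_t base_va, const uint8_t *live,
                     const uint8_t *reference, size_t len)
{
    HookCheck r = {0, 0, 0, 0};
    size_t i;
    for (i = 0; i < len; i++)
        if (live[i] != reference[i]) { r.patched = 1; r.first_diff = i; break; }
    if (r.patched && r.first_diff + 5 <= len && live[r.first_diff] == 0xE9) {
        const uint8_t *p = live + r.first_diff + 1;   /* little-endian rel32 */
        uint32_t rel = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        r.is_jmp_rel32 = 1;
        /* Destination = address of the next instruction + rel32. */
        r.jmp_target = base_va + (uint32_t)r.first_diff + 5 + rel;
    }
    return r;
}

/* Where does the constructed patched prologue redirect? 0 if no E9 found. */
uint32_t demo_patched_target(void)
{
    HookCheck r = check_code(0x0065FD87u, kPatchedPrologue, kCleanPrologue, 12);
    return r.is_jmp_rel32 ? r.jmp_target : 0u;
}
```

In a real monitor the reference copy comes from the on-disk image or a snapshot taken at boot, and a mismatch whose decoded target lies outside the module that owns the function is the signal worth alerting on.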
