APIMon开发进度
最近想起开发一个工具,用于日常分析样本用。主要是写一个api监视器。在网上搜了一下,没有一个好用的。要么是工具太强大,以致我不会用。这样的话那就动手写一个吧。
主要监视R3层的api调用及参数。显示看它干了些什么。使用R3 inline hook方法将需要监控的api钩住。截取参数。
首先弄一个inline hook 的模板(来自网络)。至于原理,网上一大堆。口才不大好,就不写了。
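// APIMondll.cpp : entry point of the DLL application.
//
// Ring-3 inline hook of MessageBoxA. The first bytes of the target export are
// replaced by a relative JMP to MyMessageBoxA, which reports the call to the
// "ApiMon" window over WM_COPYDATA and then forwards to the real function.
// The DLL is mapped into other processes by a WH_GETMESSAGE hook (InstallHook).
#include "stdafx.h"
#include "APIMondll.h"
#include <Psapi.h>
#pragma comment(lib, "Psapi.lib")

// Bytes patched at the hooked function: E9 + rel32 (x86 only).
enum { HOOK_JMP_LEN = 5 };

// Record handed to the ApiMon window for every intercepted call.
// It is copied as raw bytes via WM_COPYDATA, so the layout must match the receiver.
struct APIMONINFO {
    char cProcessName[256]; // full path of the calling process
    UINT nPID;              // PID of the calling process
    char cAPIName[64];      // name of the intercepted API
    char cArgment[256];     // string argument of the call (truncated to fit)
};

// DLL entry point. On attach, remembers our module handle, locates the monitor
// window and installs the MessageBoxA hook in this process; on detach, restores
// the patched bytes so the host does not jump into an unmapped DLL afterwards.
// Returns FALSE (load fails) when the monitor window or the hook is unavailable.
// NOTE(review): FindWindow/LoadLibrary/MessageBox run here under the loader
// lock; moving InitHook to an exported call would be safer — confirm.
extern "C" BOOL APIENTRY DllMain(HINSTANCE hinst, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)lpReserved;
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        // SetWindowsHookEx() in InstallHook() needs our own module handle.
        g_hinstDLL = hinst;
        // Without the monitor window there is nobody to report to.
        g_hForm = FindWindow(NULL, "ApiMon");
        if (g_hForm == NULL) {
            MessageBox(0, "can't Find ApiMon", "Error", MB_OK | MB_ICONERROR);
            return FALSE;
        }
        if (!InitHook()) {
            MessageBox(NULL, "初使化钩子失败", "Tips", MB_OK);
            return FALSE;
        }
        break;
    case DLL_PROCESS_DETACH:
        // Put the original bytes back before our code is unmapped.
        HookOFF(&HookStruct);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    default:
        break;
    }
    return TRUE;
}

// Prepare and activate the MessageBoxA hook in the current process.
// Returns FALSE when the target export could not be resolved (nothing is patched).
BOOL InitHook()
{
    if (!HookAPI("user32.dll", "MessageBoxA", (DWORD)MyMessageBoxA, &HookStruct)) {
        return FALSE;
    }
    dwIdNew = GetCurrentProcessId();
    dwIdOld = dwIdNew;
    HookON(&HookStruct);
    return TRUE;
}

// Prepare (but do not apply) an inline hook: resolve dllname!procname, save its
// first HOOK_JMP_LEN bytes in hookfunc->olddata (for HookOFF) and build the
// replacement "JMP rel32" to myfuncaddr in hookfunc->newdata.
// Returns FALSE if hookfunc is NULL or the DLL/export cannot be found.
// The rel32 arithmetic is 32-bit (x86) only.
BOOL HookAPI(char *dllname, char *procname, DWORD myfuncaddr, HOOKSTRUCT *hookfunc)
{
    if (hookfunc == NULL) {
        return FALSE;
    }
    hModule = LoadLibrary(dllname);
    if (hModule == NULL) {
        return FALSE;
    }
    hookfunc->funcaddr = GetProcAddress(hModule, procname);
    if (hookfunc->funcaddr == NULL) {
        return FALSE;
    }
    // Keep exactly the bytes HookOFF() will write back.
    memcpy(hookfunc->olddata, (const void *)hookfunc->funcaddr, HOOK_JMP_LEN);
    // E9 rel32: displacement is relative to the end of the 5-byte JMP.
    DWORD jmpaddr = myfuncaddr - (DWORD)hookfunc->funcaddr - HOOK_JMP_LEN;
    hookfunc->newdata[0] = 0xe9;
    memcpy(&hookfunc->newdata[1], &jmpaddr, sizeof jmpaddr);
    return TRUE;
}

// Overwrite the first HOOK_JMP_LEN bytes of the hooked function in this
// process with src. Uses the current-process pseudo handle, so no handle is
// opened or leaked. Returns FALSE if the page could not be made writable or the
// write failed; the original page protection is restored either way.
static BOOL PatchBytes(HOOKSTRUCT *hookfunc, const void *src)
{
    if (hookfunc == NULL || hookfunc->funcaddr == NULL) {
        return FALSE;
    }
    LPVOID target = (LPVOID)hookfunc->funcaddr;
    DWORD oldProtect = 0;
    // Keep the page executable: other threads may be running this code.
    if (!VirtualProtect(target, HOOK_JMP_LEN, PAGE_EXECUTE_READWRITE, &oldProtect)) {
        return FALSE;
    }
    BOOL ok = WriteProcessMemory(GetCurrentProcess(), target, src, HOOK_JMP_LEN, NULL);
    VirtualProtect(target, HOOK_JMP_LEN, oldProtect, &oldProtect);
    FlushInstructionCache(GetCurrentProcess(), target, HOOK_JMP_LEN);
    return ok;
}

// Activate the hook: write the JMP prepared by HookAPI(). No-op if unprepared.
void HookON(HOOKSTRUCT *hookfunc)
{
    if (hookfunc != NULL) {
        PatchBytes(hookfunc, hookfunc->newdata);
    }
}

// Deactivate the hook: restore the saved original bytes. No-op if unprepared.
void HookOFF(HOOKSTRUCT *hookfunc)
{
    if (hookfunc != NULL) {
        PatchBytes(hookfunc, hookfunc->olddata);
    }
}

// WH_GETMESSAGE hook procedure. It does nothing itself; its only purpose is to
// get this DLL mapped into every GUI process so DllMain can hook there.
LRESULT CALLBACK MRHooK(int nCode, WPARAM wParam, LPARAM lParam)
{
    return CallNextHookEx(g_hHook, nCode, wParam, lParam);
}

// Exported: register the global message hook that injects this DLL.
// Returns FALSE (after a message box) if SetWindowsHookEx fails.
extern "C" APIMONDLL_API BOOL InstallHook()
{
    g_hHook = SetWindowsHookEx(WH_GETMESSAGE, MRHooK, g_hinstDLL, 0);
    if (g_hHook == NULL) {
        MessageBox(NULL, "安装钩子失败", "Tips", MB_OK);
        return FALSE;
    }
    return TRUE;
}

// Exported: remove the local MessageBoxA hook and the global message hook.
// Returns TRUE if there was nothing to unhook or the unhook succeeded.
extern "C" APIMONDLL_API BOOL UninstallHook()
{
    HookOFF(&HookStruct);
    if (g_hHook == NULL) {
        return TRUE;
    }
    BOOL unhooked = UnhookWindowsHookEx(g_hHook);
    g_hHook = NULL; // never unhook the same handle twice
    return unhooked;
}

// Replacement for MessageBoxA. Reports the call (process path, PID, lpText) to
// the ApiMon window, then forwards to the real MessageBoxA with the caller's
// arguments and returns its result.
// The hook is removed while the real function runs and re-armed afterwards;
// NOTE(review): that window is not safe against another thread calling
// MessageBoxA concurrently — a trampoline would avoid the toggle.
int WINAPI MyMessageBoxA(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType)
{
    // Zero the whole record: it is copied into another process, so no stack
    // garbage may leak, and every string stays NUL-terminated even if empty.
    APIMONINFO info = {0};
    info.nPID = GetCurrentProcessId();
    lstrcpynA(info.cAPIName, "MessageBoxA", (int)sizeof info.cAPIName);

    char path[MAX_PATH] = {0};
    GetModuleFileNameEx(GetCurrentProcess(), NULL, path, MAX_PATH);
    path[MAX_PATH - 1] = '\0'; // older systems do not terminate on truncation
    lstrcpynA(info.cProcessName, path, (int)sizeof info.cProcessName);
    // lpText may legally be NULL; lstrcpyn copies at most n-1 chars and terminates.
    lstrcpynA(info.cArgment, lpText != NULL ? lpText : "(null)", (int)sizeof info.cArgment);

    COPYDATASTRUCT cds;
    cds.dwData = 0;
    cds.cbData = sizeof info;
    cds.lpData = &info;
    // Re-resolve the window if DllMain did not find it (or it was recreated).
    HWND hForm = (g_hForm != NULL) ? g_hForm : FindWindow(NULL, "ApiMon");
    if (hForm != NULL) {
        // WM_COPYDATA's lParam must point at the COPYDATASTRUCT, not the payload.
        SendMessage(hForm, WM_COPYDATA, 0, (LPARAM)&cds);
    }

    // Let the original run with the caller's arguments, then re-arm the hook.
    HookOFF(&HookStruct);
    int result = MessageBoxA(hWnd, lpText, lpCaption, uType);
    HookON(&HookStruct);
    return result;
}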
眼睛好难受。。。
2012-09-01
模板完成。接下来是慢慢地添加需要hook的函数,如图:
此图hook的函数:LoadLibraryA,GetModuleFileNameA,MessageBoxA,URLDownloadToFileA。

2012-09-25
