//MsgHook.cpp
#include "../../StdAfx.h"
#include "MsgHook.h"
extern CBehaviorMonApp theApp;
extern NTSYSTEMDEBUGCONTROL NtSystemDebugControl ;
// Address of user32's SHAREDINFO (gSharedInfo), filled in by LocateSharedInfo();
// stays 0 until the scan succeeds. 32-bit only: an address carried in a ULONG.
ULONG g_pgSharedInfo=NULL;
// Byte offsets, relative to the ETHREAD pointer read from W32THREAD.pEThread, at which
// EnumMessageHook reads the owning process id and thread id.
// NOTE(review): hard-coded for one Windows build (they look like the XP-era
// ETHREAD.Cid offsets) — verify against every OS build this tool is run on.
ULONG g_ETHREAD_CLIENTID_PID=0x1ec;
ULONG g_ETHREAD_CLIENTID_TID=0x1f0;
//////////////////////////////////////////////////////////////////////////
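/**
 * Read a 16-bit value from this process's own address space.
 *
 * @param dwAddress  Address to read. 32-bit only: the pointer is carried in a ULONG.
 * @return The value at dwAddress, or 0 when the read fails or is short.
 *         A failed read is indistinguishable from a genuine 0; callers that need
 *         to tell them apart must call ReadProcessMemory themselves.
 */
short ReadMemoryToInt(ULONG dwAddress)
{
    short ret = 0;
    ULONG nReadBytes = 0;
    // Treat a short read like a failure so a partially written value is never returned.
    if (!ReadProcessMemory(GetCurrentProcess(), (void *)dwAddress, &ret, sizeof(ret), &nReadBytes)
        || nReadBytes != sizeof(ret))
    {
        ret = 0;
    }
    return ret;
}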
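/**
 * Read a 32-bit value from this process's own address space.
 *
 * @param dwAddress  Address to read. 32-bit only: the pointer is carried in a ULONG.
 * @return The value at dwAddress, or 0 when the read fails or is short.
 *         A failed read is indistinguishable from a genuine 0.
 */
ULONG ReadMemoryToLong(ULONG dwAddress)
{
    ULONG ret = 0;
    ULONG nReadBytes = 0;
    // Treat a short read like a failure so a partially written value is never returned.
    if (!ReadProcessMemory(GetCurrentProcess(), (void *)dwAddress, &ret, sizeof(ret), &nReadBytes)
        || nReadBytes != sizeof(ret))
    {
        ret = 0;
    }
    return ret;
}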
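/**
 * Read one byte from this process's own address space.
 *
 * @param dwAddress  Address to read. 32-bit only: the pointer is carried in a ULONG.
 * @return The byte at dwAddress, or 0 when the read fails.
 *         A failed read is indistinguishable from a genuine 0.
 */
BYTE ReadMemoryToByt(ULONG dwAddress)
{
    BYTE ret = 0;
    ULONG nReadBytes = 0;
    if (!ReadProcessMemory(GetCurrentProcess(), (void *)dwAddress, &ret, sizeof(ret), &nReadBytes)
        || nReadBytes != sizeof(ret))
    {
        ret = 0;
    }
    return ret;
}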
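/**
 * Locate user32's gSharedInfo by signature-scanning the first 0x1000 bytes of
 * UserRegisterWowHandlers and store its address in g_pgSharedInfo.
 *
 * The signature is six 7-byte instructions that each start with the bytes C7 40
 * (read as the little-endian word 0x40C7), followed by a B8 byte; the 32-bit
 * immediate after the B8 is taken as the address. On x86 that appears to be
 * `mov dword ptr [eax+disp8], imm32` six times, then `mov eax, imm32`.
 * The pattern is tied to one user32 build; a miss leaves g_pgSharedInfo unchanged,
 * as does a missing export. The first match wins. 32-bit only.
 */
void LocateSharedInfo()
{
    enum { SCAN_LEN = 0x1000, INSN_LEN = 7, PATTERN_INSNS = 6 };

    ULONG pfn = (ULONG)GetProcAddress(GetModuleHandle("user32.dll"), "UserRegisterWowHandlers");
    if (pfn == 0)
    {
        // Without the export the scan would walk addresses 0..0x1000 and find nothing useful.
        return;
    }

    for (ULONG I = pfn; I < pfn + SCAN_LEN; I++)
    {
        BOOL match = TRUE;
        for (ULONG k = 0; k < PATTERN_INSNS && match; k++)
        {
            match = (ReadMemoryToInt(I + k * INSN_LEN) == 0x40C7);
        }
        if (!match)
        {
            continue;
        }
        // Six matching instructions; the seventh must be the `B8 imm32` that carries the address.
        if (ReadMemoryToByt(I + PATTERN_INSNS * INSN_LEN) == 0xB8)
        {
            g_pgSharedInfo = ReadMemoryToLong(I + PATTERN_INSNS * INSN_LEN + 1);
            return;
        }
    }
}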
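/**
 * Copy Length bytes of kernel memory starting at StartAddr into lpBuffer using
 * NtSystemDebugControl with the DebugCopyMemoryChunks_0 command.
 *
 * @param StartAddr  Kernel virtual address to read.
 * @param Length     Number of bytes to copy; lpBuffer must hold at least this many.
 * @param lpBuffer   Caller-owned destination buffer. It is zero-filled before the
 *                   call, so a FALSE result leaves zeros rather than stale data.
 * @return TRUE when the call reports NT_SUCCESS, FALSE otherwise (including a NULL
 *         buffer or zero length).
 *
 * NOTE(review): this interface needs debug privilege and its memory-copy commands are
 * not available on newer Windows builds; expect FALSE there. 32-bit only: the buffer
 * address is carried in a ULONG field.
 */
BOOLEAN DumpKernelMemory(PVOID StartAddr, ULONG Length, BYTE lpBuffer[])
{
    if (lpBuffer == NULL || Length == 0)
    {
        return FALSE;
    }
    ZeroMemory(lpBuffer, Length);

    MEMORY_CHUNKS mc;
    ZeroMemory(&mc, sizeof(mc));
    mc.Address = StartAddr;
    mc.Length = Length;
    mc.pData = (ULONG)&lpBuffer[0];

    ULONG retl = 0;
    NTSTATUS st = NtSystemDebugControl(DebugCopyMemoryChunks_0, &mc, sizeof(mc), 0, 0, &retl);
    return NT_SUCCESS(st) ? TRUE : FALSE;
}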
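// Name of a WH_* hook type for display; "未知" for any value not in the list.
// Returning a string literal removes the need for a hand-sized stack buffer.
static const char *HookTypeName(HOOK_TYPE type)
{
    switch (type)
    {
    case WH_MSGFILTER:       return "WH_MSGFILTER";
    case WH_JOURNALRECORD:   return "WH_JOURNALRECORD";
    case WH_JOURNALPLAYBACK: return "WH_JOURNALPLAYBACK";
    case WH_KEYBOARD:        return "WH_KEYBOARD";
    case WH_GETMESSAGE:      return "WH_GETMESSAGE";
    case WH_CALLWNDPROC:     return "WH_CALLWNDPROC";
    case WH_CBT:             return "WH_CBT";
    case WH_SYSMSGFILTER:    return "WH_SYSMSGFILTER";
    case WH_MOUSE:           return "WH_MOUSE";
    case WH_HARDWARE:        return "WH_HARDWARE";
    case WH_DEBUG:           return "WH_DEBUG";
    case WH_SHELL:           return "WH_SHELL";
    case WH_FOREGROUNDIDLE:  return "WH_FOREGROUNDIDLE";
    case WH_CALLWNDPROCRET:  return "WH_CALLWNDPROCRET";
    case WH_KEYBOARD_LL:     return "WH_KEYBOARD_LL";
    case WH_MOUSE_LL:        return "WH_MOUSE_LL";
    default:                 return "未知";
    }
}

/**
 * Enumerate the message hooks registered in user32's shared handle table.
 *
 * Reads SHAREDINFO, then SERVERINFO for the handle count, then the whole handle
 * table, and for every entry with bType == TYPE_HOOK dumps the kernel HOOK object.
 * From it the hook handle, type, procedure address (module base + offPfn), and the
 * owning PID/TID (via W32THREAD.pEThread and the g_ETHREAD_CLIENTID_* offsets) are
 * collected.
 *
 * @param m_MessageHookList  List control to fill, one row per hook, in the column
 *                           order handle, type, procedure address, module path,
 *                           owning process path, PID, TID. May be NULL, in which
 *                           case hooks are only counted.
 * @return Number of HOOK objects that could be read from kernel memory; 0 when
 *         gSharedInfo cannot be located or the table cannot be read.
 *
 * Fixes versus the earlier version: the hook-type name buffer was 16 bytes but
 * "WH_JOURNALPLAYBACK" needs 19, overflowing the stack; malloc'd memory was
 * released with delete; the handle-count product was not overflow-checked; and a
 * failed kernel read left the previous hook's THREADINFO/PID/TID in place.
 * 32-bit only: addresses are carried in ULONG.
 */
int EnumMessageHook(CSortListCtrl *m_MessageHookList)
{
    // Offset of the loaded-module base table inside PROCESSINFO, indexed by HOOK.ihmod.
    // NOTE(review): build-specific; confirm for the target OS.
    enum { PPI_AHMOD_OFFSET = 0xA8 };

    int num = 0;
    HANDLE hProcess = GetCurrentProcess();
    SHAREDINFO gSharedInfo = {0};
    SERVERINFO gsi = {0};
    HANDLEENTRY *gHandleEntries = NULL;
    ULONG nReadBytes = 0, I = 0;
    HOOK hookInfo = {0};
    W32THREAD w32thd = {0};
    MsgHookInfo msgHookInfo = {0};
    char hookHandleStr[16] = {0};    // "0x%08X" is 10 chars + NUL
    char hookTypeStr[32] = {0};      // longest name "WH_JOURNALPLAYBACK" is 18 chars + NUL
    char hookFunAddStr[16] = {0};    // "0x%08X" is 10 chars + NUL
    char hookProcessPath[MAX_PATH] = {0};
    char hookPIDStr[16] = {0};       // "%lu" of a ULONG is at most 10 digits + NUL
    char hookTIDStr[16] = {0};
    char hookFunDllPath[MAX_PATH] = {0};
    int nIconIndex = 0;

    // gSharedInfo's address is found lazily; without it there is nothing to walk.
    if (g_pgSharedInfo == NULL)
    {
        LocateSharedInfo();
        if (g_pgSharedInfo == NULL)
        {
            return 0;
        }
    }

    if (!ReadProcessMemory(hProcess, (void *)g_pgSharedInfo, &gSharedInfo, sizeof(gSharedInfo), &nReadBytes))
    {
        goto ret;
    }
    // SERVERINFO carries the number of handle table entries.
    if (!ReadProcessMemory(hProcess, (void *)gSharedInfo.psi, &gsi, sizeof(gsi), &nReadBytes))
    {
        goto ret;
    }
    if (gsi.cHandleEntries == 0)
    {
        goto ret;
    }
    // calloc checks count*size for overflow; the count comes from shared memory.
    gHandleEntries = (HANDLEENTRY *)calloc(gsi.cHandleEntries, sizeof(HANDLEENTRY));
    if (gHandleEntries == NULL)
    {
        OutputDebugString("EnumMessageHook:申请内存失败!");
        goto ret;
    }
    if (!ReadProcessMemory(hProcess, (void *)gSharedInfo.aheList, gHandleEntries,
                           sizeof(HANDLEENTRY) * gsi.cHandleEntries, &nReadBytes))
    {
        goto ret;
    }

    for (I = 0; I < gsi.cHandleEntries; I++)
    {
        if (gHandleEntries[I].bType != TYPE_HOOK)
        {
            continue;
        }
        // Start every hook from a clean slate so a failed kernel read cannot leak the
        // previous entry's thread/process data into this row.
        ZeroMemory(&hookInfo, sizeof(hookInfo));
        ZeroMemory(&w32thd, sizeof(w32thd));
        ZeroMemory(&msgHookInfo, sizeof(msgHookInfo));

        if (!DumpKernelMemory(gHandleEntries[I].phead, sizeof(HOOK), (BYTE *)&hookInfo))
        {
            continue;
        }
        num++;

        msgHookInfo.hHook = hookInfo.tshead.ThreadObjHead.headinfo.h;
        msgHookInfo.iHookType = hookInfo.iHook;
        msgHookInfo.offPfn = hookInfo.offPfn;

        // THREADINFO head of the owning thread; gives pEThread and ppi.
        if (DumpKernelMemory(hookInfo.tshead.ThreadObjHead.pti, sizeof(w32thd), (BYTE *)&w32thd))
        {
            msgHookInfo.pEThread = w32thd.pEThread;
        }
        // Module base of the hook procedure, from the process's module table.
        // NOTE(review): a negative ihmod would index before the table and is skipped;
        // confirm what user32 stores there for a hook in the caller's own image.
        if (w32thd.ppi != NULL && hookInfo.ihmod >= 0)
        {
            DumpKernelMemory((PVOID)((ULONG)w32thd.ppi + PPI_AHMOD_OFFSET + 4 * hookInfo.ihmod),
                             sizeof(msgHookInfo.modBase), (BYTE *)&msgHookInfo.modBase);
        }
        // Procedure address = module base + offset.
        msgHookInfo.funAdd = (PVOID)((ULONG)msgHookInfo.modBase + (ULONG)msgHookInfo.offPfn);
        // Owning thread/process ids from ETHREAD.
        if (msgHookInfo.pEThread != NULL)
        {
            DumpKernelMemory((PVOID)((ULONG)msgHookInfo.pEThread + g_ETHREAD_CLIENTID_TID),
                             sizeof(msgHookInfo.TID), (BYTE *)&msgHookInfo.TID);
            DumpKernelMemory((PVOID)((ULONG)msgHookInfo.pEThread + g_ETHREAD_CLIENTID_PID),
                             sizeof(msgHookInfo.PID), (BYTE *)&msgHookInfo.PID);
        }

        if (m_MessageHookList == NULL)
        {
            continue;
        }

        // Clear the path buffers first so a lookup that writes nothing cannot attribute
        // this hook to the previous row's process or module.
        hookProcessPath[0] = '\0';
        hookFunDllPath[0] = '\0';
        GetProcessPathByPID(msgHookInfo.PID, hookProcessPath);
        GetHookModuleName((DWORD)msgHookInfo.funAdd, hookFunDllPath, msgHookInfo.PID);

        sprintf(hookHandleStr, "0x%08X", (ULONG)msgHookInfo.hHook);
        lstrcpynA(hookTypeStr, HookTypeName(msgHookInfo.iHookType), sizeof(hookTypeStr));
        sprintf(hookFunAddStr, "0x%08X", (ULONG)msgHookInfo.funAdd);
        sprintf(hookPIDStr, "%lu", msgHookInfo.PID);
        sprintf(hookTIDStr, "%lu", msgHookInfo.TID);

        nIconIndex = theApp.pView->GetIconIndex(hookFunDllPath);
        m_MessageHookList->AddItem(
            nIconIndex,
            hookHandleStr,
            hookTypeStr,
            hookFunAddStr,
            hookFunDllPath,
            hookProcessPath,
            hookPIDStr,
            hookTIDStr
        );
    }

ret:
    // free(NULL) is a no-op; the buffer came from calloc, so it must not be delete'd.
    free(gHandleEntries);
    return num;
}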
//MsgHook.h
#ifndef __MSGHOOK__
#define __MSGHOOK__
/**
 * Enumerate the message hooks in user32's shared handle table.
 * @param m_MessageHookList  List control that receives one row per hook; NULL to only count.
 * @return Number of hooks whose kernel object could be read, 0 if the table is unreachable.
 */
int EnumMessageHook(CSortListCtrl *m_MessageHookList);
//////////////////////////////////////////////////////////////////////////
// Object type stored in HANDLEENTRY.bType. EnumMessageHook keeps only TYPE_HOOK
// entries; the other values document the table and must keep their numeric values.
typedef enum _HANDLE_TYPE
{
    TYPE_FREE = 0 , // must be zero!
    TYPE_WINDOW = 1 , // in order of use for C code lookups
    TYPE_MENU = 2,
    TYPE_CURSOR = 3,
    TYPE_SETWINDOWPOS = 4,
    TYPE_HOOK = 5, // a HOOK object (message hook)
    TYPE_CLIPDATA = 6 , // clipboard data
    TYPE_CALLPROC = 7,
    TYPE_ACCELTABLE = 8,
    TYPE_DDEACCESS = 9,
    TYPE_DDECONV = 10,
    TYPE_DDEXACT = 11, // DDE transaction tracking info.
    TYPE_MONITOR = 12,
    TYPE_KBDLAYOUT = 13 , // Keyboard Layout handle (HKL) object.
    TYPE_KBDFILE = 14 , // Keyboard Layout file object.
    TYPE_WINEVENTHOOK = 15 , // WinEvent hook (EVENTHOOK)
    TYPE_TIMER = 16,
    TYPE_INPUTCONTEXT = 17 , // Input Context info structure
    TYPE_CTYPES = 18 , // Count of TYPEs; Must be LAST + 1
    TYPE_GENERIC = 255 // used for generic handle validation
}HANDLE_TYPE;
// Hook type stored in HOOK.iHook. The values mirror the WH_* constants
// (WH_MSGFILTER == -1 ... WH_MOUSE_LL == 14), which is why EnumMessageHook can
// switch on this enum with the WH_* names directly.
typedef enum _HOOK_TYPE{
    MY_WH_MSGFILTER = -1,
    MY_WH_JOURNALRECORD = 0,
    MY_WH_JOURNALPLAYBACK = 1,
    MY_WH_KEYBOARD = 2,
    MY_WH_GETMESSAGE = 3,
    MY_WH_CALLWNDPROC = 4,
    MY_WH_CBT = 5,
    MY_WH_SYSMSGFILTER = 6,
    MY_WH_MOUSE = 7,
    MY_WH_HARDWARE = 8,
    MY_WH_DEBUG = 9,
    MY_WH_SHELL = 10,
    MY_WH_FOREGROUNDIDLE = 11,
    MY_WH_CALLWNDPROCRET = 12,
    MY_WH_KEYBOARD_LL = 13,
    MY_WH_MOUSE_LL = 14
}HOOK_TYPE;
// One slot of user32's shared handle table (SHAREDINFO.aheList). Field order is the
// in-memory layout of the OS structure and must not be changed.
// NOTE(review): 32-bit, XP-era layout — verify against each target build.
typedef struct HANDLEENTRY{
    PVOID phead; // pointer to the real object; for TYPE_HOOK entries a kernel HOOK
    ULONG pOwner; // pointer to owning entity (pti or ppi)
    BYTE bType; // type of object, a HANDLE_TYPE value
    BYTE bFlags; // flags - like destroy flag
    short wUniq; // uniqueness count
}HANDLEENTRY,*PHANDLEENTRY;
// Leading fields of user32's SERVERINFO (the real structure is larger); only
// cHandleEntries is consumed, by EnumMessageHook, to size the handle table read.
// Field order is the in-memory layout and must not be changed.
typedef struct SERVERINFO{ // si
    short wRIPFlags ; // RIPF_ flags
    short wSRVIFlags ; // SRVIF_ flags
    short wRIPPID ; // PID of process to apply RIP flags to (zero means all)
    short wRIPError ; // Error to break on (zero means all errors are treated equal)
    ULONG cHandleEntries; // count of handle entries in aheList
}SERVERINFO,*PSERVERINFO;
// user32's gSharedInfo, located by LocateSharedInfo() and read through
// g_pgSharedInfo. psi and aheList are the two pointers EnumMessageHook follows.
// Field order is the in-memory layout and must not be changed.
typedef struct SHAREDINFO{
    PSERVERINFO psi; // tagSERVERINFO
    PHANDLEENTRY aheList; // _HANDLEENTRY - handle table pointer
    ULONG pDispInfo; // global displayinfo
    ULONG ulSharedDelta; // delta between client and kernel mapping of the shared section
}SHAREDINFO,*PSHAREDINFO;
// Common header of every user object; h is the handle reported for a hook.
typedef struct HEAD
{
    HANDLE h; // object handle
    ULONG cLockObj; // lock count
}HEAD;
// Header of a thread-owned user object: HEAD plus the owning THREADINFO pointer,
// which EnumMessageHook dumps as a W32THREAD.
typedef struct THROBJHEAD
{
    HEAD headinfo;
    PVOID pti; // PTHREADINFO of the owning thread
}THROBJHEAD;
// Desktop part of a desktop-bound object header; present only to keep HOOK's layout.
typedef struct DESKHEAD
{
    PVOID rpdesk; // PDESKTOP
    PBYTE pSelf ; // PBYTE
}DESKHEAD;
// Header of an object owned by both a thread and a desktop (the first member of HOOK).
typedef struct THRDESKHEAD
{
    THROBJHEAD ThreadObjHead ;
    DESKHEAD DesktopHead ;
}THRDESKHEAD;
// Kernel HOOK object, copied out of kernel memory by EnumMessageHook via
// DumpKernelMemory. Field order is the in-memory layout and must not be changed.
// NOTE(review): 32-bit, XP-era layout — verify against each target build.
typedef struct HOOK // hk
{
    THRDESKHEAD tshead ; // handle (tshead.ThreadObjHead.headinfo.h) and owning pti
    HOOK * phkNext ; // next hook in the chain
    HOOK_TYPE iHook; // WH_xxx hook type
    ULONG offPfn; // offset of the hook procedure from its module base
    UINT flags ; // HF_xxx flags
    int ihmod ; // index into the owning process's module table (used to find the base)
    PVOID ptiHooked; // PTHREADINFO - Thread hooked.
    PVOID rpdesk ; // Global hook pdesk. Only used when hook is locked and owner is destroyed
}HOOK,*PHOOK;
// Head of the kernel per-thread structure that THROBJHEAD.pti points to.
// EnumMessageHook reads pEThread (for PID/TID) and ppi (for the module table).
// NOTE(review): the two fields after the separator appear to belong to the
// enclosing THREADINFO rather than W32THREAD proper; the layout is build-specific.
typedef struct W32THREAD
{
    // W32THREAD
    PVOID pEThread ; // PETHREAD of the owning thread
    ULONG RefCount ;
    ULONG ptlW32 ;
    ULONG pgdiDcattr ;
    ULONG pgdiBrushAttr ;
    ULONG pUMPDObjs ;
    ULONG pUMPDHeap ;
    ULONG dwEngAcquireCount ;
    ULONG pSemTable ;
    ULONG pUMPDObj ;
    // ********************* fields past the end of W32THREAD
    PVOID ptl;
    PVOID ppi; // PPROCESSINFO of the owning process
}W32THREAD;
// Per-hook summary assembled by EnumMessageHook from the kernel HOOK, the owning
// thread's W32THREAD and ETHREAD, before it is formatted into a list row.
typedef struct MsgHookInfo
{
    HANDLE hHook ; // hook handle (HEAD.h)
    HOOK_TYPE iHookType; // WH_xxx type (HOOK.iHook)
    PVOID pEThread ; // owning ETHREAD (W32THREAD.pEThread)
    ULONG offPfn ; // procedure offset (HOOK.offPfn)
    PVOID modBase; // base of the module holding the procedure, 0 if not resolved
    PVOID funAdd; // modBase + offPfn
    ULONG TID; // owning thread id, read from ETHREAD at g_ETHREAD_CLIENTID_TID
    ULONG PID; // owning process id, read from ETHREAD at g_ETHREAD_CLIENTID_PID
}MsgHookInfo;
#endif