#include "stdafx.h"
#include "HookRegApi.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#endif
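// Private window message sent to g_hWnd by MouseProc/KeyboardProc.
// Parenthesized so the macro stays a single operand wherever it is expanded.
#define UM_WNDTITLE (WM_USER+100)
// Number of bytes Inject()/HookOff() patch and restore at the start of the
// hooked Advapi32 export (mov rax,imm64 + jmp rax = 2 + 8 + 2 bytes).
#define CODE_LEN 12
// The variables in the ".Share" segment are mapped read/write/shared ("rws"),
// so every process that loads this DLL sees one copy. Nothing on this page
// synchronizes access to them.
#pragma data_seg(".Share")
HWND g_hWnd=NULL;      // window that receives UM_WNDTITLE; set by StartHook()
HHOOK hhk=NULL;        // hook handle from SetWindowsHookEx; set by StartHook(), used by StopHook()
HINSTANCE hInst=NULL;  // this DLL's instance handle; set in CHookRegApi::InitInstance()
#pragma data_seg()
#pragma comment(linker, "/section:.Share,rws")
// Per-process state (ordinary globals, one copy per loading process).
HANDLE hProcess=NULL;    // handle to the current process, set in InitInstance(); used by HookOn()
BOOL bIsInjected=FALSE;  // TRUE once Inject() has patched the export in this process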
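// Pointer type for the RegCreateKeyEx* entry point whose address Inject() saves.
// NOTE(review): the typedef and the variable below are named "...ExA", but
// Inject() stores the address of RegCreateKeyExW in it; the LPCTSTR/LPTSTR
// parameters follow the build's UNICODE setting rather than either variant.
typedef LONG (WINAPI *RegCKeyExA)(
HKEY hKey, // handle to an open key
LPCTSTR lpSubKey, // address of subkey name
DWORD Reserved, // reserved
LPTSTR lpClass, // address of class string
DWORD dwOptions, // special options flag
REGSAM samDesired, // desired security access
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
// address of key security structure
PHKEY phkResult, // address of buffer for opened handle
LPDWORD lpdwDisposition // address of disposition value buffer
);
RegCKeyExA oldRCKExA=NULL; // address of the patched Advapi32 export; set by Inject(), restored by HookOff()
FARPROC pfMsgBoxExA=NULL;  // target that HookOn() writes to; never assigned anywhere on this page
// Saved copy of the bytes Inject() overwrites, used by HookOff() to restore them.
// Sized by CODE_LEN: both functions copy CODE_LEN (12) bytes through this buffer,
// and the previous 5-element declaration made each copy write 7 bytes past its end.
BYTE OldCodeExA[CODE_LEN];
BYTE NewCodeExA[5];        // 5-byte patch that HookOn() writes out; never filled on this page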
// Forward declaration of the RegCreateKeyExA replacement defined further down
// (shows a warning box and returns without creating a key).
// NOTE(review): Inject() patches RegCreateKeyExW to jump to MyRegCreateKeyExW,
// which is neither declared nor defined on this page; only the ExA variant is.
LONG WINAPI MyRegCreateKeyExA(
HKEY hKey, // handle to an open key
LPCTSTR lpSubKey, // address of subkey name
DWORD Reserved, // reserved
LPTSTR lpClass, // address of class string
DWORD dwOptions, // special options flag
REGSAM samDesired, // desired security access
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
// address of key security structure
PHKEY phkResult, // address of buffer for opened handle
LPDWORD lpdwDisposition // address of disposition value buffer
);
// Writes the 5 bytes in NewCodeExA over the code at pfMsgBoxExA inside hProcess.
// NOTE(review): nothing on this page assigns pfMsgBoxExA or fills NewCodeExA,
// and no caller of HookOn() is visible; as written the write would target
// address NULL. The active patch on this page is done by Inject(), not here.
void HookOn()
{
ASSERT(hProcess!=NULL);
DWORD dwTemp=0,dwOldProtect,dwRet=0;
SIZE_T dwWrite;
// Return values of both VirtualProtectEx calls are not checked.
VirtualProtectEx(hProcess,pfMsgBoxExA,5,PAGE_READWRITE,&dwOldProtect);
dwRet=WriteProcessMemory(hProcess,pfMsgBoxExA,NewCodeExA,5,&dwWrite);
if (0==dwRet||0==dwWrite)
{
TRACE("write error"); // logged only (debug builds); the failure is not reported to the caller
}
VirtualProtectEx(hProcess,pfMsgBoxExA,5,dwOldProtect,&dwTemp);
}
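// Restores the original first CODE_LEN bytes of the Advapi32 export that
// Inject() patched, undoing the hook in this process. Safe to call when
// Inject() never ran here (oldRCKExA is still NULL) and safe to call twice.
void HookOff()
{
    ASSERT(hProcess!=NULL);
    if (oldRCKExA==NULL)
    {
        return; // nothing was patched in this process
    }
    DWORD dwOldProtect=0;
    DWORD dwTemp=0;
    if (!::VirtualProtect(oldRCKExA, CODE_LEN, PAGE_EXECUTE_READWRITE, &dwOldProtect))
    {
        return; // cannot make the code writable; leave it untouched rather than fault
    }
    memcpy(oldRCKExA, OldCodeExA, CODE_LEN);
    // VirtualProtect requires a non-NULL lpflOldProtect; the previous call passed
    // NULL, which makes the API fail and leaves the page execute/read/write.
    ::VirtualProtect(oldRCKExA, CODE_LEN, dwOldProtect, &dwTemp);
}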
// Patches the first CODE_LEN (12) bytes of Advapi32!RegCreateKeyExW in this
// process with an absolute jump to MyRegCreateKeyExW, saving the overwritten
// bytes in OldCodeExA so that HookOff() can put them back. Runs at most once
// per process (bIsInjected is a per-process global, not in the shared segment).
// No trampoline is built: the saved bytes are used only for the restore, so
// the replacement cannot call the real RegCreateKeyExW.
// NOTE(review): MyRegCreateKeyExW is not declared or defined on this page.
// NOTE(review): the INT64 casts and the 8-byte immediate make this 64-bit-only code.
void Inject()
{
if (!bIsInjected)
{
bIsInjected=TRUE;
// Return value is not checked: a NULL here would make the memcpy below fault.
oldRCKExA=(RegCKeyExA)::GetProcAddress(GetModuleHandle(TEXT("Advapi32.dll")), "RegCreateKeyExW");
DWORD dwTemp=0,dwOldProtect,dwRet=0; // dwTemp and dwRet are never used
::VirtualProtect(oldRCKExA, CODE_LEN, PAGE_EXECUTE_READWRITE, &dwOldProtect); // return value unchecked
memcpy(OldCodeExA, oldRCKExA, CODE_LEN); // save the original prologue for HookOff()
memset(oldRCKExA, 0x90, CODE_LEN); // NOP fill; every byte is rewritten below anyway
/*
mov rax, MyRegCreateKeyExW   ; 48 B8 <imm64>
jmp rax                      ; FF E0
(the original comment named FakeCreateProcessInternal; the address written
below is MyRegCreateKeyExW)
*/
*(LPWORD)oldRCKExA = 0xb848;                               // little-endian: bytes 48 B8
*(INT64*)((INT64)oldRCKExA+2) = (INT64)MyRegCreateKeyExW;   // the 8-byte immediate
*(LPWORD)((INT64)oldRCKExA+10) = 0xe0ff;                    // little-endian: bytes FF E0
// NOTE(review): lpflOldProtect is NULL here; VirtualProtect requires a valid
// pointer, so this restore call fails and the page stays execute/read/write.
// Nothing in this function flushes the instruction cache after the write.
::VirtualProtect(oldRCKExA, CODE_LEN, dwOldProtect, NULL);
}
}
// Replacement body for RegCreateKeyExA: shows a warning box naming the requested
// subkey and the calling process id, then returns 0 (ERROR_SUCCESS) WITHOUT
// creating or opening any key. Same parameter list as RegCreateKeyExA.
// NOTE(review): it reports success but never writes *phkResult or
// *lpdwDisposition, so the caller continues with an uninitialized HKEY.
// NOTE(review): the message hard-codes "HKEY_CURRENT_USER" whatever hKey is.
// NOTE(review): lpSubKey is LPCTSTR, so under a UNICODE build it is a wide
// string while "%s" in the narrow sprintf_s expects a narrow one.
// NOTE(review): MessageBoxA is modal; the hooked thread blocks until it is dismissed.
LONG WINAPI MyRegCreateKeyExA(
HKEY hKey, // handle to an open key
LPCTSTR lpSubKey, // address of subkey name
DWORD Reserved, // reserved
LPTSTR lpClass, // address of class string
DWORD dwOptions, // special options flag
REGSAM samDesired, // desired security access
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
// address of key security structure
PHKEY phkResult, // address of buffer for opened handle
LPDWORD lpdwDisposition // address of disposition value buffer
)
{
char str[1000]={0};
DWORD d= GetCurrentProcessId();
// %ld is a signed conversion for the unsigned DWORD pid; harmless for real pids.
sprintf_s(str, 1000,"ExA item: HKEY_CURRENT_USER\\%s \nRegedit is being Created !\nPID: %ld",lpSubKey, d);
::MessageBoxA(NULL,str,"warning",MB_ICONWARNING);
return 0;
}
// CHookRegApi
// MFC message map for the application object; no handlers are declared.
BEGIN_MESSAGE_MAP(CHookRegApi, CWinApp)
END_MESSAGE_MAP()
// Constructor does nothing; all setup happens in InitInstance().
CHookRegApi::CHookRegApi()
{
}
CHookRegApi theApp; // the single MFC application object for this DLL; constructed when the DLL loads
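// MFC DLL start-up: records this DLL's instance handle (used by StartHook) and
// a handle to the current process (used by HookOn), then patches
// RegCreateKeyExW in the process that loaded the DLL.
// Returns TRUE so that initialization continues.
BOOL CHookRegApi::InitInstance()
{
    CWinApp::InitInstance();
    hInst=AfxGetInstanceHandle();
    // The pseudo-handle from GetCurrentProcess() already carries full access to
    // this process and needs no CloseHandle(). The previous
    // OpenProcess(PROCESS_ALL_ACCESS, ...) on our own pid created a real handle
    // that was never closed.
    hProcess=::GetCurrentProcess();
    Inject(); // patch RegCreateKeyExW in this process (no-op if already done)
    return TRUE;
}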
// WH_MOUSE hook procedure. For HC_ACTION notifications it forwards the mouse
// message id and the handle of the window under the cursor to g_hWnd as
// UM_WNDTITLE, then always passes the event on to the next hook in the chain.
// SendMessage is synchronous, so the hooked thread waits until g_hWnd's window
// procedure has handled the message.
LRESULT CALLBACK MouseProc(int nCode, // hook code
WPARAM wParam, // message identifier
LPARAM lParam // pointer to a MOUSEHOOKSTRUCT
)
{
    if (nCode!=HC_ACTION)
    {
        return CallNextHookEx(hhk,nCode,wParam,lParam);
    }
    const PMOUSEHOOKSTRUCT pMouseInfo=(PMOUSEHOOKSTRUCT)lParam;
    ::SendMessage(g_hWnd,UM_WNDTITLE,wParam,(LPARAM)pMouseInfo->hwnd);
    return CallNextHookEx(hhk,nCode,wParam,lParam);
}
// WH_KEYBOARD hook procedure. For HC_ACTION notifications it forwards wParam
// (the virtual-key code) and lParam (keystroke information, not mouse
// coordinates) unchanged to g_hWnd as UM_WNDTITLE, then passes the event on
// to the next hook. Not installed by StartHook() on this page, which only
// registers MouseProc.
LRESULT CALLBACK KeyboardProc(int nCode, // hook code
WPARAM wParam, // message identifier
LPARAM lParam // mouse coordinates
)
{
    if (nCode!=HC_ACTION)
    {
        return CallNextHookEx(hhk,nCode,wParam,lParam);
    }
    ::SendMessage(g_hWnd,UM_WNDTITLE,wParam,lParam);
    return CallNextHookEx(hhk,nCode,wParam,lParam);
}
// Exported: installs the WH_MOUSE hook and records hWnd as the window that
// receives UM_WNDTITLE. The thread id argument is 0, i.e. the hook applies to
// every thread on the calling desktop, so the system loads this DLL (hInst)
// into each process it hooks; InitInstance() then runs Inject() in each.
// Returns TRUE when SetWindowsHookEx succeeded, FALSE otherwise.
BOOL WINAPI StartHook(HWND hWnd)
{
    g_hWnd=hWnd;
    hhk=::SetWindowsHookEx(WH_MOUSE,MouseProc,hInst,0);
    return (hhk!=NULL) ? TRUE : FALSE;
}
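// Exported: restores the patched export in this process, removes the WH_MOUSE
// hook and drops the DLL reference. Safe to call more than once: hhk is
// cleared after the unhook so a stale handle is never unhooked again.
VOID WINAPI StopHook()
{
    HookOff();
    if (hhk!=NULL)
    {
        UnhookWindowsHookEx(hhk);
        hhk=NULL; // shared-segment variable: every process now sees "no hook installed"
        // NOTE(review): FreeLibrary on this DLL's own instance from inside the
        // DLL unmaps the code that is still executing once the reference count
        // reaches zero; FreeLibraryAndExitThread, or letting the caller unload
        // the module, is the documented way to release it.
        FreeLibrary(hInst);
    }
}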
// MFC DLL teardown: undoes the RegCreateKeyExW patch in this process before
// the framework shuts down. Returns the framework's exit code.
int CHookRegApi::ExitInstance()
{
HookOff(); // also reached through StopHook(); the same bytes are restored either way
return CWinApp::ExitInstance();
}
#include <stdio.h>
#include <tchar.h>
#include <Windows.h>
#include <ntdll.h>
#include <Shlwapi.h>
#include <strsafe.h>
#pragma comment(lib, "shlwapi.lib")
#pragma comment(linker, "/export:SetHook=SetHook")
#pragma comment(linker, "/export:UnHook=UnHook")
HHOOK hHook;   // WH_GETMESSAGE hook handle set by SetHook(); per process, zero-initialized
HMODULE hDll;  // this DLL's module handle, recorded in DllMain and passed to SetWindowsHookEx
// WH_GETMESSAGE hook procedure: does no work of its own and passes every
// message straight to the next hook. Presumably the hook exists only so that
// SetWindowsHookEx loads this DLL into other processes, where DllMain decides
// whether to patch (see the regedit.exe check there).
LRESULT CALLBACK GetMsgProc(
_In_ int code,
_In_ WPARAM wParam,
_In_ LPARAM lParam)
{
return CallNextHookEx(hHook, code, wParam, lParam);
}
// Exported: installs a desktop-wide WH_GETMESSAGE hook (thread id 0) backed by
// this DLL, which makes the system load the DLL into every hooked process.
// Returns 1 on success and 0 when SetWindowsHookEx failed.
extern "C" int __stdcall SetHook()
{
    hHook = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc, hDll, 0);
    if (hHook == NULL)
    {
        return 0;
    }
    return 1;
}
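// Exported: removes the WH_GETMESSAGE hook installed by SetHook().
// Returns nonzero when the hook was removed, 0 when there was no hook or the
// unhook failed. hHook is cleared afterwards so that a second call, or the
// DLL_PROCESS_DETACH path in DllMain, does not unhook a stale handle.
extern "C" int __stdcall UnHook()
{
    if (hHook == NULL)
    {
        return 0;
    }
    const int ok = UnhookWindowsHookEx(hHook) ? 1 : 0;
    hHook = NULL;
    return ok;
}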
// Heap copy of the first bytes of ntdll!NtSetValueKey, returned by x64HookNtApi
// and called by HookNtSetValueKey as the "original" function.
LPVOID pfnNtSetValueKey = 0;
// Signature used to call through pfnNtSetValueKey.
// NOTE(review): __fastcall is accepted but ignored by the x64 compiler, so on
// the 64-bit build this is simply the standard calling convention.
typedef NTSTATUS (__fastcall* FNNTSETVALUEKEY)(
IN HANDLE KeyHandle,
IN PUNICODE_STRING ValueName,
IN ULONG TitleIndex OPTIONAL,
IN ULONG Type,
IN PVOID Data,
IN ULONG DataSize);
// Overwrites the first Len bytes of lpszDll!lpszFunc in this process with an
// absolute jump to FakeFunc and returns a heap copy of the bytes it replaced.
// Returns 0 when the export cannot be resolved (GetModuleHandle failing makes
// GetProcAddress fail as well).
// The 14-byte sequence FF 25 00 00 00 00 <imm64> is "jmp qword ptr [rip+0]"
// followed by the target address; the remaining Len-14 bytes stay 0x90. Nothing
// checks that Len >= 14.
// NOTE(review): the returned copy is later CALLED as the original function
// (see HookNtSetValueKey). It contains no jump back to pfn+Len, so this only
// works if the whole original routine fits in Len bytes and returns within
// them — version-dependent for the ntdll syscall stub; TODO confirm.
// NOTE(review): dwOldProtect is reused for the heap block, and no code on this
// page restores pfn's original protection: the patched page stays RWX, and the
// heap page holding the copy is made RWX too.
LPVOID x64HookNtApi(LPCTSTR lpszDll, LPCSTR lpszFunc, LPVOID FakeFunc, int Len = 16)
{
DWORD dwOldProtect = 0;
LPVOID pfn = GetProcAddress(GetModuleHandle(lpszDll), lpszFunc);
if (!pfn)
{
return 0;
}
VirtualProtect(pfn, Len, PAGE_EXECUTE_READWRITE, &dwOldProtect); // return value unchecked
LPVOID OldCode = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Len); // unchecked: NULL here faults in memcpy
memcpy(OldCode, pfn, Len);
memset(pfn, 0x90, Len);
memcpy(pfn, "\xff\x25\x00\x00\x00\x00", 6);
*(PINT64)((INT64)pfn + 6) = (INT64)FakeFunc;
FlushInstructionCache(GetCurrentProcess(), pfn, Len);
VirtualProtect(OldCode, Len, PAGE_EXECUTE_READWRITE, &dwOldProtect); // make the saved bytes callable
return OldCode;
}
// 2048-byte buffer allocated in DllMain for NtQueryObject(ObjectNameInformation);
// the cast relies on the returned structure starting with a UNICODE_STRING.
// Shared by every thread that enters HookNtSetValueKey, with no synchronization.
PUNICODE_STRING pKeyName;
// Message buffer formatted by HookNtSetValueKey; likewise shared and unsynchronized.
TCHAR szMsg[2048] = { 0 };
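// Replacement for ntdll!NtSetValueKey installed by x64HookNtApi. Logs the key
// name, value name and (for REG_DWORD / REG_QWORD / REG_SZ) the value through
// OutputDebugString, then calls the saved original bytes with the unchanged
// arguments and returns their result. Parameters are those of NtSetValueKey;
// the call itself is only observed, never altered.
// The UNICODE_STRING buffers are not guaranteed to be NUL-terminated, so every
// string is printed with an explicit length (Length/DataSize are in bytes),
// and Data is read only when DataSize covers the value. A message is emitted
// only when one was formatted for this call, never a stale one from before.
// NOTE(review): szMsg and pKeyName are process-wide globals without locking,
// so concurrent calls from several threads can interleave here.
// NOTE(review): assumes REG_SZ data arriving at the native API is UTF-16 — TODO confirm.
NTSTATUS __fastcall HookNtSetValueKey(
IN HANDLE KeyHandle,
IN PUNICODE_STRING ValueName,
IN ULONG TitleIndex OPTIONAL,
IN ULONG Type,
IN PVOID Data,
IN ULONG DataSize)
{
    ULONG Len = 2048; // size of the pKeyName buffer from DllMain; receives the returned length
    BOOL bHaveMsg = FALSE;
    if (pKeyName != NULL && ValueName != NULL
        && NtQueryObject(KeyHandle, ObjectNameInformation, pKeyName, Len, &Len) == 0)
    {
        const int cchKey = (int)(pKeyName->Length / sizeof(WCHAR));
        const int cchVal = (int)(ValueName->Length / sizeof(WCHAR));
        switch (Type)
        {
        case REG_DWORD:
            if (Data != NULL && DataSize >= sizeof(DWORD))
            {
                StringCchPrintf(szMsg, _countof(szMsg), TEXT("KeyName:%.*ls ValueName:%.*ls Values:%d DataType:REG_DWORD"), cchKey, pKeyName->Buffer, cchVal, ValueName->Buffer, *(int*)Data);
                bHaveMsg = TRUE;
            }
            break;
        case REG_QWORD:
            if (Data != NULL && DataSize >= sizeof(LONGLONG))
            {
                StringCchPrintf(szMsg, _countof(szMsg), TEXT("KeyName:%.*ls ValueName:%.*ls Values:%lld DataType:REG_QWORD"), cchKey, pKeyName->Buffer, cchVal, ValueName->Buffer, *(PLONGLONG)Data);
                bHaveMsg = TRUE;
            }
            break;
        case REG_SZ: // string data, bounded by DataSize instead of trusting a terminator
            if (Data != NULL)
            {
                StringCchPrintf(szMsg, _countof(szMsg), TEXT("KeyName:%.*ls ValueName:%.*ls Values:%.*ls DataType:REG_SZ"), cchKey, pKeyName->Buffer, cchVal, ValueName->Buffer, (int)(DataSize / sizeof(WCHAR)), (const WCHAR*)Data);
                bHaveMsg = TRUE;
            }
            break;
        default:
            break;
        }
    }
    if (bHaveMsg)
    {
        OutputDebugString(szMsg);
    }
    return ((FNNTSETVALUEKEY)pfnNtSetValueKey)(KeyHandle, ValueName, TitleIndex, Type, Data, DataSize);
}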
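// DLL entry point. On attach it records the module handle and, only when the
// host executable is regedit.exe, allocates the NtQueryObject buffer and
// patches ntdll!NtSetValueKey so that HookNtSetValueKey runs first. On detach
// it removes the message hook (if this process installed one) and frees the
// buffer. Returns 1 (TRUE) in every case, so loading never fails.
// NOTE(review): the patch made by x64HookNtApi is never restored here; if
// regedit unloads this DLL the patched NtSetValueKey still jumps to the
// unmapped address. The copy in pfnNtSetValueKey holds the original bytes.
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, PVOID pvReserved)
{
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        DisableThreadLibraryCalls(hModule);
        hDll = hModule;
        TCHAR szModuleFile[MAX_PATH] = { 0 };
        GetModuleFileName(NULL, szModuleFile, _countof(szModuleFile));
        LPTSTR lpszFileName = PathFindFileName(szModuleFile);
        if (StrCmpI(lpszFileName, TEXT("regedit.exe")) == 0)
        {
            // Allocate the buffer the hook reads BEFORE the patch goes live; with
            // the previous order a call arriving in between saw pKeyName == NULL.
            pKeyName = (PUNICODE_STRING)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 2048);
            if (pKeyName != NULL)
            {
                pfnNtSetValueKey = x64HookNtApi(TEXT("NTDLL.DLL"), "NtSetValueKey", HookNtSetValueKey);
            }
        }
    }
    else if (dwReason == DLL_PROCESS_DETACH)
    {
        if (hHook != NULL)
        {
            UnhookWindowsHookEx(hHook);
            hHook = NULL;
        }
        if (pKeyName != NULL)
        {
            HeapFree(GetProcessHeap(), 0, pKeyName);
            pKeyName = NULL;
        }
    }
    return 1;
}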
#include <stdio.h>
#include <tchar.h>
#include <Windows.h>
#include <ntdll.h>
#include <Shlwapi.h>
#include <strsafe.h>
#pragma comment(lib, "shlwapi.lib")
// Heap copy of the first bytes of ntdll!NtSetValueKey, returned by x64HookNtApi
// and called by HookNtSetValueKey as the "original" function.
LPVOID pfnNtSetValueKey = 0;
// Signature used to call through pfnNtSetValueKey.
// NOTE(review): __fastcall is accepted but ignored by the x64 compiler, so on
// the 64-bit build this is simply the standard calling convention.
typedef NTSTATUS (__fastcall* FNNTSETVALUEKEY)(
IN HANDLE KeyHandle,
IN PUNICODE_STRING ValueName,
IN ULONG TitleIndex OPTIONAL,
IN ULONG Type,
IN PVOID Data,
IN ULONG DataSize);
// Overwrites the first Len bytes of lpszDll!lpszFunc in this process with an
// absolute jump to FakeFunc and returns a heap copy of the bytes it replaced.
// Returns 0 when the export cannot be resolved (GetModuleHandle failing makes
// GetProcAddress fail as well).
// The 14-byte sequence FF 25 00 00 00 00 <imm64> is "jmp qword ptr [rip+0]"
// followed by the target address; the remaining Len-14 bytes stay 0x90. Nothing
// checks that Len >= 14.
// NOTE(review): the returned copy is later CALLED as the original function
// (see HookNtSetValueKey). It contains no jump back to pfn+Len, so this only
// works if the whole original routine fits in Len bytes and returns within
// them — version-dependent for the ntdll syscall stub; TODO confirm.
// NOTE(review): dwOldProtect is reused for the heap block, and no code on this
// page restores pfn's original protection: the patched page stays RWX, and the
// heap page holding the copy is made RWX too.
LPVOID x64HookNtApi(LPCTSTR lpszDll, LPCSTR lpszFunc, LPVOID FakeFunc, int Len = 16)
{
DWORD dwOldProtect = 0;
LPVOID pfn = GetProcAddress(GetModuleHandle(lpszDll), lpszFunc);
if (!pfn)
{
return 0;
}
VirtualProtect(pfn, Len, PAGE_EXECUTE_READWRITE, &dwOldProtect); // return value unchecked
LPVOID OldCode = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Len); // unchecked: NULL here faults in memcpy
memcpy(OldCode, pfn, Len);
memset(pfn, 0x90, Len);
memcpy(pfn, "\xff\x25\x00\x00\x00\x00", 6);
*(PINT64)((INT64)pfn + 6) = (INT64)FakeFunc;
FlushInstructionCache(GetCurrentProcess(), pfn, Len);
VirtualProtect(OldCode, Len, PAGE_EXECUTE_READWRITE, &dwOldProtect); // make the saved bytes callable
return OldCode;
}
// 2048-byte buffer allocated in DllMain for NtQueryObject(ObjectNameInformation);
// the cast relies on the returned structure starting with a UNICODE_STRING.
// Shared by every thread that enters HookNtSetValueKey, with no synchronization.
PUNICODE_STRING pKeyName;
// Message buffer formatted by HookNtSetValueKey; likewise shared and unsynchronized.
TCHAR szMsg[2048] = { 0 };
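// Replacement for ntdll!NtSetValueKey installed by x64HookNtApi. Logs the key
// name, value name and (for REG_DWORD / REG_SZ) the value through
// OutputDebugString, then calls the saved original bytes with the unchanged
// arguments and returns their result. Parameters are those of NtSetValueKey;
// the call itself is only observed, never altered.
// The REG_DWORD case previously hit `break` before its StringCchPrintf (the
// statement was unreachable) and passed the Data pointer itself to %d; it now
// prints the value, and only when DataSize covers it. The UNICODE_STRING
// buffers are not guaranteed to be NUL-terminated, so every string is printed
// with an explicit length (Length/DataSize are in bytes), and a message is
// emitted only when one was formatted for this call, never a stale one.
// NOTE(review): szMsg and pKeyName are process-wide globals without locking,
// so concurrent calls from several threads can interleave here.
// NOTE(review): assumes REG_SZ data arriving at the native API is UTF-16 — TODO confirm.
NTSTATUS __fastcall HookNtSetValueKey(
IN HANDLE KeyHandle,
IN PUNICODE_STRING ValueName,
IN ULONG TitleIndex OPTIONAL,
IN ULONG Type,
IN PVOID Data,
IN ULONG DataSize)
{
    ULONG Len = 2048; // size of the pKeyName buffer from DllMain; receives the returned length
    BOOL bHaveMsg = FALSE;
    if (pKeyName != NULL && ValueName != NULL
        && NtQueryObject(KeyHandle, ObjectNameInformation, pKeyName, Len, &Len) == 0)
    {
        const int cchKey = (int)(pKeyName->Length / sizeof(WCHAR));
        const int cchVal = (int)(ValueName->Length / sizeof(WCHAR));
        switch (Type)
        {
        case REG_DWORD: // integer data
            if (Data != NULL && DataSize >= sizeof(DWORD))
            {
                StringCchPrintf(szMsg, _countof(szMsg), TEXT("KeyName:%.*ls ValueName:%.*ls Values:%d"), cchKey, pKeyName->Buffer, cchVal, ValueName->Buffer, *(int*)Data);
                bHaveMsg = TRUE;
            }
            break;
        case REG_SZ: // string data, bounded by DataSize instead of trusting a terminator
            if (Data != NULL)
            {
                StringCchPrintf(szMsg, _countof(szMsg), TEXT("KeyName:%.*ls ValueName:%.*ls Values:%.*ls"), cchKey, pKeyName->Buffer, cchVal, ValueName->Buffer, (int)(DataSize / sizeof(WCHAR)), (const WCHAR*)Data);
                bHaveMsg = TRUE;
            }
            break;
        default:
            break;
        }
    }
    if (bHaveMsg)
    {
        OutputDebugString(szMsg);
    }
    return ((FNNTSETVALUEKEY)pfnNtSetValueKey)(KeyHandle, ValueName, TitleIndex, Type, Data, DataSize);
}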
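// DLL entry point. On attach, and only when the host executable is regedit.exe,
// it allocates the NtQueryObject buffer and patches ntdll!NtSetValueKey so that
// HookNtSetValueKey runs first. Returns 1 (TRUE) in every case, so loading
// never fails.
// NOTE(review): there is no DLL_PROCESS_DETACH handling in this version: the
// patch is never restored and pKeyName is never freed. If regedit unloads this
// DLL the patched NtSetValueKey still jumps to the unmapped address; the copy
// in pfnNtSetValueKey holds the original bytes.
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, PVOID pvReserved)
{
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        DisableThreadLibraryCalls(hModule);
        TCHAR szModuleFile[MAX_PATH] = { 0 };
        GetModuleFileName(NULL, szModuleFile, _countof(szModuleFile));
        LPTSTR lpszFileName = PathFindFileName(szModuleFile);
        if (StrCmpI(lpszFileName, TEXT("regedit.exe")) == 0)
        {
            // Allocate the buffer the hook reads BEFORE the patch goes live; with
            // the previous order a call arriving in between saw pKeyName == NULL.
            pKeyName = (PUNICODE_STRING)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 2048);
            if (pKeyName != NULL)
            {
                pfnNtSetValueKey = x64HookNtApi(TEXT("NTDLL.DLL"), "NtSetValueKey", HookNtSetValueKey);
            }
        }
    }
    return 1;
}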