調(diào)用 DLL 中的函數(shù)即可;可以自行擴(kuò)展要 hook 的函數(shù),這里只 hook 了 RegCreateKeyEx。(Call the DLL's exported functions; the set of hooked APIs can be extended as needed — only RegCreateKeyEx is hooked here.) 一、HOOK DLL 的編寫:
#include <windows.h>
#include <Tlhelp32.h>
#include <stdio.h>
#include <string.h>
-
-
// Module handle of this DLL, recorded in DllMain and passed to SetWindowsHookEx.
HINSTANCE glhInstance=NULL;

// First 5 bytes of RegCreateKeyExA as read by Init() (written back by HookOff),
// and the 5-byte relative JMP that Inject() writes over them.
BYTE g_OldRegCreateKeyExCode[5] = {0};
BYTE g_NewRegCreateKeyExCode[5] = {0};

// Address of advapi32!RegCreateKeyExA, resolved in Init().
FARPROC FuncAddr = NULL;
// Process id recorded by ShellProc; only used in the log text.
DWORD PID=0;
// Number of intercepted calls so far; only the first one shows a MessageBox.
int count=0;
// Process handle the patch/unpatch routines write through. Set by ShellProc,
// closed by Inject().
// NOTE(review): none of these globals is in the shared section, so they are
// per process; they are read and written from whichever thread happens to
// call RegCreateKeyExA, with no synchronisation.
HANDLE hProcess;
-
// Snapshot of one RegCreateKeyEx argument list. MyRegCreateKeyEx copies the
// caller's arguments in here before forwarding them to the real API.
typedef struct tagReg_Info
{
HKEY hKey;
LPCTSTR lpSubKey;
DWORD Reserved;
LPTSTR lpClass;
DWORD dwOptions;
REGSAM samDesired;
LPSECURITY_ATTRIBUTES lpSecurityAttributes;

PHKEY phkResult;
LPDWORD lpdwDisposition;
}Reg_Info;

// Single global snapshot -- not per thread, so two concurrent intercepted
// calls overwrite each other's arguments here.
Reg_Info RegInfo;
-
-
// `hook` is placed in a named section that the linker flags Read/Write/Shared,
// so every process that loads this DLL (all of them, once the WH_SHELL hook is
// installed) sees the same HHOOK value. That is what lets UnSetHook run from a
// different process than the one that called SetHook.
// NOTE(review): a writable shared section is a well-known hardening gap: any
// process the DLL is loaded into, including a low-privilege one, can overwrite
// this value for all the others.
#pragma data_seg("mydata")
HHOOK hook=NULL;
#pragma data_seg()
#pragma comment(linker,"/SECTION:mydata,RWS")
-
-
// Exported entry points for the controlling program.
_declspec (dllexport) bool Inject();     // write the JMP into RegCreateKeyExA of `hProcess`
_declspec (dllexport) bool SetHook();    // install the system-wide WH_SHELL hook
_declspec (dllexport) bool UnSetHook();  // remove it
bool Init();                             // resolve the target, save its bytes, build the JMP

// Replacement function the patched RegCreateKeyExA jumps to.
// NOTE(review): RegCreateKeyExA is WINAPI (__stdcall) and the patch is a JMP,
// not a CALL, so the code the JMP lands in must also be __stdcall. Without a
// calling-convention specifier this prototype is __cdecl (unless the project
// is built with /Gz), in which case the 9 argument words are never popped and
// the caller's stack is left unbalanced. It should read `LONG WINAPI`.
LONG MyRegCreateKeyEx(
HKEY hKey,
LPCTSTR lpSubKey,
DWORD Reserved,
LPTSTR lpClass,
DWORD dwOptions,
REGSAM samDesired,
LPSECURITY_ATTRIBUTES lpSecurityAttributes,

PHKEY phkResult,
LPDWORD lpdwDisposition
);


// Writes the saved original bytes back so the real API can be called.
LONG HookOff();
// WH_SHELL callback, executed inside every hooked process; performs the
// patch when it sees HSHELL_WINDOWCREATED.
LRESULT CALLBACK ShellProc(
int nCode,
WPARAM wParam,
LPARAM lParam
);
-
-
-
// DLL entry point. Its only job is to remember this module's handle so that
// SetHook() can hand it to SetWindowsHookEx(). The attach/detach reason is
// not inspected and the call always reports success.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    (void)fdwReason;
    (void)lpvReserved;

    glhInstance = hinstDLL;
    return TRUE;
}
-
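// Installs the inline hook: overwrites the first 5 bytes of RegCreateKeyExA in
// the process referred to by `hProcess` with the JMP prepared by Init().
// Returns true when the JMP is in place, false if the target could not be
// resolved, there is no process handle, or any memory API fails. Exported so a
// loader can call it directly.
//
// Changes vs. the original:
//  * Init() is only run while FuncAddr is still NULL. Inject() is called again
//    after every intercepted call, and re-reading the target's bytes once the
//    JMP is installed would record our own JMP as the "original" code, after
//    which HookOff() could never restore the API.
//  * The page is made PAGE_EXECUTE_READWRITE rather than PAGE_READWRITE; the
//    old value briefly removed execute permission from a live advapi32 code
//    page, which any other thread executing code on that page would hit.
//  * Every API result is checked, the old protection is restored on the
//    failure path too, and the instruction cache is flushed after the write.
//  * The process handle is no longer closed here. HookOff() and the next
//    Inject() use the same global handle, so closing it left them writing
//    through a dead handle; whoever opened the handle owns it.
//  * The per-call CRITICAL_SECTION was a local variable and therefore never
//    excluded anything. It is dropped rather than replaced: the real race (a
//    second thread calling the API while the patch is half applied) needs a
//    process-wide design change, not a lock around this write.
_declspec (dllexport) bool Inject()
{
    if (FuncAddr == NULL)
    {
        Init();
    }
    if (FuncAddr == NULL || hProcess == NULL)
    {
        return false;
    }

    DWORD oldProtect = 0;
    if (!VirtualProtectEx(hProcess, FuncAddr, 5, PAGE_EXECUTE_READWRITE, &oldProtect))
    {
        return false;
    }

    SIZE_T written = 0;
    bool ok = WriteProcessMemory(hProcess, FuncAddr, g_NewRegCreateKeyExCode, 5, &written) != FALSE
              && written == 5;

    DWORD ignored = 0;
    VirtualProtectEx(hProcess, FuncAddr, 5, oldProtect, &ignored);

    if (ok)
    {
        // The write went through a data mapping; make sure the CPU does not
        // keep executing the stale prologue from its instruction cache.
        FlushInstructionCache(hProcess, FuncAddr, 5);
    }
    return ok;
}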
-
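// Installs the system-wide WH_SHELL hook (thread id 0 = every thread on the
// calling desktop). Windows then loads this DLL into each process that
// creates a top-level window, and ShellProc patches RegCreateKeyExA there.
// Returns true when a hook is installed. Exported.
//
// Fix vs. the original: if `hook` is already set the call is a no-op that
// returns true. Installing a second hook would orphan the first one, because
// UnSetHook only knows about the single HHOOK stored in the shared section.
// NOTE(review): this is a global code-injection mechanism; every bug in this
// DLL runs inside every GUI process of the session.
_declspec (dllexport) bool SetHook()
{
    if (hook != NULL)
    {
        return true;
    }

    hook = SetWindowsHookEx(WH_SHELL, ShellProc, glhInstance, 0);
    if (hook == NULL)
    {
        ::MessageBox(NULL, "SetWindowsHookEx!", "Error!", MB_ICONERROR);
        return false;
    }
    return true;
}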
-
-
-
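// Removes the WH_SHELL hook installed by SetHook. Returns true only if a hook
// was installed and UnhookWindowsHookEx succeeded; returns false (without a
// dialog) when there is nothing to remove. Because `hook` lives in the shared
// section this may be called from a different process than SetHook.
//
// Fix vs. the original: `hook` is reset to NULL after a successful unhook, so
// a repeated call does not pass a stale HHOOK to UnhookWindowsHookEx and a
// later SetHook can install a fresh hook.
_declspec (dllexport) bool UnSetHook()
{
    if (hook == NULL)
    {
        return false;
    }

    if (!UnhookWindowsHookEx(hook))
    {
        ::MessageBox(NULL, "UnhookWindowsHookEx!", "Error!", MB_ICONERROR);
        return false;
    }

    hook = NULL;
    return true;
}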
-
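// WH_SHELL callback, executed inside every process that receives a shell
// notification. The first HSHELL_WINDOWCREATED seen in a process patches
// RegCreateKeyExA there; everything is always forwarded to the next hook.
//
// Changes vs. the original:
//  * The current process is addressed through the GetCurrentProcess()
//    pseudo-handle (full access, nothing to leak and nothing to close)
//    instead of a new OpenProcess(PROCESS_ALL_ACCESS) handle per window
//    creation, which was never released once Inject() had run.
//  * Init() is no longer called here and then again inside Inject().
//  * The patch is applied once per process instead of on every window
//    creation. Re-running Init() on an already patched function captured our
//    own JMP as the "original" bytes, after which HookOff() restored the JMP
//    and every intercepted call recursed into itself.
LRESULT CALLBACK ShellProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    // Per process: this DLL's ordinary statics are not in the shared section.
    static bool s_patched = false;

    if (nCode == HSHELL_WINDOWCREATED && !s_patched)
    {
        PID = GetCurrentProcessId();
        hProcess = GetCurrentProcess();
        s_patched = Inject();
    }
    return CallNextHookEx(hook, nCode, wParam, lParam);
}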
-
-
-
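// Replacement for RegCreateKeyExA. The patched API JMPs here, so the
// arguments are exactly the caller's. Builds a one-line description of the
// root key and subkey (shown in a MessageBox for the first intercepted call
// only, as before), temporarily restores the real API, calls it, re-installs
// the hook and returns the API's result.
//
// Changes vs. the original:
//  * The root-key tests are one if/else-if chain. The old code used separate
//    ifs with a lone `else` on the HKEY_CURRENT_CONFIG test, so HKLM, HKU and
//    HKCR were all reported as HKEY_CURRENT_USER.
//  * The text is built with _snprintf into the fixed buffer. lpSubKey is
//    caller-controlled and of unbounded length, so sprintf could overrun the
//    1000-byte buffer; a NULL lpSubKey no longer reaches %s.
//  * PID (a DWORD) is printed with %lu.
//  * The two Sleep(1000) calls around the real API are gone, and the
//    arguments are forwarded directly instead of through the global RegInfo,
//    which a concurrent intercepted call could overwrite.
//  * The real API is only called if HookOff() actually removed the JMP;
//    otherwise the call would re-enter this function without bound.
//
// NOTE(review): the unhook/call/rehook scheme leaves a window in which another
// thread's RegCreateKeyExA call goes straight to the API unlogged; a
// permanently installed hook with a per-thread re-entrancy flag would close
// it and avoid changing page protection twice per call.
// NOTE(review): MessageBox from inside an arbitrary hooked process (possibly
// under the loader lock or on a thread without a message loop) can deadlock.
// NOTE(review): this function should be declared `LONG WINAPI` -- the API it
// replaces is __stdcall and a JMP keeps the caller's frame; it is left as the
// prototype above declares it so the file keeps compiling.
LONG MyRegCreateKeyEx(
    HKEY hKey,
    LPCTSTR lpSubKey,
    DWORD Reserved,
    LPTSTR lpClass,
    DWORD dwOptions,
    REGSAM samDesired,
    LPSECURITY_ATTRIBUTES lpSecurityAttributes,

    PHKEY phkResult,
    LPDWORD lpdwDisposition
    )
{
    // The API documents lpSubKey as non-NULL, but the value is whatever the
    // caller passed and %s on NULL is undefined behaviour.
    const char* subKey = (lpSubKey != NULL) ? lpSubKey : "(null)";

    char str[1000] = {0};
    if (hKey == HKEY_LOCAL_MACHINE)
    {
        _snprintf(str, sizeof(str) - 1,
                  "注冊表位置: HKEY_LOCAL_MACHINE\\%s \nRegedit is being Created !", subKey);
    }
    else if (hKey == HKEY_USERS)
    {
        _snprintf(str, sizeof(str) - 1,
                  "注冊表位置: HKEY_USERS\\%s \nRegedit is being Created !", subKey);
    }
    else if (hKey == HKEY_CLASSES_ROOT)
    {
        _snprintf(str, sizeof(str) - 1,
                  "注冊表位置: HKEY_CLASSES_ROOT\\%s \nRegedit is being Created !", subKey);
    }
    else if (hKey == HKEY_CURRENT_CONFIG)
    {
        _snprintf(str, sizeof(str) - 1,
                  "注冊表位置: HKEY_CURRENT_CONFIG\\%s \nRegedit is being Created !", subKey);
    }
    else
    {
        // Anything else (HKCU or an already-open key handle) is reported as
        // HKEY_CURRENT_USER, as before; only this branch also prints the PID.
        _snprintf(str, sizeof(str) - 1,
                  "注冊表位置: HKEY_CURRENT_USER\\%s \nRegedit is being Created !\nPID: %lu",
                  subKey, PID);
    }

    // Only the very first intercepted call pops a dialog; later ones are silent.
    if (count < 1)
    {
        ::MessageBox(NULL, str, "warning", MB_ICONWARNING);
    }
    count++;

    HookOff();
    if (FuncAddr != NULL &&
        memcmp((const void*)FuncAddr, g_NewRegCreateKeyExCode, sizeof(g_NewRegCreateKeyExCode)) == 0)
    {
        // HookOff did not take effect (for example it failed silently on a bad
        // process handle): the API still begins with our JMP, so calling it
        // would come straight back here. Fail the call instead of recursing.
        return ERROR_INVALID_FUNCTION;
    }

    LONG ret = RegCreateKeyEx(hKey, lpSubKey, Reserved, lpClass, dwOptions,
                              samDesired, lpSecurityAttributes, phkResult,
                              lpdwDisposition);
    Inject();
    return ret;
}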
-
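// Writes the original 5 bytes saved by Init() back over RegCreateKeyExA so the
// real API can be called. Returns 1 on success and 0 when there is no process
// handle or target address, or when a memory API fails. (The original
// returned 1 unconditionally, including on the early exit; callers in this
// file ignore the value, so the change is backward compatible.)
//
// Changes vs. the original: page protection is PAGE_EXECUTE_READWRITE rather
// than PAGE_READWRITE (which briefly made a live code page non-executable),
// all results are checked, protection is restored on every path, the
// instruction cache is flushed, and the local CRITICAL_SECTION -- a fresh
// object per call, so it never excluded anything -- is gone.
LONG HookOff()
{
    if (hProcess == NULL || FuncAddr == NULL)
    {
        return 0;
    }

    DWORD oldProtect = 0;
    if (!VirtualProtectEx(hProcess, FuncAddr, 5, PAGE_EXECUTE_READWRITE, &oldProtect))
    {
        return 0;
    }

    SIZE_T written = 0;
    bool ok = WriteProcessMemory(hProcess, FuncAddr, g_OldRegCreateKeyExCode, 5, &written) != FALSE
              && written == 5;

    DWORD ignored = 0;
    VirtualProtectEx(hProcess, FuncAddr, 5, oldProtect, &ignored);

    if (ok)
    {
        FlushInstructionCache(hProcess, FuncAddr, 5);
    }
    return ok ? 1 : 0;
}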
-
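// Landing pad for the JMP written over RegCreateKeyExA. It must use the same
// calling convention as the API it replaces (WINAPI / __stdcall): the JMP
// leaves the caller's frame untouched, and the caller expects the callee to
// pop the 9 arguments on return. MyRegCreateKeyEx is declared without WINAPI
// above (so __cdecl unless the project builds with /Gz); forwarding to it with
// an ordinary call lets the compiler handle the convention either way.
static LONG WINAPI HookedRegCreateKeyEx(
    HKEY hKey,
    LPCTSTR lpSubKey,
    DWORD Reserved,
    LPTSTR lpClass,
    DWORD dwOptions,
    REGSAM samDesired,
    LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    PHKEY phkResult,
    LPDWORD lpdwDisposition)
{
    return MyRegCreateKeyEx(hKey, lpSubKey, Reserved, lpClass, dwOptions,
                            samDesired, lpSecurityAttributes, phkResult,
                            lpdwDisposition);
}

// Resolves advapi32!RegCreateKeyExA, saves its first 5 bytes into
// g_OldRegCreateKeyExCode and builds the 5-byte relative JMP (E9 rel32) to the
// hook in g_NewRegCreateKeyExCode. Returns true once FuncAddr and both byte
// arrays are valid; later calls return true immediately.
//
// Changes vs. the original:
//  * The function returns on every path (it used to fall off the end, so its
//    bool result was whatever happened to be in EAX).
//  * The original bytes are captured only once per process. Inject() calls
//    Init() again after every intercepted call, and re-reading a function
//    that already starts with our JMP recorded the JMP as the "original"
//    code, after which HookOff() was a no-op and the hook recursed forever.
//  * The module handle comes from GetModuleHandle, with LoadLibrary only as a
//    fallback, so each call no longer adds a reference to advapi32.
//  * The inline asm (movsd/movsb copy, lea/sub displacement) is plain C;
//    the resulting bytes are identical.
//  * The JMP targets HookedRegCreateKeyEx, a __stdcall landing pad (see above).
//
// NOTE(review): a 5-byte E9 rel32 patch only works when the target and the
// hook are within +/-2 GB, i.e. this is an x86-only design; the rest of the
// file (WH_SHELL into every process, shared section) assumes the same bitness.
// NOTE(review): overwriting 5 bytes assumes the prologue holds only
// position-independent instructions (e.g. the usual mov edi,edi / push ebp /
// mov ebp,esp hot-patch prologue); a relative branch in those bytes would
// need a real disassembler to relocate.
bool Init()
{
    static bool s_captured = false;
    if (s_captured)
    {
        return true;
    }

    HMODULE advapi = GetModuleHandle("Advapi32.dll");
    if (advapi == NULL)
    {
        advapi = LoadLibrary("Advapi32.dll");
    }
    if (advapi == NULL)
    {
        return false;
    }

    FARPROC target = GetProcAddress(advapi, "RegCreateKeyExA");
    if (target == NULL)
    {
        return false;
    }

    // Bytes that HookOff() puts back.
    memcpy(g_OldRegCreateKeyExCode, (const void*)target, sizeof(g_OldRegCreateKeyExCode));

    // JMP rel32: the displacement is relative to the end of the 5-byte
    // instruction, hence the +5.
    DWORD rel = (DWORD)((DWORD_PTR)HookedRegCreateKeyEx - ((DWORD_PTR)target + 5));
    g_NewRegCreateKeyExCode[0] = 0xE9;
    memcpy(&g_NewRegCreateKeyExCode[1], &rel, sizeof(rel));

    FuncAddr = target;
    s_captured = true;
    return true;
}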
|