EasyHook远路代码注入

2012-06-20

EasyHook远程代码注入最近一段时间由于使用MinHook的API挂钩不稳定，经常因为挂钩地址错误而导致宿主进程崩

EasyHook远程代码注入

最近一段时间由于使用MinHook的API挂钩不稳定，经常因为挂钩地址错误而导致宿主进程崩溃。听同事介绍了一款智能强大的挂钩引擎EasyHook。它比微软的detours好的一点是它的x64注入支持是免费开源的。不想微软的detours，想搞x64还得购买。

好了，闲话不多说，先下载EasyHook的开发库，当然有兴趣的同学可以下载源码进行学习。下载地址：http://easyhook.codeplex.com/releases/view/24401。我给的这个是2.6版本的。

EasyHook提供了两种模式的注入管理。一种是托管代码的注入，另一种是非托管代码的注入。我是学习C++的，所以直接学习了例子中的非托管项目UnmanagedHook。里面给了一个简单的挂钩MessageBeep API的示例。我需要将其改造成支持远程注入的。下面先给出钩子DLL代码：

BOOL RtlFileExists(WCHAR* InPath){HANDLE          hFile;if((hFile = CreateFileW(InPath, 0, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL)) == INVALID_HANDLE_VALUE)return FALSE;CloseHandle(hFile);return TRUE;}BOOL SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege){TOKEN_PRIVILEGES tp;HANDLE hToken;LUID luid;if( !OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken) ){return FALSE;}if( !LookupPrivilegeValue(NULL,             // lookup privilege on local systemlpszPrivilege,    // privilege to lookup &luid) )          // receives LUID of privilege{return FALSE; }tp.PrivilegeCount = 1;tp.Privileges[0].Luid = luid;if( bEnablePrivilege )tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;elsetp.Privileges[0].Attributes = 0;// Enable the privilege or disable all privileges.if( !AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES) NULL, (PDWORD) NULL) ){return FALSE; } if( GetLastError() == ERROR_NOT_ALL_ASSIGNED ){//The token does not have the specified privilege.return FALSE;} return TRUE;}typedef DWORD (WINAPI *PFNTCREATETHREADEX)(  PHANDLE                 ThreadHandle, ACCESS_MASK             DesiredAccess, LPVOID                  ObjectAttributes, HANDLE                  ProcessHandle, LPTHREAD_START_ROUTINE  lpStartAddress, LPVOID                  lpParameter, BOOL                CreateSuspended, DWORD                   dwStackSize, DWORD                   dw1,  DWORD                   dw2,  LPVOID                  Unknown  ); BOOL MyCreateRemoteThread(HANDLE hProcess, LPTHREAD_START_ROUTINE pThreadProc, LPVOID pRemoteBuf){HANDLE      hThread = NULL;FARPROC     pFunc = NULL;BOOL bHook;// 判断系统版本OSVERSIONINFO osvi;//BOOL bIsWindowsXPorLater;ZeroMemory(&osvi, sizeof(OSVERSIONINFO));osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);GetVersionEx(&osvi);if (osvi.dwMajorVersion == 6){bHook = TRUE;}else{bHook = FALSE;}if(bHook)    // Vista, 7, Server2008{pFunc = GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtCreateThreadEx");if( pFunc == NULL ){//GetLastError());return FALSE;}OutputDebugString(L"MyCreateRemoteThread");((PFNTCREATETHREADEX)pFunc)(&hThread,0x1FFFFF,NULL,hProcess,pThreadProc,pRemoteBuf,FALSE,NULL,NULL,NULL,NULL);if( hThread == NULL ){return FALSE;}}else                    // 2000, XP, Server2003{hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, pRemoteBuf, 0, NULL);if( hThread == NULL ){return FALSE;}}if( WAIT_FAILED == WaitForSingleObject(hThread, INFINITE) ){return FALSE;}return TRUE;}BOOL InjectDll(DWORD dwPID, const wchar_t *szDllName){HANDLE hProcess = NULL;LPVOID pRemoteBuf = NULL;FARPROC pThreadProc = NULL;DWORD dwBufSize = wcslen(szDllName)*sizeof(wchar_t)+2;if ( !(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)) ){return FALSE;}pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT, PAGE_READWRITE);WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)szDllName, dwBufSize, NULL);pThreadProc = GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryW");if( !MyCreateRemoteThread(hProcess, (LPTHREAD_START_ROUTINE)pThreadProc, pRemoteBuf) ){return FALSE;}VirtualFreeEx(hProcess, pRemoteBuf, dwBufSize, MEM_RELEASE);CloseHandle(hProcess);return TRUE;}int DoInject(DWORD aPid, const WCHAR *aFullpath){if (wcslen(aFullpath) <= 0){return -1;}//判断dll是否存在HANDLE hFile = CreateFile(aFullpath, GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE,NULL, OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);if(hFile != INVALID_HANDLE_VALUE){DWORD dwsize = GetFileSize(hFile, NULL);CloseHandle(hFile);if (dwsize < 10){return -2;}}else{return -3;}BOOL bSuc=SetPrivilege(SE_DEBUG_NAME, TRUE);bSuc=InjectDll((DWORD)aPid, aFullpath);if (bSuc){return -4;}return 0;}// 真实注入的时候应该这样调用DoInject(m_processId, L"E:\\src\\easyhook\\trunk\\Debug\\x86\\HookSvr.dll");

这样就能保证注入的钩子能正常工作了。

1楼Wentasy12小时前: 不错，学习了。

热点排行

其他相关

EasyHook远路代码注入