Windows function hooks fall roughly into two categories: hooks on a specific process and system-wide hooks. The usual approach for a per-process hook is to write a DLL that hooks the target function, then use DLL injection to load it into the target process. System-wide hooks generally use the AppInit DLLs mechanism, which is probably the simplest way to achieve global DLL injection; Microsoft clearly recognised this weakness too and began restricting AppInit DLLs on Windows 10 (see the AppInit_Dlls registry value and Microsoft's official documentation, AppInit DLLs and Secure Boot). This article uses the MinHook library to implement a per-process hook.
Background: a friend bought a tutorial from a forum, but the forum supplied its own player for it. As a result every playback requires an online check, and if the player detects a running screen-recording program it kills that program. API Logger was first used to trace the player process's function calls, which showed that the player enumerates processes with CreateToolhelp32Snapshot and, when it finds a screen-recording program, kills it with OpenProcess followed by TerminateProcess. The approach taken here is to hook OpenProcess in the player process and return an invalid handle whenever it tries to open any process other than itself.
- Hooking OpenProcess with MinHook
```cpp
#include <windows.h>
#include "MinHook.h"

// Signature of kernel32!OpenProcess; pfOpenProcess receives MinHook's trampoline to the original.
typedef HANDLE (WINAPI *OpenProcessFunc)(DWORD, BOOL, DWORD);
OpenProcessFunc pfOpenProcess = NULL;

// Detour: only a request to open the current process is passed through to the real OpenProcess.
HANDLE WINAPI FuckOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
{
    if (dwProcessId == GetCurrentProcessId())
    {
        return pfOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
    }
    else // Any attempt to open another process fails with an empty handle
    {
        // OpenProcess signals failure with NULL, not INVALID_HANDLE_VALUE, so NULL is what
        // makes the caller's normal "if (hProcess == NULL)" check take the failure path.
        SetLastError(ERROR_ACCESS_DENIED);
        return NULL;
    }
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        if (MH_Initialize() != MH_OK)
            return FALSE;
        // Resolve kernel32!OpenProcess by name, install the detour and keep the trampoline.
        if (MH_CreateHookApi(L"kernel32", "OpenProcess", reinterpret_cast<LPVOID>(&FuckOpenProcess),
                             reinterpret_cast<LPVOID*>(&pfOpenProcess)) != MH_OK)
            return FALSE;
        // Enable every hook created above (avoids mismatching the target address).
        if (MH_EnableHook(MH_ALL_HOOKS) != MH_OK)
            return FALSE;
        break;
    }
    case DLL_PROCESS_DETACH:
    {
        MH_DisableHook(MH_ALL_HOOKS);
        MH_Uninitialize();
        break;
    }
    }
    return TRUE;
}
```
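Installing the detour above rewrites the first bytes of OpenProcess with a relative JMP, which is also what a defender looks for when checking whether a process has been tampered with. The following is an added example, not code from the original post: InspectPrologue decodes a function's first bytes and reports whether they jump out of the exporting module, and CheckOpenProcess applies that to OpenProcess in the calling process (the function names, the sample byte patterns and the addresses are constructed for this example).

```cpp
#include <cstdint>
#include <cstring>
#ifdef _WIN32
#include <windows.h>
#endif
struct HookCheck {
    bool      patched;      // first instruction is a JMP, i.e. an inline hook was written
    uintptr_t target;       // absolute address the JMP lands on (0 when not patched)
    bool      leavesModule; // target lies outside the image of the module holding the code
};
// Decode the first `len` bytes of the function at `funcAddr` and compare the jump target with
// the module range [modBase, modBase+modSize). MinHook writes "E9 rel32" at the entry; its
// hot-patch variant writes a short "EB rel8" jump into the padding just above the function.
HookCheck InspectPrologue(const uint8_t* code, size_t len, uintptr_t funcAddr,
                          uintptr_t modBase, size_t modSize)
{
    HookCheck r = { false, 0, false };
    if (len >= 5 && code[0] == 0xE9) {            // JMP rel32: target = next_ip + rel32
        int32_t rel; memcpy(&rel, code + 1, sizeof rel);
        r.patched = true;
        r.target  = funcAddr + 5 + (intptr_t)rel;
    } else if (len >= 2 && code[0] == 0xEB) {     // JMP rel8: target = next_ip + rel8
        r.patched = true;
        r.target  = funcAddr + 2 + (int8_t)code[1];
    }
    if (r.patched)
        r.leavesModule = r.target < modBase || r.target >= modBase + modSize;
    return r;
}
// Constructed sample prologues (not captured from a live process), all as if located at
// 0x10001000 inside a module [0x10000000, 0x10100000): a detour to 0x20005000 outside the
// module, a jump to 0x10000500 inside it, and an ordinary x64 "mov [rsp+8], rbx" entry.
const uint8_t kSample[3][5] = { { 0xE9, 0xFB, 0x3F, 0x00, 0x10 },
                                { 0xE9, 0xFB, 0xF4, 0xFF, 0xFF },
                                { 0x48, 0x89, 0x5C, 0x24, 0x08 } };
#ifdef _WIN32
// Live check of OpenProcess in this process; the kernel32 export may be forwarded into
// KernelBase, so the image range is taken from whichever module really holds the code.
HookCheck CheckOpenProcess()
{
    FARPROC fn = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "OpenProcess");
    HMODULE owner = NULL;
    if (!fn || !GetModuleHandleExW(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
                                   GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
                                   reinterpret_cast<LPCWSTR>(fn), &owner))
        return HookCheck{ false, 0, false };
    PIMAGE_NT_HEADERS nt = reinterpret_cast<PIMAGE_NT_HEADERS>(     // SizeOfImage lives here
        reinterpret_cast<BYTE*>(owner) + reinterpret_cast<PIMAGE_DOS_HEADER>(owner)->e_lfanew);
    return InspectPrologue(reinterpret_cast<const uint8_t*>(fn), 16, reinterpret_cast<uintptr_t>(fn),
                           reinterpret_cast<uintptr_t>(owner), nt->OptionalHeader.SizeOfImage);
}
#endif
```

A clean OpenProcess yields patched=false; after the detour DLL above is loaded, CheckOpenProcess reports patched=true with a target outside kernel32's (or KernelBase's) image, which is the signal a monitoring tool would raise.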
- Injecting the DLL into the process with Remote DLL
Remote DLL download: https://securityxploded.com/remotedll.php
Screenshots of the tool in use: