采用 API hook 技术对 WriteFile 函数进行拦截(2)
内容充实的生命就是长久的生命，我们要以此而不是以时间来衡量生命。http://www.cnblogs.com/zhxfl/archive/2011/11/03/2233846.html 这是笔者之前写过的 WriteFile HOOK 代码（第一部分）。
凡建树功业者，以立品为始基。从来有学问而能担当大事业者，无不先从品德上立定脚跟。
必须补充对下面这几个函数（WriteFileEx、WriteFileGather，以及 GetProcAddress / LoadLibrary 系列）的 HOOK，才能对 WriteFile 的所有操作做“比较彻底的拦截”。笔者知道应用层（用户态）的拦截很容易出现漏掉的情况——IAT hook 只能看到经由 kernel32 导入表的调用，直接调用 ntdll 的 NtWriteFile、自行解析导出表或使用绑定导入的代码都不会经过这里——只有编写驱动做文件过滤才会有比较好的效果。不过在实现那个之前，想先在应用层做好这些实验，看一下效果。
具体的 API 函数参数可以在 http://msdn.microsoft.com/en-us/library/aa365749%28VS.85%29.aspx 查到：
BOOL WriteFileEx(
HANDLE hFile,
LPCVOID lpBuffer,
DWORD nNumberOfBytesToWrite,
LPOVERLAPPED lpOverlapped,
LPOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
);
BOOL WINAPI WriteFileGather( __in HANDLE hFile, __in FILE_SEGMENT_ELEMENT aSegmentArray[], __in DWORD nNumberOfBytesToWrite, __reserved LPDWORD lpReserved, __inout LPOVERLAPPED lpOverlapped);
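#include <windows.h>
#include <ImageHlp.h>
#include <TlHelp32.h>
#include <stdio.h>
#pragma comment(lib,"ImageHlp")

/*
 * User-mode WriteFile interception by IAT patching (part 2 of the article).
 *
 * The DLL is injected into every GUI process on the desktop through a global
 * WH_GETMESSAGE hook (SetHook). Inside each process, DllMain rewrites the
 * import address table of every loaded module so that kernel32!WriteFile,
 * WriteFileEx, WriteFileGather, GetProcAddress and the LoadLibrary family
 * resolve to the My* replacements below. The write hooks only report the
 * target path and then forward the call; nothing is blocked.
 *
 * Security caveat: an IAT hook sees only calls that go through a module's
 * kernel32 import table. Code that calls ntdll!NtWriteFile directly, issues
 * raw syscalls, resolves exports by hand, or was bound at link time is not
 * intercepted. A file-system filter driver is the robust place for this,
 * which is the conclusion the article itself reaches.
 */

// hhk lives in a named section that the linker marks read/write/shared
// (/Section:Shared,rws), so every process that maps this DLL sees the same
// hook handle. Any process the DLL is injected into — including low-privilege
// ones — can overwrite it, so nothing trusted may ever be kept in this section.
#pragma data_seg("Shared")
HHOOK hhk = NULL;
#pragma data_seg()
#pragma comment(linker, "/Section:Shared,rws")

HMODULE hmodThisDll;            // this DLL's module handle; set in DllMain, excluded from patching
#define MyName "DLL.DLL"        // file name this DLL is built under (kept for reference)

// Single spelling for the kernel32 import descriptor. The original mixed
// "kernel32.DLL" and "KERNEL32.DLL"; ModifyIAT compares case-insensitively so
// both worked, but one constant is easier to audit.
static const char kKernel32[] = "KERNEL32.DLL";

// Minimal NT definitions for NtQueryInformationFile(FileNameInformation).
// Information is ULONG_PTR in the real IO_STATUS_BLOCK; the original declared
// it LONG, which only has the right size on 32-bit builds (the kernel writes
// the whole structure).
typedef struct _IO_STATUS_BLOCK {
    LONG      Status;
    ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef struct _FILE_NAME_INFORMATION {
    ULONG FileNameLength;       // length of FileName in BYTES; FileName is not NUL-terminated
    WCHAR FileName[MAX_PATH];
} FILE_NAME_INFORMATION;

// FILE_INFORMATION_CLASS value for FileNameInformation (the literal 9 the
// original pushed in inline assembly).
static const ULONG kFileNameInformation = 9;

// NTSTATUS NTAPI NtQueryInformationFile(FileHandle, IoStatusBlock,
//     FileInformation, Length, FileInformationClass)
// A typed pointer replaces the original's x86-only __asm call sequence; the
// stdcall contract is the same, but this also builds for x64.
typedef LONG (NTAPI *PFN_ZwQueryInformationFile)(HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG, ULONG);

FARPROC ZwQueryInformationFile;  // resolved lazily from ntdll on first use

// Resolve the full DOS path ("C:\dir\file.txt") of an open file handle.
// Strategy (pre-Vista, no GetFinalPathNameByHandle): match the handle's volume
// serial number against every logical drive, then append the volume-relative
// path returned by ZwQueryInformationFile(FileNameInformation).
//
// hFile      : open file handle; directory handles are rejected.
// szFullPath : caller-supplied buffer of at least MAX_PATH bytes, receives the
//              ANSI path. Left untouched on failure.
// Returns TRUE on success.
//
// Limits: the first drive whose serial number matches wins (serial numbers are
// not guaranteed unique), and names longer than MAX_PATH WCHARs make
// ZwQueryInformationFile fail, so they are reported as "not resolved".
BOOL GetVolumeNameByHandle(HANDLE hFile, char *szFullPath)
{
    BY_HANDLE_FILE_INFORMATION lpFileInformation;
    // Not a file handle, or a directory handle: nothing to resolve.
    if(!GetFileInformationByHandle(hFile, &lpFileInformation) ||
       (lpFileInformation.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)){
        return FALSE;
    }

    // GetLogicalDriveStringsA fills "A:\<NUL>B:\<NUL>C:\<NUL>...<NUL>",
    // i.e. a fixed 4-byte stride per drive.
    char szBuf[500];
    memset(szBuf, 0, sizeof(szBuf));
    if(!::GetLogicalDriveStringsA(sizeof(szBuf) - 1, szBuf))
        return FALSE;

    for(int i = 0; szBuf[i]; i += 4){
        // Skip floppy drives: rarely used and very slow to query.
        if(!stricmp(&(szBuf[i]), "A:\\") || !stricmp(&(szBuf[i]), "B:\\"))
            continue;

        DWORD dwVolumeSerialNumber;
        if(!GetVolumeInformationA(&(szBuf[i]), NULL, 0, &dwVolumeSerialNumber,
                                  NULL, NULL, NULL, 0))
            continue;
        if(dwVolumeSerialNumber != lpFileInformation.dwVolumeSerialNumber)
            continue;

        // Found the drive: "C:\" -> "C:" (the NT name below starts with '\').
        char szVolumeName[4];
        memset(szVolumeName, 0, sizeof(szVolumeName));
        strcpy(szVolumeName, &(szBuf[i]));
        szVolumeName[strlen(szVolumeName) - 1] = '\0';

        // ntdll is mapped in every process, so GetModuleHandle suffices and
        // there is no reference to release (the original LoadLibrary'd it and
        // leaked that reference on the success path).
        if(!ZwQueryInformationFile){
            HMODULE hNt = GetModuleHandleA("ntdll.dll");
            if(hNt)
                ZwQueryInformationFile = ::GetProcAddress(hNt, "ZwQueryInformationFile");
        }
        if(!ZwQueryInformationFile)
            return FALSE;

        IO_STATUS_BLOCK isb;
        FILE_NAME_INFORMATION fni;
        LONG status = ((PFN_ZwQueryInformationFile)ZwQueryInformationFile)(
            hFile, &isb, &fni, sizeof(fni), kFileNameInformation);
        if(status != 0)              // 0 == STATUS_SUCCESS
            return FALSE;

        // FileNameLength is in bytes. Clamp the terminator index: a name of
        // exactly MAX_PATH WCHARs would otherwise write one past the array.
        DWORD cch = fni.FileNameLength / sizeof(WCHAR);
        if(cch >= MAX_PATH)
            cch = MAX_PATH - 1;
        fni.FileName[cch] = 0;

        char szFilePath[MAX_PATH + 1];
        memset(szFilePath, 0, sizeof(szFilePath));
        WideCharToMultiByte(CP_ACP, 0, fni.FileName, -1, szFilePath,
                            sizeof(szFilePath) - 1, NULL, NULL);

        // Bounded copy: the callers pass a MAX_PATH-byte buffer, and "C:" plus a
        // MAX_PATH-byte name overran the original's plain sprintf by two bytes.
        _snprintf(szFullPath, MAX_PATH - 1, "%s%s", szVolumeName, szFilePath);
        szFullPath[MAX_PATH - 1] = '\0';
        return TRUE;
    }
    // No drive matched the handle's volume.
    return FALSE;
}

// WH_GETMESSAGE hook procedure. It only chains to the next hook: the hook
// exists so that Windows maps this DLL into every GUI process, where DllMain
// performs the IAT patching.
LRESULT CALLBACK GetMsgProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    return CallNextHookEx(hhk, nCode, wParam, lParam);
}

// Shared reporting for the three write hooks: show the resolved path, or
// "HOOK" when the handle's path could not be resolved.
// NOTE: a modal MessageBox inside a WriteFile hook blocks the writing thread
// of every hooked process; it is a debugging aid only and should become
// OutputDebugString/a log file before any real use.
static void ReportWrite(HANDLE hFile)
{
    char szFullPath[MAX_PATH];
    memset(szFullPath, 0, sizeof(szFullPath));
    if(GetVolumeNameByHandle(hFile, szFullPath))
        MessageBoxA(NULL, szFullPath, "DLL", MB_OK);
    else
        MessageBoxA(NULL, "HOOK", "DLL", MB_OK);
}

// Replacement for kernel32!WriteFile, installed into every module's IAT.
// WINAPI (__stdcall) is mandatory: the original omitted it on MyWriteFile and
// MyWriteFileEx, making them __cdecl while their callers use the __stdcall
// convention of the real export. The callee then never pops its arguments and
// the caller's stack is left unbalanced on every hooked write.
// Forwards to the real WriteFile; our own IAT is never patched (see
// ModifyIATs), so this call does not recurse.
BOOL WINAPI MyWriteFile(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite,
                        LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped)
{
    ReportWrite(hFile);
    return WriteFile(hFile, lpBuffer, nNumberOfBytesToWrite, lpNumberOfBytesWritten, lpOverlapped);
}

// Replacement for kernel32!WriteFileEx (asynchronous write with completion
// routine). Same logging and pass-through as MyWriteFile.
BOOL WINAPI MyWriteFileEx(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite,
                          LPOVERLAPPED lpOverlapped, LPOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine)
{
    ReportWrite(hFile);
    return WriteFileEx(hFile, lpBuffer, nNumberOfBytesToWrite, lpOverlapped, lpCompletionRoutine);
}

// Replacement for kernel32!WriteFileGather (scatter/gather write). Same logging
// and pass-through as MyWriteFile.
BOOL WINAPI MyWriteFileGather(HANDLE hFile, FILE_SEGMENT_ELEMENT aSegmentArray[],
                              DWORD nNumberOfBytesToWrite, LPDWORD lpReserved, LPOVERLAPPED lpOverlapped)
{
    ReportWrite(hFile);
    return WriteFileGather(hFile, aSegmentArray, nNumberOfBytesToWrite, lpReserved, lpOverlapped);
}

// Patch one module's import address table: the first IAT slot of the
// szDllName descriptor that currently holds pfnOrg is overwritten with pfnNew.
// hmodCaller : module whose IAT is patched; NULL (failed load) is a no-op.
// szDllName  : import descriptor name, compared case-insensitively.
// pfnOrg     : pointer currently in the slot (NULL, e.g. an export missing on
//              this OS, is a no-op rather than a search for a null slot).
// pfnNew     : replacement pointer.
// The IAT is normally read-only after load; WriteProcessMemory on the current
// process is used because it performs the protection change for us.
VOID ModifyIAT(HMODULE hmodCaller, LPCSTR szDllName, PROC pfnOrg, PROC pfnNew)
{
    if(!hmodCaller || !pfnOrg || !pfnNew)
        return;

    ULONG ulSize;
    PIMAGE_IMPORT_DESCRIPTOR pIID = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(
        hmodCaller, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize);
    if(!pIID)
        return;

    // Find the descriptor for the DLL we care about.
    for( ; pIID->Name; pIID++){
        if(!lstrcmpiA(szDllName, (LPCSTR)((PBYTE)hmodCaller + pIID->Name)))
            break;
    }
    if(!pIID->Name)
        return;

    // Walk its bound thunks and swap the matching function pointer.
    PIMAGE_THUNK_DATA pITD = (PIMAGE_THUNK_DATA)((PBYTE)hmodCaller + pIID->FirstThunk);
    for( ; pITD->u1.Function; pITD++){
        PROC* ppfn = (PROC*)&pITD->u1.Function;
        if(*ppfn == pfnOrg){
            WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew, sizeof(pfnNew), NULL);
            return;
        }
    }
}

// Apply ModifyIAT to every module currently loaded in this process, except
// this DLL itself: its imports must keep pointing at the real functions so the
// hooks can forward to them.
VOID ModifyIATs(LPCSTR szDllName, PROC pfnOrg, PROC pfnNew)
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId());
    if(hSnapshot == INVALID_HANDLE_VALUE)
        return;     // the original went on to CloseHandle(INVALID_HANDLE_VALUE)

    MODULEENTRY32 me32;
    me32.dwSize = sizeof(me32);
    for(BOOL fOk = Module32First(hSnapshot, &me32); fOk; fOk = Module32Next(hSnapshot, &me32)){
        if(me32.hModule != hmodThisDll)
            ModifyIAT(me32.hModule, szDllName, pfnOrg, pfnNew);
    }
    CloseHandle(hSnapshot);
}

// Replacement for GetProcAddress, so a module that resolves the write APIs at
// run time instead of importing them still receives the hooks. The original
// redirected WriteFile only; WriteFileEx/WriteFileGather are added so dynamic
// lookups match what the IAT patches cover. Lookups of LoadLibrary* and
// GetProcAddress themselves are deliberately left alone.
FARPROC WINAPI MyGetProcAddress(HMODULE hModule, LPCSTR lpProcName)
{
    // lpProcName is an ordinal when its value fits in 16 bits. The original
    // passed it straight to lstrcmpiA, which dereferences it and faults.
    if((ULONG_PTR)lpProcName > 0xFFFF && hModule == GetModuleHandleA(kKernel32)){
        if(!lstrcmpiA(lpProcName, "WriteFile"))
            return (FARPROC)MyWriteFile;
        if(!lstrcmpiA(lpProcName, "WriteFileEx"))
            return (FARPROC)MyWriteFileEx;
        if(!lstrcmpiA(lpProcName, "WriteFileGather"))
            return (FARPROC)MyWriteFileGather;
    }
    return GetProcAddress(hModule, lpProcName);
}

static void HookModule(HMODULE hmod);

// Replacements for the four LoadLibrary entry points. After the real load the
// new module's own IAT is patched so writes from late-loaded DLLs are seen too.
// Gap (unchanged from the original): only the requested module is patched;
// dependencies the loader brings in with it are not.
// On a failed load HookModule returns immediately, so the caller still sees the
// loader's GetLastError value.
HMODULE WINAPI MyLoadLibraryA(LPCSTR lpLibFileName)
{
    HMODULE hmod = LoadLibraryA(lpLibFileName);
    HookModule(hmod);
    return hmod;
}

HMODULE WINAPI MyLoadLibraryW(LPCWSTR lpLibFileName)
{
    HMODULE hmod = LoadLibraryW(lpLibFileName);
    HookModule(hmod);
    return hmod;
}

HMODULE WINAPI MyLoadLibraryExA(LPCSTR lpFileName, HANDLE hFile, DWORD dwFlags)
{
    HMODULE hmod = LoadLibraryExA(lpFileName, hFile, dwFlags);
    HookModule(hmod);
    return hmod;
}

HMODULE WINAPI MyLoadLibraryExW(LPCWSTR lpFileName, HANDLE hFile, DWORD dwFlags)
{
    HMODULE hmod = LoadLibraryExW(lpFileName, hFile, dwFlags);
    HookModule(hmod);
    return hmod;
}

// Every kernel32 export we intercept, paired with its replacement. One table
// drives installation (DLL_PROCESS_ATTACH and newly loaded modules) and removal
// (DLL_PROCESS_DETACH), so the paths cannot drift apart as in the original,
// where a freshly loaded module received only four of the eight hooks.
struct HookEntry {
    LPCSTR szExport;
    PROC   pfnHook;
};

static const HookEntry g_hooks[] = {
    { "WriteFile",       (PROC)MyWriteFile       },
    { "WriteFileEx",     (PROC)MyWriteFileEx     },
    { "WriteFileGather", (PROC)MyWriteFileGather },
    { "GetProcAddress",  (PROC)MyGetProcAddress  },
    { "LoadLibraryA",    (PROC)MyLoadLibraryA    },
    { "LoadLibraryW",    (PROC)MyLoadLibraryW    },
    { "LoadLibraryExA",  (PROC)MyLoadLibraryExA  },
    { "LoadLibraryExW",  (PROC)MyLoadLibraryExW  },
};
static const size_t kHookCount = sizeof(g_hooks) / sizeof(g_hooks[0]);

// Install every hook into one module. Skipped for NULL (the load failed) and
// for this DLL itself: the original patched whatever handle LoadLibrary
// returned, so a hooked process calling LoadLibrary("DLL.DLL") would have
// rewritten our own IAT and turned each hook into an infinite self-call.
static void HookModule(HMODULE hmod)
{
    if(!hmod || hmod == hmodThisDll)
        return;
    HMODULE hK32 = GetModuleHandleA(kKernel32);
    for(size_t i = 0; i < kHookCount; ++i)
        ModifyIAT(hmod, kKernel32, GetProcAddress(hK32, g_hooks[i].szExport), g_hooks[i].pfnHook);
}

// Patch every loaded module (except ourselves) with all hooks.
static void InstallAllHooks()
{
    HMODULE hK32 = GetModuleHandleA(kKernel32);
    for(size_t i = 0; i < kHookCount; ++i)
        ModifyIATs(kKernel32, GetProcAddress(hK32, g_hooks[i].szExport), g_hooks[i].pfnHook);
}

// Reverse InstallAllHooks: put the real kernel32 pointers back.
static void RemoveAllHooks()
{
    HMODULE hK32 = GetModuleHandleA(kKernel32);
    for(size_t i = 0; i < kHookCount; ++i)
        ModifyIATs(kKernel32, g_hooks[i].pfnHook, GetProcAddress(hK32, g_hooks[i].szExport));
}

// Install a system-wide WH_GETMESSAGE hook (thread id 0 = every thread on the
// desktop) with this DLL as the hook module. This is the injection vector:
// Windows maps the DLL into each process that pumps messages, running DllMain
// — and therefore InstallAllHooks — there. Processes without a message loop
// (console programs, services) are never reached, one more reason a user-mode
// hook cannot be comprehensive.
// hmodThisDll is already set by DllMain by the time any export can be called,
// so the original's LoadLibrary(MyName)/FreeLibrary pair is unnecessary.
extern "C" __declspec(dllexport) VOID SetHook()
{
    if(hhk)
        return;     // already installed somewhere (hhk is shared across processes)
    hhk = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc, hmodThisDll, 0);
}

// Remove the global hook. hhk is reset so a later SetHook can reinstall; the
// original left the stale handle behind, making SetHook a permanent no-op.
extern "C" __declspec(dllexport) VOID UnHook()
{
    if(hhk){
        UnhookWindowsHookEx(hhk);
        hhk = NULL;
    }
}

// DLL entry point. On attach, patch every already-loaded module so the write
// and loader APIs go through our hooks; on detach, restore the originals.
// Caveat: this runs under the loader lock. Taking a module snapshot
// (CreateToolhelp32Snapshot, inside ModifyIATs) from DllMain is discouraged by
// Microsoft and can deadlock; the article reports instability, and this is a
// plausible contributor alongside the calling-convention bug fixed above.
BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpvReserved)
{
    hmodThisDll = hInstance;
    switch(dwReason){
    case DLL_PROCESS_ATTACH:
        InstallAllHooks();
        break;
    case DLL_PROCESS_DETACH:
        RemoveAllHooks();
        break;
    }
    return TRUE;
}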
这样进行了比较全面的拦截，不过会造成系统不稳定，特别是 LoadLibraryExA 和 LoadLibraryExW 函数的拦截（代码层面有两个可疑之处：MyWriteFile / MyWriteFileEx 没有声明 WINAPI 调用约定，与 stdcall 的原函数不匹配，每次被调用都会破坏调用方栈；另外 DllMain 中在加载器锁下调用 CreateToolhelp32Snapshot，也是微软明确不建议的做法）。另外令人纠结的是 fopen 打开的文件的写操作没有拦截成功，自然 freopen 这些重定向的也不能成功了（一个可能的原因是 CRT 的写入带缓冲，只在刷新缓冲区或 fclose 时才真正调用 WriteFile，仅供参考）。所以用应用层 DLL 注入的办法实现文件 write 的过滤是很不合理的想法，很难做到全面的拦截，并且会影响系统的正常运行。在这个实验里，不得不承认 API hook 技术无法承担全面文件过滤这个重担，看来只有驱动层（文件系统过滤驱动）才能够实现真正意义上的完全文件过滤。