Detours应用实例Hook CryptSignAndEncryptMessage截取消息


由于需要查看通信过程中的明文协议,但是抓包发现有点问题,在OD下跟了下,发现使用了微软的CryptSignAndEncryptMessage对数据包进行了加密,并没有其他附加处理,那么索性使用Detours拦截这个函数,然后将相关协议数据写入文件。

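#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <malloc.h>
#define SECURITY_WIN32
#include <sspi.h>
#pragma comment(lib, "Secur32.lib")
#include "detours.h"
#pragma comment(lib, "detours.lib")
#pragma comment(lib, "detoured.lib")

#ifdef _MANAGED
#pragma managed(push, off)
#endif

// Detours expects the injected DLL to export at least one symbol; an empty one is enough.
// `__declspec` is the documented spelling; the single-underscore `_declspec` is only a
// compatibility alias and is rejected under /Za.
extern "C" __declspec(dllexport) VOID NullExport();
VOID NullExport()
{
}

// SecHandle / SecBuffer / SecBufferDesc / EncryptMessage all come from <sspi.h>; the
// hand-copied declarations that used to sit here (commented out) are not needed.

// Signature of the routine being detoured. It must match EncryptMessage exactly, including
// the SEC_ENTRY (stdcall) convention, so that calling through the pointer keeps the stack
// balanced. The original typedef omitted SEC_ENTRY although hook_decode below declares it.
typedef SECURITY_STATUS (SEC_ENTRY *Func_decode)(PCtxtHandle phContext, ULONG fQOP, PSecBufferDesc pMessage, ULONG MessageSeqNo);

// Hard-coded address of the target routine in the author's build of the hooked module.
// NOTE(review): valid only for that exact build and load base; under ASLR or after a rebuild
// it points elsewhere, so resolving the address at runtime would be more robust.
#define DECODE 0x10050B79

// Starts as the raw target address; after DetourAttach it holds the trampoline to the original.
Func_decode decode = (Func_decode)DECODE;

// Detour body. Appends the buffers of pMessage (still plaintext at this point) to result.txt
// in the hooked process's current directory, then resumes the original routine.
// The original wrote only pBuffers[0] and ignored cBuffers; every buffer is written here.
// If header/trailer buffers turn out to be noise for this provider, filtering on
// BufferType == SECBUFFER_DATA is the usual refinement.
// Returns whatever the original routine returns.
LONG SEC_ENTRY hook_decode(PCtxtHandle phContext, ULONG fQOP, PSecBufferDesc pMessage, ULONG MessageSeqNo)
{
    if (pMessage != NULL && pMessage->pBuffers != NULL && pMessage->cBuffers > 0) {
        FILE *fp = NULL;
        // "ab": the original used "wb+", which truncated the file on every call, so only the
        // last message ever survived. fopen_s is checked; the original passed a possibly
        // uninitialised fp to fwrite/fclose.
        if (fopen_s(&fp, "result.txt", "ab") == 0 && fp != NULL) {
            for (unsigned long i = 0; i < pMessage->cBuffers; i++) {
                const SecBuffer *buf = &pMessage->pBuffers[i];
                if (buf->pvBuffer != NULL && buf->cbBuffer > 0) {
                    // Write straight from the SSPI buffer: the malloc+NUL copy the original
                    // made was unchecked and appended a stray 0x00 byte to binary data.
                    fwrite(buf->pvBuffer, 1, buf->cbBuffer, fp);
                }
            }
            fclose(fp);
        }
    }
    // Resume through the trampoline rather than calling EncryptMessage directly: the
    // trampoline runs whatever was at DECODE, and if that is EncryptMessage itself a
    // direct call would re-enter this hook.
    return decode(phContext, fQOP, pMessage, MessageSeqNo);
}

// Installs (flag != FALSE) or removes the detour on `decode`. Detours rewrites `decode`
// to point at the trampoline on attach and back to the original on detach.
// A failed attach/detach is aborted instead of committed (the original ignored every result).
void SetHook(BOOL flag)
{
    if (flag) {
        DetourRestoreAfterWith();
    }
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    LONG rc = flag ? DetourAttach(&(PVOID&)decode, hook_decode)
                   : DetourDetach(&(PVOID&)decode, hook_decode);
    if (rc == NO_ERROR) {
        DetourTransactionCommit();
    } else {
        DetourTransactionAbort();
    }
}

// DLL entry point: hook on process attach, unhook on process detach.
// Thread attach must NOT run SetHook(TRUE) again (the original did): a second DetourAttach
// on an already-detoured pointer detours the trampoline itself. Thread notifications are
// switched off entirely since nothing here needs them.
INT APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)lpReserved;
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        DisableThreadLibraryCalls(hModule);
        SetHook(TRUE);
        break;
    case DLL_PROCESS_DETACH:
        SetHook(FALSE);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    default:
        break;
    }
    return TRUE;
}

#ifdef _MANAGED
#pragma managed(pop)
#endif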

将代码编译成dll后,注入到相关进程中就OK了。没有对代码进行注释,截取部分说明下。

如下:因为目标进程使用了CryptSignAndEncryptMessage函数,所以需要相关结构;加之使用静态Detours库,也要进行引入。

#define SECURITY_WIN32#include <sspi.h>#pragma comment(lib, "Secur32.lib")#include "detours.h"#pragma comment(lib, "detours.lib")#pragma comment(lib, "detoured.lib")

Detours规定,注入目标进程的dll需要有一个导出函数,这里写空函数就好。

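// Detours expects the injected DLL to export at least one symbol; an empty one is enough.
// `__declspec` is the documented spelling; the single-underscore `_declspec` is only a
// compatibility alias and is rejected under /Za.
extern "C" __declspec(dllexport) VOID NullExport();
VOID NullExport()
{
}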

因为需要保持栈平衡,所以函数原型一定要正确,不过这个函数有MSDN的说明,就非常好定义了。

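// Signature of the routine being detoured. It must match EncryptMessage exactly, including
// the SEC_ENTRY (stdcall) convention, so that calling through the pointer keeps the stack
// balanced. The original typedef omitted SEC_ENTRY although hook_decode declares it.
typedef SECURITY_STATUS (SEC_ENTRY *Func_decode)(PCtxtHandle phContext, ULONG fQOP, PSecBufferDesc pMessage, ULONG MessageSeqNo);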

函数指针,这个就不多解释了。

// Hard-coded address of the target routine in the author's build of the hooked module.
// NOTE(review): valid only for that exact build and load base; under ASLR or after a rebuild
// it points elsewhere, so resolving the address at runtime would be more robust.
#define DECODE 0x10050B79
// Starts as the raw target address; after DetourAttach it holds the trampoline to the original.
Func_decode decode = (Func_decode)DECODE;

HOOK后重写的函数。因为直接 return 了对原函数的调用结果,所以不需要另行平衡栈;如果没有这一步,就需要手动平衡栈,否则会引起程序崩溃。

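// Detour body. Appends the buffers of pMessage (still plaintext at this point) to result.txt
// in the hooked process's current directory, then resumes the original routine.
// The original wrote only pBuffers[0] and ignored cBuffers; every buffer is written here.
// If header/trailer buffers turn out to be noise for this provider, filtering on
// BufferType == SECBUFFER_DATA is the usual refinement.
// Returns whatever the original routine returns.
LONG SEC_ENTRY hook_decode(PCtxtHandle phContext, ULONG fQOP, PSecBufferDesc pMessage, ULONG MessageSeqNo)
{
    if (pMessage != NULL && pMessage->pBuffers != NULL && pMessage->cBuffers > 0) {
        FILE *fp = NULL;
        // "ab": the original used "wb+", which truncated the file on every call, so only the
        // last message ever survived. fopen_s is checked; the original passed a possibly
        // uninitialised fp to fwrite/fclose.
        if (fopen_s(&fp, "result.txt", "ab") == 0 && fp != NULL) {
            for (unsigned long i = 0; i < pMessage->cBuffers; i++) {
                const SecBuffer *buf = &pMessage->pBuffers[i];
                if (buf->pvBuffer != NULL && buf->cbBuffer > 0) {
                    // Write straight from the SSPI buffer: the malloc+NUL copy the original
                    // made was unchecked and appended a stray 0x00 byte to binary data.
                    fwrite(buf->pvBuffer, 1, buf->cbBuffer, fp);
                }
            }
            fclose(fp);
        }
    }
    // Resume through the trampoline rather than calling EncryptMessage directly: the
    // trampoline runs whatever was at DECODE, and if that is EncryptMessage itself a
    // direct call would re-enter this hook.
    return decode(phContext, fQOP, pMessage, MessageSeqNo);
}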

当然这个SetHook() 函数,就是使用Detours的所在了,其实过程很简单,套用就好。

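// Installs (flag != FALSE) or removes the detour on `decode`. Detours rewrites `decode`
// to point at the trampoline on attach and back to the original on detach.
// A failed attach/detach is aborted instead of committed (the original ignored every result).
void SetHook(BOOL flag)
{
    if (flag) {
        DetourRestoreAfterWith();
    }
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    LONG rc = flag ? DetourAttach(&(PVOID&)decode, hook_decode)
                   : DetourDetach(&(PVOID&)decode, hook_decode);
    if (rc == NO_ERROR) {
        DetourTransactionCommit();
    } else {
        DetourTransactionAbort();
    }
}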

最后设置好dll的接口,附加的时候,开启HOOK,卸载时关闭HOOK。

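// DLL entry point: hook on process attach, unhook on process detach.
// Thread attach must NOT run SetHook(TRUE) again (the original did): a second DetourAttach
// on an already-detoured pointer detours the trampoline itself. Thread notifications are
// switched off entirely since nothing here needs them.
INT APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)lpReserved;
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        DisableThreadLibraryCalls(hModule);
        SetHook(TRUE);
        break;
    case DLL_PROCESS_DETACH:
        SetHook(FALSE);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    default:
        break;
    }
    return TRUE;
}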

嗯,就是将一百多行的代码贴了下,希望能给需要的人予以帮助。

相关工程文件,在这里下载。
