HOOK API is an eternal topic: without hooking, many techniques would be hard to implement, and some could not be implemented at all.
The "API" discussed here is API in the broad sense. It covers interrupts under DOS, and under Windows the API functions, interrupt services, IFS and NDIS filters, and so on. For instance, the instant-translation software everyone knows works by hooking TextOut() and ExtTextOut(): before the operating system outputs text through these two functions, the corresponding English is swapped for Chinese, which gives on-the-fly translation. IFS and NDIS filters work the same way: before the disk is read or written, or data is sent or received, the system calls a callback supplied by a third party to decide whether the operation may proceed. This differs from an ordinary hook in that it is sanctioned by the operating system, which provides an interface for installing the callback.
One could even say that without hooking there would be no viruses, because whether under DOS or under Windows, viruses rely on hooking system services to do their work: DOS viruses hook INT 21 to infect files (file viruses) and INT 13 to infect the boot sector (boot-sector viruses); Windows viruses hook system APIs (at ring 0 as well as ring 3) or install an IFS (the method CIH used) to infect files. So it is fair to say: "without HOOK there would be no colorful software world as we know it today".
Because of patents, intellectual property and trade secrets, Microsoft has never encouraged hooking its system APIs; the IFS, NDIS and other filter interfaces were opened only to meet the needs of anti-virus software and firewalls. So most of the time, hooking an API has to be done with your own resources.
HOOK API has one principle: the original function of the hooked API must not be affected in any way. It is like a doctor saving a patient: if the virus in the patient's body is killed but the patient dies too, the "rescue" is meaningless.
If, after hooking an API, you have achieved your goal but the API's original function is broken, that is not a HOOK but a REPLACE; the normal operation of the system is affected and it may even crash.
The technique of hooking an API is, in the abstract, not complicated: it is the technique of changing program flow. The CPU instruction set has a few instructions that change flow: JMP, CALL, INT, RET, RETF, IRET and so on. In theory, altering any machine code at the API's entry or exit can serve as a hook, but in practice it is much more complicated, because the following problems have to be handled well:
1. Instruction length. On a 32-bit system a JMP/CALL rel32 instruction is 5 bytes long, so you may only overwrite a single instruction of at least 5 bytes, or a run of whole instructions whose lengths add up to at least 5 bytes (padding any remainder with NOPs). Otherwise the instructions following a sub-5-byte patch are corrupted, the program flow is disrupted and the result is unpredictable.
2. Parameters. To access the original API's parameters you have to reference them through EBP or ESP, so you must know exactly what EBP/ESP hold at the point where your hook code runs (the hook itself may already have pushed a return address or saved registers).
3. Timing. Some hooks must sit at the API's entry and some at its exit. Take CreateFileA(): if you hook at the exit, you can no longer stop the file from being written, or even from being opened. With recv(), a hook at the entry runs before any data has arrived, so looking at recv()'s receive buffer there naturally shows nothing you want; you must let recv() run normally and hook at its exit, where the buffer holds the data you are after.
4. Context. Some hook code must not perform certain operations, or it destroys the original API's context and the API stops working.
5. Synchronization. Avoid global variables in hook code and use locals instead (the API may be executing on several threads at once); this is also a requirement of modular programming.
6. Finally, the original function of the CPU instructions you replaced must be reproduced somewhere in the hook code.
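As an added example (not code from the original article), here is the common "patch the first 5 bytes" hook applied to the send() listing below, built the way points 1 and 6 demand: the patch covers whole instructions, and the stolen instructions are re-executed in a trampoline before control returns to the API. The bytes and instruction lengths are those of the listing; 71A20400 is the hook address the article uses, while the trampoline address 71A20500 is an assumption. The hook code itself would end with popad followed by a jmp to the trampoline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original article. Builds a 5-byte entry
 * hook for ws2_32!send while respecting instruction boundaries (point 1)
 * and re-executing the stolen instructions in a trampoline (point 6). */

#define JMP_REL32 0xE9
#define NOP       0x90
#define JMP_LEN   5

#define SEND_ENTRY 0x71A21AF4u   /* ws2_32!send, from the listing */
#define HOOK_ADDR  0x71A20400u   /* hook code address used by the article */
#define TRAMP_ADDR 0x71A20500u   /* trampoline address: an assumption */

/* push ebp; mov ebp,esp; sub esp,10h; push esi; push edi; xor edi,edi */
static const uint8_t send_prologue[] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x56, 0x57, 0x33, 0xFF
};
static const int send_insn_len[] = { 1, 2, 3, 1, 1, 2 };   /* from the listing */

/* Store the rel32 of a 5-byte JMP/CALL at `at` that must land on `target`.
 * The displacement is relative to the END of the instruction. */
static void put_rel32(uint8_t *disp, uint32_t at, uint32_t target) {
    uint32_t d = target - (at + JMP_LEN);
    for (int i = 0; i < 4; i++)
        disp[i] = (uint8_t)(d >> (8 * i));
}

/* How many bytes to steal: whole instructions until at least 5 bytes.
 * Returns 0 if that run contains a CALL/JMP/Jcc, whose displacement would
 * be wrong when copied to the trampoline (it would need re-encoding), or
 * if the function is too short to hold the patch. */
static int stolen_length(const uint8_t *code, const int *lens, int ninsn) {
    int off = 0;
    for (int i = 0; i < ninsn && off < JMP_LEN; i++) {
        uint8_t op = code[off];
        int relative = op == 0xE8 || op == 0xE9 || op == 0xEB ||
                       (op & 0xF0) == 0x70 ||
                       (op == 0x0F && lens[i] >= 2 && (code[off + 1] & 0xF0) == 0x80);
        if (relative)
            return 0;
        off += lens[i];
    }
    return off >= JMP_LEN ? off : 0;
}

/* Entry patch: JMP hook, then NOPs up to the next instruction boundary. */
static int build_entry_patch(uint8_t *out, int stolen) {
    out[0] = JMP_REL32;
    put_rel32(out + 1, SEND_ENTRY, HOOK_ADDR);
    memset(out + JMP_LEN, NOP, stolen - JMP_LEN);
    return stolen;
}

/* Trampoline: the stolen instructions, then JMP back into send() right
 * after the patched region, so the API continues unchanged. */
static int build_trampoline(uint8_t *out, const uint8_t *code, int stolen) {
    memcpy(out, code, stolen);
    out[stolen] = JMP_REL32;
    put_rel32(out + stolen + 1, TRAMP_ADDR + stolen, SEND_ENTRY + stolen);
    return stolen + JMP_LEN;
}

static void dump(const char *what, uint32_t at, const uint8_t *b, int n) {
    printf("%-10s @%08X:", what, at);
    for (int i = 0; i < n; i++)
        printf(" %02X", b[i]);
    printf("\n");
}

int main(void) {
    uint8_t patch[16], tramp[32];
    int stolen = stolen_length(send_prologue, send_insn_len, 6);
    if (stolen == 0) {
        puts("cannot hook: relative branch or too few bytes in prologue");
        return 1;
    }
    dump("patch", SEND_ENTRY, patch, build_entry_patch(patch, stolen));
    dump("trampoline", TRAMP_ADDR, tramp, build_trampoline(tramp, send_prologue, stolen));
    return 0;
}
```

For send() the first three instructions (1 + 2 + 3 bytes) are stolen, so the patch is E9 rel32 plus one NOP, and the trampoline is those 6 bytes followed by a JMP to 71A21AFA. The relative-branch check is only the opcode test a hand-written hook can afford; a production hook uses a length disassembler, which is exactly the "you must know the instruction lengths" cost the text warns about.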
The following uses send() in ws2_32.dll as an example of how to hook a function:
Exported fn(): send - Ord:0013h
Address   Machine code   Assembly
:71A21AF4 55 push ebp //machine code to be hooked (method 1)
:71A21AF5 8BEC mov ebp, esp //machine code to be hooked (method 2)
:71A21AF7 83EC10 sub esp, 00000010
:71A21AFA 56 push esi
:71A21AFB 57 push edi
:71A21AFC 33FF xor edi, edi
:71A21AFE 813D1C20A371931CA271 cmp dword ptr [71A3201C], 71A21C93 //machine code to be hooked (method 4)
:71A21B08 0F84853D0000 je 71A25893
:71A21B0E 8D45F8 lea eax, dword ptr [ebp-08]
:71A21B11 50 push eax
:71A21B12 E869F7FFFF call 71A21280
:71A21B17 3BC7 cmp eax, edi
:71A21B19 8945FC mov dword ptr [ebp-04], eax
:71A21B1C 0F85C4940000 jne 71A2AFE6
:71A21B22 FF7508 push [ebp+08]
:71A21B25 E826F7FFFF call 71A21250
:71A21B2A 8BF0 mov esi, eax
:71A21B2C 3BF7 cmp esi, edi
:71A21B2E 0F84AB940000 je 71A2AFDF
:71A21B34 8B4510 mov eax, dword ptr [ebp+10]
:71A21B37 53 push ebx
:71A21B38 8D4DFC lea ecx, dword ptr [ebp-04]
:71A21B3B 51 push ecx
:71A21B3C FF75F8 push [ebp-08]
:71A21B3F 8D4D08 lea ecx, dword ptr [ebp+08]
:71A21B42 57 push edi
:71A21B43 57 push edi
:71A21B44 FF7514 push [ebp+14]
:71A21B47 8945F0 mov dword ptr [ebp-10], eax
:71A21B4A 8B450C mov eax, dword ptr [ebp+0C]
:71A21B4D 51 push ecx
:71A21B4E 6A01 push 00000001
:71A21B50 8D4DF0 lea ecx, dword ptr [ebp-10]
:71A21B53 51 push ecx
:71A21B54 FF7508 push [ebp+08]
:71A21B57 8945F4 mov dword ptr [ebp-0C], eax
:71A21B5A 8B460C mov eax, dword ptr [esi+0C]
:71A21B5D FF5064 call [eax+64]
:71A21B60 8BCE mov ecx, esi
:71A21B62 8BD8 mov ebx, eax
:71A21B64 E8C7F6FFFF call 71A21230 //machine code to be hooked (method 3)
:71A21B69 3BDF cmp ebx, edi
:71A21B6B 5B pop ebx
:71A21B6C 0F855F940000 jne 71A2AFD1
:71A21B72 8B4508 mov eax, dword ptr [ebp+08]
:71A21B75 5F pop edi
:71A21B76 5E pop esi
:71A21B77 C9 leave
:71A21B78 C21000 ret 0010
Below are four ways to hook this API:
1. Replace the first instruction at the API entry, PUSH EBP (machine code 0x55), with INT 3 (machine code 0xCC), then use the debugging functions Windows provides to run your own code. This is the method debuggers such as SoftICE use: BPX sets a breakpoint by planting an INT 3 at the chosen location. It is not recommended, because it conflicts with Windows and with debugging tools, and assembly code almost always has to be debugged.
2. Replace the second instruction, mov ebp,esp (machine code 8BEC, 2 bytes), with INT F0 (machine code CDF0), then set up an interrupt gate in the IDT that points at our code. Here is a hook:
lea ebp,[esp+12] //reproduce the original mov ebp,esp (see the caveat below)
pushfd //save state
pushad //save state
//do what you want here
popad //restore state
popfd //restore state
iretd //return to the instruction after the original one and continue the function (at 71A21AF7)
This method works well, but its drawback is that it needs an interrupt gate in the IDT, i.e. you have to get into ring 0. One caveat on the first instruction: lea ebp,[esp+12] reproduces mov ebp,esp only if INT F0 executes without a privilege change, because then just EFLAGS, CS and EIP (12 bytes) were pushed on the same stack. When a ring 3 caller such as ws2_32.dll's send() traps into a ring 0 gate, the CPU switches to the ring 0 stack and also pushes SS and the old ESP, so the value the original instruction would have stored is the saved ESP at [esp+12]; use mov ebp,[esp+12] there instead, and remember that the API's parameters then live on that ring 3 stack, not on the one the hook is running on.
3. Change the relative address of a CALL instruction. There are CALLs at 71A21B12, 71A21B25 and 71A21B64, but a conditional jump precedes each of the first two, so they may never be reached; therefore we hook the CALL at 71A21B64. Why pick on CALL instructions? Because they are 5-byte instructions, and as long as the opcode 0xE8 is kept and only the relative address after it is changed, control goes to our hook code, at the end of which we jump on to the original target.
Suppose our hook code is at 71A20400. We change the CALL at 71A21B64 to CALL 71A20400 (the original instruction is CALL 71A21230), and the hook code at 71A20400 is:
71A20400:
pushad
//do what you want here
popad
jmp 71A21230 //jump to the target of the original CALL (the original instruction was call 71A21230)
The CALL already pushed the return address 71A21B69 before control arrived here, so after the JMP the target's RET lands back in send() as if nothing had happened; pushad/popad also preserve ECX, which the listing loads with ESI just before the CALL. This method is well hidden, but it is harder to find such a 5-byte CALL, and computing the relative address is more involved (rel32 = target - (address of the CALL + 5)).
4. Replace the instruction cmp dword ptr [71A3201C], 71A21C93 at 71A21AFE (machine code 813D1C20A371931CA271, 10 bytes) with
call 71A20400
nop
nop
nop
nop
nop
(machine code: E8 XX XX XX XX 90 90 90 90 90, 10 bytes)
The hook code at 71A20400 is:
pushad
mov edx,71A3201Ch //reproduce the original cmp dword ptr [71A3201C], 71A21C93
cmp dword ptr [edx],71A21C93h //reproduce the original cmp dword ptr [71A3201C], 71A21C93
pushfd
//do what you want here
popfd
popad
ret
The CMP is re-executed inside the hook and its result is kept by pushfd/popfd (popad does not touch EFLAGS), so the je at 71A21B08 that follows the NOPs still sees the correct flags. This method is the best hidden, but not every API contains an instruction like this; you have to act according to the specific situation.
The methods above are the common ones. It is worth mentioning that many people simply overwrite the first 5 bytes of the API, but nowadays many anti-virus products check exactly those bytes to detect whether an API has been hooked, and another virus or trojan may already have changed the first 5 bytes before you; the patches then overwrite each other, and only the last hook installed takes effect!
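As a second added example (again not from the original article), here is the address arithmetic behind method 3 (re-pointing a CALL's rel32) and method 4 (CALL plus NOPs over the 10-byte CMP), followed by the other side of the closing paragraph: the check an anti-virus engine performs by comparing the loaded prologue of send() against the bytes of the DLL on disk and reporting where any CALL/JMP patch leads. Addresses and bytes are taken from the listing above; 71A20400 is the hook address the article assumes, and the reference bytes are hard-coded here where an engine would read them from ws2_32.dll.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original article: rel32 arithmetic for
 * methods 3 and 4 on ws2_32!send, plus a prologue-integrity check. */

#define SEND_ENTRY 0x71A21AF4u
#define HOOK_ADDR  0x71A20400u

/* Reference bytes at 71A21AF4..71A21B07 from the listing; an AV engine
 * would take them from ws2_32.dll on disk rather than hard-code them. */
static const uint8_t send_ref[20] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x56, 0x57, 0x33, 0xFF,
    0x81, 0x3D, 0x1C, 0x20, 0xA3, 0x71, 0x93, 0x1C, 0xA2, 0x71
};

/* Where a 5-byte E8/E9 at `at` with little-endian displacement `disp` lands. */
static uint32_t rel32_target(uint32_t at, const uint8_t *disp) {
    uint32_t d = (uint32_t)disp[0] | (uint32_t)disp[1] << 8 |
                 (uint32_t)disp[2] << 16 | (uint32_t)disp[3] << 24;
    return at + 5 + d;
}

/* Displacement for a 5-byte E8/E9 at `at` that must land on `target`. */
static void rel32_encode(uint8_t *disp, uint32_t at, uint32_t target) {
    uint32_t d = target - (at + 5);
    for (int i = 0; i < 4; i++)
        disp[i] = (uint8_t)(d >> (8 * i));
}

/* Method 3: keep opcode E8, change only the displacement. Refuses anything
 * that is not CALL rel32, since the method relies on the 5-byte length. */
static int redirect_call(uint8_t *insn, uint32_t at, uint32_t hook) {
    if (insn[0] != 0xE8)
        return 0;
    rel32_encode(insn + 1, at, hook);
    return 1;
}

/* Method 4: overwrite an instruction of orig_len >= 5 bytes with
 * CALL hook followed by NOPs; the hook must re-execute the original. */
static int call_with_nops(uint8_t *out, uint32_t at, uint32_t hook, int orig_len) {
    if (orig_len < 5)
        return 0;
    out[0] = 0xE8;
    rel32_encode(out + 1, at, hook);
    memset(out + 5, 0x90, orig_len - 5);
    return orig_len;
}

enum patch_kind { PATCH_NONE, PATCH_INT3, PATCH_SOFT_INT, PATCH_JMP_OR_CALL, PATCH_OTHER };

/* Compare the live prologue with send_ref and classify the first change:
 * CC = INT 3 (method 1), CD xx = software interrupt (method 2),
 * E8/E9 = CALL/JMP rel32 (methods 3/4 or the usual 5-byte entry patch),
 * for which the destination is decoded into *dest. */
static enum patch_kind classify_patch(const uint8_t *live, size_t len, uint32_t *dest) {
    size_t i = 0;
    while (i < len && live[i] == send_ref[i])
        i++;
    if (i == len)
        return PATCH_NONE;
    if (live[i] == 0xCC)
        return PATCH_INT3;
    if (live[i] == 0xCD)
        return PATCH_SOFT_INT;
    if ((live[i] == 0xE8 || live[i] == 0xE9) && i + 5 <= len) {
        if (dest)
            *dest = rel32_target(SEND_ENTRY + (uint32_t)i, live + i + 1);
        return PATCH_JMP_OR_CALL;
    }
    return PATCH_OTHER;
}

int main(void) {
    uint8_t call[5] = { 0xE8, 0xC7, 0xF6, 0xFF, 0xFF };   /* CALL at 71A21B64 */
    printf("original CALL target: %08X\n", rel32_target(0x71A21B64u, call + 1));
    redirect_call(call, 0x71A21B64u, HOOK_ADDR);
    printf("redirected: %02X %02X %02X %02X %02X\n", call[0], call[1], call[2], call[3], call[4]);

    uint8_t live[20];
    uint32_t dest = 0;
    memcpy(live, send_ref, sizeof live);
    call_with_nops(live + 10, 0x71A21AFEu, HOOK_ADDR, 10);   /* method 4 over the CMP */
    printf("patch kind %d, hook at %08X\n", classify_patch(live, sizeof live, &dest), dest);
    return 0;
}
```

Decoding the listing's E8 C7 F6 FF FF at 71A21B64 gives 71A21230, confirming the rel32 rule against the disassembler's own output; re-encoding for 71A20400 keeps the opcode and only rewrites the four displacement bytes, which is all method 3 touches. The classifier is deliberately byte-level: it finds a patch wherever it sits in the window, so the method 4 CALL at offset 0Ah is caught just like a patch at the entry, which is why the closing paragraph's advice to avoid the first 5 bytes buys less than it seems against an engine that compares the whole prologue.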