|
|
本帖最后由 LittlePig 于 2012-7-2 23:56 编辑
原文标题:VB变态HOOK API也疯狂
本文于 2007-12-7 首次于http://hi.baidu.com/cxwr 发表 原创作者:菜新
之所以起这个名字,其主要原因是想证明用VB也可以正常稳定的实现HOOK API功能。貌似关于VB实现HOOK API方面的文章chenhui530有写过,说实话,给我的感觉很一般,最让我大跌眼镜的是,所生成的代码的方式竟然是P-CODE??难怪文章最后说只能成功用于VB程序,OK,当看到这时我已没心情继续看下去了。算了,还是来说说我自己的吧,只有自己拿得出真才实料才会让人信服,关于该文章的所有技术实现都是纯VB代码,不加任何外部DLL文件实现。在该文章中你将学会以下知识:
1,HOOK API函数
2,远程注入代码与远程注入DLL
3,学会OD分析调试自己的代码
4,学会自己制作tlb类库文件
5,其它细节方面的知识等等。。
首先让我们了解下HOOK API的原理,HOOK API所实现的原理无非就是通过更改API代码默认运行轨道,将所运行的代码指向他处(这里一般为我们自己的地址),通过如此达到HOOK API的功能。如果用汇编的方式表达的话我想可能更明确,如下:
HOOK 代码即是如此而已,首先是把我们自己处理的函数地址放在eax寄存器中,然后通过jmp(汇编跳转指令)eax 跳转到eax寄存器中的函数地址处。这时当程序中执行某个被HOOK的函数时,该函数会自动跳转到 eax 地址,也就这样,整个HOOK工作完成了。
OK,明白了原理之后我们还有其它技术方面的问题需要解决,当然在VB中这些问题必须解决,首先是HOOK API问题,在其它语言中如Delphi或ASM可以直接写个DLL HOOK,通过SetWindowsHookEx把该DLL注入到带有消息处理的进程中去,一般 用SetWindowsHookEx注入DLL的方式对于普通的应用程序还行,但对于如系统服务或控制台内进程则无效,所以这时我们需要通过CreateRemoteThread(创建远程线程)API去解决。当然在使用这些方法的前提是必须有DLL。
我们都知道VB压根就实现不了啥标准DLL,当然说到这里可能会有人跟我争辩,我觉得没必要,争来争去结果都一样,VB根本就实现不了啥标准DLL,可网上硬是有些人把什么什么“用VB做输入函数DLL”一文来强加之理,说这就是“标准DLL”,唉,除了汗还是汗,老兄你先把VB下的DLL运行库msvbvm60.dll解决了再来跟我说吧,你呐!~~~
所以,VB用DLL来实现基本上是不可能了,现在唯一一种方法就是利用远程线程注入EXE代码,然后通过注入的代码去解决它,该方法首先要解决的问题是VB的默认运行库,你我都知道VB运行是需要运行库的,别自欺欺人了兄弟!~咱还是老老实实用远程注入DLL的方法去解决它,OK,运行库问题解决了,那么远程注入代码呢?Why??不容易实现?啥?你实现了?说你实现了我又想到了 chenhui530 中的那种对注入代码的处理方式,基本上除了可以正常用于在VB生成的自家兄弟EXE程序以外,插入其它进程基本上会给你一个下图效果:
但是这个问题必须要解决,否则就不存在用远程注入代码的方式解决方式了。
当然自己的在用VB编写远程注入代码的时候,也出现了这种现象,不过通过OD反汇编跟踪,我发现罪魁祸首的竟然是 __vbaSetSystemError 的调用。如下图:
上面反汇编代码所对应的VB代码如下:- Public Function MyShowTip() As Long
- MessageBeep 0
- End Function
首先我们写一个简单的 MessageBox 类型库试试:
[
uuid(12345678-1234-1234-1234-123456789ABC),
helpstring("my api library"),
lcid(0x0),
version(1.0)
]
library MyAPIs
{
importlib("stdole2.tlb");
typedef [public] long HWND;
typedef [public] long DWORD;
typedef [public] long UINT;
typedef [public] long WPARAM;
typedef [public] long LPARAM;
typedef [public] long HANDLE;
[dllname("user32")]
module User32
{
[entry("MessageBoxA")] long MessageBox ([in] HANDLE hWnd, [in] LPSTR lpText,
[in] LPSTR lpCaption, [in] UINT uType);
};
};
保存为myapi.odl,这里生成tlb文件需要借助VC++来完成,通过VC++的Bin目录中的MKTYPLIB.EXE程序生成,OK,完成以上操作以后我们再回到VB中。
然后在VB工程菜单,引用,选择刚刚输出的 myapi.tlb 文件,注意如果你已经声明了 MessageBox 函数请删除掉。注意这里引用了该类型库以后我们的代码中将不需要再声明MessageBox API。接着我把上面的注入代码改成以下:- Public Function MyShowTip() As Long
- MessageBox 0, "显示一个消息", "消息", 0
- End Function
OK,__vbaSetSystemError 被我们彻底的干掉了。通过上面反汇编的VB代码我们可以看出,使用类型库可以直接定位并调用API函数,免去了VB中默认一些烦杂的操作,可见类型库还是值得提倡的。看看下图将会明白,咱们不再是通过 DllFunctionCall 去调用API了。
好了,现在就剩下最后一个问题,就是远程注入代码的重定位问题,这个问题最为关键,我想如果不解决此问题,上面所有的实现原理也就没啥必要了。
据我的观察,VB或Delphi、ASM、VC++默认的基址为0x400000 处,当然也可能其它编程语言所生成的不是这个基址,但是一般的应用程序基址普遍是在0x10000000以下,这里可能某些网友会问为什么我突然间扯到这里来了,不是我为什么要扯到这里,是因为这里我们必须要了解,因为一旦我们设置好了程序的基址,所有代码的重定位工作也就让编译器自然为我们做好了。所以我们需要通过基址来重定位我们的代码。
VB默认不支持EXE的/BASE基址设置功能,所以这里需要我们自己动手去解决它(朋友!养成多动动手的习惯吧!!!),VB程序的编译是靠C2.EXE和LINK.EXE两个东东来完成的,所以我们要从半路中截取它们的命令行参数,并修改,以达到我们需要的效果,这里我写了个拦截代码,如下:- Public Sub Main()
- Dim sBuf As String
- Dim szBase As String
-
- If MsgBox("是否设置EXE基地址?", vbYesNo + 64, "基址") = vbNo Then
- Shell "Link2.exe " & Command
- Else
-
- szBase = InputBox("请输入需要设置的基地址,不用输入 0x", "基址", "400000")
- If Trim(szBase) = vbNullString Then
- szBase = "/BASE:0x400000"
- Else
- szBase = "/BASE:0x" & szBase
- End If
-
- sBuf = Replace(Command, "/BASE:0x400000", szBase)
- Shell "link2.exe " & sBuf
- End If
- End Sub
然后点击“是”,接着再弹出以下对话框:
上面这个东西有下载,请到 http://cxwr.ys168.com/的Source Code 目录下载或者参见下面的附件。
输入相应的基址即可,默认我们输入 0x14000000,只要高出 0x10000000 就行了,当然你也可以设置为0x20000000、0x30000000等等等,只要你愿意,就随你吧(注意不能超过 0x80000000)。下图为 PEiD查看的结果:
OK,所有的操作原理都明白以后,剩下的就是正式写注入和HOOK代码了。
首先HOOK API时我前面说过,默认的注入代码方法不可取,我们需要一个类型库,这样所注入的代码操作会尽可能的“远离”msvbvm60.dll,记住,要想让你的VB代码能在其它进程中撒欢,那么就得少用些运行库中的函数,最好能全部用API解决,有时VB中默认添加的一个小小的转换函数就会让整个进程崩溃,要不然为啥VB的本机代码不支持多线程?现在我们只需要把HOOK API常用的几个API做成类型库即可。下面是需要用到的几个API函数:
ReadProcessMemory、WriteProcessMemory、GetModuleHandle、GetProcAddress、GetCurrentProcess、CopyMemory
(问:不会吧?HOOK API就这几个API就可以搞定? 答:是的)OK,以下为类型库ODL代码:
[
uuid(12345678-1234-1234-1234-123456789ABC),
helpstring("my api library"),
lcid(0x0),
version(1.0)
]
library MyAPIs
{
importlib("stdole2.tlb");
typedef [public] long HWND;
typedef [public] long DWORD;
typedef [public] long UINT;
typedef [public] long WPARAM;
typedef [public] long LPARAM;
typedef [public] long HANDLE;
[dllname("kernel32")]
module kernel32
{
[entry("WriteProcessMemory")] long WriteProcessMemory ([in] HANDLE hProcess,
[in] void* lpBaseAddress, [in] void* lpBuffer, [in] DWORD nSize, [in] DWORD* lpNumberOfBytesWritten);
[entry("ReadProcessMemory")] long ReadProcessMemory ([in] HANDLE hProcess,
[in] void* lpBaseAddress, [in] void* lpBuffer, [in] DWORD nSize, [in] DWORD* lpNumberOfBytesWritten);
[entry("GetCurrentProcess")] HANDLE GetCurrentProcess();
[entry("RtlMoveMemory")] void CopyMemory([in] void* pDest, [in] void*
pSrc, [in] long ByteLen);
[entry("GetModuleHandleA")] long GetModuleHandle ([in] LPSTR lpModuleName);
[entry("GetProcAddress")] long GetProcAddress ([in] DWORD hModule, [in] LPSTR lpProcName);
};
[dllname("user32")]
module User32
{
[entry("MessageBoxA")] long MessageBox ([in] HANDLE hWnd, [in] LPSTR lpText,
[in] LPSTR lpCaption, [in] UINT uType);
[entry("MessageBoxW")] long MessageBoxW ([in] HANDLE hWnd, [in] LPWSTR lpText,
[in] LPWSTR lpCaption, [in] UINT uType);
};
};
OK现在,上面保存名为 odl 的扩展名文件,然后用MKTYPLIB.EXE生成一下就OK了。。
该文件请到 http://cxwr.ys168.com/ 中下载或者参考下面的附件。
剩下的就是写代码了,不说多了,直接上代码,该代码为通过演示HOOK MessageBoxA API函数,让你明白在VB中使用纯代码HOOK API是如何实现的。如果你想HOOK NtOpenProcess 等等API也是如此。
该注入与HOOK程序中只用到了两个模块,如下:
modMain.bas 中的代码:- Option Explicit
- Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
- Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
- Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
- Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
- '上面这些是我们自己用到的,因为我们已经引用了类型库,所以默认声明为 Private 方式,
- '这样做的好处是不影响 modHOOK 模块中的相同API使用
- Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
- Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
- Public Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
- Public Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
- Public Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Long, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
- Public Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
- Public Const MEM_RELEASE = &H8000
- Public Const MEM_COMMIT = &H1000
- Public Const MEM_RESERVE = &H2000
- Public Const MEM_DECOMMIT = &H4000
- Public Const PAGE_EXECUTE_READWRITE = &H40
- Public Const SYNCHRONIZE = &H100000
- Public Const STANDARD_RIGHTS_REQUIRED = &HF0000
- Public Const PROCESS_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
- Public Const INFINITE = &HFFFFFFFF
- '以下全部从Delphi中翻译
- Public Type IMAGE_DOS_HEADER
- e_magic As Integer
- e_cblp As Integer
- e_cp As Integer
- e_crlc As Integer
- e_cparhdr As Integer
- e_minalloc As Integer
- e_maxalloc As Integer
- e_ss As Integer
- e_sp As Integer
- e_csum As Integer
- e_ip As Integer
- e_cs As Integer
- e_lfarlc As Integer
- e_ovno As Integer
- e_res(3) As Integer
- e_oemid As Integer
- e_oeminfo As Integer
- e_res2(9) As Integer
- e_lfanew As Long
- End Type
- Public Type IMAGE_FILE_HEADER
- Machine As Integer
- NumberOfSections As Integer
- TimeDateStamp As Long
- PointerToSymbolTable As Long
- NumberOfSymbols As Long
- SizeOfOptionalHeader As Integer
- Characteristics As Integer
- End Type
- Public Type IMAGE_DATA_DIRECTORY
- VirtualAddress As Long
- Size As Long
- End Type
-
- Public Type IMAGE_OPTIONAL_HEADER
- Magic As Integer
- MajorLinkerVersion As Byte
- MinorLinkerVersion As Byte
- SizeOfCode As Long
- SizeOfInitializedData As Long
- SizeOfUninitializedData As Long
- AddressOfEntryPoint As Long
- BaseOfCode As Long
- BaseOfData As Long
- ImageBase As Long
- SectionAlignment As Long
- FileAlignment As Long
- MajorOperatingSystemVersion As Integer
- MinorOperatingSystemVersion As Integer
- MajorImageVersion As Integer
- MinorImageVersion As Integer
- MajorSubsystemVersion As Integer
- MinorSubsystemVersion As Integer
- Win32VersionValue As Long
- SizeOfImage As Long
- SizeOfHeaders As Long
- CheckSum As Long
- Subsystem As Integer
- DllCharacteristics As Integer
- SizeOfStackReserve As Long
- SizeOfStackCommit As Long
- SizeOfHeapReserve As Long
- SizeOfHeapCommit As Long
- LoaderFlags As Long
- NumberOfRvaAndSizes As Long
- DataDirectory(15) As IMAGE_DATA_DIRECTORY
- End Type
-
- Public Type IMAGE_NT_HEADERS
- Signature As Long
- FileHeader As IMAGE_FILE_HEADER
- OptionalHeader As IMAGE_OPTIONAL_HEADER
- End Type
- Public Sub Main()
- Dim Pid As Long
- Dim sBuf As String
-
- sBuf = InputBox("PID", , 0)
- Pid = CLng(sBuf)
-
- If InjectMsvbvm6_dll(Pid) Then
- MsgBox "插入运行库OK"
- End If
-
- If InjectExe(Pid) Then
- MsgBox "已插入代码"
- End If
- End Sub
- '///////////////////////////////////////////////////////
- '///
- '///说明: 插入运行库代码
- '///参数: Pid=进程PID
- '///返回: 成功True,否则False
- '///
- '///////////////////////////////////////////////////////
- Public Function InjectMsvbvm6_dll(ByVal Pid As Long) As Boolean
- Dim hProcess As Long, hThread As Long
- Dim szDllPath As String
- Dim cbDllPath As Long
- Dim pBaseAddr As Long
- Dim pFuncAddr As Long
- Dim hMod As Long
-
- InjectMsvbvm6_dll = False
-
- hMod = GetModuleHandle("kernel32.dll")
- pFuncAddr = GetProcAddress(hMod, "LoadLibraryA")
-
- hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, Pid)
- If hProcess = 0 Then GoTo Err
-
- szDllPath = "c:\windows\system32\msvbvm60.dll"
- cbDllPath = Len(szDllPath) * 2 + 1
-
- pBaseAddr = VirtualAllocEx(hProcess, ByVal 0&, cbDllPath, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
- If pBaseAddr = 0 Then GoTo Err
-
- If WriteProcessMemory(hProcess, ByVal pBaseAddr, ByVal szDllPath, cbDllPath, 0) = 0 Then GoTo Err
-
- hThread = CreateRemoteThread(hProcess, ByVal 0&, 0, ByVal pFuncAddr, ByVal pBaseAddr, 0, 0)
- If hThread = 0 Then GoTo Err
-
- WaitForSingleObject hThread, INFINITE
- CloseHandle hThread
-
- InjectMsvbvm6_dll = True
-
- Err:
- If pBaseAddr <> 0 Then VirtualFreeEx hProcess, ByVal pBaseAddr, 0, MEM_RELEASE
- If hProcess <> 0 Then CloseHandle hProcess
- End Function
- '///////////////////////////////////////////////////////
- '///
- '///说明: 插入代码
- '///参数: Pid=进程PID
- '///返回: 成功True,否则False
- '///
- '///////////////////////////////////////////////////////
- Public Function InjectExe(ByVal Pid As Long) As Boolean
- Dim hMod As Long
- Dim stIDH As IMAGE_DOS_HEADER
- Dim stINH As IMAGE_NT_HEADERS
- Dim cbImage As Long
- Dim hProcess As Long, hThread As Long
- Dim pBaseAddr As Long
- Dim pFuncAddr As Long
-
- InjectExe = False
-
- hMod = GetModuleHandle(vbNullString)
-
- '得到相应的偏移值结构
- CopyMemory stIDH, ByVal hMod, Len(stIDH)
- CopyMemory stINH, ByVal (hMod + stIDH.e_lfanew), Len(stINH)
- cbImage = stINH.OptionalHeader.SizeOfImage
- If cbImage = 0 Then GoTo Err
-
- hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, Pid)
- If hProcess = 0 Then GoTo Err
-
- VirtualFreeEx hProcess, hMod, 0, MEM_RELEASE
- pBaseAddr = VirtualAllocEx(hProcess, ByVal hMod, cbImage, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
- If pBaseAddr = 0 Then GoTo Err
-
- If WriteProcessMemory(hProcess, ByVal pBaseAddr, ByVal hMod, cbImage, 0) = 0 Then GoTo Err
-
- '现在处理该是处理我们自己的函数地址的时候了,至于为什么会先在这里把函数地址计算好,具
- '体可以看 modHook 中的说明
- '
- Dim pFAddr As Long
-
- Init '先初始以便获取函数地址
-
- pFAddr = VirtualAllocEx(hProcess, ByVal 0&, 4, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
- If pFAddr = 0 Then GoTo Err
-
- '然后把咱们的地址传进去
- If WriteProcessMemory(hProcess, ByVal pFAddr, NewAddr(1), 4, 0) = 0 Then GoTo Err
-
-
- pFuncAddr = GetFuncAddr(AddressOf Hook)
- hThread = CreateRemoteThread(hProcess, ByVal 0&, 0, ByVal pFuncAddr, ByVal pFAddr, 0, 0)
- If hThread = 0 Then GoTo Err
-
- WaitForSingleObject hThread, INFINITE
- CloseHandle hThread
-
- InjectExe = True
- Err:
- 'If pBaseAddr <> 0 Then VirtualFreeEx hProcess, ByVal pBaseAddr, 0, MEM_RELEASE
- If hProcess <> 0 Then CloseHandle hProcess
-
- End Function
- Private Function Init() As Long
- Dim pFuncAddr As Long
- pFuncAddr = GetFuncAddr(AddressOf NewMessageBox)
-
- '保存该地址,一会要注入进去的
- CopyMemory NewAddr(1), pFuncAddr, 4
- End Function
- Private Function GetFuncAddr(ByVal func As Long) As Long
- GetFuncAddr = func
- End Function
- 然后 modHook.bas 中的代码:
- Option Explicit
- Public NewAddr(7) As Byte
- Public Function Hook(ByVal pFAddr As Long) As Long
- Dim hMod As Long
- Dim pBaseAddr As Long
-
-
-
- hMod = GetModuleHandle("user32.dll")
- pBaseAddr = GetProcAddress(hMod, "MessageBoxA")
-
- '该步骤下普遍会崩溃...我实现是米得办法啊..用OD跟踪发现读取内存有误,唉..VB就是VB..没办法
- '这里有点让我抓狂,曾想过用硬编码的方式...汗!~~ 我实在是米有办法啊!!~~~
-
- 'Dim pFuncAddr As Long
- ' pFuncAddr = GetFuncAddr(AddressOf NewMessageBox)
- ' CopyMemory NewAddr(1), pFuncAddr, 4
- '以下部分为机器码生成
- '机器码意思为:
- '
- 'mov eax, 我们的地址
- 'jmp eax
- '
- NewAddr(0) = &HB8
- NewAddr(5) = &HFF
- NewAddr(6) = &HE0
- NewAddr(7) = &H0
-
- '最后我想到一个折中的办法,就是先让注入程序帮我们把地址算好,然后我们直接调用即可.
- ReadProcessMemory GetCurrentProcess, ByVal pFAddr, NewAddr(1), 4, 0
-
- MessageBox 0, "被我给HOOK了...", "已HOOK", 32
-
- '这一步写进去以后基本上就成功OK了..
- WriteProcessMemory GetCurrentProcess, ByVal pBaseAddr, NewAddr(0), 8, 0
- End Function
- Public Function NewMessageBox(ByVal hWnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long
- '默认HOOK的是MessageBoxA函数,所以我们用 MessageBoxW 给我们弹出消息
- '这里没有写还原函数,其实这个都很好解决,我们在用 WriteProcessMemory写入HOOK代码时可以还通过
- 'ReadProcessMemory读取原始代码,当需要恢复时再通过 WriteProcessMemory写回去就OK了..
-
- MessageBoxW 0, "哈哈...被我们给HOOK了", "嘿嘿~~啦啦啦..", 16
- NewMessageBox = 1
- End Function
首先是Delphi 的HOOK前和HOOK后,至于进程PID的话可以直接打开进程管理器找:
HOOK后如下:
还有一个VB测试结果,如下:
HOOK 后:
至于VC++和ASM我想应该也没问题。如果大家有兴趣可以自己试试。
注:以上在Windows XP SP2 环境下测试通过。
结束语:
最近都在忙着学内核ring0,也不知什么原因,这些天突然心血来潮要用VB来搞HOOK API,其实如果用VB借助其它语言编写的DLL来完成此功能的话我想应该非常容易,如果用纯VB来实现的话如果没有一定的汇编和OD调试基础,基本上很难用VB实现。附一张图大家看看就知道了,如下:
呵。。大家表笑,事实就是如此,上图为调试VB HOOK 的崩溃信息,说真的我都不知道我是怎么坚持下来的。就我个人认为,用VB纯代码写HOOK API是很变态的事情,至少我是这么认为的。好了,不说多了,该文章也算是学VB一年多来一个好的结尾吧,我这样说并不是说我就放弃VB了,只是我觉得用VB写Win32系统程序是一件很烦的事情,光声明这些API都不知要花多少时间,除此之外当然还有其它原因(当然除写数据库外)。所以以后大部分程序我可能不会采用VB来写,而是用Delphi、VC++和ASM等来完成。不要问我为什么,你我心里都明白!
最后我想说的是,VB是我人生中的第一个语言,因为拥有它,我才有今天,所以做人不得忘本!关于VB界内的信息我会一直关注的!另外就是复制转帖问题,请一定要保留文章出处与作者信息。谢谢合作。
注:该文中的所有资料或代码都可在 http://cxwr.ys168.com/ 中下载。
文章附件下载地址:
下载地址1(劳资的SkyDrive)
下载地址2(作者的永硕网盘) |
|
发表于 2012-7-2 23:46:19
