Re[2]: Добавление ДЛЛ и перехват API функций
От: urban1981  
Дата: 05.02.15 17:53
Счастливая библиотека для тех, кому интересно; пока только компилирую, не запускаю:
// Dll777.cpp: определяет точку входа для приложения DLL.
//
#undef UNICODE
//#include "stdafx.h"
#include <windows.h>
//#include <map>
//#include <atlbase.h>
//#include <atlstr.h>
#include "Logger.h"
#include <Tlhelp32.h>
#include "DeepIATHook.h"
//#include <cstdio>

//typedef std::map<HANDLE, CStringA> Files;
//Files files; 

#pragma comment ( lib , "toolhelp.lib" )

#ifdef UNDER_NT
#      include <tchar.h>
#endif

// Argument block for PerformCallBack4 (declared below), the Windows CE
// cross-process call. The field order is part of that call's contract, so
// do not reorder or extend it.
typedef struct _CALLBACKINFO 
{
    HANDLE  hProc;      // target process
    FARPROC pfn;        // function invoked inside the target process
    PVOID   pvArg0;     // arg0 data, handed through to pfn
} 
CALLBACKINFO;

typedef CALLBACKINFO *PCALLBACKINFO;

// Windows CE kernel entry points that the public headers do not declare.
// Nothing in this listing references them (the hooks below go through
// DeepHookImportedFunction only). SetKMode / SetProcPermissions /
// MapPtrToProcess widen the calling thread's privilege and address-space
// reach, so they should only be declared where a call site actually needs them.
extern "C" 
{
    BOOL SetKMode ( BOOL fMode );
    DWORD SetProcPermissions ( DWORD );
    LPVOID MapPtrToProcess ( LPVOID lpv, HANDLE hProc );
    DWORD PerformCallBack4 ( PCALLBACKINFO pcbi, ... );// run a function inside the target process    
    HLOCAL LocalAllocInProcess ( DWORD, DWORD, HPROCESS );
    VOID LocalFreeInProcess ( HLOCAL, HPROCESS );
}

#define SIZE 6 //Number of bytes needed to redirect

// Pointer types for the hooked coredll.dll exports. The originals are called
// through these, so each must match the real export call-for-call (__stdcall,
// same argument count and sizes). The CreateFileW/ReadFile/WriteFile typedefs
// spell LPWSTR / unsigned long int / LPVOID where the SDK has LPCWSTR / DWORD /
// HANDLE; on a 32-bit target these have the same size, but the SDK types would
// let the compiler catch a mismatch.
typedef int (WINAPI* MESSAGEBOXW)( HWND, LPCWSTR, LPCWSTR, UINT);
typedef HANDLE (WINAPI* CREATEFILEW) ( LPWSTR , unsigned long int , unsigned long int , LPSECURITY_ATTRIBUTES , unsigned long int , unsigned long int , LPVOID );
typedef BOOL (WINAPI* READFILE) ( LPVOID  , LPVOID  , unsigned long int  , unsigned long int *  , LPOVERLAPPED );
typedef BOOL (WINAPI* WRITEFILE) ( LPVOID  , LPVOID  , unsigned long int  , unsigned long int *  , LPOVERLAPPED  ); 

// Original entry points returned by DeepHookImportedFunction in DllMain.
// NULL until the matching hook has been installed; the hook bodies call
// through them, so a NULL here means the hook cannot forward the call.
MESSAGEBOXW g_pfnOldMessageBoxW = NULL;
CREATEFILEW g_pfnOldCreateFileW = NULL;
READFILE g_pfnOldReadFile = NULL;
WRITEFILE g_pfnOldWriteFile = NULL;

//typedef HANDLE ( WINAPI *pCreateFileW )( LPWSTR lpFileName, unsigned long int dwDesiredAccess, unsigned long int dwShareMode, LPSECURITY_ATTRIBUTES lpsa, unsigned long int dwCreationDisposition, unsigned long int dwFlagsAndAttributes, LPVOID hTemplateFile );
//typedef BOOL ( WINAPI *pReadFile ) ( LPVOID hFile, LPVOID lpBuffer, unsigned long int nNumberOfBytesToRead, unsigned long int * lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped );
//typedef BOOL ( WINAPI *pWriteFile ) ( LPVOID hFile, LPVOID lpBuffer, unsigned long int nNumberOfBytesToWrite, unsigned long int * lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped ); 

// Prototypes of the replacement functions that DllMain writes into the
// import tables. Each must keep exactly the signature of the matching
// typedef above (calling convention included), since callers reach them
// through the patched import entry. Definitions follow DllMain.
int WINAPI MyMessageBoxW(
                         HWND hWnd, 
                         LPCWSTR lpText, 
                         LPCWSTR lpCaption, 
                         UINT uType
                         );


HANDLE __stdcall MyCreateFileW( 
                                     LPWSTR lpFileName, 
                                     unsigned long int dwDesiredAccess, 
                                     unsigned long int dwShareMode, 
                                     LPSECURITY_ATTRIBUTES lpsa, 
                                     unsigned long int dwCreationDisposition, 
                                     unsigned long int dwFlagsAndAttributes, 
                                     LPVOID hTemplateFile 
                                     );

BOOL __stdcall MyReadFile ( 
                                 LPVOID hFile, 
                                 LPVOID lpBuffer, 
                                 unsigned long int nNumberOfBytesToRead, 
                                 unsigned long int * lpNumberOfBytesRead, 
                                 LPOVERLAPPED lpOverlapped 
                                 );

BOOL __stdcall MyWriteFile ( 
                                  LPVOID hFile, 
                                  LPVOID lpBuffer, 
                                  unsigned long int nNumberOfBytesToWrite, 
                                  unsigned long int * lpNumberOfBytesWritten, 
                                  LPOVERLAPPED lpOverlapped 
                                  );


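HWND x;     // owner window for the smoke-test MessageBoxW below; as a global it is zero-initialised (NULL)

// Puts the original coredll.dll entries back for every file hook that was
// installed. A NULL g_pfnOld* means that hook was never captured, so it is
// skipped instead of writing a NULL pointer into the import table.
// NOTE(review): assumes DeepHookImportedFunction returns NULL only when it
// did not patch anything — confirm against DeepIATHook.h.
static void RestoreFileHooks()
{
    if ( g_pfnOldCreateFileW != NULL )
    {
        DeepHookImportedFunction ( L"coredll.dll", L"CreateFileW", (PROC)g_pfnOldCreateFileW, NULL );
        g_pfnOldCreateFileW = NULL;
    }
    if ( g_pfnOldReadFile != NULL )
    {
        DeepHookImportedFunction ( L"coredll.dll", L"ReadFile", (PROC)g_pfnOldReadFile, NULL );
        g_pfnOldReadFile = NULL;
    }
    if ( g_pfnOldWriteFile != NULL )
    {
        DeepHookImportedFunction ( L"coredll.dll", L"WriteFile", (PROC)g_pfnOldWriteFile, NULL );
        g_pfnOldWriteFile = NULL;
    }
}

// Installs the CreateFileW / ReadFile / WriteFile hooks. Returns FALSE, with
// every hook already undone, if any original pointer came back NULL: a hook
// whose g_pfnOld* is NULL cannot forward the intercepted call.
static BOOL InstallFileHooks()
{
    g_pfnOldCreateFileW = (CREATEFILEW)DeepHookImportedFunction(L"coredll.dll", L"CreateFileW", (PROC)MyCreateFileW, NULL);
    g_pfnOldReadFile = (READFILE)DeepHookImportedFunction(L"coredll.dll", L"ReadFile", (PROC)MyReadFile, NULL);
    g_pfnOldWriteFile = (WRITEFILE)DeepHookImportedFunction(L"coredll.dll", L"WriteFile", (PROC)MyWriteFile, NULL);

    if ( g_pfnOldCreateFileW == NULL || g_pfnOldReadFile == NULL || g_pfnOldWriteFile == NULL )
    {
        RestoreFileHooks();
        return FALSE;
    }
    return TRUE;
}

// DLL entry point. On process attach it runs a one-shot MessageBoxW smoke test
// of the hooking machinery, then installs the file hooks; on detach it removes
// them. Returns FALSE (so the load fails) if the file hooks cannot be installed,
// or for an unknown reason code.
BOOL APIENTRY DllMain ( HANDLE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved )
{
    switch ( ul_reason_for_call )
    {
        case DLL_PROCESS_ATTACH:
            // Smoke test: hook MessageBoxW, call it once (the hook swaps the text for
            // "!!!"), then restore the original. Only run when the original pointer
            // was captured, otherwise the restore would install NULL. Remove once the
            // hooks are known to work: showing UI from DllMain blocks the loading
            // thread while the loader's lock is held.
            g_pfnOldMessageBoxW = (MESSAGEBOXW)DeepHookImportedFunction(L"coredll.dll", L"MessageBoxW", (PROC)MyMessageBoxW, NULL);
            if ( g_pfnOldMessageBoxW != NULL )
            {
                MessageBoxW  (x, L"XXX", L"XXX", MB_OK);
                DeepHookImportedFunction(L"coredll.dll", L"MessageBoxW", (PROC)g_pfnOldMessageBoxW, NULL);            
            }

            if ( !InstallFileHooks() )
            {
                // Failing the attach unloads the DLL; a DLL_PROCESS_DETACH call is not
                // expected after a failed attach, so the undo already happened above.
                return FALSE;
            }
            break;
        case DLL_PROCESS_DETACH:
            RestoreFileHooks();
            break;
        case DLL_THREAD_ATTACH:
            break;
        case DLL_THREAD_DETACH:
            break;
        default:
            return FALSE;
        break;
    }
    return TRUE;
}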

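// Replacement for MessageBoxW used by the smoke test in DllMain: forwards to the
// captured original with text and caption replaced by "!!!", so a changed dialog
// shows the import-table patch took effect. lpText and lpCaption are deliberately
// discarded. Returns 0 (MessageBoxW's failure value) if the original pointer was
// never captured, instead of calling through NULL.
int WINAPI MyMessageBoxW(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType)
{
    (void)lpText;
    (void)lpCaption;
    if ( g_pfnOldMessageBoxW == NULL )
    {
        return 0;
    }
    return g_pfnOldMessageBoxW(hWnd, L"!!!", L"!!!", uType);
}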

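// Replacement for CreateFileW. Opens the file exactly once through the captured
// original, logs successful opens whose name starts with "COM" (presumably the
// serial ports, e.g. COM1:), and returns the handle the caller will actually use.
// The earlier version opened the file twice (direct CreateFileW, then the
// original) and leaked the first handle.
//
// Parameters and return value are those of CreateFileW (see the CREATEFILEW
// typedef): INVALID_HANDLE_VALUE on failure, last error set by the callee.
HANDLE __stdcall MyCreateFileW( LPWSTR lpFileName, unsigned long int dwDesiredAccess, unsigned long int dwShareMode, LPSECURITY_ATTRIBUTES lpsa, unsigned long int dwCreationDisposition, unsigned long int dwFlagsAndAttributes, LPVOID hTemplateFile )
{
    HANDLE hFile = INVALID_HANDLE_VALUE;
    if ( g_pfnOldCreateFileW != NULL )
    {
        hFile = g_pfnOldCreateFileW ( lpFileName, dwDesiredAccess, dwShareMode, lpsa, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile );
    }
    else
    {
        // Original pointer was never captured: fall back to the direct import so the
        // host process keeps working, as the earlier version did.
        // NOTE(review): safe only if DeepHookImportedFunction leaves this DLL's own
        // import table unpatched — otherwise this call re-enters MyCreateFileW.
        // Confirm against DeepIATHook.h.
        hFile = CreateFileW ( lpFileName, dwDesiredAccess, dwShareMode, lpsa, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile );
    }

    // Prefix test equivalent to the old wcsstr(lpFileName, L"COM") == lpFileName,
    // guarded against a NULL name, which wcsstr would have dereferenced.
    if ( hFile != INVALID_HANDLE_VALUE && lpFileName != NULL && wcsncmp ( lpFileName, L"COM", 3 ) == 0 )
    {
        logger.write ( lpFileName, "CreateFileW" );
    }
    return hFile;
}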

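// Replacement for ReadFile. Performs the read exactly once through the captured
// original and logs the data on success. The earlier version read twice (direct
// ReadFile, then the original): the caller got the second chunk and the first
// was silently consumed.
//
// Parameters and return value are those of ReadFile (see the READFILE typedef).
BOOL __stdcall MyReadFile ( LPVOID hFile, LPVOID lpBuffer, unsigned long int nNumberOfBytesToRead, unsigned long int * lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped )
{
    // lpNumberOfBytesRead may be NULL; route the count through a local in that
    // case so it can be logged without dereferencing a NULL pointer.
    unsigned long int bytesRead = 0;
    unsigned long int * pBytesRead = ( lpNumberOfBytesRead != NULL ) ? lpNumberOfBytesRead : &bytesRead;

    BOOL result = FALSE;
    if ( g_pfnOldReadFile != NULL )
    {
        result = g_pfnOldReadFile ( hFile, lpBuffer, nNumberOfBytesToRead, pBytesRead, lpOverlapped );
    }
    else
    {
        // NOTE(review): fallback to the direct import, as the earlier version did;
        // safe only if this DLL's own import table is not patched — confirm.
        result = ReadFile ( hFile, lpBuffer, nNumberOfBytesToRead, pBytesRead, lpOverlapped );
    }

    if ( result == TRUE )
    {
        // The earlier version passed the HANDLE itself as an LPWSTR, so the logger
        // would have read the handle value as text. Format it instead; the
        // handle-to-name map commented out at the top of the file would give a
        // more useful label.
        wchar_t handleName[32];
        wsprintfW ( handleName, L"handle 0x%08lX", (unsigned long) hFile );
        logger.write ( handleName, "ReadFile", lpBuffer, *pBytesRead );
    }
    return result;
}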

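// Replacement for WriteFile. Performs the write exactly once through the captured
// original and logs the buffer with an OK/ERROR tag. The earlier version wrote
// twice (direct WriteFile, then the original), duplicating every write.
//
// Parameters and return value are those of WriteFile (see the WRITEFILE typedef);
// lpNumberOfBytesWritten is passed through untouched and never dereferenced here.
// NOTE(review): if Logger itself writes through WriteFile and this DLL's imports
// are also patched, logger.write would re-enter this hook — confirm Logger's
// output path.
BOOL __stdcall MyWriteFile ( LPVOID hFile, LPVOID lpBuffer, unsigned long int nNumberOfBytesToWrite, unsigned long int * lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped )
{
    BOOL result = FALSE;
    if ( g_pfnOldWriteFile != NULL )
    {
        result = g_pfnOldWriteFile ( hFile, lpBuffer, nNumberOfBytesToWrite, lpNumberOfBytesWritten, lpOverlapped );
    }
    else
    {
        // NOTE(review): fallback to the direct import, as the earlier version did;
        // safe only if this DLL's own import table is not patched — confirm.
        result = WriteFile ( hFile, lpBuffer, nNumberOfBytesToWrite, lpNumberOfBytesWritten, lpOverlapped );
    }

    // The earlier version passed the HANDLE itself as an LPWSTR; format it so the
    // logger receives a real wide string. The handle-to-name map commented out at
    // the top of the file would give a more useful label.
    wchar_t handleName[32];
    wsprintfW ( handleName, L"handle 0x%08lX", (unsigned long) hFile );
    logger.write( handleName , result == TRUE ? "WriteFile OK" : "WriteFile ERROR", lpBuffer, nNumberOfBytesToWrite);

    return result;
}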