Most Windows programmers are familiar with message hooks. They are very useful, and one well-known use is the keyboard hook: install it and you receive the keyboard input of a target process, which is how all kinds of passwords get captured for less honest purposes. Some friends of mine want their own software not to be monitored by someone else's global hook. Is there a way to achieve that? The answer is yes, though the method has some shortcomings.
First, a brief look at how a global hook gets into another process.
Message hooks are provided by the Win32 subsystem; the core is NtUserSetWindowsHookEx in win32k, through which user mode installs a system-wide (global) hook. When an event occurs, for example a user keystroke, the keyboard driver passes the scan code and related data into win32k's key-event handler; the handler checks whether a corresponding hook is installed and, if so, calls it. At this point the system delivers the hook into the target process, and if the target process has not yet loaded the corresponding hook DLL, it is loaded now. This is done through KeUserModeCallback, which "calls" a user-mode routine. Unlike an APC, it imitates an interrupt return to user mode, so the call is immediate in nature.
Once in user mode at KiUserCallbackDispatcher, the dispatcher takes the function to call and its parameters from the data passed down and then makes the call. In the case above, to load the hook DLL it calls LoadLibraryExW, which in turn enters LdrLoadDll; after the load completes, control returns. The steps after that are not described here.
From the above we can derive a simple anti-intrusion measure: make the corresponding API fail before the hook DLL is loaded. There is a flaw: the system does not give up after one failure. Every time a message arrives that should call a hook, the system tries again to load the DLL into your process, which has a slight performance impact, though it should not be noticeable. The remaining question is that we should not intercept every LoadLibraryExW call. This is easy to solve, for example by checking the return address of the caller. The snippet below shows this; it can be extended with further checks so that selected hook DLLs are still allowed to load.
The API hooking here uses Microsoft's Detours library; adapt it as you see fit.
The code is as follows:
typedef HMODULE (__stdcall *LOADLIB)(
    LPCWSTR lpwLibFileName,
    HANDLE hFile,
    DWORD dwFlags);

extern "C" {
    // Detours 1.x trampoline for the real LoadLibraryExW
    DETOUR_TRAMPOLINE(HMODULE __stdcall Real_LoadLibraryExW(
        LPCWSTR lpwLibFileName,
        HANDLE hFile,
        DWORD dwFlags),
        LoadLibraryExW);
}

ULONG user32 = 0;   // base address of user32.dll in this process

HMODULE __stdcall Mine_LoadLibraryExW(
    LPCWSTR lpwLibFileName,
    HANDLE hFile,
    DWORD dwFlags)
{
    ULONG addr;
    // x86 only: read the caller's return address through the frame pointer,
    // so this function must be compiled with frame pointers enabled
    _asm mov eax, [ebp + 4]
    _asm mov addr, eax
    // Refuse the load when the caller lies in user32.dll, which is where
    // the hook-DLL load is issued from
    if ((user32 & 0xFFFF0000) == (addr & 0xFFFF0000))
    {
        return 0;
    }
    HMODULE res = ((LOADLIB)Real_LoadLibraryExW)(
        lpwLibFileName,
        hFile,
        dwFlags);
    return res;
}

BOOL ProcessAttach()
{
    DetourFunctionWithTrampoline((PBYTE)Real_LoadLibraryExW,
                                 (PBYTE)Mine_LoadLibraryExW);
    return TRUE;
}

BOOL ProcessDetach()
{
    DetourRemove((PBYTE)Real_LoadLibraryExW,
                 (PBYTE)Mine_LoadLibraryExW);
    return TRUE;
}

CAnti_HookApp::CAnti_HookApp()   // call ProcessAttach here, before the user interface is in service
{
    user32 = (ULONG)GetModuleHandle("User32.dll");
    ProcessAttach();
}
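One caveat on the return-address test above, shown as an added example that is not part of the original article: `& 0xFFFF0000` compares only the top 16 bits, so a caller is recognised as "inside user32" only if it sits in the same 64 KB block as the module base, while user32.dll is far larger than that. The code below reads SizeOfImage from the PE optional header and checks the whole [base, base + SizeOfImage) range instead; it uses no Windows headers, and the mapped module is a constructed header page with a made-up base and size.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE layout: e_lfanew is at offset 0x3C of the DOS header; after the 4-byte
 * "PE\0\0" signature and the 20-byte file header comes the optional header,
 * whose SizeOfImage field is at offset 56 for both PE32 and PE32+. */
#define DOS_E_LFANEW    0x3C
#define OPT_SIZEOFIMAGE 56

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* SizeOfImage of a module mapped at base (what GetModuleHandle returns),
 * or 0 if the bytes are not a PE image. */
uint32_t module_size_of_image(const uint8_t *base) {
    if (base[0] != 'M' || base[1] != 'Z') return 0;
    const uint8_t *nt = base + rd32(base + DOS_E_LFANEW);
    if (memcmp(nt, "PE\0\0", 4) != 0) return 0;
    return rd32(nt + 4 + 20 + OPT_SIZEOFIMAGE);
}

/* The test Mine_LoadLibraryExW performs: same 64 KB block as the base. */
int caller_in_module_mask(uintptr_t ret_addr, uintptr_t base) {
    return (ret_addr & 0xFFFF0000u) == (base & 0xFFFF0000u);
}

/* Range test over the whole mapped image [base, base + SizeOfImage). */
int caller_in_module_range(uintptr_t ret_addr, uintptr_t base, uint32_t size) {
    return ret_addr >= base && ret_addr < base + size;
}

/* Constructed stand-in for a mapped user32.dll header page: MZ stub,
 * e_lfanew = 0x80, PE signature, SizeOfImage = 0x90000 (576 KB). */
static uint8_t fake_image[0x100];
uint32_t fake_module_size(void) {
    uint32_t e_lfanew = 0x80, size = 0x90000u;
    memset(fake_image, 0, sizeof fake_image);
    fake_image[0] = 'M'; fake_image[1] = 'Z';
    memcpy(fake_image + DOS_E_LFANEW, &e_lfanew, 4);
    memcpy(fake_image + 0x80, "PE\0\0", 4);
    memcpy(fake_image + 0x80 + 4 + 20 + OPT_SIZEOFIMAGE, &size, 4);
    return module_size_of_image(fake_image);
}

int main(void) {
    uintptr_t base = 0x77D10000u;            /* constructed user32 base */
    uintptr_t ret  = base + 0x70000;         /* caller deep inside the image */
    printf("mask: %d  range: %d\n", caller_in_module_mask(ret, base),
           caller_in_module_range(ret, base, fake_module_size()));
    return 0;
}
```

The mask test reports the deep caller as outside user32 and the load goes through; the range test catches it.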