Neler yeni

Dll injection ile WIN API Detour

Durum
Üzgünüz bu konu cevaplar için kapatılmıştır...
Z

Zax0nn

Normal Üye
Katılım
21 Ara 2020
Mesajlar
2
Beğeniler
1
Merhaba arkadaşlar , yazdığım bir dll var bazı apı ları hooklamak için kullanacağım fakat asıl hooklamak istediğim apı lar aynı exe'ye inject edilmiş bir dll tarafından kullanılıyor. Hook ve Detour konusunda yeniyim kafamdaki soru şu ben bu dll i exeye inject ettiğimde diğer inject olan dll i hooklar mı ? denediğimde göremedim bende mi bir sıkıntı var yoksa kernel üzerinden global bir hooking ile mi mümkün ?

ayrıca hooklamaya çalıştığım dll vmpotect ile korunmakta bu durum beni etkiler mi ?(inject etmede bir sorun yada crash almıyorum)

kodu da buraya bırakıyorum ihtiyacı olan arkadaşlar olabilir.(üzerinde oynama yapılması gerekebilir bazı hooklar sadece donen dataları okumak için kullanılıyor şuan)

apihook.cpp

C++: 
#include "apihook.h"
#include "detours\detours.h"
#include <IPHlpApi.h>
#include <winnt.h>
#include <iostream>
#include <string>
#include <Sddl.h>

#pragma comment(lib, "iphlpapi.lib")
#pragma comment(lib, "Advapi32.lib")
//-----------------------------------

typedef BOOL (WINAPI* pCryptHashData)(
    HCRYPTHASH hHash,
    const BYTE* pbData,
    DWORD      dwDataLen,
    DWORD      dwFlags
);


typedef BOOL (WINAPI* pGetTokenInformation)(
    HANDLE                  TokenHandle,
    TOKEN_INFORMATION_CLASS TokenInformationClass,
    LPVOID                  TokenInformation,
    DWORD                   TokenInformationLength,
    PDWORD                  ReturnLength
);

typedef BOOL (WINAPI* pGetVolumeInformationW)(
    LPCTSTR lpRootPathName,
    LPTSTR lpVolumeNameBuffer,
    DWORD nVolumeNameSize,
    LPDWORD lpVolumeSerialNumber,
    LPDWORD lpMaximumComponentLength,
    LPDWORD lpFileSystemFlags,
    LPTSTR lpFileSystemNameBuffer,
    DWORD nFileSystemNameSize);

typedef DWORD (WINAPI* pGetAdaptersInfo)(
    PIP_ADAPTER_INFO pAdapterInfo,
    PULONG pOutBufLen);




HMODULE hKernel32;
HMODULE hIphlpapi;
HMODULE hAdvapi32;

pGetTokenInformation p_origTokenInformation;
pGetVolumeInformationW p_origGetVolumeInformationW;
pGetAdaptersInfo p_origGetAdaptersInfo;
pCryptHashData p_origCryptHashData;


void apihook::Init(bool randomVolSerial, bool randomMac, bool randomToken, bool randomcrypthash)
{
    srand(time(NULL));

    hKernel32 = GetModuleHandleA("Kernel32.dll");
    hIphlpapi = GetModuleHandleA("Iphlpapi.dll");
    hAdvapi32 = GetModuleHandleA("Advapi32.dll");

    if(randomVolSerial) apihook::SetupVolumeSerialHook();
    if(randomMac) apihook::SetupMacAddrHook();
    if(randomToken) apihook::SetupTokenHook();
    if (randomcrypthash) apihook::SetupCryptHash();
}

//-----------------------------------


BOOL WINAPI MyCryptHashData(HCRYPTHASH hHash,
    const BYTE* pbData,
    DWORD      dwDataLen,
    DWORD      dwFlags) {
    BOOL rest = p_origCryptHashData(hHash, pbData, dwDataLen, dwFlags);

    std::cout << "CryptHashData -> Hash Value " << pbData << std::endl;
    return rest;
}

void apihook::SetupCryptHash() {
    p_origCryptHashData = (pCryptHashData)GetProcAddress(hAdvapi32, "CryptHashData");
    DetourTransactionBegin();
    DetourAttach(&(PVOID&)p_origCryptHashData, MyCryptHashData);
    DetourTransactionCommit();
    std::cout << "CryptHashData "  << std::endl;
}

BOOL WINAPI MyGetTokenInformation(HANDLE                  TokenHandle,
    TOKEN_INFORMATION_CLASS TokenInformationClass,
    LPVOID                  TokenInformation,
    DWORD                   TokenInformationLength,
    PDWORD                  ReturnLength) {
    BOOL res = p_origTokenInformation(TokenHandle, TokenInformationClass, TokenInformation ,  TokenInformationLength ,ReturnLength);

  

    std::cout << "MyGetTokenInformation -> Old Token " << TokenInformation << std::endl;

    return res;
}

void apihook::SetupTokenHook() {
    p_origTokenInformation = (pGetTokenInformation)GetProcAddress(hAdvapi32, "GetTokenInformation");

    DetourTransactionBegin();
    DetourAttach(&(PVOID&)p_origTokenInformation, MyGetTokenInformation);
    DetourTransactionCommit();
}

BOOL WINAPI MyGetVolumeInformationW(LPCTSTR lpRootPathName, LPTSTR lpVolumeNameBuffer, DWORD nVolumeNameSize, LPDWORD lpVolumeSerialNumber, LPDWORD lpMaximumComponentLength, LPDWORD lpFileSystemFlags, LPTSTR lpFileSystemNameBuffer, DWORD nFileSystemNameSize)
{
    BOOL res = p_origGetVolumeInformationW(lpRootPathName, lpVolumeNameBuffer, nVolumeNameSize, lpVolumeSerialNumber, lpMaximumComponentLength, lpFileSystemFlags, lpFileSystemNameBuffer, nFileSystemNameSize);
  
    std::cout << "MyGetVolumeInformationW -> Old serial " << *lpVolumeSerialNumber << std::endl;

    //Override
    DWORD newSerial = GetTickCount64() + rand();

    std::cout << "MyGetVolumeInformationW -> New serial " << newSerial << std::endl;

    *lpVolumeSerialNumber = newSerial;
    return res;
}

void apihook::SetupVolumeSerialHook()
{
    p_origGetVolumeInformationW = (pGetVolumeInformationW)GetProcAddress(hKernel32, "GetVolumeInformationW");

    DetourTransactionBegin();
    DetourAttach(&(PVOID&)p_origGetVolumeInformationW, MyGetVolumeInformationW);
    DetourTransactionCommit();

    std::cout << "Volume serial number hook initialized" << std::endl;
}

typedef DWORD (WINAPI* pGetAdaptersInfo)(
    PIP_ADAPTER_INFO pAdapterInfo,
    PULONG pOutBufLen);

DWORD WINAPI MyGetAdaptersInfo(PIP_ADAPTER_INFO pAdapterInfo, PULONG pOutBufLen)
{
    DWORD res = p_origGetAdaptersInfo(pAdapterInfo, pOutBufLen);
  
    //BYTE_IP_ADAPTER_INFO::Address
    for(int i = 0; i < 8; i++)
        pAdapterInfo->Address[i] = rand() % 0xFF;

    std::cout << "MyGetAdaptersInfo -> Address override" << std::endl;
    std::cout << "MyGetAdaptersInformationW -> New serial " << pAdapterInfo->Address << std::endl;
    return res;
}


void apihook::SetupMacAddrHook()
{
    p_origGetAdaptersInfo = (pGetAdaptersInfo)GetProcAddress(hIphlpapi, "GetAdaptersInfo");

    DetourTransactionBegin();
    DetourAttach(&(PVOID&)p_origGetAdaptersInfo, MyGetAdaptersInfo);
    DetourTransactionCommit();

    std::cout << "MAC address hook initialized" << std::endl;
}

dllmain.cpp
C++: 
#include "common.h"
#include "apihook.h"

BOOL WINAPI DllMain(HMODULE module, DWORD callReason, LPVOID reserved)
{
    switch(callReason)
    {
        case DLL_PROCESS_ATTACH:
            {
                DisableThreadLibraryCalls(module);

                AllocConsole();
                freopen("CONOUT$", "w", stdout);

                std::cout << "hwfck init" << std::endl;
              
                apihook::Init(true, true,true,true);
            }
            break;
    }

    return TRUE;
}

apihook.h
C++: 
#ifndef HG_APIHOOK
#define HG_APIHOOK
#include "common.h"


class apihook
{
public:
    static void Init(bool randomVolSerial, bool randomMac, bool randomToken, bool randomcrypthash);
private:
    static void SetupVolumeSerialHook();
    static void SetupMacAddrHook();
    static void SetupTokenHook();
    static void SetupCryptHash();
};
#endif

common.h
Kod: 
#ifndef HG_COMMON
#define HG_COMMON

#pragma comment(lib, "detours.lib")

#define _CRT_SECURE_NO_WARNINGS

#include <Windows.h>
#include <iostream>

#endif
 
Durum
Üzgünüz bu konu cevaplar için kapatılmıştır...

  Şuanda konuyu görüntüleyen kullanıcılar

Toplam: 2 (Kullanıcı: 0, ziyaretçi: 2)

Üst Alt