#include <windows.h>
#include <winternl.h>
#include <psapi.h>
// Hand-declared loader data table entry (ntdll keeps this undocumented).
// In this file only the two list links, BaseAddress and BaseDllName are
// read (see GetModuleHandlePeb); the remaining fields are never touched.
// NOTE(review): the layout is OS-build dependent and nothing here validates
// it — confirm against the targeted Windows versions before relying on it.
typedef struct _LDR_MODULE
{
LIST_ENTRY InLoadOrderModuleList;   // followed by GetModuleHandlePeb when advancing
LIST_ENTRY InMemoryOrderModuleList; // the PEB_LDR_DATA list GetModuleHandlePeb starts from
LIST_ENTRY InInitializationOrderModuleList;
PVOID BaseAddress; // image base; a NULL value ends the walk in GetModuleHandlePeb
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName; // file name only; compared against the requested name
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
LIST_ENTRY HashTableEntry;
ULONG TimeDateStamp;
} LDR_MODULE, *PLDR_MODULE;
// Opaque pointer typedefs; the pointed-to structs are never dereferenced here.
typedef struct _RTL_USER_PROCESS_PARAMETERS *PRTL_USER_PROCESS_PARAMETERS;
typedef struct _RTL_CRITICAL_SECTION *PRTL_CRITICAL_SECTION;
// GDI handle buffer sizes differ between 32- and 64-bit processes; the
// unsuffixed GDI_HANDLE_BUFFER follows the build's bitness via _WIN64.
#define GDI_HANDLE_BUFFER_SIZE32 34
#define GDI_HANDLE_BUFFER_SIZE64 60
#ifdef _WIN64
#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64
#else
#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32
#endif
typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];
typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32];
typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64];
#define GDI_BATCH_BUFFER_SIZE 310
// The GDI batch and TEB active-frame types below are not referenced by any
// function in this file; presumably they support a TEB layout declared
// elsewhere — TODO confirm, or drop them if nothing uses them.
typedef struct _GDI_TEB_BATCH
{
ULONG Offset;
ULONG_PTR HDC;
ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
} GDI_TEB_BATCH, *PGDI_TEB_BATCH;
typedef struct _TEB_ACTIVE_FRAME_CONTEXT
{
ULONG Flags;
PSTR FrameName;
} TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;
typedef struct _TEB_ACTIVE_FRAME
{
ULONG Flags;
struct _TEB_ACTIVE_FRAME *Previous;
PTEB_ACTIVE_FRAME_CONTEXT Context;
} TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;
// C counterpart of the C++ wstring "find last of" helper.
// Scans str[0..len-1] from the end for the wide character c and returns the
// index of the last occurrence, or (size_t)-1 when c is absent (including
// when len is 0). str need not be NUL-terminated; only len elements are read.
size_t wlindexof(const wchar_t *str, size_t len, wchar_t c)
{
    size_t remaining = len;
    while (remaining > 0)
    {
        --remaining;
        if (str[remaining] == c)
            return remaining;
    }
    return (size_t)-1;
}
// Resolve a loaded module's base address by walking the PEB loader list
// rather than calling GetModuleHandle. name is compared against each entry's
// BaseDllName with its extension stripped (via wlindexof), so callers pass
// e.g. L"kernel32" rather than L"kernel32.dll". The comparison is
// case-sensitive. Returns the base as an HMODULE, or NULL if nothing matches.
// (Original comment, translated: "convert the C++ types to C types".)
HMODULE GetModuleHandlePeb(LPCWSTR name)
{
// NOTE(review): this dereferences the absolute addresses 0x60 / 0x30, not a
// TEB-relative slot; as written it reads the null page and faults. Reach the
// PEB through the documented NtCurrentTeb()->ProcessEnvironmentBlock instead.
#ifdef _AMD64_
PPEB peb = (PPEB)(*(PDWORD64)(0x60));
#else
PPEB peb = (PPEB)(*(PDWORD)(0x30));
#endif
PPEB_LDR_DATA LdrData = (PPEB_LDR_DATA)(peb->Ldr);
// NOTE(review): the first entry is taken from InMemoryOrderModuleList but
// every later hop follows InLoadOrderModuleList. The two lists link different
// fields of LDR_MODULE (second vs. first member), so the PLDR_MODULE cast of
// the InMemoryOrder Flink points one LIST_ENTRY into the record rather than
// at its start. Walk a single list and start from its matching field.
PLDR_MODULE ListEntry = (PLDR_MODULE)(LdrData->InMemoryOrderModuleList.Flink);
// Terminates when an entry with a NULL BaseAddress is reached — presumably
// the circular list head; confirm that the head is laid out that way.
while (ListEntry && ListEntry->BaseAddress)
{
// NOTE(review): UNICODE_STRING.Length is a byte count but wlindexof takes a
// count of wide characters, so this scans twice the string's length and can
// read past Buffer. Pass Length / sizeof(WCHAR).
size_t lastDot = wlindexof(ListEntry->BaseDllName.Buffer, ListEntry->BaseDllName.Length, L'.');
// With an extension present only the first lastDot characters are compared,
// so a requested name that merely starts with the stem also matches; without
// one, wcscmp relies on Buffer being NUL-terminated.
size_t cmpResult = lastDot != -1
? wcsncmp(ListEntry->BaseDllName.Buffer, name, lastDot)
: wcscmp(ListEntry->BaseDllName.Buffer, name);
if (!cmpResult)
return (HMODULE)(ListEntry->BaseAddress);
ListEntry = (PLDR_MODULE)(ListEntry->InLoadOrderModuleList.Flink);
}
return NULL;
}
// Resolve an exported symbol by parsing the module's PE export directory
// directly rather than calling GetProcAddress. hModule must be the base of a
// mapped image (e.g. from GetModuleHandlePeb); name is the ANSI export name.
// Returns the export's address, or NULL when the module has no export
// directory or no entry with that name is found.
// (Original comment, translated: "convert the C++ function pointer to a C
// function pointer".)
PVOID GetProcAddressPeb(HMODULE hModule, LPCSTR name)
{
// NOTE(review): hModule is not checked for NULL. GetModuleHandle and
// GetModuleHandlePeb return NULL on failure and the hook installers below
// pass that straight in, so dosHeader->e_lfanew would fault on a null base.
PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)(hModule);
PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((DWORD_PTR)(hModule) + dosHeader->e_lfanew);
// Copies the whole optional header by value; only DataDirectory is read.
IMAGE_OPTIONAL_HEADER optionalHeader = ntHeaders->OptionalHeader;
IMAGE_DATA_DIRECTORY exportDir = optionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
if (!exportDir.Size)
return NULL;
// Every RVA below is turned into a virtual address by adding the image base.
PIMAGE_EXPORT_DIRECTORY exports = (PIMAGE_EXPORT_DIRECTORY)((DWORD_PTR)(hModule) + exportDir.VirtualAddress);
PDWORD functions = (PDWORD)((DWORD_PTR)(hModule) + exports->AddressOfFunctions);
PDWORD names = (PDWORD)((DWORD_PTR)(hModule) + exports->AddressOfNames);
// NOTE(review): the bound is NumberOfFunctions but `names` holds only
// NumberOfNames entries, so a module with ordinal-only exports makes this
// read past the name table. Index i is also applied to both tables directly;
// the PE format pairs name i with function AddressOfNameOrdinals[i], so
// without that indirection the address returned belongs to the wrong export
// whenever the two tables are not aligned. Forwarded exports (an RVA that
// lands inside the export directory) are not recognised either.
for (size_t i = 0; i < exports->NumberOfFunctions; i++)
{
DWORD rva = *(functions + i);
LPCSTR szName = (LPCSTR)((DWORD_PTR)(hModule) + *(names + i));
if (!strcmp(name, szName))
return (PBYTE)((DWORD_PTR)(hModule) + rva);
}
return NULL;
}
// 12-byte x64 absolute-jump stub written over a hooked function's first
// instructions: 48 B8 <imm64> is `mov rax, imm64`, FF E0 is `jmp rax`.
// Bytes 2..9 start as 0x90 placeholders and are overwritten with the hook
// target by HookFunction64 / HookFuncAddress64 before the stub is copied.
// NOTE(review): this is a single shared mutable buffer, so the two installers
// race on it if they are ever called concurrently.
BYTE HookCode[12] = {0x48, 0xB8, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xFF, 0xE0};
// Restore the 12 original bytes at FuncAddress that HookFuncAddress64 saved
// into OldCode. FuncAddress is the raw address that was hooked.
void UnHookFuncAddress64(UINT64 FuncAddress, BYTE OldCode[12])
{
DWORD OldProtect = 0;
// Make the page writable for the duration of the copy; the original bytes
// are only written back if that succeeded.
if (VirtualProtect((LPVOID)FuncAddress, 12, PAGE_EXECUTE_READWRITE, &OldProtect))
{
memcpy((LPVOID)FuncAddress, OldCode, 12);
}
// NOTE(review): runs even when the first VirtualProtect failed, in which case
// OldProtect is still 0, which is not a valid protection value. Neither
// VirtualProtect return is checked; the failure path is silent.
VirtualProtect((LPVOID)FuncAddress, 12, OldProtect, &OldProtect);
}
// Install the HookCode stub at the entry of lpFuncName in lpModule so that
// calls are redirected to lpFunction. The 12 bytes overwritten are saved into
// OldCode so UnHookFunction64 can restore them.
// NOTE(review): lpModule is char* but GetModuleHandle is the TCHAR-generic
// macro, whereas UnHookFunction64 uses GetModuleHandleA; under UNICODE this
// passes a narrow string where LPCWSTR is expected. Use GetModuleHandleA here
// as well. Neither the module handle nor the GetProcAddressPeb result is
// checked for NULL before being used as an address.
void HookFunction64(char *lpModule, LPCSTR lpFuncName, LPVOID lpFunction, BYTE OldCode[12])
{
DWORD_PTR FuncAddress = (UINT64)GetProcAddressPeb(GetModuleHandle(lpModule), lpFuncName);
DWORD OldProtect = 0;
if (VirtualProtect((LPVOID)FuncAddress, 12, PAGE_EXECUTE_READWRITE, &OldProtect))
{
memcpy(OldCode, (LPVOID)FuncAddress, 12); // save the original 12 bytes of machine code
// Fill the 0x90 placeholders with the absolute address of lpFunction.
// NOTE(review): HookCode + 2 is not 8-byte aligned, so this is a misaligned
// store through a cast pointer; memcpy(HookCode + 2, &lpFunction,
// sizeof lpFunction) expresses the same write without the UB.
*(PINT64)(HookCode + 2) = (UINT64)lpFunction;
}
// NOTE(review): this write sits outside the if, so it also executes when
// VirtualProtect failed and the page is still not writable, which faults;
// the restore below would then apply OldProtect == 0.
memcpy((LPVOID)FuncAddress, &HookCode, sizeof(HookCode)); // write the hook stub over the function entry
VirtualProtect((LPVOID)FuncAddress, 12, OldProtect, &OldProtect);
}
// Remove a hook installed by HookFunction64: re-resolves lpFuncName in
// lpModule and writes the 12 saved bytes in OldCode back over the entry.
void UnHookFunction64(char *lpModule, LPCSTR lpFuncName, BYTE OldCode[12])
{
DWORD OldProtect = 0;
// NOTE(review): the module handle and the resolved address are not checked
// for NULL; GetModuleHandleA returns NULL for an unloaded module and
// GetProcAddressPeb returns NULL for an unknown name.
UINT64 FuncAddress = (UINT64)GetProcAddressPeb(GetModuleHandleA(lpModule), lpFuncName);
// Make the page writable; the original bytes are only restored on success.
if (VirtualProtect((LPVOID)FuncAddress, 12, PAGE_EXECUTE_READWRITE, &OldProtect))
{
memcpy((LPVOID)FuncAddress, OldCode, 12);
}
// NOTE(review): runs even when the first VirtualProtect failed, in which case
// OldProtect is still 0 and not a valid protection value. Return values of
// both VirtualProtect calls are ignored.
VirtualProtect((LPVOID)FuncAddress, 12, OldProtect, &OldProtect);
}
// Install the HookCode stub directly at FuncAddress (no module/name lookup),
// redirecting execution to lpFunction. The 12 overwritten bytes are saved
// into OldCode for UnHookFuncAddress64. Same body as HookFunction64 minus
// the symbol resolution; the two share the NOTE(review) items below.
void HookFuncAddress64(DWORD_PTR FuncAddress, LPVOID lpFunction, BYTE OldCode[12])
{
DWORD OldProtect = 0;
if (VirtualProtect((LPVOID)FuncAddress, 12, PAGE_EXECUTE_READWRITE, &OldProtect))
{
memcpy(OldCode, (LPVOID)FuncAddress, 12); // save the original 12 bytes of machine code
// Fill the 0x90 placeholders with the absolute address of lpFunction.
// NOTE(review): HookCode + 2 is not 8-byte aligned; this cast store is a
// misaligned access — memcpy into HookCode + 2 avoids the UB. HookCode is
// also a shared global, so concurrent installs would corrupt each other.
*(PINT64)(HookCode + 2) = (UINT64)lpFunction;
}
// NOTE(review): outside the if, so the stub is written even when
// VirtualProtect failed and the page is not writable (a fault), and the
// restore below then uses OldProtect == 0.
memcpy((LPVOID)FuncAddress, &HookCode, sizeof(HookCode)); // write the hook stub over the function entry
VirtualProtect((LPVOID)FuncAddress, 12, OldProtect, &OldProtect);
}