遍历全局钩子(转)  

2011-04-11 16:06:53 |  分类: Win32汇编学习


一、主程序代码:
;===================================================================================
;
;  作者:一块三毛钱
;  邮箱:zhongts@163.com
;  日期:2005.6.18
;
;  遍历全局钩子
;
;  v0.0.1 (2005.6.18)
;
;      [+] 遍历全局钩子,显示哪些动态库添加了钩子
;          (需要管理员权限:程序会通过 SCM 安装并启动内核驱动 EnumHook.sys;驱动里的
;          win32k/ntoskrnl 结构偏移是按作者当时那个系统版本硬编码的,换一个版本就会
;          读错内存甚至蓝屏,不要在其他版本上直接加载。)
;
;          * 刷新前需要先动一动鼠标、按几下键盘,某些模块的名字才会显示出来。
;            原因:模块名是在本进程内解析的——驱动用发起 IOCTL 的进程的模块表取 DLL 基址,
;            _GetHookModuleName 也只对本进程做模块快照;而全局钩子的 DLL 通常要等本进程
;            收到被钩的事件后才被注入进来,在那之前该行只有地址、没有模块路径。
;
;===================================================================================
.386
.model flat, stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
include gdi32.inc
include comctl32.inc
include advapi32.inc
includelib kernel32.lib
includelib user32.lib
includelib gdi32.lib
includelib comctl32.lib
includelib advapi32.lib
include strings.mac
include common.inc
DlgProc proto :DWORD,:DWORD,:DWORD,:DWORD
_OpenDevice proto
_CloseDevice proto
_Init proto :DWORD
_Refresh proto
_InsertHookInfo proto :DWORD,:DWORD,:DWORD
_GetHookModuleName proto :DWORD,:DWORD
.const
 ; Control / template ids. They must match the #defines in the .rc file.
 DLG_MAIN equ 1000
 IDC_LIST equ 1001
 IDC_REFRESH equ 1002
 
 ; List-view column captions (runtime strings, shown as-is).
 szHandle db  "钩子句柄",0
 szFunc  db  "钩子函数地址",0
 szType  db  "钩子类型",0
 szModule db  "钩子所在模块",0
 
 ; Hook-type names indexed by (iHook + 1): WH_MSGFILTER is -1, so it sits at
 ; index 0 and WH_FOREGROUNDIDLE (11) at index 12. Every entry is padded to
 ; exactly 18 characters + NUL = 19 bytes, because _InsertHookInfo locates the
 ; name with "imul eax, 19". Keep the padding (and the order) if you edit this.
 szFlags db "WH_MSGFILTER      ",0
  db "WH_JOURNALRECORD  ",0
  db "WH_JOURNALPLAYBACK",0
  db "WH_KEYBOARD       ",0
  db "WH_GETMESSAGE     ",0
  db "WH_CALLWNDPROC    ",0
  db "WH_CBT            ",0
  db "WH_SYSMSGFILTER   ",0
  db "WH_MOUSE          ",0
  db "WH_HARDWARE       ",0
  db "WH_DEBUG          ",0
  db "WH_SHELL          ",0
  db "WH_FOREGROUNDIDLE ",0
.data?
 hInst  dd  ?   ; module handle of this executable (GetModuleHandle NULL)
 hList  dd  ?   ; HWND of the IDC_LIST list view, set in _Init
 hDevice  dd  ?  ; handle to \\.\slEnumHook, set in _OpenDevice (0 = not open)
.code
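;------------------------------------------------------------------------------
; Program entry: open (install + start on demand) the EnumHook driver, run the
; main dialog, then stop and remove the driver again. Exit code is always 0.
; The common-control classes are registered *before* the dialog is created:
; the template contains a SysListView32 and DialogBoxParam may fail (-1) if
; that class is not registered yet - calling InitCommonControls after the
; dialog has returned, as this tool originally did, has no effect.
; _CloseDevice is run on the failure path as well, so a service entry left
; behind by a CreateService that succeeded but a StartService that failed
; (missing EnumHook.sys, wrong build) is removed instead of lingering.
;------------------------------------------------------------------------------
start:
 invoke GetModuleHandle,NULL
 mov hInst,eax
 invoke InitCommonControls
 invoke _OpenDevice
 .if eax
  invoke DialogBoxParam, hInst, DLG_MAIN, NULL, addr DlgProc, NULL
 .else
  invoke MessageBox, NULL, $CTA0("Unable to open the EnumHook driver (administrator rights and EnumHook.sys next to this program are required)."), NULL, MB_ICONERROR
 .endif
 invoke _CloseDevice
 invoke ExitProcess, 0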
;------------------------------------------------------------------------------
; DlgProc: dialog procedure for DLG_MAIN.
;   WM_INITDIALOG - set up the list-view columns (_Init)
;   WM_COMMAND    - IDC_REFRESH clears the list and re-queries the driver
;   WM_CLOSE      - ends the dialog
; Returns TRUE for the messages handled above, FALSE for everything else so
; the dialog manager applies its default processing.
;------------------------------------------------------------------------------
DlgProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
 .if uMsg == WM_INITDIALOG
  invoke _Init, hWnd

 .elseif uMsg == WM_COMMAND
  movzx eax, word ptr wParam          ; LOWORD(wParam) = control id
  .if eax == IDC_REFRESH
   invoke SendMessage, hList, LVM_DELETEALLITEMS, 0, 0
   invoke _Refresh
  .endif

 .elseif uMsg == WM_CLOSE
  invoke EndDialog, hWnd, 0

 .else
  xor eax, eax                        ; FALSE: not handled here
  ret
 .endif

 mov eax, TRUE
 ret
DlgProc endp
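;------------------------------------------------------------------------------
; _OpenDevice: obtain a handle to the driver's device (\\.\slEnumHook),
; installing and starting the "EnumHook" kernel service on demand.
; Returns: eax = device handle (nonzero) on success, 0 on failure.
; Side effects: sets hDevice; may create and start the service, which needs
; administrator rights (SC_MANAGER_CREATE_SERVICE).
; The driver image is registered as "<directory of this executable>\EnumHook.sys".
; It is deliberately not resolved against the current directory: the path
; handed to CreateService is what the kernel will load, and it must not depend
; on where the tool happened to be launched from (a writable working directory
; would otherwise decide which kernel image gets loaded).
;------------------------------------------------------------------------------
_OpenDevice proc uses esi edi
 LOCAL _hSCManager : DWORD
 LOCAL _hService : DWORD
 LOCAL _szDriverPath[MAX_PATH] : BYTE
 
 ; Fast path: driver already running and its symbolic link present.
 invoke CreateFile, $CTA0("\\\\.\\slEnumHook"), GENERIC_READ+GENERIC_WRITE, \
   FILE_SHARE_READ+FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL
 .if eax != INVALID_HANDLE_VALUE
  mov hDevice, eax
  ret
 .endif
 
 ; Open failed: the driver is either not installed or not started.
 invoke OpenSCManager, NULL, NULL, SC_MANAGER_CREATE_SERVICE
 .if eax != 0
  mov _hSCManager, eax
 
  ; Already installed -> just start it.
  invoke OpenService, _hSCManager, $CTA0("EnumHook"), SERVICE_START+DELETE
  .if eax != 0
   mov _hService, eax
   invoke StartService, _hService, 0, NULL
   invoke CloseServiceHandle, _hService
 
  ; Not installed -> build the path next to this executable, register, start.
  .else
   invoke GetModuleFileName, NULL, addr _szDriverPath, sizeof _szDriverPath
   .if eax != 0 && eax < sizeof _szDriverPath          ; 0 = failure, == size = truncated
    lea esi, _szDriverPath
    lea edi, [esi+eax]                                 ; edi -> terminating NUL
    .while edi > esi && byte ptr [edi-1] != 5Ch        ; back up to just after the last '\'
     dec edi
    .endw
    mov eax, edi
    sub eax, esi                                       ; length of the directory prefix
    mov ecx, sizeof _szDriverPath
    sub ecx, eax                                       ; room left for name + NUL
    invoke lstrcpyn, edi, $CTA0("EnumHook.sys"), ecx
    invoke CreateService, _hSCManager, $CTA0("EnumHook"), $CTA0("ZTS's Enumerate Global Windows Service"), \
      SERVICE_START+DELETE, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, \
      SERVICE_ERROR_IGNORE, addr _szDriverPath, NULL, NULL, NULL, NULL, NULL
    .if eax != 0
     mov _hService, eax
     invoke StartService, _hService, 0, NULL
     invoke CloseServiceHandle, _hService
    .endif
   .endif
  .endif
  invoke CloseServiceHandle, _hSCManager
 .endif
 
 ; Second attempt now that the service should be running.
 invoke CreateFile, $CTA0("\\\\.\\slEnumHook"), GENERIC_READ+GENERIC_WRITE, \
   FILE_SHARE_READ+FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL
 .if eax != INVALID_HANDLE_VALUE
  mov hDevice, eax
 .else
  xor eax, eax
 .endif
 ret
_OpenDevice endp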
;------------------------------------------------------------------------------
; _CloseDevice: release the device handle (if any), then stop and delete the
; "EnumHook" service so no driver stays installed after the tool exits.
; All failures are ignored on purpose - this is best-effort cleanup.
; Returns: nothing meaningful.
;------------------------------------------------------------------------------
_CloseDevice proc
 LOCAL hScm : DWORD
 LOCAL hSvc : DWORD
 LOCAL svcStatus : SERVICE_STATUS
 
 ; 1. the device handle
 mov eax, hDevice
 .if eax != 0
  invoke CloseHandle, eax
 .endif
 
 ; 2. the service: stop it, then unregister it
 invoke OpenSCManager, NULL, NULL, SC_MANAGER_CONNECT
 .if eax == 0
  ret
 .endif
 mov hScm, eax
 
 invoke OpenService, hScm, $CTA0("EnumHook"), SERVICE_STOP+DELETE
 .if eax != 0
  mov hSvc, eax
  invoke ControlService, hSvc, SERVICE_CONTROL_STOP, addr svcStatus
  invoke DeleteService, hSvc
  invoke CloseServiceHandle, hSvc
 .endif
 invoke CloseServiceHandle, hScm
 ret
_CloseDevice endp
;------------------------------------------------------------------------------
; _LvAddColumn: insert one report-view column (caption + width in pixels) at
; index iCol into the list view hList. Helper for _Init.
;------------------------------------------------------------------------------
_LvAddColumn proc iCol:DWORD, lpszText:DWORD, cxWidth:DWORD
 LOCAL col : LV_COLUMN
 mov col.imask, LVCF_TEXT or LVCF_WIDTH
 m2m col.pszText, lpszText
 m2m col.lx, cxWidth
 invoke SendMessage, hList, LVM_INSERTCOLUMN, iCol, addr col
 ret
_LvAddColumn endp

;------------------------------------------------------------------------------
; _Init: WM_INITDIALOG handler. Caches the list-view HWND in hList, creates
; the four columns (handle, function address, type, module) and turns on
; full-row selection.
;------------------------------------------------------------------------------
_Init proc hWnd:DWORD
 invoke GetDlgItem, hWnd, IDC_LIST
 mov hList, eax
 
 invoke _LvAddColumn, 0, offset szHandle, 100
 invoke _LvAddColumn, 1, offset szFunc,   100
 invoke _LvAddColumn, 2, offset szType,   120
 invoke _LvAddColumn, 3, offset szModule, 400
 
 invoke SendMessage, hList, LVM_SETEXTENDEDLISTVIEWSTYLE, LVS_EX_FULLROWSELECT, LVS_EX_FULLROWSELECT
 ret
_Init endp
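;------------------------------------------------------------------------------
; _Refresh: query the driver (IOCTL_GET_HOOKINFO) and add one list-view row
; per HOOK_INFO record returned.
; The driver fills the output buffer with consecutive HOOK_INFO records and
; reports the byte count; the row count is that count / sizeof HOOK_INFO.
; Correctness notes:
;  * esi/ebx are preserved ("uses"): this runs inside a dialog procedure that
;    user32 calls, and callee-saved registers must survive it.
;  * the GlobalAlloc result is checked and freed (previously leaked per click).
;  * the DeviceIoControl result is checked, and the reported byte count is
;    clamped to the buffer we actually allocated before it is trusted.
; Returns: nothing meaningful.
;------------------------------------------------------------------------------
_Refresh proc uses esi ebx
 LOCAL lpHookInfo : DWORD
 LOCAL dwByteReturned : DWORD
 LOCAL dwHooks : DWORD
 
 invoke GlobalAlloc, GMEM_FIXED + GMEM_ZEROINIT, (sizeof HOOK_INFO)*MAX_HOOKS
 .if eax == 0
  ret
 .endif
 mov lpHookInfo, eax
 
 and dwByteReturned, 0
 invoke DeviceIoControl, hDevice, IOCTL_GET_HOOKINFO, 0, 0, \
   lpHookInfo, (sizeof HOOK_INFO)*MAX_HOOKS, addr dwByteReturned, NULL
 
 .if eax != 0 && dwByteReturned != 0
  mov eax, dwByteReturned
  .if eax > (sizeof HOOK_INFO)*MAX_HOOKS        ; never walk past our own buffer
   mov eax, (sizeof HOOK_INFO)*MAX_HOOKS
  .endif
  xor edx, edx                                  ; unsigned divide edx:eax / ebx
  mov ebx, sizeof HOOK_INFO
  div ebx
  mov dwHooks, eax
 
  xor ebx, ebx                                  ; ebx = row index
  mov esi, lpHookInfo                           ; esi -> current HOOK_INFO
  .while ebx < dwHooks
   invoke _InsertHookInfo, hList, esi, ebx
   add esi, sizeof HOOK_INFO
   inc ebx
  .endw
 .endif
 
 invoke GlobalFree, lpHookInfo
 ret
_Refresh endp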
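;------------------------------------------------------------------------------
; _InsertHookInfo: append one list-view row for the HOOK_INFO at lpHookInfo.
;   hWnd       - list-view window
;   lpHookInfo - HOOK_INFO record produced by the driver
;   dwNum      - row index
; Columns: 0 hook handle, 1 hook procedure address (base + offset), 2 hook
; type name, 3 module path (resolved in this process only, see
; _GetHookModuleName; stays empty until the hook DLL is loaded here).
; Returns: nothing meaningful.
;------------------------------------------------------------------------------
_InsertHookInfo proc uses esi edi ebx, hWnd:DWORD, lpHookInfo:DWORD, dwNum:DWORD
 LOCAL _lvi : LV_ITEM
 LOCAL _buf[MAX_PATH] : byte
 
 mov esi, lpHookInfo
 assume esi : ptr HOOK_INFO
 lea edi, _buf                       ; scratch text buffer (edi survives the calls below)
 
 ; column 0: handle
 mov _lvi.imask, LVIF_TEXT
 m2m _lvi.iItem, dwNum
 invoke wsprintf, edi, $CTA0("%08X"), [esi].Handle
 mov _lvi.iSubItem, 0
 mov _lvi.pszText, edi
 invoke SendMessage, hWnd, LVM_INSERTITEM, 0, addr _lvi
 
 ; column 1: procedure address = base + offset.
 ; FuncBaseAddr is 0 when the driver could not resolve a base and, as the
 ; driver on this page is written, the raw ihmod value -1 when the hook has
 ; no library module. Adding -1 would print offPfn-1, so both mean "no base".
 mov ebx, [esi].FuncBaseAddr
 .if ebx == -1
  xor ebx, ebx
 .endif
 mov eax, [esi].FuncOffset
 add eax, ebx
 invoke wsprintf, edi, $CTA0("%08X"), eax
 mov _lvi.iSubItem, 1
 mov _lvi.pszText, edi
 invoke SendMessage, hWnd, LVM_SETITEM, 0, addr _lvi
 
 ; column 2: type name. szFlags holds 13 fixed 19-byte entries for
 ; WH_MSGFILTER (-1) .. WH_FOREGROUNDIDLE (11). iHook comes from kernel
 ; memory; anything outside that range must not index past the table.
 mov eax, [esi].iHook
 inc eax                             ; table index = iHook + 1
 .if eax <= 12                       ; unsigned: negative indices fall through
  imul eax, 19
  add eax, offset szFlags
  mov _lvi.pszText, eax
 .else
  mov _lvi.pszText, $CTA0("(unknown)")
 .endif
 mov _lvi.iSubItem, 2
 invoke SendMessage, hWnd, LVM_SETITEM, 0, addr _lvi
 
 ; column 3: module path, only when a base is known
 .if ebx != 0
  mov dword ptr [edi], 0             ; empty string if no module matches
  invoke _GetHookModuleName, ebx, edi
  mov _lvi.iSubItem, 3
  mov _lvi.pszText, edi
  invoke SendMessage, hWnd, LVM_SETITEM, 0, addr _lvi
 .endif
 
 assume esi : nothing
 ret
_InsertHookInfo endp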
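;------------------------------------------------------------------------------
; _GetHookModuleName: copy the full path of the module loaded at dwBaseAddress
; *in the calling process* into lpModuleName (MAX_PATH bytes).
; Uses a Toolhelp module snapshot of this process (process id 0 = caller), so
; a hook DLL can only be named once it has been injected into this process;
; until then the buffer is left untouched (the caller pre-clears it).
; Returns: eax = TRUE if a module matched, FALSE otherwise (including when the
; snapshot itself could not be taken).
;------------------------------------------------------------------------------
_GetHookModuleName proc uses ebx, dwBaseAddress:DWORD, lpModuleName:DWORD
 LOCAL _stModule : MODULEENTRY32
 LOCAL _hSnapshot : DWORD
 
 xor ebx, ebx                        ; ebx = result, FALSE until a match is found
 invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, 0
 .if eax == INVALID_HANDLE_VALUE
  ; snapshot failed: report "no match" rather than iterating with, and then
  ; closing, an invalid handle
  mov eax, ebx
  ret
 .endif
 mov _hSnapshot, eax
 
 invoke RtlZeroMemory, addr _stModule, sizeof _stModule
 mov _stModule.dwSize, sizeof _stModule
 invoke Module32First, _hSnapshot, addr _stModule
 .while eax
  mov eax, _stModule.modBaseAddr
  .if eax == dwBaseAddress
   invoke lstrcpyn, lpModuleName, addr _stModule.szExePath, MAX_PATH
   inc ebx
   .break
  .endif
  invoke Module32Next, _hSnapshot, addr _stModule
 .endw
 invoke CloseHandle, _hSnapshot
 
 mov eax, ebx
 ret
_GetHookModuleName endp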
end start
 
========================== common.inc(用户态程序与驱动共用,分别由 "include common.inc" 和 "include ..\common.inc" 引入)==============
 

include winioctl.inc
; Layout of the win32k HOOK object, as far as this tool needs it. Only the
; commented offsets are touched: _PhkNextValid reads phkNext (14h), iHook (18h)
; and flags (20h); _DispatchControl reads hmodule (0), iHook, offPfn and ihmod.
; The layout is that of the author's (2005, XP-era) win32k build; other builds
; may differ - there is no version check anywhere.
HOOK struct
 hmodule  dd  ?             ; offset 0: reported to user mode as HOOK_INFO.Handle
                            ; and shown as the "hook handle" (the field name is
                            ; misleading; presumably the object's HEAD.h - verify)
 _Z_  dd  4 dup (?)         ; 04h-13h: not used here
 phkNext  dd  ?  ;14h       ; next HOOK in the same chain, 0 at the end
 iHook  dd  ?  ;18h         ; hook type (WH_* value, -1..11)
 offPfn  dd  ?  ;1Ch        ; hook procedure as an offset from the hook DLL's
                            ; base when ihmod >= 0 (presumably the absolute
                            ; address when ihmod is -1; the driver on this page
                            ; does not special-case that)
 flags  dd  ?  ;20h         ; bit 80h: entry no longer valid, skipped by the
                            ; walkers; bit 1: entry of the desktop-global chain
                            ; (presumably HF_DESTROYED / HF_GLOBAL)
 ihmod  dd  ?  ;24h         ; index into the process's ahmodLibLoaded[] table,
                            ; -1 when the hook has no library module
 ptiHooked dd  ?            ; 28h: not used here
 rpdesk  dd  ?              ; 2Ch: not used here
HOOK ends
; Hook types (SetWindowsHookEx idHook values). This is also the index range
; walked by _DispatchControl and, +1, the row index into the user-mode szFlags
; table.
WH_MSGFILTER  equ  -1
WH_JOURNALRECORD equ  0
WH_JOURNALPLAYBACK equ  1
WH_KEYBOARD  equ  2
WH_GETMESSAGE  equ  3
WH_CALLWNDPROC  equ  4
WH_CBT   equ  5
WH_SYSMSGFILTER  equ  6
WH_MOUSE  equ  7
WH_HARDWARE  equ  8
WH_DEBUG  equ  9
WH_SHELL  equ  10
WH_FOREGROUNDIDLE equ  11

; The only IOCTL: no input, output = array of HOOK_INFO. METHOD_BUFFERED, so
; the driver writes into Irp->AssociatedIrp.SystemBuffer and the I/O manager
; copies IoStatus.Information bytes back to the caller.
IOCTL_GET_HOOKINFO equ CTL_CODE(FILE_DEVICE_UNKNOWN, 800h, METHOD_BUFFERED, FILE_READ_ACCESS+FILE_WRITE_ACCESS)
; One record per hook, filled by _DispatchControl and parsed by
; _InsertHookInfo. Addresses are valid in the process that issued the IOCTL.
HOOK_INFO struct
 Handle  dd  ?          ; HOOK.hmodule (see above)
 FuncOffset dd  ?       ; HOOK.offPfn
 FuncBaseAddr dd  ?     ; base of the hook DLL in the calling process
                        ; (ppi->ahmodLibLoaded[ihmod]); 0 when not loaded there
                        ; yet - or the raw ihmod value -1 when the hook has no
                        ; module, as the driver on this page leaves it.
                        ; Consumers should treat both as "no base".
 iHook  dd  ?           ; hook type, -1..11
HOOK_INFO ends
; The user-mode buffer holds this many records; the driver refuses smaller
; output buffers (STATUS_BUFFER_TOO_SMALL).
MAX_HOOKS  equ 100
; Memory-to-memory DWORD move through the stack (x86 has no mem,mem mov).
m2m MACRO M1, M2
 push M2
 pop  M1
ENDM

======================= 资源脚本 (.rc) ====================================
// Resource script for the user-mode tool. The numeric ids below must match the
// DLG_MAIN / IDC_* equates in the .asm (.const section), which is why they are
// repeated here as #defines.
#include "c:\masm32\include\resource.h"
// Resource type 24 = RT_MANIFEST: embeds XpTheme.xml as the application
// manifest (presumably a comctl32 v6 / visual-styles manifest, judging by the name).
1  24  "XpTheme.xml"
#define  DLG_MAIN  1000
#define  IDC_LIST  1001
#define  IDC_REFRESH  1002
// Main window: a report-mode list view filling the dialog plus a Refresh
// button (IDC_REFRESH, handled in DlgProc). Coordinates are dialog units.
DLG_MAIN DIALOG DISCARDABLE  0, 0, 450, 200
STYLE    DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
CAPTION  "枚举全局钩子 v0.0.1 by 一块三毛钱"
FONT     9, "宋体"
BEGIN
    CONTROL         "HookInfo",IDC_LIST,"SysListView32",LVS_REPORT | LVS_NOSORTHEADER | WS_BORDER | WS_TABSTOP,7,7,436,166
    PUSHBUTTON      "刷新(&R)",IDC_REFRESH,398,180,46,14,0
END

 
 
二、驱动源码
;==============================================================================
;
;  作者:一块三毛钱
;  邮箱:zhongts@163.com
;  日期:2005.6.18
;
;  遍历全局钩子
;
;  v0.0.1 (2005.6.18)
;
;      [+] 遍历全局钩子,显示哪些动态库添加了钩子
;          注意:本驱动用硬编码偏移(ETHREAD+130h、THREADINFO+2Ch/40h/0F8h、
;          PROCESSINFO+0A8h 等)直接读 win32k 的未公开结构,_PhkFirstValid/
;          _PhkNextValid 也是从作者当时那个 win32k.sys 版本反汇编抄来的,只能在
;          同一版本上使用,其他版本会读错内存。IOCTL 会把内核地址返回给用户态,
;          设备又是用默认安全描述符创建的,用完就卸载,不要把它留在系统里。
;
;==============================================================================
.386
.model flat, stdcall
option casemap:none
include d:\masm32\include\w2k\ntstatus.inc
include d:\masm32\include\w2k\ntoskrnl.inc
include d:\masm32\include\wxp\wxpundoc.inc
include d:\masm32\Macros\Strings.mac
includelib d:\masm32\lib\w2k\ntoskrnl.lib
include ..\common.inc
_DriverUnload proto :PDRIVER_OBJECT
_DispatchCreateClose proto :PDEVICE_OBJECT,:PIRP
_DispatchControl proto :PDEVICE_OBJECT,:PIRP
_PhkFirstValid proto :DWORD,:DWORD
_PhkNextValid proto :DWORD
.const
 ; Device name and the symbolic link the user-mode tool opens as "\\.\slEnumHook".
 CCOUNTED_UNICODE_STRING "\\Device\\devEnumHook", g_usDeviceName, 4
 CCOUNTED_UNICODE_STRING "\\??\\slEnumHook", g_usSymbolicLinkName, 4
 
.data
; Addresses at which win32k!PhkFirstValid / PhkNextValid were found on the
; author's build - reference only; the driver carries its own copies below.
; lpPhkFirstValid  pFuncProto2  0BF81BB63h
; lpPhkNextValid  pFuncProto1  0BF8DBC6Dh
 
 ; THREADINFO of the thread issuing the current IOCTL. Written by
 ; _DispatchControl, read by _PhkNextValid. A single unsynchronized global:
 ; two threads issuing the IOCTL at the same time race on it.
 _gptiCurrent dd  0
.code
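;------------------------------------------------------------------------------
; DriverEntry: create \Device\devEnumHook, expose it as \??\slEnumHook and
; install the dispatch routines.
; Returns STATUS_SUCCESS, or the NTSTATUS of the call that failed so the
; service controller reports the real cause (a single generic
; STATUS_DEVICE_CONFIGURATION_ERROR for every failure hid it).
; Security note (review): the device gets the default security descriptor
; IoCreateDevice assigns (no SDDL), so it is likely openable by
; non-administrators - confirm the effective DACL. The IOCTL it serves hands
; kernel addresses (HOOK objects) to user mode and walks undocumented win32k
; structures at hard-coded offsets. Restricting the device to administrators
; (IoCreateDeviceSecure + SDDL) is the usual fix, but that needs wdmsec, which
; this build does not link; it is left here as a caveat.
;------------------------------------------------------------------------------
DriverEntry proc uses ebx, pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
 LOCAL status : NTSTATUS
 LOCAL pDeviceObject : PDEVICE_OBJECT
 
; int 3                                   ; commented-out debugger breakpoint
 invoke DbgPrint, $CTA0("EnumHook v0.0.1 by 一块三毛钱 2005.6.18\n")
 
 invoke IoCreateDevice, pDriverObject, 0, addr g_usDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, addr pDeviceObject
 mov status, eax
 .if eax == STATUS_SUCCESS
  invoke IoCreateSymbolicLink, addr g_usSymbolicLinkName, addr g_usDeviceName
  mov status, eax
  .if eax == STATUS_SUCCESS
   mov eax, pDriverObject
   assume eax:ptr DRIVER_OBJECT
   mov [eax].DriverUnload,      offset _DriverUnload
   mov [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)],  offset _DispatchCreateClose
   mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)],  offset _DispatchCreateClose
   mov [eax].MajorFunction[IRP_MJ_DEVICE_CONTROL*(sizeof PVOID)], offset _DispatchControl
   assume eax:nothing
  .else
   ; no link -> nobody can reach the device; undo the creation so a failed
   ; load does not leave a dangling device object behind
   invoke IoDeleteDevice, pDeviceObject
  .endif
 .endif
 mov eax, status
 ret
DriverEntry endp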
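;------------------------------------------------------------------------------
; _DispatchControl: IRP_MJ_DEVICE_CONTROL handler.
; IOCTL_GET_HOOKINFO (METHOD_BUFFERED, no input): fills the output buffer with
; one HOOK_INFO per hook visible to the calling thread - its own thread-local
; hooks and the global hooks of its desktop (presumably pti->aphkStart and
; pti->pDeskInfo->aphkStart, as walked by _PhkFirstValid/_PhkNextValid) - for
; every hook type WH_MSGFILTER (-1) .. WH_FOREGROUNDIDLE (11).
; IoStatus.Information = bytes written. Any other IOCTL -> STATUS_UNSUCCESSFUL.
; Requirements / caveats:
;  * The output buffer must hold at least MAX_HOOKS records, else
;    STATUS_BUFFER_TOO_SMALL. Records are never written past the buffer's
;    actual length: if more hooks exist than fit, the list is silently
;    truncated at the buffer size (the unbounded loop this replaces could
;    overrun SystemBuffer and corrupt pool).
;  * The caller must be a GUI thread. ETHREAD+130h is taken here to be the
;    Win32Thread pointer of the build this was written against; it is NULL
;    for threads that never used win32k, and such a request is refused with
;    STATUS_UNSUCCESSFUL instead of dereferencing NULL.
;  * All offsets (130h, 2Ch, 0A8h, and those inside _PhkFirstValid/
;    _PhkNextValid) are hard-coded for one specific win32k/ntoskrnl build.
;  * _gptiCurrent is a single global shared with _PhkNextValid; concurrent
;    requests from two threads race on it.
;------------------------------------------------------------------------------
_DispatchControl proc uses esi edi ebx,pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
 LOCAL status : NTSTATUS
 LOCAL dwBytesReturned : DWORD
 LOCAL cbOutMax : DWORD               ; OutputBufferLength: hard limit for writes
 
; int 3
 
 and dwBytesReturned, 0
 mov status, STATUS_UNSUCCESSFUL
 mov esi, pIrp
 assume esi : ptr _IRP
 
 IoGetCurrentIrpStackLocation esi
 mov edi, eax
 assume edi : ptr IO_STACK_LOCATION
 mov eax, [edi].Parameters.DeviceIoControl.OutputBufferLength
 mov cbOutMax, eax
 mov eax, [edi].Parameters.DeviceIoControl.IoControlCode
 assume edi : nothing
 
 .if eax==IOCTL_GET_HOOKINFO
  mov eax, sizeof HOOK_INFO
  imul eax, MAX_HOOKS
  .if cbOutMax < eax
   mov status, STATUS_BUFFER_TOO_SMALL
  .else
   mov edi, [esi].AssociatedIrp.SystemBuffer
   assume edi : ptr HOOK_INFO
 
   invoke PsGetCurrentThread
   mov ebx, [eax+130h]                ; Win32Thread -> THREADINFO (build-specific)
   mov _gptiCurrent, ebx
   invoke DbgPrint, $CTA0("ETHREAD:%08X, Win32Thread:%08X\n"), eax, _gptiCurrent
 
   .if ebx == 0
    ; not a GUI thread: there is no THREADINFO to walk
    mov status, STATUS_UNSUCCESSFUL
   .else
    assume esi : nothing
    mov ebx, -1                       ; ebx = hook type, WH_MSGFILTER .. WH_FOREGROUNDIDLE
    .while ebx!=12
     invoke _PhkFirstValid, _gptiCurrent, ebx
     assume eax : ptr HOOK
     .while eax
      ; stop before a record would overrun the caller's buffer
      mov ecx, dwBytesReturned
      add ecx, sizeof HOOK_INFO
      .if ecx > cbOutMax
       .break
      .endif
      push eax                        ; argument for _PhkNextValid below
 
      ; Resolve the hook DLL's base in the *calling* process, mirroring what
      ; win32k's _xxxHkCallHook does: ppi->ahmodLibLoaded[ihmod]. ihmod == -1
      ; means the hook has no library module; report base 0 so the user side
      ; prints offPfn as-is instead of adding -1 to it.
      mov edx, [eax].ihmod
      .if edx == -1
       xor edx, edx
      .else
       mov esi, _gptiCurrent          ; esi -> THREADINFO
       mov esi, [esi+2Ch]             ; esi -> PROCESSINFO (build-specific offset)
       mov edx, [esi+edx*4+0A8h]      ; edx = ppi->ahmodLibLoaded[ihmod]
      .endif
 
      ;-------------------------------------
      m2m [edi].Handle, [eax].hmodule
      m2m [edi].FuncOffset, [eax].offPfn
      mov [edi].FuncBaseAddr, edx
      m2m [edi].iHook, [eax].iHook
      ;-------------------------------------
 
      invoke DbgPrint, $CTA0("Handle:%08X    FuncOffset:%08X    FuncBaseAddr:%08X    iHook:%d    ihmod:%d\n"), \
        [eax].hmodule, [eax].offPfn, edx, [eax].iHook, [eax].ihmod
 
      call _PhkNextValid               ; consumes the pushed HOOK pointer
      add dwBytesReturned, sizeof HOOK_INFO
      add edi, sizeof HOOK_INFO
     .endw
     inc ebx
    .endw
    assume eax : nothing
    assume edi : nothing
 
    mov status, STATUS_SUCCESS
   .endif
  .endif
 .endif
 
 mov esi, pIrp
 assume esi : ptr _IRP
 
 m2m [esi].IoStatus.Status, status
 m2m [esi].IoStatus.Information, dwBytesReturned
 assume esi : nothing
 invoke IoCompleteRequest, pIrp, IO_NO_INCREMENT
 mov eax, status
 ret
_DispatchControl endp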
;------------------------------------------------------------------------------
; _DispatchCreateClose: IRP_MJ_CREATE / IRP_MJ_CLOSE handler. Every caller
; that can reach the device is accepted: the IRP is completed at once with
; STATUS_SUCCESS and zero bytes transferred.
;------------------------------------------------------------------------------
_DispatchCreateClose proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
 mov ecx, pIrp
 assume ecx : ptr _IRP
 and [ecx].IoStatus.Information, 0
 mov [ecx].IoStatus.Status, STATUS_SUCCESS
 assume ecx : nothing
 invoke IoCompleteRequest, pIrp, IO_NO_INCREMENT
 xor eax, eax                        ; = STATUS_SUCCESS (0)
 ret
_DispatchCreateClose endp
;------------------------------------------------------------------------------
; _DriverUnload: tear down in reverse order of DriverEntry - remove the
; \??\slEnumHook link first, then the driver's single device object.
;------------------------------------------------------------------------------
_DriverUnload proc pDriverObject:PDRIVER_OBJECT
 invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName
 mov ecx, pDriverObject
 assume ecx : ptr DRIVER_OBJECT
 mov ecx, [ecx].DeviceObject
 assume ecx : nothing
 invoke IoDeleteDevice, ecx
 ret
_DriverUnload endp
;------------------------------------------------------------------------------
; _PhkFirstValid - first live HOOK of type nFlags as seen by the thread whose
; THREADINFO is pThreadInfo. Taken verbatim from the win32k.sys disassembly
; of the author's build (PhkFirstValid at 0BF81BB63h, see the .data comments);
; every offset below is therefore specific to that build:
;   [pti + nFlags*4 + 0F8h]     thread-local chain head for this hook type
;                               (presumably pti->aphkStart[nFlags+1])
;   [pti + 40h]                 presumably pti->pDeskInfo
;   [deskinfo + nFlags*4 + 14h] desktop-global chain head for this type
;   [hook + 20h] bit 80h        flag marking a hook as no longer valid
;                               (presumably HF_DESTROYED); such a hook is
;                               skipped by delegating to _PhkNextValid
; In : pThreadInfo = THREADINFO*, nFlags = hook type (-1..11)
; Out: eax = HOOK* or 0 when no hook of that type exists
; Clobbers: ecx, edx (plus whatever _PhkNextValid clobbers)
; Do not "clean up" the labels or jumps: keeping it identical to the
; disassembly is what makes it reviewable against the original.
;------------------------------------------------------------------------------
_PhkFirstValid proc pThreadInfo:DWORD, nFlags:DWORD
                mov     ecx, pThreadInfo            ; ecx -> THREADINFO
                mov     edx, nFlags                 ; edx = hook type
                mov     eax, [ecx+edx*4+0F8h]       ; local chain head
                test    eax, eax
                jnz     short loc_BF81BB88          ; found -> check validity
                mov     eax, [ecx+40h]              ; none local: desktop info
                mov     eax, [eax+edx*4+14h]        ; global chain head
                test    eax, eax
                jnz     short loc_BF81BB88
loc_BF81BB84:
                ret                                 ; eax = HOOK* or 0
loc_BF81BB88:
                test    byte ptr [eax+20h], 80h     ; no-longer-valid flag set?
                jz      short loc_BF81BB84          ; no -> this one is it
                push    eax
                call    _PhkNextValid               ; yes -> next valid one
                jmp     short loc_BF81BB84
_PhkFirstValid endp
; 直接取之 win32k.sys 的反汇编代码
_PhkNextValid proc pHook:DWORD
                mov     eax, pHook
loc_BF8DBC75:
                mov     ecx, [eax+14h]
                test    ecx, ecx
                jnz     short loc_BF8DBC9A
                test    byte ptr [eax+20h], 1
                jnz     short loc_BF8DBC5C
                mov     ecx, _gptiCurrent
                mov     eax, [eax+18h]
                mov     ecx, [ecx+40h]
                mov     eax, [ecx+eax*4+14h]
loc_BF8DBC92:
                test    eax, eax
                jnz     short loc_BF8DBC60
loc_BF8DBC96:
                ret
loc_BF8DBC9A:
                mov     eax, ecx
                jmp     short loc_BF8DBC92
loc_BF8DBC5C:
                xor     eax, eax
                jmp     short loc_BF8DBC96
loc_BF8DBC60:
                test    byte ptr [eax+20h], 80h
                jnz     short loc_BF8DBC75
                jmp     short loc_BF8DBC96
_PhkNextValid endp
end DriverEntry

 

本文来自CSDN博客,转载请标明出处:http://blog.csdn.net/correy/archive/2010/06/06/5650569.aspx

  评论这张
 
阅读(166)| 评论(0)
推荐 转载

历史上的今天

在LOFTER的更多文章

评论

<#--最新日志,群博日志--> <#--推荐日志--> <#--引用记录--> <#--博主推荐--> <#--随机阅读--> <#--首页推荐--> <#--历史上的今天--> <#--被推荐日志--> <#--上一篇,下一篇--> <#-- 热度 --> <#-- 网易新闻广告 --> <#--右边模块结构--> <#--评论模块结构--> <#--引用模块结构--> <#--博主发起的投票-->
 
 
 
 
 
 
 
 
 
 
 
 
 
 

页脚

网易公司版权所有 ©1997-2017