编程技术- 一种更激进的Hook实现方案猜想。

原创不原创不清楚，暂定为原创。毕竟windows 大神很多

技术原理。

1	`系统提供服务接口,以dll形式提供，如创建文件CreateFile存在于kernel32.dll,访问网络WSAConnect存在于Ws2_32.dll。API是函数，所在页属性为可读和执行。`

如果把API所在页的**内存页属性改为不可以执行** ，执行API时候就会产生异常，若是能捕获该异常在异常处理程序中就可以获取异常发生的地址，通过地址可以反查询调用的API信息，在从异常中获取参数。同时将该异常所在页的属性改为**可以执行**，将调用地址所在的页设置成**不可以执行**。这样当API执行完之后返回到调用地址时又产生异常，此时在异常处理程序中获取API的返回值。重复以上操作就可以了。
```。
利用Exception 来实现Hook Api。在Exception处理程序里获得参数和返回值。

代码模拟：

PVOID HeapMemory = NULL;
PVOID MainFunctionAddress = NULL;
int RunFunction(int* a, int* b){
    *a = *a + 1;    *b = *b + 1;return *a + *b;
}
 
VOID main(int argc, char* argv[])
{ 
    MainFunctionAddress = GetDbgFunctionPointerAddress(main);
     
    //申请内存属性为读写权限
    HeapMemory = VirtualAlloc(NULL, PAGE_SIZE, MEM_COMMIT | MEM_RESERVE,PAGE_READWRITE);
    int a=1, b=11;
    LPVOID Address = (LPVOID)RunFunction;
    Address = GetDbgFunctionPointerAddress(RunFunction);
    //将RunFunction的内容复制到HeapMemory。
    RtlCopyMemory(HeapMemory, Address, 0x3b);
    ZxDebug(("HeapMemory = %p MainFunctionAddress=%p \n", HeapMemory, MainFunctionAddress));
    __try
    {
        //执行HeapMemory,asmcall jmp r8
        //内存属性为读写，执行函数会产生异常
        for(int i =0 ; i < 3; i++)
            asmcall((PVOID)&a, (PVOID)&b, HeapMemory);
    }__except(FilterException(GetExceptionCode(), GetExceptionInformation()))
    {
        ZxDebug((__FUNCTION__"():: EXCEPTION_EXECUTE_HANDLE\n"));
    }
    ZxDebug((__FUNCTION__"():: a = %d b = %d\n", a, b));
}
 
int FilterException(ULONG ExceptionCode, _EXCEPTION_POINTERS* Exception)
{
    MEMORY_BASIC_INFORMATION Mbi={};
    SIZE_T Size = VirtualQuery(Exception->ExceptionRecord->ExceptionAddress, &Mbi, sizeof(MEMORY_BASIC_INFORMATION));
    DWORD flOldProtect = 0;
    ZxDebug((__FUNCTION__"():: ExceptionAddress:%p \n", Exception->ExceptionRecord->ExceptionAddress));
    if (Exception->ExceptionRecord->ExceptionAddress == HeapMemory)
    {
        assert(ExceptionCode == STATUS_ACCESS_VIOLATION && Mbi.Protect == PAGE_READWRITE);
        assert(Exception->ExceptionRecord->ExceptionAddress == HeapMemory);
        PVOID NextRip = (PVOID)(*(ULONG_PTR*)Exception->ContextRecord->Rsp);
        int a = *(int*)Exception->ContextRecord->Rcx; int b = *(int*)Exception->ContextRecord->Rdx;
        ZxDebug((__FUNCTION__"():: RunFunction(a = %d b= %d) NextRip=%p\n", a, b, NextRip));
        //将HeapMemory内存属性改为可执行。将Main函数改为不可执行
        VirtualProtect(HeapMemory, PAGE_SIZE, PAGE_EXECUTE_READ,&flOldProtect);
        VirtualProtect((PVOID)MainFunctionAddress, PAGE_SIZE, PAGE_READWRITE,&flOldProtect);
    }else
    {
        assert(ExceptionCode == STATUS_ACCESS_VIOLATION && Mbi.Protect == PAGE_READWRITE);
        if ((ULONG_PTR)MainFunctionAddress <= (ULONG_PTR)Exception->ExceptionRecord->ExceptionAddress 
            &&(ULONG_PTR)Exception->ExceptionRecord->ExceptionAddress <= (ULONG_PTR)MainFunctionAddress +PAGE_SIZE)
        {
            int Ret = (Exception->ContextRecord->Rax);
            PVOID NextRip = (PVOID)(*(ULONG_PTR*)Exception->ContextRecord->Rsp);
            ZxDebug((__FUNCTION__"():: (%d)RunFunction(a , b) NextRip=%p\n", Ret, NextRip));
            //将Main函数改为可执行
            VirtualProtect((PVOID)MainFunctionAddress, PAGE_SIZE, PAGE_EXECUTE_READ,&flOldProtect);
            //将HeapMemory内存属性改为不可执行。
            VirtualProtect(HeapMemory, PAGE_SIZE, PAGE_READWRITE,&flOldProtect);
        }
 
    }
 
    return EXCEPTION_CONTINUE_EXECUTION;
}

程序输出

HeapMemory = 0000000000BD0000 MainFunctionAddress=00007FF756A4B480
First-chance exception at 0x00bd0000 in KDemoLog64.exe: 0xC0000005: Access violation at location 0x0000000000bd0000.
FilterException():: ExceptionAddress:0000000000BD0000
FilterException():: RunFunction(a = 1 b= 11) NextRip=00007FF756A4B56A
First-chance exception at 0x00007ff756a4b56a in KDemoLog64.exe: 0xC0000005: Access violation at location 0x00007ff756a4b56a.
FilterException():: ExceptionAddress:00007FF756A4B56A
FilterException():: (14)RunFunction(a , b) NextRip=0000000000EFFB84
First-chance exception at 0x00bd0000 in KDemoLog64.exe: 0xC0000005: Access violation at location 0x0000000000bd0000.
FilterException():: ExceptionAddress:0000000000BD0000
FilterException():: RunFunction(a = 2 b= 12) NextRip=00007FF756A4B56A
First-chance exception at 0x00007ff756a4b56a in KDemoLog64.exe: 0xC0000005: Access violation at location 0x00007ff756a4b56a.
FilterException():: ExceptionAddress:00007FF756A4B56A
FilterException():: (16)RunFunction(a , b) NextRip=0000000000EFFB84
First-chance exception at 0x00bd0000 in KDemoLog64.exe: 0xC0000005: Access violation at location 0x0000000000bd0000.
FilterException():: ExceptionAddress:0000000000BD0000
FilterException():: RunFunction(a = 3 b= 13) NextRip=00007FF756A4B56A
First-chance exception at 0x00007ff756a4b56a in KDemoLog64.exe: 0xC0000005: Access violation at location 0x00007ff756a4b56a.
FilterException():: ExceptionAddress:00007FF756A4B56A
FilterException():: (18)RunFunction(a , b) NextRip=0000000000EFFB84
main():: a = 4 b = 14

难点：如何捕获进程异常。

最后于 2小时前被NoHeart编辑，原因：

更多【编程技术- 一种更激进的Hook实现方案猜想。】相关视频教程：www.yxfzedu.com

编程技术- 一种更激进的Hook实现方案猜想。

技术原理。

相关文章推荐

Markdown Editor

友情链接

课程目录

技术交流QQ群