
钩取API应用实例【NtCreateFile】



#include "stdafx.h"
#include <tchar.h>
#include <io.h>
#define STATUS_SUCCESS      (0x00000000L)   // NT success code; declared here but nothing below reads it

typedef LONG NTSTATUS;   // return type of the native API (ntdef.h is not included, so it is re-declared)

// Counted UTF-16 string as the native API passes it.  Length and MaximumLength are
// BYTE counts (see how NewZwCreateFile fills them: wcslen * sizeof(wchar_t)).
// NOTE(review): the native API does not require Buffer to be NUL-terminated, so
// code that treats it as a C string must bound its copy by Length.
typedef struct _LSA_UNICODE_STRING {
 USHORT Length;
 USHORT MaximumLength;
 PWSTR Buffer;
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;

// Completion status written back by NtCreateFile.  The second field is spelled
// "Infomation" here while the documented NT name is "Information"; nothing in
// this file reads it, so only the layout matters.
typedef struct _IO_STATUS_BLOCK
{
 union {
  NTSTATUS Status;
  PVOID Pointer;
 }DUMMYUNIONNAME;
 ULONG_PTR Infomation;
}IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

// Object description handed to NtCreateFile.  ObjectName is the field the hook
// below inspects (and, for redirected opens, replaces); it holds the NT-form path,
// which is why the hook searches for the drive colon rather than the string start.
typedef struct _OBJECT_ATTRIBUTES
{
 ULONG Length;
 HANDLE RootDirectory;
 PUNICODE_STRING ObjectName;
 ULONG Attributes;
 PVOID SecurityDescriptor;
 PVOID SecurityQualityOfService;
}OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
// Prototype of ntdll!NtCreateFile, used to call the real function through the
// address GetProcAddress returns once the patch bytes have been restored.
typedef
NTSTATUS
(NTAPI
 *PFZWCREATEFILE)(
  OUT PHANDLE FileHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  OUT PIO_STATUS_BLOCK IoStatusBlock,
  IN PLARGE_INTEGER AllocationSize OPTIONAL,
  IN ULONG FileAttributes,
  IN ULONG ShareAccess,
  IN ULONG CreateDisposition,
  IN ULONG CreateOptions,
  IN PVOID EaBuffer OPTIONAL,
  IN ULONG EaLength
  );

#define DEF_NTDLL                       ("ntdll.dll")
#define DEF_ZWCREATEFILE    ("NtCreateFile")   // the macro says "Zw" but the export patched is NtCreateFile


// global variable (in sharing memory)
// ".SHARE" is a read/write/SHARED section: every process that loads this DLL maps the
// same g_szProcName and suffix.  Nothing locks them, and any such process can overwrite
// them (SetProcName below writes g_szProcName directly), so treat their contents as
// untrusted input inside the hook.
#pragma comment(linker, "/SECTION:.SHARE,RWS")
#pragma data_seg(".SHARE")
TCHAR g_szProcName[MAX_PATH] = {0};   // path of the last *.cue opened through the hook, or the value given to SetProcName
wchar_t suffix[MAXBYTE] = L"apeflacwavwvtakaac";   // audio extensions; NewZwCreateFile matches against this with wcsstr(), i.e. as a substring
#pragma data_seg()

BYTE g_pOrgBytes[5] = { 0, };   // original first 5 bytes of NtCreateFile saved by hook_by_code; per-process (outside the shared section)

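// Overwrite the first 5 bytes of szDllName!szFuncName with a JMP rel32 to pfnNew,
// saving the displaced bytes into pOrgBytes (5 bytes, caller-owned) for unhook_by_code.
//
// Returns FALSE when the module or export cannot be resolved, when the function
// already starts with 0xE9 (a hook is in place; never stack a second one), or when
// the page cannot be made writable.  Returns TRUE once the patch is written.
//
// The displacement is computed in DWORD, so this only works in a 32-bit build;
// a 64-bit pointer would be truncated.  Nothing here serializes against other
// threads executing the prologue while it is rewritten.  A patched prologue of
// this kind is exactly what integrity checks that compare a loaded module's code
// with its on-disk image are designed to report.
BOOL hook_by_code(LPCSTR szDllName, LPCSTR szFuncName, PROC pfnNew, PBYTE pOrgBytes)
{
 FARPROC pfnOrg;
 HMODULE hMod;
 DWORD dwOldProtect, dwAddress;
 BYTE pBuf[5] = { 0xE9, 0, };
 PBYTE pByte;

 if (pfnNew == NULL || pOrgBytes == NULL)
  return FALSE;

 // the original dereferenced these results unchecked; a missing module or export crashed
 hMod = GetModuleHandleA(szDllName);
 if (hMod == NULL)
  return FALSE;
 pfnOrg = GetProcAddress(hMod, szFuncName);
 if (pfnOrg == NULL)
  return FALSE;
 pByte = (PBYTE)pfnOrg;

 // already patched: refuse, otherwise pOrgBytes would capture our own JMP
 if (pByte[0] == 0xE9)
 {
  return FALSE;
 }

 if (!VirtualProtect((LPVOID)pfnOrg, 5, PAGE_EXECUTE_READWRITE, &dwOldProtect))
  return FALSE;

 memcpy(pOrgBytes, pfnOrg, 5);   // keep the displaced bytes for unhook_by_code

 // rel32 = target - (address of the byte after the 5-byte JMP)
 dwAddress = (DWORD)pfnNew - (DWORD)pfnOrg - 5;
 memcpy(&pBuf[1], &dwAddress, 4);

 memcpy(pfnOrg, pBuf, 5);

 // restore the previous protection; a failure here leaves the page RWX but the hook is in place
 VirtualProtect((LPVOID)pfnOrg, 5, dwOldProtect, &dwOldProtect);
 return TRUE;
}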


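// Restore the 5 bytes saved by hook_by_code over szDllName!szFuncName.
//
// Returns FALSE when the module or export cannot be resolved, when the function
// does not start with 0xE9 (no hook is installed, so there is nothing to undo),
// or when the page cannot be made writable; TRUE once the bytes are written back.
// pOrgBytes must point at the 5 bytes hook_by_code filled in.
BOOL unhook_by_code(LPCSTR szDllName, LPCSTR szFuncName, PBYTE pOrgBytes)
{
 FARPROC pFunc;
 HMODULE hMod;
 DWORD dwOldProtect;
 PBYTE pByte;

 if (pOrgBytes == NULL)
  return FALSE;

 // the original dereferenced these results unchecked
 hMod = GetModuleHandleA(szDllName);
 if (hMod == NULL)
  return FALSE;
 pFunc = GetProcAddress(hMod, szFuncName);
 if (pFunc == NULL)
  return FALSE;
 pByte = (PBYTE)pFunc;

 if (pByte[0] != 0xE9)
  return FALSE;   // not hooked

 if (!VirtualProtect((LPVOID)pFunc, 5, PAGE_EXECUTE_READWRITE, &dwOldProtect))
  return FALSE;

 memcpy(pFunc, pOrgBytes, 5);

 VirtualProtect((LPVOID)pFunc, 5, dwOldProtect, &dwOldProtect);

 return TRUE;
}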

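// Replacement for ntdll!NtCreateFile installed by hook_by_code().
//
// Behaviour (same as the original):
//  - an open of "*.cue" records the cue sheet's path in g_szProcName;
//  - an open of a file whose extension occurs in `suffix` and which does not exist
//    on disk is redirected to g_szProcName with its extension replaced by the
//    requested one (the audio file that shares the cue sheet's base name).
// Every other call is passed straight through to the real NtCreateFile and its
// status is returned unchanged.
//
// Defects fixed relative to the original:
//  - the UNICODE_STRING was copied with wcscpy_s using Length (a BYTE count) as the
//    element count and without bounding to MAX_PATH, so an over-long path could
//    overrun the stack buffer; it is now copied by element count and rejected
//    when it does not fit;
//  - the replacement UNICODE_STRING was declared in an inner block but used after
//    that block ended, and the CALLER's OBJECT_ATTRIBUTES was modified to point at
//    it; a private copy of the attributes is now passed to the real call instead;
//  - a path without ':' produced wcsrchr()==NULL minus one; it is now checked;
//  - FindFirstFile's handle was never closed on success and CloseHandle was called
//    on INVALID_HANDLE_VALUE on failure; FindClose is now used on success only;
//  - the wcscpy_s sizes into g_szProcName were byte counts; they are element counts;
//  - a NULL result from GetProcAddress is reported instead of being called.
//
// Still not addressed (as in the original): there is no synchronization, so while
// the patch is removed another thread reaches the real NtCreateFile unhooked, and
// two threads entering here at once race on the patch bytes and on g_szProcName,
// which lives in a section shared with every other process that loaded the DLL.
// The `suffix` check is a substring match, so "fla" or "a" also qualify.
NTSTATUS WINAPI NewZwCreateFile(
 OUT PHANDLE FileHandle,
 IN ACCESS_MASK DesiredAccess,
 IN POBJECT_ATTRIBUTES ObjectAttributes,
 OUT PIO_STATUS_BLOCK IoStatusBlock,
 IN PLARGE_INTEGER AllocationSize OPTIONAL,
 IN ULONG FileAttributes,
 IN ULONG ShareAccess,
 IN ULONG CreateDisposition,
 IN ULONG CreateOptions,
 IN PVOID EaBuffer OPTIONAL,
 IN ULONG EaLength
 )
{
 NTSTATUS status;
 FARPROC pFunc;
 OBJECT_ATTRIBUTES localAttr;   // private copy handed to the real call when redirecting
 UNICODE_STRING newName;        // referenced by localAttr, so it must live until the real call returns
 wchar_t szPath[MAX_PATH] = { 0, };
 // STATUS_UNSUCCESSFUL; ntstatus.h is not included in this file, so the value is spelled out
 const NTSTATUS kStatusUnsuccessful = (NTSTATUS)0xC0000001L;

 // put the original prologue back so the call at the bottom reaches the real function
 unhook_by_code(DEF_NTDLL, DEF_ZWCREATEFILE, g_pOrgBytes);

 if (ObjectAttributes && ObjectAttributes->ObjectName
  && ObjectAttributes->ObjectName->Length && ObjectAttributes->ObjectName->Buffer)
 {
  // Length is in bytes and Buffer need not be NUL-terminated
  size_t cchName = ObjectAttributes->ObjectName->Length / sizeof(wchar_t);

  if (cchName < MAX_PATH)
  {
   wchar_t *pBase;
   wchar_t *pExt = NULL;

   wcsncpy_s(szPath, MAX_PATH, ObjectAttributes->ObjectName->Buffer, cchName);

   // extension = text after the last '.' that follows the last '\'
   pBase = wcsrchr(szPath, L'\\');
   if (pBase)
    pExt = wcsrchr(pBase, L'.');

   if (pExt)
   {
    pExt++;
    if (wcscmp(pExt, L"cue") == 0)
    {
     // remember the cue sheet; later audio opens are resolved against it
     wcscpy_s(g_szProcName, MAX_PATH, szPath);
    }
    else if (wcsstr(suffix, pExt) != NULL)
    {
     // the NT path carries a prefix before "C:\..."; FindFirstFile wants the
     // Win32 form, which starts one character before the drive colon
     wchar_t *pColon = wcsrchr(szPath, L':');

     if (pColon != NULL && pColon > szPath)
     {
      WIN32_FIND_DATA FindFileData;
      HANDLE hFind = FindFirstFile(pColon - 1, &FindFileData);

      if (hFind != INVALID_HANDLE_VALUE)
      {
       FindClose(hFind);   // the file exists: nothing to redirect
      }
      else if (wcslen(g_szProcName))
      {
       wchar_t *pDot = wcsrchr(g_szProcName, L'.');

       if (pDot)
       {
        size_t cchUsed = (size_t)(pDot + 1 - g_szProcName);

        // replace the cue sheet's extension with the requested one, in place
        if (cchUsed < MAX_PATH && wcscpy_s(pDot + 1, MAX_PATH - cchUsed, pExt) == 0)
        {
         newName.Buffer = g_szProcName;
         newName.Length = (USHORT)(wcslen(g_szProcName) * sizeof(wchar_t));
         newName.MaximumLength = (USHORT)(newName.Length + sizeof(wchar_t));

         localAttr = *ObjectAttributes;
         localAttr.ObjectName = &newName;
         ObjectAttributes = &localAttr;   // the caller's struct is left untouched
         Sleep(0);   // kept from the original; yields the time slice
        }
       }
      }
     }
    }
   }
  }
 }

 pFunc = GetProcAddress(GetModuleHandleA(DEF_NTDLL), DEF_ZWCREATEFILE);
 if (pFunc == NULL)
 {
  status = kStatusUnsuccessful;
 }
 else
 {
  status = ((PFZWCREATEFILE)pFunc)(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
   AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
 }
 Sleep(0);   // kept from the original
 hook_by_code(DEF_NTDLL, DEF_ZWCREATEFILE, (PROC)NewZwCreateFile, g_pOrgBytes);
 return status;
}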


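// DLL entry point.  Installs the NtCreateFile patch on process attach and removes it
// on detach, but only when the host executable is foobar2000.exe; any other host
// loads the DLL untouched.  Always returns TRUE.
//
// Fix over the original: it computed strrchr(...) + 1 and then tested the result
// for NULL, which can never be true, so a module path without a backslash would
// have dereferenced an invalid pointer.  The return of GetModuleFileNameA is
// checked as well.  hinstDLL and lpvReserved are not used.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
 char            szCurProc[MAX_PATH] = { 0, };
 const char      *pBase = NULL;

 if (GetModuleFileNameA(NULL, szCurProc, MAX_PATH) == 0)
  return TRUE;

 // base name = text after the last '\'; the whole string when there is none
 pBase = strrchr(szCurProc, '\\');
 pBase = (pBase != NULL) ? pBase + 1 : szCurProc;

 if (_stricmp(pBase, "foobar2000.exe") != 0)
  return TRUE;

 switch (fdwReason)
 {
  // #2. API Hooking
 case DLL_PROCESS_ATTACH:
  hook_by_code(DEF_NTDLL, DEF_ZWCREATEFILE,
   (PROC)NewZwCreateFile, g_pOrgBytes);
  break;

  // #3. API Unhooking
 case DLL_PROCESS_DETACH:
  unhook_by_code(DEF_NTDLL, DEF_ZWCREATEFILE,
   g_pOrgBytes);
  break;

 default:
  break;   // thread attach/detach: nothing to do
 }

 return TRUE;
}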


#ifdef __cplusplus
extern "C" {
#endif
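// Exported setter for g_szProcName (the path NewZwCreateFile redirects missing
// audio files to).  Writes into the shared section, so the value becomes visible
// to every process that has this DLL loaded.  The copy is bounded to MAX_PATH;
// a NULL argument is ignored rather than handed to the CRT, which would invoke
// the invalid-parameter handler.
__declspec(dllexport) void SetProcName(LPCTSTR szProcName)
{
 if (szProcName == NULL)
  return;
 _tcscpy_s(g_szProcName, MAX_PATH, szProcName);
}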
#ifdef __cplusplus
}
#endif


原文地址:http://www.cnblogs.com/DJ0322/p/4853077.html
