
IATHook

IAT Hook 即修改 PE 文件的输入表(IAT),把目标函数在表中的地址替换成我们自己函数的地址,使程序调用该函数时执行我们的代码(这里以 MessageBoxA 为例)。它既可用来 HOOK 自身的 LoadLibrary 函数,防止自身进程被 DLL 注入;也可以通过 DLL 注入的方式,修改其他进程的行为。

IATDll.dll

// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include <Windows.h>


// Signature of user32!MessageBoxA; used to call through to the real function once its IAT slot has been replaced.
typedef int (WINAPI* lPMessageBoxA)(HWND, LPCSTR , LPCSTR, UINT);
// Address of the real MessageBoxA, resolved with GetProcAddress inside IATHook() before the IAT is patched.
// Stays NULL until IATHook() has run.
lPMessageBoxA 原来的MessageBox = NULL;

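// Replacement for MessageBoxA that IATHook() writes into the host EXE's IAT.
// Forwards to the real MessageBoxA with the message text replaced by "textgai" so the
// hook's effect is visible; hWnd, lpCaption and uType pass through unchanged.
// Returns the real function's result, or 0 (MessageBoxA's own failure value) when the
// original address was never resolved — the original code called a NULL pointer in that case.
int WINAPI MyMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType) {
    (void)lpText; // deliberately ignored: the demo substitutes the text
    if (原来的MessageBox == NULL) {
        return 0;
    }
    return 原来的MessageBox(hWnd, "textgai", lpCaption, uType);
}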

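// Returns the IMAGE_NT_HEADERS of the current process's main module (the EXE this DLL was
// loaded into), or NULL if the module handle cannot be obtained or the DOS/NT signatures do
// not match. The offset is applied with byte-pointer arithmetic rather than DWORD casts, so
// the pointer is not truncated on 64-bit builds as it was in the original.
PIMAGE_NT_HEADERS GetNthead() {
    HMODULE base = GetModuleHandle(NULL);
    if (base == NULL) {
        return NULL;
    }
    PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)base;
    if (dos->e_magic != IMAGE_DOS_SIGNATURE) {
        return NULL;
    }
    // e_lfanew is the offset of the NT headers from the image base.
    PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)((BYTE*)dos + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE) {
        return NULL;
    }
    return nt;
}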

// Patches the host EXE's Import Address Table so that its MessageBoxA slot points at
// MyMessageBoxA. Only the main module's IAT is walked (GetModuleHandle(NULL)), so MessageBoxA
// calls made from other loaded modules, or resolved at runtime through GetProcAddress, are not
// affected. 32-bit only as written: addresses are cast to DWORD and the patched slot is 4 bytes.
// For defenders: the observable sequence is GetProcAddress on the target import, a
// VirtualProtect that makes an IAT page writable, and a write into that page.
void IATHook() {
    // Resolve the real MessageBoxA: this is the value searched for in the IAT and the
    // address MyMessageBoxA forwards to. A NULL result is not checked; the inner loop
    // would then simply never match, since it stops at a zero entry.
    原来的MessageBox = (lPMessageBoxA)GetProcAddress(GetModuleHandleA("user32.dll"), "MessageBoxA");
    // NT headers of the host image.
    PIMAGE_NT_HEADERS pNtHead = GetNthead();
    // File header (not used below).
    PIMAGE_FILE_HEADER pFileHead = &pNtHead->FileHeader;
    // Optional header, which holds the data directories.
    PIMAGE_OPTIONAL_HEADER pOpHead = &pNtHead->OptionalHeader;

    HMODULE hmod = GetModuleHandle(NULL);
    DWORD 基地址 = (DWORD)hmod;
    // RVA of the import directory: DataDirectory[1] is IMAGE_DIRECTORY_ENTRY_IMPORT.
    // (The original comment called this the export table; index 1 is the import table.)
    DWORD RVA = pOpHead->DataDirectory[1].VirtualAddress;
    PIMAGE_IMPORT_DESCRIPTOR 导入表 = (PIMAGE_IMPORT_DESCRIPTOR)(基地址 + RVA);

    // One IMAGE_IMPORT_DESCRIPTOR per imported DLL; the array ends with a zeroed entry.
    while (导入表->FirstThunk) // FirstThunk: RVA of this DLL's IAT
    {
        PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)(基地址 + 导入表->FirstThunk);
        // Each thunk holds one resolved import address; the array is zero-terminated.
        while (pThunk->u1.Function)
        {
            if (pThunk->u1.Function == (DWORD)原来的MessageBox) // this slot holds the resolved MessageBoxA
            {
                DWORD oldProtected;

                // The IAT page is normally read-only; make the slot writable for the patch.
                // 4 == size of a 32-bit pointer. VirtualProtect's result is not checked.
                VirtualProtect((LPVOID)&pThunk->u1.Function, 4, PAGE_EXECUTE_READWRITE, &oldProtected);
                pThunk->u1.Function = (DWORD)MyMessageBoxA; // redirect the import
                // Restore the previous page protection.
                VirtualProtect((LPVOID)&pThunk->u1.Function, 4, oldProtected, &oldProtected);
            }
            pThunk++;
        }
        导入表++;
    }

}



// DLL entry point. The IAT patch is installed as soon as the DLL is mapped into the process
// (DLL_PROCESS_ATTACH); thread attach/detach and process detach do nothing, so the hook is
// never removed. Always reports success to the loader.
// NOTE(review): IATHook() therefore runs while the loader lock is held — Microsoft documents
// only a limited set of calls as safe from DllMain; confirm the ones IATHook makes are acceptable.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        IATHook();
    }
    return TRUE;
}
#include <stdio.h>
#include <windows.h>
#include <TlHelp32.h>

#include <winbase.h>
#include <tchar.h>
#include <wchar.h>

/* Function-pointer type for ntdll's ZwCreateThreadEx, which the SDK headers presumably do not
 * declare — InjectDll resolves it at runtime with GetProcAddress. The x64 and x86 parameter
 * lists differ, hence the two variants; the parameter names are the author's. The callers pass
 * 0/NULL for the trailing parameters and ignore the return value, inferring success only from
 * whether ThreadHandle was filled in. */
#ifdef _WIN64
typedef DWORD(WINAPI* MyZwCreateThreadEx)(
    PHANDLE ThreadHandle,
    ACCESS_MASK DesiredAccess,
    LPVOID ObjectAttributes,
    HANDLE ProcessHandle,
    LPTHREAD_START_ROUTINE lpStartAddress,
    LPVOID lpParameter,
    ULONG CreateThreadFlags,
    SIZE_T ZeroBits,
    SIZE_T StackSize,
    SIZE_T MaximumStackSize,
    LPVOID pUnkown);
#else
typedef DWORD(WINAPI* MyZwCreateThreadEx)(
    PHANDLE ThreadHandle,
    ACCESS_MASK DesiredAccess,
    LPVOID ObjectAttributes,
    HANDLE ProcessHandle,
    LPTHREAD_START_ROUTINE lpStartAddress,
    LPVOID lpParameter,
    BOOL CreateSuspended,
    DWORD dwStackSize,
    DWORD dw1,
    DWORD dw2,
    LPVOID pUnkown);
#endif

/* Loads szDllPath into process dwPID by writing the path into the target's address space and
 * starting a thread there at kernel32!LoadLibraryA (the classic remote-thread sequence:
 * OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> remote thread). Returns FALSE if the
 * process cannot be opened or no thread handle comes back, TRUE otherwise.
 * Limitations visible in the code: VirtualAllocEx, WriteProcessMemory and both GetProcAddress
 * results are used unchecked; on the thread-failure path hProcess, the remote buffer and the
 * ntdll reference are not released, and the remote buffer is never freed on the success path
 * either. dwBufSize is computed with _tcslen/TCHAR although szDllPath is a char* and
 * LoadLibraryA expects ANSI, so the size is only right in a non-UNICODE build.
 * For defenders: a PROCESS_ALL_ACCESS handle to another process followed by a thread started at
 * LoadLibraryA is the pattern remote-thread-creation telemetry is commonly built around. */
BOOL InjectDll(DWORD dwPID, char* szDllPath)
{
    HANDLE hProcess = NULL, hThread = NULL; /* hThread stays NULL unless ZwCreateThreadEx fills it */
    LPVOID pRemoteBuf;
    DWORD dwBufSize = (DWORD)(_tcslen(szDllPath) + 1) * sizeof(TCHAR);
    LPTHREAD_START_ROUTINE pThreadProc;
    // 1. Open the target process by PID.
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
    if (hProcess == NULL)
    {
        printf("OpenProcess(%d) failed!!!\n", dwPID);
        return FALSE;
    }
    printf("OpenProcess(%d) SUCCESS!!!\n", dwPID);
    // 2. Allocate room for the DLL path in the target (result unchecked).
    pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT, PAGE_READWRITE);
    // 3. Copy the path into that allocation (result unchecked).
    WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)szDllPath, dwBufSize, NULL);
    // 4. Resolve ZwCreateThreadEx from ntdll and LoadLibraryA from kernel32 (results unchecked).
    HMODULE ntdll = LoadLibraryA("ntdll.dll");
    MyZwCreateThreadEx ZwCreateThreadEx = (MyZwCreateThreadEx)GetProcAddress(ntdll, "ZwCreateThreadEx");
    pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
    // 5. Start a thread in the target at LoadLibraryA with the remote path as its argument.
    ZwCreateThreadEx(&hThread, PROCESS_ALL_ACCESS, NULL, hProcess, pThreadProc, pRemoteBuf, 0, 0, 0, 0, NULL);
    if (hThread == NULL)
    {
        printf("(%d)进程创建远线程失败 !!!\n", dwPID);
        return FALSE; /* hProcess, pRemoteBuf and ntdll leak here */
    }
    // Wait up to 5 s for the remote LoadLibraryA to finish; a timeout is treated like success.
    WaitForSingleObject(hThread, 5000);

    CloseHandle(hThread);
    CloseHandle(hProcess);
    FreeLibrary(ntdll);
    return TRUE;
}


/* Entry point of the simple injector: injects a hard-coded DLL path into the hard-coded PID
 * 12656. The commented-out block shows the intended argv handling (PID from argv[1]); as
 * written, argc/argv are unused. `void main` is not a standard signature (int is expected),
 * and the path literal is passed to a char* parameter. */
void main(int argc, char* argv[]) {

    // Intended command-line handling, disabled by the author:
    //if (argc != 2)
    //{
    // printf("请输入pid");
    // return;
    //}
    //int pid = atol(argv[1]);
    InjectDll(12656, "C:\\Users\\test\\Desktop\\IATDll.dll");
}

注入工具

#include <stdio.h>
#include <windows.h>
#include <TlHelp32.h>

#include <winbase.h>
#include <tchar.h>
#include <wchar.h>


/* Function-pointer type for ntdll's ZwCreateThreadEx, which the SDK headers presumably do not
 * declare — InjectDll and EjectDll resolve it at runtime with GetProcAddress. The x64 and x86
 * parameter lists differ, hence the two variants; the parameter names are the author's. The
 * callers pass 0/NULL for the trailing parameters and ignore the return value, inferring
 * success only from whether ThreadHandle was filled in. */
#ifdef _WIN64
typedef DWORD(WINAPI* MyZwCreateThreadEx)(
    PHANDLE ThreadHandle,
    ACCESS_MASK DesiredAccess,
    LPVOID ObjectAttributes,
    HANDLE ProcessHandle,
    LPTHREAD_START_ROUTINE lpStartAddress,
    LPVOID lpParameter,
    ULONG CreateThreadFlags,
    SIZE_T ZeroBits,
    SIZE_T StackSize,
    SIZE_T MaximumStackSize,
    LPVOID pUnkown);
#else
typedef DWORD(WINAPI* MyZwCreateThreadEx)(
    PHANDLE ThreadHandle,
    ACCESS_MASK DesiredAccess,
    LPVOID ObjectAttributes,
    HANDLE ProcessHandle,
    LPTHREAD_START_ROUTINE lpStartAddress,
    LPVOID lpParameter,
    BOOL CreateSuspended,
    DWORD dwStackSize,
    DWORD dw1,
    DWORD dw2,
    LPVOID pUnkown);
#endif

/* Signature of the SetPid export that _tmain looks up in the DLL named on the command line and
 * calls with the PID from argv[2] before injection. The IAT DLL listed earlier on this page
 * exports no SetPid, so GetProcAddress would return NULL for it; the DLL used with this tool
 * must provide that export. */
typedef void(*SetPid)(DWORD);
/* Mode selector for InjectAllProcess: -i (the default) injects, -e ejects. */
enum { INJECTION_MODE = 0, EJECTION_MODE };

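/* Enables (bEnablePrivilege == TRUE) or disables the named privilege, e.g. SE_DEBUG_NAME, in the
 * current process token. Follows the MSDN sample; the difference is that the token handle is now
 * closed on every path (the original never closed it).
 * Returns TRUE on success. Returns FALSE, after printing the Win32 error, when the token cannot be
 * opened, the privilege name is unknown, AdjustTokenPrivileges fails, or it succeeds but reports
 * ERROR_NOT_ALL_ASSIGNED (the token does not hold the privilege). */
BOOL SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
    TOKEN_PRIVILEGES tp;
    HANDLE hToken = NULL;
    LUID luid;

    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                          &hToken))
    {
        printf("OpenProcessToken error: %u\n", GetLastError());
        return FALSE;
    }

    if (!LookupPrivilegeValue(NULL,          // lookup privilege on local system
                              lpszPrivilege, // privilege to lookup
                              &luid))        // receives LUID of privilege
    {
        printf("LookupPrivilegeValue error: %u\n", GetLastError());
        CloseHandle(hToken);
        return FALSE;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

    // Enable the privilege or disable all privileges.
    BOOL adjusted = AdjustTokenPrivileges(hToken,
                                          FALSE,
                                          &tp,
                                          sizeof(TOKEN_PRIVILEGES),
                                          (PTOKEN_PRIVILEGES)NULL,
                                          (PDWORD)NULL);
    // AdjustTokenPrivileges can return TRUE and still set ERROR_NOT_ALL_ASSIGNED, so the
    // error code is captured before CloseHandle has a chance to disturb it.
    DWORD err = GetLastError();
    CloseHandle(hToken);

    if (!adjusted)
    {
        printf("AdjustTokenPrivileges error: %u\n", err);
        return FALSE;
    }

    if (err == ERROR_NOT_ALL_ASSIGNED)
    {
        printf("The token does not have the specified privilege. \n");
        return FALSE;
    }

    return TRUE;
}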

/* Loads szDllPath into process dwPID by writing the path into the target's address space and
 * starting a thread there at kernel32!LoadLibraryA (the classic remote-thread sequence:
 * OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> remote thread). Returns FALSE if the
 * process cannot be opened or no thread handle comes back, TRUE otherwise.
 * Limitations visible in the code: VirtualAllocEx, WriteProcessMemory and both GetProcAddress
 * results are used unchecked; on the thread-failure path hProcess, the remote buffer and the
 * ntdll reference are not released, and the remote buffer is never freed on the success path
 * either. dwBufSize is sized in TCHARs while the remote thread runs LoadLibraryA (ANSI), so the
 * two only agree in a non-UNICODE build.
 * For defenders: a PROCESS_ALL_ACCESS handle to another process followed by a thread started at
 * LoadLibraryA is the pattern remote-thread-creation telemetry is commonly built around. */
BOOL InjectDll(DWORD dwPID, LPCTSTR szDllPath)
{
    HANDLE hProcess = NULL, hThread = NULL; /* hThread stays NULL unless ZwCreateThreadEx fills it */
    LPVOID pRemoteBuf;
    DWORD dwBufSize = (DWORD)(_tcslen(szDllPath) + 1) * sizeof(TCHAR);
    LPTHREAD_START_ROUTINE pThreadProc;
    // 1. Open the target process by PID.
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
    if (hProcess == NULL)
    {
        printf("OpenProcess(%d) failed!!!\n", dwPID);
        return FALSE;
    }
    printf("OpenProcess(%d) SUCCESS!!!\n", dwPID);
    // 2. Allocate room for the DLL path in the target (result unchecked).
    pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT, PAGE_READWRITE);
    // 3. Copy the path into that allocation (result unchecked).
    WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)szDllPath, dwBufSize, NULL);
    // 4. Resolve ZwCreateThreadEx from ntdll and LoadLibraryA from kernel32 (results unchecked).
    HMODULE ntdll = LoadLibraryA("ntdll.dll");
    MyZwCreateThreadEx ZwCreateThreadEx = (MyZwCreateThreadEx)GetProcAddress(ntdll, "ZwCreateThreadEx");
    pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
    // 5. Start a thread in the target at LoadLibraryA with the remote path as its argument.
    ZwCreateThreadEx(&hThread, PROCESS_ALL_ACCESS, NULL, hProcess, pThreadProc, pRemoteBuf, 0, 0, 0, 0, NULL);
    if (hThread == NULL)
    {
        printf("(%d)进程创建远线程失败 !!!\n", dwPID);
        return FALSE; /* hProcess, pRemoteBuf and ntdll leak here */
    }
    // Wait up to 5 s for the remote LoadLibraryA to finish; a timeout is treated like success.
    WaitForSingleObject(hThread, 5000);

    CloseHandle(hThread);
    CloseHandle(hProcess);
    FreeLibrary(ntdll);
    return TRUE;
}

/* Unloads szDllPath from process dwPID: takes a module snapshot of the target, looks for a module
 * whose short name or full path matches szDllPath (case-insensitive), then starts a thread in the
 * target at kernel32!FreeLibrary with that module's base address as the argument.
 * Returns TRUE once that thread has finished (the wait is INFINITE); FALSE when the snapshot
 * fails, the module is not loaded in the target, or the process cannot be opened.
 * Limitations visible in the code: on the thread-failure path hProcess, hSnapshot and the ntdll
 * reference are not released; both GetProcAddress results are used unchecked; the local `p` is
 * never used. */
BOOL EjectDll(DWORD dwPID, LPCTSTR szDllPath)
{
    BOOL bMore = FALSE, bFound = FALSE;
    HANDLE hSnapshot, hProcess = NULL, hThread = NULL; /* hThread stays NULL unless ZwCreateThreadEx fills it */
    MODULEENTRY32 me = { sizeof(me) };
    LPTHREAD_START_ROUTINE pThreadProc;

    // Enumerate the modules loaded in the target process.
    if (INVALID_HANDLE_VALUE == (hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID)))
        return FALSE;

    bMore = Module32First(hSnapshot, &me);
    LPCSTR p = NULL; /* unused */
    // Match either the module's short name or its full path; `me` keeps the matching entry.
    for (; bMore; bMore = Module32Next(hSnapshot, &me))
    {
        if (!_tcsicmp(me.szModule, szDllPath) ||
            !_tcsicmp(me.szExePath, szDllPath))
        {
            bFound = TRUE;
            break;
        }
    }

    if (!bFound)
    {
        CloseHandle(hSnapshot);
        return FALSE;
    }

    if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)))
    {
        CloseHandle(hSnapshot);
        return FALSE;
    }

    // FreeLibrary takes an HMODULE, which is the module base address found above.
    pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32.dll"),"FreeLibrary");

    HMODULE ntdll = LoadLibraryA("ntdll.dll");
    MyZwCreateThreadEx ZwCreateThreadEx = (MyZwCreateThreadEx)GetProcAddress(ntdll, "ZwCreateThreadEx");

    ZwCreateThreadEx(&hThread, PROCESS_ALL_ACCESS, NULL, hProcess,
        pThreadProc, me.modBaseAddr, 0, 0, 0, 0, NULL);
    if (hThread == NULL)
    {
        printf("(%d)进程创建远线程失败 !!!\n", dwPID);
        return FALSE; /* hProcess, hSnapshot and ntdll leak here */
    }
    // Block until the remote FreeLibrary returns; no timeout.
    WaitForSingleObject(hThread, INFINITE);
    printf("(%d)卸载DLL完成 !!!\n", dwPID);

    CloseHandle(hThread);
    CloseHandle(hProcess);
    CloseHandle(hSnapshot);
    FreeLibrary(ntdll);
    return TRUE;
}

/* Applies InjectDll or EjectDll (selected by nMode) to every process in a system-wide snapshot,
 * skipping PIDs below 100. Always returns TRUE; per-process failures are dropped silently.
 * The snapshot handle is not validated and the result of Process32First is ignored. The second
 * argument of CreateToolhelp32Snapshot is a DWORD, so NULL is being passed where 0 is meant.
 * Note that despite the "<process id>" usage text in _tmain, no PID is passed in here: every
 * process in the snapshot is touched. */
BOOL InjectAllProcess(int nMode, LPCTSTR szDllPath)
{
    DWORD dwPID = 0;
    HANDLE hSnapShot = INVALID_HANDLE_VALUE;
    PROCESSENTRY32 pe;

    pe.dwSize = sizeof(PROCESSENTRY32);
    hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, NULL);

    Process32First(hSnapShot, &pe);
    do
    {
        dwPID = pe.th32ProcessID;

        // `continue` inside do/while jumps to the Process32Next condition, so the loop still advances.
        if (dwPID < 100)
            continue;

        if (nMode == INJECTION_MODE)
            InjectDll(dwPID, szDllPath);
        else
            EjectDll(dwPID, szDllPath);
    } while (Process32Next(hSnapShot, &pe));

    CloseHandle(hSnapShot);
    return TRUE;
}

/* Command-line driver: HideProc.exe <-i|-e> <process id> <dll path>.
 * Enables SeDebugPrivilege (result ignored), loads the DLL into this process, calls its SetPid
 * export with the PID from argv[2], unloads it again, then runs InjectAllProcess over every
 * process in the system. hLib and setPid are not NULL-checked: a DLL without a SetPid export
 * (the IAT DLL shown on this page has none) makes the setPid call a NULL-function call.
 * _stricmp and atoi take char*, so argv[] being TCHAR* only compiles cleanly in a non-UNICODE
 * build. Returns 1 on a usage error, 0 otherwise. */
int _tmain(int argc, TCHAR* argv[])
{
    int nMode = INJECTION_MODE;
    HMODULE hLib = NULL;
    SetPid setPid = NULL;

    if (argc != 4)
    {
        printf("\n Usage : HideProc.exe <-i|-e> <process id> <dll path>\n\n");
        return 1;
    }
    // Enable SeDebugPrivilege so OpenProcess can succeed on processes this user would
    // otherwise lack access to; the return value is not checked.
    SetPrivilege(SE_DEBUG_NAME, TRUE);

    // Load the DLL locally only to hand it the PID through its SetPid export.
    hLib = LoadLibrary(argv[3]);

    setPid = (SetPid)GetProcAddress(hLib, "SetPid");
    setPid((DWORD)atoi(argv[2]));
    FreeLibrary(hLib);

    if (!_stricmp(argv[1], "-e"))
        nMode = EJECTION_MODE;

    InjectAllProcess(nMode, argv[3]);

    return 0;
}

MessageBoxA靶子程序

#include <stdio.h>
#include <Windows.h>

void main() {
MessageBoxA(0, "testtext", "testtitle", 0);

}

