Thema: WS_32 Hook nicht auf XP?

Einzelnen Beitrag anzeigen

Snify

Registriert seit: 17. Mai 2012
6 Beiträge
 
#3

AW: WS_32 Hook nicht auf XP?

  Alt 26. Mär 2013, 15:56
Das kann wirklich daran liegen das ws2_32.dll noch nicht geladen wurde...
Ich habs jetzt nochmal probiert auf Win7. Es liegt daran dass der hook nicht anschlaegt wenn GetProcAddress(LoadLibraryA('ws2_32.dll'), 'connect') aufgerufen wird. :/

Ich mach das jetzt so aber immer noch nichts
Das ist mein Loader (um eine .exe zu starten mit nem Hook)

markieren
Code:
program Loader;

{$APPTYPE CONSOLE}

uses
  Windows;

type
  TRemoteInfo = record
  LoadLibraryA : function (lpLibFileName: PAnsiChar): HMODULE; stdcall;
  ReturnAddress : pointer;
end;

var
  SI               : TStartupInfo;
  PI               : TProcessInformation;
  Name             : String;
  CT               : TContext;
  ShellPointer     : Pointer;
  BytesWritten     : DWORD;
  RemoteInfo       : TRemoteInfo;
  ParameterPointer : Pointer;


function InjectLibrary(lpProcessID: Cardinal; lpDllname: WideString):LongBool;
var
  hProc: Cardinal;
  oAlloc: Pointer;
  cWPM: Cardinal;
  hRemThread: Cardinal;
begin
  result := false;
  SetLastError(ERROR_SUCCESS);
  hProc := OpenProcess(PROCESS_ALL_ACCESS, false, lpProcessID);
  if hProc <> 0 then
  begin
    oAlloc := VirtualAllocEx(hProc, nil, (length(lpDllname) * 2) + 1,
    MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if oAlloc <> nil then
    begin
      if WriteProcessMemory(hProc, oAlloc, pwidechar(lpDllName), (length(lpDllname) * 2) + 1,
      cWPM) = true then
      begin
        CreateRemoteThread(hProc, nil, 0,
        GetProcAddress(GetModuleHandle('kernel32.dll'), 'LoadLibraryW'),
        oAlloc, 0, hRemThread);
        if GetLastError = ERROR_SUCCESS then
        begin
          result := true;
        end;
      end;
    end;
  end;
  CloseHandle(hProc);
end;

function TheThread ( p : pointer ) : Integer; stdcall;
var
  Address : Pointer;
  ws2_32  : array [0..6] of char;
begin
  ws2_32[0] := 'w';
  ws2_32[1] := 's';
  ws2_32[2] := '2';
  ws2_32[3] := '_';
  ws2_32[4] := '3';
  ws2_32[5] := '2';
  ws2_32[6] := #0;
  Address := TRemoteInfo(p^).ReturnAddress;
  TRemoteInfo(p^).LoadLibraryA (ws2_32);
  asm
    jmp Address;
  end;
end;

begin
  writeln ('Type in your filename:');
  readln (name);
  FillChar(SI, SizeOf(TStartupInfo), #0);
  FillChar(PI, SizeOf(TProcessInformation), #0);
  SI.cb := SizeOf(TStartupInfo);
  if CreateProcessW(pwidechar(WideString(Name)), NIL, nil, nil, FALSE, CREATE_SUSPENDED, nil, NIL, SI, PI) then begin
     CT.ContextFlags := CONTEXT_FULL;
     if GetThreadContext(PI.hThread, CT) then begin
      RemoteInfo.ReturnAddress := Pointer(CT.EAX);
      RemoteInfo.LoadLibraryA := GetProcAddress(LoadLibraryA('kernel32'), 'LoadLibraryA');
      ShellPointer := VirtualAllocEx (PI.hProcess, NIL, 95, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
      WriteProcessMemory (PI.hProcess, ShellPointer, @TheThread, 95, BytesWritten);
      ParameterPointer := VirtualAllocEx (PI.hProcess, NIL, SizeOf(TRemoteInfo), MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
      WriteProcessMemory (PI.hProcess, ParameterPointer, @RemoteInfo, SizeOf(TRemoteInfo), BytesWritten);
      CT.Ebx := DWORD(ParameterPointer);
      CT.Eax := DWORD(ShellPointer);
      SetThreadContext(PI.hThread, CT);
     end;
    InjectLibrary (PI.dwProcessId, 'hook.dll');
  end;
end.
Meine Hook.dll:

markieren
Code:
library hook;

uses
  SysUtils,
  Windows,
  afxcodehook,
  tlhelp32,
  Winsock,
  Classes;

  var
    connectCritSect : TRTLCriticalSection;
  o_connect : function (s: Integer;
  const name: sockaddr_in; namelen: Integer):Integer;stdcall;
 
    function OpenThread (dwDesiredAccess: DWORD; bInheritHandle: Bool;
  dwThreadId: DWORD) : DWORD; stdcall; external kernel32;

function ResumeThreads(PID:Cardinal): Boolean;
var
  SnapProcHandle: THandle;
  NextProc     : Boolean;
  TThreadEntry : TThreadEntry32;
  hThread : DWORD;
begin
  SnapProcHandle := CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
  Result := (SnapProcHandle <> INVALID_HANDLE_VALUE);
  if Result then
  try
    TThreadEntry.dwSize := SizeOf(TThreadEntry);
    NextProc := Thread32First(SnapProcHandle, TThreadEntry);
    while NextProc do begin
      if TThreadEntry.th32OwnerProcessID = PID then begin
        hThread := OpenThread ($00100000 or $0002, false,
        TThreadEntry.th32ThreadID);
        ResumeThread (hThread);
        CloseHandle (hThread);
      end;
      NextProc := Thread32Next(SnapProcHandle, TThreadEntry);
    end;
  finally
    CloseHandle(SnapProcHandle);
  end;
end;

function h_connect (s: Integer; const name: sockaddr_in;
namelen: Integer):Integer;stdcall;
begin
  Messageboxa (0, 'Someone called connect!','',0);
  //EnterCriticalSection (ConnectCritSect);
  //UnhookCode (@o_connect)
  //result := SOCKET_ERROR;
  //HookCode('ws2_32.dll', 'connect', @h_connect, @o_connect);
  LeaveCriticalSection (ConnectCritSect);
end;

procedure DllMain(fdwReason: Cardinal);
begin
  case fdwReason of
    DLL_PROCESS_ATTACH: begin
      InitializeCriticalSection(connectCritSect);
      if not(HookCode('ws2_32.dll', 'connect', @h_connect, @o_connect)) then begin
        MessageBoxA (0, 'connect ERROR', 'ERROR', 16);
        ExitProcess (0);
      end;
       ResumeThreads (GetCurrentProcessId);
    end;
    DLL_PROCESS_DETACH: begin
      UnhookCode (@o_connect);
      DeleteCriticalSection (connectCritSect);
    end;
  end;
end;

begin
  DllProc := @DllMain;
  DllMain(DLL_PROCESS_ATTACH);
end.
TestApplication1: (ohne IAT Eintrag, funktioniert nicht :/)

markieren
Code:
program Project1;

{$APPTYPE CONSOLE}

uses
  Windows;

type
  SunB = packed record
    s_b1, s_b2, s_b3, s_b4: char;
  end;
  SunW = packed record
    s_w1, s_w2: Word;
  end;


  in_addr = record
    case integer of
      0: (S_un_b: SunB);
      1: (S_un_w: SunW);
      2: (S_addr: Longint);
  end;
  sockaddr_in = record
    case Integer of
      0: (sin_family: Word;
          sin_port: Word;
          sin_addr: in_addr;
          sin_zero: array[0..7] of Char);
      1: (sa_family: Word;
          sa_data: array[0..13] of Char)
  end;

var
 connect : function(s: Integer; var name: sockaddr_in; namelen: Integer): Integer; stdcall;
 test : sockaddr_in;

begin
  connect := GetProcAddress(LoadLibraryA('ws2_32.dll'), 'connect');
  //connect := GetProcAddress(GetModuleHandle('ws2_32.dll'), 'connect');
  connect (0, test, 0);
  while true do begin
    sleep (100);
  end;
end.
TestApplication2:

markieren
Code:
program Project2;
{$APPTYPE CONSOLE}
uses
  Winsock,
  Windows;

  var
    test : TSockAddr;

begin
  Connect (0, test, 0);
  while true do begin
    sleep (100);
  end;
end.
Geändert von Snify (26. Mär 2013 um 16:17 Uhr)
  Mit Zitat antworten Zitat