







WS_32 Hook nicht auf XP?

Ein Thema von Snify · begonnen am 25. Mär 2013 · letzter Beitrag vom 26. Mär 2013
 
Snify

Registriert seit: 17. Mai 2012
6 Beiträge
 
#3

AW: WS_32 Hook nicht auf XP?

  Alt 26. Mär 2013, 14:56
Das kann wirklich daran liegen, dass ws2_32.dll noch nicht geladen wurde...
Ich hab's jetzt nochmal auf Win7 probiert. Es liegt daran, dass der Hook nicht anschlägt, wenn GetProcAddress(LoadLibraryA('ws2_32.dll'), 'connect') aufgerufen wird. :/

Ich mache es jetzt so, aber es passiert immer noch nichts.
Das ist mein Loader (um eine .exe mit einem Hook zu starten):

Code:
program Loader;

{$APPTYPE CONSOLE}

uses
  Windows;

type
  // Parameter block that the loader copies into the new process (see the
  // main block below) and that TheThread dereferences through its p argument.
  TRemoteInfo = record
  // kernel32!LoadLibraryA as resolved in the loader's own address space; the
  // stub calls it to load ws2_32.dll inside the target.
  LoadLibraryA : function (lpLibFileName: PAnsiChar): HMODULE; stdcall;
  // EAX of the suspended primary thread at creation time; the stub jumps here
  // when it is done (presumably the original entry address -- TODO confirm
  // for the target OS version).
  ReturnAddress : pointer;
end;

var
  SI               : TStartupInfo;         // zeroed, cb set, passed to CreateProcessW
  PI               : TProcessInformation;  // child handles/IDs; never closed in this program
  Name             : String;               // executable path typed by the user
  CT               : TContext;             // primary thread context, read and then rewritten
  ShellPointer     : Pointer;              // remote RWX buffer holding a copy of TheThread
  BytesWritten     : DWORD;                // WriteProcessMemory out-param; value never read
  RemoteInfo       : TRemoteInfo;          // local copy of the parameter block
  ParameterPointer : Pointer;              // remote copy of RemoteInfo


// Loads lpDllname into process lpProcessID: writes the UTF-16 path into
// freshly allocated remote memory and starts a remote thread at
// kernel32!LoadLibraryW with that buffer as its argument. Returns True only
// when GetLastError is still ERROR_SUCCESS after CreateRemoteThread; every
// earlier failure leaves Result False.
// NOTE(review): remote RWX allocation + CreateRemoteThread -> LoadLibrary
// from a PROCESS_ALL_ACCESS handle is the sequence endpoint monitoring
// typically reports; nothing here is hidden from such tooling.
function InjectLibrary(lpProcessID: Cardinal; lpDllname: WideString):LongBool;
var
  hProc: Cardinal;       // target process handle, 0 on failure
  oAlloc: Pointer;       // remote buffer for the DLL path
  cWPM: Cardinal;        // bytes written; never inspected
  hRemThread: Cardinal;  // receives the remote thread *ID* (last parameter of
                         // CreateRemoteThread); the thread handle returned by
                         // the call is discarded and never closed
begin
  result := false;
  SetLastError(ERROR_SUCCESS);
  hProc := OpenProcess(PROCESS_ALL_ACCESS, false, lpProcessID);
  if hProc <> 0 then
  begin
    // (Length*2)+1 bytes is one byte short of the two-byte UTF-16 terminator;
    // presumably the zero-initialized committed page supplies the missing
    // byte. PAGE_EXECUTE_READWRITE is more than a path buffer needs.
    oAlloc := VirtualAllocEx(hProc, nil, (length(lpDllname) * 2) + 1,
    MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if oAlloc <> nil then
    begin
      if WriteProcessMemory(hProc, oAlloc, pwidechar(lpDllName), (length(lpDllname) * 2) + 1,
      cWPM) = true then
      begin
        // The return value (thread handle) is ignored; success is inferred
        // from the thread's last-error value instead.
        CreateRemoteThread(hProc, nil, 0,
        GetProcAddress(GetModuleHandle('kernel32.dll'), 'LoadLibraryW'),
        oAlloc, 0, hRemThread);
        if GetLastError = ERROR_SUCCESS then
        begin
          result := true;
        end;
      end;
    end;
  end;
  // Runs even when OpenProcess failed (hProc = 0).
  CloseHandle(hProc);
end;

// Stub whose compiled bytes are copied verbatim into the target (95 bytes,
// see the main block) and pointed at by the suspended primary thread's EAX.
// It loads ws2_32.dll through the LoadLibraryA pointer in the parameter
// block, then jumps to the saved ReturnAddress. Nothing after the jmp runs,
// and the declared Integer result is never assigned.
function TheThread ( p : pointer ) : Integer; stdcall;
var
  Address : Pointer;
  ws2_32  : array [0..6] of char;  // "ws2_32" + #0, built on the stack
                                   // NOTE(review): Char must be one byte here
                                   // (AnsiChar) to match the PAnsiChar parameter
begin
  // Assembled one character at a time, presumably so the copied code holds no
  // pointer into the loader's own image (only the code bytes are copied).
  ws2_32[0] := 'w';
  ws2_32[1] := 's';
  ws2_32[2] := '2';
  ws2_32[3] := '_';
  ws2_32[4] := '3';
  ws2_32[5] := '2';
  ws2_32[6] := #0;
  Address := TRemoteInfo(p^).ReturnAddress;
  TRemoteInfo(p^).LoadLibraryA (ws2_32);
  // A jump, not a return: whatever frame the compiler set up for this
  // function is left in place. NOTE(review): confirm the target's entry code
  // tolerates the stack/EBP state it finds.
  asm
    jmp Address;
  end;
end;

// Entry point: starts the user-named executable suspended, rewrites its
// primary thread so that a copy of TheThread runs before the program's own
// code, and then injects hook.dll. The primary thread is never resumed in
// this program; hook.dll's ResumeThreads appears to be what is meant to do
// that. None of the remote alloc/write/context calls are checked for failure.
begin
  writeln ('Type in your filename:');
  readln (name);
  FillChar(SI, SizeOf(TStartupInfo), #0);
  FillChar(PI, SizeOf(TProcessInformation), #0);
  SI.cb := SizeOf(TStartupInfo);
  // The path is used as lpApplicationName verbatim (no command line, no quoting).
  if CreateProcessW(pwidechar(WideString(Name)), NIL, nil, nil, FALSE, CREATE_SUSPENDED, nil, NIL, SI, PI) then begin
     CT.ContextFlags := CONTEXT_FULL;
     if GetThreadContext(PI.hThread, CT) then begin
      // EAX of the freshly created suspended thread -- presumably the start
      // address (TODO confirm); it is what the stub jumps back to.
      RemoteInfo.ReturnAddress := Pointer(CT.EAX);
      // Resolved locally and reused inside the target. NOTE(review): relies
      // on kernel32 being mapped at the same base in both processes.
      RemoteInfo.LoadLibraryA := GetProcAddress(LoadLibraryA('kernel32'), 'LoadLibraryA');
      // 95 is a hard-coded size for TheThread's compiled code; a larger build
      // would be copied truncated.
      ShellPointer := VirtualAllocEx (PI.hProcess, NIL, 95, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
      WriteProcessMemory (PI.hProcess, ShellPointer, @TheThread, 95, BytesWritten);
      ParameterPointer := VirtualAllocEx (PI.hProcess, NIL, SizeOf(TRemoteInfo), MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
      WriteProcessMemory (PI.hProcess, ParameterPointer, @RemoteInfo, SizeOf(TRemoteInfo), BytesWritten);
      // EBX carries the parameter block, EAX the stub; how EBX ends up as the
      // stub's p argument is not visible in this listing.
      CT.Ebx := DWORD(ParameterPointer);
      CT.Eax := DWORD(ShellPointer);
      SetThreadContext(PI.hThread, CT);
     end;
    InjectLibrary (PI.dwProcessId, 'hook.dll');
  end;
  // PI.hProcess / PI.hThread are never closed.
end.
Meine Hook.dll:

Code:
library hook;

uses
  SysUtils,
  Windows,
  afxcodehook,
  tlhelp32,
  Winsock,
  Classes;

  var
    // Guards the hook body; created and deleted in DllMain.
    connectCritSect : TRTLCriticalSection;
  // Receives whatever HookCode stores at @o_connect in DllMain (presumably a
  // way to reach the original connect); h_connect never calls it.
  o_connect : function (s: Integer;
  const name: sockaddr_in; namelen: Integer):Integer;stdcall;
 
    // Declared by hand against kernel32 (presumably absent from this Delphi
    // version's Windows unit). Returns DWORD rather than THandle.
    function OpenThread (dwDesiredAccess: DWORD; bInheritHandle: Bool;
  dwThreadId: DWORD) : DWORD; stdcall; external kernel32;

// Calls ResumeThread once on every thread owned by process PID (each suspend
// count is decremented by one, not cleared). Result reports only whether the
// thread snapshot could be taken, not whether any thread was resumed.
function ResumeThreads(PID:Cardinal): Boolean;
var
  SnapProcHandle: THandle;       // system-wide thread snapshot
  NextProc     : Boolean;        // Thread32First/Next success flag
  TThreadEntry : TThreadEntry32; // current snapshot entry (a variable, despite the T prefix)
  hThread : DWORD;               // per-thread handle; 0 if OpenThread fails
begin
  // TH32CS_SNAPTHREAD lists all threads in the system; the PID argument is
  // ignored for this flag, hence the filter in the loop.
  SnapProcHandle := CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
  Result := (SnapProcHandle <> INVALID_HANDLE_VALUE);
  if Result then
  try
    TThreadEntry.dwSize := SizeOf(TThreadEntry);
    NextProc := Thread32First(SnapProcHandle, TThreadEntry);
    while NextProc do begin
      if TThreadEntry.th32OwnerProcessID = PID then begin
        // $00100000 = SYNCHRONIZE, $0002 = THREAD_SUSPEND_RESUME.
        hThread := OpenThread ($00100000 or $0002, false,
        TThreadEntry.th32ThreadID);
        // NOTE(review): a failed OpenThread (0) is not checked; ResumeThread
        // and CloseHandle are then called on an invalid handle.
        ResumeThread (hThread);
        CloseHandle (hThread);
      end;
      NextProc := Thread32Next(SnapProcHandle, TThreadEntry);
    end;
  finally
    CloseHandle(SnapProcHandle);
  end;
end;

// Replacement installed over ws2_32!connect by DllMain; matches connect's
// stdcall signature so it can be patched in place of the original.
// NOTE(review): Result is never assigned, the original (o_connect) is never
// called, and LeaveCriticalSection runs without a matching Enter (the Enter
// is commented out) -- unbalanced critical-section use is undefined. The
// MessageBox also blocks the thread that tried to connect.
function h_connect (s: Integer; const name: sockaddr_in;
namelen: Integer):Integer;stdcall;
begin
  Messageboxa (0, 'Someone called connect!','',0);
  //EnterCriticalSection (ConnectCritSect);
  //UnhookCode (@o_connect)
  //result := SOCKET_ERROR;
  //HookCode('ws2_32.dll', 'connect', @h_connect, @o_connect);
  LeaveCriticalSection (ConnectCritSect);
end;

// Attach/detach handler; DllProc is pointed here in the initialization block.
// DLL_PROCESS_ATTACH: creates the critical section, patches ws2_32!connect
// with h_connect via HookCode (afxcodehook unit, not shown), terminates the
// whole host process with ExitProcess(0) if the hook cannot be installed, and
// then resumes every thread of the current process (the loader leaves the
// primary thread suspended). DLL_PROCESS_DETACH removes the hook and deletes
// the critical section. Thread attach/detach reasons are ignored.
// NOTE(review): MessageBox, ExitProcess and ResumeThreads all run while the
// DLL is still being attached -- presumably under the loader lock; confirm.
procedure DllMain(fdwReason: Cardinal);
begin
  case fdwReason of
    DLL_PROCESS_ATTACH: begin
      InitializeCriticalSection(connectCritSect);
      if not(HookCode('ws2_32.dll', 'connect', @h_connect, @o_connect)) then begin
        MessageBoxA (0, 'connect ERROR', 'ERROR', 16);
        ExitProcess (0);
      end;
       ResumeThreads (GetCurrentProcessId);
    end;
    DLL_PROCESS_DETACH: begin
      UnhookCode (@o_connect);
      DeleteCriticalSection (connectCritSect);
    end;
  end;
end;

// Library initialization: route later attach/detach notifications to DllMain
// and run the attach case by hand, since the initial DLL_PROCESS_ATTACH has
// already been consumed by the time DllProc is assigned (the usual Delphi
// pattern). This is therefore where the hook is installed on load.
begin
  DllProc := @DllMain;
  DllMain(DLL_PROCESS_ATTACH);
end.
TestApplication1 (ohne IAT-Eintrag, funktioniert nicht :/):

Code:
program Project1;

{$APPTYPE CONSOLE}

uses
  Windows;

type
  // Hand-written copies of the Winsock in_addr / sockaddr_in layouts, so the
  // program can call connect without the Winsock unit and therefore without a
  // static ws2_32 import -- which is the point of this test.
  SunB = packed record
    s_b1, s_b2, s_b3, s_b4: char;  // NOTE(review): Char must be one byte (AnsiChar) here
  end;
  SunW = packed record
    s_w1, s_w2: Word;
  end;


  // NOTE(review): in_addr and sockaddr_in are not packed, unlike SunB/SunW;
  // with Word/Longint fields the default alignment presumably still yields
  // the 16-byte Winsock layout -- confirm.
  in_addr = record
    case integer of
      0: (S_un_b: SunB);
      1: (S_un_w: SunW);
      2: (S_addr: Longint);
  end;
  sockaddr_in = record
    case Integer of
      0: (sin_family: Word;
          sin_port: Word;
          sin_addr: in_addr;
          sin_zero: array[0..7] of Char);
      1: (sa_family: Word;
          sa_data: array[0..13] of Char)
  end;

var
 // Resolved at run time in the main block; stays nil if GetProcAddress fails
 // (the result is not checked before the call).
 connect : function(s: Integer; var name: sockaddr_in; namelen: Integer): Integer; stdcall;
 // Global, hence zero-initialized; passed as a dummy address.
 test : sockaddr_in;

// Test entry point: fetch connect dynamically (LoadLibraryA rather than a
// static import), call it once with socket 0 and the zeroed address, then
// idle forever so the process stays alive for inspection.
begin
  connect := GetProcAddress(LoadLibraryA('ws2_32.dll'), 'connect');
  // alternative the author tried: resolve from an already-loaded module
  //connect := GetProcAddress(GetModuleHandle('ws2_32.dll'), 'connect');
  connect(0, test, 0);
  repeat
    Sleep(100);
  until False;
end.
TestApplication2:

Code:
program Project2;
{$APPTYPE CONSOLE}
uses
  Winsock,
  Windows;

  var
    // Global, hence zero-initialized; passed to Connect as a dummy address.
    test : TSockAddr;

// Test entry point: call connect through the Winsock unit's declaration
// (static ws2_32 import) once with socket 0 and the zeroed address, then
// idle forever so the process stays alive for inspection.
begin
  Connect(0, test, 0);
  repeat
    Sleep(100);
  until False;
end.

Geändert von Snify (26. Mär 2013 um 15:17 Uhr)