X64-Hook.asm
; X64-Hook.asm — MASM (ml64) source, Intel syntax, Microsoft x64 calling convention.
; These imports are used only by the injector side of the file (MsgBox / Inject / Main).
; The copied region (Inject_Code_Start..Inject_Code_End) reaches the Win32 API only
; through the g_pfn* pointer slots in MyData, which Inject fills in before the bytes
; are written into the target with WriteProcessMemory.
extern MessageBoxA: proc
extern LoadLibraryA: proc
extern GetProcAddress: proc
extern VirtualProtect: proc
extern FreeLibrary: proc
extern FindWindowA: proc
extern GetWindowThreadProcessId : proc
extern OpenProcess: proc
extern VirtualAllocEx: proc
; NOTE(review): VirtualAllocEx is declared twice (see the line above); presumably
; accepted by ml64 since the repository built, but it is redundant.
extern VirtualAllocEx: proc
extern WriteProcessMemory: proc
extern CreateRemoteThread: proc
extern VirtualFreeEx: proc      ; referenced only from commented-out code in Inject
extern Sleep: proc              ; referenced only from commented-out code in Inject
includelib user32.lib
includelib Kernel32.lib
;=============================================================
; Win32 constants used below.
MB_OK equ 0
MB_YESNO equ 4
IDOK equ 1                      ; not referenced anywhere in this file
IDYES equ 6
NULL equ 0
INVALID_HANDLE_VALUE equ -1     ; not referenced anywhere in this file
PAGE_EXECUTE_READWRITE equ 40h
PROCESS_ALL_ACCESS equ 1f0fffH  ; access mask Inject requests from OpenProcess
FALSE equ 0
MEM_COMMIT equ 1000h
MEM_RELEASE equ 8000h           ; used only by the commented-out VirtualFreeEx call in Inject
; NOTE(review): PAGE_EXECUTE_READWRITE is defined a second time here with the same value.
PAGE_EXECUTE_READWRITE equ 40h
;=============================================================
.data
; Injector-side strings. They live in .data, outside Inject_Code_Start..Inject_Code_End,
; so they are never copied into the target process.
g_szText db '是否注入?', 0        ; Chinese: "Inject?" — MB_YESNO prompt shown by Main
g_szCaption db 'Inject', 0
g_szSucceed db 'Hook成功', 0      ; Chinese: "Hook succeeded" — shown by Main
g_szCalc db 'CalcFrame', 0        ; window class name passed to FindWindowA in Inject
g_szKernel32 db 'Kernel32.dll' ,0
g_szLoadLib db 'LoadLibraryA', 0
g_szGetProc db 'GetProcAddress', 0
g_szVirtualProtect db 'VirtualProtect', 0
g_szErr db 'Error', 0             ; MsgBox uses it as both text and caption
.code
; Inject_Code_Start..Inject_Code_End is copied byte-for-byte into the target process
; by Inject (WriteProcessMemory) and started there with CreateRemoteThread, whose start
; address is the copy of this label. Running at a different address only works if every
; reference inside the region assembles RIP-relative — TODO confirm in a listing,
; in particular the `lea ..., offset sym` forms in MyLoadLib / MyGetPorc.
Inject_Code_Start:
jmp RemoteMain
;-----------------------------------------------------------------------
; MyHookApi — detour body for the patched ShellAboutW (the patch is applied by
; RemoteMain). It is never called directly: the 6-byte `call qword ptr [rip-0Fh]`
; written over the target's first instructions transfers here, so on entry [rsp]
; holds the address just after that call (entry+6) and the target's own argument
; registers and return address are still intact.
; Registers: r15 = return address into the target. r15 is callee-saved under the
; Microsoft x64 ABI and this stub does not preserve its previous value.
; Stack on exit: the four pushes and the `sub rsp,68H` are deliberately left in
; place (they stand in for the target prologue that the patch overwrote).
;-----------------------------------------------------------------------
MyHookApi proc
; take the stub's return address (entry+6) off the stack
pop r15
; "original code": appears to replay the 9 bytes of the target prologue that the
; patch clobbered (push rbx/rbp/rsi/rdi ... sub rsp,68H) — TODO confirm against the
; target's disassembly; a mismatch here corrupts the hooked function's frame.
push rbx
push rbp
push rsi
push rdi
; preserve the target's integer argument registers around the MessageBox call
push rcx
push rdx
push r8
push r9
; keep the return address on the stack as well
push r15
; hook payload: MessageBoxA(NULL, g_szHello, g_szTitle, MB_OK) via the pointer slot
; that RemoteMain filled. 30h = 20h shadow space + 10h, presumably to keep rsp
; 16-byte aligned at the call.
sub rsp, 30h
mov rcx, 0
lea rdx, g_szHello
lea r8, g_szTitle
mov r9, MB_OK
call g_pfnMsgBoxA
add rsp, 30h
; recover the return address
pop r15
;mov r15, [rsp]
; restore the target's arguments
pop r9
pop r8
pop rdx
pop rcx
; tail of the replayed prologue (the four pushes above stay on the stack)
sub rsp,68H
; resume the original API just past the patched call
jmp r15
MyHookApi endp
;-----------------------------------------------------------------------
; MyLoadLib — runs inside the target process.
; In:  rcx = address of a QWORD that receives the HMODULE of user32.dll
;      rdx = address of a QWORD that receives the HMODULE of Shell32.dll
; Out: rax = 1 on success; otherwise rax is the 0 that g_pfnLoadLibrary returned
;      (the user32 slot may already be written when the Shell32 load fails).
; LoadLibraryA is reached only through g_pfnLoadLibrary, the pointer Inject stored in MyData.
; Clobbers r15 (callee-saved under the MS x64 ABI) as scratch.
; Stack: ml64 generates a frame for the LOCAL variables; the 28h below is presumably
; the 20h shadow space plus 8 bytes to keep rsp 16-aligned at the calls.
;-----------------------------------------------------------------------
MyLoadLib proc
LOCAL @hUser32:QWORD
LOCAL @hShell32:QWORD
; stash the two out-pointers before rcx/rdx are reused as call arguments
mov @hUser32, rcx
mov @hShell32, rdx
sub rsp, 28h
; user32.dll handle
lea rcx, offset g_szUser32
call g_pfnLoadLibrary
cmp rax, NULL
jnz @F
JMP MyLoadLib_Safe_Ret
@@:
mov r15, @hUser32
mov [r15], rax
; Shell32.dll handle
lea rcx, offset g_szShell32
call g_pfnLoadLibrary
cmp rax, NULL
jnz @F
JMP MyLoadLib_Safe_Ret
@@:
mov r15, @hShell32
mov [r15], rax
mov rax, 1
MyLoadLib_Safe_Ret:
add rsp, 28h
ret
MyLoadLib endp
;-----------------------------------------------------------------------
; MyGetPorc (sic) — resolves the two exports the hook needs; runs inside the target.
; In:  rcx = HMODULE of user32, rdx = HMODULE of Shell32
;      r8  = address of a QWORD that receives &ShellAboutW
;      r9  = address of a QWORD that receives &MessageBoxA
; Out: rax = 1 on success; otherwise the 0 that g_pfnGetProcAddr returned
;      (MessageBoxA is resolved first, so its slot may be filled when ShellAboutW fails).
; GetProcAddress is reached only through g_pfnGetProcAddr, filled by Inject.
; Clobbers r15 (callee-saved under the MS x64 ABI) as scratch.
; Stack: ml64 frames the LOCALs; 28h = shadow space + alignment (as in MyLoadLib).
;-----------------------------------------------------------------------
MyGetPorc proc
LOCAL @hUser32: QWORD
LOCAL @hShell32: QWORD
LOCAL @lpShellAbout: QWORD
LOCAL @lpMsgBox: QWORD
; stash the arguments before the registers are reused for the calls
mov @hUser32, rcx
mov @hShell32, rdx
mov @lpShellAbout, r8
mov @lpMsgBox, r9
sub rsp, 28h
; GetProcAddress(hUser32, "MessageBoxA")
mov rcx, @hUser32
lea rdx, offset g_szMsgBoxA
call g_pfnGetProcAddr
cmp rax, NULL
jnz @F
JMP MyGetPorc_Safe_Ret
@@:
mov r15, @lpMsgBox
mov [r15], rax
; GetProcAddress(hShell32, "ShellAboutW")
mov rcx, @hShell32
lea rdx, offset g_szShellAboutW
call g_pfnGetProcAddr
cmp rax, NULL
jnz @F
JMP MyGetPorc_Safe_Ret
@@:
mov r15, @lpShellAbout
mov [r15], rax
mov rax, 1
MyGetPorc_Safe_Ret:
add rsp, 28h
ret
MyGetPorc endp
;-----------------------------------------------------------------------
; RemoteMain — thread entry inside the target process (reached through the jmp at
; Inject_Code_Start, which is where CreateRemoteThread starts the thread).
; Out: rax = 1 when the patch was applied; otherwise the 0/NULL returned by the
;      step that failed.
; Steps: load user32/Shell32 → resolve MessageBoxA and ShellAboutW → store them in
; the g_pfn* slots of MyData → make 1000h bytes at ShellAboutW RWX → overwrite its
; first 9 bytes with g_ShellCode plus a NOP and put &MyHookApi in the 8 bytes just
; before the entry → restore the protection.
; All API calls go through g_pfnLoadLibrary / g_pfnGetProcAddr / g_pfnVirtualProtect,
; which Inject filled before the region was copied.
; Clobbers rbx (callee-saved under the MS x64 ABI) as scratch. The two "release DLL"
; branches at Safe_Ret contain no code, so user32/Shell32 keep the references
; taken here.
; Defender's note: this is an inline prologue patch of an exported function in a
; mapped system DLL. Hook scanners find it by diffing the in-memory image of shell32
; against the file on disk, and the VirtualProtect-to-RWX on a system-DLL code page
; that precedes it is itself a common detection trigger.
;-----------------------------------------------------------------------
RemoteMain proc
LOCAL @hUser32: QWORD
LOCAL @hShell32: QWORD
LOCAL @lpShellAbout: QWORD      ; written only by MyGetPorc on success
LOCAL @lpMsgBox: QWORD          ; written only by MyGetPorc on success
LOCAL @oldProtect: QWORD        ; PDWORD out-param of VirtualProtect (8 bytes reserved)
sub rsp, 28h                    ; shadow space + alignment (ml64 frames the LOCALs)
mov @hUser32, 0
mov @hShell32, 0
; MyLoadLib(&@hUser32, &@hShell32)
lea rcx, @hUser32
lea rdx, @hShell32
call MyLoadLib
cmp rax, 1
jz @F
jmp Safe_Ret
@@:
; MyGetPorc(hUser32, hShell32, &@lpShellAbout, &@lpMsgBox)
mov rcx, @hUser32
mov rdx, @hShell32
lea r8, @lpShellAbout
lea r9, @lpMsgBox
call MyGetPorc
cmp rax, 1
jz @F
jmp Safe_Ret
@@:
; VirtualProtect(MyData, Inject_Code_End - MyData, PAGE_EXECUTE_READWRITE, &@oldProtect)
; so the pointer slots can be written. NOTE(review): Inject allocated the whole
; copied region RWX with VirtualAllocEx, so this pair presumably changes nothing.
lea rcx, MyData
mov rdx, Inject_Code_End - MyData
mov r8, PAGE_EXECUTE_READWRITE
lea r9, @oldProtect
call g_pfnVirtualProtect
cmp rax, NULL
jnz @F
jmp Safe_Ret
@@:
; publish the resolved addresses (g_pfnMsgBoxA is what MyHookApi calls through;
; g_pfnShellAboutA is not read anywhere in this file)
mov rax, @lpMsgBox
lea rbx, g_pfnMsgBoxA
mov [rbx], rax
mov rax, @lpShellAbout
lea rbx, g_pfnShellAboutA
mov [rbx], rax
; restore the previous protection on MyData
lea rcx, MyData
mov rdx, Inject_Code_End - MyData
mov r8, @oldProtect
lea r9, @oldProtect
call g_pfnVirtualProtect
cmp rax, NULL
jnz @F
jmp Safe_Ret
@@:
; VirtualProtect(lpShellAbout, 1000h, PAGE_EXECUTE_READWRITE, &@oldProtect)
mov rcx, @lpShellAbout
mov rdx, 1000h
mov r8, PAGE_EXECUTE_READWRITE
lea r9, @oldProtect
call g_pfnVirtualProtect
cmp rax, NULL
jnz @F
jmp Safe_Ret
@@:
; apply the patch (an earlier HookApi helper is commented out)
;mov rcx, @lpShellAbout
;mov rdx, @lpMsgBox
;call HookApi
; entry[0..7] = FF 15 F1 FF FF FF 90 90 (call qword ptr [rip-0Fh]; nop; nop), entry[8] = 90h
mov rax, @lpShellAbout
lea rdx, g_ShellCode
mov rdx, [rdx]
mov QWORD ptr[rax], rdx
mov byte ptr[rax+8], 90h
; the pointer that call reads lives at entry+6-0Fh = entry-9, i.e. the 8 bytes just
; before the function. Presumably inter-function padding — nothing here checks that
; those bytes are unused, and the protected range above starts at the entry itself.
lea rdx, MyHookApi
sub rax, 9
mov QWORD ptr [rax], rdx
; restore the previous protection on the patched page(s)
mov rcx, @lpShellAbout
mov rdx, 1000h
mov r8, @oldProtect
lea r9, @oldProtect
call g_pfnVirtualProtect
cmp rax, NULL
jnz @F
jmp Safe_Ret
@@:
mov rax, 1
Safe_Ret:
cmp @hUser32, 0
jz @F
; release user32 — no code here
@@:
cmp @hShell32, 0
jz @F
; release Shell32 — no code here
@@:
add rsp, 28h
ret
RemoteMain endp
; MyData..Inject_Code_End: data that travels with the injected code. Inject writes the
; three kernel32 addresses here in its own process before the copy; RemoteMain fills
; g_pfnMsgBoxA / g_pfnShellAboutA after resolving them inside the target.
MyData:
g_pfnMsgBoxA QWORD 0            ; filled by RemoteMain; called through by MyHookApi
g_pfnShellAboutA QWORD 0        ; filled by RemoteMain; not read anywhere in this file
g_pfnVirtualProtect QWORD 0     ; filled by Inject
g_pfnLoadLibrary QWORD 0        ; filled by Inject
g_pfnGetProcAddr QWORD 0        ; filled by Inject
; 8 patch bytes; little-endian in memory they read FF 15 F1 FF FF FF 90 90 =
; `call qword ptr [rip-0Fh]` followed by two NOPs (RemoteMain adds a third at +8).
; Placed at the hooked function's entry, rip after the call is entry+6, so the call
; fetches its pointer from entry-9 — the slot RemoteMain fills with &MyHookApi.
g_ShellCode QWORD 9090FFFFFFF115FFH
;FF 15 F2 FF FF FF 90 90
; NOTE(review): the byte comment above says F2; the constant and the trace below use F1.
;000007FEFEA79448 | FF 15 F1 FF FF FF | call qword ptr ds:[7FEFEA7943F] |
;call qword ptr [0x7fefea7943f]
g_szHello db 'Hello', 0         ; MessageBox text shown by MyHookApi
g_szTitle db 'Inject', 0        ; MessageBox caption shown by MyHookApi
g_szMsgBoxA db 'MessageBoxA', 0         ; export names looked up by MyGetPorc
g_szShellAboutW db 'ShellAboutW', 0
g_szShell32 db 'Shell32.dll', 0         ; module names loaded by MyLoadLib
g_szUser32 db 'user32.dll', 0
Inject_Code_End:
;==========================================================================
; MsgBox — injector-side error reporter.
; In:  rcx = message text (every caller passes g_szErr, so text and caption are both "Error")
; Out: rax = MessageBoxA's return value
; Shows MessageBoxA(NULL, text, g_szErr, MB_OK) and then executes `int 3`.
; NOTE(review): `int 3` raises a breakpoint exception; with no debugger attached this
; presumably terminates the injector before the caller's Safe_Ret is ever reached —
; it looks like a debugging aid that was left in.
;==========================================================================
MsgBox proc
sub rsp, 28h                    ; shadow space + alignment
mov rdx, rcx                    ; lpText
mov r8, offset g_szErr          ; lpCaption
mov r9, MB_OK
xor rcx, rcx                    ; hWnd = NULL
call MessageBoxA
int 3
add rsp, 28h
ret
MsgBox endp
;-----------------------------------------------------------------------
; Inject — injector-side driver (runs in this process).
; Out: rax = 1 on success. On every failure path MsgBox is called first, so rax
;      then holds MessageBoxA's return value, not the failing API's 0 — note that
;      the explicit `xor rax, rax` after VirtualAllocEx runs *before* that call and
;      is overwritten too. Main treats any non-zero rax as success.
; Sequence: FindWindowA("CalcFrame") → LoadLibraryA(kernel32) → GetProcAddress for
; LoadLibraryA / GetProcAddress / VirtualProtect → store those addresses in MyData
; (inside this image's code section, hence the VirtualProtect pair) → FreeLibrary →
; GetWindowThreadProcessId → OpenProcess(PROCESS_ALL_ACCESS) → VirtualAllocEx 1000h RWX
; → WriteProcessMemory(Inject_Code_Start..Inject_Code_End) → CreateRemoteThread(lpBuff).
; Assumption: the kernel32 addresses resolved here are reused unchanged in the target,
; i.e. kernel32 is mapped at the same base in both processes — TODO confirm.
; Defender's note: OpenProcess with PROCESS_ALL_ACCESS on a foreign process followed by
; an RWX VirtualAllocEx, WriteProcessMemory and CreateRemoteThread is the textbook
; remote-thread injection chain — precisely the sequence that process-handle and
; remote-thread-creation telemetry on endpoints is built to surface.
; Clobbers rbx (callee-saved under the MS x64 ABI) as scratch for the size computation.
; Stack: ml64 frames the LOCALs; the 38h below is 20h shadow space plus three stack
; argument slots ([rsp+20h], [rsp+28h], [rsp+30h]) for the 5- and 7-argument calls.
;-----------------------------------------------------------------------
Inject proc
LOCAL @hCalc:QWORD              ; HWND from FindWindowA
LOCAL @qwPid :QWORD             ; DWORD out-param of GetWindowThreadProcessId (8 bytes reserved)
LOCAL @hProcess :QWORD
LOCAL @lpBuff :QWORD            ; remote buffer returned by VirtualAllocEx
LOCAL @hKernel: QWORD
LOCAL @oldProtect:QWORD         ; PDWORD out-param of VirtualProtect (8 bytes reserved)
LOCAL @lpLoadLibrary:QWORD
LOCAL @lpGetProc: QWORD
LOCAL @lpVirtualProtect :QWORD
sub rsp, 38h
; FindWindowA(g_szCalc, NULL) — locate the target window by class name
mov rcx, offset g_szCalc
mov rdx, NULL
call FindWindowA
cmp rax, NULL
jnz @F
mov rcx, offset g_szErr
call MsgBox
jmp Safe_Ret
@@:
mov @hCalc, rax
; LoadLibraryA(g_szKernel32)
mov rcx, offset g_szKernel32
call LoadLibraryA
cmp rax, NULL
jnz @F
mov rcx, offset g_szErr
call MsgBox
jmp Safe_Ret
@@:
mov @hKernel, rax
; GetProcAddress(hKernel, "LoadLibraryA")
mov rcx, @hKernel
mov rdx, offset g_szLoadLib
call GetProcAddress
cmp rax, NULL
jnz @F
mov rcx, offset g_szErr
call MsgBox
jmp Safe_Ret
@@:
mov @lpLoadLibrary, rax
; GetProcAddress(hKernel, "GetProcAddress")
mov rcx, @hKernel
mov rdx, offset g_szGetProc
call GetProcAddress
cmp rax, NULL
jnz @F
mov rcx, offset g_szErr
call MsgBox
jmp Safe_Ret
@@:
mov @lpGetProc, rax
; GetProcAddress(hKernel, "VirtualProtect")
mov rcx, @hKernel
mov rdx, offset g_szVirtualProtect
call GetProcAddress
cmp rax, NULL
jnz @F
mov rcx, offset g_szErr
call MsgBox
jmp Safe_Ret
@@:
mov @lpVirtualProtect, rax
; VirtualProtect(Inject_Code_Start, Inject_Code_End - Inject_Code_Start, RWX, &@oldProtect)
; the g_pfn* slots live in the code section, so it must be made writable first
mov rcx, offset Inject_Code_Start
mov rax, offset Inject_Code_End
mov rbx, offset Inject_Code_Start
sub rax, rbx
mov rdx, rax
mov r8, PAGE_EXECUTE_READWRITE
lea r9, @oldProtect
call VirtualProtect
cmp rax, NULL
jnz @F
mov rcx, offset g_szErr
call MsgBox
jmp Safe_Ret
@@:
; store the resolved kernel32 addresses into the region that will be copied
mov rax, @lpLoadLibrary
mov g_pfnLoadLibrary, rax
mov rax, @lpGetProc
mov g_pfnGetProcAddr, rax
mov rax, @lpVirtualProtect
mov g_pfnVirtualProtect, rax
; (saving the window handle into the region was removed; g_hCalc is not defined)
;mov rax, @hCalc
;mov g_hCalc, rax
; restore the previous protection on the region
mov rcx, offset Inject_Code_Start
mov rax, offset Inject_Code_End
mov rbx, offset Inject_Code_Start
sub rax, rbx
mov rdx, rax
mov r8, @oldProtect
lea r9, @oldProtect
call VirtualProtect
cmp rax, NULL
jnz @F
mov rcx, offset g_szErr
call MsgBox
jmp Safe_Ret
@@:
; FreeLibrary(hKernel) — drops the reference taken by LoadLibraryA above
mov rcx, @hKernel
call FreeLibrary
cmp rax, NULL
jnz @F
mov rcx, offset g_szErr
call MsgBox
jmp Safe_Ret
@@:
; GetWindowThreadProcessId(hCalc, &@qwPid)
mov rcx, @hCalc
lea rdx, @qwPid
call GetWindowThreadProcessId
cmp rax, NULL
jnz @F
mov rcx, offset g_szErr
call MsgBox
jmp Safe_Ret
@@:
; OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid)
mov rcx, PROCESS_ALL_ACCESS
mov rdx, FALSE
mov r8, @qwPid
call OpenProcess
cmp rax, NULL
jnz @F
mov rcx, offset g_szErr
call MsgBox
jmp Safe_Ret
@@:
mov @hProcess, rax
; VirtualAllocEx(hProcess, NULL, 1000h, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
; 5th argument goes in the first stack slot. The copied region must fit in
; 1000h bytes; nothing here checks that.
mov rcx, @hProcess
mov rdx, NULL
mov r8, 1000H
mov r9, MEM_COMMIT
mov qword ptr [rsp+20h], PAGE_EXECUTE_READWRITE
call VirtualAllocEx
cmp rax, NULL
jnz @F
xor rax, rax                    ; overwritten by the MsgBox call below
mov rcx, offset g_szErr
call MsgBox
jmp Safe_Ret
@@:
mov @lpBuff, rax
; WriteProcessMemory(hProcess, lpBuff, Inject_Code_Start, size, NULL)
mov rcx, @hProcess
mov rdx, @lpBuff
mov r8, offset Inject_Code_Start
mov rax, offset Inject_Code_End
mov rbx, offset Inject_Code_Start
sub rax, rbx
mov r9, rax
mov qword ptr [rsp+20h], NULL
call WriteProcessMemory
cmp rax, NULL
jnz @F
mov rcx, offset g_szErr
call MsgBox
jmp Safe_Ret
@@:
; CreateRemoteThread(hProcess, NULL, 0, lpBuff, NULL, 0, NULL)
; arguments 5..7 in the stack slots; the thread handle in rax is never closed here
mov rcx, @hProcess
mov rdx, NULL
mov r8, 0
mov r9, @lpBuff
mov qword ptr [rsp+20h], NULL
mov qword ptr [rsp+28h], 0
mov qword ptr [rsp+30h], NULL
call CreateRemoteThread
cmp rax, NULL
jnz @F
mov rcx, offset g_szErr
call MsgBox
jmp Safe_Ret
@@:
; Sleep + VirtualFreeEx of the remote buffer are commented out: the remote buffer
; stays allocated (the hook code keeps running from it), and @hProcess is not closed
;mov rcx, 5000
;call Sleep
;mov rcx, @hProcess
;mov rdx, @lpBuff
;mov r8, 1000h
;mov r9, MEM_RELEASE
;call VirtualFreeEx
;cmp rax, NULL
;jnz @F
; mov rcx, offset g_szErr
; call MsgBox
; jmp Safe_Ret
;@@:
mov rax, 1
Safe_Ret:
add rsp, 38h
ret
Inject endp
; @@ : anonymous label
; @F : the next anonymous label
; @B : the previous anonymous label
; Main — program entry point. Asks with a Yes/No box, runs Inject on IDYES and
; reports success when Inject returns non-zero. Always returns 0.
Main proc
sub rsp, 28h                    ; shadow space + alignment
;call Inject
;add rsp, 28h
;ret
; MessageBoxA(NULL, g_szText, g_szCaption, MB_YESNO)
xor rcx, rcx
mov rdx, offset g_szText
mov r8, offset g_szCaption
mov r9, MB_YESNO
call MessageBoxA
cmp rax, IDYES
jnz @F
call Inject                     ; only when the answer was IDYES
cmp rax, 0
jz @F
; non-zero from Inject: MessageBoxA(NULL, g_szSucceed, g_szCaption, MB_OK)
xor rcx, rcx
mov rdx, offset g_szSucceed
mov r8, offset g_szCaption
mov r9, MB_OK
call MessageBoxA
@@:
xor rax, rax                    ; exit code 0 regardless of outcome
add rsp, 28h
ret
Main endp
end