System-wide API hooking
I have to develop a program which can hook some functions in kernel32.dll and Advapi32.dll. For example, I have to change the functionality of some functions such as RegOpenKey(). Due to the fact that I cannot inject any code into the target process, because, when the target program is started, it first invokes that function; also I am forced not to inject any code into the target process.
Also, I must change this function for every currently running process and application (32-bit, console app, Win app) and those that will be run in the future.
I have read many, many articles about DLL injecting and DLL hooking but I have no idea how to overcome that.
So please help me and share your knowledge.
Comments (5)
The only option to intercept without injecting code is a kernel-mode driver. Registry drivers are easy to implement from Vista+, but you would need to do some SSDT registry hooking. The SSDT doesn't work with the same code in XP and Vista/W7, and it doesn't work at all in an x64 environment (hooking techniques are not allowed).
So you have to make a kernel-mode filter driver hooking the registry SSDT for XP, and CmRegisterCallback for Vista and W7 (more info).
Maybe you can look at Microsoft Detours.
For your need, you should write a kernel driver that can hook the required calls for which you want to change (or provide) extra functionality. For example: if you hook the write call, every program running on your machine (with a few probable exceptions that I think you should not bother about), whenever it calls for the write operation, your hooked function will be called with appropriate information about the calling process and some other info (generally referred to as callback data). Then you can do/add whatever you are thinking of from your hooked function. If you are using Windows XP SP3 and above, you can go for a filter driver, as it is easy to learn and implement in comparison to the legacy Windows driver. Although filter drivers have limitations, for your requirement they will fit perfectly.
For this your best bet is hot-patching; this is what MS use themselves to apply system-wide detours when functions have been patched through their update system.
As I understood from your description, you want to alter the behavior of a certain API. However, you didn't specify whether you want to change the data passed to such an API or simply ignore the request. In any case, for such a requirement the easiest and simplest solution is to write a mini-filter kernel driver. In this approach you will use CmRegisterCallbackEx and not CmRegisterCallback (as this one is obsolete) to register a callback to filter registry events. And then you can write your own callback functions which take care of each registry event you want to alter. Here is a simple snippet on how to write such a mini-filter kernel driver. Remember, you are still required to write the logic for either altering the API by simply denying the request or changing its contents. Remember, this is not your final solution. You need to write your own logic, as I mentioned earlier, for either denying access to a certain call by comparing the data returned to your own static data and then returning STATUS_ACCESS_DENIED, or altering the data structure holding the values and then passing it back. You will have to know that if you wish to alter any Open* event you would need to handle the Create* one first, because any Open* event has to be preceded by a Create* event first. On a side note, SSDT is not a preferable solution, as indexes change from one Windows version to another and from one Service Pack to another. It's unreliable in general and not recommended, at least for this simple task. Not to mention you would have problems getting that to work on x64 architecture.
EDIT: I forgot to mention this will only work starting from Vista+, so for this to work on Windows XP certain changes need to be made, as the Registry structure names will change as well as the Registry event names.
Here are some links also to get you started:
- CmRegisterCallbackEx (https://msdn.microsoft.com/en-us/library/windows/hardware/ff541921(v=vs.85).aspx)
- Windows WDK CmRegisterCallbackEx code sample (https://github.com/Microsoft/Windows-driver-samples/tree/master/general/registry)
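The part this answer leaves to the reader, the allow/deny decision inside the CmRegisterCallbackEx callback, as an added example that is not code from the answer or from Microsoft's registry sample. It evaluates the pre-create and pre-open notifications (both the XP-era and the Vista+ Ex variants, since an Open* event is preceded by a Create* event as the answer notes), denies access to a constructed protected key subtree by returning STATUS_ACCESS_DENIED, and rebuilds the absolute key path when the request arrived through a root handle, which is how a RegOpenKey(HKEY_LOCAL_MACHINE, ...) call reaches the callback: RootObject is set and CompleteName is relative to it. Post-notifications are never blocked. The kernel glue (DriverEntry, CmRegisterCallbackEx, the REG_* structures) is only sketched in a comment so the file compiles and runs in user mode; the enum values, the ExampleVendor key path and the precheck function names are assumptions made for the demo.

```c
/*
 * Added example (not from the answer or Microsoft's regfltr sample): the
 * allow/deny policy a CmRegisterCallbackEx callback would run on pre-create /
 * pre-open registry notifications. Kernel-specific parts are sketched in a
 * comment below so this compiles in user mode. The protected key is constructed.
 */
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* NTSTATUS codes returned to the configuration manager (values from ntstatus.h). */
#define STATUS_SUCCESS       0x00000000L
#define STATUS_ACCESS_DENIED 0xC0000022L

/* Stand-in for the REG_NOTIFY_CLASS members this policy looks at. Numeric values
 * are placeholders; a driver uses the wdm.h enum delivered as Argument1. */
typedef enum {
    RegNtPreCreateKey,     /* pre-create, XP-era notification                 */
    RegNtPreOpenKey,       /* pre-open, XP-era notification                   */
    RegNtPreCreateKeyEx,   /* pre-create, Vista+ (REG_CREATE_KEY_INFORMATION) */
    RegNtPreOpenKeyEx,     /* pre-open, Vista+ (REG_OPEN_KEY_INFORMATION)     */
    RegNtPostOpenKeyEx,    /* post-notifications cannot block: pass through   */
    RegNtOtherClass        /* everything else this demo does not filter       */
} RegNotifyClass;

/* Constructed for the demo: opens/creates of this key and its subkeys are denied. */
static const wchar_t PROTECTED_KEY[] =
    L"\\REGISTRY\\MACHINE\\SOFTWARE\\ExampleVendor\\Protected";

/* Registry paths are case-insensitive; fold ASCII letters before comparing. */
static wchar_t fold(wchar_t c)
{
    return (c >= L'a' && c <= L'z') ? (wchar_t)(c - (L'a' - L'A')) : c;
}

/* True when name[0..name_chars) equals PROTECTED_KEY or lies beneath it.
 * Like UNICODE_STRING.Buffer, name is not assumed to be NUL-terminated. */
static int under_protected_key(const wchar_t *name, size_t name_chars)
{
    size_t plen = wcslen(PROTECTED_KEY);
    if (name_chars < plen)
        return 0;
    for (size_t i = 0; i < plen; i++)
        if (fold(name[i]) != fold(PROTECTED_KEY[i]))
            return 0;
    /* Exact match, or the next character starts a subkey path ("...\Protected\Sub").
     * "...\ProtectedOther" shares the prefix but is a different key and is allowed. */
    return name_chars == plen || name[plen] == L'\\';
}

/*
 * Decide one notification.
 *   cls              REG_NOTIFY_CLASS from Argument1
 *   root/root_chars  full name of RootObject, or root == NULL when the request had
 *                    no root handle. RegOpenKey(HKEY_LOCAL_MACHINE, "SOFTWARE\\...")
 *                    arrives with RootObject set and CompleteName RELATIVE to it.
 *   name/name_chars  CompleteName.Buffer and CompleteName.Length / sizeof(WCHAR)
 * Returns the NTSTATUS the callback should return; STATUS_ACCESS_DENIED fails
 * the caller's RegOpenKey/RegCreateKey with that status.
 */
long registry_precheck(RegNotifyClass cls,
                       const wchar_t *root, size_t root_chars,
                       const wchar_t *name, size_t name_chars)
{
    wchar_t full[1024];

    switch (cls) {
    case RegNtPreCreateKey: case RegNtPreOpenKey:
    case RegNtPreCreateKeyEx: case RegNtPreOpenKeyEx:
        break;
    default:
        return STATUS_SUCCESS;   /* post-notifications and other classes are not filtered */
    }
    if (root != NULL) {
        /* Rebuild "<root>\<relative name>". Over-long paths are passed through rather
         * than denied so the filter never blocks what it could not evaluate (design choice). */
        if (root_chars + 1 + name_chars >= sizeof full / sizeof full[0])
            return STATUS_SUCCESS;
        wmemcpy(full, root, root_chars);
        full[root_chars] = L'\\';
        wmemcpy(full + root_chars + 1, name, name_chars);
        name = full;
        name_chars = root_chars + 1 + name_chars;
    }
    return under_protected_key(name, name_chars) ? STATUS_ACCESS_DENIED : STATUS_SUCCESS;
}

/* Convenience wrapper for NUL-terminated strings (root may be NULL). */
long precheck_str(RegNotifyClass cls, const wchar_t *root, const wchar_t *name)
{
    return registry_precheck(cls, root, root ? wcslen(root) : 0, name, wcslen(name));
}

/*
 * Kernel side (sketch, not compiled here). In the driver's EX_CALLBACK_FUNCTION:
 *   cls  = (REG_NOTIFY_CLASS)(ULONG_PTR)Argument1;
 *   info = (PREG_OPEN_KEY_INFORMATION)Argument2;                  // RegNtPreOpenKeyEx
 *   if (info->RootObject) CmCallbackGetKeyObjectID(&Cookie, info->RootObject, NULL, &rootName);
 *   return registry_precheck(cls, rootName ? rootName->Buffer : NULL, rootChars,
 *                            info->CompleteName->Buffer, info->CompleteName->Length / sizeof(WCHAR));
 * DriverEntry: CmRegisterCallbackEx(Callback, &altitude, DriverObject, NULL, &Cookie, NULL);
 * DriverUnload: CmUnRegisterCallback(Cookie);
 */
int main(void)
{
    const wchar_t *rel = L"SOFTWARE\\ExampleVendor\\Protected\\Settings";
    long st = precheck_str(RegNtPreOpenKeyEx, L"\\REGISTRY\\MACHINE", rel);
    printf("RegOpenKey(HKLM, %ls) -> 0x%08lX\n", rel, st);
    return 0;
}
```

The relative-name case is the one that bites in practice: almost every RegOpenKey call from user mode passes a predefined root handle, so a filter that compares only CompleteName against absolute paths silently lets those requests through. Resolving the root with CmCallbackGetKeyObjectID (Vista SP1 and later) before comparing closes that gap; on XP the legacy RegNtPreOpenKey information structure and SSDT-era names differ, as the answer's EDIT warns.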