最简单的安全防护软件

别的先不说,上图来看看效果。

一、说明

本软件通过全局 WH_GETMESSAGE 钩子把 DLL 注入到各个进程,再在进程内对 CreateProcessW、RegSetValueExW、RegDeleteValueW 的导出入口做 5 字节 inline hook,拦截创建进程、修改和删除注册表键值的行为,并通过 WM_COPYDATA 询问界面程序是否放行,从而达到一种安全防护的目的。需要说明的是:这只是一个用户态(R3)的演示。它只适用于 x86(跳转偏移按 32 位计算),只会注入到有消息循环的进程;只拦截这三个 W 版本的导出函数,不经过这三个入口的调用路径(A 版本函数、直接系统调用等)不会被拦截;而且 hook 代码和判定请求都运行在被监控的进程内部,进程自己恢复入口字节,或者伪造一个同名窗口来回答判定,就可以绕过。这里拦截的内容比较少,大家可以根据自己的需要进行拓展。

二、主要代码

1、动态链接库部分代码

#include "InlineHook.h"

// Event classes reported to the UI in HIPS_INFO::dwHipsClass.
// The calling EXE keeps its own copy of these values; they must stay in sync.
#define HIPS_CREATEPROCESS    0x00000001L
#define HIPS_REGSETVALUE    0x00000002L
#define HIPS_REGDELETEVALUE 0x00000003L

// One inline-hook object per patched API. They are globals, so their
// constructors run when the DLL is loaded and their destructors (which
// call UnHook) run when it is unloaded from a process.
CInlineHook RegSetValueExWHook;
CInlineHook CreateProcessWHook;
CInlineHook RegDeleteValueWHook;
HINSTANCE g_hInst = NULL;   // this DLL's module handle, captured in DllMain

// Payload sent over WM_COPYDATA from a hooked process to the UI.
// wProcessName carries whatever text the hook chose to report (command
// line or application name, registry data, or registry value name).
// The layout must match the copy of this struct in the calling EXE exactly,
// because the UI casts COPYDATASTRUCT::lpData straight to PHIPS_INFO.
typedef struct _HIPS_INFO
{
    WCHAR wProcessName[0x200];   // 512 WCHARs including the terminator
    DWORD dwHipsClass;           // one of the HIPS_* codes above
}HIPS_INFO, *PHIPS_INFO;

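// Variables placed in a named section that the linker marks as shared, so a
// value written in one process is visible in every process that has this DLL
// loaded. The variables must be explicitly initialized to land in the section.
//
// NOTE(security): the section is RWS (read / write / shared). Every hooked
// process can therefore overwrite g_hHook and g_ExeHwnd; nothing read from
// here can be trusted by the UI, and a hostile process can redirect verdict
// requests by changing g_ExeHwnd.
#pragma data_seg(".shared")
HHOOK g_hHook = NULL;     // global WH_GETMESSAGE hook handle set by SetHookOn
HWND g_ExeHwnd = NULL;    // UI window that receives WM_COPYDATA verdict requests
#pragma data_seg()

// The section attributes are set with the linker's /SECTION switch; the form
// "/.shared,RWS" in the original listing is not a valid switch and the section
// would have stayed private (one copy per process).
#pragma comment(linker, "/SECTION:.shared,RWS")

extern "C" __declspec(dllexport) VOID SetHookOn(HWND hWnd);
extern "C" __declspec(dllexport) VOID SetHookOff();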

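// Hook body for CreateProcessW. Reports the command line (or, when that is
// NULL/empty, the application name) to the UI and calls the real
// CreateProcessW only when the UI allows it.
//
// Returns the real API's result when allowed; FALSE with last-error set to
// ERROR_ACCESS_DENIED when the UI blocks the launch.
//
// NOTE: the hook is a 5-byte JMP written over the export's entry, so the
// call-through below must UnHook, call, ReHook. That window is not
// thread-safe: another thread calling CreateProcessW meanwhile is not seen.
// NOTE: SendMessage blocks this thread until the user answers the prompt.
BOOL WINAPI MyCreateProcessW
(
 LPCWSTR lpApplicationName,
 LPWSTR lpCommandLine,
 LPSECURITY_ATTRIBUTES lpProcessAttributes,
 LPSECURITY_ATTRIBUTES lpThreadAttributes,
 BOOL bInheritHandles,
 DWORD dwCreationFlags,
 LPVOID lpEnvironment,
 LPCWSTR lpCurrentDirectory,
 LPSTARTUPINFOW lpStartupInfo,
 LPPROCESS_INFORMATION lpProcessInformation
)
{
    HIPS_INFO info = {0};
    info.dwHipsClass = HIPS_CREATEPROCESS;

    // Either string may legitimately be NULL (the API allows it); the original
    // called wcslen(lpCommandLine) unconditionally and crashed on NULL.
    LPCWSTR pszReport = NULL;
    if (lpCommandLine != NULL && lpCommandLine[0] != L'\0')
    {
        pszReport = lpCommandLine;
    }
    else if (lpApplicationName != NULL)
    {
        pszReport = lpApplicationName;
    }
    if (pszReport != NULL)
    {
        // Truncate instead of failing: wcscpy_s on an over-long command line
        // invokes the invalid-parameter handler and kills the host process.
        wcsncpy_s(info.wProcessName, pszReport, _TRUNCATE);
    }

    // Prefer the window handed to SetHookOn (shared section); fall back to the
    // title lookup the original used. Both can be spoofed by any process that
    // can create a window with this title or write the shared section.
    HWND hUi = g_ExeHwnd;
    if (hUi == NULL || !IsWindow(hUi))
    {
        hUi = FindWindow(NULL, L"Easy Hips For R3");
    }

    // Fail-open when no UI is present, which is what the original effectively
    // did (SendMessage to a NULL window returns 0, which passed "!= -1").
    BOOL bAllowed = TRUE;
    if (hUi != NULL)
    {
        COPYDATASTRUCT cds = {0, sizeof(HIPS_INFO), &info};
        // The UI's OnCopyData returns TRUE (allow) or FALSE (block). The
        // original tested "!= -1", which accepted both, so blocking never
        // took effect. wParam carries the PID (not an HWND) because the UI
        // was written that way.
        bAllowed = (SendMessage(hUi, WM_COPYDATA, (WPARAM)GetCurrentProcessId(), (LPARAM)&cds) != 0);
    }

    if (!bAllowed)
    {
        SetLastError(ERROR_ACCESS_DENIED);
        return FALSE;
    }

    CreateProcessWHook.UnHook();
    BOOL bRet = CreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes,
        bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
    DWORD dwErr = GetLastError();   // ReHook's WriteProcessMemory may clobber it
    CreateProcessWHook.ReHook();
    SetLastError(dwErr);
    return bRet;
}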


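// Hook body for RegSetValueExW. Reports "<value name> = <data>" to the UI
// (data shown only for string types) and calls the real API only when allowed.
//
// Returns the real API's LSTATUS when allowed, ERROR_ACCESS_DENIED when the
// UI blocks the write. The original returned FALSE (== ERROR_SUCCESS) on block,
// so callers believed the write had succeeded.
//
// NOTE: UnHook/call/ReHook is not thread-safe; see MyCreateProcessW.
LSTATUS APIENTRY MyRegSetValueExW
(
 HKEY hKey,
 LPCWSTR lpValueName,
 DWORD Reserved,
 DWORD dwType,
 CONST BYTE* lpData,
 DWORD cbData
)
{
    HIPS_INFO info = {0};
    info.dwHipsClass = HIPS_REGSETVALUE;

    // NULL or empty name addresses the key's default value.
    LPCWSTR pszName = (lpValueName != NULL && lpValueName[0] != L'\0') ? lpValueName : L"(默认)";
    wcsncpy_s(info.wProcessName, pszName, _TRUNCATE);

    // The original cast lpData to a NUL-terminated wide string regardless of
    // dwType: for REG_DWORD / REG_BINARY that reads past the end of the
    // caller's buffer, and it dereferences NULL when cbData is 0.
    const BOOL bStringType = (dwType == REG_SZ || dwType == REG_EXPAND_SZ ||
                              dwType == REG_MULTI_SZ || dwType == REG_LINK);
    if (lpData != NULL && cbData > 0)
    {
        if (bStringType)
        {
            wcsncat_s(info.wProcessName, L" = ", _TRUNCATE);
            // Bound the copy by cbData (the data need not be NUL-terminated)
            // and by the room left; for REG_MULTI_SZ only the first string shows.
            const size_t cchUsed = wcslen(info.wProcessName);
            const size_t cchRoom = (sizeof(info.wProcessName) / sizeof(WCHAR)) - 1 - cchUsed;
            size_t cchData = cbData / sizeof(WCHAR);
            if (cchData > cchRoom)
            {
                cchData = cchRoom;
            }
            wcsncat_s(info.wProcessName, (LPCWSTR)lpData, cchData);
        }
        else
        {
            wcsncat_s(info.wProcessName, L" = <非字符串数据>", _TRUNCATE);
        }
    }

    // Locate the UI: shared-section HWND first, title lookup as fallback.
    // Both are spoofable by any process on the desktop.
    HWND hUi = g_ExeHwnd;
    if (hUi == NULL || !IsWindow(hUi))
    {
        hUi = FindWindow(NULL, L"Easy Hips For R3");
    }

    // Fail-open without a UI, matching the original's effective behaviour.
    BOOL bAllowed = TRUE;
    if (hUi != NULL)
    {
        COPYDATASTRUCT cds = {0, sizeof(HIPS_INFO), &info};
        // OnCopyData returns TRUE/FALSE; the original "!= -1" accepted both.
        bAllowed = (SendMessage(hUi, WM_COPYDATA, (WPARAM)GetCurrentProcessId(), (LPARAM)&cds) != 0);
    }

    if (!bAllowed)
    {
        return ERROR_ACCESS_DENIED;
    }

    RegSetValueExWHook.UnHook();
    LSTATUS lRet = RegSetValueExW(hKey, lpValueName, Reserved, dwType, lpData, cbData);
    RegSetValueExWHook.ReHook();
    return lRet;
}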


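// Hook body for RegDeleteValueW. Reports the value name to the UI and calls
// the real API only when allowed.
//
// Returns the real API's LSTATUS when allowed, ERROR_ACCESS_DENIED when the
// UI blocks the deletion (the original returned FALSE == ERROR_SUCCESS, so
// callers believed the value had been deleted).
//
// NOTE: UnHook/call/ReHook is not thread-safe; see MyCreateProcessW.
LSTATUS APIENTRY MyRegDeleteValueW(HKEY hKey, LPCWSTR lpValueName)
{
    HIPS_INFO info = {0};
    info.dwHipsClass = HIPS_REGDELETEVALUE;

    // NULL or empty name means the key's default value; the original passed
    // NULL straight into wcscpy_s.
    LPCWSTR pszName = (lpValueName != NULL && lpValueName[0] != L'\0') ? lpValueName : L"(默认)";
    wcsncpy_s(info.wProcessName, pszName, _TRUNCATE);   // truncate, never fault

    // Locate the UI: shared-section HWND first, title lookup as fallback.
    HWND hUi = g_ExeHwnd;
    if (hUi == NULL || !IsWindow(hUi))
    {
        hUi = FindWindow(NULL, L"Easy Hips For R3");
    }

    // Fail-open without a UI, matching the original's effective behaviour.
    BOOL bAllowed = TRUE;
    if (hUi != NULL)
    {
        COPYDATASTRUCT cds = {0, sizeof(HIPS_INFO), &info};
        // OnCopyData returns TRUE/FALSE; the original "!= -1" accepted both.
        bAllowed = (SendMessage(hUi, WM_COPYDATA, (WPARAM)GetCurrentProcessId(), (LPARAM)&cds) != 0);
    }

    if (!bAllowed)
    {
        return ERROR_ACCESS_DENIED;
    }

    RegDeleteValueWHook.UnHook();
    LSTATUS lRet = RegDeleteValueW(hKey, lpValueName);
    RegDeleteValueWHook.ReHook();
    return lRet;
}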


// WH_GETMESSAGE hook procedure. It does no work of its own: the global hook
// exists only so that this DLL gets mapped into every message-pumping process,
// at which point DllMain installs the inline hooks. The message is always
// passed on to the next hook in the chain.
LRESULT CALLBACK GetMsgProc(int iCode, WPARAM wParam, LPARAM lParam)
{
    const HHOOK hChain = g_hHook;
    return CallNextHookEx(hChain, iCode, wParam, lParam);
}


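// Installs the global WH_GETMESSAGE hook (all threads on the desktop) that
// gets this DLL loaded into message-pumping processes, and records the UI
// window that receives WM_COPYDATA verdict requests.
//
// hWnd: the UI dialog's window handle; stored in the shared section.
//
// Fix: the original discarded SetWindowsHookEx's return value, so g_hHook
// stayed NULL and neither SetHookOff nor DllMain could ever remove the hook.
// On failure g_hHook remains NULL and GetLastError() explains why; the VOID
// interface gives the caller no other signal.
VOID SetHookOn(HWND hWnd)
{
    g_ExeHwnd = hWnd;

    if (g_hHook != NULL)
    {
        return;   // already installed; a second call would orphan the first hook
    }
    g_hHook = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc, g_hInst, 0);
}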


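// Removes the global hook installed by SetHookOn, if any, and forgets the UI
// window. Processes that already have the DLL loaded keep it (and its inline
// hooks) until they exit; their hooks fall back to finding the UI by title.
VOID SetHookOff()
{
    if (g_hHook != NULL)   // the original called UnhookWindowsHookEx(NULL) unconditionally
    {
        UnhookWindowsHookEx(g_hHook);
        g_hHook = NULL;
    }
    g_ExeHwnd = NULL;
}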


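// Runs in every process the DLL is mapped into (the UI itself via LoadLibrary,
// everything else via the WH_GETMESSAGE hook). Attach patches the three APIs;
// detach restores them.
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        g_hInst = (HINSTANCE)hModule;
        DisableThreadLibraryCalls(g_hInst);   // no per-thread work below
        // A failed Hook() (module not loaded, write refused) simply leaves that
        // API unmonitored; there is no caller to report it to.
        RegSetValueExWHook.Hook(L"advapi32.dll", "RegSetValueExW", (PROC)MyRegSetValueExW);
        RegDeleteValueWHook.Hook(L"advapi32.dll", "RegDeleteValueW", (PROC)MyRegDeleteValueW);
        CreateProcessWHook.Hook(L"kernel32.dll", "CreateProcessW", (PROC)MyCreateProcessW);
        break;
    case DLL_PROCESS_DETACH:
        // lpReserved != NULL means the process is terminating: other threads
        // are gone and the image is about to vanish, so patching is pointless.
        if (lpReserved == NULL)
        {
            RegSetValueExWHook.UnHook();
            RegDeleteValueWHook.UnHook();
            CreateProcessWHook.UnHook();
        }
        // Deliberately NOT calling SetHookOff() here: g_hHook is in the shared
        // section, so this code runs with a valid handle in EVERY hooked process
        // and the first one to unload would tear down the global hook for all.
        // The hook belongs to whoever called SetHookOn.
        break;
    }

    return TRUE;
}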
#include "InlineHook.h"

// Starts in the unhooked state: no target and both byte buffers cleared.
CInlineHook::CInlineHook(void)
    : m_pfnOrig(NULL)
{
    ZeroMemory(m_bOldBytes, sizeof(m_bOldBytes));
    ZeroMemory(m_bNewBytes, sizeof(m_bNewBytes));
}

// Puts the original entry bytes back if this object ever hooked anything, so
// the global hook objects self-restore when the DLL is unloaded.
CInlineHook::~CInlineHook(void)
{
    this->UnHook();
}

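//////////////////////////////////////////////////////////////////////////////////
// Purpose: patch the entry of an exported function in an already-loaded module
//          with a 5-byte "JMP rel32" to the hook function.
// Parameters:
//        pszModuleName: module name (must already be loaded in this process)
//        pszFuncName:   exported function name
//        pfnHookFunc:   function that receives the redirected calls
// Returns TRUE on success. On any failure nothing is patched and the object
// stays unhooked.
//
// Only the exported entry is patched; callers that reach the same code through
// another entry point are not seen. The saved bytes are never executed (the
// caller UnHooks before calling through), so no instruction-length analysis is
// done -- but that means the call-through window is not thread-safe.
/////////////////////////////////////////////////////////////////////////////////
BOOL CInlineHook::Hook(LPTSTR pszModuleName, LPSTR pszFuncName, PROC pfnHookFunc)
{
    if (pfnHookFunc == NULL)
    {
        return FALSE;
    }

    // Re-hooking the same object: restore first, otherwise the bytes saved
    // below would be our own JMP and UnHook could never undo it.
    if (m_pfnOrig != NULL)
    {
        UnHook();
        m_pfnOrig = NULL;
    }

    HMODULE hMod = GetModuleHandle(pszModuleName);
    if (hMod == NULL)
    {
        return FALSE;
    }
    PROC pfnTarget = (PROC)GetProcAddress(hMod, pszFuncName);
    if (pfnTarget == NULL)
    {
        return FALSE;
    }

    // E9 rel32: the displacement is relative to the end of the 5-byte JMP and
    // must fit in a signed 32-bit value. Always true on x86; the original's
    // DWORD arithmetic would silently truncate on a 64-bit build.
    const BYTE* pbTarget = (const BYTE*)pfnTarget;
    const BYTE* pbHook = (const BYTE*)pfnHookFunc;
    ptrdiff_t delta = pbHook - (pbTarget + 5);
    if (delta != (ptrdiff_t)(INT32)delta)
    {
        return FALSE;
    }

    // Save the bytes we are about to overwrite; verify the read actually
    // happened (the original ignored the result).
    SIZE_T cb = 0;
    if (!ReadProcessMemory(GetCurrentProcess(), (LPCVOID)pfnTarget, m_bOldBytes, sizeof(m_bOldBytes), &cb)
        || cb != sizeof(m_bOldBytes))
    {
        return FALSE;
    }

    // Build JMP rel32. The published listing showed TEXT('xe9') here, which is
    // the escape sequence '\xe9' with its backslash lost; the opcode is 0xE9.
    m_bNewBytes[0] = 0xE9;
    *(INT32*)(m_bNewBytes + 1) = (INT32)delta;

    // WriteProcessMemory changes the page protection itself; the cache flush
    // makes the new instruction bytes visible to all CPUs.
    if (!WriteProcessMemory(GetCurrentProcess(), (LPVOID)pfnTarget, m_bNewBytes, sizeof(m_bNewBytes), &cb)
        || cb != sizeof(m_bNewBytes))
    {
        return FALSE;
    }
    FlushInstructionCache(GetCurrentProcess(), (LPCVOID)pfnTarget, sizeof(m_bNewBytes));

    m_pfnOrig = pfnTarget;   // set only once the patch is in place
    return TRUE;
}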

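/////////////////////////////////////
// Purpose: write the saved original bytes back over the patched entry.
// The target address is kept so ReHook() can re-apply the patch afterwards;
// this is how the hook bodies call through to the real API.
// A failed write is ignored (VOID interface) but no longer flushes the cache.
/////////////////////////////////////
VOID CInlineHook::UnHook(void)
{
    if (m_pfnOrig != NULL)
    {
        SIZE_T cb = 0;
        if (WriteProcessMemory(GetCurrentProcess(), (LPVOID)m_pfnOrig, m_bOldBytes, sizeof(m_bOldBytes), &cb)
            && cb == sizeof(m_bOldBytes))
        {
            FlushInstructionCache(GetCurrentProcess(), (LPCVOID)m_pfnOrig, sizeof(m_bOldBytes));
        }
    }
}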

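//////////////////////////////////////////////////////
// Purpose: write the JMP back after an UnHook().
// Returns FALSE if this object never hooked anything or the write failed
// (the original reported TRUE without checking the write).
//////////////////////////////////////////////////////
BOOL CInlineHook::ReHook(void)
{
    if (m_pfnOrig == NULL)
    {
        return FALSE;
    }

    SIZE_T cb = 0;
    if (!WriteProcessMemory(GetCurrentProcess(), (LPVOID)m_pfnOrig, m_bNewBytes, sizeof(m_bNewBytes), &cb)
        || cb != sizeof(m_bNewBytes))
    {
        return FALSE;
    }
    FlushInstructionCache(GetCurrentProcess(), (LPCVOID)m_pfnOrig, sizeof(m_bNewBytes));
    return TRUE;
}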
#pragma once
#include <Windows.h>

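// Minimal 5-byte "JMP rel32" inline hook for one exported function in the
// current process (x86 layout; the displacement must fit in 32 bits).
// To call the original from inside the hook: UnHook(), call, ReHook().
// Not thread-safe: other threads can enter the unpatched function meanwhile.
class CInlineHook
{
public:
    CInlineHook(void);     // starts unhooked
    ~CInlineHook(void);    // restores the original bytes if hooked

    // Patch pszFuncName in the already-loaded module pszModuleName so that it
    // jumps to pfnHookFunc. Returns TRUE on success; FALSE leaves it untouched.
    BOOL Hook(LPTSTR pszModuleName, LPSTR pszFuncName, PROC pfnHookFunc);
    // Write the saved original bytes back (the object stays bound to the target).
    VOID UnHook(void);
    // Write the JMP back after an UnHook(). Returns FALSE if never hooked.
    BOOL ReHook(void);
private:
    // Two copies would both try to restore/patch the same entry from their
    // own saved bytes. Copying is forbidden: declared but never defined.
    CInlineHook(const CInlineHook&);
    CInlineHook& operator=(const CInlineHook&);

    PROC m_pfnOrig;            // address of the patched entry; NULL when unhooked
    BYTE m_bOldBytes[5];    // original first 5 bytes of the target
    BYTE m_bNewBytes[5];    // E9 + rel32 written over them
};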

2、调用部分代码

// Event classes, matching the values compiled into HipsDll.dll.
#define HIPS_CREATEPROCESS    0x00000001L
#define HIPS_REGSETVALUE    0x00000002L
#define HIPS_REGDELETEVALUE 0x00000003L

// WM_COPYDATA payload sent by the hook DLL. Must be laid out exactly like the
// DLL's copy, since OnCopyData casts the incoming buffer to this type.
// The buffer arrives from another process and is not trustworthy: its size
// and NUL termination must be checked before use.
typedef struct _HIPS_INFO
{
    WCHAR wProcessName[0x200];   // text to show: command line, registry data or value name
    DWORD dwHipsClass;           // one of the HIPS_* codes above
}HIPS_INFO, *PHIPS_INFO;

// Signatures of the two exports looked up in HipsDll.dll with GetProcAddress.
// Plain (cdecl) function pointers, matching the extern "C" exports.
typedef VOID (*SETHOOKON)(HWND);
typedef VOID (*SETHOOKOFF)();


// Sets up the five columns of the event log list. Column widths are tenths
// of the list's client width: 1/10, 2/10, 4/10, 2/10, 1/10.
void CHipsCallDlg::InitLogList(void)
{
    // Full-row selection plus grid lines make the log easier to read.
    const DWORD dwExStyle = m_ctrlLogList.GetExtendedStyle();
    m_ctrlLogList.SetExtendedStyle(dwExStyle | LVS_EX_FULLROWSELECT | LVS_EX_GRIDLINES);

    static const LPCWSTR s_apszCaption[] = { L"序号", L"时间", L"信息", L"类型", L"事件" };
    static const int s_anTenths[] = { 1, 2, 4, 2, 1 };
    const int nColumns = sizeof(s_anTenths) / sizeof(s_anTenths[0]);

    int nCol = 0;
    for (nCol = 0; nCol < nColumns; ++nCol)
    {
        m_ctrlLogList.InsertColumn(nCol, s_apszCaption[nCol]);
    }

    // Measure after the columns exist, as the original did.
    CRect rcClient;
    m_ctrlLogList.GetClientRect(&rcClient);
    const int nWidth = rcClient.Width();

    for (nCol = 0; nCol < nColumns; ++nCol)
    {
        // (k * width) / 10 -- same integer rounding as the original expressions.
        m_ctrlLogList.SetColumnWidth(nCol, s_anTenths[nCol] * nWidth / 10);
    }
}

// "Clear log" button: drops every row from the event list.
void CHipsCallDlg::OnBnClickedButtonCleanuplog()
{
    CListCtrl& rLog = m_ctrlLogList;
    rLog.DeleteAllItems();
}

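// "Start" button: loads the hook DLL and asks it to install the global hook,
// passing this dialog's HWND as the verdict window. The DLL also locates this
// dialog by its title ("Easy Hips For R3") as a fallback, so the title must
// not change.
//
// Fixes: LoadLibrary / GetProcAddress results were never checked (a missing
// DLL crashed on a NULL function pointer), and FreeLibrary was called right
// after SetHookOn. That drops this process's reference to the DLL; when it
// unloads, its DLL_PROCESS_DETACH runs here, and SetHookOff in that path
// would remove the hook that was just installed. The DLL now stays loaded
// until OnBnClickedButtonStop frees it.
void CHipsCallDlg::OnBnClickedButtonStart()
{
    m_hInst = LoadLibrary(TEXT("HipsDll.dll"));
    if (m_hInst == NULL)
    {
        AfxMessageBox(_T("无法加载 HipsDll.dll"));
        return;
    }

    SETHOOKON pfnSetHookOn = (SETHOOKON)GetProcAddress(m_hInst, "SetHookOn");
    if (pfnSetHookOn == NULL)
    {
        AfxMessageBox(_T("HipsDll.dll 中找不到 SetHookOn"));
        FreeLibrary(m_hInst);
        m_hInst = NULL;
        return;
    }

    pfnSetHookOn(GetSafeHwnd());
    m_BtnOn.EnableWindow(FALSE);
    m_BtnOff.EnableWindow(TRUE);
}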

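// "Stop" button: asks the DLL to remove the global hook and releases this
// process's reference to it.
//
// Fixes: the module name was misspelled ("HipsDll.dd"), so GetModuleHandle
// always returned NULL and a NULL SetHookOff pointer was called; and an
// HMODULE was passed to CloseHandle, which is not a kernel object handle.
// Processes that already loaded the DLL keep it until they exit, and their
// inline hooks keep prompting as long as this window exists.
void CHipsCallDlg::OnBnClickedButtonStop()
{
    HMODULE hDll = GetModuleHandle(TEXT("HipsDll.dll"));
    if (hDll != NULL)
    {
        SETHOOKOFF pfnSetHookOff = (SETHOOKOFF)GetProcAddress(hDll, "SetHookOff");
        if (pfnSetHookOff != NULL)
        {
            pfnSetHookOff();
        }
        // Balances the LoadLibrary done in OnBnClickedButtonStart.
        FreeLibrary(hDll);
        m_hInst = NULL;
    }

    m_BtnOn.EnableWindow(TRUE);
    m_BtnOff.EnableWindow(FALSE);
}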

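// Handles a verdict request from a hooked process: shows a Yes/No prompt,
// logs the event, and returns the decision as the SendMessage result
// (TRUE = allow, FALSE = block). The sender stays blocked until this returns.
//
// pWnd is built from wParam, which the DLL fills with the sender's PID rather
// than an HWND -- it must not be used as a window.
//
// Everything in pCopyDataStruct is untrusted input: any process can find this
// window by title and send WM_COPYDATA with an arbitrary buffer, so the size
// is checked and the string is re-terminated before it is read.
//
// Fixes: the original read the payload without a size check, trusted its NUL
// termination, printed wMonth where the hour belongs, and asked "start this
// process?" for registry events too.
BOOL CHipsCallDlg::OnCopyData(CWnd* pWnd, COPYDATASTRUCT* pCopyDataStruct)
{
    if (pCopyDataStruct == NULL || pCopyDataStruct->lpData == NULL
        || pCopyDataStruct->cbData < sizeof(HIPS_INFO))
    {
        return FALSE;   // malformed request: block
    }

    // Private copy; the sender's buffer is only valid for the duration of the
    // message, and the copy is re-terminated in case the string filled it.
    HIPS_INFO info;
    memcpy(&info, pCopyDataStruct->lpData, sizeof(info));
    info.wProcessName[(sizeof(info.wProcessName) / sizeof(info.wProcessName[0])) - 1] = L'\0';

    // Timestamp when the request arrived, not when the user answered.
    SYSTEMTIME st;
    GetLocalTime(&st);
    CString strTime;
    strTime.Format(_T("%04d-%02d-%02d %02d:%02d:%02d"), st.wYear, st.wMonth, st.wDay,
        st.wHour, st.wMinute, st.wSecond);

    CString strType;
    CString strQuestion;
    switch (info.dwHipsClass)
    {
    case HIPS_CREATEPROCESS:
        strType = _T("进程创建");
        strQuestion = _T("是否启动该进程:");
        break;
    case HIPS_REGSETVALUE:
        strType = _T("修改注册表项");
        strQuestion = _T("是否允许修改注册表项:");
        break;
    case HIPS_REGDELETEVALUE:
        strType = _T("删除注册表项");
        strQuestion = _T("是否允许删除注册表项:");
        break;
    default:
        strType = _T("未知");
        strQuestion = _T("是否允许该操作:");
        break;
    }

    const CString strInfo(info.wProcessName);
    const BOOL bAllow = (IDYES == AfxMessageBox(strQuestion + strInfo, MB_YESNO));
    const CString strResult = bAllow ? _T("放行") : _T("拦截");

    const int nRow = m_ctrlLogList.GetItemCount();
    CString strNum;
    strNum.Format(_T("%d"), nRow);

    m_ctrlLogList.InsertItem(nRow, strNum);
    m_ctrlLogList.SetItemText(nRow, 1, strTime);
    m_ctrlLogList.SetItemText(nRow, 2, strInfo);
    m_ctrlLogList.SetItemText(nRow, 3, strType);
    m_ctrlLogList.SetItemText(nRow, 4, strResult);

    return bAllow;
}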

三、下载

下载地址:http://pan.baidu.com/s/1ntwjz77

原文地址:https://www.cnblogs.com/qiyueliuguang/p/3632008.html