调用MinHook.dll实现hook代码的学习


另类的hook学习:

这个 dll 来自 https://www.codeproject.com/Articles/44326/MinHook-The-Minimalistic-x-x-API-Hooking-Libra 。MinHook.x86.dll 是第三方二进制文件，会随工程嵌入并加载进进程，建议只从作者的官方发布页获取并核对文件哈希；文件名中的 x86 表示它只能在 32 位进程里使用，64 位进程需要对应的 x64 版本。

import win.ui;
/*DSG{{*/
mainForm = win.form(text="aardio工程29";right=959;bottom=591)
mainForm.add()
/*}}*/

import console
console.open()

// Load the MinHook library embedded under \res\ (the second argument is
// presumably the file name used when the embedded resource is written out
// before loading) and bind the exports used on this page.
// NOTE(review): MinHook.x86.dll is a third-party binary that is mapped into
// this process; obtain it from the author's official release and check its
// hash before embedding it.
var dll = ..raw.loadDll("\res\MinHook.x86.dll","MinHook.x86.dll");
// Every MH_* function returns an MH_STATUS code; 0 is MH_OK, anything else is
// an error that MH_StatusToString can render as text.
MH_Initialize = dll.api("MH_Initialize","int()" )
MH_Uninitialize = dll.api("MH_Uninitialize","int()" )
// pointer& ppOriginal is an OUTPUT parameter: aardio returns it as a second
// return value holding the trampoline to the original function.
MH_CreateHook = dll.api("MH_CreateHook","int(pointer pTarget, pointer pDetour, pointer& ppOriginal)" )
MH_CreateHookApi = dll.api("MH_CreateHookApi","int(ustring pszModule, string pszProcName, pointer pDetour, pointer& ppOriginal)" )
MH_CreateHookApiEx = dll.api("MH_CreateHookApiEx","int(ustring pszModule, string pszProcName, pointer pDetour, pointer& ppOriginal, pointer& ppTarget)" )
MH_RemoveHook = dll.api("MH_RemoveHook","int(pointer pTarget)" )
// pTarget == null (MH_ALL_HOOKS) applies to every created hook.
MH_EnableHook = dll.api("MH_EnableHook","int(pointer pTarget)" )
MH_DisableHook = dll.api("MH_DisableHook","int(pointer pTarget)" )
MH_QueueEnableHook = dll.api("MH_QueueEnableHook","int(pointer pTarget)" )
MH_QueueDisableHook = dll.api("MH_QueueDisableHook","int(pointer pTarget)") 
MH_ApplyQueued = dll.api("MH_ApplyQueued","int()" )
// Renders an MH_STATUS code as a C string.
MH_StatusToString = dll.api("MH_StatusToString","str(int status)" )

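// Initialise MinHook. `ret` is checked below: only 0 (MH_OK) allows hooking.
var ret = MH_Initialize();
// Log the numeric status together with its text so a failure is readable.
console.log( ret, MH_StatusToString(ret) )

// Bind the API that will be hooked. The prototype must match the real
// signature exactly; the original listing was missing the closing parenthesis
// of the prototype string.
MessageBoxW = ::User32.api("MessageBoxW","int(int,ustring,ustring,int)" )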

// Re-enables the hook on MessageBoxW. In the main flow below its stdcall
// pointer is passed as the third argument of MH_CreateHook, but that parameter
// (ppOriginal) is declared as an output slot (`pointer&`), not a callback, so
// MinHook never invokes this function; it has no effect in this listing.
fpMessageBoxW =function(){
	MH_EnableHook(MessageBoxW)
}

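// Detour for MessageBoxW: prefixes the message text with "hook" and forwards
// the call to the real API.
//
// This listing keeps no trampoline (the ppOriginal output of MH_CreateHook is
// discarded below), so the detour temporarily disables the hook, calls the
// restored original and re-enables the hook. That pattern is only acceptable
// for a single-threaded demo: while the hook is disabled any other thread that
// calls MessageBoxW bypasses the detour, and MinHook's enable/disable calls
// are not designed to be driven from inside the function they patch. Prefer
// calling the trampoline returned by MH_CreateHook, as the second listing on
// this page does.
//
// Returns the int result of the original call; the stdcall prototype declared
// with raw.tostdcall below is int(...), so the detour must return a value.
DetourMessageBoxW = function (hWnd, lpText, lpCaption, uType)
{
    // If the hook cannot be disabled, calling MessageBoxW would re-enter this
    // detour without end; report the status and return 0 instead.
    var status = MH_DisableHook(MessageBoxW);
    if(status != 0){
        console.log("MH_DisableHook failed inside detour:", MH_StatusToString(status));
        return 0;
    }
    var result = MessageBoxW(hWnd, "hook"++lpText, lpCaption, uType);
    MH_EnableHook(MessageBoxW)
    return result;
}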

// Wrap the aardio functions as stdcall function pointers so native code can
// call them. The detour prototype must match the hooked API exactly
// (int(HWND, LPCWSTR, LPCWSTR, UINT) -> int).
DetourMessageBoxW_c = raw.tostdcall(DetourMessageBoxW,"int(int,ustring,ustring,int)" )
// Pointer for fpMessageBoxW; passed below as the ppOriginal output argument of
// MH_CreateHook, where it is overwritten rather than used.
fpMessageBoxW_c = raw.tostdcall(fpMessageBoxW,"void()" )

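// Demo flow: install the hook only if MinHook initialised, then trigger the
// hooked API twice. Each MH_* status is checked; previously a failed
// MH_CreateHook was only printed and MH_EnableHook / the MessageBoxW calls
// still ran, silently unhooked.
if(ret == 0){
	console.log("初始化成功")
	console.pause()
	// The third argument is the ppOriginal *output* slot; this listing discards
	// the trampoline it returns (the second listing shows how to use it).
	var createStatus = MH_CreateHook(MessageBoxW,DetourMessageBoxW_c,fpMessageBoxW_c)
	console.log( createStatus, MH_StatusToString(createStatus) )
	if(createStatus != 0){
		console.log("MH_CreateHook failed, hook not enabled")
	}else {
		console.pause()
		var enableStatus = MH_EnableHook(MessageBoxW)
		console.log( enableStatus, MH_StatusToString(enableStatus) );
		console.pause()
		MessageBoxW(0,"提示信息1","test",0)
		console.pause()
		MessageBoxW(0,"提示信息2","测试",0)
	}
}else {
	console.log("初始化失败")
}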

// Tear-down on window close: MH_DisableHook(null) means MH_ALL_HOOKS and
// disables every hook, then MinHook itself is uninitialised. Both statuses
// are logged.
mainForm.onClose = function(hwnd,message,wParam,lParam){
   var disableStatus = MH_DisableHook(null);
   console.log( disableStatus )
   var uninitStatus = MH_Uninitialize();
   console.log( uninitStatus )
}

mainForm.show();
// Pump messages until the window closes; onClose above releases the hooks first.
return win.loopMessage();



第二种调用方式（避免在替换函数内反复触发钩子）: 不再在替换函数里反复 Disable/Enable 钩子, 而是通过 MH_CreateHook 的第三个参数 ppOriginal 拿到原函数的跳板指针(aardio 把它作为第二个返回值返回), 用 exe.api(地址, 原型) 转成可调用函数后在替换函数中直接调用它。

import win.ui;
/*DSG{{*/
mainForm = win.form(text="aardio工程29";right=959;bottom=591)
mainForm.add()
/*}}*/

import console
console.open()

// Load the embedded MinHook library (the second argument is presumably the
// file name used when the resource is written out before loading) and bind
// the exports used below.
// NOTE(review): a third-party DLL mapped into the process; take it from the
// author's official release and verify its hash before embedding it.
var dll = ..raw.loadDll("\res\MinHook.x86.dll","MinHook.x86.dll");
// All MH_* calls return an MH_STATUS code: 0 is MH_OK.
MH_Initialize = dll.api("MH_Initialize","int()" )
MH_Uninitialize = dll.api("MH_Uninitialize","int()" )
// pointer& ppOriginal is an output parameter; aardio returns it as a second
// return value holding the trampoline to the original function.
MH_CreateHook = dll.api("MH_CreateHook","int(pointer pTarget, pointer pDetour, pointer& ppOriginal)" )
MH_CreateHookApi = dll.api("MH_CreateHookApi","int(ustring pszModule, string pszProcName, pointer pDetour, pointer& ppOriginal)" )
MH_CreateHookApiEx = dll.api("MH_CreateHookApiEx","int(ustring pszModule, string pszProcName, pointer pDetour, pointer& ppOriginal, pointer& ppTarget)" )
MH_RemoveHook = dll.api("MH_RemoveHook","int(pointer pTarget)" )
// pTarget == null (MH_ALL_HOOKS) applies to every created hook.
MH_EnableHook = dll.api("MH_EnableHook","int(pointer pTarget)" )
MH_DisableHook = dll.api("MH_DisableHook","int(pointer pTarget)" )
MH_QueueEnableHook = dll.api("MH_QueueEnableHook","int(pointer pTarget)" )
MH_QueueDisableHook = dll.api("MH_QueueDisableHook","int(pointer pTarget)") 
MH_ApplyQueued = dll.api("MH_ApplyQueued","int()" )
// Renders an MH_STATUS code as text.
MH_StatusToString = dll.api("MH_StatusToString","str(int status)" )

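// Initialise MinHook; only 0 (MH_OK) allows the hook below to be created.
var ret = MH_Initialize();
console.log( ret, MH_StatusToString(ret) )

// Bind the API to hook. The prototype string in the original listing was
// missing its closing parenthesis.
MessageBoxW = ::User32.api("MessageBoxW","int(int,ustring,ustring,int)" )
// Trampoline to the original MessageBoxW. It is assigned only after
// MH_CreateHook succeeds and is what the detour calls.
var func_api;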


// Detour: logs that the hook fired, prefixes the text with "hook" and forwards
// the call to the trampoline (func_api) — the original code, not the hooked
// entry point — so the detour does not re-enter itself. Returns the original's
// int result.
DetourMessageBoxW = function (hWnd, lpText, lpCaption, uType)
{
	console.log("hook le ")
	var prefixedText = "hook"++lpText;
	var result = func_api(hWnd, prefixedText, lpCaption, uType);
	return result;
}

// Wrap the aardio detour as a stdcall function pointer; the prototype must
// match MessageBoxW exactly (int(HWND, LPCWSTR, LPCWSTR, UINT) -> int).
DetourMessageBoxW_c = raw.tostdcall(DetourMessageBoxW,"int(int,ustring,ustring,int)" )


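// Demo flow: create the hook, bind its trampoline, then toggle the hook on and
// off around four MessageBoxW calls (1 and 3 are hooked, 2 and 4 are not).
if(ret == 0){
	console.log("初始化成功")
	console.pause()

	// MH_CreateHook returns (status, ppOriginal): aardio hands the pointer&
	// output back as a second return value. The trampoline is bound only when
	// the status is MH_OK and the pointer is non-null; otherwise exe.api()
	// would wrap address 0 and the first hooked call would crash the process.
	var createStatus,FunA = MH_CreateHook(MessageBoxW,DetourMessageBoxW_c,null)
	if(createStatus != 0 || !FunA){
		console.log("MH_CreateHook failed:", createStatus, MH_StatusToString(createStatus))
	}else {
		// raw.loadDll() with no path presumably refers to the running
		// executable; api() with a numeric address builds a callable for the
		// trampoline with the same prototype as MessageBoxW.
		funcAddr = tonumber(FunA)
		exe = raw.loadDll();
		func_api = exe.api( funcAddr ,"int(int,ustring,ustring,int)" )

		console.pause()
		console.log( MH_EnableHook(MessageBoxW) );
		MessageBoxW(0,"提示信息1","test",0)
		console.pause()
		console.log( MH_DisableHook(MessageBoxW) );
		MessageBoxW(0,"提示信息2","测试",0)
		console.pause()
		console.log( MH_EnableHook(MessageBoxW) );
		MessageBoxW(0,"提示信息3","test",0)
		console.pause()
		console.log( MH_DisableHook(MessageBoxW) );
		MessageBoxW(0,"提示信息4","测试",0)
	}
}else {
	console.log("初始化失败")
}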

// Tear-down on window close: MH_DisableHook(null) (MH_ALL_HOOKS) disables
// every hook before MinHook is uninitialised; both statuses are logged.
mainForm.onClose = function(hwnd,message,wParam,lParam){
   var disableStatus = MH_DisableHook(null);
   console.log( disableStatus )
   var uninitStatus = MH_Uninitialize();
   console.log( uninitStatus )
}

mainForm.show();
// Pump messages until the window closes; onClose above releases the hooks first.
return win.loopMessage();



Hook 串口通信库 pcomm.dll 的读取函数 sio_read（代码里同时绑定了 sio_write, 但本例只对 sio_read 创建了钩子）, 在替换函数里通过跳板调用原函数后把收到的数据打印出来:

import win.ui;
/*DSG{{*/
var winform = win.form(text="aardio form";right=759;bottom=469)
winform.add(
button={cls="button";text="打开串口";left=46;top=51;right=239;bottom=132;z=1};
button2={cls="button";text="写入";left=49;top=151;right=305;bottom=264;z=2};
button3={cls="button";text="读取";left=322;top=149;right=591;bottom=262;z=3};
button4={cls="button";text="定时读取";left=322;top=281;right=591;bottom=394;z=4};
button5={cls="button";text="先运行弹窗那个hook,再随便弹一弹2";left=48;top=400;right=305;bottom=465;z=5}
)
/*}}*/

import sio;
import console
console.open()
 
// Load the embedded MinHook library (the second argument is presumably the
// file name used when the resource is written out before loading) and bind
// the exports used below.
// NOTE(review): a third-party DLL mapped into the process; take it from the
// author's official release and verify its hash before embedding it.
var dll = ..raw.loadDll("\res\MinHook.x86.dll","MinHook.x86.dll");
// All MH_* calls return an MH_STATUS code: 0 is MH_OK.
MH_Initialize = dll.api("MH_Initialize","int()" )
MH_Uninitialize = dll.api("MH_Uninitialize","int()" )
// pointer& ppOriginal is an output parameter; aardio returns it as a second
// return value holding the trampoline to the original function.
MH_CreateHook = dll.api("MH_CreateHook","int(pointer pTarget, pointer pDetour, pointer& ppOriginal)" )
MH_CreateHookApi = dll.api("MH_CreateHookApi","int(ustring pszModule, string pszProcName, pointer pDetour, pointer& ppOriginal)" )
MH_CreateHookApiEx = dll.api("MH_CreateHookApiEx","int(ustring pszModule, string pszProcName, pointer pDetour, pointer& ppOriginal, pointer& ppTarget)" )
MH_RemoveHook = dll.api("MH_RemoveHook","int(pointer pTarget)" )
// pTarget == null (MH_ALL_HOOKS) applies to every created hook.
MH_EnableHook = dll.api("MH_EnableHook","int(pointer pTarget)" )
MH_DisableHook = dll.api("MH_DisableHook","int(pointer pTarget)" )
MH_QueueEnableHook = dll.api("MH_QueueEnableHook","int(pointer pTarget)" )
MH_QueueDisableHook = dll.api("MH_QueueDisableHook","int(pointer pTarget)") 
MH_ApplyQueued = dll.api("MH_ApplyQueued","int()" )
// Renders an MH_STATUS code as text.
MH_StatusToString = dll.api("MH_StatusToString","str(int status)" )
 
var ret = MH_Initialize();
// 0 (MH_OK) means MinHook is ready; note the hook below is created without checking this value.
console.log("Hook初始化", ret )
 
// Trampoline to the original sio_read; assigned once MH_CreateHook has returned it.
var func_api;
 
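// Detour for sio_read(port, buf, len): runs the real function through the
// trampoline, then logs what was read. Only the bytes the call reported are
// decoded, so the log never walks past the caller's buffer looking for a NUL
// terminator (the original raw.tostring(buf) did exactly that — serial data
// is not NUL-terminated). Returns the original's result unchanged.
// NOTE(review): assumes sio_read returns the byte count (<= 0 when nothing was
// read) and that raw.tostring(ptr, start, end) is bounded by 1-based byte
// positions — confirm both against the pcomm.dll and aardio version in use.
Detoursio_read = function (port,buf,len)
{
    var ret =  func_api(port,buf,len);
    var data = "";
    if(ret > 0){
        data = raw.tostring(buf,1,ret);
    }
    console.log("Hook收到数据如下:",port,data,len,ret)
    return ret;
}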
 
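// Convert the aardio detour into a stdcall function pointer with the same
// prototype as sio_read(int port, char *buf, int len).
Detoursio_read_c = raw.tostdcall(Detoursio_read,"int(int,pointer,int)" )
// Bind the PComm exports. sio_write is bound here but only sio_read is hooked.
sio_write = ::Pcomm.api("sio_write","int(int port,pointer buf, int len)" )
sio_read = ::Pcomm.api("sio_read","int(int port,pointer buf, int len)" )
// Create the hook. The pointer& output (the trampoline to the original
// sio_read) comes back as a second return value.
var createStatus,FunA = MH_CreateHook(sio_read,Detoursio_read_c,null)
console.log("创建tHook",createStatus,FunA)
// Bind the trampoline and enable the hook only when creation succeeded. On a
// failed status FunA is null, and exe.api(0, ...) would build a callable that
// jumps to address 0 the first time the detour runs.
if(createStatus == 0 && FunA){
	// raw.loadDll() with no path presumably refers to the running executable;
	// api() with a numeric address builds a callable for the trampoline.
	funcAddr = tonumber(FunA)
	exe = raw.loadDll();
	func_api = exe.api( funcAddr ,"int(int,pointer,int)" )
	console.log("使能Hook:", MH_EnableHook(sio_read) );
}else {
	console.log("MH_CreateHook failed:", MH_StatusToString(createStatus))
}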
 
// Tear-down on window close: MH_DisableHook(null) (MH_ALL_HOOKS) disables
// every hook, then MinHook is uninitialised; both statuses are logged.
winform.onClose = function(hwnd,message,wParam,lParam){
   var disableStatus = MH_DisableHook(null);
   console.log( disableStatus )
   var uninitStatus = MH_Uninitialize();
   console.log( uninitStatus )
}
 
// "打开串口" button: opens COM1 and stores the port object in the global
// `sport`, which the other handlers use. If sio.port fails, the error is
// raised inside this handler — nothing on this page catches it.
winform.button.oncommand = function(id,event){
    // Configure and open the port (presumably 9600 baud, 8 data bits, 1 stop bit, even parity).
    sport = sio.port("COM1");
    sport.ioctl(9600,8,1,"even");
/*
    // Interrupt-driven reading was tried and left disabled: the author found
    // it crashed once data arrived several times.
    sport.termCntIrqThread(1,function(port){
        import sio;
        var sport = sio.port(port);
         
        sport.read(); // or sport.readHex()
    } )
*/
}
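// Counter appended to each test payload so successive writes are distinguishable.
var ff = 1;
// "写入" button: writes "test<N>" to the port opened by the first button.
winform.button2.oncommand = function(id,event){
    // `sport` is a global set when the port is opened; without this guard a
    // click before "打开串口" raised an error on a null object.
    if(!sport){
        console.log("serial port not open")
        return;
    }
    sport.write("test"++ff);
    ff++;
}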
 
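// "读取" button: one read from the port; the hooked sio_read logs the data.
winform.button3.oncommand = function(id,event){
    // Guard against clicking before the port was opened (sport is a global).
    if(!sport){
        console.log("serial port not open")
        return;
    }
    sport.read()
}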

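// Timer id of the polling read; null when polling is off.
var tmid;
// "定时读取" button toggles a 100 ms timer that polls sport.read().
winform.button4.oncommand = function(id,event){
    if(tmid){
    	winform.killtimer(tmid)
    	// Clear the id, otherwise the timer can never be restarted: the
    	// original kept the stale id, so every later click only re-killed it.
    	tmid = null;
    	return;
    }
    // Do not start polling a port that was never opened.
    if(!sport){
        console.log("serial port not open")
        return;
    }
	tmid = winform.addtimer(
	100/* milliseconds */,
	function(hwnd,msg,id,tick){
		sport.read()
	}
);
}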

// Button to trigger a message box; only useful when the MessageBoxW hook from
// the first listing is also running in this process.
winform.button5.oncommand = function(id,event){
	var text = "随便弹一弹2";
	winform.msgbox(text)
}

winform.show();
// Pump messages until the window closes (onClose above releases the hooks), then hand the form back.
win.loopMessage();
return winform;




总结下:

最简单的hook步骤

  1. 初始化hook组件

  2. 定义一个函数用来替换原来的dll中的函数

  3. 将上面的函数用 raw.tostdcall 转换为函数指针, 原型必须与被hook的函数完全一致

  4. 创建hook, 参数是:[dll中原来的函数],[替换函数的指针],null; 第三个参数是输出参数, aardio 会把原函数的跳板指针作为第二个返回值返回, 替换函数里应该调用这个跳板而不是原函数本身。只有返回值为 0 (MH_OK) 才算成功, 失败时不要继续使用返回的指针。

  5. 使能这个hook, 参数是: dll中原来的函数; 同样要检查返回状态(可用 MH_StatusToString 转成文字)

  6. 使用完成后, 注意释放hook: MH_DisableHook(null) 取消全部hook, 然后 MH_Uninitialize()

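// Minimal end-to-end example of the six steps above. The original mixed the
// names findkey / findname / findkey_c / findname_c; they are unified here.
// NOTE(review): ViFindName is not defined on this page — presumably an api()
// binding to the function being hooked, declared with a matching prototype.
var ret = MH_Initialize();
console.log("Hook初始化", ret )

// Replacement for the hooked function. aardio returns the INT& output
// parameter as an extra return value: here the int result 0 and cont = 1.
findkey = function(cont){
    console.log("-----findname------")
	return 0,1;
}
// Convert to a stdcall pointer. The third argument (owner) is not defined on
// this page either; presumably it holds a reference that keeps the callback
// alive, and is null when left undefined.
findkey_c = raw.tostdcall(findkey,"int(INT& cont)",owner);
// Create, then enable only when creation succeeded. Fun1 is the trampoline to
// the original function; call it from findkey if the original must still run.
var status,Fun1 = MH_CreateHook(ViFindName,findkey_c,null);
if(status == 0){
	MH_EnableHook(ViFindName);
}else {
	console.log("MH_CreateHook failed:", MH_StatusToString(status))
}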

