Código
#include <stdio.h> #include <windows.h> #include <Tlhelp32.h> void error(char *err); static DWORD WINAPI hookear(LPVOID data); static INT WINAPI hookFunc(HWND hwnd, LPCSTR tit, LPCSTR txt, UINT flag, WORD ww); void foo(void); HANDLE myProc=NULL; typedef int (WINAPI *datLoadLibrary)(LPCTSTR); typedef int (WINAPI *datGetProcAddress)(HMODULE, LPCSTR); int main(int argc, char *argv[]) { if(argc<2) error("Uso: hook.exe PROCESO\n"); struct { datLoadLibrary apiLoadLibrary; datGetProcAddress apiGetProcAddress; char libNames[5][16]; char funNames[5][16]; char MSG[50]; void *hook; void *orApi; } thData; thData.apiLoadLibrary=GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"); thData.apiGetProcAddress=GetProcAddress(GetModuleHandle("kernel32.dll"), "GetProcAddress"); HANDLE lista=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); PROCESSENTRY32 pInfo; BOOL st=TRUE; pInfo.dwSize=sizeof(PROCESSENTRY32); Process32First(lista, &pInfo); int myPid=0; do { { myPid=pInfo.th32ProcessID; break; } Process32Next(lista, &pInfo); } while(st!=FALSE); int hookSize=(int)&hookFunc - (int)&hookear; int reemSize=(int)&foo - (int)&hookFunc; // Abrir proceso myProc=OpenProcess(PROCESS_ALL_ACCESS, FALSE, myPid); if(myProc==NULL) error("[-] Error abriendo proceso.\n"); SIZE_T written=0; // Reservar memoria para funcion de hookeo LPVOID dirToHook=VirtualAllocEx(myProc, NULL, reemSize, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE); if(dirToHook==NULL) error("[-] Error reservando hookeo.\n"); // Reservar memoria para argumento LPVOID dirToArg=VirtualAllocEx(myProc, NULL, sizeof(thData), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE); if(dirToArg==NULL) error("[-] Error reservando memoria para arg.\n"); // Poner en funcion de hookeo la direccion a los args DWORD prot; BYTE *funcDir=(BYTE *)&hookFunc; while(*(++funcDir) != 0x90); VirtualProtect((LPVOID)funcDir, 4, PAGE_EXECUTE_READWRITE, &prot); signed int *ddir=(signed int *)funcDir; // Puntero a donde escribimos *ddir=(signed int)dirToArg; // Escritura // Reservar memoria para codigo LPVOID dirToWrite=VirtualAllocEx(myProc, NULL, hookSize, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE); if(dirToWrite==NULL) error("[-] Error reservando memoria para codigo.\n"); // Escribir funcion de hookeo if(WriteProcessMemory(myProc, dirToHook, (LPVOID)&hookFunc, reemSize, &written)==0) error("[-] Error escribiendo hookeo.\n"); thData.hook=dirToHook; // Escribir argumentos if(WriteProcessMemory(myProc, dirToArg, (LPVOID)&thData, sizeof(thData), &written)==0) error("[-] Error escribiendo memoria.\n"); // Escribir el codigo en el proceso if(WriteProcessMemory(myProc, dirToWrite, (LPVOID)&hookear, hookSize, &written) == 0) error("[-] Error escribiendo memoria.\n"); // Lanzar el hilo a nuestro codigo HANDLE rThread=CreateRemoteThread(myProc, NULL, 0, (LPTHREAD_START_ROUTINE)dirToWrite, dirToArg, 0, NULL); if(rThread==NULL) error("[-] Error iniciando thread.\n"); CloseHandle(myProc); return 0; } void error(char *err) { if(myProc!=NULL) CloseHandle(myProc); } static DWORD WINAPI hookear(LPVOID data) { struct { datLoadLibrary apiLoadLibrary; datGetProcAddress apiGetProcAddress; char libNames[5][16]; char funNames[5][16]; char MSG[50]; void *hook; void *orApi; } *thData; thData=data; // Test Hook a MessageBoxA void *dirApi=(void *)thData->apiGetProcAddress((HANDLE)thData->apiLoadLibrary(thData->libNames[0]), thData->funNames[0]); // VirtualProtect BOOL WINAPI (*myVirtualProtect)(LPVOID, SIZE_T, DWORD, PDWORD) = (void *)thData->apiGetProcAddress((HANDLE)thData->apiLoadLibrary(thData->libNames[2]), thData->funNames[3]); // malloc void *(*myMalloc)(size_t) = (void *)thData->apiGetProcAddress((HANDLE)thData->apiLoadLibrary(thData->libNames[1]), thData->funNames[1]); // memcpy void *(*myMemcpy)(void *, const void*, size_t) = (void *)thData->apiGetProcAddress((HANDLE)thData->apiLoadLibrary(thData->libNames[1]), thData->funNames[2]); DWORD prot; BYTE *dirYo; dirYo=thData->hook; BYTE *buffer = (BYTE *)myMalloc(10); myVirtualProtect((void *)buffer, 12, PAGE_EXECUTE_READWRITE, &prot); myMemcpy(buffer, dirApi, 5); buffer+=5; *buffer=0xE9; buffer++; *((signed int *)buffer)=((BYTE *)dirApi+1)-buffer; myVirtualProtect((void *)dirApi, 5, PAGE_EXECUTE_READWRITE, &prot); *((BYTE *)dirApi)=0xE9; dirApi++; *((signed int *)dirApi)=dirYo - ((BYTE *)dirApi+4); thData->orApi=buffer-6; return; } static INT WINAPI hookFunc(HWND hwnd, LPCSTR tit, LPCSTR txt, UINT flag, WORD ww) { signed int dataDir=(signed int)0x90909090; struct { datLoadLibrary apiLoadLibrary; datGetProcAddress apiGetProcAddress; char libNames[5][16]; char funNames[5][16]; char MSG[50]; void *hook; void *orApi; } *thData; thData=(void*)dataDir; INT WINAPI (*realMbox)(HWND, LPCSTR, LPCSTR, UINT, WORD) = (void *)thData->orApi; return realMbox(hwnd, thData->MSG, thData->MSG, flag, ww); } void foo(void) { return; }