甜心很棒 posted on 2022-2-19 11:29:00

易语言 (EPL) WeChat reverse engineering: how the memory hook works, with code

<table cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td id="postmessage_22914556" class="t_f">Most tutorials on this forum just find an offset, call into the module and HOOK it directly. Today I go one level down and analyse how the hook itself is implemented in memory, using wx (WeChat, WeChatWin.dll) as the example.<br>
The content is for technical analysis and exchange only. To protect the analysed software, parts of the code have been altered and cannot be used as-is.<br><br>
Hook (wechatwin_基址 + 偏移, 6, { 96, 86, 232, 0, 0, 0, 0, 97 }, 到整数 (&amp;接收消息), 真)&nbsp;&nbsp;5 parameters<br><br>
Hook address: wechatwin_基址 + 偏移 (load base of WeChatWin.dll plus the offset of the hook point)<br>
Backup length: 6 (bytes copied away from the hook point; they are re-executed inside the trampoline, so the backup must end exactly on an instruction boundary)<br>
Call data: { 96, 86, 232, 0, 0, 0, 0, 97 } (decimal for 60 56 E8 00 00 00 00 61, i.e. pushad; push esi; call rel32; popad, with the rel32 still zero)<br>
Callback address: 到整数 (&amp;接收消息) (the address of our 接收消息 routine; the stub pushes esi as its only argument and has no add esp, 4 after the call, so the callback must be stdcall; pushad/popad save the general registers but not EFLAGS)<br>
Put our code first: 真 (true). The excerpt below does not show how this flag is handled; in the path it shows, the backed-up original instructions run first and the stub after them.<br>
Because the stub uses pushad/popad and 32-bit addresses, this only applies to the 32-bit client. Note also that no VirtualProtect is needed: WriteProcessMemory, even with the pseudo-handle -1 for the current process, changes the protection of a non-writable code page itself, which a plain memory copy would not.<br>
===============================================<br>
&nbsp; &nbsp; 回调偏移 = 寻找字节集 (调用数据, { 232 }, )&nbsp;&nbsp;' 1-based position of E8 (the call) inside 调用数据<br>
&nbsp; &nbsp; 原字节集 = 取空白字节集 (备份长度)&nbsp;&nbsp;' buffer for the original bytes<br>
&nbsp; &nbsp; 写入长度 = 取字节集长度 (调用数据)&nbsp;&nbsp;' length of the stub<br>
&nbsp; &nbsp; ReadProcessMemory (-1, Hook地址, 原字节集, 备份长度, 备份长度)&nbsp;&nbsp;' back up the data at the hook point before hooking<br>
&nbsp; &nbsp; JPM_地址 = VirtualAlloc (0, 1024, 位或 (#MEM_COMMIT, #MEM_RESERVE), #PAGE_EXECUTE_READWRITE)&nbsp;&nbsp;' &lt;!!!&gt; allocate executable memory for the trampoline<br><br>
&nbsp; &nbsp; 回调偏移 = 回调偏移 + 备份长度&nbsp;&nbsp;' position of the call's rel32 operand inside the trampoline<br>
&nbsp; &nbsp; WriteProcessMemory (-1, JPM_地址, 原字节集, 取字节集长度 (原字节集), 0)&nbsp;&nbsp;' restore the code the hook will overwrite<br>
&nbsp; &nbsp; WriteProcessMemory (-1, JPM_地址 + 备份长度, 调用数据, 写入长度, 0)&nbsp;&nbsp;' write the stub we passed in after it<br>
&nbsp; &nbsp; WriteProcessMemory (-1, JPM_地址 + 回调偏移, 偏移计算 (JPM_地址 + 回调偏移 - 1, 回调地址), 4, 0)&nbsp;&nbsp;' rel32 = target address - source address - 5<br>
&nbsp; &nbsp; WriteProcessMemory (-1, JPM_地址 + 备份长度 + 写入长度, { 233 } + 偏移计算 (JPM_地址 + 写入长度 + 备份长度, Hook地址 + 备份长度), 5, 0)&nbsp;&nbsp;' jmp back to the instruction following the hook<br><br>
&nbsp; &nbsp; WriteProcessMemory (-1, Hook地址, { 233 } + 偏移计算 (Hook地址, JPM_地址), 5, 0)&nbsp;&nbsp;' write the hook's jmp<br>
&nbsp; &nbsp; .计次循环首 (备份长度 - 5, )&nbsp;&nbsp;' the jmp takes 5 bytes; pad the rest with NOP<br>
&nbsp; &nbsp; 填充Dm = 填充Dm + { 144 }<br>
&nbsp; &nbsp; .计次循环尾 ()<br>
&nbsp; &nbsp; .如果真 (取字节集长度 (填充Dm) ≠ 0)<br>
&nbsp; &nbsp; &nbsp; &nbsp; WriteProcessMemory (-1, Hook地址 + 5, 填充Dm, 取字节集长度 (填充Dm), 0)&nbsp;&nbsp;' bytes beyond the first 5 are padded with NOP<br>
===============================================<br><br>
What the code looks like in OD before the hook (the selected line is the hook point)<br>
(Figure 1) <img width="519" id="aimg_1154243" class="zoom lazyload" data-src="https://att.125.la/data/attachment/forum/202202/19/112646qbgpg7zbogmo1p11.png"><br>
What it looks like in OD after the hook (the hook point has been replaced by our own code)<br>
(Figure 2) <img width="581" id="aimg_1154244" class="zoom lazyload" data-src="https://att.125.la/data/attachment/forum/202202/19/112646o5esem54bufcm2f2.png"><br>
Concrete steps of the code above:<br>
1. Back up the original data at the hook point:<br>
&nbsp; &nbsp; 回调偏移 = 寻找字节集 (调用数据, { 232 }, )&nbsp;&nbsp;' 调用数据 is { 96, 86, 232, 0, 0, 0, 0, 97 }; 寻找字节集 returns a 1-based position, so 回调偏移 = 3, the slot of 232 after 96, 86<br>
&nbsp; &nbsp; 原字节集 = 取空白字节集 (备份长度)&nbsp;&nbsp;' ==== a byte set of length 6<br>
&nbsp; &nbsp; 写入长度 = 取字节集长度 (调用数据)&nbsp;&nbsp;' ==== 8<br>
&nbsp; &nbsp; ReadProcessMemory (-1, Hook地址, 原字节集, 备份长度, 备份长度)&nbsp;&nbsp;' back up the pre-hook data (the selected row in Figure 1)<br>
(Figure 3) <img width="778" id="aimg_1154245" class="zoom lazyload" data-src="https://att.125.la/data/attachment/forum/202202/19/112646uw5sz54v1w2m4m1s.png"><br>
&nbsp; &nbsp; JPM_地址 = VirtualAlloc (0, 1024, 位或 (#MEM_COMMIT, #MEM_RESERVE), #PAGE_EXECUTE_READWRITE)&nbsp;&nbsp;' &lt;!!!&gt; allocate the trampoline<br>
&nbsp; &nbsp; JPM_地址 = 00AF0000 (as in the figure above)<br>
&nbsp; &nbsp; 回调偏移 = 回调偏移 + 备份长度&nbsp;&nbsp;' 3 + 6 = 9<br>
&nbsp; &nbsp; WriteProcessMemory (-1, JPM_地址, 原字节集, 取字节集长度 (原字节集), 0)&nbsp;&nbsp;' at the start of the newly allocated block, restore the code the hook overwrites<br>
&nbsp; &nbsp; WriteProcessMemory (-1, JPM_地址 + 备份长度, 调用数据, 写入长度, 0)&nbsp;&nbsp;' after it, write the stub we passed in, { 96, 86, 232, 0, 0, 0, 0, 97 }<br>
&nbsp; &nbsp; WriteProcessMemory (-1, JPM_地址 + 回调偏移, 偏移计算 (JPM_地址 + 回调偏移 - 1, 回调地址), 4, 0)&nbsp;&nbsp;' 偏移计算 = target address - source address - 5<br>
&nbsp; &nbsp; *** 偏移计算 = 回调地址 - (JPM_地址 + 回调偏移 - 1) - 5&nbsp;&nbsp;' JPM_地址 + 8 is where the E8 sits; the result is the rel32 of the call to our own callback, written into the 0, 0, 0, 0 slot of { 96, 86, 232, 0, 0, 0, 0, 97 } at JPM_地址 + 9<br>
(Figure 4) <img width="506" id="aimg_1154246" class="zoom lazyload" data-src="https://att.125.la/data/attachment/forum/202202/19/112646mx8zxe7oeteh2dee.png"><br>
&nbsp; &nbsp; WriteProcessMemory (-1, JPM_地址 + 备份长度 + 写入长度, { 233 } + 偏移计算 (JPM_地址 + 写入长度 + 备份长度, Hook地址 + 备份长度), 5, 0)&nbsp;&nbsp;' jmp back to the instruction following the hook, Hook地址 + 6<br>
(Figure 5) <img width="527" id="aimg_1154247" class="zoom lazyload" data-src="https://att.125.la/data/attachment/forum/202202/19/112646lvmmtq0lg221gtmj.png"><br>
&nbsp; &nbsp; Then write this statement:<br>
&nbsp; &nbsp; WriteProcessMemory (-1, Hook地址, { 233 } + 偏移计算 (Hook地址, JPM_地址), 5, 0)&nbsp;&nbsp;' write the hook's jmp<br>
(Figure 6) <img width="542" id="aimg_1154248" class="zoom lazyload" data-src="https://att.125.la/data/attachment/forum/202202/19/112646tpb96uxnb64xjlqn.png"><br>
&nbsp; &nbsp; This writes our jmp at the hook point in the original program.<br>
&nbsp; &nbsp; A jmp rel32 takes only five bytes, so if more bytes were backed up the remainder has to be padded with nop (here 6 - 5 = 1 byte, 0x90). With a 5-byte backup the loop runs zero times and 填充Dm stays empty, which is what the 如果真 guard is for.<br>
(Figure 7) <img width="484" id="aimg_1154249" class="zoom lazyload" data-src="https://att.125.la/data/attachment/forum/202202/19/112646rdin15yqqaoqrryn.png"><br>
&nbsp; &nbsp; WriteProcessMemory (-1, Hook地址 + 5, 填充Dm, 取字节集长度 (填充Dm), 0)&nbsp;&nbsp;' bytes beyond the first 5 are padded with NOP<br>
&nbsp; &nbsp; That completes the hook: back up the original data first, then install the code that runs our function.<br><br>
&nbsp; &nbsp; Writing this up took effort; please like and tip. Technical exchange and analysis welcome, QQ group: 674056030</td>

</tr>

</tbody>
</table><br><br>
Source: https://www.cnblogs.com/tutule/p/15912158.html
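The same trampoline construction, as an added example that is not part of the original post: a small C program that computes the bytes Hook() writes (the six original bytes, the pushad/push esi/call/popad stub with its rel32 filled in, the jmp back, and the jmp plus NOP at the hook point) for 32-bit addresses, then decodes each branch again to confirm it lands where the post says it should. The hook point, callback address and the six original bytes are constructed for the example; the trampoline address reuses the 00AF0000 from the screenshots. It only encodes bytes into a local buffer and patches nothing.

```c
/* Added example (not from the original post): the byte layout the EPL Hook()
 * routine produces, rebuilt in a local buffer and decoded again to check the
 * rel32 arithmetic. Addresses are 32-bit because the stub uses pushad/popad,
 * which only exist in 32-bit mode. Nothing here touches live memory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BACKUP_LEN 6                              /* the post's 备份长度 */
#define STUB_LEN   8                              /* pushad; push esi; call rel32; popad */
#define TRAMP_LEN  (BACKUP_LEN + STUB_LEN + 5)    /* ... followed by jmp back */

/* rel32 operand of a 5-byte E8/E9 at address `at` that must reach `target`:
 * target - at - 5, the post's 偏移计算. Unsigned wraparound yields the
 * two's-complement displacement, so backward branches encode correctly. */
static uint32_t rel32(uint32_t at, uint32_t target) {
    return target - at - 5u;
}

static void put32(uint8_t *p, uint32_t v) {       /* little-endian store */
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get32(const uint8_t *p) {          /* little-endian load */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Trampoline at tramp_addr (mirrors the post's JPM_地址 layout):
 *   [0..6)   the 6 original bytes read from the hook point
 *   [6..14)  60 56 E8 rel32 61 : pushad; push esi; call callback; popad
 *   [14..19) E9 rel32          : jmp hook_addr + BACKUP_LEN
 * Returns the number of bytes written. */
static size_t build_trampoline(uint8_t *out, uint32_t tramp_addr,
                               uint32_t hook_addr, uint32_t callback,
                               const uint8_t *orig) {
    static const uint8_t stub[STUB_LEN] = {0x60, 0x56, 0xE8, 0, 0, 0, 0, 0x61};
    memcpy(out, orig, BACKUP_LEN);
    memcpy(out + BACKUP_LEN, stub, STUB_LEN);
    /* E8 sits at offset 8, its operand at 9 (the post's 回调偏移 = 3 + 6,
     * the 3 being the 1-based index 寻找字节集 returns). */
    put32(out + BACKUP_LEN + 3, rel32(tramp_addr + BACKUP_LEN + 2, callback));
    out[BACKUP_LEN + STUB_LEN] = 0xE9;
    put32(out + BACKUP_LEN + STUB_LEN + 1,
          rel32(tramp_addr + BACKUP_LEN + STUB_LEN, hook_addr + BACKUP_LEN));
    return TRAMP_LEN;
}

/* Bytes written over the hook point: E9 rel32 to the trampoline, then 0x90
 * for every backed-up byte the 5-byte jmp did not cover. */
static size_t build_patch(uint8_t *out, uint32_t hook_addr, uint32_t tramp_addr) {
    out[0] = 0xE9;
    put32(out + 1, rel32(hook_addr, tramp_addr));
    memset(out + 5, 0x90, BACKUP_LEN - 5);
    return BACKUP_LEN;
}

/* Absolute target of the E8/E9 whose bytes start at p and sit at address `at`. */
static uint32_t branch_target(const uint8_t *p, uint32_t at) {
    return at + 5u + get32(p + 1);
}

/* Round trip with constructed addresses: hook point and callback are invented,
 * the trampoline address is the 00AF0000 from the post's screenshots.
 * Returns 1 when every branch decodes back to where it should land. */
static int verify_layout(void) {
    const uint32_t hook = 0x6A5F1234u, tramp = 0x00AF0000u, cb = 0x00401000u;
    /* constructed 6 bytes: mov eax,[ebp+8]; mov [ebp-4],eax (two whole instructions) */
    const uint8_t orig[BACKUP_LEN] = {0x8B, 0x45, 0x08, 0x89, 0x45, 0xFC};
    uint8_t t[TRAMP_LEN], patch[BACKUP_LEN];

    build_trampoline(t, tramp, hook, cb, orig);
    build_patch(patch, hook, tramp);

    return memcmp(t, orig, BACKUP_LEN) == 0                    /* originals run first */
        && t[6] == 0x60 && t[7] == 0x56 && t[13] == 0x61       /* pushad; push esi; ... popad */
        && branch_target(t + 8, tramp + 8) == cb               /* call lands on the callback */
        && branch_target(t + 14, tramp + 14) == hook + BACKUP_LEN /* jmp back past the hook */
        && branch_target(patch, hook) == tramp                 /* hook point jumps to trampoline */
        && patch[5] == 0x90;                                   /* sixth byte padded with nop */
}

int main(void) {
    const uint8_t orig[BACKUP_LEN] = {0x8B, 0x45, 0x08, 0x89, 0x45, 0xFC};
    uint8_t t[TRAMP_LEN], patch[BACKUP_LEN];
    size_t i, n = build_trampoline(t, 0x00AF0000u, 0x6A5F1234u, 0x00401000u, orig);
    printf("trampoline:");
    for (i = 0; i < n; i++) printf(" %02X", t[i]);
    n = build_patch(patch, 0x6A5F1234u, 0x00AF0000u);
    printf("\nhook site :");
    for (i = 0; i < n; i++) printf(" %02X", patch[i]);
    printf("\nlayout ok : %d\n", verify_layout());
    return verify_layout() ? 0 : 1;
}
```

Compare the dump with Figures 4 to 7: `rel32` is the post's 偏移计算, and `BACKUP_LEN` is the only knob. With a 5-byte backup the NOP padding disappears; if the backed-up bytes split an instruction, the trampoline executes garbage, and no arithmetic here will catch that.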