-
Автор темы
- #1
Привет.
Почему крашит?
P.s. pid прод процесс меняю
P.p.s Хочу так-же как у GH
Почему крашит?
P.s. pid прод процесс меняю
P.p.s Хочу так-же как у GH
Souce:
#include <Windows.h>
#include <stdio.h>
#include <iostream>
#include <TlHelp32.h>
#include <tchar.h>
#include <Psapi.h>
bool IsFunctionHooked(HANDLE hProcess, DWORD dwFuncAddr, const unsigned char* pHookPattern)
{
const int nNumBytesToCheck = 16;
unsigned char buf[nNumBytesToCheck];
SIZE_T numBytesRead;
if (!ReadProcessMemory(hProcess, (LPCVOID)dwFuncAddr, buf, nNumBytesToCheck, &numBytesRead) || numBytesRead != nNumBytesToCheck)
{
// Failed to read the function bytes
return false;
}
if (pHookPattern)
{
int nPatternSize = strlen((char*)pHookPattern);
if (memcmp(buf, pHookPattern, nPatternSize) != 0)
{
return false;
}
}
else
{
const unsigned char defaultHookPattern[] = { 0x68, 0xCC, 0xCC, 0xCC, 0xCC, 0xC3 }; // "\x68\xCC\xCC\xCC\xCC\xC3" (PUSH <address>; RET)
if (memcmp(buf, defaultHookPattern, sizeof(defaultHookPattern)) != 0)
{
return false;
}
}
return true;
}
int main()
{
DWORD pid = 15312;
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
if (hProcess == NULL)
{
printf("Failed to open process\n");
return 1;
}
HMODULE hMods[1024];
DWORD cbNeeded;
if (EnumProcessModules(hProcess, hMods, sizeof(hMods), &cbNeeded))
{
for (DWORD i = 0; i < (cbNeeded / sizeof(HMODULE)); i++)
{
TCHAR szModName[MAX_PATH];
if (GetModuleFileNameEx(hProcess, hMods[i], szModName, sizeof(szModName) / sizeof(TCHAR)))
{
printf("\n%s (%p):\n", szModName, hMods[i]);
DWORD dwBaseAddr = (DWORD)hMods[i];
IMAGE_DOS_HEADER dosHeader;
IMAGE_NT_HEADERS ntHeader;
ReadProcessMemory(hProcess, (LPCVOID)dwBaseAddr, &dosHeader, sizeof(dosHeader), NULL);
ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddr + dosHeader.e_lfanew), &ntHeader, sizeof(ntHeader), NULL);
DWORD dwExportAddr = ntHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
DWORD dwExportSize = ntHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
if (dwExportAddr == 0 || dwExportSize == 0)
{
printf(" No export table\n");
continue;
}
IMAGE_EXPORT_DIRECTORY exportDir;
ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddr + dwExportAddr), &exportDir, sizeof(exportDir), NULL);
DWORD* pFuncAddrs = new DWORD[exportDir.NumberOfFunctions];
ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddr + exportDir.AddressOfFunctions), pFuncAddrs, exportDir.NumberOfFunctions * sizeof(DWORD), NULL);
DWORD* pNameAddrs = new DWORD[exportDir.NumberOfNames];
ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddr + exportDir.AddressOfNames), pNameAddrs, exportDir.NumberOfNames * sizeof(DWORD), NULL);
WORD* pNameOrdinals = new WORD[exportDir.NumberOfNames];
ReadProcessMemory(hProcess, (LPCVOID)(dwBaseAddr + exportDir.AddressOfNameOrdinals), pNameOrdinals, exportDir.NumberOfNames * sizeof(WORD), NULL);
for (DWORD j = 0; j < exportDir.NumberOfFunctions; j++)
{
DWORD dwFuncAddr = dwBaseAddr + pFuncAddrs[j];
bool bIsHooked = false;
IMAGE_IMPORT_DESCRIPTOR importDesc;
DWORD dwImportAddr = dwBaseAddr + ntHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
while (ReadProcessMemory(hProcess, (LPCVOID)dwImportAddr, &importDesc, sizeof(importDesc), NULL))
{
DWORD dwImportNameAddr = dwBaseAddr + importDesc.Name;
char szImportName[256];
ReadProcessMemory(hProcess, (LPCVOID)dwImportNameAddr, szImportName, sizeof(szImportName), NULL);
if (strcmp(szModName, szImportName) == 0)
{
DWORD dwImportAddrOffset = dwImportAddr + sizeof(IMAGE_IMPORT_DESCRIPTOR);
IMAGE_THUNK_DATA thunkData;
while (ReadProcessMemory(hProcess, (LPCVOID)dwImportAddrOffset, &thunkData, sizeof(thunkData), NULL))
{
if (thunkData.u1.AddressOfData == 0)
{
break;
}
DWORD dwImportNameOffset = dwBaseAddr + thunkData.u1.AddressOfData + 2;
char szImportFuncName[256];
ReadProcessMemory(hProcess, (LPCVOID)dwImportNameOffset, szImportFuncName, sizeof(szImportFuncName), NULL);
DWORD dwImportFuncAddrOffset = dwBaseAddr + thunkData.u1.Function;
DWORD dwImportFuncAddr = 0;
ReadProcessMemory(hProcess, (LPCVOID)dwImportFuncAddrOffset, &dwImportFuncAddr, sizeof(dwImportFuncAddr), NULL);
if (dwImportFuncAddr == dwFuncAddr)
{
unsigned char szFuncName[MAX_PATH];
strcpy_s((char*)szFuncName, MAX_PATH, szImportFuncName);
// This function is imported by the module and could be hooked
bIsHooked = IsFunctionHooked(hProcess, dwFuncAddr, szFuncName);
if (bIsHooked)
{
std::cout << "Hook detected in function " << szImportFuncName << " imported by " << szModName << std::endl;
}
}
dwImportAddrOffset += sizeof(IMAGE_THUNK_DATA);
}
}
dwImportAddr += sizeof(IMAGE_IMPORT_DESCRIPTOR);
}
if (!bIsHooked)
{
bIsHooked = IsFunctionHooked(hProcess, dwFuncAddr, NULL);
if (bIsHooked)
{
std::cout << "Hook detected in function at address 0x" << std::hex << dwFuncAddr << std::endl;
}
}
}
}
}
}
CloseHandle(hProcess);
system("pause");
return 0;
}
