VB Hook LoadlibraryExW | 雨律在线

VB Hook LoadlibraryExW 5/27

方法一(兼容较好):

Option Explicit

Dim HookedLoadLibraryExW(0 To 9) As Long
Dim User32BaseAddress As Long, User32ImageSize As Long

Private Function FilterLoadLibraryExW(ByVal RetAddr As Long) As Long
[/font][font=Comic Sans MS]' You can do whatever you wanna do here - iceboy
[/font][font=Fixedsys]If RetAddr >= User32BaseAddress And RetAddr < User32BaseAddress + User32ImageSize Then Exit Function
FilterLoadLibraryExW = 1
End Function

Public Function TryHookLoadLibraryExW() As Boolean
Dim LoadLibraryExW As Long, Length As Long, Offset As Long

LoadLibraryExW = GetModuleHandleW(StrPtr("kernel32"))
LoadLibraryExW = GetProcAddress(LoadLibraryExW, "LoadLibraryExW")

If CharFromPtr(LoadLibraryExW) = &HE9 Then Exit Function

Do
Length = ade32_disasm(LoadLibraryExW + Offset)
If Length <= 0 Then Exit Function
Offset = Offset + Length
Loop While Offset < 5

If Offset > 11 Then Exit Function

User32BaseAddress = GetModuleHandleW(StrPtr("user32"))
User32ImageSize = DwordFromPtr(User32BaseAddress + &H3C)
User32ImageSize = DwordFromPtr(User32BaseAddress + User32ImageSize + &H50)

HookedLoadLibraryExW(0) = &HE82434FF
HookedLoadLibraryExW(1) = RetLng(AddressOf FilterLoadLibraryExW) - VarPtr(HookedLoadLibraryExW(2))
HookedLoadLibraryExW(2) = &H875C085
HookedLoadLibraryExW(3) = &HCC000CC2
HookedLoadLibraryExW(4) = &HCCCCCCCC

IcyMoveMemory VarPtr(HookedLoadLibraryExW(5)), LoadLibraryExW, Offset
CharToPtr VarPtr(HookedLoadLibraryExW(5)) + Offset, &HE9
DwordToPtr VarPtr(HookedLoadLibraryExW(5)) + Offset + 1, LoadLibraryExW - VarPtr(HookedLoadLibraryExW(5)) - 5

If IcyProtectVirtualMemoryEx(VarPtr(HookedLoadLibraryExW(0)), 44, PAGE_EXECUTE_READWRITE, VarPtr(Length)) < 0 Then Exit Function
If IcyProtectVirtualMemoryEx(LoadLibraryExW, 5, PAGE_EXECUTE_READWRITE, VarPtr(Length)) < 0 Then Exit Function
CharToPtr LoadLibraryExW, &HE9
DwordToPtr LoadLibraryExW + 1, VarPtr(HookedLoadLibraryExW(0)) - (LoadLibraryExW + 5)

TryHookLoadLibraryExW = True
End Function


方法二(通俗易懂):

Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Sub CopyMemory Lib "kernel32.dll" Alias "RtlMoveMemory" (ByVal Destination As Long, ByVal Source or="#0000FF">As Long, ByVal length As Long)
Private Declare Function lstrlen Lib "kernel32" Alias "lstrlenA" (ByVal lpString As Long) As Long

Dim NewAddr(7) As Byte
Dim OldAddr(7) As Byte
Dim pBaseAddr As Long

Private Sub HookLoadLibrary()
Dim hMod As Long

hMod = GetModuleHandle("kernel32")
pBaseAddr = GetProcAddress(hMod, "LoadLibraryExW")


CopyMemory VarPtr(NewAddr(1)), AddressOf LoadLibraryExWCallBack, 4 [/font][font=Comic Sans MS]'保存地址


' mov Eax, 我们的地址
' jmp Eax

[/font][font=Fixedsys]NewAddr(0) = &HB8
NewAddr(5) = &HFF
NewAddr(6) = &HE0
NewAddr(7) = &H0

CopyMemory VarPtr(OldAddr(0)), pBaseAddr, 8
WriteProcessMemory -1, ByVal pBaseAddr, NewAddr(0), 8, 0
End Sub

Private Function HookStatus(ByVal IsHook As Boolean) As Boolean
If IsHook Then
If WriteProcessMemory(-1, ByVal pBaseAddr, NewAddr(0), 8, 0) <> 0 Then HookStatus = False
Else
If WriteProcessMemory(-1, ByVal pBaseAddr, OldAddr(0), 8, 0) <> 0 Then HookStatus = False
End If
End Function

Public Function LoadLibraryExWCallBack(ByVal a As Long, ByVal b As Long, ByVal c As Long) As Long
Dim str As String, Ret As Long
Const Neet As String = "kernel32.dll advapi32.dll psapi.dll ntoskrnl.exe ntdll.dll vba6.dll" [/font][font=Comic Sans MS]'据蒜子说,系统本身的 dll 不带路径
[/font][font=Fixedsys]HookStatus False [/font][font=Comic Sans MS]'暂时恢复钩子
[/font][font=Fixedsys]str = String(lstrlen(a) * 2, 0)
CopyMemory StrPtr(str), ByVal a, lstrlen(a) * 2
str = Left$(str, lstrlen(a))
If Mid(str, 2, 1) <> ":" Then
[/font][font=Comic Sans MS]'由于 unicode 的问题,我们这里用 A,A 最终应该会调用 W,所以要恢复钩子
'如果需调用 W ,有个可爱的函数叫做 strptr
[/font][font=Fixedsys]Ret = LoadLibraryEx(str, b, c)
Else
Ret = 0
End If
HookStatus True [/font][font=Comic Sans MS]'再次 hook 该函数
[/font][font=Fixedsys]LoadLibraryExWCallBack = Ret
End Function
 
目前有0条回应
Comment
Trackback
清空内容粗体斜体下划线删除线链接字体颜色表情
icon_wink.gificon_neutral.gificon_mad.gificon_twisted.gificon_smile.gificon_eek.gificon_sad.gificon_rolleyes.gificon_razz.gificon_redface.gificon_surprised.gificon_mrgreen.gificon_lol.gificon_idea.gificon_biggrin.gificon_evil.gificon_cry.gificon_cool.gificon_arrow.gificon_confused.gificon_question.gificon_exclaim.gif
你目前的身份是游客,请输入昵称和电邮!