#pragma once
#include <windows.h>
#include <vector>
#include<TlHelp32.h>
#include <VersionHelpers.h>
#include "pe.h"
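/// <summary>
/// Scans the modules of a target process (identified by pid) for IAT, EAT
/// and inline hooks, collects them as PROCESS_HOOK_INFO records and can
/// restore a recorded hook on request. Module and hook data types come
/// from "pe.h".
///
/// The object owns a process HANDLE (m_hProcess) that the destructor is
/// responsible for releasing; copying is therefore deleted so that two
/// instances can never share (and double-release) the same handle.
/// Instances are not thread-safe: the scan methods advance the shared
/// iterators modInfoItr / hookItr.
/// </summary>
class AntiHook final
{
public:
	/// <summary>
	/// Binds the scanner to the process with the given id. `explicit` so a
	/// bare DWORD is never silently converted into a scanner object.
	/// </summary>
	/// <param name="pid">Target process id.</param>
	explicit AntiHook(DWORD pid);
	~AntiHook();

	// Rule of five: the class owns a raw HANDLE and declares a destructor,
	// so implicit copies would alias the handle. Deleting the copy
	// operations also suppresses the implicit move operations.
	AntiHook(const AntiHook&) = delete;
	AntiHook& operator=(const AntiHook&) = delete;

	/// <summary>
	/// Entry point: runs the full scan over the target process' modules.
	/// </summary>
	VOID ScanMain();
	/// <summary>
	/// Restores one previously detected hook described by <paramref name="info"/>.
	/// NOTE(review): expected to modify the target process, so the caller
	/// should make sure the record comes from a scan of the same process
	/// instance (same pid / module layout) — confirm against the .cpp.
	/// </summary>
	/// <param name="info">Hook record, as returned by getHookInfo().</param>
	VOID RecoveryHook(PROCESS_HOOK_INFO info);
	/// <returns>Copy of the module list collected by the last scan.</returns>
	std::vector<MODULE_INFO> getModuleInfo() const;
	/// <returns>Copy of all hooks detected by the last scan.</returns>
	std::vector<PROCESS_HOOK_INFO> getHookInfo() const;

private:
	std::vector<MODULE_INFO> moduleInfo;                    // module list of the target process
	std::vector<MODULE_INFO>::iterator modInfoItr;          // module currently being scanned
	std::vector<PROCESS_HOOK_INFO> hookInfo;                // every hook found so far
	std::vector<PROCESS_HOOK_INFO>::iterator hookItr;       // hook currently being processed
	DWORD pid{ 0 };                                         // target process id
	HANDLE m_hProcess{ nullptr };                           // owned handle to the target process (released in ~AntiHook)
	BOOL m_IsFromIat{ FALSE };                              // current hook candidate originates from the IAT
	BOOL m_IsFromEat{ FALSE };                              // current hook candidate originates from the EAT
	BOOL isWOW64{ FALSE };                                  // target is a 32-bit process on 64-bit Windows

private:
	/// <summary>
	/// Loads the module information of the target process into moduleInfo.
	/// </summary>
	VOID queryModuleInfo();
	/// <summary>
	/// PE loader: maps the file at FilePath into Buffer as if loaded at DllBase.
	/// </summary>
	/// <param name="FilePath">Path of the module file on disk.</param>
	/// <param name="DllBase">Base address the module is loaded at in the target.</param>
	/// <param name="Buffer">Destination buffer for the mapped image.</param>
	/// <param name="BufferSize">Size of Buffer in bytes.</param>
	VOID peLoad(WCHAR* FilePath, LPVOID DllBase, LPVOID Buffer, DWORD BufferSize);
	/// <summary>
	/// PE parser: fills Pe from the headers found at ImageBase.
	/// </summary>
	/// <param name="ImageBase">Start of the image to parse.</param>
	/// <param name="Pe">Output PE description.</param>
	/// <returns>TRUE on success, FALSE if the image could not be parsed.</returns>
	BOOL peAnalysis(LPVOID ImageBase, PPE_INFO Pe);
	/// <summary>
	/// Rounds Size up to a multiple of Align.
	/// </summary>
	inline DWORD AlignSize(UINT Size, UINT Align);
	/// <summary>
	/// PE relocation: applies the relocation table of the image at
	/// NewImageBase so that it matches the load address ExistImageBase.
	/// </summary>
	/// <param name="NewImageBase">Locally mapped copy of the image.</param>
	/// <param name="ExistImageBase">Base address of the image in the target process.</param>
	VOID baseReloc(LPVOID NewImageBase, LPVOID ExistImageBase);
	/// <summary>
	/// Processes one IMAGE_BASE_RELOCATION block and returns the next one.
	/// </summary>
	PIMAGE_BASE_RELOCATION RelocBlock(ULONG_PTR VA, ULONG SizeOfBlock, PUSHORT NextOffset, INT64 Diff);
	/// <summary>
	/// Reads / frees the in-memory image of the module that modInfoItr
	/// currently points to.
	/// </summary>
	VOID ReadMemoryImage();
	VOID FreeMemoryImage();
	/// <summary>
	/// Scans the export table (EAT) of the current module, and checks each
	/// exported function for inline hooks.
	/// </summary>
	VOID ScanEATHook();
	/// <summary>
	/// Scans the import table (IAT) of the current module.
	/// </summary>
	VOID ScanIATHook();
	/// <summary>
	/// Compares the code at Address against the clean image for ApiName.
	/// </summary>
	VOID ScanInlineHook(char* ApiName, LPVOID Address);
	/// <summary>
	/// Whether the export at Rva is a global variable (data export) rather
	/// than code, in which case it is not a hook candidate.
	/// </summary>
	/// <param name="PeHead">NT headers of the module.</param>
	/// <param name="Rva">RVA of the export.</param>
	/// <returns>TRUE if the RVA lies in a data section.</returns>
	BOOL IsGlobalVar(PIMAGE_NT_HEADERS PeHead, DWORD Rva);
	/// <summary>32-bit (WOW64) variant of IsGlobalVar.</summary>
	BOOL IsGlobalVar32(PIMAGE_NT_HEADERS32 PeHead, DWORD Rva);
	/// <summary>
	/// Resolves a forwarded export name ("dll.func") to its real address.
	/// </summary>
	/// <param name="RedirectionName">Forwarder string from the export table.</param>
	/// <returns>Resolved address, or NULL if it could not be resolved.</returns>
	LPVOID FileNameRedirection(char* RedirectionName);
	/// <summary>
	/// Looks up a module in moduleInfo by name.
	/// </summary>
	/// <param name="DllName">Module name to find.</param>
	/// <param name="iter">Receives the iterator of the matching module.</param>
	/// <returns>TRUE if found.</returns>
	BOOL GetModuleInfomation(WCHAR* DllName, std::vector<MODULE_INFO>::iterator& iter);
	/// <summary>
	/// Looks up the module in moduleInfo that contains address.
	/// </summary>
	BOOL GetModuleInfomation(LPVOID address, std::vector<MODULE_INFO>::iterator& iter);
	/// <summary>
	/// Resolves an export by ordinal from the clean (on-disk) image.
	/// </summary>
	/// <param name="ImageBase">Base of the locally loaded image.</param>
	/// <param name="Ordinal">Export ordinal.</param>
	/// <returns>Address of the export, or NULL.</returns>
	LPVOID GetExportByOrdinal(LPVOID ImageBase, LPVOID Ordinal);
	/// <summary>
	/// Resolves an export by name from the memory image.
	/// </summary>
	/// <param name="ImageBase">Base of the image.</param>
	/// <param name="ProcName">Export name.</param>
	/// <returns>Address of the export, or NULL.</returns>
	LPVOID GetExportByName(LPVOID ImageBase, char* ProcName);
	/// <summary>
	/// Finds the path of the module that contains Address.
	/// </summary>
	/// <param name="Address">Address inside the target process.</param>
	/// <param name="ModulePath">Receives the module path (caller-provided buffer).</param>
	VOID GetModulePathByAddress(LPVOID Address, WCHAR* ModulePath);
	/// <summary>
	/// Resolves ApiName in DllName using the local (clean) copy of the module.
	/// </summary>
	/// <param name="DllName">Module name as written in the import table.</param>
	/// <param name="ApiName">Function name.</param>
	/// <param name="RealDllName">Receives the name of the module that actually exports it.</param>
	/// <returns>Address of the function, or NULL.</returns>
	LPVOID GetProcessAddressLocal(char* DllName, char* ApiName, WCHAR* RealDllName);
};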