C language ----- hijacking principle

1. Introducing the principle of hijacking

  (1) With hijacking techniques we can intercept certain processes, for example blocking document creation, preventing QQ from opening, preventing shutdown, and a series of similar operations.

  (2) Pop-up interception is the most common use of hijacking techniques.

2. Tools used

  (1) vs2017 // the C program can be built with other versions, but 2010 and below, or other IDEs, are not recommended; I have not used them

  (2) DllInject.exe // lists all current processes and can inject a DLL into one


3. Techniques used and the principle behind them

  (1) Function name and function entity

    The function name is essentially an address, but the address of the function name and the address of the function entity (the function body) are not the same address.

For example:

    void show() {
        MessageBoxA(NULL, "my text", "my title", 0);
    }

    In the show() function, the name show() is an address, and the function body, the code MessageBoxA(NULL, "my text", "my title", 0);, is the function entity, which also has an address. So how do we prove it?

    Debug the following source code in vs2017 using the disassembly window:

    #include <stdio.h>
    #include <stdlib.h>
    #include <Windows.h>
    void show() {
        MessageBoxA(NULL, "my text", "my title", 0);
    }
    int main() {
        printf("%p\n\n", show);  // prints the address held by the function name
        show();
        return 0;
    }

 1> Set a breakpoint

2> Run

3> Obtain the address of show() (the result is not the same on each run)

4> Open Debug -> Windows -> Disassembly

5> Enter the show() address 002B128F at the arrow position (either 0x002B128F or 002B128F should work; I used the first) and press Enter

 6> We have now jumped to the first address of the show() function

     _show:

    002B128F  jmp  show(02B3C90h)   

    This line means that from address 002B128F execution jumps to 02B3C90h, and 02B3C90h is the address of the function entity

7> View the function entity: enter the address show (02B3C90h) and press Enter

 8> Conclusion: the function name and the function entity are not at the same address

  (2) The principle of hijacking

    The function name and the function entity are not at the same address, like this:

     So if we change the address of the function entity from 02B3C90h to 0x0000, won't the function body that actually gets executed be a different one?

       Principle: modify the address of the function entity, i.e. change what the function name points to (the same house, but the people inside have changed)

  (3) Function pointers

    Since the function name is an address, we can operate on it through a pointer.

    The basic form:

      void (*p)() = function_name;

      p();

#include<stdio.h>
#include<stdlib.h>
#include<Windows.h>
void show(){
    MessageBoxA(NULL,"我是文本","我是标题",0);
}

void go(){
    printf("%s","create process failed");
}
int main(){
    /*printf("%p\n\n",show);
    show();*/

    void (*p)() = show;
    p();  // a function pointer can hold the address of different functions, so the same call executes different code
    p = go;
    p();
    return 0;
}

 (4) Implementing the hijacking principle --- generating the exe file

#include<stdio.h>
#include<stdlib.h>
#include<Windows.h>
void show() {
    MessageBoxA(NULL, "我是文本", "我是标题", 0);
}

void go() {
    printf("%s\n", "create process failed");
}
int main() {
    void (*p)() = go;
    // print the address of show(), the current target of p, and the address of p itself
    printf("show=%p\tgo=%p\t&p=%p\n", show, p, &p);
    while (1)
    {
        p();
        Sleep(1000);
    }
    return 0;
}

(5) Implementing the hijacking principle --- generating the dll file (see the actual code in the next step; this step only shows how to generate a dll)

1> Right-click the project and select Properties

 2> Follow the arrows

 3> Follow the arrows, then click Build -> Build Solution

 (6) Implementing the hijacking

1> Open the generated exe file

2> Write the dll file

    First, we need to find the address of the pointer p; since p is itself a pointer, we need a pointer-to-pointer to hold its address

    Second, the exe is currently running go(); I want to change it to show()

__declspec(dllexport) void go() {
    // &p as printed by the running exe: the address of the function pointer
    void (**p)() = (void (**)())0x008ffce8;
    // the address of show() as printed by the running exe; both values change per build/run
    *p = (void (*)())0x001212a3;
}

    Rebuild Solution

3> Open DllInject.exe and find the exe you just opened

 4> Click Inject -> find the dll file you generated -> click OK -> enter the name of the function you wrote

 5> Effect (the cmd console stops printing, and a dialog box pops up instead)
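
As an added example (not code from the original post, and without Windows APIs so it compiles anywhere), the following shows the same writable function pointer the exe above exposes beside two defensive variants: a const pointer that the compiler places in a read-only section (read-only once relocation has finished), and an allow-list check run before every indirect call, so a pointer redirected to an unexpected target is refused instead of executed. The names show, go, rogue, guarded_call and hijack_to are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the post's show() and go(); they return a value instead
 * of calling MessageBoxA so the example runs on any platform. */
static int show(void)  { return 1; }
static int go(void)    { return 2; }
static int rogue(void) { return 99; }  /* constructed: a target nobody intended */

/* The post's pattern: a writable function pointer at a fixed address.
 * Anything that can write to &p changes which function runs. */
static int (*p)(void) = go;

/* Mitigation 1: make the pointer itself const. It ends up in read-only
 * data, so a plain write to its address faults instead of silently
 * redirecting the call. */
static int (* const p_ro)(void) = go;

/* Mitigation 2: a minimal forward-edge check. Only the targets we
 * deliberately dispatch to are accepted. */
static int (* const allowed[])(void) = { show, go };

static int is_allowed_target(int (*fn)(void)) {
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (allowed[i] == fn) return 1;
    return 0;
}

/* Returns the callee's result, or -1 when the pointer was tampered with. */
static int guarded_call(int (*fn)(void)) {
    if (!is_allowed_target(fn)) return -1;
    return fn();
}

/* The same overwrite the injected DLL performs (through the
 * pointer-to-pointer), done in-process so the effect can be observed. */
static int hijack_to(int (*target)(void)) {
    int (**pp)(void) = &p;   /* the "two-level pointer" the post obtains */
    *pp = target;
    return guarded_call(p);
}

int main(void) {
    printf("go via p: %d\n", guarded_call(p));                /* 2 */
    printf("p redirected to show: %d\n", hijack_to(show));    /* 1: allowed */
    printf("p redirected to rogue: %d\n", hijack_to(rogue));  /* -1: refused */
    printf("p_ro still calls go: %d\n", p_ro());              /* 2 */
    return 0;
}
```

The allow-list catches redirection to code outside the intended set; redirection between two legitimate targets (go to show, as in the post) is only prevented by keeping the pointer out of writable memory.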


Origin www.cnblogs.com/mofei1999/p/11756417.html