

安全的交互通道 及 栈回溯检查与伪造

發布時間:2025/3/20 编程问答 37 豆豆

第四章:安全的交互通道
本章內容:消息鉤子、Hook 游戲消息處理過程、GetKeyState()/GetAsyncKeyState()/GetKeyboardState() 函數,以及進程間通信。
消息鉤子:SetWindowsHookEx(),UnhookWindowsHookEx()
Hook游戲消息處理過程:GetWindowLong(),SetWindowLong()
GetKeyState()、GetAsyncKeyState() 和 GetKeyboardState() 函數:容易被 Hook 檢測到。
按鍵 -> 鍵盤驅動捕捉該中斷並轉為 Virtual Key Code -> I/O 管理器封裝成 IRP(中斷請求包) -> OS 將 VK_XX 組裝為 WM_CHAR。
GetKeyState 和 GetKeyboardState 都應在消息處理過程中使用(按鍵狀態只在此時更新):前者取單個按鍵的狀態,後者一次取所有按鍵的狀態。
GetAsyncKeyState 的返回值:最高位表示該按鍵當前是否按下,最低位表示自上次調用此函數以來該按鍵是否曾被按下。

?

棧回溯檢查就是檢查返回地址是否合法;偽造就是 push 一個偽造的棧幀進去。

game.exe 游戲映像
normal.dll 游戲功能模塊

invader.dll 非法模塊

//game.exe #include "normaldll\normaldll.h" #include "invader\invader.h" #include <vector> #include <Windows.h> using namespace std;vector<int> vecAddr;int ebpret[6][2] = { 0 };void fun1() {__asm{push eaxpush ebxpush ecxlea eax, [ebpret]mov [eax], ebpmov ecx, ebpadd ecx, 4mov ebx, [ecx]add eax, 4mov [eax], ebxpop ecxpop ebxpop eax}for(int i = 0; i < 6; ++i){printf("ebp:%08x retaddr:%08x \n",ebpret[i][0],ebpret[i][1]);}fnnormaldll(); } void fun2() {__asm{push eaxpush ebxpush ecxlea eax, [ebpret]add eax, 8mov [eax], ebpmov ecx, ebpadd ecx, 4mov ebx, [ecx]add eax, 4mov [eax], ebxpop ecxpop ebxpop eax}fun1(); } void fun3() {__asm{push eaxpush ebxpush ecxlea eax, [ebpret]add eax, 0x10mov [eax], ebpmov ecx, ebpadd ecx, 4mov ebx, [ecx]add eax, 4mov [eax], ebxpop ecxpop ebxpop eax}fun2(); }void fun4() {__asm{push eaxpush ebxpush ecxlea eax, [ebpret]add eax, 0x18mov [eax], ebpmov ecx, ebpadd ecx, 4mov ebx, [ecx]add eax, 4mov [eax], ebxpop ecxpop ebxpop eax}fun3(); }void main() {HMODULE baseAddr = GetModuleHandle(L"testFakeStackFrames.exe");nnormaldll = (int)baseAddr;ninvader = (int)baseAddr;ninvader = (int)baseAddr;fninvader();__asm{push eaxpush ebxpush ecxlea eax, [ebpret]add eax, 0x20mov [eax], ebpmov ecx, ebpadd ecx, 4mov ebx, [ecx]add eax, 4mov [eax], ebxpop ecxpop ebxpop eax}fun4();while(true){Sleep(1000);} }


?

//normal.dll
// normaldll.cpp : Defines the exported functions for the DLL application.
//
// "Game functionality" module of the demo: when its exported fnnormaldll() is
// entered it walks the caller chain through saved ebp values and prints what
// it finds, so the real call path (game.exe) and the forged one (invader.dll)
// can be compared. 32-bit MSVC specific (inline x86 assembly).
#include "stdafx.h"
#include "normaldll.h"
#include <string>

// Image base of the host EXE; game.exe assigns it before calling fnnormaldll().
NORMALDLL_API int nnormaldll=0;

// ebpretdll[k] = { ebp, return address } of the k-th frame above this function.
int ebpretdll[6][2] = { 0 };

// Walks six frames up the stack via the saved-ebp chain, storing
// { ebp, [ebp+4] } per frame into ebpretdll, then prints the table together
// with the EXE image base. Assumes every frame uses the standard ebp-based
// layout ([ebp] = caller's ebp, [ebp+4] = return address), i.e. an
// unoptimized build; the first recorded pair is this function's own frame.
// NOTE(review): bRet is never assigned, so the function always returns false
// and performs no validation -- the recorded return addresses are printed but
// never compared against the image range, and `mov ebx, nnormaldll` is
// overwritten by `mov ebx, ebp` before it is used. The walk also dereferences
// [ebp] six times without any sanity check (stack bounds, module range), so a
// short or frame-pointer-less chain would read garbage or fault.
bool CheckStackFrame()
{
    int bRet = 0;
    __asm
    {
        push eax
        push ebx
        push ecx
        push edx
        push edi
        push ebp
        lea edx, [ebpretdll]
        mov ebx, nnormaldll          ; loaded but never used (clobbered below)
        mov ecx, 5                   ; dec/jge below => loop body runs 6 times
label:
        mov [edx], ebp               ; ebpretdll[k][0] = current frame's ebp
        add edx, 4
        mov ebx, ebp
        add ebx, 4
        mov edi, [ebx]               ; [ebp+4] = return address of this frame
        mov [edx],edi                ; ebpretdll[k][1]
        add edx, 4
        mov edi, [ebp]               ; follow the saved ebp to the caller's frame
        mov ebp, edi
        dec ecx
        jge label
        pop ebp
        pop edi
        pop edx
        pop ecx
        pop ebx
        pop eax
    }
    printf("EXE Baseaddr:%08x\n follow is check statck info:\n",nnormaldll);
    for(int i = 0; i < 6; ++i)
    {
        printf("ebp:%08x retaddr:%08x \n",ebpretdll[i][0],ebpretdll[i][1]);
    }
    return bRet;
}

// Exported entry reached from game.exe (fun1) and, via GetProcAddress, from
// invader.dll. Runs the stack walk, then shows the EXE and DLL bases in a
// message box. NOTE(review): the result of CheckStackFrame() is discarded, so
// a failed check would have no effect even if the function computed one.
// wsprintfW performs no length checking; the 100-wchar buffer is large enough
// for this fixed format, but swprintf_s would make that explicit.
NORMALDLL_API int fnnormaldll(void)
{
    CheckStackFrame();
    wchar_t buf[100] = { 0 };
    wsprintfW(buf,L"EXE address:%08x, current dll address:%08x",nnormaldll,GetModuleHandle(L"normaldll.dll"));
    MessageBoxW(NULL,buf, L"normal dll caption", MB_OK);
    return 42;
}

// Constructor of the exported class from the DLL project template; it does
// nothing. See normaldll.h for the class definition.
Cnormaldll::Cnormaldll()
{
    return;
}


?

//invader.dll
// invader.cpp : Defines the exported functions for the DLL application.
//
// Demonstration of the "forged stack frame" the article describes: a worker
// thread waits on the named event "SNOWMAN", then reaches normal.dll's
// fnnormaldll() through fakeframe(), which points the saved-ebp chain at a
// prepared array so that a walker following [ebp] sees those entries instead
// of this DLL's real callers. Everything here is 32-bit MSVC specific.
#include "stdafx.h"
#include "invader.h"
#include <windows.h>
#include <stdio.h>
#include <process.h>
#include "..\normaldll\normaldll.h"

// Image base handed over by game.exe; not read anywhere in this file.
INVADER_API int ninvader=0;

HANDLE g_event = NULL;          // auto-reset event created in start_address()
typedef int (*PFUN)(void);      // signature of fnnormaldll as resolved by GetProcAddress
// Prepared { "saved ebp", "return address" } pairs, filled by hah1().
// Slots [18] and [19] are reused by fakeframe() to stash the real saved ebp and esp.
DWORD fakestack[20] = { 0 };
DWORD addr = 0;                 // address of fakestack, read by fakeframe()'s asm

// Naked function: the __asm block is the whole body (no compiler prologue or
// epilogue; `ret 8` pops the two DWORD arguments). The `fakestack` parameter
// shadows the global array of the same name and is never read -- the asm uses
// the global `addr` instead. Sequence: stash the caller's saved ebp in
// fakestack[18] and the current esp in fakestack[19], replace this frame's
// saved-ebp slot with `addr`, call funaddr, then restore esp/ebp from the
// stashed values before returning.
// NOTE(review): 0x771f000a is an absolute address copied from the author's
// machine (commented only as "ret"); on any other system or DLL layout the
// return path goes elsewhere and the thread most likely faults.
_declspec (naked) void fakeframe(DWORD funaddr,DWORD fakestack)
{
    __asm
    {
        mov edi, edi
        push ebp
        mov ebp, esp
        push eax
        push ebx
        //push ebp
        mov eax, addr
        add eax,18*4
        mov ebx, [ebp]
        mov [eax], ebx
        add eax,4
        mov [eax], esp
        jmp PUSH_REAL_RET_ADDR
FUN:
        push 0x771f000a ;//ret
        mov eax, ebp
        mov ebx, addr
        mov [eax],ebx
        mov eax, funaddr
        jmp eax
PUSH_REAL_RET_ADDR:
        call FUN
        mov eax, addr
        add eax,19*4
        mov esp, [eax]
        sub eax, 4
        mov ebx, [eax]
        mov [ebp], ebx
        pop ebx
        pop eax
        mov esp, ebp
        pop ebp
        ret 8
    }
}

// Builds the chain: fakestack[i] points at the next pair and fakestack[i+1]
// holds the constant 0x21 as a stand-in "return address". Then resolves
// fnnormaldll by its decorated C++ export name and enters it via fakeframe().
// NOTE(review): 0x21 lies inside no module, so a checker that validated
// return addresses against loaded-image ranges (instead of only printing them,
// as normal.dll's CheckStackFrame does) would still reject this chain.
// NOTE(review): GetModuleHandleW is given the author's absolute build path;
// presumably it returns NULL unless the DLL was loaded from exactly that path,
// after which GetProcAddress returns NULL and fakeframe jumps to address 0.
// At i == 18, &fakestack[20] is a one-past-the-end pointer (never dereferenced
// here; fakeframe overwrites slots 18 and 19 anyway).
void hah1()
{
    for(int i = 0; i< 20; )
    {
        fakestack[i] = (DWORD)&fakestack[i+2];
        fakestack[i+1] = 0x00000021;
        i += 2;
    }
    HMODULE hnormaldll = GetModuleHandleW(L"C:\\test\\testFakeStackFrames\\Debug\\normaldll.dll");
    PFUN p = (PFUN)GetProcAddress(hnormaldll,"?fnnormaldll@@YAHXZ");
    //nnormaldll = (int)GetModuleHandle(L"invader.dll");
    addr = (DWORD)&fakestack;
    fakeframe((DWORD)p,addr);
}
// hah2..hah4 only add call depth so the real chain has several frames above hah1.
void hah2()
{
    hah1();
}
void hah3()
{
    hah2();
}
void hah4()
{
    hah3();
}

// Worker thread entry (started by fninvader). Creates the event "SNOWMAN" with
// NULL security attributes -- so any process that can open the name may signal
// it, which is what the separate trigger program does -- blocks on it, runs
// the demo and then loops forever printing. `pa` is unused; the
// _endthreadex/return after the infinite loop are unreachable.
unsigned __stdcall start_address( void * pa )
{
    g_event = CreateEventW(NULL,FALSE,FALSE,L"SNOWMAN");
    printf("11111\n");
    WaitForSingleObject( g_event, INFINITE );
    hah4();
    while(true)
    {
        printf("dddddddddddddd\n");
        Sleep(1000);
    }
    _endthreadex( 0 );
    return 0;
}

// Exported entry called by game.exe: starts the worker thread and returns at
// once. NOTE(review): the thread handle returned by _beginthreadex is never
// closed.
INVADER_API int fninvader(void)
{
    HANDLE hthread = (HANDLE)_beginthreadex(NULL,0,&start_address,NULL,0,NULL);
    //Sleep(3000);
    //hah4();
    return 42;
}

// Constructor of the exported class from the DLL project template; it does
// nothing. See invader.h for the class definition.
Cinvader::Cinvader()
{
    return;
}


?

//trigeror #include <windows.h> #include <stdio.h> #include <process.h>void main() {HANDLE g_event = CreateEventW(NULL,FALSE,FALSE,L"SNOWMAN");if(GetLastError() == ERROR_ALREADY_EXISTS){printf(" OK is exist, only triger\n");SetEvent(g_event);} }


測試結果:

normal.dll調用時棧如下:

非法調用時的棧:

