hook虚表监控虚表
RTTI(Runtime Type Identification,運行時類型識別)由c++編譯器將對象的類型信息嵌入程序的只讀數據段,以 支持C++的各種操作符在運行時確定(typeid)和檢查(dynamic_cast)一個對象的數據類型。
對微軟的編譯器而言,指向 RTTI 資訊的指標位於虛表起始地址的 -4 處(即虛表前一個槽位)。
#include <stdio.h>
#include <Windows.h>
#define VTSIZE 6
#pragma pack(1)
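// Abstract interface whose vtable the example hooks.
// NOTE: deliberately no virtual destructor — it would add a vtable slot and
// change the slot numbering the hook assumes (MSVC lays slots out in
// declaration order). The object is deleted through Child* in main().
class Parent
{
public:
    virtual void Fun1() = 0;
    virtual void Fun2() = 0;
    virtual void Fun3() = 0;
    virtual void Fun4() = 0;
    virtual void Fun5() = 0;
};

// Number of virtual slots Parent declares; keep in sync with the class above.
// The real vtable has exactly this many entries, so copying VTSIZE (6) entries
// out of it, as the original loop did, reads one slot past its end.
constexpr int kParentVirtuals = 5;
static_assert(kParentVirtuals <= VTSIZE, "fake vtable (VTSIZE) is too small for Parent");

class Child : public Parent
{
public:
    void Fun1() override { printf("11111\n"); }
    void Fun2() override { printf("22222\n"); }
    void Fun3() override { printf("33333\n"); }
    void Fun4() override { printf("44444\n"); }
    void Fun5() override { printf("55555\n"); }
};

// One trampoline per vtable slot, stored as raw x86-32 machine code.
// Relies on the #pragma pack(1) in effect above: any padding between the
// fields would break the instruction stream. Non-DEBUG layout (9 bytes):
//   B8 imm32   mov eax, <real virtual function>
//   50         push eax
//   58         pop eax
//   FF E0      jmp eax
// i.e. a pass-through stub that lands in the real function with ecx (this)
// and the stack untouched. The commented fields record the author's plan to
// detour through CheckFunc (pushad/pushfd, jmp CheckFunc, popfd/popad).
// DEBUG here means the plain macro DEBUG, not MSVC's _DEBUG.
typedef struct _JMP_TABLE_ITEM
{
    //UCHAR uPushesi;            // backup esi for checkesp push esi, pop esi
    UCHAR uMoveEaxForFactAddr;   // B8
    DWORD dwFactAddr;            // imm32: real virtual function address
    UCHAR uPashEaxForFactAddr;   // 50  push eax
    //UCHAR uPushad;             // 60
    //UCHAR uPushfd;             // 9C
    //UCHAR uJmp;                // E9
    //DWORD dwCheckAddr;         // jmp to check function
#ifdef DEBUG
    // Experimental MessageBoxA detour ("simulate messagebox exist issue" in
    // the original). As laid out, MessageBoxA appears to take the first
    // pushed 0 as its return address, so its ret 10h would land at address 0;
    // treat this path as unfinished.
    UCHAR push0;                 // 6A
    UCHAR zero0;                 // 00
    UCHAR push1;                 // 6A
    UCHAR zero1;                 // 00
    UCHAR push2;                 // 6A
    UCHAR zero2;                 // 00
    UCHAR push3;                 // 6A
    UCHAR zero3;                 // 00
    UCHAR tempmoveax;            // B8
    DWORD dwmsgAddr;             // imm32: MessageBoxA
    UCHAR uJmpmsg;               // FF
    DWORD uJmpeaxaddr;           // E0 00 00 00 (only the E0 byte is reached)
    UCHAR add;                   // 83
    UCHAR esp;                   // C4
    UCHAR four;                  // 10  add esp, 10h
#endif
    //UCHAR uPopad;              // 61
    //UCHAR uPopfd;              // 9D
    UCHAR uPopeax;               // 58  pop eax
    UCHAR uJmp22;                // FF
    UCHAR uJmpEax;               // E0  jmp eax
} JMP_TABLE_ITEM;

// The stub encodes 32-bit immediates and casts pointers to DWORD, so it is
// only meaningful in a 32-bit build; on x64 every pointer would be truncated.
static_assert(sizeof(void*) == 4, "x86-32 only: stubs use 32-bit immediates and DWORD-sized vtable slots");
#ifdef DEBUG
static_assert(sizeof(JMP_TABLE_ITEM) == 30, "JMP_TABLE_ITEM must be byte-packed (#pragma pack(1))");
#else
static_assert(sizeof(JMP_TABLE_ITEM) == 9, "JMP_TABLE_ITEM must be byte-packed (#pragma pack(1))");
#endif

// Intended monitoring callback: the commented pushad/pushfd/jmp fields of
// JMP_TABLE_ITEM show the plan to transfer control here on every hooked call.
// Not wired up in this version, so it is a no-op and the parameter is unused.
void CheckFunc(DWORD checkNum)
{
    (void)checkNum;
}

// Fills pfakevt[0..kParentVirtuals) with the addresses of the stubs in
// pJMPTable and encodes each stub so it forwards to the matching entry of the
// object's real vtable.
//   pfakevt   - fake vtable, at least VTSIZE entries; slots beyond
//               kParentVirtuals are left as the caller initialised them.
//   pJMPTable - at least VTSIZE stubs, writable at this point.
//   pFactvt   - address of a live object whose first DWORD is its vptr.
//   msgaddr   - MessageBoxA address, used only by the DEBUG stub layout.
// The caller must make the stub memory executable before any hooked call.
void InitFakeVirtualTable(DWORD *pfakevt, JMP_TABLE_ITEM *pJMPTable, DWORD pFactvt, DWORD msgaddr)
{
    const DWORD *pvt = (const DWORD*)*(DWORD*)pFactvt;   // the real vtable
#ifndef DEBUG
    (void)msgaddr;
#endif
    for (int i = 0; i < kParentVirtuals; ++i)
    {
        JMP_TABLE_ITEM &stub = pJMPTable[i];
        pfakevt[i] = (DWORD)&stub;

        stub.uMoveEaxForFactAddr = 0xB8;
        stub.dwFactAddr = pvt[i];
        stub.uPashEaxForFactAddr = 0x50;   // push real virtual function address
        //stub.uPushad = 0x60;
        //stub.uPushfd = 0x9C;
        //stub.uJmp = 0xE9;
        //stub.dwCheckAddr = (DWORD)CheckFunc;
#ifdef DEBUG
        stub.push0 = 0x6A;
        stub.zero0 = 0x0;
        stub.push1 = 0x6A;
        stub.zero1 = 0x0;
        stub.push2 = 0x6A;
        stub.zero2 = 0x0;
        stub.push3 = 0x6A;
        stub.zero3 = 0x0;
        stub.tempmoveax = 0xB8;
        stub.dwmsgAddr = msgaddr;
        stub.uJmpmsg = 0xFF;
        stub.uJmpeaxaddr = 0xE0;
        stub.add = 0x83;
        stub.esp = 0xC4;
        stub.four = 0x10;
#endif
        //stub.uPopad = 0x61;
        //stub.uPopfd = 0x9d;
        stub.uPopeax = 0x58;
        stub.uJmp22 = 0xFF;
        stub.uJmpEax = 0xE0;
    }
}

// Builds the fake vtable and stubs, swaps them into a Child object, calls
// every virtual function through the hook, then removes the hook and frees
// everything. Returns 0 on success, 1 if the stub memory could not be set up.
int main()
{
    // Fake virtual table: plain data, only ever read through the vptr.
    DWORD *pfakeVirtualTable = new DWORD[VTSIZE]();

    // The stubs are executed, so they get their own page: written while
    // PAGE_READWRITE, then flipped to PAGE_EXECUTE_READ. The original
    // allocated them on the heap and depended on the 1024-byte
    // VirtualProtect over the fake vtable happening to cover them as well.
    const SIZE_T stubBytes = sizeof(JMP_TABLE_ITEM) * VTSIZE;
    JMP_TABLE_ITEM *pJMPTable = (JMP_TABLE_ITEM*)VirtualAlloc(NULL, stubBytes, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (pJMPTable == NULL)
    {
        printf("VirtualAlloc failed: %lu\n", GetLastError());
        delete[] pfakeVirtualTable;
        return 1;
    }

    Child *child = new Child();
    Parent *pChild = child;
    DWORD ptemp = (DWORD)pChild;
    const DWORD originalVptr = *(DWORD*)pChild;   // kept so the hook can be undone

    // simulate checkfunc: MessageBoxA is only referenced by the DEBUG layout.
    // LoadLibraryA rather than GetModuleHandleA so the lookup does not depend
    // on user32.dll already being mapped into this console process.
    HMODULE hUser32 = LoadLibraryA("user32.dll");
    DWORD addr = hUser32 ? (DWORD)GetProcAddress(hUser32, "MessageBoxA") : 0;

    InitFakeVirtualTable(pfakeVirtualTable, pJMPTable, ptemp, addr);

    DWORD oldprotect = 0;
    if (!VirtualProtect(pJMPTable, stubBytes, PAGE_EXECUTE_READ, &oldprotect))
    {
        printf("VirtualProtect failed: %lu\n", GetLastError());
        delete child;
        VirtualFree(pJMPTable, 0, MEM_RELEASE);
        delete[] pfakeVirtualTable;
        if (hUser32) FreeLibrary(hUser32);
        return 1;
    }
    FlushInstructionCache(GetCurrentProcess(), pJMPTable, stubBytes);

    // Install the hook: every virtual call on pChild now goes through a stub.
    *(DWORD*)pChild = (DWORD)pfakeVirtualTable;
    pChild->Fun1();
    pChild->Fun2();
    pChild->Fun3();
    pChild->Fun4();
    pChild->Fun5();

    // Remove the hook before tearing anything down.
    *(DWORD*)pChild = originalVptr;
    delete child;
    VirtualFree(pJMPTable, 0, MEM_RELEASE);
    delete[] pfakeVirtualTable;
    if (hUser32) FreeLibrary(hUser32);
    return 0;
}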