纯汇编写的，主要拦截 KERNEL32.DLL 中的 OpenFile、CreateFileA、CreateFileW、ReadFile、ReadFileEx、WriteFile、WriteFileEx、DeviceIoControl 等函数，HOOK 到的数据未做过滤处理。
其中 MYDLL 利用了 skyer 的 HOOKAPI LIB，放出源码。主程序的过程是：创建进程后挂起，注入 MYDLL 后恢复进程，拦截过程中的相关函数。主程序是汇编写的，反汇编后基本上可以理出代码，就不放源码了。

代码:

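.data
; Shared state used by every hook wrapper in this file.
; lbHwnd is the list-box window that receives one LB_ADDSTRING per intercepted
; call. It is left uninitialised here; OutHwndAdr hands out its address so the
; process that loads this DLL can fill it in (that side is not part of this
; listing - confirm against the injector). Note that SendMessageA to a window
; owned by another process blocks the hooked thread until that window has
; processed the message.
lbHwnd   DD ?
lbStr    DD 10h dup (?)
lpbuffer byte BUFLEN dup(0), 0          ; BUFLEN is defined outside this listing

.code
;-----------------------------------------------------------------------
; DWORD *OutHwndAdr(void)
; Out:   eax = &lbHwnd
; Clobb: eax only; flags untouched
; Moved into .code: the original placed this routine (and the data after its
; ret) inside the writable .data section, so it was executing out of a
; non-executable section and faults once DEP is enforced for the host process.
;-----------------------------------------------------------------------
OutHwndAdr Proc
        mov     eax, offset lbHwnd
        ret
OutHwndAdr Endp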


.data?
; Trampolines recorded by hookstart: each slot receives the value HookAPI
; returns for the corresponding KERNEL32 routine, and the matching my* wrapper
; below forwards through it to reach the original implementation.
; Being in .data? they are zero until DLL_PROCESS_ATTACH has run hookstart, so
; a wrapper must not be reached before that (its `call New*` would target 0).
NewOpenFile             dd ?            ; filled by hookstart, used by myOpenFile
NewCreateFileA          dd ?            ; used by myCreateFileA
NewCreateFileW          dd ?            ; used by myCreateFileW
NewReadFile             dd ?            ; used by myReadFile
NewReadFileEx           dd ?            ; used by myReadFileEx
NewWriteFile            dd ?            ; used by myWriteFile
NewWriteFileEx          dd ?            ; recorded by hookstart; see myWriteFileEx
NewDeviceIoControl      dd ?            ; used by myDeviceIoControl

.code
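;-----------------------------------------------------------------------
; BOOL DllEntry(HINSTANCE hInstance, DWORD reason, LPVOID reserved1)
; ABI:   stdcall (DllMain)
; Installs the KERNEL32 hooks when the DLL is mapped into a process and removes
; them when it is unmapped. Returns TRUE in eax.
; Fixes vs. the original:
;  - TRUE was loaded into eax *before* `call hookstart`; hookstart ends with
;    `mov NewDeviceIoControl, eax`, so eax actually held the last HookAPI
;    result when DllMain returned, not TRUE.
;  - CloseHandle was called on hInstance on detach; a module handle is a base
;    address, not a kernel object, so that call could only fail (and raises
;    an invalid-handle exception under a debugger).
; NOTE(review): hookstart/hookend run inside DllMain, i.e. with the loader
; lock held; whether HookAPI/UnhookAPI are safe there depends on what they
; do internally, which this listing does not show.
;-----------------------------------------------------------------------
DllEntry proc hInstance:HINSTANCE, reason:DWORD, reserved1:DWORD
  .if reason==DLL_PROCESS_ATTACH
            call hookstart                  ; clobbers eax; return value is set below
  .elseif reason==DLL_PROCESS_DETACH
            call hookend
  .endif
            mov  eax,TRUE                   ; the loader only examines this for ATTACH
  ret
DllEntry Endp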
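;-----------------------------------------------------------------------
; HFILE myOpenFile(LPCSTR lpFileName, LPOFSTRUCT lpReOpenBuff, UINT wStyle)
; Hook for KERNEL32!OpenFile: logs the file name to the list box, then
; forwards the unchanged arguments to the original through NewOpenFile.
; Out:   eax = whatever the original OpenFile returns (passed through)
; Fix:   the original built the log line with lstrcatA into a 200-byte stack
;        buffer, so a file name longer than roughly 180 bytes overran the
;        frame of the hooked process. The name is now copied with a precision
;        that cannot exceed the buffer. The GetModuleFileName call whose
;        result was immediately overwritten by lstrcpyA has been dropped.
;-----------------------------------------------------------------------
myOpenFile proc lpFileName:LPCSTR,lpReOpenBuff:DWORD, wStyle:UINT
LOCAL temp[200]:byte
        ; "%.150s" caps the copied name (20-byte prefix + 150 + NUL < 200);
        ; wsprintf also renders a NULL string argument instead of faulting.
        invoke  wsprintfA, addr temp, CTEXT("OpenFile-lpFileName:%.150s"), lpFileName
        invoke  SendMessageA, lbHwnd, LB_ADDSTRING, 0, addr temp
        ; Re-issue the call with the same stdcall frame; the original pops its
        ; own arguments and the generated epilogue leaves eax untouched.
        push    wStyle
        push    lpReOpenBuff
        push    lpFileName
        call    NewOpenFile
        ret
myOpenFile endp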
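;-----------------------------------------------------------------------
; HANDLE myCreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess,
;                      DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes,
;                      DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes,
;                      HANDLE hTemplateFile)
; Hook for KERNEL32!CreateFileA: logs the file name, then forwards every
; argument unchanged through NewCreateFileA.
; Out:   eax = the original CreateFileA result (passed through)
; Fix:   lstrcatA of an unbounded lpFileName into temp[200] overran the stack
;        for names longer than about 176 bytes; the copy is now bounded by a
;        precision. The dead GetModuleFileName call (its output was
;        overwritten on the next line) is gone.
;-----------------------------------------------------------------------
myCreateFileA proc lpFileName:LPCSTR, dwDesiredAccess:DWORD, dwShareMode: DWORD, lpSecurityAttributes:DWORD, dwCreationDisposition:DWORD, dwFlagsAndAttributes:DWORD, hTemplateFile:HANDLE
LOCAL temp[200]:byte
        ; 23-byte prefix + at most 150 name bytes + NUL fits in temp.
        invoke  wsprintfA, addr temp, CTEXT("CreateFileA-lpFileName:%.150s"), lpFileName
        invoke  SendMessageA, lbHwnd, LB_ADDSTRING, 0, addr temp
        ; stdcall: push right-to-left, callee cleans up, eax passes through.
        push    hTemplateFile
        push    dwFlagsAndAttributes
        push    dwCreationDisposition
        push    lpSecurityAttributes
        push    dwShareMode
        push    dwDesiredAccess
        push    lpFileName
        call    NewCreateFileA
        ret
myCreateFileA endp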
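;-----------------------------------------------------------------------
; HANDLE myCreateFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess,
;                      DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes,
;                      DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes,
;                      HANDLE hTemplateFile)
; Hook for KERNEL32!CreateFileW: converts the wide name to ANSI for the log
; line, then forwards every argument unchanged through NewCreateFileW.
; lpFileName is declared LPCSTR only because the wrapper never dereferences
; it itself; it is a wide string.
; Out:   eax = the original CreateFileW result (passed through)
; Fix:   when WideCharToMultiByte failed (name longer than the 128-byte
;        fname), fname was left uninitialised and then concatenated into
;        temp without any bound. fname is now terminated at both ends before
;        the conversion and the copy into temp is bounded by a precision.
;        The dead GetModuleFileName call has been dropped.
;-----------------------------------------------------------------------
myCreateFileW proc lpFileName:LPCSTR, dwDesiredAccess:DWORD, dwShareMode: DWORD, lpSecurityAttributes:DWORD, dwCreationDisposition:DWORD, dwFlagsAndAttributes:DWORD, hTemplateFile:HANDLE
LOCAL temp[200]:byte
LOCAL fname[128]:byte
        ; Guarantee a terminator whatever the conversion does: byte 0 covers
        ; the failure case (buffer contents unspecified), byte 127 is never
        ; written because the conversion is limited to 127 bytes.
        lea     eax, fname
        mov     byte ptr [eax], 0
        mov     byte ptr [eax+127], 0
        invoke  WideCharToMultiByte, CP_ACP, 0, lpFileName, -1, addr fname, 127, NULL, NULL
        ; 23-byte prefix + at most 127 name bytes + NUL fits in temp.
        invoke  wsprintfA, addr temp, CTEXT("CreateFileW-lpFileName:%.150s"), addr fname
        invoke  SendMessageA, lbHwnd, LB_ADDSTRING, 0, addr temp
        ; stdcall: push right-to-left, callee cleans up, eax passes through.
        push    hTemplateFile
        push    dwFlagsAndAttributes
        push    dwCreationDisposition
        push    lpSecurityAttributes
        push    dwShareMode
        push    dwDesiredAccess
        push    lpFileName
        call    NewCreateFileW
        ret
myCreateFileW endp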
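;-----------------------------------------------------------------------
; BOOL myReadFile(HANDLE hFile, LPVOID lpBuffer, DWORD nNumberOfBytesToRead,
;                 LPDWORD lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped)
; Hook for KERNEL32!ReadFile: logs the handle, then forwards all five
; arguments unchanged through NewReadFile.
; NOTE: the parameter names below are shifted relative to ReadFile's real
; signature (the 4th is lpNumberOfBytesRead, the 5th is lpOverlapped). They
; are kept as-is because only the push order matters to the callee.
; Out:   eax = the original ReadFile result (passed through)
; Fix:   the handle was formatted with wsprintfA into `LOCAL buf:dword`, a
;        4-byte slot, while "%x" writes up to 9 bytes - a stack overwrite on
;        every call. The whole line is now formatted in one step into temp.
;-----------------------------------------------------------------------
myReadFile proc hFile:HANDLE,lpBuffer:LPVOID,nNumberOfBytesToRead:DWORD,lpOverlapped:DWORD,lpCompletionRoutine:DWORD
LOCAL temp[200]:byte
        invoke  wsprintfA, addr temp, CTEXT("ReadFile-hFile:0x%x"), hFile
        invoke  SendMessageA, lbHwnd, LB_ADDSTRING, 0, addr temp
        ; stdcall: push right-to-left, callee cleans up, eax passes through.
        push    lpCompletionRoutine         ; really lpOverlapped
        push    lpOverlapped                ; really lpNumberOfBytesRead
        push    nNumberOfBytesToRead
        push    lpBuffer
        push    hFile
        call    NewReadFile
        ret
myReadFile endp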
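;-----------------------------------------------------------------------
; BOOL myReadFileEx(HANDLE hFile, LPVOID lpBuffer, DWORD nNumberOfBytesToRead,
;                   LPOVERLAPPED lpOverlapped,
;                   LPOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine)
; Hook for KERNEL32!ReadFileEx: logs the handle, then forwards all five
; arguments unchanged through NewReadFileEx.
; Out:   eax = the original ReadFileEx result (passed through)
; Fix:   same defect as myReadFile - "%x" was written into a 4-byte local
;        (`buf:dword`), overrunning adjacent stack memory. The line is now
;        formatted directly into temp; the log label is unchanged.
;-----------------------------------------------------------------------
myReadFileEx proc hFile:HANDLE,lpBuffer:LPVOID,nNumberOfBytesToRead:DWORD,lpOverlapped:DWORD,lpCompletionRoutine:DWORD
LOCAL temp[200]:byte
        invoke  wsprintfA, addr temp, CTEXT("ReadFileEx-hFileEx:0x%x"), hFile
        invoke  SendMessageA, lbHwnd, LB_ADDSTRING, 0, addr temp
        ; stdcall: push right-to-left, callee cleans up, eax passes through.
        push    lpCompletionRoutine
        push    lpOverlapped
        push    nNumberOfBytesToRead
        push    lpBuffer
        push    hFile
        call    NewReadFileEx
        ret
myReadFileEx endp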
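;-----------------------------------------------------------------------
; BOOL myWriteFile(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite,
;                  LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped)
; Hook for KERNEL32!WriteFile: logs the handle, then forwards all five
; arguments unchanged through NewWriteFile. The data being written is not
; inspected.
; Out:   eax = the original WriteFile result (passed through)
; Fix:   "%x" was written into `LOCAL buf:dword` (4 bytes) - up to 9 bytes
;        of output, overrunning adjacent stack memory on every call. The
;        line is now formatted in one step into temp.
;-----------------------------------------------------------------------
myWriteFile proc hFile:HANDLE,lpBuffer:LPCVOID, nNumberOfBytesToWrite:DWORD,lpNumberOfBytesWritten:LPDWORD,lpOverlapped:DWORD 
LOCAL temp[200]:byte
        invoke  wsprintfA, addr temp, CTEXT("WriteFile-hFile:0x%x"), hFile
        invoke  SendMessageA, lbHwnd, LB_ADDSTRING, 0, addr temp
        ; stdcall: push right-to-left, callee cleans up, eax passes through.
        push    lpOverlapped
        push    lpNumberOfBytesWritten
        push    nNumberOfBytesToWrite
        push    lpBuffer
        push    hFile
        call    NewWriteFile
        ret
myWriteFile endp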
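;-----------------------------------------------------------------------
; BOOL myWriteFileEx(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite,
;                    LPOVERLAPPED lpOverlapped,
;                    LPOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine)
; Hook for KERNEL32!WriteFileEx: logs the handle, then forwards all five
; arguments unchanged through NewWriteFileEx.
; NOTE: the parameter names below follow WriteFile, not WriteFileEx: the 4th
; argument is really lpOverlapped and the 5th is lpCompletionRoutine. They
; are kept because only the push order matters to the callee.
; Out:   eax = the original WriteFileEx result (passed through)
; Fixes: (1) the original forwarded to NewWriteFile, i.e. the WriteFile
;        trampoline, with WriteFileEx's arguments - the original WriteFile
;        then stored its byte count through the caller's OVERLAPPED pointer
;        and treated the completion-routine address as an OVERLAPPED*,
;        corrupting the hooked process. The trampoline recorded by hookstart
;        for WriteFileEx (NewWriteFileEx) is now used.
;        (2) "%x" was written into a 4-byte `buf:dword`; the line is now
;        formatted directly into temp.
;-----------------------------------------------------------------------
myWriteFileEx proc hFile:HANDLE,lpBuffer:LPCVOID, nNumberOfBytesToWrite:DWORD,lpNumberOfBytesWritten:LPDWORD,lpOverlapped:DWORD 
LOCAL temp[200]:byte
        invoke  wsprintfA, addr temp, CTEXT("WriteFileEx-hFile:0x%x"), hFile
        invoke  SendMessageA, lbHwnd, LB_ADDSTRING, 0, addr temp
        ; stdcall: push right-to-left, callee cleans up, eax passes through.
        push    lpOverlapped                ; really lpCompletionRoutine
        push    lpNumberOfBytesWritten      ; really lpOverlapped
        push    nNumberOfBytesToWrite
        push    lpBuffer
        push    hFile
        call    NewWriteFileEx
        ret
myWriteFileEx endp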
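;-----------------------------------------------------------------------
; BOOL myDeviceIoControl(HANDLE hDevice, DWORD dwIoControlCode,
;                        LPVOID IpInBuffer, DWORD nInbufferSize,
;                        LPVOID IpOutBuffer, DWORD nOutBufferSize,
;                        LPDWORD IpBytesReturned, LPOVERLAPPED IpOverlapped)
; Hook for KERNEL32!DeviceIoControl: emits one list-box line per logged
; field (handle, control code, input size, output buffer, output size,
; bytes-returned pointer - IpInBuffer itself is not logged, as before), then
; forwards all eight arguments unchanged through NewDeviceIoControl.
; The "Ip*" parameter names are the original (mis-typed "lp*") names, kept
; unchanged.
; Out:   eax = the original DeviceIoControl result (passed through)
; Fixes vs. the original:
;  - `lstrcatA, addr temp, hDevice` passed the handle *value* as a string
;    pointer, reading from an address such as 0x1A4; the handle is now
;    formatted with %x.
;  - the label strings ("dwIoControlCode:" etc.) were lstrcpyA'd into
;    `LOCAL ...:dword` slots of 4 bytes, and "%x"/"%d" results into 4-byte
;    buf1..buf5 - every line overran the stack frame of the hooked process.
;  - the nInbufferSize line copied its label into OutBuffer but appended the
;    number to the never-initialised InbufferSize.
;  All lines are now formatted in one wsprintfA call into the single 200-byte
;  temp buffer; the longest line (16-char label + 8 hex digits) is far below
;  that.
;-----------------------------------------------------------------------
myDeviceIoControl proc hDevice:HANDLE,dwIoControlCode:DWORD,IpInBuffer:LPVOID,nInbufferSize:DWORD,IpOutBuffer:LPVOID,nOutBufferSize:DWORD,IpBytesReturned:LPDWORD,IpOverlapped:DWORD
LOCAL temp[200]:byte
        invoke  wsprintfA, addr temp, CTEXT("hDevice:0x%x"), hDevice
        invoke  SendMessageA, lbHwnd, LB_ADDSTRING, 0, addr temp
        invoke  wsprintfA, addr temp, CTEXT("dwIoControlCode:%x"), dwIoControlCode
        invoke  SendMessageA, lbHwnd, LB_ADDSTRING, 0, addr temp
        invoke  wsprintfA, addr temp, CTEXT("nInbufferSize:%d"), nInbufferSize
        invoke  SendMessageA, lbHwnd, LB_ADDSTRING, 0, addr temp
        invoke  wsprintfA, addr temp, CTEXT("IpOutBuffer:0x%x"), IpOutBuffer
        invoke  SendMessageA, lbHwnd, LB_ADDSTRING, 0, addr temp
        invoke  wsprintfA, addr temp, CTEXT("nOutBufferSize:%d"), nOutBufferSize
        invoke  SendMessageA, lbHwnd, LB_ADDSTRING, 0, addr temp
        invoke  wsprintfA, addr temp, CTEXT("IpBytesReturned:0x%x"), IpBytesReturned
        invoke  SendMessageA, lbHwnd, LB_ADDSTRING, 0, addr temp
        ; stdcall: push right-to-left, callee cleans up, eax passes through.
        push    IpOverlapped
        push    IpBytesReturned
        push    nOutBufferSize
        push    IpOutBuffer
        push    nInbufferSize
        push    IpInBuffer
        push    dwIoControlCode
        push    hDevice
        call    NewDeviceIoControl
        ret
myDeviceIoControl endp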
;-----------------------------------------------------------------------
; void hookstart(void)
; Installs the eight KERNEL32 hooks through HookAPI (skyer's HOOKAPI library,
; not part of this listing) and stores each return value in the matching
; New* slot, which the my* wrappers use to reach the original routine.
; Clobb: eax, plus whatever HookAPI clobbers (presumably the stdcall volatile
;        set - confirm against the library).
; NOTE(review): no return value is checked. If HookAPI reports failure by
; returning 0 (verify in the library), the slot stays 0 and the wrapper's
; `call New*` would transfer to address 0 on the next intercepted call.
; Called from DllEntry on DLL_PROCESS_ATTACH, i.e. under the loader lock.
;-----------------------------------------------------------------------
hookstart proc 
                invoke HookAPI,CTEXT("KERNEL32.DLL"),CTEXT("OpenFile"),offset myOpenFile
  mov NewOpenFile, eax                  ; eax = trampoline to the original OpenFile
  invoke HookAPI,CTEXT("KERNEL32.DLL"),CTEXT("CreateFileA"),offset myCreateFileA
  mov NewCreateFileA, eax
  invoke HookAPI,CTEXT("KERNEL32.DLL"),CTEXT("CreateFileW"),offset myCreateFileW
  mov NewCreateFileW, eax
  invoke HookAPI,CTEXT("KERNEL32.DLL"),CTEXT("ReadFile"),offset myReadFile
  mov NewReadFile, eax
  invoke HookAPI,CTEXT("KERNEL32.DLL"),CTEXT("ReadFileEx"),offset myReadFileEx
  mov NewReadFileEx, eax
  invoke HookAPI,CTEXT("KERNEL32.DLL"),CTEXT("WriteFile"),offset myWriteFile
  mov NewWriteFile, eax
  invoke HookAPI,CTEXT("KERNEL32.DLL"),CTEXT("WriteFileEx"),offset myWriteFileEx
  mov NewWriteFileEx, eax
  invoke HookAPI,CTEXT("KERNEL32.DLL"),CTEXT("DeviceIoControl"),offset myDeviceIoControl
  mov NewDeviceIoControl, eax           ; last HookAPI result is still in eax on return
  ret
hookstart Endp
;-----------------------------------------------------------------------
; void hookend(void)
; Removes the eight hooks installed by hookstart by passing each replacement
; routine's address to UnhookAPI (presumably the library keys its records on
; the replacement routine - confirm against the library). Return values are
; not examined.
; Clobb: eax, plus whatever UnhookAPI clobbers.
; Called from DllEntry on DLL_PROCESS_DETACH, i.e. under the loader lock.
;-----------------------------------------------------------------------
hookend proc
                invoke UnhookAPI,myOpenFile  
  invoke UnhookAPI,myCreateFileA  
  invoke UnhookAPI,myCreateFileW
  invoke UnhookAPI,myReadFile
  invoke UnhookAPI,myReadFileEx
  invoke UnhookAPI,myWriteFile
  invoke UnhookAPI,myWriteFileEx
  invoke UnhookAPI,myDeviceIoControl
  ret
hookend Endp

End DllEntry

  • 标 题:答复
  • 作 者:laomms
  • 时 间:2007-06-12 15:57

deroko的那个可能比较完美:
http://bbs.pediy.com/showthread.php?...light=Ultimate

.386
.model flat, stdcall
option casemap: none

include windows.inc
include user32.inc
include kernel32.inc

includelib user32.lib
includelib kernel32.lib

; Exported with unmangled (C) names so the hooking engine that loads this DLL
; can locate the two slots by name and store the original routines' addresses
; in them (that engine is not part of this listing).
public C                Detoured_MessageBoxA
public C                Detoured_GetModuleHandleA
            
.data?
; Trampoline slots: each is expected to hold the address through which the
; original API can still be reached once the hook is in place. Being in .data?
; they are zero until something external fills them, so the HOOK_* routines
; below must not be invoked before that.
Detoured_MessageBoxA      dd      ?     ; -> original user32!MessageBoxA
Detoured_GetModuleHandleA dd      ?     ; -> original kernel32!GetModuleHandleA

.code

;-----------------------------------------------------------------------
; BOOL DllEntry(HINSTANCE hInstance, DWORD reason, LPVOID reserved1)
; ABI:   stdcall (DllMain)
; Minimal entry point: reports TRUE for DLL_PROCESS_ATTACH and does nothing
; for any other notification (eax is left as-is then; the loader only
; examines the attach result). All hooking is done by the external engine
; that fills the Detoured_* slots - this DLL only supplies the replacements.
;-----------------------------------------------------------------------
DllEntry proc hInstance:HINSTANCE, reason:DWORD, reserved1:DWORD
        cmp     reason, DLL_PROCESS_ATTACH
        jne     @F                          ; not attach: straight to ret
        mov     eax, TRUE
@@:
        ret
DllEntry Endp
;-----------------------------------------------------------------------
; int HOOK_user32_MessageBoxA(HWND hwnd, LPCSTR text, LPCSTR about, UINT icon)
; Replacement for user32!MessageBoxA: a pure pass-through that re-issues the
; call through the Detoured_MessageBoxA trampoline (the original routine).
; Nothing is logged or altered; the caller sees the original's return value.
; Out:   eax = MessageBoxA result (passed through)
;-----------------------------------------------------------------------
HOOK_user32_MessageBoxA proc hwnd:DWORD, text:DWORD, about:DWORD, icon:DWORD
        mov     eax, Detoured_MessageBoxA   ; fetch the trampoline address first
        push    icon                        ; stdcall: right-to-left
        push    about
        push    text
        push    hwnd
        call    eax                         ; callee pops the four arguments
        ret                                 ; eax untouched by the epilogue
HOOK_user32_MessageBoxA endp
                        
;-----------------------------------------------------------------------
; HMODULE HOOK_kernel32_GetModuleHandleA(LPCSTR modulename)
; Replacement for kernel32!GetModuleHandleA: forwards the single argument to
; the original through the Detoured_GetModuleHandleA trampoline and returns
; its result unchanged. Nothing is logged or altered.
; Out:   eax = GetModuleHandleA result (passed through)
;-----------------------------------------------------------------------
HOOK_kernel32_GetModuleHandleA proc modulename:dword
        mov     eax, Detoured_GetModuleHandleA  ; trampoline address
        push    modulename
        call    eax                             ; callee pops its argument
        ret
HOOK_kernel32_GetModuleHandleA  endp

;-----------------------------------------------------------------------
; void HOOK_kernel32_ExitProcess(UINT exitcode)
; Replacement for kernel32!ExitProcess that ends the current process with
; TerminateProcess instead. -1 is the current-process pseudo-handle (what
; GetCurrentProcess returns). Unlike ExitProcess, TerminateProcess does not
; deliver DLL_PROCESS_DETACH to the DLLs loaded in the process, so their
; detach-time cleanup is skipped; the ret is only reached if the call fails.
;-----------------------------------------------------------------------
HOOK_kernel32_ExitProcess proc exitcode:dword
        push    exitcode                    ; uExitCode
        push    -1                          ; hProcess = current process
        call    TerminateProcess
        ret
HOOK_kernel32_ExitProcess endp



End DllEntry

-----------------------mydll.Inc-------------
; Prototypes for the routines and trampoline slots exported by mydll (see the
; .def below). The replacement routines take the same stdcall arguments as the
; API they stand in for; the Detoured_* names are data slots in the DLL, not
; code, even though they are declared with proto here.
HOOK_kernel32_GetModuleHandleA proto 
HOOK_user32_MessageBoxA proto
HOOK_kernel32_ExitProcess proto
Detoured_GetModuleHandleA proto
Detoured_MessageBoxA proto

------------------------mydll.Def-------------
EXPORTS
; HOOK_* are the replacement routines; Detoured_* are the writable slots the
; hooking engine fills with the original routines' addresses.
HOOK_user32_MessageBoxA
HOOK_kernel32_GetModuleHandleA
HOOK_kernel32_ExitProcess
Detoured_GetModuleHandleA 
Detoured_MessageBoxA