【文章标题】HOOK API续之模拟覆盖法 实例 AntiDesktop
【文章作者】nohacks(非安全,hacker0058)
【作者主页】blog.nohacks.net
【文章出处】看雪论坛(bbs.pediy.com)
这个小软件的作用是禁止程序创建虚拟桌面,防止此类软件,如防锁专家,幽灵网吧辅助工具等躲避计费软件(注:HideProcess.dll 为隐藏进程模块,因为采用病毒技术,可能会被杀毒软件查杀,不过没有它也不影响正常使用,只不过进程不能隐藏。)
软件的原理是勾住CreateDesktop这个API禁止创建虚拟桌面,小软件没啥技术含量,发表在这里只为做个备份,另外给大家参考参考,有什么错误或需要改正的地方请指出,谢谢!
软件分DLL和调用部分,先看DLL的主要代码:
代码:
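;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>;
; Programmed by nohacks, nohacks@163.com
; Website: http://blog.nohacks.net
; MASM: HOOK API, continued - the simulated-overwrite method, example AntiDesktop
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>;
;
; antidesktop.dll
;
; Purpose: the EXE calls InstallHook, which registers a system-wide
; WH_GETMESSAGE hook; Windows then maps this DLL into every process that
; pumps a message queue.  In each such process DLL_PROCESS_ATTACH resolves
; user32!CreateDesktopA / CreateDesktopW and hands them to Hookapi, which
; (judging by the 0E9h JMP placeholder in the buffers below) redirects the
; entry point to new_CreateDesktopA / new_CreateDesktopW.  Those replacements
; never reach the real function, so no virtual desktop can be created.
; DLL_PROCESS_DETACH writes the saved bytes back.
;
; ABI: Win32 x86, stdcall.  GetAddress / Hookapi / WriteApi come from
; hooklib.inc; the conventions below are inferred from how they are used here
; and should be confirmed against hooklib.inc:
;   GetAddress(dll, api)            -> eax = address of api (0 if unresolved)
;   Hookapi(target, new, oldbuf)    -> eax = byte count stored as size_*
;   WriteApi(target, oldbuf, size)  -> restores `size` bytes at target
;
; Coverage note: only processes that receive the hook (GUI threads with a
; message queue) carry the patch; a process without one is not covered.

.486
.model flat,stdcall
option casemap:none

include hooklib.inc

new_CreateDesktopA proto :DWORD, :DWORD, :DWORD, :DWORD, :DWORD, :DWORD
new_CreateDesktopW proto :DWORD, :DWORD, :DWORD, :DWORD, :DWORD, :DWORD

; your code here

.data
; One triple per hooked API:
;   old_*    - 21-byte buffer passed to Hookapi: 16 x NOP then a 5-byte
;              JMP rel32 placeholder.  The layout suggests hooklib builds a
;              trampoline here (displaced original bytes + jump back); it is
;              not called from this file.  Confirm against hooklib.inc.
;   addres_* - resolved address of the real API, 0 if GetAddress failed
;   size_*   - value returned by Hookapi, passed back to WriteApi on detach
old_CreateDesktopA      db 090h,090h,090h,090h,090h,090h,090h,090h,\
                           090h,090h,090h,090h,090h,090h,090h,090h,\
                           0E9h,000h,000h,000h,000h
addres_CreateDesktopA   dd 0
size_CreateDesktopA     dd 0

old_CreateDesktopW      db 090h,090h,090h,090h,090h,090h,090h,090h,\
                           090h,090h,090h,090h,090h,090h,090h,090h,\
                           0E9h,000h,000h,000h,000h
addres_CreateDesktopW   dd 0
size_CreateDesktopW     dd 0
; your code here

; shared part
hInstance               dd 0            ; this DLL's module handle (SetWindowsHookEx needs it)
bakapi                  dd 0            ; not referenced in this file; kept for the template

.data?
hHook                   dd ?            ; handle from SetWindowsHookEx, released by UninstallHook
hWnd                    dd ?            ; not referenced in this file

.code

;-----------------------------------------------------------------------
; BOOL DllEntry(HINSTANCE hInst, DWORD reason, LPVOID reserved1)
; Applies the inline patches on attach and restores the saved bytes on
; detach.  Always returns TRUE so the load is never refused.
; Clobbers: eax (plus whatever GetAddress/Hookapi/WriteApi clobber).
;-----------------------------------------------------------------------
DllEntry proc hInst:HINSTANCE, reason:DWORD, reserved1:DWORD
    .if reason == DLL_PROCESS_ATTACH            ; raised when the DLL is loaded
        push    hInst
        pop     hInstance

        ; Adjust the following lines for the API actually being hooked.
        ; CreateDesktopA part
        invoke  GetAddress, CTEXT("user32.dll"), CTEXT("CreateDesktopA")
        mov     addres_CreateDesktopA, eax
        .if eax != 0                            ; never patch address 0
            invoke  Hookapi, addres_CreateDesktopA, addr new_CreateDesktopA, addr old_CreateDesktopA
            mov     size_CreateDesktopA, eax
        .endif

        ; CreateDesktopW part
        invoke  GetAddress, CTEXT("user32.dll"), CTEXT("CreateDesktopW")
        mov     addres_CreateDesktopW, eax
        .if eax != 0
            invoke  Hookapi, addres_CreateDesktopW, addr new_CreateDesktopW, addr old_CreateDesktopW
            mov     size_CreateDesktopW, eax
        .endif
        ; your code here

    .elseif reason == DLL_PROCESS_DETACH
        ; Restore only where a target was actually resolved; with an address
        ; of 0 nothing was patched and WriteApi must not be called.
        .if addres_CreateDesktopA != 0
            invoke  WriteApi, addres_CreateDesktopA, addr old_CreateDesktopA, size_CreateDesktopA
        .endif
        .if addres_CreateDesktopW != 0
            invoke  WriteApi, addres_CreateDesktopW, addr old_CreateDesktopW, size_CreateDesktopW
        .endif
        ; your code here
    .endif

    mov     eax, TRUE
    ret
DllEntry endp

;-----------------------------------------------------------------------
; LRESULT GetMsgProc(int nCode, WPARAM wParam, LPARAM lParam)
; WH_GETMESSAGE hook procedure.  It does no work of its own: the hook exists
; only so that the loader maps this DLL into other message-pumping processes.
; Returns the value of CallNextHookEx, as the hook contract requires, rather
; than a constant TRUE - overriding it would hide the result from other
; WH_GETMESSAGE hooks in the chain.
;-----------------------------------------------------------------------
GetMsgProc proc nCode:DWORD, wParam:DWORD, lParam:DWORD
    invoke  CallNextHookEx, hHook, nCode, wParam, lParam
    ret                                         ; eax = CallNextHookEx result
GetMsgProc endp

;-----------------------------------------------------------------------
; HHOOK InstallHook(HWND Hwnd)
; Installs a system-wide WH_GETMESSAGE hook (dwThreadId = NULL).
; Hwnd is not used; it is kept so the stdcall `ret 4` still matches callers
; that push one argument.
; Returns eax = hook handle (0 on failure); also stored in hHook.
;-----------------------------------------------------------------------
InstallHook proc Hwnd:DWORD
    invoke  SetWindowsHookEx, WH_GETMESSAGE, addr GetMsgProc, hInstance, NULL
    mov     hHook, eax
    ret
InstallHook endp

;-----------------------------------------------------------------------
; BOOL UninstallHook(void)
; Removes the hook installed by InstallHook and clears hHook.
; Returns eax = result of UnhookWindowsHookEx, or FALSE when no hook is set
; (which is what UnhookWindowsHookEx(NULL) would have reported anyway).
;-----------------------------------------------------------------------
UninstallHook proc
    .if hHook != 0
        invoke  UnhookWindowsHookEx, hHook
        mov     hHook, 0                        ; do not unhook twice
    .else
        xor     eax, eax                        ; FALSE: nothing to remove
    .endif
    ret
UninstallHook endp

;-----------------------------------------------------------------------
; Replacements for user32!CreateDesktopA / CreateDesktopW.
; Control arrives here through the patched entry point; the real function is
; never called, so no desktop is created.  Six DWORD parameters mirror
; CreateDesktop's signature so the stdcall epilogue pops exactly what the
; caller pushed.  `uses ebx edi esi` keeps the callee-saved registers intact
; for the caller even though the body touches none of them.
; Returns eax = TRUE (1), as the original author chose.
; NOTE(review): 1 is not a valid HDESK.  A caller that tests the handle will
; treat the call as successful and later fail inside SwitchDesktop/
; CloseDesktop; returning NULL after SetLastError(ERROR_ACCESS_DENIED) would
; report the denial through the documented contract instead.  Confirm which
; behaviour the billing scenario needs before changing it.
;-----------------------------------------------------------------------
new_CreateDesktopA proc uses ebx edi esi, as:DWORD, bs:DWORD, cd:DWORD, ps:DWORD, ys:DWORD, hs:DWORD
    mov     eax, TRUE
    ret
new_CreateDesktopA endp

new_CreateDesktopW proc uses ebx edi esi, as:DWORD, bs:DWORD, cd:DWORD, ps:DWORD, ys:DWORD, hs:DWORD
    mov     eax, TRUE
    ret
new_CreateDesktopW endp

; your code here

End DllEntry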
代码:
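.486
.model flat,stdcall
option casemap:none

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Includes
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include windows.inc
include kernel32.inc
includelib kernel32.lib
include user32.inc
includelib user32.lib
include debug.inc

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Data
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data
szMutex     db "http://hi.baidu.com/nohacks",0  ; single-instance mutex name

.data?
hInstance   HINSTANCE ?
CommandLine LPSTR ?                             ; stored but not otherwise used

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code

;************************************************************
; FARPROC GetApi(LPCSTR DllNameAddress, LPCSTR ApiNameAddress)
; Resolves an export, loading the module first if it is not yet mapped.
; Returns eax = procedure address, or 0 when the module cannot be loaded or
; the export does not exist.  (The original fell through to GetProcAddress
; with a NULL module when LoadLibrary failed.)
; Note: the module is named by bare file name, so the default DLL search
; order decides which file is loaded; use a full path if the directories on
; that order are not trusted.
;************************************************************
GetApi proc DllNameAddress:DWORD, ApiNameAddress:DWORD
    invoke  GetModuleHandle, DllNameAddress     ; already mapped?
    .if eax == NULL
        invoke  LoadLibrary, DllNameAddress     ; no: load it now
        .if eax == NULL
            ret                                 ; eax = 0: module unavailable
        .endif
    .endif
    invoke  GetProcAddress, eax, ApiNameAddress ; eax = export address or 0
    ret
GetApi endp

;************************************************************
; void whileStar(void)
; Standard message pump.  Leaves on WM_QUIT (GetMessage returns 0) and also
; on error (GetMessage returns -1); testing only for 0 would spin forever
; after an error.
;************************************************************
whileStar proc
    LOCAL @stMsg:MSG
    .while TRUE
        invoke  GetMessage, addr @stMsg, NULL, 0, 0
        .break .if (eax == 0) || (eax == -1)
        invoke  TranslateMessage, addr @stMsg
        invoke  DispatchMessage, addr @stMsg
    .endw
    ret
whileStar endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Program entry
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
start:
    invoke  GetModuleHandle, NULL
    mov     hInstance, eax
    invoke  GetCommandLine
    mov     CommandLine, eax

    ; Single instance: if the named mutex already exists another copy is
    ; running, so this one exits.  The handle is intentionally not stored;
    ; it lives until ExitProcess.
    invoke  CreateMutex, NULL, FALSE, addr szMutex
    invoke  GetLastError
    .if eax == ERROR_ALREADY_EXISTS
        invoke  ExitProcess, NULL
    .endif

    ; Install the global hook exported by antidesktop.dll.  InstallHook is
    ; stdcall with one DWORD parameter (Hwnd, unused by the DLL), so exactly
    ; one argument must be pushed before the indirect call; without it the
    ; callee's `ret 4` leaves esp 4 bytes off for the rest of this routine.
    invoke  GetApi, CTEXT("antidesktop.dll"), CTEXT("InstallHook")
    .if eax != 0
        push    NULL                            ; Hwnd argument
        call    eax
    .endif

    ; Optional process hiding.  The export's signature is not shown here; it
    ; is called with no arguments as in the original, so if HideProcess takes
    ; parameters this call unbalances the stack - verify against the DLL.
    ; The tool works without this module, the process is simply visible.
    invoke  GetApi, CTEXT("HideProcess.dll"), CTEXT("HideProcess")
    .if eax != 0
        call    eax
    .endif

    invoke  whileStar                           ; message loop until quit
    invoke  ExitProcess, NULL
;********************************************************************
end start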
编译环境: RADASM+MASM9.0