【文章标题】HOOK API续之模拟覆盖法 实例 AntiDesktop
【文章作者】nohacks(非安全,hacker0058)
【作者主页】blog.nohacks.net
【文章出处】看雪论坛(bbs.pediy.com)
这个小软件的作用是禁止程序创建虚拟桌面,防止此类软件,如防锁专家,幽灵网吧辅助工具等躲避计费软件(注:HideProcess.dll 为隐藏进程模块,因为采用病毒技术,可能会被杀毒软件查杀,不过没有它也不影响正常使用,只不过进程不能隐藏。)
软件的原理是勾住CreateDesktop这个API禁止创建虚拟桌面,小软件没啥技术含量,发表在这里只为做个备份,另外给大家参考参考,有什么错误或需要改正的地方请指出,谢谢!
软件分为DLL和调用程序两部分,先看DLL的主要代码:
代码:
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>;
; Programmed by nohacks, nohacks@163.com ;
; Website: http://blog.nohacks.net ;
; 编(MASM):HOOK API续之模拟覆盖法 实例 AntiDesktop ;
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>;
.486
.model flat,stdcall
option casemap:none
include hooklib.inc
new_CreateDesktopA proto :DWORD, :DWORD , :DWORD, :DWORD , :DWORD, :DWORD
new_CreateDesktopW proto :DWORD, :DWORD , :DWORD, :DWORD , :DWORD, :DWORD
; you code
.data
; Save buffers for the inline patches, one per hooked export.
; Initial contents: 16 bytes of 090h (x86 NOP) followed by
; 0E9h,0,0,0,0 (a JMP rel32 opcode with a zero displacement), 21 bytes
; in all. DllEntry passes this buffer to Hookapi together with the API
; address, and at DLL_PROCESS_DETACH WriteApi copies size_X bytes from
; here back to addres_X -- so after hooking the leading bytes must hold
; the original entry code Hookapi displaced. Presumably Hookapi also
; fixes up the JMP so the buffer can run as a trampoline into the rest
; of the original function; confirm against hooklib.inc (not shown).
old_CreateDesktopA db 090h,090h,090h,090h,090h,090h,090h,090h,\
090h,090h,090h,090h,090h,090h,090h,090h,\
0E9h,000h,000h,000h,000h
addres_CreateDesktopA dd 0   ; address of user32!CreateDesktopA, from GetAddress (DllEntry)
size_CreateDesktopA dd 0     ; value Hookapi returned; handed back to WriteApi on detach
old_CreateDesktopW db 090h,090h,090h,090h,090h,090h,090h,090h,\
090h,090h,090h,090h,090h,090h,090h,090h,\
0E9h,000h,000h,000h,000h
addres_CreateDesktopW dd 0   ; address of user32!CreateDesktopW, from GetAddress (DllEntry)
size_CreateDesktopW dd 0     ; value Hookapi returned; handed back to WriteApi on detach
; your code
; shared part
hInstance dd 0               ; this DLL's module handle, stored at DLL_PROCESS_ATTACH; used by InstallHook
bakapi dd 0                  ; not referenced anywhere in this listing
.data?
hHook dd ?                   ; WH_GETMESSAGE hook handle: set by InstallHook, read by GetMsgProc/UninstallHook
hWnd dd ?                    ; not referenced anywhere in this listing
.code
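DllEntry proc hInst:HINSTANCE, reason:DWORD, reserved1:DWORD
    ; BOOL DllEntry(HINSTANCE hInst, DWORD reason, LPVOID reserved1)
    ; DLL entry point (named in the End directive); runs in every
    ; process this DLL gets mapped into.
    ;   DLL_PROCESS_ATTACH: remembers hInst, resolves user32!CreateDesktopA
    ;     and CreateDesktopW and hands each address to Hookapi together
    ;     with its replacement (new_CreateDesktopX) and its save buffer
    ;     (old_CreateDesktopX); Hookapi's return value is kept in size_X.
    ;   DLL_PROCESS_DETACH: WriteApi writes size_X bytes from old_X back
    ;     to addres_X, undoing the patch.
    ; GetAddress/Hookapi/WriteApi come from hooklib.inc (not shown here).
    ; Assumed, confirm in hooklib.inc: GetAddress returns 0 for an export
    ; it cannot resolve, and Hookapi returns 0 when it patched nothing.
    ; Without the guards below a failed lookup would hand address 0 to
    ; Hookapi as the patch target, and detach would "restore" over it.
    ; Out: eax = TRUE always. reserved1 is unused.
    .if reason==DLL_PROCESS_ATTACH
        push hInst
        pop hInstance
        ; Adjust the following lines to the API actually being hooked.
        ; --- CreateDesktopA ---
        invoke GetAddress,CTEXT("user32.dll"),CTEXT("CreateDesktopA")
        mov addres_CreateDesktopA,eax
        .if eax != 0                      ; only patch a resolved address
            invoke Hookapi, addres_CreateDesktopA,addr new_CreateDesktopA,addr old_CreateDesktopA
            mov size_CreateDesktopA,eax
        .endif
        ; --- CreateDesktopW ---
        invoke GetAddress,CTEXT("user32.dll"),CTEXT("CreateDesktopW")
        mov addres_CreateDesktopW,eax
        .if eax != 0                      ; only patch a resolved address
            invoke Hookapi, addres_CreateDesktopW,addr new_CreateDesktopW,addr old_CreateDesktopW
            mov size_CreateDesktopW,eax
        .endif
        ; your code
    .elseif reason==DLL_PROCESS_DETACH
        ; Restore only what was actually patched: size_X is initialised
        ; to 0 in .data and stays 0 when the attach path skipped the hook.
        .if size_CreateDesktopA != 0
            invoke WriteApi,addres_CreateDesktopA,addr old_CreateDesktopA,size_CreateDesktopA
        .endif
        .if size_CreateDesktopW != 0
            invoke WriteApi,addres_CreateDesktopW,addr old_CreateDesktopW,size_CreateDesktopW
        .endif
        ; your code
    .endif
    mov eax,TRUE
    ret
DllEntry Endp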
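GetMsgProc proc nCode:DWORD,wParam:DWORD,lParam:DWORD
    ; LRESULT GetMsgProc(int nCode, WPARAM wParam, LPARAM lParam)
    ; WH_GETMESSAGE hook procedure. It does nothing with the message;
    ; the hook's only purpose is to have this DLL loaded into the
    ; processes the hook reaches (see InstallHook), where DllEntry
    ; installs the patches.
    ; The value of CallNextHookEx is returned unchanged: for nCode < 0 the
    ; hook contract requires this, and for other codes it keeps further
    ; WH_GETMESSAGE hooks in the chain working. Returning a fixed TRUE
    ; instead discards that value.
    ; Out: eax = CallNextHookEx result.
    invoke CallNextHookEx,hHook,nCode,wParam,lParam
    ret
GetMsgProc endp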
InstallHook proc Hwnd:dword
    ; HHOOK InstallHook(HWND Hwnd)   -- exported, stdcall (returns with ret 4)
    ; Installs a WH_GETMESSAGE hook with thread id NULL, i.e. for all
    ; threads on the desktop, with GetMsgProc in this module (hInstance,
    ; recorded by DllEntry) as the hook procedure.
    ; Hwnd is part of the exported signature but is not used.
    ; Out: eax = hook handle (also stored in hHook); NULL if
    ;      SetWindowsHookEx failed, in which case hHook becomes NULL too.
    invoke SetWindowsHookEx,WH_GETMESSAGE,addr GetMsgProc,hInstance,NULL
    push eax
    pop hHook                   ; hHook = handle; eax still carries it to the caller
    ret
InstallHook endp
UninstallHook proc
    ; BOOL UninstallHook(void)   -- exported
    ; Removes the hook installed by InstallHook. hHook is passed as-is
    ; and is not cleared afterwards.
    ; Out: eax = UnhookWindowsHookEx result.
    push hHook
    call UnhookWindowsHookEx
    ret
UninstallHook endp
new_CreateDesktopA proc uses ebx edi esi,lpszDesktop:DWORD,lpszDevice:DWORD,pDevmode:DWORD,dwFlags:DWORD,dwDesiredAccess:DWORD,lpsa:DWORD
    ; Replacement for user32!CreateDesktopA; DllEntry hands its address
    ; to Hookapi, which presumably redirects the real export here.
    ; Same six-DWORD stdcall frame as CreateDesktopA. Every argument is
    ; ignored and the original is never reached, so no desktop is
    ; created; the caller receives TRUE (1), which is not a real HDESK.
    ; The uses list saves/restores ebx, edi, esi although nothing here
    ; touches them.
    xor eax,eax
    inc eax                     ; eax = TRUE
    ret
new_CreateDesktopA endp
new_CreateDesktopW proc uses ebx edi esi,lpszDesktop:DWORD,lpszDevice:DWORD,pDevmode:DWORD,dwFlags:DWORD,dwDesiredAccess:DWORD,lpsa:DWORD
    ; Replacement for user32!CreateDesktopW; DllEntry hands its address
    ; to Hookapi, which presumably redirects the real export here.
    ; Same six-DWORD stdcall frame as CreateDesktopW. Every argument is
    ; ignored and the original is never reached, so no desktop is
    ; created; the caller receives TRUE (1), which is not a real HDESK.
    ; The uses list saves/restores ebx, edi, esi although nothing here
    ; touches them.
    xor eax,eax
    inc eax                     ; eax = TRUE
    ret
new_CreateDesktopW endp
; you code
End DllEntry
代码:
.486
.model flat,stdcall
option casemap:none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include 数据
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include windows.inc
include kernel32.inc
includelib kernel32.lib
include user32.inc
includelib user32.lib
include debug.inc
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 数据段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data
; Name of the mutex used as the single-instance guard in start; any
; string unique to this program would do.
szMutex db "http://hi.baidu.com/nohacks",0
.data?
hInstance HINSTANCE ?    ; own module handle, set in start; not read anywhere in this listing
CommandLine LPSTR ?      ; GetCommandLine result, set in start; not read anywhere in this listing
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 代码段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
;************************************************************
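GetApi proc DllNameAddress:DWORD,ApiNameAddress:DWORD
    ; FARPROC GetApi(LPCSTR DllNameAddress, LPCSTR ApiNameAddress)
    ; Resolves an export: reuses the module if it is already mapped,
    ; otherwise loads it by name, then looks the export up.
    ; Out: eax = procedure address; NULL when the module could not be
    ;      obtained or the export does not exist. GetProcAddress is not
    ;      called with a NULL module.
    ; NOTE(review): the module is named without a path, so LoadLibrary
    ; finds it through the default DLL search order; a full path would
    ; pin which file is loaded.
    invoke GetModuleHandle,DllNameAddress     ; already loaded?
    .if eax==NULL
        invoke LoadLibrary,DllNameAddress     ; no: load it
    .endif
    .if eax!=NULL                             ; eax stays NULL otherwise
        invoke GetProcAddress,eax,ApiNameAddress
    .endif
    ret
GetApi endp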
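whileStar PROC
    LOCAL @stMsg:MSG
    ; void whileStar(void)
    ; Message pump: GetMessage/TranslateMessage/DispatchMessage until
    ; GetMessage returns 0 (WM_QUIT) or -1 (error). Looping only on
    ; `!eax` would spin forever if GetMessage kept returning -1; the
    ; signed `<= 0` test follows the documented usage.
msg_loop:
    invoke GetMessage,addr @stMsg,NULL,0,0
    test eax,eax
    jle msg_done                ; eax <= 0 (signed): quit or error
    invoke TranslateMessage,addr @stMsg
    invoke DispatchMessage,addr @stMsg
    jmp msg_loop
msg_done:
    ret
whileStar endp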
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 程序开始
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
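start:
    ; Program entry. Single-instance guard via a named mutex; then the
    ; hook DLL is loaded by name and its InstallHook export is called;
    ; HideProcess.dll is tried the same way (optional: its absence just
    ; skips the call); then the message loop runs and the process exits.
    invoke GetModuleHandle,NULL
    mov hInstance,eax                         ; stored, not used further here
    invoke GetCommandLine
    mov CommandLine,eax                       ; stored, not used further here
    invoke CreateMutex,NULL,FALSE,addr szMutex
    invoke GetLastError
    .if eax == ERROR_ALREADY_EXISTS           ; another instance owns the mutex
        invoke ExitProcess,NULL
    .endif
    invoke GetApi,CTEXT("antidesktop.dll"),CTEXT("InstallHook")
    .if eax!=0
        ; InstallHook is defined in the DLL source as
        ; `InstallHook proc Hwnd:dword` under .model flat,stdcall, so it
        ; returns with `ret 4`. Calling it without pushing that argument
        ; leaves esp 4 bytes too high for the rest of this routine.
        push NULL                             ; Hwnd (not used by InstallHook)
        call eax
    .endif
    invoke GetApi,CTEXT("HideProcess.dll"),CTEXT("HideProcess")
    .if eax!=0
        ; hide the process. HideProcess's signature is not visible here;
        ; if it takes stdcall arguments the same stack imbalance applies
        ; -- check its export before relying on esp after this call.
        call eax
    .endif
    invoke whileStar                          ; message loop until GetMessage returns 0 or -1
    invoke ExitProcess,NULL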
;********************************************************************
end start
编译环境: RADASM+MASM9.0