windows api 被木马hook了怎样恢复?


在安全模式下删除木马的 dll。

你都知道是hook的

你只要找到木马的运行文件并清除,系统就恢复正常了(前提是系统文件没有被篡改)。

如果系统文件被篡改了,就得找到被篡改的文件,用正常的文件替换回去。

hook API 有几种方式:

1、导入表 hook:枚举导入表,找到对应的表项,把函数指针替换掉即可。只靠 API 加算法就能完成,因此 C# 也可以通过调用 API 来实现。

2、inline hook:找到函数地址,在函数开头写入跳转指令跳到新位置;新位置的代码执行完后可以选择调用原函数,调用原函数前先执行被覆盖掉的那几条原始指令,再跳转到原函数剩余的指令上。同样只靠 API 加算法就能完成,因此 C# 也可以通过调用 API 来实现。

主要看第一个窗体类,其他两个类是我封装的 Windows API。

using System

using System.Collections.Generic

using System.ComponentModel

using System.Data

using System.Drawing

using System.Text

using System.Windows.Forms

using System.Runtime.InteropServices

namespace HookDemo

{

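/// <summary>
/// Demo form: polls for a Notepad window once a second and, while that window
/// is in the foreground, installs a low-level mouse hook that swallows
/// WM_MOUSEMOVE events whose cursor position falls outside the window.
/// </summary>
public partial class Form1 : Form
{
    /// <summary>One-second poll driving <see cref="TimeProc"/>.</summary>
    private readonly System.Windows.Forms.Timer monitorTimer;

    /// <summary>Wrapper owning the WH_MOUSE_LL hook.</summary>
    private readonly Kits.Hook.WinHook mouseHook;

    /// <summary>Handle of the Notepad window found on the last tick; IntPtr.Zero when none.</summary>
    private IntPtr _targetHwnd = IntPtr.Zero;

    public Form1()
    {
        InitializeComponent();

        this.monitorTimer = new System.Windows.Forms.Timer();
        this.monitorTimer.Interval = 1000;
        this.monitorTimer.Tick += new EventHandler(this.TimeProc);

        this.mouseHook = new Kits.Hook.WinHook(Kits.Win32API.HookType.WH_MOUSE_LL);

        // The hook stays installed until UnhookWindowsHookEx is called or the
        // process exits, so tie its removal to the form's lifetime.
        this.FormClosed += new FormClosedEventHandler(this.Form1_FormClosed);
    }

    private void Form1_Load(object sender, EventArgs e)
    {
        this.WindowState = FormWindowState.Minimized;
        this.monitorTimer.Enabled = true;
    }

    private void Form1_FormClosed(object sender, FormClosedEventArgs e)
    {
        this.monitorTimer.Enabled = false;
        RemoveMouseHook();
    }

    /// <summary>
    /// Timer callback: installs the hook while Notepad is the foreground window
    /// and removes it otherwise.
    /// </summary>
    private void TimeProc(object sender, EventArgs e)
    {
        _targetHwnd = Kits.Win32API.WinAPI.FindWindow("Notepad", null);

        bool notepadInForeground = _targetHwnd != IntPtr.Zero
            && _targetHwnd == Kits.Win32API.WinAPI.GetForegroundWindow();

        if (notepadInForeground)
        {
            // WinHook ignores this call while a hook is already installed.
            mouseHook.SetWindowsHookEx(new Kits.Win32API.HookProc(this.MouseHookProc));
        }
        else
        {
            // Also covers Notepad having been closed while hooked. The original only
            // unhooked when the window still existed, so the hook stayed installed with
            // a zero handle and GetWindowRect's all-zero rectangle made MouseHookProc
            // swallow every mouse move on the desktop.
            RemoveMouseHook();
        }
    }

    /// <summary>Removes the mouse hook if it is currently installed.</summary>
    private void RemoveMouseHook()
    {
        if (mouseHook.HHook != 0)
        {
            mouseHook.UnhookWindowsHookEx();
        }
    }

    /// <summary>
    /// WH_MOUSE_LL callback. Swallows WM_MOUSEMOVE when the cursor is outside
    /// the tracked window's rectangle; everything else is passed down the chain.
    /// </summary>
    /// <param name="nCode">Hook code; negative values are forwarded untouched, as the hook contract requires.</param>
    /// <param name="wParam">Mouse message identifier (WM_*).</param>
    /// <param name="lParam">Pointer to the MSLLHOOKSTRUCT for this event.</param>
    /// <returns>-1 to swallow the event, otherwise the result of CallNextHookEx.</returns>
    private int MouseHookProc(int nCode, IntPtr wParam, IntPtr lParam)
    {
        bool isMouseMove = wParam == new IntPtr((int)Kits.Win32API.WindowsMessages.WM_MOUSEMOVE);

        if (nCode >= 0 && isMouseMove && _targetHwnd != IntPtr.Zero)
        {
            // WH_MOUSE_LL supplies an MSLLHOOKSTRUCT (MouseLLHookStruct); the original
            // marshalled a MouseHookStruct, which only happened to work because both
            // records begin with POINT pt.
            Kits.Win32API.MouseLLHookStruct info = (Kits.Win32API.MouseLLHookStruct)
                Marshal.PtrToStructure(lParam, typeof(Kits.Win32API.MouseLLHookStruct));

            Kits.Win32API.CSharpRect rect = new Kits.Win32API.CSharpRect();

            // Only classify against a rectangle the API actually filled in; on failure
            // rect stays all zeros and every point would count as outside.
            if (Kits.Win32API.WinAPI.GetWindowRect(_targetHwnd, ref rect) != 0
                && IsOutside(info.pt, rect))
            {
                return -1;
            }
        }

        return Kits.Win32API.WinAPI.CallNextHookEx(mouseHook.HHook, nCode, wParam, lParam);
    }

    /// <summary>
    /// True when <paramref name="pt"/> lies on or beyond any edge of <paramref name="rect"/>
    /// (edges count as outside, matching the original &lt;= / &gt;= comparisons).
    /// </summary>
    private static bool IsOutside(Kits.Win32API.POINT pt, Kits.Win32API.CSharpRect rect)
    {
        return pt.x >= rect.right
            || pt.x <= rect.left
            || pt.y <= rect.top
            || pt.y >= rect.bottom;
    }
}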

}

using System

using System.Collections.Generic

using System.Text

using System.Runtime.InteropServices

namespace Kits.Win32API

{

/// <summary>
/// Signature of every hook callback installed through <c>WinAPI.SetWindowsHookEx</c>
/// (HOOKPROC in Win32).
/// </summary>
/// <param name="nCode">Hook code; negative values must be forwarded to <c>CallNextHookEx</c> unprocessed.</param>
/// <param name="wParam">Hook-specific; for mouse hooks the WM_* message identifier.</param>
/// <param name="lParam">Pointer to the hook-specific record (e.g. <c>MouseLLHookStruct</c> for WH_MOUSE_LL).</param>
/// <returns>Value returned to the system; for mouse/keyboard hooks a non-zero result swallows the event.</returns>
public delegate int HookProc(int nCode, IntPtr wParam, IntPtr lParam);

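/// <summary>
/// P/Invoke declarations from user32/kernel32 used by the hook demo.
/// </summary>
/// <remarks>
/// Hook handles (HHOOK) are declared as <c>int</c> to match the callers in this
/// listing; that truncates a pointer-sized handle in a 64-bit process, so new
/// code should move to <see cref="IntPtr"/>. Parameter names are kept as
/// declared: <c>idHook</c> on UnhookWindowsHookEx / CallNextHookEx is the hook
/// handle returned by SetWindowsHookEx, not a WH_* type.
/// <c>SetLastError = true</c> is set on every import so a failed call can be
/// diagnosed with <see cref="Marshal.GetLastWin32Error"/>; the library name is
/// spelled uniformly as "user32.dll".
/// </remarks>
public class WinAPI
{
    /// <summary>Installs a hook procedure; returns the HHOOK, or 0 on failure.</summary>
    [DllImport("user32.dll", CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
    public static extern int SetWindowsHookEx(int idHook, HookProc lpfn, IntPtr hInstance, int threadId);

    /// <summary>Removes the hook identified by the handle from <see cref="SetWindowsHookEx"/>.</summary>
    [DllImport("user32.dll", CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
    public static extern bool UnhookWindowsHookEx(int idHook);

    /// <summary>Passes the event to the next hook in the chain.</summary>
    [DllImport("user32.dll", CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
    public static extern int CallNextHookEx(int idHook, int nCode, IntPtr wParam, IntPtr lParam);

    [DllImport("kernel32.dll", CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
    private static extern IntPtr GetModuleHandle(string lpModuleName);

    /// <summary>Finds a top-level window by class name and/or title; either may be null.</summary>
    [DllImport("user32.dll", SetLastError = true)]
    public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);

    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool SetForegroundWindow(IntPtr hWnd);

    [DllImport("user32.dll", SetLastError = true)]
    public static extern void keybd_event(byte bVk, byte bScan, int dwFlags, int dwExtraInfo);

    [DllImport("user32.dll", SetLastError = true)]
    public static extern IntPtr GetActiveWindow();

    [DllImport("user32.dll", SetLastError = true)]
    public static extern IntPtr GetForegroundWindow();

    /// <summary>Fills <paramref name="lpRect"/> with the window's screen rectangle; returns non-zero on success.</summary>
    [DllImport("user32.dll", SetLastError = true)]
    public static extern int GetWindowRect(IntPtr hwnd, ref CSharpRect lpRect);

    [DllImport("user32.dll", SetLastError = true)]
    public static extern int SetCaretPos(int x, int y);

    [DllImport("user32.dll", SetLastError = true)]
    public static extern int ScreenToClient(IntPtr hwnd, ref POINTAPI lpPoint);

    [DllImport("user32.dll", SetLastError = true)]
    public static extern int ClientToScreen(IntPtr hwnd, ref POINTAPI lpPoint);

    [DllImport("user32.dll", SetLastError = true)]
    public static extern int SetCursorPos(int x, int y);
}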

/// <summary>
/// Managed mirror of the Win32 POINT structure as a value type, used by the
/// <c>ScreenToClient</c> / <c>ClientToScreen</c> imports.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
public struct POINTAPI
{
    /// <summary>Horizontal coordinate.</summary>
    public int x;

    /// <summary>Vertical coordinate.</summary>
    public int y;
}

/// <summary>
/// Rectangle with 64-bit edges. Not used by the hook demo; kept for compatibility.
/// </summary>
/// <remarks>
/// Win32's RECT is four 32-bit LONG members, so this struct is twice the native
/// size and must not be passed to <c>GetWindowRect</c>; that import takes
/// <see cref="CSharpRect"/>.
/// </remarks>
[StructLayout(LayoutKind.Sequential)]
public struct RECT
{
    public long left;
    public long top;
    public long right;
    public long bottom;
}

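/// <summary>
/// Managed mirror of the Win32 RECT structure, filled in by <c>WinAPI.GetWindowRect</c>.
/// </summary>
/// <remarks>
/// Field order matters: the unmanaged RECT is laid out left, top, right, bottom.
/// The original declaration listed top before left, so GetWindowRect wrote the
/// window's left edge into <c>top</c> and its top edge into <c>left</c>,
/// silently swapping the two values for every caller.
/// </remarks>
[StructLayout(LayoutKind.Sequential)]
public struct CSharpRect
{
    /// <summary>X of the left edge, in screen pixels.</summary>
    public int left;

    /// <summary>Y of the top edge, in screen pixels.</summary>
    public int top;

    /// <summary>X of the right edge (exclusive), in screen pixels.</summary>
    public int right;

    /// <summary>Y of the bottom edge (exclusive), in screen pixels.</summary>
    public int bottom;
}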

/// <summary>
/// Hook type identifiers (WH_*) accepted as the first argument of
/// <c>WinAPI.SetWindowsHookEx</c>.
/// </summary>
public enum HookType : int
{
    WH_JOURNALRECORD = 0,
    WH_JOURNALPLAYBACK = 1,
    WH_KEYBOARD = 2,
    WH_GETMESSAGE = 3,
    WH_CALLWNDPROC = 4,
    WH_CBT = 5,
    WH_SYSMSGFILTER = 6,
    WH_MOUSE = 7,
    WH_HARDWARE = 8,
    WH_DEBUG = 9,
    WH_SHELL = 10,
    WH_FOREGROUNDIDLE = 11,
    WH_CALLWNDPROCRET = 12,

    /// <summary>Low-level keyboard hook; its lParam record matches <c>KeyboardHookStruct</c>.</summary>
    WH_KEYBOARD_LL = 13,

    /// <summary>Low-level mouse hook; its lParam record matches <c>MouseLLHookStruct</c>.</summary>
    WH_MOUSE_LL = 14
}

/// <summary>
/// Managed mirror of the Win32 POINT structure as a formatted class, embedded
/// at the start of the mouse hook records.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
public class POINT
{
    /// <summary>Horizontal coordinate, in screen pixels for hook records.</summary>
    public int x;

    /// <summary>Vertical coordinate, in screen pixels for hook records.</summary>
    public int y;
}

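/// <summary>
/// Managed mirror of MOUSEHOOKSTRUCT, the record a WH_MOUSE hook (not WH_MOUSE_LL)
/// receives through <c>lParam</c>. WH_MOUSE_LL callbacks should read
/// <see cref="MouseLLHookStruct"/> instead.
/// </summary>
/// <remarks>
/// Native layout is <c>POINT pt; HWND hwnd; UINT wHitTestCode; ULONG_PTR dwExtraInfo</c>.
/// The original declaration omitted <c>hwnd</c>, so <c>wHitTestCode</c> was read
/// from the handle's bytes. <c>dwExtraInfo</c> is pointer-sized natively; it stays
/// <c>int</c> here for compatibility and is only laid out correctly in a 32-bit process.
/// </remarks>
[StructLayout(LayoutKind.Sequential)]
public class MouseHookStruct
{
    /// <summary>Cursor position in screen coordinates.</summary>
    public POINT pt;

    /// <summary>Window that will receive the mouse message.</summary>
    public IntPtr hwnd;

    /// <summary>Hit-test code (HT*) for the cursor position.</summary>
    public int wHitTestCode;

    /// <summary>Extra information associated with the message (see remarks on width).</summary>
    public int dwExtraInfo;
}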

/// <summary>
/// Managed mirror of MSLLHOOKSTRUCT, the record a WH_MOUSE_LL hook receives
/// through <c>lParam</c>.
/// </summary>
/// <remarks>
/// Native layout is <c>POINT pt; DWORD mouseData; DWORD flags; DWORD time; ULONG_PTR dwExtraInfo</c>.
/// <c>dwExtraInfo</c> is pointer-sized natively and declared <c>int</c> here; as the
/// last field this only affects its own value, not the fields before it.
/// </remarks>
[StructLayout(LayoutKind.Sequential)]
public class MouseLLHookStruct
{
    /// <summary>Cursor position in screen coordinates.</summary>
    public POINT pt;

    /// <summary>Wheel delta or X-button identifier, depending on the message.</summary>
    public int mouseData;

    /// <summary>Event flags (injected-input bits live here).</summary>
    public int flags;

    /// <summary>Message time stamp.</summary>
    public int time;

    /// <summary>Extra information associated with the message (see remarks on width).</summary>
    public int dwExtraInfo;
}

/// <summary>
/// Managed mirror of KBDLLHOOKSTRUCT, the record a WH_KEYBOARD_LL hook receives
/// through <c>lParam</c>. Not used by the demo form, provided alongside the mouse records.
/// </summary>
/// <remarks>
/// <c>dwExtraInfo</c> is pointer-sized natively and declared <c>int</c> here; as the
/// last field this only affects its own value.
/// </remarks>
[StructLayout(LayoutKind.Sequential)]
public class KeyboardHookStruct
{
    /// <summary>Virtual-key code.</summary>
    public int vkCode;

    /// <summary>Hardware scan code.</summary>
    public int scanCode;

    /// <summary>Event flags (extended-key, injected, alt-down, transition bits).</summary>
    public int flags;

    /// <summary>Message time stamp.</summary>
    public int time;

    /// <summary>Extra information associated with the message (see remarks on width).</summary>
    public int dwExtraInfo;
}

/// <summary>
/// Window message identifiers (WM_*). Values are the Win32 constants, listed
/// alphabetically; several names intentionally alias the same value
/// (WM_SETTINGCHANGE / WM_WININICHANGE, WM_KEYFIRST / WM_KEYDOWN,
/// WM_MOUSEFIRST / WM_MOUSEMOVE, WM_IME_KEYLAST / WM_IME_COMPOSITION).
/// </summary>
public enum WindowsMessages : int
{
    WM_ACTIVATE = 0x6,
    WM_ACTIVATEAPP = 0x1C,
    WM_AFXFIRST = 0x360,
    WM_AFXLAST = 0x37F,
    WM_APP = 0x8000,
    WM_ASKCBFORMATNAME = 0x30C,
    WM_CANCELJOURNAL = 0x4B,
    WM_CANCELMODE = 0x1F,
    WM_CAPTURECHANGED = 0x215,
    WM_CHANGECBCHAIN = 0x30D,
    WM_CHAR = 0x102,
    WM_CHARTOITEM = 0x2F,
    WM_CHILDACTIVATE = 0x22,
    WM_CLEAR = 0x303,
    WM_CLOSE = 0x10,
    WM_COMMAND = 0x111,
    WM_COMPACTING = 0x41,
    WM_COMPAREITEM = 0x39,
    WM_CONTEXTMENU = 0x7B,
    WM_COPY = 0x301,
    WM_COPYDATA = 0x4A,
    WM_CREATE = 0x1,
    WM_CTLCOLORBTN = 0x135,
    WM_CTLCOLORDLG = 0x136,
    WM_CTLCOLOREDIT = 0x133,
    WM_CTLCOLORLISTBOX = 0x134,
    WM_CTLCOLORMSGBOX = 0x132,
    WM_CTLCOLORSCROLLBAR = 0x137,
    WM_CTLCOLORSTATIC = 0x138,
    WM_CUT = 0x300,
    WM_DEADCHAR = 0x103,
    WM_DELETEITEM = 0x2D,
    WM_DESTROY = 0x2,
    WM_DESTROYCLIPBOARD = 0x307,
    WM_DEVICECHANGE = 0x219,
    WM_DEVMODECHANGE = 0x1B,
    WM_DISPLAYCHANGE = 0x7E,
    WM_DRAWCLIPBOARD = 0x308,
    WM_DRAWITEM = 0x2B,
    WM_DROPFILES = 0x233,
    WM_ENABLE = 0xA,
    WM_ENDSESSION = 0x16,
    WM_ENTERIDLE = 0x121,
    WM_ENTERMENULOOP = 0x211,
    WM_ENTERSIZEMOVE = 0x231,
    WM_ERASEBKGND = 0x14,
    WM_EXITMENULOOP = 0x212,
    WM_EXITSIZEMOVE = 0x232,
    WM_FONTCHANGE = 0x1D,
    WM_GETDLGCODE = 0x87,
    WM_GETFONT = 0x31,
    WM_GETHOTKEY = 0x33,
    WM_GETICON = 0x7F,
    WM_GETMINMAXINFO = 0x24,
    WM_GETOBJECT = 0x3D,
    WM_GETTEXT = 0xD,
    WM_GETTEXTLENGTH = 0xE,
    WM_HANDHELDFIRST = 0x358,
    WM_HANDHELDLAST = 0x35F,
    WM_HELP = 0x53,
    WM_HOTKEY = 0x312,
    WM_HSCROLL = 0x114,
    WM_HSCROLLCLIPBOARD = 0x30E,
    WM_ICONERASEBKGND = 0x27,
    WM_IME_CHAR = 0x286,
    WM_IME_COMPOSITION = 0x10F,
    WM_IME_COMPOSITIONFULL = 0x284,
    WM_IME_CONTROL = 0x283,
    WM_IME_ENDCOMPOSITION = 0x10E,
    WM_IME_KEYDOWN = 0x290,
    WM_IME_KEYLAST = 0x10F,
    WM_IME_KEYUP = 0x291,
    WM_IME_NOTIFY = 0x282,
    WM_IME_REQUEST = 0x288,
    WM_IME_SELECT = 0x285,
    WM_IME_SETCONTEXT = 0x281,
    WM_IME_STARTCOMPOSITION = 0x10D,
    WM_INITDIALOG = 0x110,
    WM_INITMENU = 0x116,
    WM_INITMENUPOPUP = 0x117,
    WM_INPUTLANGCHANGE = 0x51,
    WM_INPUTLANGCHANGEREQUEST = 0x50,
    WM_KEYDOWN = 0x100,
    WM_KEYFIRST = 0x100,
    WM_KEYLAST = 0x108,
    WM_KEYUP = 0x101,
    WM_KILLFOCUS = 0x8,
    WM_LBUTTONDBLCLK = 0x203,
    WM_LBUTTONDOWN = 0x201,
    WM_LBUTTONUP = 0x202,
    WM_MBUTTONDBLCLK = 0x209,
    WM_MBUTTONDOWN = 0x207,
    WM_MBUTTONUP = 0x208,
    WM_MDIACTIVATE = 0x222,
    WM_MDICASCADE = 0x227,
    WM_MDICREATE = 0x220,
    WM_MDIDESTROY = 0x221,
    WM_MDIGETACTIVE = 0x229,
    WM_MDIICONARRANGE = 0x228,
    WM_MDIMAXIMIZE = 0x225,
    WM_MDINEXT = 0x224,
    WM_MDIREFRESHMENU = 0x234,
    WM_MDIRESTORE = 0x223,
    WM_MDISETMENU = 0x230,
    WM_MDITILE = 0x226,
    WM_MEASUREITEM = 0x2C,
    WM_MENUCHAR = 0x120,
    WM_MENUCOMMAND = 0x126,
    WM_MENUDRAG = 0x123,
    WM_MENUGETOBJECT = 0x124,
    WM_MENURBUTTONUP = 0x122,
    WM_MENUSELECT = 0x11F,
    WM_MOUSEACTIVATE = 0x21,
    WM_MOUSEFIRST = 0x200,
    WM_MOUSEHOVER = 0x2A1,
    WM_MOUSELAST = 0x20A,
    WM_MOUSELEAVE = 0x2A3,
    WM_MOUSEMOVE = 0x200,
    WM_MOUSEWHEEL = 0x20A,
    WM_MOVE = 0x3,
    WM_MOVING = 0x216,
    WM_NCACTIVATE = 0x86,
    WM_NCCALCSIZE = 0x83,
    WM_NCCREATE = 0x81,
    WM_NCDESTROY = 0x82,
    WM_NCHITTEST = 0x84,
    WM_NCLBUTTONDBLCLK = 0xA3,
    WM_NCLBUTTONDOWN = 0xA1,
    WM_NCLBUTTONUP = 0xA2,
    WM_NCMBUTTONDBLCLK = 0xA9,
    WM_NCMBUTTONDOWN = 0xA7,
    WM_NCMBUTTONUP = 0xA8,
    WM_NCMOUSEHOVER = 0x2A0,
    WM_NCMOUSELEAVE = 0x2A2,
    WM_NCMOUSEMOVE = 0xA0,
    WM_NCPAINT = 0x85,
    WM_NCRBUTTONDBLCLK = 0xA6,
    WM_NCRBUTTONDOWN = 0xA4,
    WM_NCRBUTTONUP = 0xA5,
    WM_NEXTDLGCTL = 0x28,
    WM_NEXTMENU = 0x213,
    WM_NOTIFY = 0x4E,
    WM_NOTIFYFORMAT = 0x55,
    WM_NULL = 0x0,
    WM_PAINT = 0xF,
    WM_PAINTCLIPBOARD = 0x309,
    WM_PAINTICON = 0x26,
    WM_PALETTECHANGED = 0x311,
    WM_PALETTEISCHANGING = 0x310,
    WM_PARENTNOTIFY = 0x210,
    WM_PASTE = 0x302,
    WM_PENWINFIRST = 0x380,
    WM_PENWINLAST = 0x38F,
    WM_POWER = 0x48,
    WM_PRINT = 0x317,
    WM_PRINTCLIENT = 0x318,
    WM_QUERYDRAGICON = 0x37,
    WM_QUERYENDSESSION = 0x11,
    WM_QUERYNEWPALETTE = 0x30F,
    WM_QUERYOPEN = 0x13,
    WM_QUEUESYNC = 0x23,
    WM_QUIT = 0x12,
    WM_RBUTTONDBLCLK = 0x206,
    WM_RBUTTONDOWN = 0x204,
    WM_RBUTTONUP = 0x205,
    WM_RENDERALLFORMATS = 0x306,
    WM_RENDERFORMAT = 0x305,
    WM_SETCURSOR = 0x20,
    WM_SETFOCUS = 0x7,
    WM_SETFONT = 0x30,
    WM_SETHOTKEY = 0x32,
    WM_SETICON = 0x80,
    WM_SETREDRAW = 0xB,
    WM_SETTEXT = 0xC,
    WM_SETTINGCHANGE = 0x1A,
    WM_SHOWWINDOW = 0x18,
    WM_SIZE = 0x5,
    WM_SIZECLIPBOARD = 0x30B,
    WM_SIZING = 0x214,
    WM_SPOOLERSTATUS = 0x2A,
    WM_STYLECHANGED = 0x7D,
    WM_STYLECHANGING = 0x7C,
    WM_SYNCPAINT = 0x88,
    WM_SYSCHAR = 0x106,
    WM_SYSCOLORCHANGE = 0x15,
    WM_SYSCOMMAND = 0x112,
    WM_SYSDEADCHAR = 0x107,
    WM_SYSKEYDOWN = 0x104,
    WM_SYSKEYUP = 0x105,
    WM_TCARD = 0x52,
    WM_TIMECHANGE = 0x1E,
    WM_TIMER = 0x113,
    WM_UNDO = 0x304,
    WM_UNINITMENUPOPUP = 0x125,
    WM_USER = 0x400,
    WM_USERCHANGED = 0x54,
    WM_VKEYTOITEM = 0x2E,
    WM_VSCROLL = 0x115,
    WM_VSCROLLCLIPBOARD = 0x30A,
    WM_WINDOWPOSCHANGED = 0x47,
    WM_WINDOWPOSCHANGING = 0x46,
    WM_WININICHANGE = 0x1A
}

}

using System

using System.Collections.Generic

using System.Text

using System.Diagnostics

using Kits.Win32API

namespace Kits.Hook

{

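/// <summary>
/// Owns a single Windows hook: installs it, keeps the callback delegate alive
/// for as long as the hook exists, and removes it again.
/// </summary>
/// <remarks>
/// The handle is exposed as <c>int</c> to match <c>WinAPI.SetWindowsHookEx</c>;
/// that truncates HHOOK in a 64-bit process and is kept only for compatibility.
/// </remarks>
public class WinHook
{
    private int _hookType = 0;
    private HookProc _hookProc = null;
    private int _hHook = 0;

    /// <summary>Numeric WH_* hook type this instance installs.</summary>
    public int HookType { get { return this._hookType; } }

    /// <summary>
    /// Callback currently installed, or null. Held in a field so the delegate
    /// cannot be garbage-collected while the native side still calls it.
    /// </summary>
    public HookProc HookProc { get { return this._hookProc; } }

    /// <summary>Hook handle; 0 while no hook is installed.</summary>
    public int HHook { get { return this._hHook; } }

    /// <param name="type">WH_* hook type to install later via <see cref="SetWindowsHookEx"/>.</param>
    public WinHook(Kits.Win32API.HookType type)
    {
        this._hookType = (int)type;
    }

    /// <summary>
    /// Installs the hook with <paramref name="Proc"/> as the callback.
    /// </summary>
    /// <param name="Proc">Callback invoked for every hooked event.</param>
    /// <returns>
    /// true if the hook was installed by this call; false if a hook is already
    /// installed on this instance or the API call failed.
    /// </returns>
    /// <exception cref="ArgumentNullException"><paramref name="Proc"/> is null.</exception>
    public bool SetWindowsHookEx(HookProc Proc)
    {
        if (Proc == null)
        {
            throw new ArgumentNullException("Proc");
        }

        if (this._hHook != 0)
        {
            return false; // one hook per instance; already installed
        }

        this._hookProc = Proc;

        // Process is IDisposable; the original never disposed the instance it created here.
        using (Process current = Process.GetCurrentProcess())
        {
            this._hHook = WinAPI.SetWindowsHookEx(this._hookType, this._hookProc, current.MainModule.BaseAddress, 0);
        }

        if (this._hHook == 0)
        {
            // Installation failed: do not keep a callback for a hook that does not exist.
            this._hookProc = null;
            return false;
        }

        return true;
    }

    /// <summary>
    /// Removes the hook if one is installed.
    /// </summary>
    /// <returns>true if the hook was removed; false if none was installed or the API call failed.</returns>
    public bool UnhookWindowsHookEx()
    {
        if (this._hHook == 0)
        {
            return false;
        }

        bool removed = WinAPI.UnhookWindowsHookEx(this._hHook);
        if (removed)
        {
            // The original never cleared the handle, so after the first unhook
            // SetWindowsHookEx refused to install again and every later
            // UnhookWindowsHookEx call reused a stale handle.
            this._hHook = 0;
            this._hookProc = null;
        }

        return removed;
    }
}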

}

