

攔截其它程序的網絡數據封包

2019-11-18 18:27:41

有時候我們需要對其它應用程序發送和接收的網絡數據進行攔截,比如要對IE發送的HTTP頭進行分析,得到請求的地址等.這次我們可以用一些例如WPE, Sniffer之類的工具來達到目的.但是工具功能有限,要想實現更強大的功能,還是我們自己動手來DIY吧.

攔截網絡數據封包的方法有三種,一是將網卡設為混雜模式,這次就可以監視到局域網上所有的數據包,二是HOOK目標進程的發送和接收的API函數,第三種方法是自己實現一個代理的DLL.在這里我們使用HOOK API的方法,這樣易于實現,而且也不會得到大量的無用數據(如第一種方法就會監視到所有的網絡數據).


下面是一個盡量簡化了的API HOOK的模版,原理是利用消息鉤子將DLL中的代碼注入到目標進程中,再用GetProcAddress得到API函數入口地址,將函數入口地址改為自己定義的函數入口,這樣就得到了API函數的相應參數,處理完后,再改回真實API函數入口地址,并調用它.

HOOK.DLL的代碼:
library Hook;

uses
  SysUtils,
  windows,
  Messages,
  APIHook in 'APIHook.pas';

type
  PData = ^TData;
  // State shared between the injector and the hooked process. It is not an
  // ordinary DLL global: DLLData points into the named file mapping created
  // in MyDLLHandler, so every process that loads this DLL sees one copy.
  TData = record
    Hook: THandle;    // handle returned by SetWindowsHookEx (0 when no hook is installed)
    Hooked: Boolean;  // set once HookAPI has run; checked in HookProc
  end;
 
var
  DLLData: PData;   // view of the shared mapping; nil if mapping it failed

{------------------------------------}
{ HookProc
{ Purpose: WH_GETMESSAGE hook procedure
{ Params: nCode, wParam, lParam - the message-hook arguments
{------------------------------------}
// WH_GETMESSAGE hook procedure. It executes inside the process that owns the
// hooked thread; on the first call it patches send/recv through HookAPI
// (APIHook.pas) and records that in the shared mapping, so later calls only
// forward the message.
// NOTE(review): a GetMsgProc is expected to return the LRESULT from
// CallNextHookEx. This is declared as a procedure with a LongWord nCode, so the
// chain's result is discarded and negative nCode values are never special-cased.
procedure HookProc(nCode, wParam, lParam: LongWord);stdcall;
begin
  // Hooked lives in the shared mapping, so it is global to every process that
  // has opened 'MYDLLDATA', not per process.
  if not DLLData^.Hooked then
  begin
    HookAPI;
    DLLData^.Hooked := True;
  end;
  // Pass the message to the next hook in the chain (return value dropped).
  CallNextHookEx(DLLData^.Hook, nCode, wParam, lParam);
end;


{------------------------------------}
{ InstallHook
{ Purpose: installs the message hook on the thread that owns a window
{ Params: sWindow - handle of the window to hook
{ Returns: True on success, False on failure
{------------------------------------}
// Installs a WH_GETMESSAGE hook on the thread that owns sWindow. Because the
// hook procedure lives in this DLL (Hinstance), the system loads Hook.dll into
// that thread's process the next time it pumps a message; that is how
// HookProc, and through it HookAPI, reach the target.
// Returns True iff SetWindowsHookEx returned a non-zero handle.
function InstallHook(SWindow: LongWORD):Boolean;stdcall;
var
  ThreadID: LongWORD;
begin
  Result := False;
  DLLData^.Hook := 0;
  // Only the thread id is needed; nil discards the process id.
  // NOTE(review): for an invalid window this returns 0, which is then passed
  // on unchecked; a thread id of 0 is accepted by SetWindowsHookEx as a
  // system-wide hook, so a bad handle widens the blast radius instead of
  // failing. Callers should validate sWindow first.
  ThreadID := GetWindowThreadProcessId(sWindow, nil);
  // Hinstance is this DLL's module handle.
  DLLData^.Hook := SetWindowsHookEx(WH_GETMESSAGE, @HookProc, Hinstance, ThreadID);
  // The else branch just leaves Result = False; the exit is redundant.
  if DLLData^.Hook > 0 then
    Result := True  // hook installed
  else
    exit;
end;

{------------------------------------}
{ UnHook
{ Purpose: removes the hook
{ Params: none
{------------------------------------}
// Restores the original send/recv bytes (UnHookAPI) and removes the message
// hook whose handle is kept in the shared mapping.
// NOTE(review): UnHookAPI patches memory in the calling process, but the bytes
// were modified in the target process. fmMain calls UnHook from the injector,
// where HookAPI never ran, so the target's send/recv presumably stay patched
// after this returns - confirm before relying on it for cleanup.
procedure UnHook;stdcall;
begin
  UnHookAPI;
  // Remove the WH_GETMESSAGE hook; result not checked.
  UnhookWindowsHookEx(DLLData^.Hook);
end;

{------------------------------------}
{ DLL entry procedure
{ Purpose: DLL initialisation and cleanup
{ Params: DLL state (attach/detach reason)
{------------------------------------}
// DLL entry callback (assigned to DLLProc). On attach it maps the named
// section 'MYDLLDATA' so that every process loading this DLL shares one TData;
// on detach it unmaps the view.
// Security note: the section is created with nil security attributes and a
// fixed, well-known name, so any process in the same session can open it and
// change Hook/Hooked. The presence of that named section is also a simple
// indicator that this DLL is loaded somewhere.
procedure MyDLLHandler(Reason: Integer);
var
  FHandle: LongWORD;
begin
  case Reason of
    DLL_PROCESS_ATTACH:
    begin            // $FFFFFFFF is INVALID_HANDLE_VALUE: a paging-file-backed section of $ffff bytes
      FHandle := CreateFileMapping($FFFFFFFF, nil, PAGE_READWRITE, 0, $ffff, 'MYDLLDATA');
      // NOTE(review): when the name already exists, CreateFileMapping returns a
      // valid handle to the existing section (with GetLastError =
      // ERROR_ALREADY_EXISTS), not 0. This fallback therefore only runs on a
      // genuine failure, and the OpenFileMapping path is effectively dead code;
      // sharing works because the first call already returned the existing section.
      if FHandle = 0 then
      if GetLastError = ERROR_ALREADY_EXISTS then
      begin
        FHandle := OpenFileMapping(FILE_MAP_ALL_access, False, 'MYDLLDATA');
        if FHandle = 0 then Exit;
      end else Exit;
      DLLData := MapViewOfFile(FHandle, FILE_MAP_ALL_ACCESS, 0, 0, 0);
      // On success FHandle is a local that goes out of scope unclosed (leaked
      // until process exit); it is only closed on the failure path.
      if DLLData = nil then
        CloseHandle(FHandle);
    end;
    DLL_PROCESS_DETACH:
    begin
      if Assigned(DLLData) then
      begin
        UnmapViewOfFile(DLLData);
        DLLData := nil;
      end;
    end;
  end;
end;

{$R *.res}
// Entry points resolved by the injector (fmMain) with GetProcAddress. HookProc
// is exported too, although InstallHook passes its address directly.
exports
  InstallHook, UnHook, HookProc;

// Library initialisation, run when the DLL is loaded into any process.
// The explicit MyDLLHandler(DLL_PROCESS_ATTACH) call covers the initial
// attach, which the DLLProc callback itself does not receive (Delphi
// convention - confirm for the compiler version in use).
begin
  DLLProc := @MyDLLHandler;
  MyDLLhandler(DLL_PROCESS_ATTACH);
  // NOTE(review): DLLData is nil when the mapping failed, so this line would
  // fault. Also, because TData is shared, every process that loads the DLL
  // (injector and target alike) resets Hooked for all of them.
  DLLData^.Hooked := False;
end.

----------------------------------------------------------------------------------------
APIHook.Pas的代碼:

unit APIHook;

interface

uses
  SysUtils,
  Windows, WinSock;

type
  // Signature shared by ws2_32 send and recv: (socket, buffer, length, flags) -> Integer.
  TSockProc = function (s: TSocket; var Buf; len, flags: Integer): Integer; stdcall;

  PJmpCode = ^TJmpCode;
  // The 8 bytes written over the first bytes of the patched export (see HookAPI):
  // JmpCode = $B8 (mov eax, imm32), Address = the imm32 operand, MovEAX holds
  // $FF $E0 (jmp eax) plus one padding byte - the field name is misleading.
  // Assumes a 32-bit image, where a code pointer is 4 bytes.
  TJmpCode = packed record
    JmpCode: BYTE;
    Address: TSockProc;
    MovEAX: Array [0..2] of BYTE;
  end;

  //-------------------- forward declarations ---------------------------
  procedure HookAPI;
  procedure UnHookAPI;

var
  OldSend, OldRecv: TSockProc;      // original API entry points (assigned in HookAPI)
  JmpCode: TJmpCode;                // one stub reused for both patches; Address is rewritten before each write
  OldProc: array [0..1] of TJmpCode; // saved original bytes: [0] send, [1] recv
  AddSend, AddRecv: pointer;        // addresses of ws2_32 send / recv
  TmpJmp: TJmpCode;                 // declared but not used in this unit
  ProcessHandle: THandle;           // GetCurrentProcess pseudo-handle (set in HookAPI)
implementation
implementation

{---------------------------------------}
{ Purpose: hook replacement for send
{ Params: same as send
{ Returns: integer
{---------------------------------------}
// Replacement for ws2_32 send; parameters and result match send.
// It restores the original bytes, calls the real send, then re-applies the
// patch. Not thread-safe: another thread calling send between the two writes
// reaches the unpatched function or a half-written entry, and nothing guards
// against re-entrancy.
function MySend(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall;
var
  dwSize: cardinal;
begin
  // Placeholder for inspecting the outgoing buffer; currently only beeps.
  MessageBeep(1000);           // beep once
  // Put the saved original 8 bytes back so the real send can be called.
  WriteProcessMemory(ProcessHandle, AddSend, @OldProc[0], 8, dwSize);
  Result := OldSend(S, Buf, len, flags);
  // Re-install the stub. JmpCode is shared with MyRecv, so Address must be set
  // again before every write. Write results are not checked.
  JmpCode.Address := @MySend;
  WriteProcessMemory(ProcessHandle, AddSend, @JmpCode, 8, dwSize);
end;

{---------------------------------------}
{ Purpose: hook replacement for recv
{ Params: same as recv
{ Returns: integer
{---------------------------------------}
// Replacement for ws2_32 recv; parameters and result match recv.
// Same restore / call / re-patch sequence as MySend, with the same
// thread-safety and re-entrancy caveats: the window between the two writes
// is unprotected.
function MyRecv(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall;
var
  dwSize: cardinal;
begin
  // Placeholder for inspecting the received buffer; currently only beeps.
  MessageBeep(1000);         // beep once
  // Put the saved original 8 bytes back so the real recv can be called.
  WriteProcessMemory(ProcessHandle, AddRecv, @OldProc[1], 8, dwSize);
  Result := OldRecv(S, Buf, len, flags);
  // Re-install the stub (shared JmpCode, so Address is set again). Write
  // results are not checked.
  JmpCode.Address := @MyRecv;
  WriteProcessMemory(ProcessHandle, AddRecv, @JmpCode, 8, dwSize);
end;

{------------------------------------}
{ Purpose: HookAPI - patch send/recv
{ Params: none
{------------------------------------}
// Overwrites the entry of ws2_32 send and recv in the current process so that
// calls land in MySend/MyRecv. Runs inside the target once the message hook
// has loaded this DLL there. Nothing is checked: LoadLibrary/GetProcAddress
// returning 0/nil, or ReadProcessMemory/WriteProcessMemory failing, all go
// unnoticed and would lead to writes through a nil address.
// Detection note: after this runs, the in-memory prologue of the two exports
// no longer matches the on-disk ws2_32 image, which module-integrity checks
// of loaded code can flag.
procedure HookAPI;
var
  DLLModule: THandle;
  dwSize: cardinal;
begin
  // Pseudo-handle for the current process; every write below is local.
  ProcessHandle := GetCurrentProcess;
  DLLModule := LoadLibrary('ws2_32.dll');       
  AddSend := GetProcAddress(DLLModule, 'send');  // API addresses (nil not handled)
  AddRecv := GetProcAddress(DLLModule, 'recv');
  // Fill in the stub: mov eax, <Address>; jmp eax; one padding byte.
  JmpCode.JmpCode := $B8;
  JmpCode.MovEAX[0] := $FF;
  JmpCode.MovEAX[1] := $E0;
  JmpCode.MovEAX[2] := 0;
  // Save the original bytes before overwriting them (dwSize never inspected).
  ReadProcessMemory(ProcessHandle, AddSend, @OldProc[0], 8, dwSize);
  JmpCode.Address := @MySend;
  WriteProcessMemory(ProcessHandle, AddSend, @JmpCode, 8, dwSize);   // patch send entry
  ReadProcessMemory(ProcessHandle, AddRecv, @OldProc[1], 8, dwSize);
  JmpCode.Address := @MyRecv;
  WriteProcessMemory(ProcessHandle, AddRecv, @JmpCode, 8, dwSize);   // patch recv entry
  // OldSend/OldRecv point at the (now patched) entries; MySend/MyRecv restore
  // the original bytes before calling through them.
  OldSend := AddSend;
  OldRecv := AddRecv;
end;

{------------------------------------}
{ Purpose: undo HookAPI
{ Params: none
{------------------------------------}
// Writes the saved original 8 bytes back over send and recv.
// Only meaningful in the process where HookAPI ran: elsewhere ProcessHandle,
// AddSend/AddRecv and OldProc still hold their initial zero values (unit-level
// globals - confirm), so these writes presumably fail. Results are not checked.
procedure UnHookAPI;
var
  dwSize: Cardinal;
begin
  WriteProcessMemory(ProcessHandle, AddSend, @OldProc[0], 8, dwSize);
  WriteProcessMemory(ProcessHandle, AddRecv, @OldProc[1], 8, dwSize);
end;

end.

---------------------------------------------------------------------------------------------
編譯這個DLL后,再新建一個程序調用這個DLL的InstallHook并傳入目標進程的主窗口句柄就可:
unit fmMain;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls;

type
  // Injector form: Button1 loads Hook.dll and installs the hook, Button2
  // removes it. Edit1 is declared but not referenced by the code in this unit.
  TForm1 = class(TForm)
    Button1: TButton;
    Button2: TButton;
    Edit1: TEdit;
    procedure Button1Click(Sender: TObject);
    procedure Button2Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;
 
var
  Form1: TForm1;
  // Resolved from Hook.dll at runtime in Button1Click; nil until then.
  InstallHook: function (SWindow: THandle):Boolean;stdcall;
  UnHook: procedure;stdcall;
implementation

{$R *.dfm}

// Loads Hook.dll, resolves its exports and installs the hook on a window.
// NOTE(review): the window that is looked up and validated (TmpWndHandle) is
// not the one passed to InstallHook - a second FindWindow with a different
// title is used on the call line, so the check above does not protect it.
// LoadLibrary and both GetProcAddress results are also unchecked; a missing
// DLL or export leaves InstallHook/UnHook nil and the calls would fault.
procedure TForm1.Button1Click(Sender: TObject);
var
  ModuleHandle: THandle;
  TmpWndHandle: THandle;
begin
  TmpWndHandle := 0;
  // Placeholder title; the validation below applies to this handle only.
  TmpWndHandle := FindWindow(nil, '目標(biāo)窗口的標(biāo)題');
  if not isWindow(TmpWndHandle) then
  begin
    MessageBox(self.Handle, '沒有找到窗口', '!!!', MB_OK);
    exit;
  end;
  // Module handle is kept in a local and never freed.
  ModuleHandle := LoadLibrary('Hook.dll');
  @InstallHook := GetProcAddress(ModuleHandle, 'InstallHook');
  @UnHook := GetProcAddress(ModuleHandle, 'UnHook');
  // Uses a different window than the validated TmpWndHandle (see note above).
  if InstallHook(FindWindow(nil, 'Untitled')) then
    ShowMessage('Hook OK');
end;

// Removes the hook. UnHook is only assigned in Button1Click, so pressing this
// button first (or after a failed GetProcAddress) calls a nil procedure
// pointer; there is no guard.
procedure TForm1.Button2Click(Sender: TObject);
begin
  UnHook
end;

end.

