用FASM X64 汇编代码 hook message box 并验证附源码
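; MessageBoxA inline hook, FASM x86-64, Windows (Microsoft x64 ABI).
; Demo only, current process only.  The first 14 bytes of user32!MessageBoxA
; are overwritten with an absolute jump to hook_handler, which replaces the
; lpText argument and continues through a trampoline that holds the displaced
; prologue bytes followed by a jump back to MessageBoxA+14.
;
; NOTE(review): the 14 displaced bytes are copied verbatim (no instruction
; length decoding).  Any instruction that straddles offset 14, or that is
; RIP-relative or a relative branch, is corrupted by that copy.  The author
; reports this works on their user32 build; a general-purpose hook needs a
; length disassembler at that point.
format PE64 GUI 5.0
entry start
include 'win64a.inc'

PATCH_LEN       = 14    ; bytes overwritten at MessageBoxA's entry
TRAMPOLINE_SIZE = 32    ; PATCH_LEN displaced bytes + 14-byte jump back (28 used)

section '.data' data readable writeable

origMessage   db 'Original message',0
hookedMessage db 'HOOK SUCCESSFUL!',0
caption       db 'MessageBox Hook',0
user32        db 'user32.dll',0
msgBoxA       db 'MessageBoxA',0

; Addresses and handles
hUser32        dq ?     ; HMODULE of user32.dll (kept, not otherwise used)
pMessageBoxA   dq ?     ; address of user32!MessageBoxA, the patch target
hProcess       dq ?     ; pseudo-handle from GetCurrentProcess
trampoline     dq ?     ; VirtualAlloc'd block: displaced bytes + jump back
oldProtect     dq ?     ; original protection of the patched page (DWORD in low half)
scratchProtect dq ?     ; throw-away out-param for the other VirtualProtect calls
bytesWritten   dq ?     ; SIZE_T out-param of WriteProcessMemory

; Byte buffers
origBytes     db PATCH_LEN dup(?)   ; MessageBoxA's original first 14 bytes (for restore)
patchBytes    db PATCH_LEN dup(?)   ; the 14-byte jump stub written over MessageBoxA

section '.text' code readable executable

start:
        ; At entry rsp % 16 == 8.  0x28 = 32 bytes of shadow space plus one
        ; qword for the 5th argument of WriteProcessMemory, and it leaves
        ; rsp 16-byte aligned at every call below.
        sub     rsp, 0x28

        ; Resolve user32!MessageBoxA.
        invoke  LoadLibraryA, user32
        test    rax, rax
        jz      .exit
        mov     [hUser32], rax
        invoke  GetProcAddress, rax, msgBoxA
        test    rax, rax
        jz      .exit
        mov     [pMessageBoxA], rax

        ; Baseline: the unhooked call.
        invoke  MessageBoxA, 0, origMessage, caption, MB_OK

        ; Save the bytes we are about to overwrite.  rsi/rdi are callee-saved
        ; in the Microsoft x64 ABI; clobbering them is acceptable here only
        ; because start never returns (it ends in ExitProcess).
        mov     rsi, [pMessageBoxA]
        lea     rdi, [origBytes]
        mov     rcx, PATCH_LEN
        rep     movsb

        ; Trampoline: allocate read/write (not RWX), fill it, then flip it
        ; to execute/read so no writable+executable page is left behind.
        invoke  VirtualAlloc, 0, TRAMPOLINE_SIZE, MEM_COMMIT or MEM_RESERVE, PAGE_READWRITE
        test    rax, rax
        jz      .exit
        mov     [trampoline], rax

        ; Displaced prologue bytes go first.
        mov     rdi, rax
        lea     rsi, [origBytes]
        mov     rcx, PATCH_LEN
        rep     movsb                   ; rdi now = trampoline + PATCH_LEN

        ; Jump back to MessageBoxA+PATCH_LEN encoded as
        ;   jmp qword [rip+0]   (FF 25 00 00 00 00)
        ;   dq  target          (8 bytes)        -> exactly 14 bytes.
        ; Unlike `mov rax, imm64 / jmp rax` this clobbers no register, which
        ; matters here: rax may already be live after the displaced bytes.
        mov     rax, [pMessageBoxA]
        add     rax, PATCH_LEN
        mov     word [rdi], 0x25FF
        mov     dword [rdi+2], 0
        mov     [rdi+6], rax

        invoke  VirtualProtect, [trampoline], TRAMPOLINE_SIZE, PAGE_EXECUTE_READ, scratchProtect
        test    rax, rax
        jz      .exit

        ; Build the patch stub: jmp qword [rip+0]; dq hook_handler.  Same
        ; 14-byte form, so every overwritten byte is meaningful (the old
        ; `mov rax, imm64 / jmp rax` form was 12 bytes plus 2 bytes of filler).
        lea     rdi, [patchBytes]
        lea     rax, [hook_handler]
        mov     word [rdi], 0x25FF
        mov     dword [rdi+2], 0
        mov     [rdi+6], rax

        invoke  GetCurrentProcess
        mov     [hProcess], rax

        ; Make the target bytes writable, patch, then put the protection back.
        invoke  VirtualProtect, [pMessageBoxA], PATCH_LEN, PAGE_EXECUTE_READWRITE, oldProtect
        test    rax, rax
        jz      .exit

        invoke  WriteProcessMemory, [hProcess], [pMessageBoxA], patchBytes, PATCH_LEN, bytesWritten
        test    rax, rax
        jz      .restore_and_exit

        ; Restore the page's original protection.  flNewProtect is a DWORD,
        ; so only the low half of oldProtect is loaded; explicit register
        ; moves are used instead of invoke to make the operand size obvious.
        ; Result deliberately not checked: nothing useful can be done here.
        mov     rcx, [pMessageBoxA]
        mov     edx, PATCH_LEN
        mov     r8d, dword [oldProtect]
        lea     r9, [scratchProtect]
        call    [VirtualProtect]

        ; Make sure the CPU sees the new bytes before they are executed.
        invoke  FlushInstructionCache, [hProcess], [pMessageBoxA], PATCH_LEN

        ; Same call as the baseline; the hook now rewrites lpText.
        invoke  MessageBoxA, 0, origMessage, caption, MB_OK

.exit:
        invoke  ExitProcess, 0

.restore_and_exit:
        ; Best effort: put the original bytes back if the patch write failed.
        invoke  WriteProcessMemory, [hProcess], [pMessageBoxA], origBytes, PATCH_LEN, bytesWritten
        jmp     .exit

hook_handler:
        ; Entered in place of MessageBoxA's first instruction, with the
        ; caller's state intact: rcx = hWnd, rdx = lpText, r8 = lpCaption,
        ; r9 = uType, return address and shadow space untouched.  Only lpText
        ; is replaced; the tail jump to the trampoline leaves everything else
        ; exactly as the caller set it up.
        lea     rdx, [hookedMessage]
        jmp     qword [trampoline]

section '.idata' import data readable

library kernel32, 'kernel32.dll', \
        user32,   'user32.dll'

import kernel32, \
       ExitProcess,           'ExitProcess', \
       LoadLibraryA,          'LoadLibraryA', \
       GetProcAddress,        'GetProcAddress', \
       VirtualAlloc,          'VirtualAlloc', \
       VirtualProtect,        'VirtualProtect', \
       WriteProcessMemory,    'WriteProcessMemory', \
       GetCurrentProcess,     'GetCurrentProcess', \
       FlushInstructionCache, 'FlushInstructionCache'

import user32, \
       MessageBoxA, 'MessageBoxA'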
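; MessageBoxA hook, FASM x86 (32-bit), Windows.  This is the x86 counterpart
; of the x64 listing above.
; The patch is a 6-byte `push .hooked / ret` written over the entry of
; user32!MessageBoxA.  The hook fires once: it restores the original bytes,
; shows its own box, then jumps to .ret_addr in this program instead of
; returning to the intercepted caller.
format PE GUI at 0x400000
include 'win32a.inc'

PATCH_LEN = 6           ; push imm32 (5 bytes) + ret (1 byte)

section '.data' data readable writeable

_id      dd ?                   ; pseudo-handle from GetCurrentProcess
_message db "222",0
_caption db "111",0
_lib     db "user32.dll",0
_proc    db "MessageBoxA",0
_text    db "Error",0
_addr    dd ?                   ; address of user32!MessageBoxA
_bytes   rb PATCH_LEN           ; original first 6 bytes of MessageBoxA

; Patch template.  It sits in .data only as a byte pattern; the bytes are
; copied into MessageBoxA and executed there.
; NOTE(review): `ret` to an address that no `call` pushed is exactly what a
; user-mode shadow stack would fault on; a 5-byte `jmp rel32` (E9) avoids
; that.  Whether this 32-bit process would be subject to such enforcement is
; not shown here.
_patch:  push .hooked
         ret

section '.code' code readable executable

.hooked:
        ; Entered through the patched MessageBoxA entry, so the stack still
        ; holds the intercepted caller's return address and its 4 arguments.
        invoke  Beep, 750, 300
        invoke  WriteProcessMemory, [_id], [_addr], _bytes, PATCH_LEN, 0   ; unhook: restore original bytes
        invoke  MessageBox, HWND_DESKTOP, _lib, _proc, MB_OK               ; now the real MessageBoxA again
        ; Not a transparent hook: control goes to .ret_addr, and the 20 bytes
        ; the intercepted caller pushed (return address + 4 args) are simply
        ; abandoned.  Harmless only because the program exits right after.
        push    .ret_addr
        ret

entry $
        invoke  LoadLibrary, _lib
        test    eax, eax
        jz      .error
        invoke  GetProcAddress, eax, _proc
        test    eax, eax
        jz      .error
        mov     [_addr], eax
        invoke  GetCurrentProcess
        mov     [_id], eax
        ; No VirtualProtect in this listing: it relies on WriteProcessMemory
        ; handling the page protection of the current process by itself.
        invoke  ReadProcessMemory, [_id], [_addr], _bytes, PATCH_LEN, 0    ; save original bytes
        test    eax, eax
        jz      .error
        invoke  WriteProcessMemory, [_id], [_addr], _patch, PATCH_LEN, 0   ; install the patch
        test    eax, eax
        jz      .error                  ; report a failed patch like the other failures
        invoke  MessageBox, HWND_DESKTOP, _caption, _message, MB_OK        ; intercepted by .hooked
.ret_addr:
        invoke  MessageBox, HWND_DESKTOP, _caption, _message, MB_OK        ; after unhook
        jmp     .exit
.error:
        invoke  MessageBox, HWND_DESKTOP, _text, _text, MB_OK or MB_ICONERROR
.exit:
        invoke  ExitProcess, 0

section '.idata' import readable writable

library kernel32, 'KERNEL32.DLL', \
        user32,   'USER32.DLL'

import kernel32, \
       WriteProcessMemory, 'WriteProcessMemory', \
       ExitProcess,        'ExitProcess', \
       LoadLibrary,        'LoadLibraryA', \
       GetProcAddress,     'GetProcAddress', \
       GetCurrentProcess,  'GetCurrentProcess', \
       ReadProcessMemory,  'ReadProcessMemory', \
       Beep,               'Beep'

import user32, \
       MessageBox, 'MessageBoxA'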
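; MessageBoxA hook, FASM x86 (32-bit), Windows.
; The patch is a 6-byte `push .hooked / ret` written over the entry of
; user32!MessageBoxA.  The hook fires once: it restores the original bytes,
; shows its own box, then jumps to .ret_addr in this program instead of
; returning to the intercepted caller.
format PE GUI at 0x400000
include 'win32a.inc'

PATCH_LEN = 6           ; push imm32 (5 bytes) + ret (1 byte)

section '.data' data readable writeable

_id      dd ?                   ; pseudo-handle from GetCurrentProcess
_message db "222",0
_caption db "111",0
_lib     db "user32.dll",0
_proc    db "MessageBoxA",0
_text    db "Error",0
_addr    dd ?                   ; address of user32!MessageBoxA
_bytes   rb PATCH_LEN           ; original first 6 bytes of MessageBoxA

; Patch template.  It sits in .data only as a byte pattern; the bytes are
; copied into MessageBoxA and executed there.
; NOTE(review): `ret` to an address that no `call` pushed is exactly what a
; user-mode shadow stack would fault on; a 5-byte `jmp rel32` (E9) avoids
; that.  Whether this 32-bit process would be subject to such enforcement is
; not shown here.
_patch:  push .hooked
         ret

section '.code' code readable executable

.hooked:
        ; Entered through the patched MessageBoxA entry, so the stack still
        ; holds the intercepted caller's return address and its 4 arguments.
        invoke  Beep, 750, 300
        invoke  WriteProcessMemory, [_id], [_addr], _bytes, PATCH_LEN, 0   ; unhook: restore original bytes
        invoke  MessageBox, HWND_DESKTOP, _lib, _proc, MB_OK               ; now the real MessageBoxA again
        ; Not a transparent hook: control goes to .ret_addr, and the 20 bytes
        ; the intercepted caller pushed (return address + 4 args) are simply
        ; abandoned.  Harmless only because the program exits right after.
        push    .ret_addr
        ret

entry $
        invoke  LoadLibrary, _lib
        test    eax, eax
        jz      .error
        invoke  GetProcAddress, eax, _proc
        test    eax, eax
        jz      .error
        mov     [_addr], eax
        invoke  GetCurrentProcess
        mov     [_id], eax
        ; No VirtualProtect in this listing: it relies on WriteProcessMemory
        ; handling the page protection of the current process by itself.
        invoke  ReadProcessMemory, [_id], [_addr], _bytes, PATCH_LEN, 0    ; save original bytes
        test    eax, eax
        jz      .error
        invoke  WriteProcessMemory, [_id], [_addr], _patch, PATCH_LEN, 0   ; install the patch
        test    eax, eax
        jz      .error                  ; report a failed patch like the other failures
        invoke  MessageBox, HWND_DESKTOP, _caption, _message, MB_OK        ; intercepted by .hooked
.ret_addr:
        invoke  MessageBox, HWND_DESKTOP, _caption, _message, MB_OK        ; after unhook
        jmp     .exit
.error:
        invoke  MessageBox, HWND_DESKTOP, _text, _text, MB_OK or MB_ICONERROR
.exit:
        invoke  ExitProcess, 0

section '.idata' import readable writable

library kernel32, 'KERNEL32.DLL', \
        user32,   'USER32.DLL'

import kernel32, \
       WriteProcessMemory, 'WriteProcessMemory', \
       ExitProcess,        'ExitProcess', \
       LoadLibrary,        'LoadLibraryA', \
       GetProcAddress,     'GetProcAddress', \
       GetCurrentProcess,  'GetCurrentProcess', \
       ReadProcessMemory,  'ReadProcessMemory', \
       Beep,               'Beep'

import user32, \
       MessageBox, 'MessageBoxA'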