This commit is contained in:
HIllya51 2024-01-12 22:44:21 +08:00
parent f06244e125
commit 0e3b3a1a02
4 changed files with 33 additions and 129 deletions


@ -39,7 +39,7 @@ class ThreadParam(Structure):
def __eq__(self, __value ):
return self.__hash__()==__value.__hash__()
class HookParam64(Structure):
class HookParam(Structure):
_fields_=[
('address',c_uint64),
('offset',c_int),
@ -63,35 +63,10 @@ class HookParam64(Structure):
('_3',c_uint64),
('_4',c_uint64),
('name',c_char*HOOK_NAME_SIZE)
]
class HookParam32(Structure):
]
class TextHook(Structure):
_fields_=[
('address',c_uint64),
('offset',c_int),
('index',c_int),
('split',c_int),
('split_index',c_int),
('null_length',c_int),
('module',c_wchar*MAX_MODULE_SIZE),
('function',c_char*MAX_MODULE_SIZE),
('type',c_uint),
('codepage', c_uint),
('length_offset',c_short),
('padding',c_uint32), #uintptr_t
('user_value',c_uint),
('text_fun',c_uint32),
('filter_fun',c_uint32),
('hook_fun',c_uint32),
('length_fun',c_uint32), #函数指针
('_1',c_uint32),
('_2',c_uint32),
('_3',c_uint32),
('_4',c_uint32),
('name',c_char*HOOK_NAME_SIZE)
]
class TextHook64(Structure):
_fields_=[
('hp',HookParam64),
('hp',HookParam),
('address',c_uint64), #union{uint64 && void*}
('useCount',c_uint),
('readerThread',c_uint64), #HANLDE ->void*
@ -100,38 +75,9 @@ class TextHook64(Structure):
('trampoline',c_ubyte*140),
('local_buffer',c_uint64)
]
class TextHook32(Structure):
_fields_=[
('hp',HookParam32),
('address',c_uint64), #union{uint64 && void*}
('useCount',c_uint),
('readerThread',c_uint32), #HANLDE ->void*
('readerEvent',c_uint32),
('err',c_bool),
('trampoline',c_ubyte*40),
('local_buffer',c_uint32)
]
MAX_HOOK=2500
class SearchParam32(Structure):
_fields_=[
('pattern',c_char*30),
('address_method',c_int),
('search_method',c_int),
('length',c_int),
('offset',c_int),
('searchTime',c_int),
('maxRecords',c_int),
('codepage',c_int),
('padding',c_uint),
('minAddress',c_uint),
('maxAddress',c_uint),
('boundaryModule',c_wchar*120),
('exportModule',c_wchar*120),
('text',c_wchar*30)
]
class SearchParam64(Structure):
class SearchParam(Structure):
_fields_=[
('pattern',c_char*30),
('address_method',c_int),
@ -164,18 +110,11 @@ class RemoveHookCmd(Structure):
def __init__(self, address) -> None:
self.command=HOST_COMMAND_REMOVE_HOOK
self.address=address
class InsertHookCmd32(Structure):
class InsertHookCmd(Structure):
_fields_=[
('command',HostCommandType),
('hp',HookParam32)
]
def __init__(self, hp) -> None:
self.command=HOST_COMMAND_NEW_HOOK
self.hp=hp
class InsertHookCmd64(Structure):
_fields_=[
('command',HostCommandType),
('hp',HookParam64)
('hp',HookParam)
]
def __init__(self, hp) -> None:
self.command=HOST_COMMAND_NEW_HOOK
@ -188,18 +127,11 @@ class InsertHookCodeNaive(Structure):
def __init__(self, hp) -> None:
self.command=HOST_COMMAND_NEW_HOOK_NAIVE
self.hcode=hp
class FindHookCmd32(Structure):
class FindHookCmd(Structure):
_fields_=[
('command',HostCommandType),
('sp',SearchParam32)
]
def __init__(self, sp) -> None:
self.command=HOST_COMMAND_FIND_HOOK
self.sp=sp
class FindHookCmd64(Structure):
_fields_=[
('command',HostCommandType),
('sp',SearchParam64)
('sp',SearchParam)
]
def __init__(self, sp) -> None:
self.command=HOST_COMMAND_FIND_HOOK
@ -216,18 +148,10 @@ class hookfoundtext(Structure):
_fields_=[('text',c_wchar*MESSAGE_SIZE)]
class HookFoundNotif32(Structure):
class HookFoundNotif(Structure):
_fields_=[
('command',HostNotificationType),
('hp',HookParam32),
('hcode',c_wchar*500),
('text',hookfoundtext)
]
class HookFoundNotif64(Structure):
_fields_=[
('command',HostNotificationType),
('hp',HookParam64),
('hp',HookParam),
('hcode',c_wchar*500),
('text',hookfoundtext)
]
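Review bot: The merged `HookParam` and `TextHook` keep only the 64-bit field widths (`address`, `readerThread` and `local_buffer` as c_uint64, a 140-byte `trampoline`), while the deleted `HookParam32`/`TextHook32` carried c_uint32 fields that the old comment marked as `uintptr_t`, so these definitions now assume the injected DLL writes one 64-bit-wide layout into shared memory and over the pipe for 32-bit targets as well. The diffstat lists only Python files, so unless the native side already uses a single layout (not visible here), the host-side view sized from sizeof(TextHook) and the `from_buffer_copy` decoding of `HookFoundNotif` would read misaligned fields from a 32-bit process. Whichever is the case, the assumption belongs next to the struct, e.g. above `class HookParam(Structure):` add `# field widths must match the injected DLL's HookParam on both 32- and 64-bit targets; the host no longer picks a layout per process`. The same remark applies to the merged `SearchParam` and to the `InsertHookCmd`, `FindHookCmd` and `HookFoundNotif` wrappers in the later hunks of this file.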


@ -31,8 +31,8 @@ def ConsumeHexInt(HCode):
return HCode,0
def Hex(st):
return hex(st).replace('0x','').upper()
def ParseRCode(RCode,hp) :
def ParseRCode(RCode) :
hp=define.HookParam()
hp.type |= DIRECT_READ
if RCode[0]=='S':
pass
@ -62,8 +62,8 @@ def ParseRCode(RCode,hp) :
hp.address = int(match.group(1), 16)
return hp
def ParseHCode(HCode,hp):
#print(HCode)
def ParseHCode(HCode):
hp=define.HookParam()
if HCode[0] == 'A':
hp.type |= BIG_ENDIAN
hp.length_offset = 1
@ -144,14 +144,14 @@ def ParseHCode(HCode,hp):
hp.split -= 4
return hp
def Parse(code,hp):
def Parse(code):
code=code.strip().replace('\r','').replace('\n','').replace('\t','')
if(code[0]=='/'):code=code[1:]
if('/' in code):code=code.split('/')[0]
if(code[0]=='R'):
hp=ParseRCode(code[1:],hp)
hp=ParseRCode(code[1:])
elif(code[0]=='H'):
hp=ParseHCode(code[1:],hp)
hp=ParseHCode(code[1:])
else:
hp=None
return hp
@ -254,13 +254,12 @@ def Generate(_hp,process_id):
return code
if __name__=='__main__':
hp=define.HookParam32()
# print(Parse("/HQN936#1+-c*C:C*1C@4AA:gdi.dll:GetTextOutA",hp))
# print(Parse("/HQN936#-c*C:C*1C@4AA:gdi.dll:GetTextOutA /KF",hp))
# print(Parse("HB4@0" ,hp)),
# print(Parse("/RS65001#@44",hp)),
# print(Parse("HQ@4",hp,))
print(Parse('HS8:-14@76D85270',hp))
print(Parse('/HS8:-14@76D85270'))
# print(Parse("/RW@44",hp)),
# print(Parse("/HWG@33",hp))
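Review bot: `Parse` still indexes `code[0]` immediately after stripping whitespace, so an empty or whitespace-only code raises IndexError instead of returning None as the unrecognized-prefix branch does; the cheapest guard is `if not code: return None` placed before the `if(code[0]=='/')` line. The same pattern recurs in the new `ParseRCode` and `ParseHCode` (`RCode[0]`, `HCode[0]`), which `Parse` now calls with `code[1:]`, so a one-character code such as `H` reaches them with an empty string; both bodies continue outside their hunks. Since `ParseRCode` and `ParseHCode` now construct `define.HookParam()` themselves rather than filling a caller-supplied struct, a one-line docstring stating that the result starts from a zeroed struct and only the fields encoded by the code are set would spare the next reader a trip to the callers.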


@ -13,16 +13,11 @@ from myutils.hwnd import testprivilege
import ctypes
import textsource.hook.hookcode as hookcode
class ProcessRecord():
def __init__(self,pipe,processId,_is64bit) -> None:
def __init__(self,pipe,processId) -> None:
self.pipe=pipe
self.processId=processId
self._is64bit=_is64bit
if _is64bit:
buff=define.MAX_HOOK*define.TextHook64
else:
buff=define.MAX_HOOK*define.TextHook32
buff=define.MAX_HOOK*define.TextHook
HOOK_SECTION_SIZE=sizeof(buff)
self.buff=buff
self.OnHookFound=0
fmap1=windows.OpenFileMapping(windows.FILE_MAP_READ,False,define.SHAREDMEMDPREFIX+str(processId))
address1=windows.MapViewOfFile(fmap1, windows.FILE_MAP_READ, HOOK_SECTION_SIZE)
@ -49,27 +44,18 @@ class ProcessRecord():
def InsertHookCode(self,string):
if len(string) and string[0]=='E':
self.Send(define.InsertHookCodeNaive(string))
else:
if self._is64bit:
hp_t=define.HookParam64
cmd_t=define.InsertHookCmd64
else:
hp_t=define.HookParam32
cmd_t=define.InsertHookCmd32
hp=hookcode.Parse(string,hp_t())
else:
hp=hookcode.Parse(string)
print(hp)
if hp:
self.Send(cmd_t(hp))
self.Send(define.InsertHookCmd(hp))
return True
else:
return False
def FindHooks(self,sp,OnHookFound):
self.OnHookFound=OnHookFound
if self._is64bit:
self.Send(define.FindHookCmd64(sp))
else:
self.Send(define.FindHookCmd32(sp))
self.Send(define.FindHookCmd(sp))
self.OnHookFound=OnHookFound
def RemoveHook(self,addr):
self.Send(define.RemoveHookCmd(addr));
@ -206,15 +192,14 @@ class RPC():
windows.CloseHandle(pipeAvailableEvent)
processId = self.toint(windows.ReadFile(hookPipe, 4,None) )
_is64bit=windows.Is64bit(processId)
self.ProcessRecord[processId]=ProcessRecord(hostPipe,processId,_is64bit)
self.ProcessRecord[processId]=ProcessRecord(hostPipe,processId)
self.OnConnect(processId)
while True:
data=windows.ReadFile(hookPipe,50000,None)
if len(data)==0 :break
if len(data)==50000:continue
self.OnMessage(data,processId,_is64bit)
self.OnMessage(data,processId)
self.ProcessRecord.pop(processId)
windows.CloseHandle(hookPipe)
windows.CloseHandle(hostPipe)
@ -235,7 +220,7 @@ class RPC():
self.textthreads.pop(_)
self.OnDestroy(_)
self.textthreadslock.release()
def OnMessage(self,data,processId,_is64bit):
def OnMessage(self,data,processId):
cmd=self.toint(data[:4])
if(cmd==define. HOST_NOTIFICATION_TEXT):
try:
@ -245,14 +230,11 @@ class RPC():
self.Console(message)
elif(cmd==define.HOST_NOTIFICATION_FOUND_HOOK):
if _is64bit:
_HookFoundNotif=define.HookFoundNotif64
else:
_HookFoundNotif=define.HookFoundNotif32
_HookFoundNotif=define.HookFoundNotif
_HookFoundNotif=_HookFoundNotif.from_buffer_copy(data)
text=_HookFoundNotif.text.text
#print(_HookFoundNotif.hcode,hookcode.Generate(_HookFoundNotif.hp,processId))
hp=hookcode.Parse(_HookFoundNotif.hcode,_HookFoundNotif.hp)
hp=hookcode.Parse(_HookFoundNotif.hcode)
if len(text)>12:
self.ProcessRecord[processId].OnHookFound(hookcode.Generate(hp,processId),text)
hp.type&=~hookcode.USING_UNICODE
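Review bot: In the hook-found branch of `OnMessage`, `hp=hookcode.Parse(_HookFoundNotif.hcode)` is followed by unconditional uses of the result (`hookcode.Generate(hp,processId)` and `hp.type&=~hookcode.USING_UNICODE`), yet `Parse` returns None for a code that does not start with `R` or `H` and raises IndexError on an empty one, and `hcode` is a 500-wchar buffer received over the pipe from the hooked process. A guard such as `if hp is None: return` directly after the Parse call would stop one malformed notification from propagating out of the read loop (no handler for it is visible here), assuming nothing after the elif chain must still run — `OnMessage` continues outside the hunk. The old call also passed `_HookFoundNotif.hp` as the base struct, whereas the new one starts from a zeroed `HookParam`, so any field the hcode does not encode is discarded before `Generate`; worth confirming `Generate` needs none of them, or noting why in a comment on that line. `from_buffer_copy(data)` on the same lines raises ValueError when the pipe read is shorter than sizeof(HookFoundNotif); that is pre-existing but now sits in the rewritten block.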


@ -180,14 +180,13 @@ class texthook(basetext ):
return cp
def defaultsp(self):
usestruct=define.SearchParam()
if not self.is64bit:
usestruct=define.SearchParam32()
usestruct.pattern=bytes([0x55,0x8b,0xec])
usestruct.length=3
usestruct.offset=0
usestruct.maxAddress=0xFFFFFFFF
else:
usestruct=define.SearchParam64()
usestruct.pattern=bytes([0xCC,0xCC,0x48,0x89])
usestruct.length=4
usestruct.offset=2