HIllya51 2024-01-12 22:44:21 +08:00
parent f06244e125
commit 0e3b3a1a02
4 changed files with 33 additions and 129 deletions


@ -39,7 +39,7 @@ class ThreadParam(Structure):
def __eq__(self, __value ): def __eq__(self, __value ):
return self.__hash__()==__value.__hash__() return self.__hash__()==__value.__hash__()
class HookParam64(Structure): class HookParam(Structure):
_fields_=[ _fields_=[
('address',c_uint64), ('address',c_uint64),
('offset',c_int), ('offset',c_int),
@ -64,34 +64,9 @@ class HookParam64(Structure):
('_4',c_uint64), ('_4',c_uint64),
('name',c_char*HOOK_NAME_SIZE) ('name',c_char*HOOK_NAME_SIZE)
] ]
class HookParam32(Structure): class TextHook(Structure):
_fields_=[ _fields_=[
('address',c_uint64), ('hp',HookParam),
('offset',c_int),
('index',c_int),
('split',c_int),
('split_index',c_int),
('null_length',c_int),
('module',c_wchar*MAX_MODULE_SIZE),
('function',c_char*MAX_MODULE_SIZE),
('type',c_uint),
('codepage', c_uint),
('length_offset',c_short),
('padding',c_uint32), #uintptr_t
('user_value',c_uint),
('text_fun',c_uint32),
('filter_fun',c_uint32),
('hook_fun',c_uint32),
('length_fun',c_uint32), #函数指针
('_1',c_uint32),
('_2',c_uint32),
('_3',c_uint32),
('_4',c_uint32),
('name',c_char*HOOK_NAME_SIZE)
]
class TextHook64(Structure):
_fields_=[
('hp',HookParam64),
('address',c_uint64), #union{uint64 && void*} ('address',c_uint64), #union{uint64 && void*}
('useCount',c_uint), ('useCount',c_uint),
('readerThread',c_uint64), #HANLDE ->void* ('readerThread',c_uint64), #HANLDE ->void*
@ -100,38 +75,9 @@ class TextHook64(Structure):
('trampoline',c_ubyte*140), ('trampoline',c_ubyte*140),
('local_buffer',c_uint64) ('local_buffer',c_uint64)
] ]
class TextHook32(Structure):
_fields_=[
('hp',HookParam32),
('address',c_uint64), #union{uint64 && void*}
('useCount',c_uint),
('readerThread',c_uint32), #HANLDE ->void*
('readerEvent',c_uint32),
('err',c_bool),
('trampoline',c_ubyte*40),
('local_buffer',c_uint32)
]
MAX_HOOK=2500 MAX_HOOK=2500
class SearchParam(Structure):
class SearchParam32(Structure):
_fields_=[
('pattern',c_char*30),
('address_method',c_int),
('search_method',c_int),
('length',c_int),
('offset',c_int),
('searchTime',c_int),
('maxRecords',c_int),
('codepage',c_int),
('padding',c_uint),
('minAddress',c_uint),
('maxAddress',c_uint),
('boundaryModule',c_wchar*120),
('exportModule',c_wchar*120),
('text',c_wchar*30)
]
class SearchParam64(Structure):
_fields_=[ _fields_=[
('pattern',c_char*30), ('pattern',c_char*30),
('address_method',c_int), ('address_method',c_int),
@ -164,18 +110,11 @@ class RemoveHookCmd(Structure):
def __init__(self, address) -> None: def __init__(self, address) -> None:
self.command=HOST_COMMAND_REMOVE_HOOK self.command=HOST_COMMAND_REMOVE_HOOK
self.address=address self.address=address
class InsertHookCmd32(Structure):
class InsertHookCmd(Structure):
_fields_=[ _fields_=[
('command',HostCommandType), ('command',HostCommandType),
('hp',HookParam32) ('hp',HookParam)
]
def __init__(self, hp) -> None:
self.command=HOST_COMMAND_NEW_HOOK
self.hp=hp
class InsertHookCmd64(Structure):
_fields_=[
('command',HostCommandType),
('hp',HookParam64)
] ]
def __init__(self, hp) -> None: def __init__(self, hp) -> None:
self.command=HOST_COMMAND_NEW_HOOK self.command=HOST_COMMAND_NEW_HOOK
@ -188,18 +127,11 @@ class InsertHookCodeNaive(Structure):
def __init__(self, hp) -> None: def __init__(self, hp) -> None:
self.command=HOST_COMMAND_NEW_HOOK_NAIVE self.command=HOST_COMMAND_NEW_HOOK_NAIVE
self.hcode=hp self.hcode=hp
class FindHookCmd32(Structure):
class FindHookCmd(Structure):
_fields_=[ _fields_=[
('command',HostCommandType), ('command',HostCommandType),
('sp',SearchParam32) ('sp',SearchParam)
]
def __init__(self, sp) -> None:
self.command=HOST_COMMAND_FIND_HOOK
self.sp=sp
class FindHookCmd64(Structure):
_fields_=[
('command',HostCommandType),
('sp',SearchParam64)
] ]
def __init__(self, sp) -> None: def __init__(self, sp) -> None:
self.command=HOST_COMMAND_FIND_HOOK self.command=HOST_COMMAND_FIND_HOOK
@ -216,18 +148,10 @@ class hookfoundtext(Structure):
_fields_=[('text',c_wchar*MESSAGE_SIZE)] _fields_=[('text',c_wchar*MESSAGE_SIZE)]
class HookFoundNotif32(Structure): class HookFoundNotif(Structure):
_fields_=[ _fields_=[
('command',HostNotificationType), ('command',HostNotificationType),
('hp',HookParam32), ('hp',HookParam),
('hcode',c_wchar*500),
('text',hookfoundtext)
]
class HookFoundNotif64(Structure):
_fields_=[
('command',HostNotificationType),
('hp',HookParam64),
('hcode',c_wchar*500), ('hcode',c_wchar*500),
('text',hookfoundtext) ('text',hookfoundtext)
] ]
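Review bot: The merged `HookParam`, `TextHook` and `SearchParam` keep only the 64-bit widths (`c_uint64` address, `c_uint64` readerThread and local_buffer, a 140-byte trampoline), yet nothing in this diff states what a 32-bit hook DLL now writes into the shared section and the pipe; the diffstat lists four files and all four shown are Python, so the native side is presumably unchanged or handled elsewhere. These layouts are consumed with `from_buffer_copy` and used to size the `MapViewOfFile` view in the host, so a width mismatch surfaces as silently shifted fields rather than an error. I would document the contract above the first definition, `# Single layout for both 32-bit and 64-bit targets: the native HookParam/TextHook must use 64-bit-wide pointer/handle fields regardless of target bitness.`, and pin the agreed size with a module-level `assert sizeof(HookParam) == <size from the native header>` so drift fails at import instead of in the field reader. If the native header still defines a narrower 32-bit HookParam, the removed `*32` classes need to come back.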


@ -31,8 +31,8 @@ def ConsumeHexInt(HCode):
return HCode,0 return HCode,0
def Hex(st): def Hex(st):
return hex(st).replace('0x','').upper() return hex(st).replace('0x','').upper()
def ParseRCode(RCode,hp) : def ParseRCode(RCode) :
hp=define.HookParam()
hp.type |= DIRECT_READ hp.type |= DIRECT_READ
if RCode[0]=='S': if RCode[0]=='S':
pass pass
@ -62,8 +62,8 @@ def ParseRCode(RCode,hp) :
hp.address = int(match.group(1), 16) hp.address = int(match.group(1), 16)
return hp return hp
def ParseHCode(HCode,hp): def ParseHCode(HCode):
#print(HCode) hp=define.HookParam()
if HCode[0] == 'A': if HCode[0] == 'A':
hp.type |= BIG_ENDIAN hp.type |= BIG_ENDIAN
hp.length_offset = 1 hp.length_offset = 1
@ -144,14 +144,14 @@ def ParseHCode(HCode,hp):
hp.split -= 4 hp.split -= 4
return hp return hp
def Parse(code,hp): def Parse(code):
code=code.strip().replace('\r','').replace('\n','').replace('\t','') code=code.strip().replace('\r','').replace('\n','').replace('\t','')
if(code[0]=='/'):code=code[1:] if(code[0]=='/'):code=code[1:]
if('/' in code):code=code.split('/')[0] if('/' in code):code=code.split('/')[0]
if(code[0]=='R'): if(code[0]=='R'):
hp=ParseRCode(code[1:],hp) hp=ParseRCode(code[1:])
elif(code[0]=='H'): elif(code[0]=='H'):
hp=ParseHCode(code[1:],hp) hp=ParseHCode(code[1:])
else: else:
hp=None hp=None
return hp return hp
@ -254,13 +254,12 @@ def Generate(_hp,process_id):
return code return code
if __name__=='__main__': if __name__=='__main__':
hp=define.HookParam32()
# print(Parse("/HQN936#1+-c*C:C*1C@4AA:gdi.dll:GetTextOutA",hp)) # print(Parse("/HQN936#1+-c*C:C*1C@4AA:gdi.dll:GetTextOutA",hp))
# print(Parse("/HQN936#-c*C:C*1C@4AA:gdi.dll:GetTextOutA /KF",hp)) # print(Parse("/HQN936#-c*C:C*1C@4AA:gdi.dll:GetTextOutA /KF",hp))
# print(Parse("HB4@0" ,hp)), # print(Parse("HB4@0" ,hp)),
# print(Parse("/RS65001#@44",hp)), # print(Parse("/RS65001#@44",hp)),
# print(Parse("HQ@4",hp,)) # print(Parse("HQ@4",hp,))
print(Parse('HS8:-14@76D85270',hp)) print(Parse('/HS8:-14@76D85270'))
# print(Parse("/RW@44",hp)), # print(Parse("/RW@44",hp)),
# print(Parse("/HWG@33",hp)) # print(Parse("/HWG@33",hp))
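Review bot: `Parse` now allocates the `HookParam` itself but still indexes `code[0]` before checking that anything survived the `strip()` and the `/` split, so an empty code, or one consisting only of `/`, raises `IndexError` instead of returning `None` the way the non-`R`/`H` branch does; the host's found-hook handler feeds `hcode` from the pipe notification straight into this function. Add `if not code: return None` immediately after the `strip()` line and again after the `split('/')[0]` line. A short docstring would also help now that the function owns its result: `"""Parse an H- or R-code string into a fresh define.HookParam; returns None for an unrecognised code."""`. The `ParseRCode` and `ParseHCode` bodies run outside the hunks shown here.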


@ -13,16 +13,11 @@ from myutils.hwnd import testprivilege
import ctypes import ctypes
import textsource.hook.hookcode as hookcode import textsource.hook.hookcode as hookcode
class ProcessRecord(): class ProcessRecord():
def __init__(self,pipe,processId,_is64bit) -> None: def __init__(self,pipe,processId) -> None:
self.pipe=pipe self.pipe=pipe
self.processId=processId self.processId=processId
self._is64bit=_is64bit buff=define.MAX_HOOK*define.TextHook
if _is64bit:
buff=define.MAX_HOOK*define.TextHook64
else:
buff=define.MAX_HOOK*define.TextHook32
HOOK_SECTION_SIZE=sizeof(buff) HOOK_SECTION_SIZE=sizeof(buff)
self.buff=buff
self.OnHookFound=0 self.OnHookFound=0
fmap1=windows.OpenFileMapping(windows.FILE_MAP_READ,False,define.SHAREDMEMDPREFIX+str(processId)) fmap1=windows.OpenFileMapping(windows.FILE_MAP_READ,False,define.SHAREDMEMDPREFIX+str(processId))
address1=windows.MapViewOfFile(fmap1, windows.FILE_MAP_READ, HOOK_SECTION_SIZE) address1=windows.MapViewOfFile(fmap1, windows.FILE_MAP_READ, HOOK_SECTION_SIZE)
@ -50,26 +45,17 @@ class ProcessRecord():
if len(string) and string[0]=='E': if len(string) and string[0]=='E':
self.Send(define.InsertHookCodeNaive(string)) self.Send(define.InsertHookCodeNaive(string))
else: else:
if self._is64bit: hp=hookcode.Parse(string)
hp_t=define.HookParam64
cmd_t=define.InsertHookCmd64
else:
hp_t=define.HookParam32
cmd_t=define.InsertHookCmd32
hp=hookcode.Parse(string,hp_t())
print(hp) print(hp)
if hp: if hp:
self.Send(cmd_t(hp)) self.Send(define.InsertHookCmd(hp))
return True return True
else: else:
return False return False
def FindHooks(self,sp,OnHookFound): def FindHooks(self,sp,OnHookFound):
self.OnHookFound=OnHookFound self.OnHookFound=OnHookFound
if self._is64bit: self.Send(define.FindHookCmd(sp))
self.Send(define.FindHookCmd64(sp))
else:
self.Send(define.FindHookCmd32(sp))
self.OnHookFound=OnHookFound self.OnHookFound=OnHookFound
def RemoveHook(self,addr): def RemoveHook(self,addr):
self.Send(define.RemoveHookCmd(addr)); self.Send(define.RemoveHookCmd(addr));
@ -206,15 +192,14 @@ class RPC():
windows.CloseHandle(pipeAvailableEvent) windows.CloseHandle(pipeAvailableEvent)
processId = self.toint(windows.ReadFile(hookPipe, 4,None) ) processId = self.toint(windows.ReadFile(hookPipe, 4,None) )
_is64bit=windows.Is64bit(processId) self.ProcessRecord[processId]=ProcessRecord(hostPipe,processId)
self.ProcessRecord[processId]=ProcessRecord(hostPipe,processId,_is64bit)
self.OnConnect(processId) self.OnConnect(processId)
while True: while True:
data=windows.ReadFile(hookPipe,50000,None) data=windows.ReadFile(hookPipe,50000,None)
if len(data)==0 :break if len(data)==0 :break
if len(data)==50000:continue if len(data)==50000:continue
self.OnMessage(data,processId,_is64bit) self.OnMessage(data,processId)
self.ProcessRecord.pop(processId) self.ProcessRecord.pop(processId)
windows.CloseHandle(hookPipe) windows.CloseHandle(hookPipe)
windows.CloseHandle(hostPipe) windows.CloseHandle(hostPipe)
@ -235,7 +220,7 @@ class RPC():
self.textthreads.pop(_) self.textthreads.pop(_)
self.OnDestroy(_) self.OnDestroy(_)
self.textthreadslock.release() self.textthreadslock.release()
def OnMessage(self,data,processId,_is64bit): def OnMessage(self,data,processId):
cmd=self.toint(data[:4]) cmd=self.toint(data[:4])
if(cmd==define. HOST_NOTIFICATION_TEXT): if(cmd==define. HOST_NOTIFICATION_TEXT):
try: try:
@ -245,14 +230,11 @@ class RPC():
self.Console(message) self.Console(message)
elif(cmd==define.HOST_NOTIFICATION_FOUND_HOOK): elif(cmd==define.HOST_NOTIFICATION_FOUND_HOOK):
if _is64bit: _HookFoundNotif=define.HookFoundNotif
_HookFoundNotif=define.HookFoundNotif64
else:
_HookFoundNotif=define.HookFoundNotif32
_HookFoundNotif=_HookFoundNotif.from_buffer_copy(data) _HookFoundNotif=_HookFoundNotif.from_buffer_copy(data)
text=_HookFoundNotif.text.text text=_HookFoundNotif.text.text
#print(_HookFoundNotif.hcode,hookcode.Generate(_HookFoundNotif.hp,processId)) #print(_HookFoundNotif.hcode,hookcode.Generate(_HookFoundNotif.hp,processId))
hp=hookcode.Parse(_HookFoundNotif.hcode,_HookFoundNotif.hp) hp=hookcode.Parse(_HookFoundNotif.hcode)
if len(text)>12: if len(text)>12:
self.ProcessRecord[processId].OnHookFound(hookcode.Generate(hp,processId),text) self.ProcessRecord[processId].OnHookFound(hookcode.Generate(hp,processId),text)
hp.type&=~hookcode.USING_UNICODE hp.type&=~hookcode.USING_UNICODE
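Review bot: `from_buffer_copy(data)` in the `HOST_NOTIFICATION_FOUND_HOOK` branch raises `ValueError` when `data` is shorter than `sizeof(define.HookFoundNotif)`, and this commit widens that structure to the 64-bit `HookParam` for every target; if a 32-bit hook DLL still emits the narrower message, the exception propagates out of `OnMessage` into the pipe reader loop, which lies outside this hunk. Guard it before the copy: `if len(data) < sizeof(define.HookFoundNotif): self.Console('short FOUND_HOOK notification'); return`. Separately, `hp=hookcode.Parse(_HookFoundNotif.hcode)` now rebuilds the hook from the text alone and discards `_HookFoundNotif.hp`, so any field the native side filled that the H-code string cannot express is presumably lost before `Generate` runs; confirm that is intended, or pass the notification's `hp` through again.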


@ -180,14 +180,13 @@ class texthook(basetext ):
return cp return cp
def defaultsp(self): def defaultsp(self):
usestruct=define.SearchParam()
if not self.is64bit: if not self.is64bit:
usestruct=define.SearchParam32()
usestruct.pattern=bytes([0x55,0x8b,0xec]) usestruct.pattern=bytes([0x55,0x8b,0xec])
usestruct.length=3 usestruct.length=3
usestruct.offset=0 usestruct.offset=0
usestruct.maxAddress=0xFFFFFFFF usestruct.maxAddress=0xFFFFFFFF
else: else:
usestruct=define.SearchParam64()
usestruct.pattern=bytes([0xCC,0xCC,0x48,0x89]) usestruct.pattern=bytes([0xCC,0xCC,0x48,0x89])
usestruct.length=4 usestruct.length=4
usestruct.offset=2 usestruct.offset=2