<![CDATA[
<P>#include <windows.h><BR>#include <stdio.h></P>
<P>LPVOID g_pfWriteFile = NULL;<BR>CREATE_PROCESS_DEBUG_INFO g_cpdi;<BR>BYTE g_chINT3 = 0xCC, g_chOrgByte = 0;</P>
<P>HWND g_hWnd;<BR>//Define the local function<BR>void DebugLoop(void);<BR>BOOL OnCreateProcessDebugEvent (LPDEBUG_EVENT pde);<BR>BOOL OnExceptionDebugEvent(LPDEBUG_EVENT pde);<BR>int main(int argc, char* argv[])<BR>{<BR> DWORD dwPID;</P>
<P> if( argc != 2 )<BR> {<BR> printf("\nUSAGE : hookdbg.exe <pid>\n");<BR> // return 1;<BR> }</P>
<P> // Attach Process</P>
<P> ShellExecute(NULL, "open", "C:\\Api후킹대상파일.exe", NULL, NULL, SW_SHOWNORMAL);</P>
<P> Sleep(1000);<BR> if(argv[1] == NULL)<BR> {<BR> g_hWnd = FindWindow(NULL, "제목없음 - _________");<BR> if(g_hWnd == NULL)<BR> {<BR> MessageBox(NULL, "찾기실패", "대상 파일을 찾을 수 없습니다.", MB_OK);<BR> return 1;<BR> }<BR> GetWindowThreadProcessId(g_hWnd, &dwPID);<BR> } <BR> else<BR> {<BR> dwPID = atoi(argv[1]);<BR> }</P>
<P> if(!DebugActiveProcess(dwPID))<BR> {<BR> printf( "DebugActiveProcess(%d) failed!!! \n"<BR> "Error Code = %d\n", dwPID, GetLastError());<BR> return 1;<BR> }</P>
<P><BR> //Debuger loop<BR> DebugLoop();</P>
<P> return 0;<BR>}</P>
<P>void DebugLoop()<BR>{<BR> DEBUG_EVENT de;<BR> DWORD dwContinueStatus;</P>
<P> //Wait for event signal Create for Debuggee<BR> while(WaitForDebugEvent(&de, INFINITE) )<BR> {<BR> dwContinueStatus = DBG_CONTINUE;</P>
<P> //Debuggee process create or attach event<BR> if( CREATE_PROCESS_DEBUG_EVENT == de.dwDebugEventCode )<BR> {<BR> OnCreateProcessDebugEvent(&de);<BR> }<BR> //Exception event<BR> else if( EXCEPTION_DEBUG_EVENT == de.dwDebugEventCode )<BR> {<BR> if( OnExceptionDebugEvent(&de) )<BR> continue;<BR> }<BR> //Debuggee process exit event<BR> else if( EXIT_PROCESS_DEBUG_EVENT == de.dwDebugEventCode )<BR> {<BR> // Debuggee exit -> Debugger exit<BR> break;<BR> }</P>
<P> // Debuggee's resume<BR> ContinueDebugEvent(de.dwProcessId, de.dwThreadId, dwContinueStatus);<BR> }<BR>}</P>
<P>BOOL OnCreateProcessDebugEvent (LPDEBUG_EVENT pde)<BR>{<BR> // Get the address of WriteFile() API <BR> g_pfWriteFile = GetProcAddress(GetModuleHandle("gdi32.dll"),<BR> "TextOutA");<BR> //API Hook - WriteFile()<BR> //첫번째 byte를 0xCC (INT3)로 변경<BR> //(orginal byte는 백업 - g_chOrgByte)<BR> g_cpdi = pde->u.CreateProcessInfo; // CREATE_PROCESS_DEBUG_INFO</P>
<P> ReadProcessMemory(g_cpdi.hProcess, g_pfWriteFile,<BR> &g_chOrgByte, sizeof(BYTE), NULL);</P>
<P> WriteProcessMemory(g_cpdi.hProcess, g_pfWriteFile,<BR> &g_chINT3, sizeof(BYTE), NULL);</P>
<P> return TRUE;<BR>}</P>
<P>BOOL OnExceptionDebugEvent(LPDEBUG_EVENT pde)<BR>{<BR> CONTEXT ctx;<BR> PBYTE lpBuffer = NULL;<BR> DWORD dwNumOfBytesToWrite, dwAddrOfBuffer, i;</P>
<P> INT nX, nY, nStrlen;<BR> LPVOID lpString;</P>
<P> PEXCEPTION_RECORD per = &pde->u.Exception.ExceptionRecord;<BR> char szTaeho1[256];<BR> char szTaeho2[256];<BR> //BreakPoint exception (INT 3)인 경우<BR> if( EXCEPTION_BREAKPOINT == per->ExceptionCode)<BR> {<BR> //BP주소가 WriteFile() API 주소인 경우<BR> if( g_pfWriteFile == per->ExceptionAddress)<BR> {<BR> //#1. Unhook<BR> //0xCC로 덮어쓴 부분을 original byte로 되돌림<BR> WriteProcessMemory(g_cpdi.hProcess, g_pfWriteFile,<BR> &g_chOrgByte, sizeof(BYTE), NULL);<BR> //#2. Thread Context 구하기<BR> ctx.ContextFlags = CONTEXT_CONTROL;<BR> GetThreadContext(g_cpdi.hThread, &ctx);</P>
<P> //#3. WriteFiel()의 param 2, 3값 구하기<BR> // 함수의 파라미터는 해당 프로세스의 스택에 존재함<BR> // param 2 : ESP + 0x8<BR> // param 3 : ESP + 0xC<BR> ReadProcessMemory(g_cpdi.hProcess, (LPVOID)(ctx.Esp + 0x8),<BR> &dwAddrOfBuffer, sizeof(DWORD), NULL);<BR> ReadProcessMemory(g_cpdi.hProcess, (LPVOID)(ctx.Esp + 0xC),<BR> &dwNumOfBytesToWrite, sizeof(DWORD), NULL);</P>
<P> {<BR> //TextOut의 X좌표<BR> ReadProcessMemory(g_cpdi.hProcess, (LPVOID)( ctx.Esp + sizeof(HDC) + 0x4 ),<BR> (int*)&nX, sizeof(INT), NULL);</P>
<P> //TextOut의 Y좌표<BR> ReadProcessMemory(g_cpdi.hProcess, (LPVOID)( ctx.Esp + sizeof(HDC) + 0x8 ),<BR> (int*)&nY, sizeof(INT), NULL);<BR> //TextOut의 문자열 버퍼 주소를 구함<BR> ReadProcessMemory(g_cpdi.hProcess, (LPVOID)( ctx.Esp + sizeof(HDC) + 0x8 + sizeof(LPVOID) ),<BR> &lpString, sizeof(LPVOID), NULL);</P>
<P> //TextOut의 문자열 길이를 구함.<BR> ReadProcessMemory(g_cpdi.hProcess, (LPVOID)( ctx.Esp + sizeof(HDC) + 0x8 + sizeof( LPCTSTR) + sizeof(INT) ),<BR> (int*)&nStrlen, sizeof(INT), NULL);<BR> <BR> //TextOut의 문자열 버퍼 주소에 있는 문자열을 문자열의 길이만큼 긁어 옴.<BR> ReadProcessMemory(g_cpdi.hProcess, lpString,<BR> szTaeho1, nStrlen, NULL);<BR> szTaeho1[nStrlen] = NULL;</P>
<P> // printf("\nlpString = %x \n", lpString);</P>
<P> // printf("x=%d, y=%d,\tLength= %d\n", nX, nY, nStrlen);<BR> if(lstrcmp(szTaeho1, "갑오") == 0)<BR> {<BR> printf("\n+_+ TextOutMsg : %s\n", szTaeho1);<BR> }</P>
<P><BR> }</P>
<P> //#4. 임시 버퍼 할당<BR> lpBuffer = (PBYTE)malloc(dwNumOfBytesToWrite + 1);<BR> memset(lpBuffer, 0, dwNumOfBytesToWrite + 1);</P>
<P> //#5. WriteFile()의 버퍼를 임시 버퍼에 복사<BR> ReadProcessMemory(g_cpdi.hProcess, (LPVOID)dwAddrOfBuffer,<BR> lpBuffer, dwNumOfBytesToWrite, NULL);<BR> // printf("\n+_+ original string : %s\n", lpBuffer);</P>
<P> //#6. 소문자 -> 대문자 변환<BR> for( i = 0; i < dwNumOfBytesToWrite; i++)<BR> {<BR> if(0x61 <= lpBuffer[i] && lpBuffer[i] <= 0x7A )<BR> lpBuffer[i] -= 0x20;<BR> }</P>
<P> // printf("\n+_+ Converted string : %s\n", lpBuffer);</P>
<P> //#7. 변환된 버퍼를 WriteFile() 버퍼로 복사<BR> WriteProcessMemory(g_cpdi.hProcess, (LPVOID)dwAddrOfBuffer,<BR> lpBuffer, dwNumOfBytesToWrite, NULL);<BR> //#8. 임시 버퍼 해제<BR> free(lpBuffer);</P>
<P> //#9. Thread Context의 EIP를 WriteFile() 시작으로 변경<BR> // (현재는 WriteFile() + 1 위치 <- INT3 명령 이후)<BR> ctx.Eip = (DWORD) g_pfWriteFile;<BR> SetThreadContext(g_cpdi.hThread, &ctx);</P>
<P> //#10. Debuggee 프로세스를 진행시킴<BR> ContinueDebugEvent(pde->dwProcessId, pde->dwThreadId, DBG_CONTINUE);<BR> Sleep(0);</P>
<P> //#11. API Hook<BR> WriteProcessMemory(g_cpdi.hProcess, g_pfWriteFile,<BR> &g_chINT3, sizeof(BYTE), NULL);</P>
<P> return TRUE;<BR> }<BR> }<BR> return FALSE;<BR>}</P>
<!-- -->
]]>
