用FASM X64 汇编代码 hook message box 并验证附源码

slzslz · 发表于 6 小时前

本帖最后由 slzslz 于 2025-7-7 10:38 编辑

[AppleScript] 纯文本查看 复制代码

format PE64 GUI 5.0
entry start

include 'win64a.inc'

section '.data' data readable writeable
  origMessage   db 'Original message',0
  hookedMessage db 'HOOK SUCCESSFUL!',0
  caption       db 'MessageBox Hook',0
  user32        db 'user32.dll',0
  msgBoxA       db 'MessageBoxA',0

  ; Addresses and handles
  hUser32       dq ?
  pMessageBoxA  dq ?
  hProcess      dq ?
  trampoline    dq ?        ; Address of trampoline function
  oldProtect    dq ?        ; Old memory protection
  bytesWritten  dq ?        ; Bytes written by WriteProcessMemory

  ; Original bytes storage
  origBytes     db 14 dup(?)
  backupBytes   db 14 dup(?)

section '.text' code readable executable

start:
  sub rsp, 0x28            ; Allocate shadow space

  ; Load user32.dll and get MessageBoxA address
  invoke LoadLibraryA, user32
  test rax, rax
  jz .exit
  mov [hUser32], rax

  invoke GetProcAddress, rax, msgBoxA
  test rax, rax
  jz .exit
  mov [pMessageBoxA], rax

  ; Show original MessageBoxA
  invoke MessageBoxA, 0, origMessage, caption, MB_OK

  ; Save original bytes
  mov rsi, [pMessageBoxA]
  lea rdi, [origBytes]
  mov rcx, 14
  rep movsb

  ; Create trampoline function
  invoke VirtualAlloc, 0, 32, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE
  test rax, rax
  jz .exit
  mov [trampoline], rax

  ; Copy original bytes to trampoline
  mov rdi, rax
  lea rsi, [origBytes]
  mov rcx, 14
  rep movsb

  ; Add jump back to original function+14
  mov rax, [trampoline]
  add rax, 14
  mov rdi, rax
  mov byte [rdi],   0x48    ; mov rax, [pMessageBoxA+14]
  mov byte [rdi+1], 0xB8
  mov rax, [pMessageBoxA]
  add rax, 14
  mov [rdi+2], rax
  mov byte [rdi+10], 0xFF   ; jmp rax
  mov byte [rdi+11], 0xE0

  ; Prepare hook jump (14 bytes)
  lea rdi, [backupBytes]    ; Where we'll build our jump
  mov byte [rdi],   0x48    ; mov rax, hook_handler
  mov byte [rdi+1], 0xB8
  lea rax, [hook_handler]
  mov [rdi+2], rax
  mov byte [rdi+10], 0xFF   ; jmp rax
  mov byte [rdi+11], 0xE0

  ; Make MessageBoxA memory writable
  invoke GetCurrentProcess
  mov [hProcess], rax
  invoke VirtualProtect, [pMessageBoxA], 14, PAGE_EXECUTE_READWRITE, oldProtect
  test rax, rax
  jz .exit

  ; Write the hook using WriteProcessMemory
  invoke WriteProcessMemory, [hProcess], [pMessageBoxA], backupBytes, 14, bytesWritten
  test rax, rax
  jz .restore_and_exit

  ; Show hooked MessageBoxA
  invoke MessageBoxA, 0, origMessage, caption, MB_OK

.exit:
  invoke ExitProcess, 0

.restore_and_exit:
  ; Restore original bytes if hook failed
  invoke WriteProcessMemory, [hProcess], [pMessageBoxA], origBytes, 14, bytesWritten
  jmp .exit

hook_handler:
  ; Replace message with our hooked version
  lea rdx, [hookedMessage]  ; New text
  jmp [trampoline]          ; Jump to trampoline

section '.idata' import data readable
  library kernel32, 'kernel32.dll', \
          user32, 'user32.dll'

  import kernel32, \
         ExitProcess, 'ExitProcess', \
         LoadLibraryA, 'LoadLibraryA', \
         GetProcAddress, 'GetProcAddress', \
         VirtualAlloc, 'VirtualAlloc', \
         VirtualProtect, 'VirtualProtect', \
         WriteProcessMemory, 'WriteProcessMemory', \
         GetCurrentProcess, 'GetCurrentProcess'

  import user32, \
         MessageBoxA, 'MessageBoxA'

slzslz · 发表于 6 小时前

本帖最后由 slzslz 于 2025-7-7 10:46 编辑

[AppleScript] 纯文本查看 复制代码

format PE GUI at 0x400000
include 'win32a.inc'

section '.data' data readable writeable

_id             dd      ?
_message        db      "222",0
_caption        db      "111",0
_lib            db      "user32.dll",0
_proc           db      "MessageBoxA",0
_text           db      "Error",0
_addr           dd      ?
_bytes          rb      6
_patch:         push .hooked
                ret

section '.code' code readable executable

.hooked:
        invoke  Beep, 750, 300
        invoke  WriteProcessMemory, [_id], [_addr], _bytes, 6, 0   ;restore original bytes
        invoke  MessageBox, HWND_DESKTOP, _lib, _proc, MB_OK
        push    .ret_addr
        ret

entry $
        invoke  LoadLibrary, _lib
        or      eax, eax
        jz      .error
        invoke  GetProcAddress, eax, _proc
        or      eax, eax
        jz      .error
        mov     [_addr], eax
        invoke  GetCurrentProcess
        mov     [_id], eax
        invoke  ReadProcessMemory, [_id], [_addr], _bytes, 6, 0
        or      eax, eax
        jz      .error
        invoke  WriteProcessMemory, [_id], [_addr], _patch, 6, 0
        or      eax, eax
        jz      .exit
        invoke  MessageBox, HWND_DESKTOP, _caption, _message, MB_OK   ;after hooked
.ret_addr:
        invoke  MessageBox, HWND_DESKTOP, _caption, _message, MB_OK   ;after unhooked
        jmp     .exit
.error:
        invoke  MessageBox, HWND_DESKTOP, _text, _text, MB_OK or MB_ICONERROR
.exit:
        invoke  ExitProcess,0

section '.idata' import readable writable

 library kernel32, 'KERNEL32.DLL',\
         user32,'USER32.DLL'

 import kernel32,\
        WriteProcessMemory, 'WriteProcessMemory', \
        ExitProcess,'ExitProcess', \
        LoadLibrary, 'LoadLibraryA', \
        GetProcAddress, 'GetProcAddress', \
        GetCurrentProcess, 'GetCurrentProcess', \
        ReadProcessMemory, 'ReadProcessMemory', \
        Beep, 'Beep'


 import user32,\
        MessageBox, 'MessageBoxA'

这个是 X86的代码

[Asm] 纯文本查看 复制代码

format PE GUI at 0x400000
include 'win32a.inc'

section '.data' data readable writeable

_id             dd      ?
_message        db      "222",0
_caption        db      "111",0
_lib            db      "user32.dll",0
_proc           db      "MessageBoxA",0
_text           db      "Error",0
_addr           dd      ?
_bytes          rb      6
_patch:         push .hooked
                ret

section '.code' code readable executable

.hooked:
        invoke  Beep, 750, 300
        invoke  WriteProcessMemory, [_id], [_addr], _bytes, 6, 0   ;restore original bytes
        invoke  MessageBox, HWND_DESKTOP, _lib, _proc, MB_OK
        push    .ret_addr
        ret

entry $
        invoke  LoadLibrary, _lib
        or      eax, eax
        jz      .error
        invoke  GetProcAddress, eax, _proc
        or      eax, eax
        jz      .error
        mov     [_addr], eax
        invoke  GetCurrentProcess
        mov     [_id], eax
        invoke  ReadProcessMemory, [_id], [_addr], _bytes, 6, 0
        or      eax, eax
        jz      .error
        invoke  WriteProcessMemory, [_id], [_addr], _patch, 6, 0
        or      eax, eax
        jz      .exit
        invoke  MessageBox, HWND_DESKTOP, _caption, _message, MB_OK   ;after hooked
.ret_addr:
        invoke  MessageBox, HWND_DESKTOP, _caption, _message, MB_OK   ;after unhooked
        jmp     .exit
.error:
        invoke  MessageBox, HWND_DESKTOP, _text, _text, MB_OK or MB_ICONERROR
.exit:
        invoke  ExitProcess,0

section '.idata' import readable writable

 library kernel32, 'KERNEL32.DLL',\
         user32,'USER32.DLL'

 import kernel32,\
        WriteProcessMemory, 'WriteProcessMemory', \
        ExitProcess,'ExitProcess', \
        LoadLibrary, 'LoadLibraryA', \
        GetProcAddress, 'GetProcAddress', \
        GetCurrentProcess, 'GetCurrentProcess', \
        ReadProcessMemory, 'ReadProcessMemory', \
        Beep, 'Beep'


 import user32,\
        MessageBox, 'MessageBoxA'

zenix · 发表于 6 小时前

不错，先收藏了。

linxiansen · 发表于 4 小时前

PYG有你更精彩！

gujin162 · 发表于半小时前

感谢分享好东西。

		自动登录	找回密码
密码			加入我们

[原创] 用FASM X64 汇编代码 hook message box 并验证附源码

评分