Bonjour,
j'ai ecrit une dll que j'injecte dans IE ou firefox pour savoir l'host qu'il demande a charger afin de filtrer.
voici donc le code
#include <windows.h>
#include <fstream>
#include <stdio.h>
#include <winDNS.h>
using namespace std;
#pragma comment(lib,"dnsapi.lib")
#include "main.h"
ofstream ofile;
char dlldir[320];
HANDLE oDnsQuery;
BYTE *cDnsQuery;
FARPROC fpDnsQuery;
DNS_STATUS WINAPI hkDnsQuery(PCTSTR lpstrName,WORD wType, DWORD Options, PIP4_ARRAY pExtra, PDNS_RECORD *ppQueryResultsSet, PVOID *pReserved)
{
RetourFunc((BYTE*)fpDnsQuery,(BYTE*)oDnsQuery,5);
char * temp = new char[strlen(lpstrName)+1];
strcpy(temp,lpstrName);
add_log("Called: Option : %x, Type : %x (%s)", Options,wType, temp);
DNS_STATUS out = DnsQuery_W((PCWSTR)lpstrName, wType, Options, pExtra, ppQueryResultsSet, pReserved);
CustomDetourFunc((BYTE*)fpDnsQuery,(BYTE*)&hkDnsQuery,5,(BYTE*)cDnsQuery);
return out;
}
bool WINAPI DllMain(HMODULE hDll, DWORD dwReason, PVOID pvReserved)
{
if(dwReason == DLL_PROCESS_ATTACH)
{
DisableThreadLibraryCalls(hDll);
GetModuleFileName(hDll, dlldir, 512);
for(int i strlen(dlldir); i > 0; i--) { if(dlldir[i] '\\') { dlldir[i+1] = 0; break; } }
ofile.open(GetDirectoryFile("ttnlog.txt"), ios::app);
add_log("\n---------------------\nBig Brother Loaded...\n---------------------");
HMODULE hMod = LoadLibrary("Dnsapi.dll");
fpDnsQuery = GetProcAddress(hMod,"DnsQuery_W");
if(hMod!=NULL && fpDnsQuery!=NULL)
add_log("hMod and Farproc Found !\n");
cDnsQuery = (BYTE*)malloc(5+5);
oDnsQuery = CustomDetourFunc((BYTE*)fpDnsQuery,(BYTE*)&hkDnsQuery,5,(BYTE*)cDnsQuery);
return true;
}
else if(dwReason == DLL_PROCESS_DETACH)
{
add_log("---------------------\nBig Brother Exiting...\n---------------------\n");
if(ofile) { ofile.close(); }
}
return false;
}
char *GetDirectoryFile(char *filename)
{
static char path[320];
strcpy(path, dlldir);
strcat(path, filename);
return path;
}
void *DetourFunc(BYTE *src, const BYTE *dst, const int len)
{
BYTE *jmp = (BYTE*)malloc(len+5);
DWORD dwback;
VirtualProtect(src, len, PAGE_READWRITE, &dwback);
memcpy(jmp, src, len); jmp += len;
jmp[0] = 0xE9;
*(DWORD*)(jmp+1) = (DWORD)(src+len - jmp) - 5;
src[0] = 0xE9;
*(DWORD*)(src+1) = (DWORD)(dst - src) - 5;
VirtualProtect(src, len, dwback, &dwback);
return (jmp-len);
}
void *CustomDetourFunc(BYTE *src, BYTE *dst, const int len, BYTE *jmp)
{
DWORD dwback;
VirtualProtect(src, len, PAGE_READWRITE, &dwback);
memcpy(jmp, src, len); jmp += len;
jmp[0] = 0xE9;
*(DWORD*)(jmp+1) = (DWORD)(src+len - jmp) - 5;
src[0] = 0xE9;
*(DWORD*)(src+1) = (DWORD)(dst - src) - 5;
VirtualProtect(src, len, dwback, &dwback);
return (jmp-len);
}
bool RetourFunc(BYTE *src, BYTE *restore, const int len)
{
DWORD dwback;
if(!VirtualProtect(src, len, PAGE_READWRITE, &dwback)) { return false; }
if(!memcpy(src, restore, len)) { return false; }
restore[0] = 0xE9;
*(DWORD*)(restore+1) = (DWORD)(src - restore) - 5;
if(!VirtualProtect(src, len, dwback, &dwback)) { return false; }
return true;
}
void __cdecl add_log (const char *fmt, ...)
{
if(ofile != NULL)
{
if(!fmt) { return; }
va_list va_alist;
char logbuf[256] = {0};
va_start (va_alist, fmt);
_vsnprintf (logbuf+strlen(logbuf), sizeof(logbuf) - strlen(logbuf), fmt, va_alist);
va_end (va_alist);
ofile << logbuf << endl;
}
}
l'injection se passe tres bien.
j'espere donc que le lpstrName que je vais logger ressemblera a "google.fr" ou un truc dans le genre, mais le probleme c'est que je ne recupere que sa :
Called: Option : 0, Type : 1 (w)
Called: Option : 0, Type : 1 (i)
Called: Option : 0, Type : 1 (p)
Called: Option : 0, Type : 1 (g)
Called: Option : 0, Type : 1 (r)
Called: Option : 0, Type : 1 (r)
Called: Option : 0, Type : 1 (b)
Called: Option : 0, Type : 1 (m)
donc le lpstrName de DnsQuery appelé par l'application n'aurait qu'une lettre ?
Je n'utilise pas la bonne fonction ? ou j'ai une erreur dans le code ?
Merci d'avance de m'éclairer
Afficher la suite