"binish.or.kr", just one bit can change the world! 0 or 1

Removing SetWindowsHookEx hooks
Recommended: 241  Name: binish  Written: 2009-06-30 22:47:53  Views: 2,256
This method is probably already known to many people, but I will briefly summarize it again. Really briefly..

PTHREADINFO pti = NULL;

__asm
{
        mov eax, fs:[0x18] ; get address of TEB
        mov eax, [eax+0x40] ; get address of Win32ThreadInfo
        mov pti, eax ; okay!
}

After this, you hold the PTHREADINFO structure through the pti variable, right?
Since the functions hooked globally via SetWindowsHookEx() are registered directly in the pti->pDeskInfo->aphkStart[] array,
you can confirm this with an example like the one below.

What if aphkStart[ WH_KEYBOARD + 1 ] is not NULL?!
What if you set aphkStart[ WH_KEYBOARD + 1 ] to NULL?!

good luck!
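As an added illustration (not code from the post), here is the table walk the post alludes to, written as a read-only check that reports which hook types are installed instead of clearing slots. The WH_ values are the public SDK constants, which is why the slot index is idHook + 1 (WH_MIN is -1); the THREADINFO and DESKTOPINFO offsets in the Windows-only part are assumptions for 32-bit XP-era builds, and the sample table is constructed.

```c
#include <string.h>
/* Public hook ids. aphkStart[] is indexed by idHook - WH_MIN, which is why the
 * post reads aphkStart[WH_KEYBOARD + 1]: WH_MSGFILTER (-1) takes slot 0. */
#define WH_MIN         (-1)
#define WH_MAX         14
#define CWINHOOKS      (WH_MAX - WH_MIN + 1)      /* 16 slots */
#define WH_KEYBOARD    2
#define WH_KEYBOARD_LL 13
static const char *const hook_names[CWINHOOKS] = {
    "WH_MSGFILTER", "WH_JOURNALRECORD", "WH_JOURNALPLAYBACK", "WH_KEYBOARD",
    "WH_GETMESSAGE", "WH_CALLWNDPROC", "WH_CBT", "WH_SYSMSGFILTER", "WH_MOUSE",
    "WH_HARDWARE", "WH_DEBUG", "WH_SHELL", "WH_FOREGROUNDIDLE",
    "WH_CALLWNDPROCRET", "WH_KEYBOARD_LL", "WH_MOUSE_LL" };
int hook_slot(int idHook) { return idHook - WH_MIN; }

/* Record the name of every hook type whose PHOOK slot is non-NULL;
 * returns how many hook types are installed. */
int report_installed_hooks(void *const *aphkStart, const char **found)
{
    int n = 0;
    for (int i = 0; i < CWINHOOKS; i++)
        if (aphkStart[i] != NULL)
            found[n++] = hook_names[i];
    return n;
}

/* Constructed sample: a WH_KEYBOARD and a WH_KEYBOARD_LL hook are present. */
static const char *demo_found[CWINHOOKS];
int demo_installed_count(void)
{
    static int fake_hook[2];                 /* stand-ins for PHOOK objects */
    void *tbl[CWINHOOKS] = { 0 };
    tbl[hook_slot(WH_KEYBOARD)]    = &fake_hook[0];
    tbl[hook_slot(WH_KEYBOARD_LL)] = &fake_hook[1];
    return report_installed_hooks(tbl, demo_found);
}
const char *demo_hook_name(int k) { return demo_found[k]; }

#if defined(_MSC_VER) && defined(_M_IX86)
/* Assumed XP-era 32-bit layout: pDeskInfo at THREADINFO+0x34 (0x2c padding, ppi,
 * rpdesk, pDeskInfo, as in the struct above), aphkStart at DESKTOPINFO+0x10. */
void **desktop_hook_table(void)
{
    unsigned char *pti;
    __asm { mov eax, fs:[0x18]     ; TEB
            mov eax, [eax+0x40]    ; TEB->Win32ThreadInfo
            mov pti, eax }
    return (void **)(*(unsigned char **)(pti + 0x34) + 0x10);
}
#endif
```

On a live 32-bit build, pass desktop_hook_table() to report_installed_hooks() to list the global hooks of the current desktop.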

※ Reference (the PADDING(name, size) macro reserves `size` bytes of opaque data and CWINHOOKS is the number of hook slots; their definitions are not reproduced here)
typedef struct tagTHREADINFO
{
    //W32THREAD;
    //PTL ptl; // Listhead for thread lock list
    // W32THREAD and PTL are structures whose layout we do not know; with SoftICE's
    // help we learned their size, so we fill that space with this padding
    PADDING(padding1 , 0x2c);
    PVOID ppi; // process info struct for this thread
    // type is PPROCESSINFO
    PVOID rpdesk; // type is PDESKTOP
    PDESKTOPINFO pDeskInfo; // Desktop info visible to client
    // type is PDESKTOPINFO
    PCLIENTINFO pClientInfo; // Client info stored in TEB
    // type is PCLIENTINFO
    DWORD TIF_flags; // TIF_ flags go here.
    PUNICODE_STRING pstrAppName; // Application module name.
    PVOID psmsSent; // Most recent SMS this thread has sent
    // type is PSMS
    PVOID psmsCurrent; // Received SMS this thread is currently processing
    // type is PSMS
    PVOID psmsReceiveList; // SMSs to be processed
    // type is PSMS
    LONG timeLast; // Time, position, and ID of last message
    ULONG_PTR idLast;
    int cQuit;
    int exitCode;
    HDESK hdesk; // Desktop handle
    // HDESK
    int cPaintsReady;
    UINT cTimersReady;
    PVOID pMenuState; // type is PMENUSTATE
    union {
        PVOID ptdb; // Win16Task Schedule data for WOW thread
        // type is PTDB
        PVOID pwinsta; // Window station for SYSTEM thread
        // type is PWINDOWSTATION
    };
    PVOID psiiList; // thread DDEML instance list
    // type is PSVR_INSTANCE_INFO
    DWORD dwExpWinVer;
    DWORD dwCompatFlags; // The Win 3.1 Compat flags
    DWORD dwCompatFlags2; // new DWORD to extend compat flags for NT5+ features
    PVOID pqAttach; // calculation variable used in
    // type is PQ
    // zzzAttachThreadInput()

    PTHREADINFO ptiSibling; // pointer to sibling thread info

    PVOID pmsd; // type is PMOVESIZEDATA

    DWORD fsHooks; // WHF_ Flags for which hooks are installed

    PHOOK sphkCurrent; // Hook this thread is currently processing
    // type is PHOOK

    PVOID pSBTrack; // type is PSBTRACK

    HANDLE hEventQueueClient;
    PVOID pEventQueueServer; // type is PKEVENT
    PVOID PtiLink; // Link to other threads on desktop
    // type is LIST_ENTRY
    int iCursorLevel; // keep track of each thread's level

    PADDING(padding2 , 4);
    POINT ptLast;

    PWND spwndDefaultIme; // Default IME Window for this thread
    // type is PWND
    PVOID spDefaultImc; // Default input context for this thread
    // type is PIMC
    HANDLE hklPrev; // Previous active keyboard layout
    // type is HKL
    int cEnterCount;

    MLIST mlPost; // posted message list.
    USHORT fsChangeBitsRemoved;// Bits removed during PeekMessage
    WCHAR wchInjected; // character from last VK_PACKET
    DWORD fsReserveKeys; // Keys that must be sent to the active
    // active console window.
    PVOID *apEvent; // Wait array for xxxPollAndWaitForSingleObject
    // type is PKEVENT
    ACCESS_MASK amdesk; // Granted desktop access
    UINT cWindows; // Number of windows owned by this thread
    UINT cVisWindows; // Number of visible windows on this thread

    PHOOK aphkStart[CWINHOOKS]; // Hooks registered for this thread
    // type is PHOOK
    BYTE cti; // Use this when no desktop is available
    // type is CLIENTTHREADINFO

} THREADINFO, *PTHREADINFO;
binish   2009-06-30 22:51:24
PHOOK aphkStart[CWINHOOKS] <---- the important array