Api Hook 例程
#include "windows.h"
// Address of the IAT slot ApiHook() last touched; DllMain() writes OldProc back
// through this pointer on detach, so it must point at the patched slot.
// The slot is treated as a DWORD: this listing assumes a 32-bit image.
DWORD* lpAddr;
// Address of the real export (resolved with GetProcAddress() in DllMain());
// ApiHook() matches IAT slots against it and DllMain() restores it on detach.
PROC OldProc;
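// Replacement for kernel32!TerminateProcess, written into the IAT by ApiHook().
//
// The prototype must match the export it replaces exactly: TerminateProcess is
// `BOOL WINAPI TerminateProcess(HANDLE, UINT)`, i.e. stdcall on x86, where the
// callee pops its two arguments.  Declaring the replacement with the default
// (cdecl) convention leaves 8 bytes on the caller's stack on every call through
// the patched slot.
//
// hProcess, uExitCode  ignored: the call is swallowed rather than forwarded to
//                      the original.
// Returns FALSE after showing the message box.
BOOL WINAPI MyTerminateProcess(HANDLE hProcess, UINT uExitCode)
{
    (void)hProcess;
    (void)uExitCode;
    MessageBox(NULL, "硬不起来了把", "API HOOK", 0);
    return FALSE;
}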
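// Walk the import address table (IAT) of the host executable and replace every
// slot that currently holds OldFunAddr with NewFunAddr.
//
// DllName     name of the DLL exporting the function.  Not used for matching:
//             slots are compared by resolved address, which also catches imports
//             that reach the same export through another descriptor.
// OldFunAddr  resolved address of the export to hook (from GetProcAddress).
// NewFunAddr  address of the replacement; its prototype and calling convention
//             must match the original's exactly.
//
// Returns the number of IAT slots patched, or -1 when the image has no import
// directory.  When at least one slot is patched, the global lpAddr points at
// the last patched slot so that DllMain() can write OldProc back on detach;
// lpAddr is left untouched when nothing matched.
//
// Assumes a 32-bit image: headers are read as IMAGE_NT_HEADERS32 and each IAT
// slot is treated as a DWORD.
int ApiHook(char *DllName,
            PROC OldFunAddr,
            PROC NewFunAddr)
{
    (void)DllName;
    int patched = 0;

    // Base of the executable that loaded this DLL; the PE headers start there.
    BYTE *lpBase = (BYTE *)GetModuleHandle(NULL);
    if (lpBase == NULL)
        return -1;

    IMAGE_DOS_HEADER *dosHeader = (IMAGE_DOS_HEADER *)lpBase;
    IMAGE_NT_HEADERS32 *ntHeader = (IMAGE_NT_HEADERS32 *)(lpBase + dosHeader->e_lfanew);

    // An image without an import directory has VirtualAddress == 0; without this
    // check the DOS header itself would be read as an IMAGE_IMPORT_DESCRIPTOR.
    DWORD importRva = ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (importRva == 0)
        return -1;

    IMAGE_IMPORT_DESCRIPTOR *pImportDesc = (IMAGE_IMPORT_DESCRIPTOR *)(lpBase + importRva);

    // One descriptor per imported DLL; the array ends with an all-zero entry.
    for (; pImportDesc->FirstThunk != 0; pImportDesc++) {
        char *pszDllName = (char *)(lpBase + pImportDesc->Name);
        // Debug output kept from the listing.
        MessageBox(NULL, pszDllName, "Output", MB_OK);

        // FirstThunk points at this DLL's slice of the IAT: the resolved addresses.
        IMAGE_THUNK_DATA *pThunk = (IMAGE_THUNK_DATA *)(lpBase + pImportDesc->FirstThunk);
        for (; pThunk->u1.Function != 0; pThunk++) {
            // Iterate with a local.  Writing the global on every slot would leave
            // lpAddr pointing at the last slot visited rather than the patched one,
            // and DllMain() would then restore OldProc into an unrelated import.
            DWORD *slot = (DWORD *)&pThunk->u1.Function;
            if (*slot != (DWORD)OldFunAddr)
                continue;

            DWORD dwOldProtect;
            // IAT pages are normally read-only; make this slot writable first and
            // skip it if that is refused rather than writing blindly.
            if (!VirtualProtect(slot, sizeof(DWORD), PAGE_READWRITE, &dwOldProtect))
                continue;
            DWORD newAddr = (DWORD)NewFunAddr;
            if (WriteProcessMemory(GetCurrentProcess(), slot, &newAddr, sizeof(DWORD), NULL)) {
                lpAddr = slot;
                patched++;
                MessageBox(NULL, "FindIt", "", MB_OK);
            }
            // Put the previous protection back so the IAT page is not left writable.
            VirtualProtect(slot, sizeof(DWORD), dwOldProtect, &dwOldProtect);
        }
    }
    return patched;
}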
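extern "C" {
// DLL entry point: installs the TerminateProcess IAT hook when the DLL is mapped
// into the process and removes it when the DLL is unloaded.
//
// Only DLL_PROCESS_ATTACH and DLL_PROCESS_DETACH are acted on.  Thread
// notifications are ignored on purpose: hooking on DLL_THREAD_ATTACH would
// re-walk the IAT (message boxes included) for every new thread, and unhooking
// on DLL_THREAD_DETACH would tear the hook down as soon as any thread exits.
//
// hModule, lpReserved  unused.
// Returns FALSE from DLL_PROCESS_ATTACH if TerminateProcess cannot be resolved,
// which makes the loader fail the load; TRUE otherwise.
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;

    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        // Resolve the real export; ApiHook() matches IAT slots on this address.
        OldProc = (PROC)GetProcAddress(GetModuleHandle("Kernel32"), "TerminateProcess");
        if (OldProc == NULL) {
            // NOTE: MessageBox from DllMain runs under the loader lock; kept from the listing.
            MessageBox(NULL, "FAILED", "", MB_OK);
            return FALSE;
        }
        ApiHook((char *)"kernel32.dll", OldProc, (PROC)MyTerminateProcess);
        break;

    case DLL_PROCESS_DETACH:
        // Restore the original entry only when a slot address has been recorded.
        // The restore relies on lpAddr pointing at the slot ApiHook() patched.
        if (lpAddr != NULL && OldProc != NULL) {
            DWORD dwOldProtect;
            VirtualProtect(lpAddr, sizeof(DWORD), PAGE_READWRITE, &dwOldProtect);
            WriteProcessMemory(GetCurrentProcess(), lpAddr, &OldProc, sizeof(DWORD), NULL);
            VirtualProtect(lpAddr, sizeof(DWORD), dwOldProtect, &dwOldProtect);
            lpAddr = NULL;
        }
        break;

    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    default:
        break;
    }
    return TRUE;
}
}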
// Address of the IAT slot ApiHook() last touched; DllMain() writes OldProc back
// through this pointer on detach, so it must point at the patched slot.
// The slot is treated as a DWORD: this listing assumes a 32-bit image.
DWORD* lpAddr;
// Address of the real export (resolved with GetProcAddress() in DllMain());
// ApiHook() matches IAT slots against it and DllMain() restores it on detach.
PROC OldProc;
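// Replacement for kernel32!TerminateProcess, written into the IAT by ApiHook().
//
// The prototype must match the export it replaces exactly: TerminateProcess is
// `BOOL WINAPI TerminateProcess(HANDLE, UINT)`, i.e. stdcall on x86, where the
// callee pops its two arguments.  Declaring the replacement with the default
// (cdecl) convention leaves 8 bytes on the caller's stack on every call through
// the patched slot.
//
// hProcess, uExitCode  ignored: the call is swallowed rather than forwarded to
//                      the original.
// Returns FALSE after showing the message box.
BOOL WINAPI MyTerminateProcess(HANDLE hProcess, UINT uExitCode)
{
    (void)hProcess;
    (void)uExitCode;
    MessageBox(NULL, "硬不起来了把", "API HOOK", 0);
    return FALSE;
}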
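// Walk the import address table (IAT) of the host executable and replace every
// slot that currently holds OldFunAddr with NewFunAddr.
//
// DllName     name of the DLL exporting the function.  Not used for matching:
//             slots are compared by resolved address, which also catches imports
//             that reach the same export through another descriptor.
// OldFunAddr  resolved address of the export to hook (from GetProcAddress).
// NewFunAddr  address of the replacement; its prototype and calling convention
//             must match the original's exactly.
//
// Returns the number of IAT slots patched, or -1 when the image has no import
// directory.  When at least one slot is patched, the global lpAddr points at
// the last patched slot so that DllMain() can write OldProc back on detach;
// lpAddr is left untouched when nothing matched.
//
// Assumes a 32-bit image: headers are read as IMAGE_NT_HEADERS32 and each IAT
// slot is treated as a DWORD.
int ApiHook(char *DllName,
            PROC OldFunAddr,
            PROC NewFunAddr)
{
    (void)DllName;
    int patched = 0;

    // Base of the executable that loaded this DLL; the PE headers start there.
    BYTE *lpBase = (BYTE *)GetModuleHandle(NULL);
    if (lpBase == NULL)
        return -1;

    IMAGE_DOS_HEADER *dosHeader = (IMAGE_DOS_HEADER *)lpBase;
    IMAGE_NT_HEADERS32 *ntHeader = (IMAGE_NT_HEADERS32 *)(lpBase + dosHeader->e_lfanew);

    // An image without an import directory has VirtualAddress == 0; without this
    // check the DOS header itself would be read as an IMAGE_IMPORT_DESCRIPTOR.
    DWORD importRva = ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (importRva == 0)
        return -1;

    IMAGE_IMPORT_DESCRIPTOR *pImportDesc = (IMAGE_IMPORT_DESCRIPTOR *)(lpBase + importRva);

    // One descriptor per imported DLL; the array ends with an all-zero entry.
    for (; pImportDesc->FirstThunk != 0; pImportDesc++) {
        char *pszDllName = (char *)(lpBase + pImportDesc->Name);
        // Debug output kept from the listing.
        MessageBox(NULL, pszDllName, "Output", MB_OK);

        // FirstThunk points at this DLL's slice of the IAT: the resolved addresses.
        IMAGE_THUNK_DATA *pThunk = (IMAGE_THUNK_DATA *)(lpBase + pImportDesc->FirstThunk);
        for (; pThunk->u1.Function != 0; pThunk++) {
            // Iterate with a local.  Writing the global on every slot would leave
            // lpAddr pointing at the last slot visited rather than the patched one,
            // and DllMain() would then restore OldProc into an unrelated import.
            DWORD *slot = (DWORD *)&pThunk->u1.Function;
            if (*slot != (DWORD)OldFunAddr)
                continue;

            DWORD dwOldProtect;
            // IAT pages are normally read-only; make this slot writable first and
            // skip it if that is refused rather than writing blindly.
            if (!VirtualProtect(slot, sizeof(DWORD), PAGE_READWRITE, &dwOldProtect))
                continue;
            DWORD newAddr = (DWORD)NewFunAddr;
            if (WriteProcessMemory(GetCurrentProcess(), slot, &newAddr, sizeof(DWORD), NULL)) {
                lpAddr = slot;
                patched++;
                MessageBox(NULL, "FindIt", "", MB_OK);
            }
            // Put the previous protection back so the IAT page is not left writable.
            VirtualProtect(slot, sizeof(DWORD), dwOldProtect, &dwOldProtect);
        }
    }
    return patched;
}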
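extern "C" {
// DLL entry point: installs the TerminateProcess IAT hook when the DLL is mapped
// into the process and removes it when the DLL is unloaded.
//
// Only DLL_PROCESS_ATTACH and DLL_PROCESS_DETACH are acted on.  Thread
// notifications are ignored on purpose: hooking on DLL_THREAD_ATTACH would
// re-walk the IAT (message boxes included) for every new thread, and unhooking
// on DLL_THREAD_DETACH would tear the hook down as soon as any thread exits.
//
// hModule, lpReserved  unused.
// Returns FALSE from DLL_PROCESS_ATTACH if TerminateProcess cannot be resolved,
// which makes the loader fail the load; TRUE otherwise.
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;

    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        // Resolve the real export; ApiHook() matches IAT slots on this address.
        OldProc = (PROC)GetProcAddress(GetModuleHandle("Kernel32"), "TerminateProcess");
        if (OldProc == NULL) {
            // NOTE: MessageBox from DllMain runs under the loader lock; kept from the listing.
            MessageBox(NULL, "FAILED", "", MB_OK);
            return FALSE;
        }
        ApiHook((char *)"kernel32.dll", OldProc, (PROC)MyTerminateProcess);
        break;

    case DLL_PROCESS_DETACH:
        // Restore the original entry only when a slot address has been recorded.
        // The restore relies on lpAddr pointing at the slot ApiHook() patched.
        if (lpAddr != NULL && OldProc != NULL) {
            DWORD dwOldProtect;
            VirtualProtect(lpAddr, sizeof(DWORD), PAGE_READWRITE, &dwOldProtect);
            WriteProcessMemory(GetCurrentProcess(), lpAddr, &OldProc, sizeof(DWORD), NULL);
            VirtualProtect(lpAddr, sizeof(DWORD), dwOldProtect, &dwOldProtect);
            lpAddr = NULL;
        }
        break;

    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    default:
        break;
    }
    return TRUE;
}
}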