Windows 下 API hook 和 Windows hook 应用区别
2016-10-08 17:21
http://wenku.baidu.com/view/0946ce1155270722192ef74f.html
demo1
#include "stdafx.h"
#include <Windows.h>
#include <dbghelp.h>
#pragma comment( lib, "dbghelp.lib")
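// Redirects one import of hmodCaller: scans its import table for the
// pszCalleeModName entry whose IAT slot currently holds pfnCurent and
// stores pfnNew there instead.
//
// pszCalleeModName  name of the imported DLL (compared case-insensitively)
// pfnCurent         value the IAT slot holds now (the real export)
// pfnNew            value to store in the slot
// hmodCaller        base of the loaded image whose IAT is patched
//
// Returns the previous slot value, or 0 if the image has no import
// directory, does not import pszCalleeModName, the slot is not found, or
// the slot's page could not be made writable.
// The return type is widened from ULONG to ULONG_PTR so a 64-bit pointer
// is not truncated; callers that cast the result to PROC are unaffected.
ULONG_PTR ReplaceIATEntryInOneMod( PCSTR pszCalleeModName,
    PROC pfnCurent, PROC pfnNew, HMODULE hmodCaller)
{
    ULONG ulSize = 0;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)
        ImageDirectoryEntryToData( hmodCaller, TRUE,
            IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize );
    if ( NULL == pImportDesc )
        return 0;   // no import directory (or the lookup failed)

    // One descriptor per imported DLL; the list ends with a zero Name RVA.
    for ( ; pImportDesc->Name; pImportDesc++ )
    {
        PCSTR pszModName = (PCSTR)((PBYTE) hmodCaller + pImportDesc->Name );
        if ( 0 == lstrcmpiA( pszModName, pszCalleeModName ) )
            break;
    }
    if ( 0 == pImportDesc->Name )
        return 0;   // hmodCaller does not import pszCalleeModName

    // FirstThunk is this DLL's IAT: one pointer-sized slot per import,
    // terminated by a zero slot.
    PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)
        ((PBYTE) hmodCaller + pImportDesc->FirstThunk );
    for ( ; pThunk->u1.Function; pThunk++ )
    {
        PROC *ppfn = (PROC *)&pThunk->u1.Function;
        if ( *ppfn != pfnCurent )
            continue;

        // Make the IAT slot itself writable. The original changed the
        // protection of pfnCurent's code page instead (leaving that page
        // without execute) and then "restored" it onto the IAT page.
        DWORD dwOldProtect = 0;
        if ( !VirtualProtect( ppfn, sizeof(PROC), PAGE_READWRITE, &dwOldProtect ) )
            return 0;

        // Read the old value into a pointer-sized local; the original read
        // sizeof(PROC) bytes into a ULONG, which overflows on 64-bit builds.
        PROC pfnOld = *ppfn;
        *ppfn = pfnNew;

        // lpflOldProtect is required; passing NULL makes VirtualProtect fail
        // and would leave the slot writable.
        DWORD dwRestored = 0;
        VirtualProtect( ppfn, sizeof(PROC), dwOldProtect, &dwRestored );
        return (ULONG_PTR)pfnOld;
    }
    return 0;   // pfnCurent is not in this DLL's IAT
}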
// Signature of MessageBoxW, used to call the saved original through g_Proc.
typedef int(
WINAPI
*PMyMessageBoxW)(
__in_opt HWND hWnd,
__in_opt LPCWSTR lpText,
__in_opt LPCWSTR lpCaption,
__in UINT uType);
// Previous IAT slot value (the real MessageBoxW) stored by _tmain after the
// hook is installed; NULL until then.
PROC g_Proc = NULL;
// Replacement for MessageBoxW installed into this module's IAT: writes the
// text and caption to stdout, then forwards the call unchanged to the real
// MessageBoxW saved in g_Proc.
// Parameters and return value are those of MessageBoxW.
int
WINAPI
MyMessageBoxW(
    __in_opt HWND hWnd,
    __in_opt LPCWSTR lpText,
    __in_opt LPCWSTR lpCaption,
    __in UINT uType)
{
    // Observe only: log both strings, one per line.
    wprintf(L"%s\n", lpText);
    wprintf(L"%s\n", lpCaption);
    // Forward to the real function so the box is still shown.
    PMyMessageBoxW pfnReal = (PMyMessageBoxW)g_Proc;
    return pfnReal(hWnd, lpText, lpCaption, uType);
}
// Symbol placed at the load address of this image; its address is this
// module's HMODULE and is passed to ReplaceIATEntryInOneMod below.
extern "C" IMAGE_DOS_HEADER __ImageBase;
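// Entry point: hooks MessageBoxW in this module's own IAT, then calls it
// once so the replacement runs. Returns 1 if the hook could not be installed.
int _tmain(int argc, _TCHAR* argv[])
{
    // (PROC)MessageBoxW is compared against the IAT slot value; presumably
    // the SDK's dllimport declaration makes this read the slot itself.
    g_Proc = (PROC)ReplaceIATEntryInOneMod(
        "user32.dll",
        (PROC)MessageBoxW,
        (PROC)MyMessageBoxW,
        (HMODULE)&__ImageBase);
    if ( NULL == g_Proc )
    {
        // 0 means user32 is not imported, the slot was not found, or the
        // page could not be made writable; the original went on to call
        // through a NULL g_Proc.
        wprintf(L"hook install failed\n");
        return 1;
    }
    MessageBoxW(NULL, L"TEST", L"HOOK", MB_OK );
    return 0;
}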
demo2
// hooktest.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <Windows.h>
// Defined after _tmain below: replaces the IAT slot of hHookModule, imported
// from szDllName, that holds uHookFunAddr with uNewFundAddr and returns the
// previous value (NULL on failure). The parameter names differ from the
// definition; the types are the same.
PROC install_api_hook(
HMODULE hHookModule,
const char * szDllName,
PROC uHookFunAddr,
PROC uNewFundAddr
);
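// Reports whether any IAT slot of hModule currently holds FunctionAddress.
//
// hModule          base address of a loaded PE image
// FunctionAddress  slot value to look for (widened from ULONG so a 64-bit
//                  pointer is compared in full; the caller already passes
//                  ULONG_PTR)
//
// Returns TRUE on the first match, FALSE if the image is not a PE image,
// has no import directory, or no slot matches. Walks the image headers in
// memory directly, so hModule must be a mapped image.
BOOL TestFunctionInIAT( HMODULE hModule, ULONG_PTR FunctionAddress )
{
    unsigned char *pBaseAddr = reinterpret_cast<unsigned char *>(hModule);
    if ( NULL == pBaseAddr )
        return FALSE;

    // DOS header -> NT headers -> optional header -> import directory.
    PIMAGE_DOS_HEADER pDosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(pBaseAddr);
    if ( pDosHeader->e_magic != IMAGE_DOS_SIGNATURE )
        return FALSE;
    PIMAGE_NT_HEADERS pNtHeader = reinterpret_cast<PIMAGE_NT_HEADERS>(
        pBaseAddr + pDosHeader->e_lfanew );
    if ( pNtHeader->Signature != IMAGE_NT_SIGNATURE )
        return FALSE;
    PIMAGE_DATA_DIRECTORY pImportDir =
        &pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    // An image without imports has a zero RVA here; the original would then
    // have parsed the DOS header itself as an import descriptor.
    if ( 0 == pImportDir->VirtualAddress )
        return FALSE;

    // One IMAGE_IMPORT_DESCRIPTOR per imported DLL, terminated by Name == 0.
    PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor = reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(
        pBaseAddr + pImportDir->VirtualAddress );
    for ( ; pImportDescriptor->Name != 0; ++pImportDescriptor )
    {
        // FirstThunk is this DLL's IAT: pointer-sized slots ending with 0.
        PIMAGE_THUNK_DATA pThunkData = reinterpret_cast<PIMAGE_THUNK_DATA>(
            pBaseAddr + pImportDescriptor->FirstThunk);
        for ( ; pThunkData->u1.Function != 0; ++pThunkData )
        {
            // Compare the whole slot; the original read it through ULONG*,
            // which only sees the low 32 bits on 64-bit builds.
            if ( static_cast<ULONG_PTR>(pThunkData->u1.Function) == FunctionAddress )
                return TRUE;    // the original kept scanning the remaining DLLs
        }
    }
    return FALSE;
}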
// Previous IAT slot value (the real CreateProcessW) stored by _tmain after
// install_api_hook succeeds; NULL until then.
PROC g_CreateFunc = NULL;
// Signature of CreateProcessW, used to call the real function through
// g_CreateFunc.
typedef BOOL (WINAPI *PCreateProcessW)(
__in_opt LPCWSTR lpApplicationName,
__inout_opt LPWSTR lpCommandLine,
__in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
__in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in BOOL bInheritHandles,
__in DWORD dwCreationFlags,
__in_opt LPVOID lpEnvironment,
__in_opt LPCWSTR lpCurrentDirectory,
__in LPSTARTUPINFOW lpStartupInfo,
__out LPPROCESS_INFORMATION lpProcessInformation);
// IAT replacement for CreateProcessW: shows the command line in a message
// box, then forwards every argument to the real CreateProcessW saved in
// g_CreateFunc and returns whatever it returns.
// Parameters and return value are exactly those of CreateProcessW.
BOOL WINAPI MyCreateProcessW(
    __in_opt LPCWSTR lpApplicationName,
    __inout_opt LPWSTR lpCommandLine,
    __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
    __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
    __in BOOL bInheritHandles,
    __in DWORD dwCreationFlags,
    __in_opt LPVOID lpEnvironment,
    __in_opt LPCWSTR lpCurrentDirectory,
    __in LPSTARTUPINFOW lpStartupInfo,
    __out LPPROCESS_INFORMATION lpProcessInformation)
{
    // Observe only; the arguments are passed through untouched.
    MessageBoxW(NULL, lpCommandLine, L"CreateProcessW", MB_OK);
    PCreateProcessW pfnReal = (PCreateProcessW)g_CreateFunc;
    BOOL bResult = pfnReal(lpApplicationName, lpCommandLine,
                           lpProcessAttributes, lpThreadAttributes,
                           bInheritHandles, dwCreationFlags,
                           lpEnvironment, lpCurrentDirectory,
                           lpStartupInfo, lpProcessInformation);
    return bResult;
}
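// Entry point: locates this module, checks that CreateProcessW's address is
// in its IAT, installs the IAT hook, then launches notepad.exe through the
// (now hooked) import. Returns 1 if the module lookup, the hook, or the
// launch fails.
int _tmain(int argc, _TCHAR* argv[])
{
    HMODULE hModule = NULL;
    // FROM_ADDRESS resolves the module containing TestFunctionInIAT, i.e.
    // this executable, without naming it.
    if ( !GetModuleHandleEx(
            GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS,
            (LPCTSTR)TestFunctionInIAT,
            &hModule) )
    {
        printf("GetModuleHandleEx failed: %lu\n", GetLastError());
        return 1;
    }
    BOOL bReturn = TestFunctionInIAT( hModule , (ULONG_PTR)CreateProcessW );
    if ( bReturn )
    {
        printf("Found address CreateProcessW!\n");
    }
    else
    {
        printf("found failed!\n");
    }
    g_CreateFunc = install_api_hook(hModule, "kernel32.dll", (PROC)CreateProcessW, (PROC)MyCreateProcessW);
    if ( NULL == g_CreateFunc )
    {
        // Without a saved original the hook function would call NULL.
        printf("install_api_hook failed\n");
        return 1;
    }
    // Writable buffer: CreateProcessW may modify lpCommandLine.
    wchar_t szProcessName[] = L"notepad.exe";
    STARTUPINFO si = {sizeof(si)};
    PROCESS_INFORMATION pi = {0};
    if ( !CreateProcessW(NULL, szProcessName, NULL, NULL, FALSE, 0,
                         NULL, NULL, &si, &pi) )
    {
        printf("CreateProcessW failed: %lu\n", GetLastError());
        return 1;
    }
    // We do not wait on the child; release the handles it returned.
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}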
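// Patches one IAT slot of hHookModule: the entry imported from szDllName
// that currently holds pfnHookFunAddr is overwritten with pfnNewFundAddr.
//
// hHookModule     base of the loaded image whose IAT is patched
// szDllName       imported DLL name, compared case-insensitively
// pfnHookFunAddr  value the slot holds now (the real export)
// pfnNewFundAddr  value to put in the slot
//
// Returns the previous slot value, or NULL if the image has no import
// directory, does not import szDllName, no slot holds pfnHookFunAddr, or
// the slot's page could not be made writable.
PROC install_api_hook(
    HMODULE hHookModule,
    const char * szDllName,
    PROC pfnHookFunAddr,
    PROC pfnNewFundAddr
    )
{
    unsigned char *pBaseAddr = reinterpret_cast<unsigned char *>(hHookModule);
    if ( NULL == pBaseAddr )
        return NULL;

    // DOS header -> NT headers -> optional header -> import directory.
    PIMAGE_DOS_HEADER pDosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(pBaseAddr);
    PIMAGE_NT_HEADERS pNtHeader = reinterpret_cast<PIMAGE_NT_HEADERS>(
        pBaseAddr + pDosHeader->e_lfanew );
    PIMAGE_DATA_DIRECTORY pImportDir =
        &pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    // A zero RVA means no import table; the original would then have parsed
    // the DOS header itself as an import descriptor.
    if ( 0 == pImportDir->VirtualAddress )
        return NULL;

    // Find the descriptor for szDllName; the list ends with Name == 0.
    PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor = reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(
        pBaseAddr + pImportDir->VirtualAddress );
    for ( ; pImportDescriptor->Name; ++pImportDescriptor )
    {
        const char* pszModName =
            reinterpret_cast<const char*>(pBaseAddr + pImportDescriptor->Name);
        if ( 0 == lstrcmpiA( pszModName, szDllName ) )
            break;
    }
    if ( 0 == pImportDescriptor->Name )
        return NULL;

    // Walk this DLL's IAT (FirstThunk) to the matching slot. The original
    // while-loop never advanced pThunkData, so it spun forever unless the
    // very first slot matched.
    PIMAGE_THUNK_DATA pThunkData = reinterpret_cast<PIMAGE_THUNK_DATA>(
        pBaseAddr + pImportDescriptor->FirstThunk);
    for ( ; pThunkData->u1.Function != 0; ++pThunkData )
    {
        PROC *ppFunc = reinterpret_cast<PROC*>(&pThunkData->u1.Function);
        if ( *ppFunc != pfnHookFunAddr )
            continue;

        // The IAT page is typically read-only once loading is done, so make
        // the slot writable for the store and put the protection back.
        DWORD dwOldProtect = 0;
        if ( !VirtualProtect( ppFunc, sizeof(PROC), PAGE_READWRITE, &dwOldProtect ) )
            return NULL;
        PROC pOrigFunc = *ppFunc;
        *ppFunc = pfnNewFundAddr;
        // lpflOldProtect is required; the original passed NULL, which makes
        // VirtualProtect fail and leaves the slot writable.
        DWORD dwRestored = 0;
        VirtualProtect( ppFunc, sizeof(PROC), dwOldProtect, &dwRestored );
        return pOrigFunc;
    }
    return NULL;
}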
//demo3
// JmpHook.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <windows.h>
// Copy of the first 5 bytes of the hooked function (the bytes the JMP
// overwrites), filled by set_hook and written back by restore_hook. Only 5
// of the 6 slots are used.
unsigned char g_StubCode[6] = {0x0};
// Address of the real CreateProcessW, resolved in _tmain via GetProcAddress.
PROC g_CreateFunc = 0;
// Writes the saved original bytes back over the JMP at pfnOrigAddr.
void restore_hook(PROC pfnOrigAddr);
// Saves the first 5 bytes of pfnOrigAddr and replaces them with a JMP to
// pfnNewAddr.
void set_hook(PROC pfnOrigAddr, PROC pfnNewAddr );
// Signature of CreateProcessW, used to call the real function through
// g_CreateFunc.
typedef BOOL (WINAPI *PCreateProcessW)(
__in_opt LPCWSTR lpApplicationName,
__inout_opt LPWSTR lpCommandLine,
__in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
__in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in BOOL bInheritHandles,
__in DWORD dwCreationFlags,
__in_opt LPVOID lpEnvironment,
__in_opt LPCWSTR lpCurrentDirectory,
__in LPSTARTUPINFOW lpStartupInfo,
__out LPPROCESS_INFORMATION lpProcessInformation);
// Inline-hook replacement for CreateProcessW: removes the JMP patch so the
// real function can run, shows the command line, forwards the call, then
// re-installs the patch before returning.
// NOTE(review): between restore_hook and set_hook the patch is absent for
// every thread in the process, and a concurrent caller would race on the
// patched bytes; this demo is single-threaded.
// Parameters and return value are exactly those of CreateProcessW.
BOOL WINAPI MyCreateProcessW1(
    __in_opt LPCWSTR lpApplicationName,
    __inout_opt LPWSTR lpCommandLine,
    __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
    __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
    __in BOOL bInheritHandles,
    __in DWORD dwCreationFlags,
    __in_opt LPVOID lpEnvironment,
    __in_opt LPCWSTR lpCurrentDirectory,
    __in LPSTARTUPINFOW lpStartupInfo,
    __out LPPROCESS_INFORMATION lpProcessInformation)
{
    // Undo the 5-byte patch first; otherwise calling g_CreateFunc would
    // jump straight back into this function.
    restore_hook(g_CreateFunc);
    MessageBoxW(NULL, lpCommandLine, L"CreateProcessW", MB_OK);
    PCreateProcessW pfnReal = (PCreateProcessW)g_CreateFunc;
    BOOL bRetCode = pfnReal(lpApplicationName, lpCommandLine,
                            lpProcessAttributes, lpThreadAttributes,
                            bInheritHandles, dwCreationFlags,
                            lpEnvironment, lpCurrentDirectory,
                            lpStartupInfo, lpProcessInformation);
    // Put the patch back for the next call.
    set_hook(g_CreateFunc, (PROC)MyCreateProcessW1);
    return bRetCode;
}
// Overwrites the first 5 bytes of pfnOrigAddr with a relative JMP to
// pfnNewAddr, after saving the original bytes in g_StubCode so restore_hook
// can undo it.
// NOTE(review): the displacement is truncated to ULONG and must fit a
// 5-byte JMP, so this is a 32-bit (x86) demo; the code page is switched to
// PAGE_READWRITE (no execute) while it is patched; neither VirtualProtect
// result is checked; and the final VirtualProtect passes NULL for
// lpflOldProtect, which per its documentation makes the call fail, so the
// page is left PAGE_READWRITE.
void set_hook(PROC pfnOrigAddr, PROC pfnNewAddr )
{
unsigned char *pSrcAddr =
reinterpret_cast<unsigned char *>( pfnOrigAddr );
unsigned char *pDestAddr =
reinterpret_cast<unsigned char *>( pfnNewAddr );
// The displacement is relative to the end of the 5-byte instruction.
ULONG uOperand = static_cast<ULONG>
( pDestAddr - (pSrcAddr + 5) );
// Keep the bytes the JMP will replace.
CopyMemory(g_StubCode, pSrcAddr, 5);
DWORD dwOldProtect = 0;
VirtualProtect( pSrcAddr, 5, PAGE_READWRITE, &dwOldProtect );
// 0xE9 is the opcode; the next 4 bytes are the displacement.
unsigned char szJMPCode[5] = {0xE9};
CopyMemory(&szJMPCode[1], &uOperand, 4);
CopyMemory(pSrcAddr, szJMPCode, 5 );
VirtualProtect( pSrcAddr, 5, dwOldProtect, NULL );
}
// Writes the 5 bytes saved in g_StubCode back to pfnOrigAddr, removing the
// JMP that set_hook installed. Only meaningful after set_hook has run for
// the same address.
// NOTE(review): as in set_hook, the VirtualProtect results are unchecked and
// the final call passes NULL for lpflOldProtect, which per its
// documentation makes that call fail.
void restore_hook(PROC pfnOrigAddr)
{
unsigned char *pSrcAddr =
reinterpret_cast<unsigned char *>( pfnOrigAddr );
DWORD dwOldProtect = 0;
VirtualProtect( pSrcAddr, 5, PAGE_READWRITE, &dwOldProtect );
CopyMemory(pSrcAddr, g_StubCode, 5);
VirtualProtect( pSrcAddr, 5, dwOldProtect, NULL );
}
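// Entry point: resolves the real CreateProcessW, installs the 5-byte JMP
// hook on it, launches notepad.exe so the hook fires, then removes the hook.
// Returns 1 if the export cannot be resolved or the launch fails.
int _tmain(int argc, _TCHAR* argv[])
{
    g_CreateFunc = GetProcAddress(GetModuleHandle(L"kernel32.dll"),"CreateProcessW");
    if ( NULL == g_CreateFunc )
    {
        // set_hook would otherwise write the JMP to address 0.
        return 1;
    }
    set_hook(g_CreateFunc, (PROC)MyCreateProcessW1);
    // Writable buffer: CreateProcessW may modify lpCommandLine.
    wchar_t szProcessName[] = L"notepad.exe";
    STARTUPINFO si = {sizeof(si)};
    PROCESS_INFORMATION pi = {0};
    BOOL bOk = CreateProcessW(NULL, szProcessName, NULL, NULL, FALSE, 0,
                              NULL, NULL, &si, &pi);
    // MyCreateProcessW1 re-installs the patch after each call; take it out
    // before exit so kernel32 is left as it was found.
    restore_hook(g_CreateFunc);
    if ( !bOk )
        return 1;
    // We do not wait on the child; release the handles it returned.
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}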
demo1
#include "stdafx.h"
#include <Windows.h>
#include <dbghelp.h>
#pragma comment( lib, "dbghelp.lib")
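// Redirects one import of hmodCaller: scans its import table for the
// pszCalleeModName entry whose IAT slot currently holds pfnCurent and
// stores pfnNew there instead.
//
// pszCalleeModName  name of the imported DLL (compared case-insensitively)
// pfnCurent         value the IAT slot holds now (the real export)
// pfnNew            value to store in the slot
// hmodCaller        base of the loaded image whose IAT is patched
//
// Returns the previous slot value, or 0 if the image has no import
// directory, does not import pszCalleeModName, the slot is not found, or
// the slot's page could not be made writable.
// The return type is widened from ULONG to ULONG_PTR so a 64-bit pointer
// is not truncated; callers that cast the result to PROC are unaffected.
ULONG_PTR ReplaceIATEntryInOneMod( PCSTR pszCalleeModName,
    PROC pfnCurent, PROC pfnNew, HMODULE hmodCaller)
{
    ULONG ulSize = 0;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)
        ImageDirectoryEntryToData( hmodCaller, TRUE,
            IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize );
    if ( NULL == pImportDesc )
        return 0;   // no import directory (or the lookup failed)

    // One descriptor per imported DLL; the list ends with a zero Name RVA.
    for ( ; pImportDesc->Name; pImportDesc++ )
    {
        PCSTR pszModName = (PCSTR)((PBYTE) hmodCaller + pImportDesc->Name );
        if ( 0 == lstrcmpiA( pszModName, pszCalleeModName ) )
            break;
    }
    if ( 0 == pImportDesc->Name )
        return 0;   // hmodCaller does not import pszCalleeModName

    // FirstThunk is this DLL's IAT: one pointer-sized slot per import,
    // terminated by a zero slot.
    PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)
        ((PBYTE) hmodCaller + pImportDesc->FirstThunk );
    for ( ; pThunk->u1.Function; pThunk++ )
    {
        PROC *ppfn = (PROC *)&pThunk->u1.Function;
        if ( *ppfn != pfnCurent )
            continue;

        // Make the IAT slot itself writable. The original changed the
        // protection of pfnCurent's code page instead (leaving that page
        // without execute) and then "restored" it onto the IAT page.
        DWORD dwOldProtect = 0;
        if ( !VirtualProtect( ppfn, sizeof(PROC), PAGE_READWRITE, &dwOldProtect ) )
            return 0;

        // Read the old value into a pointer-sized local; the original read
        // sizeof(PROC) bytes into a ULONG, which overflows on 64-bit builds.
        PROC pfnOld = *ppfn;
        *ppfn = pfnNew;

        // lpflOldProtect is required; passing NULL makes VirtualProtect fail
        // and would leave the slot writable.
        DWORD dwRestored = 0;
        VirtualProtect( ppfn, sizeof(PROC), dwOldProtect, &dwRestored );
        return (ULONG_PTR)pfnOld;
    }
    return 0;   // pfnCurent is not in this DLL's IAT
}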
// Signature of MessageBoxW, used to call the saved original through g_Proc.
typedef int(
WINAPI
*PMyMessageBoxW)(
__in_opt HWND hWnd,
__in_opt LPCWSTR lpText,
__in_opt LPCWSTR lpCaption,
__in UINT uType);
// Previous IAT slot value (the real MessageBoxW) stored by _tmain after the
// hook is installed; NULL until then.
PROC g_Proc = NULL;
// Replacement for MessageBoxW installed into this module's IAT: writes the
// text and caption to stdout, then forwards the call unchanged to the real
// MessageBoxW saved in g_Proc.
// Parameters and return value are those of MessageBoxW.
int
WINAPI
MyMessageBoxW(
    __in_opt HWND hWnd,
    __in_opt LPCWSTR lpText,
    __in_opt LPCWSTR lpCaption,
    __in UINT uType)
{
    // Observe only: log both strings, one per line.
    wprintf(L"%s\n", lpText);
    wprintf(L"%s\n", lpCaption);
    // Forward to the real function so the box is still shown.
    PMyMessageBoxW pfnReal = (PMyMessageBoxW)g_Proc;
    return pfnReal(hWnd, lpText, lpCaption, uType);
}
// Symbol placed at the load address of this image; its address is this
// module's HMODULE and is passed to ReplaceIATEntryInOneMod below.
extern "C" IMAGE_DOS_HEADER __ImageBase;
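// Entry point: hooks MessageBoxW in this module's own IAT, then calls it
// once so the replacement runs. Returns 1 if the hook could not be installed.
int _tmain(int argc, _TCHAR* argv[])
{
    // (PROC)MessageBoxW is compared against the IAT slot value; presumably
    // the SDK's dllimport declaration makes this read the slot itself.
    g_Proc = (PROC)ReplaceIATEntryInOneMod(
        "user32.dll",
        (PROC)MessageBoxW,
        (PROC)MyMessageBoxW,
        (HMODULE)&__ImageBase);
    if ( NULL == g_Proc )
    {
        // 0 means user32 is not imported, the slot was not found, or the
        // page could not be made writable; the original went on to call
        // through a NULL g_Proc.
        wprintf(L"hook install failed\n");
        return 1;
    }
    MessageBoxW(NULL, L"TEST", L"HOOK", MB_OK );
    return 0;
}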
demo2
// hooktest.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <Windows.h>
// Defined after _tmain below: replaces the IAT slot of hHookModule, imported
// from szDllName, that holds uHookFunAddr with uNewFundAddr and returns the
// previous value (NULL on failure). The parameter names differ from the
// definition; the types are the same.
PROC install_api_hook(
HMODULE hHookModule,
const char * szDllName,
PROC uHookFunAddr,
PROC uNewFundAddr
);
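// Reports whether any IAT slot of hModule currently holds FunctionAddress.
//
// hModule          base address of a loaded PE image
// FunctionAddress  slot value to look for (widened from ULONG so a 64-bit
//                  pointer is compared in full; the caller already passes
//                  ULONG_PTR)
//
// Returns TRUE on the first match, FALSE if the image is not a PE image,
// has no import directory, or no slot matches. Walks the image headers in
// memory directly, so hModule must be a mapped image.
BOOL TestFunctionInIAT( HMODULE hModule, ULONG_PTR FunctionAddress )
{
    unsigned char *pBaseAddr = reinterpret_cast<unsigned char *>(hModule);
    if ( NULL == pBaseAddr )
        return FALSE;

    // DOS header -> NT headers -> optional header -> import directory.
    PIMAGE_DOS_HEADER pDosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(pBaseAddr);
    if ( pDosHeader->e_magic != IMAGE_DOS_SIGNATURE )
        return FALSE;
    PIMAGE_NT_HEADERS pNtHeader = reinterpret_cast<PIMAGE_NT_HEADERS>(
        pBaseAddr + pDosHeader->e_lfanew );
    if ( pNtHeader->Signature != IMAGE_NT_SIGNATURE )
        return FALSE;
    PIMAGE_DATA_DIRECTORY pImportDir =
        &pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    // An image without imports has a zero RVA here; the original would then
    // have parsed the DOS header itself as an import descriptor.
    if ( 0 == pImportDir->VirtualAddress )
        return FALSE;

    // One IMAGE_IMPORT_DESCRIPTOR per imported DLL, terminated by Name == 0.
    PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor = reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(
        pBaseAddr + pImportDir->VirtualAddress );
    for ( ; pImportDescriptor->Name != 0; ++pImportDescriptor )
    {
        // FirstThunk is this DLL's IAT: pointer-sized slots ending with 0.
        PIMAGE_THUNK_DATA pThunkData = reinterpret_cast<PIMAGE_THUNK_DATA>(
            pBaseAddr + pImportDescriptor->FirstThunk);
        for ( ; pThunkData->u1.Function != 0; ++pThunkData )
        {
            // Compare the whole slot; the original read it through ULONG*,
            // which only sees the low 32 bits on 64-bit builds.
            if ( static_cast<ULONG_PTR>(pThunkData->u1.Function) == FunctionAddress )
                return TRUE;    // the original kept scanning the remaining DLLs
        }
    }
    return FALSE;
}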
// Previous IAT slot value (the real CreateProcessW) stored by _tmain after
// install_api_hook succeeds; NULL until then.
PROC g_CreateFunc = NULL;
// Signature of CreateProcessW, used to call the real function through
// g_CreateFunc.
typedef BOOL (WINAPI *PCreateProcessW)(
__in_opt LPCWSTR lpApplicationName,
__inout_opt LPWSTR lpCommandLine,
__in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
__in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in BOOL bInheritHandles,
__in DWORD dwCreationFlags,
__in_opt LPVOID lpEnvironment,
__in_opt LPCWSTR lpCurrentDirectory,
__in LPSTARTUPINFOW lpStartupInfo,
__out LPPROCESS_INFORMATION lpProcessInformation);
// IAT replacement for CreateProcessW: shows the command line in a message
// box, then forwards every argument to the real CreateProcessW saved in
// g_CreateFunc and returns whatever it returns.
// Parameters and return value are exactly those of CreateProcessW.
BOOL WINAPI MyCreateProcessW(
    __in_opt LPCWSTR lpApplicationName,
    __inout_opt LPWSTR lpCommandLine,
    __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
    __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
    __in BOOL bInheritHandles,
    __in DWORD dwCreationFlags,
    __in_opt LPVOID lpEnvironment,
    __in_opt LPCWSTR lpCurrentDirectory,
    __in LPSTARTUPINFOW lpStartupInfo,
    __out LPPROCESS_INFORMATION lpProcessInformation)
{
    // Observe only; the arguments are passed through untouched.
    MessageBoxW(NULL, lpCommandLine, L"CreateProcessW", MB_OK);
    PCreateProcessW pfnReal = (PCreateProcessW)g_CreateFunc;
    BOOL bResult = pfnReal(lpApplicationName, lpCommandLine,
                           lpProcessAttributes, lpThreadAttributes,
                           bInheritHandles, dwCreationFlags,
                           lpEnvironment, lpCurrentDirectory,
                           lpStartupInfo, lpProcessInformation);
    return bResult;
}
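// Entry point: locates this module, checks that CreateProcessW's address is
// in its IAT, installs the IAT hook, then launches notepad.exe through the
// (now hooked) import. Returns 1 if the module lookup, the hook, or the
// launch fails.
int _tmain(int argc, _TCHAR* argv[])
{
    HMODULE hModule = NULL;
    // FROM_ADDRESS resolves the module containing TestFunctionInIAT, i.e.
    // this executable, without naming it.
    if ( !GetModuleHandleEx(
            GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS,
            (LPCTSTR)TestFunctionInIAT,
            &hModule) )
    {
        printf("GetModuleHandleEx failed: %lu\n", GetLastError());
        return 1;
    }
    BOOL bReturn = TestFunctionInIAT( hModule , (ULONG_PTR)CreateProcessW );
    if ( bReturn )
    {
        printf("Found address CreateProcessW!\n");
    }
    else
    {
        printf("found failed!\n");
    }
    g_CreateFunc = install_api_hook(hModule, "kernel32.dll", (PROC)CreateProcessW, (PROC)MyCreateProcessW);
    if ( NULL == g_CreateFunc )
    {
        // Without a saved original the hook function would call NULL.
        printf("install_api_hook failed\n");
        return 1;
    }
    // Writable buffer: CreateProcessW may modify lpCommandLine.
    wchar_t szProcessName[] = L"notepad.exe";
    STARTUPINFO si = {sizeof(si)};
    PROCESS_INFORMATION pi = {0};
    if ( !CreateProcessW(NULL, szProcessName, NULL, NULL, FALSE, 0,
                         NULL, NULL, &si, &pi) )
    {
        printf("CreateProcessW failed: %lu\n", GetLastError());
        return 1;
    }
    // We do not wait on the child; release the handles it returned.
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}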
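// Patches one IAT slot of hHookModule: the entry imported from szDllName
// that currently holds pfnHookFunAddr is overwritten with pfnNewFundAddr.
//
// hHookModule     base of the loaded image whose IAT is patched
// szDllName       imported DLL name, compared case-insensitively
// pfnHookFunAddr  value the slot holds now (the real export)
// pfnNewFundAddr  value to put in the slot
//
// Returns the previous slot value, or NULL if the image has no import
// directory, does not import szDllName, no slot holds pfnHookFunAddr, or
// the slot's page could not be made writable.
PROC install_api_hook(
    HMODULE hHookModule,
    const char * szDllName,
    PROC pfnHookFunAddr,
    PROC pfnNewFundAddr
    )
{
    unsigned char *pBaseAddr = reinterpret_cast<unsigned char *>(hHookModule);
    if ( NULL == pBaseAddr )
        return NULL;

    // DOS header -> NT headers -> optional header -> import directory.
    PIMAGE_DOS_HEADER pDosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(pBaseAddr);
    PIMAGE_NT_HEADERS pNtHeader = reinterpret_cast<PIMAGE_NT_HEADERS>(
        pBaseAddr + pDosHeader->e_lfanew );
    PIMAGE_DATA_DIRECTORY pImportDir =
        &pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    // A zero RVA means no import table; the original would then have parsed
    // the DOS header itself as an import descriptor.
    if ( 0 == pImportDir->VirtualAddress )
        return NULL;

    // Find the descriptor for szDllName; the list ends with Name == 0.
    PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor = reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(
        pBaseAddr + pImportDir->VirtualAddress );
    for ( ; pImportDescriptor->Name; ++pImportDescriptor )
    {
        const char* pszModName =
            reinterpret_cast<const char*>(pBaseAddr + pImportDescriptor->Name);
        if ( 0 == lstrcmpiA( pszModName, szDllName ) )
            break;
    }
    if ( 0 == pImportDescriptor->Name )
        return NULL;

    // Walk this DLL's IAT (FirstThunk) to the matching slot. The original
    // while-loop never advanced pThunkData, so it spun forever unless the
    // very first slot matched.
    PIMAGE_THUNK_DATA pThunkData = reinterpret_cast<PIMAGE_THUNK_DATA>(
        pBaseAddr + pImportDescriptor->FirstThunk);
    for ( ; pThunkData->u1.Function != 0; ++pThunkData )
    {
        PROC *ppFunc = reinterpret_cast<PROC*>(&pThunkData->u1.Function);
        if ( *ppFunc != pfnHookFunAddr )
            continue;

        // The IAT page is typically read-only once loading is done, so make
        // the slot writable for the store and put the protection back.
        DWORD dwOldProtect = 0;
        if ( !VirtualProtect( ppFunc, sizeof(PROC), PAGE_READWRITE, &dwOldProtect ) )
            return NULL;
        PROC pOrigFunc = *ppFunc;
        *ppFunc = pfnNewFundAddr;
        // lpflOldProtect is required; the original passed NULL, which makes
        // VirtualProtect fail and leaves the slot writable.
        DWORD dwRestored = 0;
        VirtualProtect( ppFunc, sizeof(PROC), dwOldProtect, &dwRestored );
        return pOrigFunc;
    }
    return NULL;
}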
//demo3
// JmpHook.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <windows.h>
// Copy of the first 5 bytes of the hooked function (the bytes the JMP
// overwrites), filled by set_hook and written back by restore_hook. Only 5
// of the 6 slots are used.
unsigned char g_StubCode[6] = {0x0};
// Address of the real CreateProcessW, resolved in _tmain via GetProcAddress.
PROC g_CreateFunc = 0;
// Writes the saved original bytes back over the JMP at pfnOrigAddr.
void restore_hook(PROC pfnOrigAddr);
// Saves the first 5 bytes of pfnOrigAddr and replaces them with a JMP to
// pfnNewAddr.
void set_hook(PROC pfnOrigAddr, PROC pfnNewAddr );
// Signature of CreateProcessW, used to call the real function through
// g_CreateFunc.
typedef BOOL (WINAPI *PCreateProcessW)(
__in_opt LPCWSTR lpApplicationName,
__inout_opt LPWSTR lpCommandLine,
__in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
__in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in BOOL bInheritHandles,
__in DWORD dwCreationFlags,
__in_opt LPVOID lpEnvironment,
__in_opt LPCWSTR lpCurrentDirectory,
__in LPSTARTUPINFOW lpStartupInfo,
__out LPPROCESS_INFORMATION lpProcessInformation);
// Inline-hook replacement for CreateProcessW: removes the JMP patch so the
// real function can run, shows the command line, forwards the call, then
// re-installs the patch before returning.
// NOTE(review): between restore_hook and set_hook the patch is absent for
// every thread in the process, and a concurrent caller would race on the
// patched bytes; this demo is single-threaded.
// Parameters and return value are exactly those of CreateProcessW.
BOOL WINAPI MyCreateProcessW1(
    __in_opt LPCWSTR lpApplicationName,
    __inout_opt LPWSTR lpCommandLine,
    __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
    __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
    __in BOOL bInheritHandles,
    __in DWORD dwCreationFlags,
    __in_opt LPVOID lpEnvironment,
    __in_opt LPCWSTR lpCurrentDirectory,
    __in LPSTARTUPINFOW lpStartupInfo,
    __out LPPROCESS_INFORMATION lpProcessInformation)
{
    // Undo the 5-byte patch first; otherwise calling g_CreateFunc would
    // jump straight back into this function.
    restore_hook(g_CreateFunc);
    MessageBoxW(NULL, lpCommandLine, L"CreateProcessW", MB_OK);
    PCreateProcessW pfnReal = (PCreateProcessW)g_CreateFunc;
    BOOL bRetCode = pfnReal(lpApplicationName, lpCommandLine,
                            lpProcessAttributes, lpThreadAttributes,
                            bInheritHandles, dwCreationFlags,
                            lpEnvironment, lpCurrentDirectory,
                            lpStartupInfo, lpProcessInformation);
    // Put the patch back for the next call.
    set_hook(g_CreateFunc, (PROC)MyCreateProcessW1);
    return bRetCode;
}
// Overwrites the first 5 bytes of pfnOrigAddr with a relative JMP to
// pfnNewAddr, after saving the original bytes in g_StubCode so restore_hook
// can undo it.
// NOTE(review): the displacement is truncated to ULONG and must fit a
// 5-byte JMP, so this is a 32-bit (x86) demo; the code page is switched to
// PAGE_READWRITE (no execute) while it is patched; neither VirtualProtect
// result is checked; and the final VirtualProtect passes NULL for
// lpflOldProtect, which per its documentation makes the call fail, so the
// page is left PAGE_READWRITE.
void set_hook(PROC pfnOrigAddr, PROC pfnNewAddr )
{
unsigned char *pSrcAddr =
reinterpret_cast<unsigned char *>( pfnOrigAddr );
unsigned char *pDestAddr =
reinterpret_cast<unsigned char *>( pfnNewAddr );
// The displacement is relative to the end of the 5-byte instruction.
ULONG uOperand = static_cast<ULONG>
( pDestAddr - (pSrcAddr + 5) );
// Keep the bytes the JMP will replace.
CopyMemory(g_StubCode, pSrcAddr, 5);
DWORD dwOldProtect = 0;
VirtualProtect( pSrcAddr, 5, PAGE_READWRITE, &dwOldProtect );
// 0xE9 is the opcode; the next 4 bytes are the displacement.
unsigned char szJMPCode[5] = {0xE9};
CopyMemory(&szJMPCode[1], &uOperand, 4);
CopyMemory(pSrcAddr, szJMPCode, 5 );
VirtualProtect( pSrcAddr, 5, dwOldProtect, NULL );
}
// Writes the 5 bytes saved in g_StubCode back to pfnOrigAddr, removing the
// JMP that set_hook installed. Only meaningful after set_hook has run for
// the same address.
// NOTE(review): as in set_hook, the VirtualProtect results are unchecked and
// the final call passes NULL for lpflOldProtect, which per its
// documentation makes that call fail.
void restore_hook(PROC pfnOrigAddr)
{
unsigned char *pSrcAddr =
reinterpret_cast<unsigned char *>( pfnOrigAddr );
DWORD dwOldProtect = 0;
VirtualProtect( pSrcAddr, 5, PAGE_READWRITE, &dwOldProtect );
CopyMemory(pSrcAddr, g_StubCode, 5);
VirtualProtect( pSrcAddr, 5, dwOldProtect, NULL );
}
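// Entry point: resolves the real CreateProcessW, installs the 5-byte JMP
// hook on it, launches notepad.exe so the hook fires, then removes the hook.
// Returns 1 if the export cannot be resolved or the launch fails.
int _tmain(int argc, _TCHAR* argv[])
{
    g_CreateFunc = GetProcAddress(GetModuleHandle(L"kernel32.dll"),"CreateProcessW");
    if ( NULL == g_CreateFunc )
    {
        // set_hook would otherwise write the JMP to address 0.
        return 1;
    }
    set_hook(g_CreateFunc, (PROC)MyCreateProcessW1);
    // Writable buffer: CreateProcessW may modify lpCommandLine.
    wchar_t szProcessName[] = L"notepad.exe";
    STARTUPINFO si = {sizeof(si)};
    PROCESS_INFORMATION pi = {0};
    BOOL bOk = CreateProcessW(NULL, szProcessName, NULL, NULL, FALSE, 0,
                              NULL, NULL, &si, &pi);
    // MyCreateProcessW1 re-installs the patch after each call; take it out
    // before exit so kernel32 is left as it was found.
    restore_hook(g_CreateFunc);
    if ( !bOk )
        return 1;
    // We do not wait on the child; release the handles it returned.
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}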