HOOK了MessageBoxW函數

說明

該程序通過消息hook將dll注入到目標程序,之后通過inline hook修改MessageBoxW函數頭5個字節來實現對MessageBoxW的HOOK

代碼1是dll內容,代碼2是hook程序

源碼

#include

#include

HWND hwnd = NULL;   // declared but not referenced by any function in this listing
DWORD dwPid = 0;    // file-scope copy; DllMain declares a local dwPid that shadows it, so this stays 0

void HookOff();
void HookOn();
VOID InlineHook();

// Signature of MessageBoxW, used to hold the resolved export.
typedef int (WINAPI* MBW)(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType);

MBW OldMsgBoxW = NULL;   // pointer to the original MessageBoxW
FARPROC pfOldMsgBoxW;    // the same address as a generic FARPROC; used by the __asm blocks and the patch/restore writes
BYTE OldCode[5];         // the original first 5 bytes of the API entry, saved by InlineHook
BYTE NewCode[5];         // replacement entry: 1 opcode byte (jmp) + 4-byte displacement, built by InlineHook
HANDLE hProcess = NULL;  // handle to this process, opened in DllMain; never closed in this listing
HINSTANCE hInst = NULL;  // meant to hold the module of the hooked API; not assigned anywhere in this listing

// DLL entry point. On process attach it opens a handle to the current process
// and installs the inline hook; on process detach it restores the original
// bytes. Thread attach/detach do nothing. hModule and lpvReserved are unused.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD fdwReason, LPVOID lpvReserved){
    switch (fdwReason){
    case DLL_PROCESS_ATTACH: // the process loads the DLL
    {
        // This local shadows the file-scope dwPid, which therefore remains 0.
        DWORD dwPid = GetCurrentProcessId();
        // Used later by HookOn/HookOff for VirtualProtectEx/WriteProcessMemory.
        // The return value is not checked; if it is NULL both helpers silently do nothing.
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwPid);
        InlineHook();
        // NOTE(review): LoadLibrary/OpenProcess/MessageBox are all called from inside
        // DllMain, i.e. while the loader lock is held — confirm this is acceptable.
        MessageBox(NULL, "DLL_PROCESS_ATTACH", "DLL HOOK", MB_OK);
    }
    break;
    case DLL_THREAD_ATTACH: // a thread is created in the process
        //MessageBox(NULL, "DLL_THREAD_ATTACH", "DLL HOOK", MB_OK);
        break;
    case DLL_THREAD_DETACH: // a thread exits
        //MessageBox(NULL, "DLL_THREAD_DETACH", "DLL HOOK", MB_OK);
        break;
    case DLL_PROCESS_DETACH: // the process unloads the DLL
        // Restore the original entry bytes. If InlineHook returned early, pfOldMsgBoxW is
        // NULL and the writes inside HookOff simply fail.
        HookOff();
        MessageBox(NULL, "DLL_PROCESS_DETACH", "DLL HOOK", MB_OK);
        break;
    }
    return TRUE;
}

//自己的MessageBox函數

// Replacement for MessageBoxW. Temporarily removes the patch so the real
// MessageBoxW can be called without recursing into this function, replaces
// the message text, then re-applies the patch. lpText is ignored; hWnd,
// lpCaption and uType are passed through unchanged.
int WINAPI MyMessageBoxW(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType){
    HookOff();   // put the original 5 bytes back before calling the real function
    // NOTE(review): nothing serialises this window — a second thread calling
    // MessageBoxW between HookOff and HookOn bypasses the hook or sees a
    // partially written entry.
    int nRet = MessageBoxW(hWnd, L"哈哈,MessageBoxW被HOOK了", lpCaption, uType);
    HookOn();    // re-apply the jmp
    return nRet;
}

//導出?或許不需要 開始inline hook

// Resolves MessageBoxW in User32.dll, saves its first 5 bytes into OldCode,
// builds a 5-byte "jmp MyMessageBoxW" in NewCode and installs it via HookOn().
// 32-bit only: the __asm blocks use 32-bit registers and a 4-byte displacement.
VOID InlineHook(){
    // Get the original API entry address. The module reference taken by
    // LoadLibrary is never released (no FreeLibrary in this listing).
    HMODULE hmod = LoadLibrary(TEXT("User32.dll"));
    OldMsgBoxW = (MBW)GetProcAddress(hmod, "MessageBoxW");
    pfOldMsgBoxW = (FARPROC)OldMsgBoxW;
    // Error check: GetProcAddress failed (or hmod was NULL).
    if (NULL == pfOldMsgBoxW){
        MessageBox(NULL, TEXT("獲取原API入口地址出錯"), TEXT("error!"), 0);
        return;
    }
    // Copy the first 5 bytes of the entry into OldCode (4 bytes with movsd, 1 with movsb).
    __asm{
        lea edi, OldCode        // destination: address of the OldCode array
        mov esi, pfOldMsgBoxW   // source: the original API entry address
        cld                     // clear the direction flag so the string moves go from low to high addresses
        movsd                   // copy 4 bytes
        movsb                   // copy the 5th byte
    }
    // Build the instruction that redirects the entry to MyMessageBoxW.
    NewCode[0] = 0xe9;          // opcode of jmp with a 32-bit relative displacement
    __asm{
        lea eax, MyMessageBoxW  // address of our MyMessageBoxW (author's example: 1000)
        mov ebx, pfOldMsgBoxW   // address of the original system API (author's example: 2000)
        sub eax, ebx            // nAddr = UserFunAddr - SysFunAddr: displacement from the original entry to our function
        sub eax, 5              // the displacement is taken from the end of the 5-byte jmp, so subtract its length
        mov dword ptr[NewCode + 1], eax // store the computed displacement in the 4 bytes after the opcode
        // Note: the whole jmp occupies 5 bytes.
    }
    HookOn();
}

//開啟鉤子的函數

// Installs the hook: overwrites the first 5 bytes of MessageBoxW with NewCode.
// Does nothing if hProcess was never obtained. Return values of the three
// API calls are not checked.
void HookOn(){
    if (NULL == hProcess){
        return;
    }
    DWORD dwTemp = 0;
    DWORD dwOldProtect;
    // Make the entry page writable, replace the first 5 bytes with "jmp xxxxxx",
    // then restore the previous protection.
    // NOTE(review): PAGE_READWRITE is a non-executable protection, so between the two
    // VirtualProtectEx calls any other thread that enters MessageBoxW would fault;
    // the patch itself is also not atomic with respect to concurrent callers.
    VirtualProtectEx(hProcess, pfOldMsgBoxW, 5, PAGE_READWRITE, &dwOldProtect);
    WriteProcessMemory(hProcess, pfOldMsgBoxW, NewCode, 5, 0);
    VirtualProtectEx(hProcess, pfOldMsgBoxW, 5, dwOldProtect, &dwTemp);
}

//關閉鉤子的函數

// Removes the hook: writes the saved OldCode bytes back over the entry of
// MessageBoxW. Mirror image of HookOn; same unchecked return values and the
// same unprotected window between the two VirtualProtectEx calls.
void HookOff(){
    if (NULL == hProcess){
        return;
    }
    DWORD dwTemp = 0;
    DWORD dwOldProtect;
    // Make the entry page writable, restore the original first 5 bytes,
    // then put the previous protection back.
    VirtualProtectEx(hProcess, pfOldMsgBoxW, 5, PAGE_READWRITE, &dwOldProtect);
    WriteProcessMemory(hProcess, pfOldMsgBoxW, OldCode, 5, 0);
    VirtualProtectEx(hProcess, pfOldMsgBoxW, 5, dwOldProtect, &dwTemp);
}

// Hook procedure that the second listing registers with SetWindowsHookEx.
// It does no work of its own: as the author notes, the hook is used only so
// that the system maps this DLL into the target process. Every event is passed on.
// NOTE(review): CallNextHookEx's first parameter is the HHOOK, but the procedure's
// own address is passed here — presumably relying on that argument being ignored; verify.
// No export directive is visible in this listing, so `myproc` must be exported some
// other way for the injector's GetProcAddress to find it.
LRESULT WINAPI myproc(int code, WPARAM w, LPARAM l){
    return CallNextHookEx(myproc, code, w, l);
}

源碼

#include

#include

// Signature of kernel32!IsDebuggerPresent (BOOL WINAPI f(void)), used for the
// dynamically resolved pointer in main. `_stdcall` (single underscore) is the
// older MSVC spelling of __stdcall.
typedef BOOL(_stdcall *LPAPI_IDP)(VOID);

// Injector / demo program. Runs a few debugger checks (only printing their
// result — every ExitProcess is commented out), prints this process's module
// name read from the PEB, loads mydll.dll and registers its `myproc` as a
// global WH_KEYBOARD hook so the DLL gets mapped into other processes, then
// pumps messages until WM_QUIT and removes the hook.
int main(int argc, PCHAR argv[]){
    HMODULE hModule = LoadLibrary("Kernel32"); // load the Kernel32 module
    if (hModule == NULL)
    {
        // Only reports; execution continues and hModule is still used below.
        printf("被調試,無法獲取 kernel32.dll模塊\n");//ExitProcess(0); // exit the process directly if debugging is detected
    }
    // Resolve IsDebuggerPresent dynamically. This local shadows the imported
    // function of the same name, so the later calls go through this pointer.
    LPAPI_IDP IsDebuggerPresent = GetProcAddress(hModule, "IsDebuggerPresent");// get its address
    if (IsDebuggerPresent == NULL)
    {
        // Only reports; the pointer is dereferenced below regardless.
        printf("被調試,無法獲取 IsDebuggerPresent 地址\n");//ExitProcess(0); // exit the process directly if debugging is detected
    }
    // Before calling, look at the first byte of the function: 0xcc is int3
    // (a software breakpoint); 0x64 is the x86 FS segment-override prefix the
    // author expects as the genuine first byte, so anything else is treated as tampering.
    if (*(BYTE *)IsDebuggerPresent == 0xcc ||// check for a breakpoint before calling
        *(BYTE *)IsDebuggerPresent != 0x64 ||
        IsDebuggerPresent())// call it
    {
        printf("被調試,下斷點\n");//ExitProcess(0); // exit the process directly if debugging is detected
    }
    LPSTR name;
    // Walk TEB -> PEB -> loader data -> first module entry and take its name
    // buffer. Offsets are the 32-bit layout; the final +0x30 is presumably
    // BaseDllName.Buffer of that entry — verify against the LDR_DATA_TABLE_ENTRY layout.
    __asm{
        mov eax, fs:[0x18]//_NT_TIB self pointer (TEB)
        mov eax, [eax + 0x30]//_NT_TIB -> PEB
        mov eax, [eax + 0xc]//_PEB_LDR_DATA
        mov eax, [eax + 0xc]//_LIST_ENTRY: first entry of the module list
        mov eax, [eax + 0x30]// name buffer of that entry
        mov name, eax
    }
    // name is declared LPSTR but the buffer read above is a wide string; with
    // MSVC's wprintf, %s takes a wide string, which is why this prints correctly.
    wprintf(L"%s\n", name);
    BOOL ret = IsDebuggerPresent(); // through the resolved pointer
    printf("IsDebuggerPresent = %d\n", ret);
    HHOOK kbhook;
    HMODULE mydll = LoadLibrary("mydll.dll"); // the DLL from listing 1; NULL is not checked
    // Declared HMODULE but actually holds the address of the exported hook procedure;
    // SetWindowsHookEx expects a HOOKPROC for this argument.
    HMODULE myproc = GetProcAddress(mydll, "myproc");
    // Global keyboard hook (thread id 0) whose procedure lives in mydll.dll; the
    // system loads the DLL into processes that receive keyboard input, which runs its DllMain.
    kbhook = SetWindowsHookEx(WH_KEYBOARD, myproc, mydll, 0);
    if (kbhook == NULL){
        printf("SetWindowsHookEx failed %d\n", GetLastError());
    } else
    {
        printf("執行SetWindowsHookEx完成.\n");
        printf("額,不執行?\n");
    }
    //BOOL crdp = CheckRemoteDebuggerPresent();
    // Message loop: keeps this thread pumping messages so the hook stays installed.
    // NOTE: GetMessage returns -1 on error, which is non-zero, so an error would keep looping.
    MSG msg;
    while (GetMessage(&msg, NULL, 0, 0)){
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    };
    UnhookWindowsHookEx(kbhook);
    getchar();
    return 0;
}
