說明
該程序通過消息鉤子把 DLL 注入到目標程序,之後對 MessageBoxW 函數開頭的 5 個字節做 inline hook,藉此實現對 MessageBox 的 HOOK。
代碼1是 DLL 的內容,代碼2是安裝鉤子的程序。
源碼
#include
#include
HWND hwnd = NULL;// not referenced anywhere in this listing
DWORD dwPid = 0;// not used: DllMain declares a local dwPid that shadows this one
void HookOff();// restores the original entry bytes (defined below)
void HookOn();// writes the jmp into the entry (defined below)
VOID InlineHook();// saves the original bytes and builds the jmp (defined below)
typedef int (WINAPI* MBW)(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType);// function-pointer type with MessageBoxW's signature
MBW OldMsgBoxW = NULL;// pointer to the original function (resolved in InlineHook)
FARPROC pfOldMsgBoxW;// the same address as a FARPROC, used by the asm block and the VirtualProtectEx/WriteProcessMemory calls
BYTE OldCode[5];// the original first 5 bytes of the API entry (saved so they can be restored)
BYTE NewCode[5];// the replacement entry bytes: jmp xxxxxxxx (0xE9 opcode + 32-bit displacement)
HANDLE hProcess = NULL;// handle to this process, opened in DllMain; never closed in this listing
HINSTANCE hInst = NULL;// per the original comment, handle of the DLL containing the API; neither assigned nor read in this listing
// DLL entry point. On process attach it opens a handle to the current
// process, installs the MessageBoxW inline hook and shows a message box;
// on process detach it removes the hook and shows another. Thread
// attach/detach notifications are ignored. Always returns TRUE.
// NOTE(review): hProcess is never closed in this listing, and showing a
// message box (plus the LoadLibrary inside InlineHook) from DllMain runs
// under the loader lock, which the DllMain documentation warns against.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD fdwReason, LPVOID lpvReserved){
    if (fdwReason == DLL_PROCESS_ATTACH) {
        // Opened by pid rather than via GetCurrentProcess(), as in the original.
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, GetCurrentProcessId());
        InlineHook();
        MessageBox(NULL, "DLL_PROCESS_ATTACH", "DLL HOOK", MB_OK);
    } else if (fdwReason == DLL_PROCESS_DETACH) {
        HookOff();
        MessageBox(NULL, "DLL_PROCESS_DETACH", "DLL HOOK", MB_OK);
    }
    // DLL_THREAD_ATTACH / DLL_THREAD_DETACH: nothing to do.
    return TRUE;
}
// Replacement for MessageBoxW. It first restores the original entry bytes
// (HookOff) so the call below reaches the original code instead of coming
// back here, forwards the caller's window, caption and flags but substitutes
// a fixed body text (lpText is deliberately ignored), then re-applies the
// patch (HookOn) and returns whatever MessageBoxW returned.
int WINAPI MyMessageBoxW(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType){
    int result;
    HookOff();
    result = MessageBoxW(hWnd, L"哈哈,MessageBoxW被HOOK了", lpCaption, uType);
    HookOn();
    return result;
}
// Installs the inline hook: saves the first 5 bytes of MessageBoxW into
// OldCode, builds a 5-byte "jmp rel32" to MyMessageBoxW in NewCode, then
// calls HookOn() to write it. 32-bit x86 only (MSVC __asm, 32-bit
// registers, 5-byte patch). On failure it shows a message box and returns
// with nothing installed.
// Original comment: "export? maybe not needed - start inline hook".
VOID InlineHook(){
// Resolve the address of the original API entry.
// NOTE(review): the LoadLibrary result is not checked (a NULL module makes
// GetProcAddress return NULL, which the check below catches), and the module
// reference is never released in this listing.
HMODULE hmod = LoadLibrary(TEXT("User32.dll"));
OldMsgBoxW = (MBW)GetProcAddress(hmod, "MessageBoxW");
pfOldMsgBoxW = (FARPROC)OldMsgBoxW;
// Error check.
if (NULL == pfOldMsgBoxW){
MessageBox(NULL, TEXT("獲取原API入口地址出錯"), TEXT("error!"), 0);
return;
}
// Copy the first 5 bytes of the entry into OldCode with inline asm.
__asm{
lea edi, OldCode// edi = address of the OldCode array (destination)
mov esi, pfOldMsgBoxW// esi = address of the original API entry (source)
cld// clear the direction flag so the two string moves below go from low to high addresses
movsd// copy the first 4 bytes of the entry into OldCode
movsb// copy the 5th byte
}
// Build the replacement entry: a relative jump to our function.
NewCode[0] = 0xe9;// opcode of jmp rel32
__asm{
lea eax, MyMessageBoxW// eax = address of MyMessageBoxW (the original's example: 1000)
mov ebx, pfOldMsgBoxW// ebx = address of the original API (the original's example: 2000)
sub eax, ebx// eax = target - entry; the original author was unsure why - see the next line
sub eax, 5// jmp rel32 is relative to the end of the 5-byte jmp itself, so the displacement is target - (entry + 5)
mov dword ptr[NewCode + 1], eax// store the 32-bit displacement in the 4 bytes after the opcode
// Together: 1 opcode byte + 4 displacement bytes = the 5 bytes written over the entry.
}
HookOn();
}
// Enables the hook: overwrites the first 5 bytes of the API entry with
// NewCode. Does nothing if hProcess was never opened.
// NOTE(review): none of the three calls below has its return value checked,
// so a failure is silent; if the first VirtualProtectEx fails, dwOldProtect
// is still uninitialized when it is passed back in the last call.
void HookOn(){
if (NULL == hProcess){
return;
}
DWORD dwTemp = 0;// receives the protection replaced by the last VirtualProtectEx; never read
DWORD dwOldProtect;// page protection in effect before the write, restored afterwards
// Change the first 5 bytes of the API entry to "jmp xxxxxx".
VirtualProtectEx(hProcess, pfOldMsgBoxW, 5, PAGE_READWRITE, &dwOldProtect);
WriteProcessMemory(hProcess, pfOldMsgBoxW, NewCode, 5, 0);// last argument: bytes-written out-parameter not requested
VirtualProtectEx(hProcess, pfOldMsgBoxW, 5, dwOldProtect, &dwTemp);
}
// Disables the hook: writes the saved OldCode back over the first 5 bytes
// of the API entry. Does nothing if hProcess was never opened. Called from
// MyMessageBoxW before forwarding the call and from DllMain on detach.
// NOTE(review): same unchecked return values as HookOn - a failed write
// leaves the entry in an unknown state, and dwOldProtect is uninitialized
// if the first VirtualProtectEx fails.
void HookOff(){
if (NULL == hProcess){
return;
}
DWORD dwTemp = 0;// receives the protection replaced by the last VirtualProtectEx; never read
DWORD dwOldProtect;// page protection in effect before the write, restored afterwards
// Restore the first 5 bytes of the API entry.
VirtualProtectEx(hProcess, pfOldMsgBoxW, 5, PAGE_READWRITE, &dwOldProtect);
WriteProcessMemory(hProcess, pfOldMsgBoxW, OldCode, 5, 0);// last argument: bytes-written out-parameter not requested
VirtualProtectEx(hProcess, pfOldMsgBoxW, 5, dwOldProtect, &dwTemp);
}
// Hook procedure handed to SetWindowsHookEx by the loader program. It does
// no keyboard processing of its own; it exists only so that the DLL gets
// mapped into the hooked process, and it simply passes every event on.
// NOTE(review): the first argument of CallNextHookEx is documented as
// ignored, so passing myproc instead of the HHOOK has no effect at run time,
// but it is the wrong type. The loader looks this function up by name with
// GetProcAddress("myproc"); unless it is exported somewhere not shown here,
// that lookup returns NULL.
LRESULT WINAPI myproc(int code, WPARAM w, LPARAM l){
    return CallNextHookEx(myproc, code, w, l);
}
源碼
#include
#include
typedef BOOL(_stdcall *LPAPI_IDP)(VOID);// pointer-to-function type with IsDebuggerPresent's signature (BOOL WINAPI f(void)); MSVC also accepts the single-underscore _stdcall spelling
// Loader side. Resolves IsDebuggerPresent by hand and runs three debugger
// checks, reads a string pointer out of this process's loader list with
// inline asm and prints it, then installs a WH_KEYBOARD hook whose
// procedure is "myproc" in mydll.dll and pumps messages until the loop ends.
// Every failure path below only prints and continues (the ExitProcess calls
// are commented out), so later lines can run with NULL handles/pointers.
// 32-bit x86 only (MSVC __asm, fs: segment access).
int main(int argc, PCHAR argv[]){
HMODULE hModule = LoadLibrary("Kernel32");// load the Kernel32 module
if (hModule == NULL)
{
printf("被調試,無法獲取 kernel32.dll模塊\n");// original: "being debugged, cannot get kernel32.dll"; ExitProcess(0) is commented out, so execution continues with hModule == NULL
}
LPAPI_IDP IsDebuggerPresent = GetProcAddress(hModule, "IsDebuggerPresent");// resolve the address; NOTE(review): FARPROC assigned to LPAPI_IDP without a cast, and this local shadows the IsDebuggerPresent declared by the Windows headers presumably included above
if (IsDebuggerPresent == NULL)
{
printf("被調試,無法獲取 IsDebuggerPresent 地址\n");// original: "being debugged, cannot get IsDebuggerPresent address"; again only prints, so the dereference on the next line happens with NULL
}
if (*(BYTE *)IsDebuggerPresent == 0xcc ||// before calling, inspect the first byte: 0xCC (int 3) means a software breakpoint was placed on the function
*(BYTE *)IsDebuggerPresent != 0x64 ||// expects 0x64 (the fs: prefix) as the first byte; NOTE(review): tied to one particular build of the function - confirm on the target OS
IsDebuggerPresent())// finally call it
{
printf("被調試,下斷點\n");// original: "being debugged, breakpoint set"; ExitProcess(0) is commented out
}
LPSTR name;// NOTE(review): receives a pointer read from the loader list below; declared as a narrow string but printed with wprintf(L"%s"), which on MSVC expects a wide string - confirm which one the field holds
__asm{
mov eax, fs:[0x18]//_NT_TIB (original comment)
mov eax, [eax + 0x30]//_NT_TIB (original comment)
mov eax, [eax + 0xc]//_PEB_LDR_DATA (original comment)
mov eax, [eax + 0xc]//_LIST_ENTRY (original comment)
mov eax, [eax + 0x30]// field at +0x30 of the first list entry; the original does not name it
mov name, eax
}
wprintf(L"%s\n", name);// see the note on the declaration of name
BOOL ret = IsDebuggerPresent();// call through the hand-resolved pointer a second time
printf("IsDebuggerPresent = %d\n", ret);
HHOOK kbhook;
HMODULE mydll = LoadLibrary("mydll.dll");// NOTE(review): not checked for NULL before use
HMODULE myproc = GetProcAddress(mydll, "myproc");// NOTE(review): declared HMODULE but SetWindowsHookEx expects a HOOKPROC; also NULL unless the DLL actually exports "myproc", which the DLL listing above does not show
kbhook = SetWindowsHookEx(WH_KEYBOARD, myproc, mydll, 0);// keyboard hook with procedure in mydll; thread id 0 means all threads on the desktop per the API docs
if (kbhook == NULL){
printf("SetWindowsHookEx failed %d\n", GetLastError());// NOTE(review): GetLastError() returns a DWORD; %lu would match the type
} else
{
printf("執行SetWindowsHookEx完成.\n");// original: "SetWindowsHookEx done."
printf("額,不執行?\n");// original: "er, it doesn't run?" - apparently the author observed the hook not firing
}
//BOOL crdp = CheckRemoteDebuggerPresent();
// Message loop. NOTE(review): GetMessage returns -1 on error, which is truthy here, so an error does not end the loop.
MSG msg;
while (GetMessage(&msg, NULL, 0, 0)){
TranslateMessage(&msg);
DispatchMessage(&msg);
};
UnhookWindowsHookEx(kbhook);// reached only after the loop ends; called even when kbhook is NULL
getchar();
return 0;
}