最精简的 API 钩子示范（C 语言版）：HOOK SetWindowTextA（设置窗口标题的函数）。
这是一个 DLL；测试时将其注入目标进程，或在主程序中载入编译后的 DLL，即可看到效果。
#include "StdAfx.h"
#include<stdio.h>
// Forward declarations; both functions are defined further down in this file.
void myhook();
void UnHOOK(DWORD ProcAddr);
// Address of the SetWindowTextA entry point that gets patched. Filled in by
// myhook() from GetProcAddress; the commented-out UnHOOK(a) in MySetWindowTextA
// shows the intended way to undo the patch. Stored as a 32-bit DWORD, so this
// only round-trips a code pointer on 32-bit (x86) builds.
DWORD a;
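// Replacement that myhook() redirects SetWindowTextA to.
// It shows a message box and returns 0 (FALSE) without ever reaching the
// original code, so every SetWindowTextA call in the process fails while the
// patch is in place. The signature mirrors SetWindowTextA(HWND, LPCTSTR) so
// the stdcall frame (WINAPI, two arguments) matches the function it replaces;
// both parameters are deliberately unused. Parameters are named here because
// unnamed parameters in a definition are not valid C.
// NOTE(review): this runs inside the patched process; if anything on the
// MessageBox path itself calls SetWindowTextA it re-enters this function.
DWORD WINAPI MySetWindowTextA(HWND hWnd, LPCTSTR lpString)
{
    (void)hWnd;
    (void)lpString;
    // uType 1 = MB_OKCANCEL.
    MessageBox(NULL,"亲爱的您要使用的函数被拦截了!","友情提示",1);
    // The author left "UnHOOK(a);" commented out here; enabling it would make
    // the patch undo itself after the first intercepted call.
    return 0;
}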
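// Overwrite the first five bytes at ProcAddr with a near relative jump
// (opcode E9 followed by a 32-bit displacement read from lpData).
//
// ProcAddr: address of the code to patch (a DWORD, so x86/32-bit only).
// lpData:   points at the 4-byte rel32 displacement, copied as-is.
//
// Nothing is saved before the write, so the original bytes cannot be
// recovered from here; UnHOOK() relies on a fixed prologue instead.
// VirtualProtect is checked: if the page cannot be made writable the patch
// is skipped instead of faulting inside memcpy (the original ignored the
// return value and wrote unconditionally).
void WriteJMP(DWORD ProcAddr,LPVOID lpData)
{
    BYTE patch[5];
    DWORD oldProtect = 0;

    patch[0] = 0xE9;              // JMP rel32
    memcpy(patch + 1, lpData, 4); // displacement, taken verbatim from lpData

    if (!VirtualProtect((LPVOID)ProcAddr, sizeof patch, PAGE_EXECUTE_READWRITE, &oldProtect)) {
        return; // page not writable; leave the target untouched
    }
    memcpy((LPVOID)ProcAddr, patch, sizeof patch);
    // Put the previous page protection back; the out-parameter is just reused.
    VirtualProtect((LPVOID)ProcAddr, sizeof patch, oldProtect, &oldProtect);
}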
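// Undo WriteJMP by writing a fixed five-byte prologue back at ProcAddr.
//
// The bytes 8B FF 55 8B EC decode to "mov edi,edi; push ebp; mov ebp,esp",
// the hot-patchable prologue the author evidently expects SetWindowTextA to
// start with. They are NOT the bytes WriteJMP overwrote, so this restore is
// only correct when the target really began with that sequence; a build
// where it differs is left corrupted. Saving the original bytes in WriteJMP
// and restoring those would be the robust fix.
// VirtualProtect is checked the same way as in WriteJMP.
void UnHOOK(DWORD ProcAddr)
{
    static const BYTE prologue[5] = {0x8b,0xff,0x55,0x8b,0xec};
    DWORD oldProtect = 0;

    if (!VirtualProtect((LPVOID)ProcAddr, sizeof prologue, PAGE_EXECUTE_READWRITE, &oldProtect)) {
        return; // page not writable; nothing restored
    }
    memcpy((LPVOID)ProcAddr, prologue, sizeof prologue);
    VirtualProtect((LPVOID)ProcAddr, sizeof prologue, oldProtect, &oldProtect);
}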
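// DLL entry point.
//
// On DLL_PROCESS_ATTACH the patch is installed via myhook(). The original
// code had the "break" after that call commented out, so control fell through
// the remaining cases; here it is explicit. On DLL_PROCESS_DETACH the patch is
// undone when one was installed (a != 0): without that, unloading the DLL
// leaves SetWindowTextA jumping into an address that is no longer mapped.
// NOTE(review): myhook() runs under the loader lock and calls
// GetModuleHandle/GetProcAddress from DllMain; keep that in mind if this is
// ever loaded somewhere user32 is not already present.
BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    (void)hModule;
    (void)lpReserved;

    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        myhook();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        if (a) {
            UnHOOK(a); // restore the entry bytes before the DLL's code goes away
        }
        break;
    default:
        break;
    }
    return TRUE;
}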
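// Locate SetWindowTextA in the already-loaded user32 module, record its
// address in the global `a`, and redirect it to MySetWindowTextA.
//
// The displacement handed to WriteJMP is the x86 rel32 form:
// target - (patch address + 5), i.e. relative to the end of the 5-byte JMP.
// Both lookups are checked; on failure `a` is left at 0 and nothing is
// patched. The original passed a NULL result straight into WriteJMP, which
// would then try to write at address 0.
void myhook()
{
    HMODULE hUser32 = GetModuleHandle("user32"); // only finds it if already mapped
    if (hUser32 == NULL) {
        return;
    }
    DWORD target = (DWORD)GetProcAddress(hUser32, "SetWindowTextA");
    if (target == 0) {
        return;
    }
    a = target;
    DWORD rel32 = (DWORD)MySetWindowTextA - (a + 5);
    WriteJMP(a, &rel32);
}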