- #include "stdio.h"
- #include "tchar.h"
- #include "windows.h"
-
-
// Near-jump encoding: [0xE9][offset]
//   offset: signed 32-bit integer, the distance from the instruction that follows
//   the jmp (jmp start address + 5) to the target address.
//   Formula: offset = target address - (jmp start address + 5)
// Short-jump forms such as 0xEB also exist, but the 0xE9 form is the one most commonly used.
-
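/* Length of the patch written over the MessageBoxA entry: a 5-byte near jmp (0xE9 + rel32). */
enum { HOOK_PATCH_LEN = 5 };

BYTE jmp[HOOK_PATCH_LEN] = { 0 };   /* jmp rel32 to MessageBoxProxy, built by SetupHook */
BYTE enter[HOOK_PATCH_LEN] = { 0 }; /* original first 5 bytes of MessageBoxA, saved by SetupHook */
HANDLE hProcess = NULL;             /* current-process handle for FlushInstructionCache; set in main */
/* NOTE(review): DWORD truncates a pointer on 64-bit Windows and a rel32 jmp only
 * reaches +/-2 GiB, so this layout is only valid for a 32-bit build. */
DWORD pfnMsgBox = 0;                /* address of MessageBoxA; 0 while no hook is installed */
DWORD dwOld = 0;                    /* page protection saved by VirtualProtect in SetupHook */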
-
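/*
 * Replacement that runs in place of MessageBoxA while the hook is installed.
 *
 * The hook jmp is removed, the original is called, then the jmp is written
 * back. The window between the two memcpy calls is visible to other threads
 * and the 5-byte write is not atomic, so this demo is only correct for a
 * single-threaded caller.
 *
 * Parameters mirror MessageBoxA. Returns whatever the original MessageBoxA returns.
 */
int WINAPI MessageBoxProxy(IN HWND hWnd, IN LPCSTR lpText, IN LPCSTR lpCaption, IN UINT uType)
{
    int ret = 0;

    printf("this is MessageBoxProxy begin!\n");
    /* MessageBoxA accepts NULL for its strings; "%s" with NULL is undefined behaviour. */
    printf("Caption:%s\n", lpCaption ? lpCaption : "(null)");
    printf("Text:%s\n", lpText ? lpText : "(null)");

    /* Restore the saved entry bytes so the real function can be called. */
    memcpy((void*)pfnMsgBox, enter, sizeof enter);
    FlushInstructionCache(hProcess, (void*)pfnMsgBox, sizeof enter);

    /* Call MessageBoxA explicitly: the arguments are LPCSTR, and the MessageBox
     * macro would resolve to MessageBoxW in a UNICODE build. */
    ret = MessageBoxA(hWnd, lpText, lpCaption, uType);

    /* Re-install the jmp so the next call is intercepted again. */
    memcpy((void*)pfnMsgBox, jmp, sizeof jmp);
    FlushInstructionCache(hProcess, (void*)pfnMsgBox, sizeof jmp);

    printf("this is MessageBoxProxy end!\n");
    return ret;
}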
-
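/*
 * Install the inline hook: overwrite the first 5 bytes of MessageBoxA with
 * `jmp rel32` to MessageBoxProxy, saving the original bytes in `enter`.
 *
 * rel32 = target - (address of the jmp + 5); see the note at the top of the file.
 * Only valid for a 32-bit process: the int casts truncate 64-bit pointers and a
 * rel32 jmp cannot reach an arbitrary 64-bit address.
 *
 * On failure (export not found, or the page could not be made writable) nothing
 * is written and pfnMsgBox is left at 0 so RemoveHook has nothing to undo.
 */
void SetupHook(void)
{
    int rel = 0;

    /* GetProcAddress always takes an ANSI name; _T() would yield a wide string under UNICODE. */
    pfnMsgBox = (DWORD)GetProcAddress(GetModuleHandle(_T("user32.dll")), "MessageBoxA");
    if (pfnMsgBox == 0) {
        printf("SetupHook: MessageBoxA not found\n");
        return;
    }
    memcpy(enter, (void*)pfnMsgBox, sizeof enter); /* save the original entry bytes */

    jmp[0] = 0xe9;
    rel = (int)&MessageBoxProxy - ((int)pfnMsgBox + 5);
    memcpy(&jmp[1], &rel, sizeof rel); /* byte copy: &jmp[1] is not int-aligned */

    /* Code pages are not writable by default; do not write if the protection change failed. */
    if (!VirtualProtect((void*)pfnMsgBox, sizeof jmp, PAGE_EXECUTE_READWRITE, &dwOld)) {
        printf("SetupHook: VirtualProtect failed (%lu)\n", GetLastError());
        pfnMsgBox = 0;
        return;
    }
    memcpy((void*)pfnMsgBox, jmp, sizeof jmp);
    /* Flush after the write, as the other patch sites already do, so the new
     * bytes are what executes on the first call. */
    FlushInstructionCache(hProcess, (void*)pfnMsgBox, sizeof jmp);
}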
-
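/*
 * Uninstall the hook: put the saved entry bytes back and restore the page
 * protection recorded by SetupHook. A no-op when no hook is installed
 * (pfnMsgBox == 0), so it is safe to call after a failed SetupHook.
 */
void RemoveHook(void)
{
    DWORD dwTemp = 0;

    if (pfnMsgBox == 0) {
        return; /* nothing was hooked */
    }
    memcpy((void*)pfnMsgBox, enter, sizeof enter);
    FlushInstructionCache(hProcess, (void*)pfnMsgBox, sizeof enter);
    /* dwOld is the protection VirtualProtect reported in SetupHook. */
    if (!VirtualProtect((void*)pfnMsgBox, sizeof enter, dwOld, &dwTemp)) {
        printf("RemoveHook: VirtualProtect failed (%lu)\n", GetLastError());
    }
}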
-
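/*
 * Demo driver: show one message box with the hook installed (the proxy logs
 * the call) and one after the hook is removed (no log).
 *
 * Returns 0.
 */
int main(void)
{
    hProcess = GetCurrentProcess(); /* needed by FlushInstructionCache in the hook code */

    SetupHook();
    /* Call MessageBoxA explicitly: the hook is on the ANSI export, and the
     * MessageBox macro would resolve to MessageBoxW in a UNICODE build. */
    MessageBoxA(NULL, "Hook Demo!", "API Hook", MB_ICONINFORMATION);

    RemoveHook();
    MessageBoxA(NULL, "Hook Demo!", "API Hook", MB_ICONINFORMATION);

    system("pause"); /* keep the console open to read the proxy's output */
    return 0;
}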