hookapi技术

对于程序员来讲，API拦截技术是一种重要的基础技术。这项技能为编写某些工具软件提供了可能，并可以大大提高我们对第三方应用程序的控制能力。不过，目前API拦截的技术资料往往局限于原理方面的论述，对于如何具体地编写一个API拦截程序却守口如瓶。毕竟，对于程序员来讲，当初学习这项技能花费了不少心血，如果让他们无偿地奉献出来，恐怕不太现实；另外的一个因素就是竞争，多一个人学会这项技能，就多一份竞争。我在掌握这项技能的时候，就走了不少弯路，如果当初有一份详细的资料，这些不必要的弯路是完全可以避免的。而这正是我编写这份技术资料的目的。

本程序是一个示例程序，用以演示如何拦截API调用。开始拦截CreateProcess之后，当用户通过资源管理器运行程序时，就会弹出一个对话框提示用户运行了什么程序。停止拦截之后，用户运行程序时则不会弹出对话框。

随本程序附带的教程是未注册版本，如果您需要详细的资料，请通过网上商城进行注册。注册费用为320元人民币。最终价格请以网上商城的价格为准。

这就引起了我的好奇，难道这个软件用了什么牛x的新技术？居然这么值钱！那得看看，于是就把该软件下载下来研究了研究。谁知道，他所用的技术不但一点创新都没有，还有着很大的局限性。于是就有了这篇文章，还希望高手不要见笑。

这个程序的原版大家自己找，名字就叫做API拦截教程。启动该程序后，按下拦截CreateProcess的按钮，运行任何程序都会弹出运行程序的路径。稍微了解API hook的都知道，通常ring3下hook API的办法有三种：一是修改程序的IAT表，使API调用跳向自己的函数而不是转向API入口；二是修改API入口处的机器码；三是用创建远线程CreateRemoteThread的办法来完成。（严格地说，CreateRemoteThread只是把DLL注入目标进程的手段，注入之后仍然要用前两种方法之一改写调用路径。）那么这个教程究竟用了什么先进手法呢？

先运行一次，按下按钮后，果然explorer弹出了程序的路径。此时，如果你用IceSword这类可以查看进程模块的工具查看explorer的模块，就会发现explorer里面多了一个InterceptDll.dll模块；当我们卸载了这个DLL后，拦截的效果就没有了。看来这个程序的核心不是那个启动的程序，而是这个DLL。现在让我们看看这个InterceptDll.dll到底做了什么。

先使用VC++的工具DUMPBIN将DLL中的导出函数表导出到一个定义(.DEF)文件：

DUMPBIN InterceptDll.dll /EXPORTS /OUT:InterceptDll.def

ordinal  hint  RVA       name
      1     0  00001230  InstallHook
      2     1  00001270  UninstallHook

只有两个导出函数，看名字就知道，一个是安装钩子，一个是卸载钩子。我们调用看看，结果连参数都不用，只要调用InstallHook就可以把InterceptDll.dll插入explorer，用UninstallHook就可以卸载钩子。看来我们不用分析他的exe文件了，因为有用的东西就在这个DLL里。那么如何分析这个DLL是怎么工作的呢？直接用IDA看静态代码，可以看见DLL里有VirtualAlloc、SetWindowsHookExA等函数。（SetWindowsHookExA就是把DLL装进explorer的手段：全局窗口钩子会把钩子DLL加载到有消息循环的进程里；从下面的实验看，它似乎只是按进程名来判断目标的。）但是，里面没有CreateRemoteThread这个函数，那么基本可以排除第三种方法了，修改IAT或者修改入口字节的可能性比较大一些。那么具体究竟是用了什么手段，又是怎么实现的呢？光静态看代码就能看出来，我可没那种本事；要实时调试explorer又非常麻烦，那么怎么办呢？其实办法很简单啦，只要自己把一个exe文件改名让它跟explorer同名就可以了。这家伙可不管你是真李逵还是假李鬼，统统都插！我先写了个很简单的exe程序，只有一个按钮，直接调用CreateProcess启动notepad，然后改名为explorer。运行后让程序拦截，果然再用IceSword看模块，那个InterceptDll.dll偷偷地钻进了我写的这个程序。

好，现在动手钻进InterceptDll.dll的内部，看看它到底干了什么！我用的是OllyDbg，其实WinDbg也可以，我用OD习惯了。先附加到我自己写的这个小explorer程序，然后在CreateProcess下断点，按下启动notepad的按钮，断下以后一步一步跟踪。当进入到原先CreateProcess的领空的时候，入口变了：

7C802332 >  E9 B9ED7F93    jmp 100010F0
7C802337    6A 00          push 0

入口变成了跳向100010F0。运行了这个跳转，就进入了DLL的代码段。具体汇编代码如下（原始反汇编从100010F1开始，100010F0处那条1字节指令在原文中被省略了，按后面的`mov ebp,esp`推断应当是`55 push ebp`）：

100010F1    8BEC            mov ebp, esp
100010F3    6A FF           push -1
100010F5    68 50710010     push 10007150
100010FA    68 7C220010     push 1000227C
100010FF    64:A1 00000000  mov eax, dword ptr fs:[0]
10001105    50              push eax
10001106    64:8925 00000000 mov dword ptr fs:[0], esp
1000110D    83EC 0C         sub esp, 0C
10001110    53              push ebx
10001111    56              push esi
10001112    57              push edi
10001113    33C0            xor eax, eax
10001115    8945 E4         mov dword ptr [ebp-1C], eax
10001118    8945 FC         mov dword ptr [ebp-4], eax
1000111B    50              push eax                    ; uType = 0
1000111C    68 44710010     push 10007144               ; lpCaption（宽字符串，原文中已乱码）
10001121    8B75 0C         mov esi, dword ptr [ebp+C]  ; 第2个参数 lpCommandLine
10001124    56              push esi                    ; lpText = lpCommandLine
10001125    50              push eax                    ; hWnd = 0
10001126    FF15 FC700010   call dword ptr [100070FC]   ; USER32.MessageBoxW
1000112C    8B45 2C         mov eax, dword ptr [ebp+2C]
1000112F    50              push eax
10001130    8B4D 28         mov ecx, dword ptr [ebp+28]
10001133    51              push ecx
10001134    8B55 24         mov edx, dword ptr [ebp+24]
10001137    52              push edx
10001138    8B45 20         mov eax, dword ptr [ebp+20]
1000113B    50              push eax
1000113C    8B4D 1C         mov ecx, dword ptr [ebp+1C]
1000113F    51              push ecx
10001140    8B55 18         mov edx, dword ptr [ebp+18]
10001143    52              push edx
10001144    8B45 14         mov eax, dword ptr [ebp+14]
10001147    50              push eax
10001148    8B4D 10         mov ecx, dword ptr [ebp+10]
1000114B    51              push ecx
1000114C    56              push esi
1000114D    8B55 08         mov edx, dword ptr [ebp+8]
10001150    52              push edx                    ; 以上把原来的10个参数原样压栈
10001151    E8 7AFFFFFF     call 100010D0

可以看到钩子函数只是用MessageBoxW把命令行（[ebp+C]）显示出来，然后把原来的10个参数原样压栈。运行到call 100010D0时开始跳回原领空。

call 100010D0里面的实际代码是这样的：

100010D0    8BFF            mov edi, edi
100010D2    55              push ebp
100010D3    8BEC            mov ebp, esp
100010D5    E9 5D12806C     jmp kernel32.7C802337

这正是被覆盖掉的CreateProcess头5个字节（mov edi,edi / push ebp / mov ebp,esp），执行完以后跳到kernel32.7C802337处：

100010D0    8BFF            mov edi, edi
100010D2    55              push ebp
100010D3    8BEC            mov ebp, esp

而7C802337处正是原本CreateProcess代码接下来的一段。（上面这段列表与100010D0处的重复了，原文有误；按前面的断点看，7C802337处应当是`6A 00 push 0`等指令。）

µ½ÕâÀÕâ¸ödllµÄhook¹¦ÄܾÍÕæÏà´ó°×ÁË£¬ËûÍêȫûÓÐʹÓÃʲôм¼ÊõÀ´Íê³Éhook¡£ÕÕÑùÊÇÐÞ¸Äapiº¯ÊýµÄÍ·5¸ö×Ö½Ú£¬È»ºóÌøתµ½×Ô¼ºµÄº¯Êý£¬Ö®ºóÔÙ¹¹ÔìÒ»¸öÀàËƵÄÍ·£¬×îºóÌø»ØÔÀ´µÄapiÁì¿Õ¼ÌÐøÔËÐС£Õâ¸öÍêÈ«¾ÍÊÇwindowsºËÐıà³ÌÀïµÄ´úÂëµÄÕÕ³£¬¾ÍÕâ³һϾÍÒªÈË320Ôª£¬ÊÇÔÚÓеãÌ«ºÚÁË°É£¡

更为重要的是，API hook中这样的hook有很大的缺陷。为什么这么说呢？我们可以看见它是把入口修改为jmp 100010F0：

7C802332 >  E9 B9ED7F93    jmp 100010F0

我们知道一般的API函数头部是不会出现这样的远距离jmp的，所以只要检测API函数头第一个字节是否为E9，就可以很轻松地检测出API是否被hook住了。（不过只查E9只是一种启发式：像下面VC版本那样用`mov eax, imm32 ; jmp eax`（B8 … FF E0）改写入口就绕过了它。更可靠的做法是把内存中的函数头与磁盘上kernel32.dll对应位置的字节逐一比较，任何不一致都说明入口被改过。）还有一个问题就是，如果我们的目的并不止于在API函数处理之前修改某些参数或者做些处理，而是要整个重新处理、不再回到系统的API处理处，这个流程也不符合我们的要求。

不过没有关系，既然现在我们已经知道了这个DLL工作的大致流程，我们也可以自己写一个拦截CreateProcess的DLL了。而且我们把这个程序改进一下，使它成为一个全局的钩子，并且可以选择是否允许程序启动：在程序启动以前弹出一个msgbox，上面有"是"和"否"两个按钮，按下"是"程序就不能启动，按下"否"程序就照常启动；弹出的对话框里不但有这个程序的路径，还有启动这个程序的进程的路径。怎么样，比他的还要高级一些吧。

（为什么不用Detours？）因为表面上Detours可以很容易地钩住API，但是它的自由度太低了。最重要的是，它无法完成SSDT hook，还是提高自己的水平最重要。

我改出了两个版本，一个是asm的，一个是VC的。但是奇怪的是asm代码没有问题，而VC的代码却出了问题，我希望高手能帮我解决以下两个问题：

 

µÚÒ»¸öÎÊÌ⣺¾ÍÊÇÔÚvc´úÂëÖÐ(¸ù¾ÝÍõÑÞƼµÄwindows³ÌÐòÉè¼Æ´úÂëÐÞ¸Ä)

在构建新的跳转字节时是靠这段代码：

BYTE btNewBytes[8] = {0xB8, 0xE0, 0x18, 0x00, 0x10, 0xFF, 0xE0, 0x00};

这段机器码的含义是：jmp到我们自己定义的MyCreateProcessA函数处。具体地说，B8 E0 18 00 10是`mov eax, 0x100018E0`，FF E0是`jmp eax`，一共7个字节，最后的0x00只是填充。

这里使用的是固定值，只要我们稍微修改一下代码，这里就要跟着修改，很麻烦。如果使用非debug版本，你找不到jmp到这个函数的直接代码，需要你自己去调试查找，非常麻烦。（而且固定地址还假定DLL一定被加载在0x10000000，一旦基址被重定位就跳飞了；正确的做法是在运行时取`(DWORD)MyCreateProcessA`填进B8后面的4个字节，和下面asm版本里的`offset MyAPI`一样。）

而asm中这个地址是自己动态获得的，

获得代码如下：

mov hacker.a, 0B8h          ; mov eax,
; mov hacker.d PMyapi        ; 0x000000
mov hacker.d, 0FFh          ; jmp
mov hacker.e, 0E0h          ; eax

中间有间隔：

mov hacker.PMyapi, offset MyAPI   ; 0x000010 ; 要替代API的函数地址

这样的话，完全不用考虑API的地址，由程序自己来定位。由于本人VC功力不够，实在不知道如何实现这个代码，希望高手能指点一二。

 

第二个问题相对简单点。大家可以看见，我asm的代码中钩的是CreateProcessW，而VC钩的是CreateProcessA，为什么呢？explorer实际上是调用CreateProcessW来启动程序的，用CreateProcessA是钩不住explorer启动的程序的。而我在用VC写CreateProcessW钩子的时候，解决不了Unicode的问题：因为MyCreateProcessA的特殊性，它要求跟原来的函数格式一样，所以只要我一使用WideCharToMultiByte这类的函数，返回值就出错了。而如果完全用Unicode来写这个函数，我又不知道LPSTARTUPINFO的宽字符版本是什么？所以也请高手同样给予指点！（宽字符版本的参数类型是LPCWSTR/LPWSTR和LPSTARTUPINFOW。另外替换函数必须和CreateProcessA/W一样声明为WINAPI（__stdcall）——下面MyCreateProcessA的定义没有写WINAPI，VC默认是__cdecl，两者清理栈的方式不同，返回值出错很可能就源于此。）

 

#pragmacomment(linker,"/BASE:

0xBFF70000")

#include"stdafx.h"

#include"dllin.h"

// Handle of kernel32.dll obtained in DllMain.
HMODULE m_hMod;

// Address of the real kernel32!CreateProcessA, resolved in DllMain. NULL when
// the lookup failed; every patch routine checks it before touching memory.
PROC m_pfnOrig;

// Original first 8 bytes of CreateProcessA, saved before patching so they can
// be written back (WriteBack) or re-applied on top of (Rehook).
BYTE m_btOldBytes[8];

// The 8-byte patch written over the entry: mov eax, imm32 ; jmp eax ; pad.
// NOTE(review): the /BASE:0xBFF70000 pragma at the top of the file asks for a
// base that is kernel space on NT-family Windows, so the loader will relocate
// the DLL; the absolute address baked into this patch then no longer matches.
BYTE m_btNewBytes[8];

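// Remove the inline hook by writing the saved original bytes (m_btOldBytes)
// back over the first 8 bytes of CreateProcessA.
// Returns TRUE on success, FALSE if no hook is installed (m_pfnOrig == NULL) or
// if changing the page protection / writing the bytes failed.
BOOL WriteBack()
{
    if (m_pfnOrig == NULL)
        return FALSE;

    // PAGE_EXECUTE_READWRITE rather than PAGE_READWRITE: this page holds live
    // code and another thread may enter CreateProcessA while we are writing.
    // With DEP on, a non-executable code page would crash that thread.
    // (A thread already executing inside the first 8 bytes during the write
    // is still a hazard; that is inherent to this kind of patch.)
    DWORD dwOldProtect = 0;
    if (!::VirtualProtect((LPVOID)m_pfnOrig, sizeof(m_btOldBytes),
                          PAGE_EXECUTE_READWRITE, &dwOldProtect))
        return FALSE;

    // Write back the original code bytes.
    BOOL ok = ::WriteProcessMemory(::GetCurrentProcess(), (LPVOID)m_pfnOrig,
                                   m_btOldBytes, sizeof(m_btOldBytes), NULL);

    // The original passed 0 for lpflOldProtect here; VirtualProtect rejects a
    // NULL out-pointer, so the protection was never restored. Restore it even
    // when the write failed.
    DWORD dwDummy = 0;
    ::VirtualProtect((LPVOID)m_pfnOrig, sizeof(m_btOldBytes), dwOldProtect, &dwDummy);

    if (ok)
        ::FlushInstructionCache(::GetCurrentProcess(), (LPCVOID)m_pfnOrig,
                                sizeof(m_btOldBytes));

    return ok;
}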

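// DLL entry point.
// DLL_PROCESS_ATTACH: resolve kernel32!CreateProcessA, save its first 8 bytes
//   into m_btOldBytes and overwrite them with a jump to the hook function.
// DLL_PROCESS_DETACH: put the original bytes back (WriteBack).
// Always returns TRUE so the DLL stays loaded; when the hook could not be
// installed, m_pfnOrig is left NULL and WriteBack/Rehook become no-ops.
BOOL APIENTRY DllMain(HANDLE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    // Patch bytes: B8 imm32 = mov eax, 0x100018E0 ; FF E0 = jmp eax (7 bytes,
    // the trailing 0x00 is padding). EAX is caller-saved and carries no
    // argument under stdcall, so clobbering it at the entry is safe.
    // The immediate is the address MyCreateProcessA had in one particular
    // build, which assumes the DLL loads at 0x10000000 - at odds with the
    // /BASE:0xBFF70000 pragma at the top of this file. It should be filled in
    // at runtime from (DWORD)MyCreateProcessA, and MyCreateProcessA itself must
    // use the same calling convention as CreateProcessA (WINAPI/__stdcall);
    // the definition further down is declared without it - confirm.
    static const BYTE btNewBytes[8] = {0xB8, 0xE0, 0x18, 0x00, 0x10, 0xFF, 0xE0, 0x00};
    memcpy(m_btNewBytes, btNewBytes, sizeof(m_btNewBytes));

    if (ul_reason_for_call == DLL_PROCESS_ATTACH) // the DLL is being loaded
    {
        // kernel32.dll is mapped in every Win32 process, so GetModuleHandle is
        // enough; LoadLibrary must not be called from inside DllMain (loader lock).
        m_hMod = ::GetModuleHandleA("kernel32.dll");
        if (m_hMod == NULL)
        {
            m_pfnOrig = NULL;
            return TRUE;
        }

        // Resolve and keep the real CreateProcessA address.
        m_pfnOrig = ::GetProcAddress(m_hMod, "CreateProcessA");
        if (m_pfnOrig == NULL)
            return TRUE;

        // Executable + writable, not just writable: another thread may run
        // CreateProcessA while the page is being patched (see WriteBack).
        DWORD oldProc = 0;
        if (!::VirtualProtect((LPVOID)m_pfnOrig, sizeof(m_btOldBytes),
                              PAGE_EXECUTE_READWRITE, &oldProc))
        {
            m_pfnOrig = NULL; // nothing was patched; disarm WriteBack/Rehook
            return TRUE;
        }

        // Save the original entry bytes, then overwrite them with the jump.
        memcpy(m_btOldBytes, m_pfnOrig, sizeof(m_btOldBytes));
        BOOL ok = ::WriteProcessMemory(::GetCurrentProcess(), (LPVOID)m_pfnOrig,
                                       m_btNewBytes, sizeof(m_btNewBytes), NULL);

        // Restore the previous protection; the original passed 0 as the
        // out-pointer, which makes VirtualProtect fail and leaves the page RW.
        DWORD dummy = 0;
        ::VirtualProtect((LPVOID)m_pfnOrig, sizeof(m_btOldBytes), oldProc, &dummy);

        if (!ok)
            m_pfnOrig = NULL; // nothing was patched; disarm WriteBack/Rehook
        else
            ::FlushInstructionCache(::GetCurrentProcess(), (LPCVOID)m_pfnOrig,
                                    sizeof(m_btNewBytes));
        return TRUE;
    }

    if (ul_reason_for_call == DLL_PROCESS_DETACH) // the DLL is being unloaded
    {
        WriteBack();
        return TRUE;
    }

    return TRUE;
}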

 

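// Re-apply the inline hook: overwrite the first 8 bytes of CreateProcessA with
// m_btNewBytes (the jump to our replacement) after a WriteBack().
// Returns TRUE on success, FALSE if the hook was never set up (m_pfnOrig ==
// NULL) or if changing the page protection / writing the bytes failed.
BOOL Rehook()
{
    if (m_pfnOrig == NULL)
        return FALSE;

    // Keep the page executable while it is writable: another thread may enter
    // CreateProcessA during the patch, and with DEP a PAGE_READWRITE code page
    // would fault it.
    DWORD dwOldProtect = 0;
    if (!::VirtualProtect((LPVOID)m_pfnOrig, sizeof(m_btNewBytes),
                          PAGE_EXECUTE_READWRITE, &dwOldProtect))
        return FALSE;

    // Write the new entry code (mov eax, target ; jmp eax).
    BOOL ok = ::WriteProcessMemory(::GetCurrentProcess(), (LPVOID)m_pfnOrig,
                                   m_btNewBytes, sizeof(m_btNewBytes), NULL);

    // The original passed 0 for lpflOldProtect, which makes VirtualProtect fail
    // and leaves the page writable. Always restore the previous protection.
    DWORD dwDummy = 0;
    ::VirtualProtect((LPVOID)m_pfnOrig, sizeof(m_btNewBytes), dwOldProtect, &dwDummy);

    if (ok)
        ::FlushInstructionCache(::GetCurrentProcess(), (LPCVOID)m_pfnOrig,
                                sizeof(m_btNewBytes));

    return ok;
}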

 

BOOLMyCreateProcessA(

LPCTSTRlpApplicationName,//pointertonameofexecutablemodule

LPTSTRlpCommandLine,//pointertocommandlinestring

LPSECURITY_ATTRIBUTESlpProcessAttributes,//pointertoprocesssecurityattributes

LPSECURITY_ATTRIBUTESlpThreadAttributes,//pointertothreadsecurityattributes

BOOLbInheritHandles,//handleinheritanceflag

DWORDdwCreationFlags,
