
📄 hooki_dll.cpp

#define WIN32_LEAN_AND_MEAN
#include <windows.h>
//#define AH_STATIC_LINKING
#include <ApiHooks.h>

// Forward declaration of the hook table defined further down in this file, so
// that DllMainCommon can pass it to hEstablishApiHooks.
__EXPORT API_HOOK ApiHookChain[];

// Signature of a module entry point (DllMain). Used to call the original entry
// point of a module whose entry point was redirected to DllMainCommon.
typedef BOOL (APIENTRY *TDllMain)(HINSTANCE, DWORD, LPVOID);

// Debug-output routine imported by name with C linkage.
// NOTE(review): callers pass handles/pointers to "%08X", which only matches on
// a 32-bit build - consistent with the x86 inline assembly used in this file.
extern "C" __declspec(dllimport) BOOL DbgPrint(PSTR, ...);


// DllMain of dynamically loaded modules
//
// Shared entry point for every module whose AddressOfEntryPoint was rewritten by
// NewNtMapViewOfSection. The per-module thunk built there executes
// "mov eax, <original entry point or 0>; jmp DllMainCommon", so this function is
// entered with the module's own entry-point arguments on the stack and the
// original entry point in EAX.
//
// On DLL_PROCESS_ATTACH the hook chain is established again before control is
// handed to the original entry point (presumably so the newly mapped module is
// covered as well - confirm against the ApiHooks documentation).
//
// Returns the original entry point's result, or TRUE when the module had none.
BOOL APIENTRY DllMainCommon(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
  TDllMain DllMainNext; 
  // Must remain the first statement: EAX carries the original entry point set by
  // the thunk and is only valid until something overwrites the register.
  // NOTE(review): this depends on the compiler-generated prologue leaving EAX
  // untouched and on MSVC x86 inline assembly; it is not portable to x64.
  _asm mov DllMainNext, eax;

  DbgPrint("DllMainCommon: hDLL=0x%08X, fdwReason=%u, lpvReserved=0x%08X\n", hinstDLL, fdwReason, lpvReserved);

  if(fdwReason == DLL_PROCESS_ATTACH) {
    RCINFO rci = {0};
    // (HANDLE)-1 is the current-process pseudo handle; the return value is ignored,
    // so a failure to establish hooks goes unnoticed here.
    hEstablishApiHooks(&rci, (LPCSTR)ApiHookChain, (HANDLE)-1, 0);
  }

  // Chain to the module's real entry point when the image declared one
  // (the thunk stores 0 when AddressOfEntryPoint was 0).
  if(DllMainNext)
    return(DllMainNext(hinstDLL, fdwReason, lpvReserved));
  else
    return(TRUE);
}

// Function-pointer type matching the parameter list this file uses for
// ntdll!NtMapViewOfSection (32-bit ULONG/PULONG sizes, LONG status return).
typedef LONG (WINAPI *TNtMapViewOfSection)(HANDLE, HANDLE, PVOID, ULONG, ULONG,
             PLARGE_INTEGER, PULONG, DWORD, ULONG, ULONG);

// Receives the address through which the unhooked NtMapViewOfSection can still be
// called; its address is handed to the hooking library in ApiHookChain.
// NOTE(review): stays NULL until the hook is established - NewNtMapViewOfSection
// calls through it without a NULL check.
TNtMapViewOfSection OldNtMapViewOfSection = NULL;

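// Replacement for ntdll!NtMapViewOfSection, installed through ApiHookChain.
//
// The real mapping is always performed first and its status is always returned
// unchanged. When the call succeeded, targets the current process and carries a
// specific argument pattern (see below), the freshly mapped view is inspected as a
// PE image: its AddressOfEntryPoint is rewritten to point at a small heap thunk
// that loads the original entry point into EAX and jumps to DllMainCommon.
//
// Review notes:
//  - The header walk treats the mapped view as untrusted data. The original bound
//    check computed e_lfanew + 0x2C, which can wrap for a crafted e_lfanew and let
//    the code read outside the view; the comparison below is wrap-free.
//  - The thunk is freed again when the entry-point field cannot be made writable
//    (the original leaked it). A thunk that was installed is intentionally never
//    freed, because the patched module may call through it at any time.
//  - The thunk lives in LocalAlloc heap memory that this code never marks
//    executable; with DEP enforced for the process, the redirected entry point is
//    expected to fault rather than run.
//  - After patching, the in-memory AddressOfEntryPoint no longer matches the file
//    on disk and resolves outside the image's own sections, which is what header
//    integrity checks on loaded modules compare against.
//  - Pointers are handled as DWORDs throughout: 32-bit builds only.
LONG WINAPI NewNtMapViewOfSection(HANDLE SectionHandle, HANDLE ProcessHandle,
              PVOID *BaseAddress, ULONG ZeroBits, ULONG CommitSize,
              PLARGE_INTEGER SectionOffset, PULONG ViewSize,
              DWORD InheritDisposition, ULONG AllocationType, ULONG Protect) {

  LONG Result = OldNtMapViewOfSection(SectionHandle, ProcessHandle, BaseAddress, ZeroBits,
                  CommitSize, SectionOffset, ViewSize, InheritDisposition, AllocationType,
                  Protect);

  // Filter: success, current-process pseudo handle, default placement arguments,
  // InheritDisposition 1 and Protect 4 (PAGE_READWRITE).
  // NOTE(review): presumably the pattern the loader uses when mapping a DLL image;
  // this cannot be confirmed from this file.
  if( (Result>=0) && (ProcessHandle == (HANDLE)-1) && (ZeroBits==0) && (CommitSize==0) &&
      (SectionOffset==NULL) && (InheritDisposition == 1) && (AllocationType==0) && (Protect==4)
    ) {
    // 0x40 bytes are needed to read e_lfanew at offset 0x3C of the DOS header.
    if(ViewSize && *ViewSize >= 0x40) {
      DWORD Base = (DWORD)*BaseAddress;
      if(Base && (*(PWORD)Base == IMAGE_DOS_SIGNATURE)) {
        DWORD NtOffset = *(PDWORD)(Base+0x3C);
        // The entry-point field ends at NtOffset+0x2C. Subtracting on the view-size
        // side cannot wrap because *ViewSize >= 0x40 was established above.
        if(NtOffset < *ViewSize - 0x2C) {
          DWORD pPE = Base + NtOffset;
          if(*(PDWORD)pPE == IMAGE_NT_SIGNATURE) {
            // 0x28 = 4 (signature) + 20 (file header) + 16 (AddressOfEntryPoint
            // offset inside the optional header).
            PDWORD pPEentry = (PDWORD)(pPE+0x28);
            DWORD PEentry = *pPEentry;
            if(PEentry)
              PEentry += Base;            // RVA -> absolute address; 0 stays 0
            PBYTE la = (PBYTE)LocalAlloc(LPTR, 16);
            if(la) {
              la[0] = 0xB8;               // mov eax, imm32
              *(PDWORD)&la[1] = PEentry;  //   imm32 = original entry point (or 0)
              la[5] = 0xE9;               // jmp rel32
              // rel32 is relative to the byte following the jmp, i.e. &la[10].
              *(PDWORD)&la[6] = (DWORD)DllMainCommon - (DWORD)&la[10];
              DWORD OldProt;
              if(VirtualProtect(pPEentry, sizeof(DWORD), PAGE_READWRITE, &OldProt)) {
                // Stored as an RVA; relies on 32-bit wraparound when the thunk lies
                // below the image base.
                *pPEentry = (DWORD)la - Base;
                VirtualProtect(pPEentry, sizeof(DWORD), OldProt, &OldProt);
              }
              else {
                // Nothing references the thunk when the header could not be patched.
                LocalFree(la);
              }
            }
          }
        }
      }
    }
  }
  return(Result);
}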

// Hook table handed to hEstablishApiHooks by DllMain and DllMainCommon.
// It contains a single real entry: ntdll.dll!NtMapViewOfSection is redirected to
// NewNtMapViewOfSection, and the address for calling the original is stored in
// OldNtMapViewOfSection.
// NOTE(review): the meaning of HOOKS_DYNAMIC, HOOK_OVERWRITE, the NULL field and
// HOOKS_END is defined by ApiHooks.h, which is not shown here - confirm there.
__EXPORT API_HOOK ApiHookChain[3] = {
  {HOOKS_DYNAMIC},
  {"ntdll.dll", "NtMapViewOfSection", HOOK_OVERWRITE, &OldNtMapViewOfSection, NULL, NewNtMapViewOfSection},
  {HOOKS_END}
};

// Entry point of the hook DLL itself.
//
// Logs every notification. The hook chain is established only for a process
// attach whose lpvReserved is non-NULL, which the DllMain contract defines as a
// static (load-time) attach; per the original author's note, all statically
// loaded modules are mapped and fixed up at that point. Always returns TRUE.
BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
  DbgPrint("HookI_DLL: hDLL=0x%08X, fdwReason=%u, lpvReserved=0x%08X\n", hinstDLL, fdwReason, lpvReserved);

  // Anything other than a static process attach needs no work here.
  if(fdwReason != DLL_PROCESS_ATTACH || lpvReserved == NULL)
    return(TRUE);

  // (HANDLE)-1 is the current-process pseudo handle. The result of
  // hEstablishApiHooks is not inspected, so a failed hook setup is silent.
  RCINFO rci = {0};
  hEstablishApiHooks(&rci, (LPCSTR)ApiHookChain, (HANDLE)-1, 0);
  return(TRUE);
}
