//*********************************************************//
// //
// APIHook32.h 定义了APIHOOK系列函数 //
// //
//*********************************************************//
#include <imagehlp.h>
//*******************************************************************//
// APIHook32.h 存放钩子函数的声明和实现 //
//*******************************************************************//
#include <tlhelp32.h>
// Describes one import-address-table (IAT) redirection: which imported
// function to look for, in which importing module, and what to replace it with.
typedef struct _APIHOOK32_ENTRY
{
// Name of the API being redirected. SetWindowsAPIHook only checks that it is
// non-NULL; nothing in this file resolves the function by name.
LPCTSTR pszAPIName;
// File name of the DLL that exports the API; compared case-insensitively
// against the DLL names in the caller module's import descriptors.
// NOTE(review): declared LPCTSTR but consumed by the ANSI-only lstrcmpiA,
// so it is only usable as-is in a non-UNICODE build.
LPCTSTR pszCalleeModuleName;
// Address the IAT slot currently holds; this is the value searched for.
PROC pfnOriginApiAddress;
// Address written into the matching IAT slot in place of the original.
PROC pfnDummyFuncAddress;
// Module whose import table is patched. When NULL, SetWindowsAPIHook walks
// every module in its module snapshot instead.
HMODULE hModCallerModule;
}APIHOOK32_ENTRY, *PAPIHOOK32_ENTRY;
//APIHOOK32_ENTRY MyAPIHook;
// Redirects one imported function in a single module by overwriting its
// import-address-table (IAT) slot.
//
// phk->hModCallerModule   module whose import table is walked
// phk->pszCalleeModuleName DLL name to find among the import descriptors
// phk->pfnOriginApiAddress slot value to look for
// phk->pfnDummyFuncAddress value stored into the first matching slot
//
// Returns nothing: a missing import directory, an unmatched DLL, an unmatched
// function and a failed write are all indistinguishable to the caller.
// Only the first import descriptor whose name matches is examined.
//
// A slot rewritten here no longer points into the exporting DLL, which is the
// property IAT-integrity checks compare against.
void _SetApiHookUp(PAPIHOOK32_ENTRY phk)
{
    PBYTE pbModuleBase = (PBYTE)phk->hModCallerModule;
    ULONG cbImportDir;

    // Locate the import directory of the mapped image (TRUE = mapped as image).
    PIMAGE_IMPORT_DESCRIPTOR pDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(
        phk->hModCallerModule, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &cbImportDir);
    if (pDesc == NULL)
        return;

    // Walk the descriptor array (terminated by Name == 0) until the wanted DLL.
    // NOTE(review): pszCalleeModuleName is LPCTSTR but lstrcmpiA is ANSI-only;
    // this comparison is only meaningful in a non-UNICODE build.
    while (pDesc->Name != 0)
    {
        LPSTR pszImportedDll = (LPSTR)(pbModuleBase + pDesc->Name);
        if (lstrcmpiA(pszImportedDll, phk->pszCalleeModuleName) == 0)
            break;
        ++pDesc;
    }
    if (pDesc->Name == 0)
        return;     // this module does not import from the wanted DLL

    // Scan that DLL's IAT (FirstThunk) for a slot holding the original address.
    PIMAGE_THUNK_DATA pSlot = (PIMAGE_THUNK_DATA)(pbModuleBase + pDesc->FirstThunk);
    while (pSlot->u1.Function != 0)
    {
        PROC *ppfnSlot = (PROC *)&pSlot->u1.Function;
        if (*ppfnSlot != phk->pfnOriginApiAddress)
        {
            ++pSlot;
            continue;
        }

        // Match: store the replacement address into the slot.
        // NOTE(review): the WriteProcessMemory result is discarded, so a failed
        // write (e.g. a protected page) goes unnoticed.
        WriteProcessMemory(GetCurrentProcess(), ppfnSlot,
                           &(phk->pfnDummyFuncAddress),
                           sizeof(phk->pfnDummyFuncAddress), NULL);
        return;
    }
}
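//***************************************************************************************//
// SetWindowsAPIHook - redirect one imported API via the import address table.
//
// phk->hModCallerModule != NULL : patch that single module.
// phk->hModCallerModule == NULL : patch every module in a Toolhelp module
//     snapshot of the CURRENT process (process id 0), skipping the module that
//     contains _SetApiHookUp itself. This is process-wide, not system-wide.
//
// Returns FALSE when phk or any required field is NULL, or when the module
// that contains this code / the module snapshot cannot be obtained.
// Returns TRUE otherwise; TRUE does not mean a slot was actually rewritten,
// because _SetApiHookUp reports nothing.
//
// Modeled on SetWindowsHookEx.
//***************************************************************************************//
BOOL SetWindowsAPIHook(PAPIHOOK32_ENTRY phk)
{
    if (phk == NULL)
        return FALSE;
    if (phk->pszAPIName == NULL || phk->pszCalleeModuleName == NULL)
        return FALSE;
    // A NULL replacement would be written into the IAT and crash the next
    // caller of the API, so reject it along with a NULL original address.
    if (phk->pfnOriginApiAddress == NULL || phk->pfnDummyFuncAddress == NULL)
        return FALSE;

    // Single-module request.
    if (phk->hModCallerModule != NULL)
    {
        _SetApiHookUp(phk);
        return TRUE;
    }

    // Find the module that hosts this code so it can be left unpatched.
    MEMORY_BASIC_INFORMATION mInfo;
    if (VirtualQuery((LPCVOID)_SetApiHookUp, &mInfo, sizeof(mInfo)) == 0)
        return FALSE;   // mInfo would be uninitialized
    HMODULE hModHookDLL = (HMODULE)mInfo.AllocationBase;

    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return FALSE;

    MODULEENTRY32 me = {sizeof(MODULEENTRY32)};
    BOOL bOk = Module32First(hSnapshot, &me);
    while (bOk)
    {
        if (me.hModule != hModHookDLL)
        {
            phk->hModCallerModule = me.hModule;
            _SetApiHookUp(phk);
        }
        bOk = Module32Next(hSnapshot, &me);
    }

    // The snapshot handle was previously leaked on every call.
    CloseHandle(hSnapshot);

    // Restore the caller's "all modules" request. Leaving the last enumerated
    // module here made a later UnhookWindowsAPIHooks restore only that one
    // module and leave every other IAT still redirected.
    phk->hModCallerModule = NULL;
    return TRUE;
}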
// Applies the redirection described by hk to the single module hMod.
// hk is taken by value, so the caller's entry (including its
// hModCallerModule) is left untouched.
void SetMyHooksHere(APIHOOK32_ENTRY hk,HMODULE hMod)
{
    PAPIHOOK32_ENTRY pLocalEntry = &hk;
    pLocalEntry->hModCallerModule = hMod;
    _SetApiHookUp(pLocalEntry);
}
// Wrapper around LoadLibraryA that returns whatever LoadLibraryA returns.
// The step that would re-apply the hook to the newly loaded module
// (SetMyHooksHere(MyAPIHook, hMod)) is commented out in this file, so the
// function is currently a plain pass-through.
HINSTANCE MyLoadLibraryA(LPCSTR lpLibFileName)
{
    HMODULE hLoaded = LoadLibraryA(lpLibFileName);
    if (hLoaded == NULL)
        return hLoaded;

    // disabled: SetMyHooksHere(MyAPIHook,hLoaded);
    return hLoaded;
}
// Wrapper around LoadLibraryExW that returns whatever LoadLibraryExW returns.
// Modules loaded with LOAD_LIBRARY_AS_DATAFILE are excluded from the hook
// step; that step (SetMyHooksHere(MyAPIHook, hMod)) is commented out in this
// file, so the function is currently a plain pass-through.
HINSTANCE MyLoadLibraryExW(LPCWSTR lpLibFileName,HANDLE hFile,DWORD dwFlags)
{
    HMODULE hLoaded = LoadLibraryExW(lpLibFileName, hFile, dwFlags);
    const BOOL fLoadedAsData = (dwFlags & LOAD_LIBRARY_AS_DATAFILE) != 0;

    if (hLoaded != NULL && !fLoadedAsData)
    {
        // disabled: SetMyHooksHere(MyAPIHook,hLoaded);
    }
    return hLoaded;
}
// Reverses a redirection by exchanging the original and replacement addresses
// in hk and running SetWindowsAPIHook on the result, so slots holding the
// replacement are rewritten back to the original.
//
// hk is taken by reference and stays swapped after the call; calling this a
// second time on the same entry swaps the addresses back again.
// Which modules are restored depends on hk.hModCallerModule at call time.
BOOL UnhookWindowsAPIHooks(APIHOOK32_ENTRY & hk)
{
    const PROC pfnInstalled = hk.pfnDummyFuncAddress;

    hk.pfnDummyFuncAddress = hk.pfnOriginApiAddress;
    hk.pfnOriginApiAddress = pfnInstalled;

    return SetWindowsAPIHook(&hk);
}