#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <shlwapi.h>
#include <ddraw.h>
#include "testdll.h"
#include "..\apihijack.h"
#include <stdio.h>
#include <tchar.h>
#include <io.h>
//#include "apihook32.h"
#include "hookapi.h"
// Hook descriptor handed to HookWin32Api()/RestoreWin32Api() (see hookapi.h).
// Positional aggregate initialization of a project struct whose field layout is
// not visible in this file.
// NOTE(review): the per-field meanings below are inferred from the values;
// confirm them against the APIHOOKSTRUCT definition in hookapi.h.
APIHOOKSTRUCT g_DeviceIoControlHook = {
    "kernel32.dll",                              // module that exports the API being hooked
    "DeviceIoControl",                           // name of the exported API
    0,
    NULL,
    {0, 0, 0, 0, 0, 0, 0},
    NULL,
    "MyDeviceIoControl",                         // replacement function defined later in this file
    NULL,
    {0, 0, 0, 0, 0, 0, 0},
    0,
    {0XFF, 0X15, 0XFA, 0X13, 0XF3, 0XBF, 0X33}   // presumably a 7-byte patch template used by the hooking code — verify in hookapi.h
};
//APIHOOK32_ENTRY hkA,hkW;
// This segment must be defined as SHARED in the .DEF so that every process the
// CBT hook is loaded into sees the same hook handle and config path.
#pragma data_seg (".HookSection")
// Shared instance for all processes.
HHOOK hHook = NULL;                    // set by InstallHook(), passed to CallNextHookEx()/UnhookWindowsHookEx()
TCHAR g_szConfigFile[MAX_PATH] = {0};  // INI path written by InstallHook(), read by MyDeviceIoControl()
// NOTE(review): a shared writable section is visible to every process that
// loads this DLL, so values read from it should be treated as untrusted input.
TCHAR SIGN[] = _T("作者:吉林大学 王长春 Lingtu.Inc boyachang@sina.com");  // author signature; not referenced elsewhere in this file
#pragma data_seg ()
HINSTANCE hDLL;  // this DLL's module handle, captured in DllMain and used by InstallHook()
// Function pointer types.
// Matches the kernel32 DeviceIoControl signature. Not used by the live code in
// this file; its only reference is in commented-out code.
typedef BOOL (WINAPI *DeviceIoControlFunc)( HANDLE hDevice, DWORD dwIoControlCode, LPVOID lpInBuffer, DWORD nInBufferSize, LPVOID lpOutBuffer, DWORD nOutBufferSize, LPDWORD lpBytesReturned, LPOVERLAPPED lpOverlapped);
// Hook function.
// IOCTL code compared against dwIoControlCode in MyDeviceIoControl(). The value
// is the one winioctl.h assigns to SMART_RCV_DRIVE_DATA; the only visible use
// here is an empty if-block.
#define DFP_RECEIVE_DRIVE_DATA 0x0007c088
// The two packed structs below mirror the SMART output layouts declared in
// winioctl.h. Neither is referenced by the code in this file.
#pragma pack(1)
typedef struct _DRIVERSTATUS {
    BYTE bDriverError;   // Error code from driver, or 0 if no error.
    BYTE bIDEError;      // Contents of IDE Error register.
                         // Only valid when bDriverError is SMART_IDE_ERROR.
    BYTE bReserved[2];   // Reserved for future expansion.
    DWORD dwReserved[2]; // Reserved for future expansion.
} DRIVERSTATUS, *PDRIVERSTATUS, *LPDRIVERSTATUS;
#pragma pack()
#pragma pack(1)
typedef struct _SENDCMDOUTPARAMS {
    DWORD cBufferSize;         // Size of bBuffer in bytes
    DRIVERSTATUS DriverStatus; // Driver status structure.
    BYTE bBuffer[1];           // Buffer of arbitrary length in which to store the data read from the drive.
} SENDCMDOUTPARAMS, *PSENDCMDOUTPARAMS, *LPSENDCMDOUTPARAMS;
#pragma pack()
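// Upper bound on the number of index entries accepted from a record file. The
// count is read from the file itself, so it must not be used as an allocation
// size without a limit.
enum { MAX_INDEX_ENTRIES = 1 << 20 };

// Locate dwIoControlCode in the index table at the head of a record file.
//
// File layout (as read and written in this file): an int entry count, then that
// many int IOCTL codes, then the records themselves.
//
// Parameters:
//   fp              - stream positioned at the start of the file; may be NULL.
//   dwIoControlCode - code to look for.
// Returns the zero-based position of the code in the table and leaves the
// stream positioned on the first byte after the table. Returns -1 when the
// code is absent, the stream is NULL, the table is truncated, or the stored
// count is non-positive or above MAX_INDEX_ENTRIES; the stream position is
// then unspecified.
int SearchIndex( FILE* fp, int dwIoControlCode )
{
    if ( fp == NULL )
    {
        return -1;
    }
    int nIndexCount = 0;
    if ( fread( &nIndexCount, sizeof(int), 1, fp ) != 1 )
    {
        return -1;
    }
    // A negative count would become a huge size in new[]; the upper bound keeps a
    // corrupt or hostile file from forcing a very large allocation.
    if ( nIndexCount <= 0 || nIndexCount > MAX_INDEX_ENTRIES )
    {
        return -1;
    }
    int* pIndex = new int[nIndexCount];
    if ( pIndex == NULL )
    {
        return -1;   // only reachable with a non-throwing operator new
    }
    int nFound = -1;
    // Only search a table that was read in full; a short read means a truncated file.
    if ( fread( pIndex, sizeof(int), (size_t)nIndexCount, fp ) == (size_t)nIndexCount )
    {
        for ( int i = 0; i < nIndexCount; i++ )
        {
            if ( pIndex[i] == dwIoControlCode )
            {
                nFound = i;
                break;
            }
        }
    }
    delete []pIndex;
    if ( nFound != -1 )
    {
        // Park the stream right after the table: count plus nIndexCount entries.
        if ( fseek( fp, (long)( sizeof(int) * ( (size_t)nIndexCount + 1 ) ), SEEK_SET ) != 0 )
        {
            return -1;
        }
    }
    return nFound;
}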
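// Hook function.

// Marker written in front of every recorded output buffer in the record file.
#define RECORD_SEPARATOR 0xcccc

// Skip one "<separator><length><payload>" record at the current stream position.
// Returns FALSE if the record header cannot be read or the stored length is negative.
static BOOL SkipRecord( FILE* fp )
{
    DWORD dwSeparator = 0;
    int nCount = 0;
    if ( fread( &dwSeparator, sizeof(int), 1, fp ) != 1 ||
         fread( &nCount, sizeof(int), 1, fp ) != 1 ||
         nCount < 0 )
    {
        return FALSE;
    }
    return fseek( fp, nCount, SEEK_CUR ) == 0;
}

// Read the [Config] "File" entry into szSaveFile (MAX_PATH TCHARs). A name that
// does not start with "<drive>:" is resolved against the directory that holds
// the config file, as the original code did.
// Returns FALSE when the entry is empty, the config path has no directory part,
// or the combined path would not fit in MAX_PATH.
static BOOL ResolveSaveFile( TCHAR szSaveFile[MAX_PATH] )
{
    GetPrivateProfileString( _T("Config"), _T("File"), _T(""), szSaveFile, MAX_PATH, g_szConfigFile );
    if ( szSaveFile[0] == _T('\0') )
    {
        return FALSE;   // nothing configured; the old code would have tried to open the config directory
    }
    if ( szSaveFile[1] == _T(':') )
    {
        return TRUE;    // already absolute
    }
    TCHAR szBasePath[MAX_PATH];
    _tcscpy( szBasePath, g_szConfigFile );   // same size as the source, cannot overflow
    LPTSTR lpszPathEnd = _tcsrchr( szBasePath, _T('\\') );
    if ( lpszPathEnd == NULL )
    {
        return FALSE;   // no directory component to resolve against (old code dereferenced NULL here)
    }
    lpszPathEnd[1] = _T('\0');
    if ( _tcslen( szBasePath ) + _tcslen( szSaveFile ) >= MAX_PATH )
    {
        return FALSE;   // concatenation would overflow the caller's buffer
    }
    _tcscat( szBasePath, szSaveFile );
    _tcscpy( szSaveFile, szBasePath );
    return TRUE;
}

// "simulate" mode: if the record file holds an entry for dwIoControlCode, copy
// its payload over the caller's output buffer, never more than the smaller of
// the record length and nOutBufferSize. Does nothing when the file, the entry or
// the output buffer is missing.
static void SimulateFromFile( LPCTSTR szSaveFile, DWORD dwIoControlCode, LPVOID lpOutBuffer, DWORD nOutBufferSize )
{
    if ( lpOutBuffer == NULL || nOutBufferSize == 0 )
    {
        return;
    }
    FILE* fp = _tfopen( szSaveFile, _T("rb") );
    if ( fp == NULL )
    {
        return;
    }
    int i = SearchIndex( fp, (int)dwIoControlCode );
    if ( i != -1 )
    {
        BOOL bOk = TRUE;
        for ( int j = 0; j < i && bOk; j++ )
        {
            bOk = SkipRecord( fp );
        }
        DWORD dwSeparator = 0;
        int nCount = 0;
        if ( bOk &&
             fread( &dwSeparator, sizeof(int), 1, fp ) == 1 &&
             fread( &nCount, sizeof(int), 1, fp ) == 1 &&
             nCount > 0 )
        {
            // Bound by the record length so a short record does not pull the next
            // record's header into the caller's buffer.
            size_t cb = ( (DWORD)nCount < nOutBufferSize ) ? (size_t)nCount : (size_t)nOutBufferSize;
            fread( lpOutBuffer, 1, cb, fp );
        }
    }
    fclose( fp );
}

// "spydata" mode: add a record for dwIoControlCode holding the caller's output
// buffer. An existing entry for the same code is left untouched. A missing or
// empty record file is created with this single entry; otherwise the file is
// rewritten with the index table extended by one code and the new record
// appended after the existing ones.
static void SpyToFile( LPCTSTR szSaveFile, DWORD dwIoControlCode, LPVOID lpOutBuffer, DWORD nOutBufferSize )
{
    if ( lpOutBuffer == NULL )
    {
        return;   // nothing to record; also avoids handing NULL to fwrite
    }
    DWORD dwSeparator = RECORD_SEPARATOR;
    FILE* fp = _tfopen( szSaveFile, _T("rb") );
    if ( fp != NULL && filelength( fileno( fp ) ) <= 0 )
    {
        fclose( fp );   // an empty file is treated like a missing one
        fp = NULL;
    }
    if ( fp != NULL )
    {
        if ( SearchIndex( fp, (int)dwIoControlCode ) != -1 )
        {
            fclose( fp );
            return;   // already recorded
        }
        int* pIndex = NULL;
        BYTE* pBuff = NULL;
        int nIndexCount = 0;
        int nLen = 0;
        BOOL bLoaded = FALSE;
        long nFileLength = filelength( fileno( fp ) );
        // The table must fit inside the file; this also bounds the allocations
        // below by the file size instead of by a count the file itself supplies.
        if ( fseek( fp, 0, SEEK_SET ) == 0 &&
             fread( &nIndexCount, sizeof(int), 1, fp ) == 1 &&
             nIndexCount >= 0 &&
             nIndexCount <= nFileLength / (long)sizeof(int) - 1 )
        {
            nLen = (int)( nFileLength - (long)( sizeof(int) * ( (size_t)nIndexCount + 1 ) ) );  // bytes of existing records
            pIndex = new int[nIndexCount + 1];
            pBuff = new BYTE[(size_t)nLen + 1];
            if ( pIndex != NULL && pBuff != NULL &&
                 fread( pIndex, sizeof(int), (size_t)nIndexCount, fp ) == (size_t)nIndexCount &&
                 fread( pBuff, sizeof(BYTE), (size_t)nLen, fp ) == (size_t)nLen )
            {
                pIndex[nIndexCount] = (int)dwIoControlCode;
                ++nIndexCount;
                bLoaded = TRUE;
            }
        }
        fclose( fp );
        if ( bLoaded )
        {
            fp = _tfopen( szSaveFile, _T("wb") );
            if ( fp != NULL )
            {
                fwrite( &nIndexCount, sizeof(int), 1, fp );
                fwrite( pIndex, sizeof(int), (size_t)nIndexCount, fp );
                fwrite( pBuff, sizeof(BYTE), (size_t)nLen, fp );
                fwrite( &dwSeparator, sizeof(int), 1, fp );
                fwrite( &nOutBufferSize, sizeof(int), 1, fp );
                fwrite( lpOutBuffer, 1, nOutBufferSize, fp );
                fclose( fp );
            }
        }
        delete []pIndex;   // the old code leaked both buffers
        delete []pBuff;
        return;
    }
    // No usable record file yet: create one with a single entry.
    fp = _tfopen( szSaveFile, _T("wb") );
    if ( fp != NULL )
    {
        int nIndexCount = 1;
        fwrite( &nIndexCount, sizeof(int), 1, fp );
        fwrite( &dwIoControlCode, sizeof(int), 1, fp );
        fwrite( &dwSeparator, sizeof(int), 1, fp );
        fwrite( &nOutBufferSize, sizeof(int), 1, fp );
        fwrite( lpOutBuffer, 1, nOutBufferSize, fp );
        fclose( fp );
    }
}

// Replacement for kernel32!DeviceIoControl installed by DllMain.
// The real API is always called first. Afterwards the [Config] "Action" entry of
// g_szConfigFile decides what happens to the output buffer: "simulate" overwrites
// it from the record file, "spydata" records it, anything else leaves it alone.
// The real call's return value and lpBytesReturned are passed through unchanged.
// NOTE(review): with a non-NULL lpOverlapped the operation may still be pending
// when this runs, so the buffer contents recorded or replaced here are not
// reliable in that case; the original code did not distinguish it either.
BOOL WINAPI MyDeviceIoControl(
    HANDLE hDevice,           // handle to device of interest
    DWORD dwIoControlCode,    // control code of operation to perform
    LPVOID lpInBuffer,        // pointer to buffer to supply input data
    DWORD nInBufferSize,      // size of input buffer
    LPVOID lpOutBuffer,       // pointer to buffer to receive output data
    DWORD nOutBufferSize,     // size of output buffer
    LPDWORD lpBytesReturned,  // pointer to variable to receive output byte count
    LPOVERLAPPED lpOverlapped // pointer to overlapped structure for asynchronous operation
    )
{
    // Temporarily remove the patch so the call reaches the real export, then re-apply it.
    RestoreWin32Api(&g_DeviceIoControlHook, HOOK_NEED_CHECK);
    BOOL ret = DeviceIoControl( hDevice, dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer,
                                nOutBufferSize, lpBytesReturned, lpOverlapped );
    HookWin32Api(&g_DeviceIoControlHook, HOOK_NEED_CHECK);

    TCHAR buff[256];
    GetPrivateProfileString( _T("Config"), _T("Action"), _T(""), buff, 256, g_szConfigFile );
    BOOL bSimulate = ( _tcscmp( buff, _T("simulate") ) == 0 );
    BOOL bSpy = ( _tcscmp( buff, _T("spydata") ) == 0 );
    if ( bSimulate || bSpy )
    {
        TCHAR szSaveFile[MAX_PATH];
        if ( ResolveSaveFile( szSaveFile ) )
        {
            if ( bSimulate )
            {
                SimulateFromFile( szSaveFile, dwIoControlCode, lpOutBuffer, nOutBufferSize );
            }
            else
            {
                SpyToFile( szSaveFile, dwIoControlCode, lpOutBuffer, nOutBufferSize );
            }
        }
    }
    if ( DFP_RECEIVE_DRIVE_DATA == dwIoControlCode )
    {
        // Intentionally empty, kept from the original: no extra handling for SMART reads.
    }
    return ret;
}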
// CBT Hook-style injection.
// DLL entry point. On process attach it remembers the module handle and patches
// DeviceIoControl through the project's hooking helpers; on process detach it
// restores the original bytes. Thread notifications are ignored and the loader
// is always told the call succeeded.
BOOL APIENTRY DllMain( HINSTANCE hModule, DWORD fdwReason, LPVOID lpReserved )
{
    (void)lpReserved;   // unused
    if ( fdwReason == DLL_PROCESS_ATTACH )
    {
        hDLL = hModule;
        g_DeviceIoControlHook.hInst = hModule;
        HookWin32Api(&g_DeviceIoControlHook, HOOK_CAN_WRITE);
    }
    else if ( fdwReason == DLL_PROCESS_DETACH )
    {
        hDLL = NULL;
        RestoreWin32Api(&g_DeviceIoControlHook, HOOK_NEED_CHECK);
    }
    return TRUE;
}
// CBT hook procedure. It does no work of its own: the hook exists so that the
// system maps this DLL into other processes, where DllMain installs the API
// patch. Every event is simply forwarded to the next hook in the chain.
TESTDLL_API LRESULT CALLBACK HookProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    LRESULT lResult = CallNextHookEx( hHook, nCode, wParam, lParam);
    return lResult;
}
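// Store the config-file path in the shared section and install the global CBT
// hook (thread id 0) that causes this DLL to be loaded into other processes.
// lpszFile: path of the INI file. NULL is ignored. A path longer than MAX_PATH-1
// characters is truncated rather than overrunning g_szConfigFile as the old
// unbounded _tcscpy did.
// NOTE(review): the SetWindowsHookEx result is not reported to the caller, and
// calling this twice overwrites hHook without unhooking the first hook.
TESTDLL_API void InstallHook(LPCTSTR lpszFile)
{
    if ( lpszFile == NULL )
    {
        return;
    }
    // lstrcpyn always NUL-terminates within the given buffer size.
    lstrcpyn( g_szConfigFile, lpszFile, MAX_PATH );
    hHook = SetWindowsHookEx( WH_CBT, HookProc, hDLL, 0 );
}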
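// Remove the global CBT hook installed by InstallHook().
// Safe to call when no hook is installed or more than once: UnhookWindowsHookEx
// is only invoked for a non-NULL handle, and the shared handle is cleared so a
// later call does not try to unhook a handle that is already gone.
TESTDLL_API void RemoveHook()
{
    if ( hHook != NULL )
    {
        UnhookWindowsHookEx( hHook );
        hHook = NULL;
    }
}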