


      64位Windows 7 系統 HookApi編程實例




      本程序HOOK的API是DispatchMessageA和DispatchMessageW。在HOOK的方法內會還原ESP,調用user32.DispatchMessage(A或W)之后再修改ESP,實現的功能是記錄消息的詳細日志,記錄哪個窗口處理過哪些消息。

      1、新建一個win32 console項目,取名為DoInjection,新建一個DoInjectionMain.h,代碼如下:
      // Prototypes and types for the DoInjection console program (DoInjectionMain.c).
      // SetPrivilege: enable (bEnablePrivilege=TRUE) or disable a named privilege on the current process token.
      BOOL SetPrivilege(LPCTSTR lPSzPrivilege, BOOL bEnablePrivilege);
      // IsVistaOrLater: TRUE when GetVersionEx reports dwMajorVersion >= 6.
      BOOL IsVistaOrLater();
      // InjectProcess: find a running process named pcProsessName and load pcDllName into it.
      BOOL InjectProcess();
      // InjectCreateProcess: start pcProsessName, wait 30 seconds, then load pcDllName into it.
      BOOL InjectCreateProcess();
      // HookGetMessage: empty stub, nothing is installed.
      void HookGetMessage();
      // InjectCreateThread: run pThreadProc(pRemoteBuf) inside hProcess (NtCreateThreadEx on Vista+,
      // CreateRemoteThread otherwise) and block until that thread exits.
      BOOL InjectCreateThread(HANDLE hProcess, LPTHREAD_START_ROUTINE pThreadProc, LPVOID pRemoteBuf);
      // MsicCreateRemoteThread: CreateRemoteThread wrapper that first toggles an undocumented byte inside
      // kernel32/KernelBase on Vista/Win7; returns the new thread handle, or NULL on any failure.
      HANDLE MsicCreateRemoteThread(HANDLE hProcess,LPTHREAD_START_ROUTINE lpStartAddress,LPVOID lpParameter);

      // Signature of the undocumented KernelBase.dll export KernelBaseGetGlobalData (used by MsicCreateRemoteThread).
      typedef void*(__stdcall*LPFN_KernelBaseGetGlobalData)(void);
      // Caller-side guess at the signature of the undocumented ntdll!NtCreateThreadEx.
      // NOTE(review): this is not a public contract; the real function returns an NTSTATUS (declared DWORD here)
      // and the trailing parameters' meaning is not documented — the caller passes NULL/0 for all of them.
      typedef DWORD (WINAPI *PFNTCREATETHREADEX)
      (
      PHANDLE ThreadHandle,
      ACCESS_MASK DesiredAccess,
      LPVOID ObjectAttributes,
      HANDLE ProcessHandle,
      LPTHREAD_START_ROUTINE lpStartAddress,
      LPVOID lpParameter,
      BOOL CreateSuspended,
      DWORD dwStackSize,
      DWORD dw1,
      DWORD dw2,
      LPVOID Unknown
      ); 

      2、新建一個DoInjectionMain.c(不是CPP),代碼如下:
      #include <windows.h>
      #include <stdio.h>
      #include <tlhelp32.h>
      #include <tchar.h>
      #include "DoInjection.h"

      #pragma comment(lib,"th32.lib")
      #pragma comment(lib,"Advapi32.lib")

      // This path is resolved relative to the TARGET process, not to this program: the string is handed to
      // LoadLibraryA running inside the target. Use an absolute path, or a path relative to the target's
      // working directory; a path relative to this program would make the target fail to find the DLL.
      // NOTE(review): step 1 of the article names the header DoInjectionMain.h, but the #include above
      // says "DoInjection.h" — confirm which file name the project actually uses.
      const char *pcDllName="MfcHookApi.dll"; // path of the DLL to load into the target
      // Process-wide state shared by InjectProcess/InjectCreateProcess; nothing resets these between calls,
      // so a failed lookup leaves the previous values in place (hRemoteProcess32 is 0 only on first use).
      HANDLE hSnap=0,hThreadHandle=0,hRemoteProcess32=0,hTokenHandle=0;
      PROCESSENTRY32 procEntry32;
      BOOL bNext=FALSE,bWrittenResult=FALSE;
      TOKEN_PRIVILEGES tokenPower;   // unused here; SetPrivilege uses its own locals
      LUID luidPower;                // unused here; SetPrivilege uses its own locals
      LPVOID pRemoteBuf=NULL;        // address of the DLL-name buffer inside the target process
      FARPROC fnDllKernel32;         // kernel32!LoadLibraryA as resolved in THIS process (see InjectProcess)
      size_t sizeWritten=0;          // bytes reported written by WriteProcessMemory
      DWORD dwThreadId=0;            // id of the last thread created by MsicCreateRemoteThread; never reset

      // Name of the process to inject into (compared case-insensitively against szExeFile).
      char* pcProsessName="DoWin32test.exe";

      // Entry point: print the OS version, try to enable SE_DEBUG_NAME on our token, start the target
      // process and inject the DLL, then wait for a key press so the console stays open.
      // NOTE(review): the results of IsVistaOrLater() and SetPrivilege() are discarded; enabling
      // SE_DEBUG_NAME only succeeds when the token already holds that privilege (typically an
      // elevated administrator), and injection proceeds regardless.
      int main()
      {
      IsVistaOrLater();
      SetPrivilege(SE_DEBUG_NAME,TRUE);
      //InjectProcess();
      InjectCreateProcess();
      getchar();
      return 0;
      }

      // Enable or disable one privilege on the current process token.
      //   lpszPrivilege     privilege name (e.g. SE_DEBUG_NAME) looked up with LookupPrivilegeValue
      //   bEnablePrivilege  TRUE -> SE_PRIVILEGE_ENABLED, FALSE -> attribute 0 (disabled)
      // Returns TRUE on success, FALSE on any API failure or when the token does not hold the privilege.
      // NOTE(review): hToken is never closed on any path — the token handle leaks once per call.
      // NOTE(review): the format strings are narrow literals passed to _tprintf; this only matches in a
      // non-UNICODE build (the rest of this file is written for the ANSI API set as well).
      BOOL SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
      {
      TOKEN_PRIVILEGES tp;
      HANDLE hToken;
      LUID luid;
      if( !OpenProcessToken(GetCurrentProcess(),
      TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
      &hToken) )
      {
      _tprintf("OpenProcessToken error: %u\r\n", GetLastError());
      return FALSE;
      }
      if( !LookupPrivilegeValue(NULL,
      lpszPrivilege,
      &luid) )
      {
      _tprintf("LookupPrivilegeValue error: %u\r\n", GetLastError() );
      return FALSE;
      }
      tp.PrivilegeCount = 1;
      tp.Privileges[0].Luid = luid;
      if( bEnablePrivilege )
      tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
      else
      tp.Privileges[0].Attributes = 0;
      if( !AdjustTokenPrivileges(hToken,
      FALSE,
      &tp,
      sizeof(TOKEN_PRIVILEGES),
      (PTOKEN_PRIVILEGES) NULL,
      (PDWORD) NULL) )
      {
      _tprintf("AdjustTokenPrivileges error: %u\r\n", GetLastError() );
      return FALSE;
      }
      // AdjustTokenPrivileges can return TRUE and still not assign anything; that case is only
      // visible through GetLastError(), hence the explicit check here.
      if( GetLastError() == ERROR_NOT_ALL_ASSIGNED )
      {
      _tprintf("The token does not have the specified privilege. \r\n");
      return FALSE;
      }
      return TRUE;
      }

      // Query the OS version, print it, and report whether the major version is 6 or higher
      // (Vista / Server 2008 and later). Returns TRUE or FALSE.
      // The GetVersionEx result is not checked; on failure the zero-initialised fields are printed
      // and FALSE is returned. GetVersionEx is deprecated and, without a compatibility manifest,
      // reports at most 6.2 on newer systems.
      BOOL IsVistaOrLater()
      {
          OSVERSIONINFO verInfo = {0};
          verInfo.dwOSVersionInfoSize = sizeof(verInfo);
          GetVersionEx(&verInfo);
          printf("network terminal v%ld.%ld,%s,platform:%ld,build number:%ld\r\n",
                 verInfo.dwMajorVersion, verInfo.dwMinorVersion, verInfo.szCSDVersion,
                 verInfo.dwPlatformId, verInfo.dwBuildNumber);
          return (verInfo.dwMajorVersion >= 6) ? TRUE : FALSE;
      }

      // Locate a running process by name and load pcDllName into it. Always returns TRUE.
      // Sequence: Toolhelp snapshot -> OpenProcess -> VirtualAllocEx -> WriteProcessMemory(DLL name)
      // -> remote thread on kernel32!LoadLibraryA -> VirtualFreeEx -> CloseHandle.
      // NOTE(review): nothing is checked except WriteProcessMemory. If no process matches, or
      // OpenProcess fails, hRemoteProcess32 is 0/NULL (or stale from an earlier call) and every
      // following call runs against an invalid handle; the function still returns TRUE.
      BOOL InjectProcess()
      {
      procEntry32.dwSize = sizeof(PROCESSENTRY32);
      hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
      bNext=Process32First(hSnap, &procEntry32);
      while(bNext)
      {
      // First case-insensitive match on the executable name wins. stricmp is the old non-ANSI
      // spelling MSVC reports as deprecated (_stricmp); behaviour is the same.
      if(!stricmp(procEntry32.szExeFile,pcProsessName)) //--->>
      {
      hRemoteProcess32=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_WRITE|PROCESS_VM_OPERATION,1,procEntry32.th32ProcessID);
      break;
      }
      bNext=Process32Next(hSnap, &procEntry32);
      }
      CloseHandle(hSnap);
      // The buffer is strlen() bytes, i.e. without the terminating NUL.
      pRemoteBuf=VirtualAllocEx(hRemoteProcess32,NULL,strlen(pcDllName),MEM_COMMIT,PAGE_READWRITE);
      // NOTE(review): the last parameter of WriteProcessMemory is SIZE_T*; casting a size_t* to ULONG*
      // is only width-correct on 32-bit — confirm for a 64-bit build.
      bWrittenResult=WriteProcessMemory(hRemoteProcess32,pRemoteBuf,pcDllName,strlen(pcDllName),(ULONG*)&sizeWritten);
      if (bWrittenResult)
      {
      // NOTE(review): %ld is given a size_t and %16X a pointer; both are mismatched specifiers and
      // the pointer is truncated on 64-bit.
      printf("InjectCreate()-->WriteProcessMemory() Success,written size:%ld,buffer address:%16X\r\n",sizeWritten,pRemoteBuf);
      }
      else
      {
      printf("InjectCreate()-->WriteProcessMemory() Error:%ld\r\n",GetLastError());
      }
      // LoadLibraryA is resolved in THIS process; the address is assumed to be identical in the target.
      fnDllKernel32=GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");

      //hThreadHandle=CreateRemoteThread(hRemoteProcess32,NULL,0,(LPTHREAD_START_ROUTINE)fnDllKernel32,pAllocMemory,0,&dwThreadId);
      //if (hThreadHandle&&dwThreadId)
      //{
      // printf("CreateRemoteThread Success,Handle:%ld,Thread Id:%ld\r\n",hThreadHandle,dwThreadId);
      //}
      //else
      //{
      // printf("CreateRemoteThread Error:%ld\r\n",GetLastError());
      //}
      // InjectCreateThread waits for the remote thread to finish, so freeing pRemoteBuf right after
      // it returns is safe; its FALSE result is ignored here.
      InjectCreateThread(hRemoteProcess32, (LPTHREAD_START_ROUTINE)fnDllKernel32, pRemoteBuf);
      //MsicCreateRemoteThread(hRemoteProcess32,(LPTHREAD_START_ROUTINE)fnDllKernel32,pRemoteBuf);
      VirtualFreeEx(hRemoteProcess32, pRemoteBuf, 0, MEM_RELEASE);;
      CloseHandle(hRemoteProcess32);
      return TRUE;
      }

      // Start pcProsessName as a new process, wait a fixed 30 seconds for it to initialise, then
      // load pcDllName into it via MsicCreateRemoteThread. Always returns TRUE.
      // NOTE(review): CreateProcess's result is not checked; on failure pi.hProcess is whatever
      // ZeroMemory left (NULL) and the later calls operate on an invalid handle.
      // NOTE(review): `false` (lower case) is not defined in C before C23 and <stdbool.h> is not
      // included; this line only compiles if something else defines it — the article says this is a .c file.
      // NOTE(review): pi.hProcess and pi.hThread are never closed, and the remote buffer is never freed
      // (both cleanups are commented out below); the process itself keeps running after main() returns.
      BOOL InjectCreateProcess()
      {
      PROCESS_INFORMATION pi;
      STARTUPINFO si;
      procEntry32.dwSize = sizeof(PROCESSENTRY32);   // set but procEntry32 is not used in this function
      ZeroMemory(&pi,sizeof(PROCESS_INFORMATION));
      ZeroMemory(&si,sizeof(STARTUPINFO));
      si.cb=sizeof(STARTUPINFO);

      // pcProsessName is used as the command line, so the target is found via the normal
      // CreateProcess search rules (current directory, then PATH).
      CreateProcess(NULL,pcProsessName,NULL,NULL,false,0,NULL,NULL,&si,&pi);
      hRemoteProcess32=pi.hProcess;
      printf("waiting for 30 seconds please.\r\n");
      // Fixed delay instead of WaitForInputIdle or similar; prints one dot per second.
      for (int i=0;i<30;i++)
      {
      Sleep(1000);
      printf(".");
      }
      printf("\r\n");
      // Same allocate/write sequence as InjectProcess: strlen() bytes, no terminating NUL, and the
      // size_t* -> ULONG* cast is only width-correct on 32-bit.
      pRemoteBuf=VirtualAllocEx(hRemoteProcess32,NULL,strlen(pcDllName),MEM_COMMIT,PAGE_READWRITE);
      bWrittenResult=WriteProcessMemory(hRemoteProcess32,pRemoteBuf,pcDllName,strlen(pcDllName),(ULONG*)&sizeWritten);
      if (bWrittenResult)
      {
      // NOTE(review): %ld with a size_t and %16X with a pointer are mismatched specifiers.
      printf("InjectCreate()-->WriteProcessMemory() Success,written size:%ld,buffer address:%16X\r\n",sizeWritten,pRemoteBuf);
      }
      else
      {
      printf("InjectCreate()-->WriteProcessMemory() Error:%ld\r\n",GetLastError());
      }
      // LoadLibraryA resolved in this process; assumed to be at the same address in the child.
      fnDllKernel32=GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");

      //hThreadHandle=CreateRemoteThread(hRemoteProcess32,NULL,0,(LPTHREAD_START_ROUTINE)fnDllKernel32,pAllocMemory,0,&dwThreadId);
      //if (hThreadHandle&&dwThreadId)
      //{
      // printf("CreateRemoteThread Success,Handle:%ld,Thread Id:%ld\r\n",hThreadHandle,dwThreadId);
      //}
      //else
      //{
      // printf("CreateRemoteThread Error:%ld\r\n",GetLastError());
      //}
      //InjectCreateThread(hRemoteProcess32, (LPTHREAD_START_ROUTINE)fnDllKernel32, pRemoteBuf);
      // The returned thread handle is discarded (never waited on, never closed).
      MsicCreateRemoteThread(hRemoteProcess32,(LPTHREAD_START_ROUTINE)fnDllKernel32,pRemoteBuf);
      //VirtualFreeEx(hRemoteProcess32, pRemoteBuf, 0, MEM_RELEASE);;
      //CloseHandle(hRemoteProcess32);
      return TRUE;
      }

      // Create a thread in hProcess that runs pThreadProc(pRemoteBuf) and wait for it to finish.
      //   hProcess     target process handle
      //   pThreadProc  start address valid inside the target (here kernel32!LoadLibraryA)
      //   pRemoteBuf   argument passed to the thread (address inside the target)
      // Returns TRUE when the thread was created and the wait succeeded, FALSE otherwise.
      // Vista+ goes through the undocumented ntdll!NtCreateThreadEx; older systems use CreateRemoteThread.
      // NOTE(review): hThread is never closed on either path (handle leak per call), and the INFINITE
      // wait blocks forever if the remote thread never exits.
      BOOL InjectCreateThread(HANDLE hProcess, LPTHREAD_START_ROUTINE pThreadProc, LPVOID pRemoteBuf)
      {
      HANDLE hThread = NULL;
      FARPROC pFunc = NULL;
      if( IsVistaOrLater() ) // Vista, 7, Server2008
      {
      pFunc = GetProcAddress(GetModuleHandle("ntdll.dll"), "NtCreateThreadEx");
      if( pFunc == NULL )
      {
      printf("InjectCreateThread()-->GetProcAddress(\"NtCreateThreadEx\") Error %d\r\n",GetLastError());
      return FALSE;
      }
      // The NTSTATUS result is discarded; success is inferred from hThread being non-NULL.
      // 0x1FFFFF is presumably THREAD_ALL_ACCESS (Vista+ value) — confirm.
      // NOTE(review): NULL (a pointer constant) is passed for the DWORD parameters of the typedef.
      ((PFNTCREATETHREADEX)pFunc)(&hThread,
      0x1FFFFF,
      NULL,
      hProcess,
      pThreadProc,
      pRemoteBuf,
      FALSE,
      NULL,
      NULL,
      NULL,
      NULL);
      if( hThread == NULL )
      {
      // NOTE(review): Nt* calls do not set the Win32 last-error value, so this GetLastError() is
      // most likely unrelated to the failure — it would need RtlNtStatusToDosError on the NTSTATUS.
      printf("InjectCreateThread()-->NtCreateThreadEx() Error: %d\r\n", GetLastError());
      return FALSE;
      }
      else
      {
      // Prints the HANDLE value, not a thread id, despite the label (and %ld for a HANDLE).
      printf("InjectCreateThread()-->NtCreateThreadEx() Success,Thread Id:%ld\r\n",hThread);
      }
      }
      else // 2000, XP, Server2003
      {
      hThread = CreateRemoteThread(hProcess,
      NULL,
      0,
      pThreadProc,
      pRemoteBuf,
      0,
      NULL);
      if( hThread == NULL )
      {
      printf("InjectCreateThread()-->CreateRemoteThread() Error: %d\r\n", GetLastError());
      return FALSE;
      }
      else
      {
      // Same as above: this is the handle value, not the thread id.
      printf("InjectCreateThread()-->CreateRemoteThread() Success,Thread Id:%ld\r\n",hThread);
      }
      }
      // Block until the remote thread exits (i.e. until LoadLibraryA in the target returns).
      if( WAIT_FAILED == WaitForSingleObject(hThread, INFINITE) )
      {
      printf("InjectCreateThread() : WaitForSingleObject() Error: %d\r\n", GetLastError());
      return FALSE;
      }
      return TRUE;
      }

      // NOTE(review): this typedef repeats the one in the header; an identical typedef redefinition
      // is only legal from C11 on — confirm the compiler's language mode.
      typedef void*(__stdcall*LPFN_KernelBaseGetGlobalData)(void);
      // CreateRemoteThread wrapper for Vista / Windows 7.
      //   hProcess, lpStartAddress, lpParameter  forwarded to CreateRemoteThread
      // Returns the new thread handle, or NULL if the version is unsupported or any step fails.
      // On pre-Vista systems, or when the target is this process, it is a plain CreateRemoteThread.
      // On Vista and 7 it first locates one byte of undocumented kernel32/KernelBase state (pMisc),
      // writes 1 to it, calls CreateRemoteThread, then writes 0 back. The location is found by
      // build-specific means (a code scan on Vista, a hard-coded offset on 7), so this silently does
      // nothing useful on other builds and can corrupt unrelated memory if the pattern or offset is wrong.
      // NOTE(review): the patch/unpatch pair is not serialised, so two concurrent callers (or an
      // exception between the two writes) can leave the byte set.
      // NOTE(review): success is judged from the file-scope global dwThreadId, which is never reset;
      // a CreateRemoteThread failure after an earlier success is reported as success while hNewThread is NULL.
      // NOTE(review): %08X is used for pointers throughout; values are truncated on 64-bit.
      HANDLE MsicCreateRemoteThread(HANDLE hProcess,LPTHREAD_START_ROUTINE lpStartAddress,LPVOID lpParameter)
      {
      OSVERSIONINFOEX stOSVersionInfoEx= {0};
      FARPROC pCreateRemoteThreadEx=NULL;                     // unused
      LPFN_KernelBaseGetGlobalData pKernelBaseGetGlobalData=NULL;
      UCHAR *pCreateRemoteThread=NULL;
      UCHAR *pGlobalData=NULL;
      UCHAR *pMisc=NULL;                                      // the byte that gets patched
      HMODULE hKernelBase=NULL;
      HMODULE hKernel32=NULL;                                 // NOTE(review): never FreeLibrary'd
      HANDLE hNewThread=NULL;
      ULONG ulIndex=0;
      WORD wCode=0;
      // do { ... } while(FALSE) is used as a single-exit block: every `break` jumps to the cleanup below.
      do
      {
      stOSVersionInfoEx.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX);
      if(!GetVersionEx((OSVERSIONINFO*)&stOSVersionInfoEx))
      {
      break;
      }
      // Systems before Vista do not have this problem; the same is true when the target is ourselves.
      if((stOSVersionInfoEx.dwMajorVersion<6)||(GetCurrentProcess()==hProcess))
      {
      hNewThread=CreateRemoteThread(hProcess,NULL,0,lpStartAddress,lpParameter,0,&dwThreadId);
      if (dwThreadId)
      {
      printf("MsicCreateRemoteThread()-->CreateRemoteThread() Success,Thread Id:%08X\r\n",dwThreadId);
      }
      else
      {
      printf("MsicCreateRemoteThread()-->CreateRemoteThread() Error:%ld\r\n",GetLastError());
      }

      break;
      }
      if((stOSVersionInfoEx.dwMajorVersion==6)&&(0==stOSVersionInfoEx.dwMinorVersion))
      {
      // Vista: scan the first 0x300 bytes of kernel32!CreateRemoteThread for a 2-byte opcode pattern
      // and decode the following operand as the address of the flag byte. Reads code memory with no
      // bounds check beyond the 0x300 limit and no guarantee the pattern exists on a given build.
      hKernel32=LoadLibraryA("Kernel32.dll");
      pCreateRemoteThread=(UCHAR*)GetProcAddress(hKernel32,"CreateRemoteThread");
      for(ulIndex=0; ulIndex<0x300; ulIndex+=1)
      {
      wCode=*((USHORT*)(pCreateRemoteThread+ulIndex));
      #ifdef _WIN64
      if(0x3D80==wCode)
      {
      // RIP-relative operand: displacement + address of the next instruction (7 bytes later).
      pMisc=(*((ULONG*)(pCreateRemoteThread+ulIndex+2)))+(pCreateRemoteThread+ulIndex+7);
      break;
      }
      #else
      if(0x1D38==wCode)
      {
      // Absolute 32-bit operand.
      pMisc=(UCHAR*)(*((ULONG*)(pCreateRemoteThread+ulIndex+2)));
      break;
      }
      #endif
      }
      }
      else if((stOSVersionInfoEx.dwMajorVersion==6)&&(1==stOSVersionInfoEx.dwMinorVersion))
      {
      // Windows 7: ask KernelBase for its global data block and use a hard-coded offset into it.
      hKernelBase=LoadLibraryW(L"KernelBase.dll");
      if(NULL==hKernelBase)
      {
      break;
      }
      pKernelBaseGetGlobalData=(LPFN_KernelBaseGetGlobalData)GetProcAddress(hKernelBase,"KernelBaseGetGlobalData");
      printf("MsicCreateRemoteThread()-->KernelBaseGetGlobalData:%08X\r\n",pKernelBaseGetGlobalData);
      if(NULL==pKernelBaseGetGlobalData)
      {
      break;
      }
      pGlobalData=(UCHAR*)pKernelBaseGetGlobalData();
      if(NULL==pGlobalData)
      {
      break;
      }
      // Offsets are specific to the Windows 7 builds the author tested; not validated at runtime.
      #ifdef _WIN64
      pMisc=pGlobalData+0x5C;
      #else
      pMisc=pGlobalData+0x30;
      #endif
      }
      else
      {
      // The Win8 build 8250 at hand has no session isolation (no patch location; pMisc stays NULL).
      }
      //////////////////////////////////////////////////////////////////////////
      // Unsupported version or pattern not found: leave without creating a thread (returns NULL).
      if(NULL==pMisc)
      {
      break;
      }
      printf("MsicCreateRemoteThread()-->pMisc: %08X\r\n",pMisc);
      //Patch
      *pMisc=1;
      //xx
      hNewThread=CreateRemoteThread(hProcess,NULL,0,lpStartAddress,lpParameter,0,&dwThreadId);
      if (dwThreadId)
      {
      printf("MsicCreateRemoteThread()-->CreateRemoteThread() Success,Thread Id:%08X\r\n",dwThreadId);
      }
      else
      {
      printf("MsicCreateRemoteThread()-->CreateRemoteThread() Error:%ld\r\n",GetLastError());
      }
      //UnPatch
      *pMisc=0;
      }
      while(FALSE);
      // Cleanup: only the KernelBase reference is released; hKernel32 (Vista path) is not.
      if(NULL!=hKernelBase)
      {
      printf("MsicCreateRemoteThread()-->hKernelBase:%08X\r\n",hKernelBase);
      FreeLibrary(hKernelBase);
      hKernelBase=NULL;
      }
      return hNewThread;
      }

      // Stub: declares an uninitialised HOOKPROC and does nothing (the SetWindowsHookEx call is
      // commented out and incomplete). Safe to call; has no effect.
      void HookGetMessage()
      {
      HOOKPROC hp;
      //SetWindowsHookEx(WH_GETMESSAGE,hp,)
      }
      3、新建一個mfc的DLL項目,命名為 MfcHookApi.dll,MfcHookApi.h的代碼如下:

      // MfcHookApi.h : main header file for the MFCHOOKAPI DLL
      //

      #if !defined(AFX_MFCHOOKAPI_H__6A8FC5E5_0E77_4B74_8344_CB9CA22141E5__INCLUDED_)
      #define AFX_MFCHOOKAPI_H__6A8FC5E5_0E77_4B74_8344_CB9CA22141E5__INCLUDED_

      #if _MSC_VER > 1000
      #pragma once
      #endif // _MSC_VER > 1000

      #ifndef __AFXWIN_H__
      #error include 'stdafx.h' before including this file for PCH
      #endif

      #include "resource.h" // main symbols

      /////////////////////////////////////////////////////////////////////////////
      // CMfcHookApiApp
      // See MfcHookApi.cpp for the implementation of this class
      //

      // MFC application object for the DLL (AppWizard-generated shell). The only behaviour added by
      // this project lives in the InitInstance() override in MfcHookApi.cpp, which runs when the DLL
      // is loaded: it installs the DispatchMessage hook and writes the log header.
      class CMfcHookApiApp : public CWinApp
      {
      public:
      CMfcHookApiApp();

      // Overrides
      // ClassWizard generated virtual function overrides
      //{{AFX_VIRTUAL(CMfcHookApiApp)
      public:
      // Called by MFC at DLL load; see MfcHookApi.cpp.
      virtual BOOL InitInstance();
      //}}AFX_VIRTUAL

      //{{AFX_MSG(CMfcHookApiApp)
      // NOTE - the ClassWizard will add and remove member functions here.
      // DO NOT EDIT what you see in these blocks of generated code !
      //}}AFX_MSG
      DECLARE_MESSAGE_MAP()
      };

      // Exported entry points (C linkage so they can be found by name with GetProcAddress).
      extern "C" __declspec(dllexport) void ActiveHook();
      extern "C" __declspec(dllexport) void InstallHook4Api(HWND hwnd);

      // NOTE(review): these are variable DEFINITIONS with initialisers in a header; including this
      // header from more than one translation unit produces duplicate symbols. They store the
      // addresses of the real APIs as int* (a plain cast, no type safety).
      int* addrMsgBoxA=(int*)MessageBoxA;
      int* addrMsgBoxW=(int*)MessageBoxW;
      // Replacement MessageBox functions (bodies in MfcHookApi.cpp).
      // NOTE(review): the .cpp defines HookMessageBoxA with LPCTSTR parameters; this matches LPCSTR
      // only in a non-UNICODE build.
      int WINAPI HookMessageBoxA(HWND hWnd, LPCSTR lpText,LPCSTR lpCaption, UINT uType);
      int WINAPI HookMessageBoxW(HWND hWnd, LPCWSTR lpText,LPCWSTR lpCaption, UINT uType);
      void SetHookMessageBox(HMODULE hModule);

      // ANSI MessageBox signature; there is no wide counterpart for the W variant.
      typedef int(WINAPI* PfnMessageBox)(HWND,LPCSTR,LPCSTR,UINT);

      int* addrDispatchA=(int*)DispatchMessageA;
      int* addrDispatchW=(int*)DispatchMessageW;
      // Replacement DispatchMessage functions; the real API takes const MSG*.
      LRESULT WINAPI HookDispatchMessageA(MSG* msg);
      LRESULT WINAPI HookDispatchMessageW(MSG* msg);
      void SetHookDispatchMessage(HMODULE hModule);

      typedef LRESULT (WINAPI* DLLDISPATCHMESSAGE)(MSG* msg);
      /////////////////////////////////////////////////////////////////////////////

      //{{AFX_INSERT_LOCATION}}
      // Microsoft Visual C++ will insert additional declarations immediately before the previous line.

      #endif // !defined(AFX_MFCHOOKAPI_H__6A8FC5E5_0E77_4B74_8344_CB9CA22141E5__INCLUDED_)

      4、MfcHookApi.cpp代碼如下:
      // MfcHookApi.cpp : Defines the initialization routines for the DLL.
      //

      #include "stdafx.h"
      #include "MfcHookApi.h"
      #include <TlHelp32.h>
      #include <stdio.h>
      #include <Shlwapi.h>

      #pragma comment(lib,"shlwapi.lib")
      #pragma comment(lib,"th32.lib")

      #ifdef _DEBUG
      #define new DEBUG_NEW
      #undef THIS_FILE
      static char THIS_FILE[]=__FILE__;
      #endif

      //
      // Note!
      //
      // If this DLL is dynamically linked against the MFC
      // DLLs,any functions exported from this DLL which
      // call into MFC must have the AFX_MANAGE_STATE macro
      // added at the very beginning of the function.
      //
      // For example:
      //
      // extern "C" BOOL PASCAL EXPORT ExportedFunction()
      // {
      // AFX_MANAGE_STATE(AfxGetStaticModuleState());
      // // normal function body here
      // }
      //
      // It is very important that this macro appear in each
      // function,prior to any calls into MFC. This means that
      // it must appear as the first statement within the
      // function,even before any object variable declarations
      // as their constructors may generate calls into the MFC
      // DLL.
      //
      // Please see MFC Technical Notes 33 and 58 for additional
      // details.
      //

      /////////////////////////////////////////////////////////////////////////////
      // CMfcHookApiApp

      // Empty MFC message map: the app object handles no messages of its own.
      BEGIN_MESSAGE_MAP(CMfcHookApiApp,CWinApp)
      //{{AFX_MSG_MAP(CMfcHookApiApp)
      // NOTE - the ClassWizard will add and remove mapping macros here.
      // DO NOT EDIT what you see in these blocks of generated code!
      //}}AFX_MSG_MAP
      END_MESSAGE_MAP()

      /////////////////////////////////////////////////////////////////////////////
      // CMfcHookApiApp construction

      // Constructor: intentionally empty; all work happens in InitInstance().
      CMfcHookApiApp::CMfcHookApiApp()
      {
      // TODO: add construction code here,
      // Place all significant initialization in InitInstance
      }

      /////////////////////////////////////////////////////////////////////////////
      // The one and only CMfcHookApiApp object

      // The one MFC application object; its InitInstance() runs at DLL load.
      CMfcHookApiApp theApp;

      // Hook state shared by every function in this file. None of it is synchronised.
      HHOOK hHook=0;                 // WH_GETMESSAGE hook from InstallHook4Api (0 when not installed)
      HINSTANCE hinstDll=0;          // module handle passed to SetHook*; used for SetWindowsHookEx
      DWORD dwCurrentPid=0;          // pid taken from the Toolhelp entry in SetHook*
      DWORD TargetPid=0;             // thread id filled in by GetWindowThreadProcessId in InstallHook4Api
      BOOL bApiHook=false;           // set TRUE once SetHook* has written its patch
      FARPROC fpApiAddrA=NULL,fpApiAddrW=NULL;   // addresses of the patched user32 functions
      // 5-byte prologue save/replace buffers: btOld* holds the original bytes, btNew* the E9 jump.
      BYTE btOldCodeA[5]={0,0,0,0,0};
      BYTE btNewCodeA[5]={0,0,0,0,0};
      BYTE btOldCodeW[5]={0,0,0,0,0};
      BYTE btNewCodeW[5]={0,0,0,0,0};
      DWORD dwProtect=0;             // previous page protection, shared by every VirtualProtectEx call
      // Process handle the patches are written through. It is opened by name in SetHook*, so it
      // refers to pcProsessName's process, which is presumably the process this DLL is loaded into.
      HANDLE hRemoteProcess32=0,hSnap=0;
      // Leftover from an earlier design that placed the state in a shared data segment.
      //#pragma data_seg()
      //#pragma comment(linker,"/SECTION:YuKai,rws")
      int nHookCount=0;              // number of intercepted MessageBox calls (unsynchronised)

      // Name of the process whose user32 entry points get patched.
      char* pcProsessName="DoWin32Test.exe";

      //---------------------------------------------------------------------------
      // 空的鉤子函數(shù)
      // Empty hook procedure: forwards every WH_GETMESSAGE event unchanged to the next hook.
      // Its only role is to be the callback InstallHook4Api registers for the target thread.
      LRESULT WINAPI HookProc(int nCode,WPARAM wParam,LPARAM lParam)
      {
      return CallNextHookEx(hHook,nCode,wParam,lParam);
      }

      // Exported no-op: only switches the MFC module state for the duration of the call.
      // Callers can use it to force the DLL to be loaded, nothing else happens.
      extern "C" __declspec(dllexport) void ActiveHook()
      {
      AFX_MANAGE_STATE(AfxGetStaticModuleState());
      }

      //---------------------------------------------------------------------------
      //本函數(shù)一定要用WINAPI(即__stdcall),表示本函數(shù)自己平衡堆棧(和win32 API一致)
      // Replacement for user32!MessageBoxA once the jump patch is in place.
      // Must be WINAPI (__stdcall) so it cleans up its own stack exactly like the Win32 API it replaces.
      // Counts the call, prints to stdout (which a GUI host may not have), and returns 1 (IDOK)
      // without ever showing a box; the original is never called (see the commented-out line).
      // All four parameters are unused.
      int WINAPI HookMessageBoxA(HWND hWnd,LPCTSTR lpText,LPCTSTR lpCaption,UINT uType)
      {
      nHookCount++;
      printf("HookMessageBoxA hook Success......%d\r\n",nHookCount);
      return 1;
      //return ((PfnMessageBox)(addrMsgBoxA))(NULL,"HOOK成功","HOOK成功",MB_ICONINFORMATION);
      }

      //---------------------------------------------------------------------------
      //本函數(shù)一定要用WINAPI(即__stdcall),表示本函數(shù)自己平衡堆棧(和win32 API一致)
      // Replacement for user32!MessageBoxW; same contract as HookMessageBoxA.
      // Must be WINAPI (__stdcall) so it cleans up its own stack exactly like the Win32 API it replaces.
      // Returns 1 (IDOK) without calling the original; parameters are unused.
      int WINAPI HookMessageBoxW(HWND hWnd,LPCWSTR lpText,LPCWSTR lpCaption,UINT uType)
      {

      nHookCount++;
      printf("HookMessageBoxW hook Success......%d\r\n",nHookCount);
      return 1;
      //return ((PfnMessageBox)(addrMsgBoxW))(NULL,"HOOK成功","HOOK成功",MB_ICONINFORMATION);
      }


      //---------------------------------------------------------------------------
      // 安裝卸載空鉤子(ProcessID=NULL:卸載)
      // Install or remove the empty WH_GETMESSAGE hook (hwnd == NULL: remove).
      //   hwnd  window whose owning thread is hooked; only that thread receives the hook.
      // NOTE(review): hinstDll is only assigned inside SetHookMessageBox/SetHookDispatchMessage; if
      // neither has run, SetWindowsHookEx is called with a 0 module handle and fails for a thread in
      // another process. The SetWindowsHookEx result is not checked and hHook is not cleared after
      // UnhookWindowsHookEx.
      extern "C" __declspec(dllexport) void InstallHook4Api(HWND hwnd)
      {
      AFX_MANAGE_STATE(AfxGetStaticModuleState());
      //GetWindowThreadProcessId(hwnd,&TargetPid);
      // Hook only the thread that owns hwnd; GetWindowThreadProcessId also stores the pid in TargetPid.
      if(hwnd)
      hHook=SetWindowsHookEx(WH_GETMESSAGE,(HOOKPROC)HookProc,hinstDll,GetWindowThreadProcessId(hwnd,&TargetPid));
      else
      {
      if(hHook)
      UnhookWindowsHookEx(hHook);
      }
      }

      // Patch the first 5 bytes of user32!MessageBoxA / MessageBoxW with a relative jump (E9 rel32)
      // to HookMessageBoxA / HookMessageBoxW, keeping the original bytes in btOldCodeA/W.
      //   hModule  handle used to name this DLL for the LoadLibrary pin below and stored in hinstDll
      // Returns nothing; exits early (leaving partial state) when a GetProcAddress fails.
      // NOTE(review): the inline `_asm` blocks are only accepted by the 32-bit MSVC compiler, and a
      // 5-byte rel32 jump only reaches a 32-bit address space — this file must be built as x86.
      // NOTE(review): the process handle used for the writes is the one found by name (pcProsessName),
      // not GetCurrentProcess(); if this DLL is loaded into any other process, the patch lands there.
      // The OpenProcess result is not checked, and if no process matches, dwCurrentPid is read from
      // whatever entry the loop stopped on.
      // NOTE(review): the page is set to PAGE_READWRITE while the patch is written, so a thread
      // executing the function at that instant faults under DEP; nothing serialises the write.
      // The "modify ESP" comments below are historical — no stack pointer manipulation happens here.
      void SetHookMessageBox(HMODULE hModule)
      {
      HMODULE hModuleUser32=0;
      char cArrDllName[256];
      hinstDll=(HINSTANCE)hModule;
      BOOL bNext=FALSE;
      PROCESSENTRY32 procEntry32;
      // Obtain a handle to the target process (first case-insensitive name match).
      procEntry32.dwSize=sizeof(PROCESSENTRY32);
      hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
      bNext=Process32First(hSnap,&procEntry32);
      while(bNext)
      {
      if(!stricmp(procEntry32.szExeFile,pcProsessName)) //--->>
      {
      hRemoteProcess32=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_WRITE|PROCESS_VM_OPERATION,1,procEntry32.th32ProcessID);
      break;
      }
      bNext=Process32Next(hSnap,&procEntry32);
      }
      CloseHandle(hSnap);
      dwCurrentPid=procEntry32.th32ProcessID;
      // Load the DLL that owns the functions to patch (user32) and resolve MessageBoxA.
      hModuleUser32=LoadLibrary("user32.dll");
      fpApiAddrA=GetProcAddress(hModuleUser32,"MessageBoxA");
      if(fpApiAddrA==NULL)
      return;
      /* Save the original first 5 bytes of MessageBoxA into btOldCodeA (movsd + movsb = 5 bytes). */
      _asm
      {
      pushad
      lea edi,btOldCodeA
      mov esi,fpApiAddrA
      cld
      movsd
      movsb
      popad
      }
      /* Build the replacement 5 bytes in btNewCodeA: E9 followed by rel32 = hook - api - 5. */
      btNewCodeA[0]=0xe9;
      _asm
      {
      lea eax,HookMessageBoxA
      mov ebx,fpApiAddrA
      sub eax,ebx
      sub eax,5
      mov dword ptr [btNewCodeA+1],eax
      }
      // (historical comment: "modify ESP")
      /* Overwrite the first 5 bytes of MessageBoxA(); results of all three calls are ignored. */
      VirtualProtectEx(hRemoteProcess32,fpApiAddrA,5,PAGE_READWRITE,&dwProtect);
      WriteProcessMemory(hRemoteProcess32,fpApiAddrA,btNewCodeA,5,0);
      VirtualProtectEx(hRemoteProcess32,fpApiAddrA,5,dwProtect,&dwProtect);
      // Same procedure for MessageBoxW.
      fpApiAddrW=GetProcAddress(hModuleUser32,"MessageBoxW");
      if(fpApiAddrW==NULL)
      return;
      /* Save the original first 5 bytes of MessageBoxW into btOldCodeW. */
      _asm
      {
      pushad
      lea edi,btOldCodeW
      mov esi,fpApiAddrW
      cld
      movsd
      movsb
      popad
      }
      /* Build the replacement 5 bytes for MessageBoxW in btNewCodeW. */
      btNewCodeW[0]=0xe9;
      _asm
      {
      lea eax,HookMessageBoxW
      mov ebx,fpApiAddrW
      sub eax,ebx
      sub eax,5
      mov dword ptr [btNewCodeW+1],eax
      }
      /* Overwrite the first 5 bytes of MessageBoxW(). */
      // (historical comment: "modify ESP")
      VirtualProtectEx(hRemoteProcess32,fpApiAddrW,5,PAGE_READWRITE,&dwProtect);
      WriteProcessMemory(hRemoteProcess32,fpApiAddrW,btNewCodeW,5,0);
      VirtualProtectEx(hRemoteProcess32,fpApiAddrW,5,dwProtect,&dwProtect);

      bApiHook=true;
      // Bump this module's reference count, then unhook immediately: the extra LoadLibrary keeps the
      // DLL mapped in the target after the Windows hook that brought it in is removed.
      // NOTE(review): this relies on hModule being THIS DLL's handle; the only caller visible here
      // passes GetModuleHandle(NULL), i.e. the host executable's handle — confirm the intent.
      GetModuleFileName((HINSTANCE)hModule,cArrDllName,256);
      LoadLibrary(cArrDllName);
      // Only the target process may unhook; otherwise it might not have loaded the hooked-in DLL yet.
      if(hHook && (dwCurrentPid==TargetPid))
      UnhookWindowsHookEx(hHook);

      }

      // Patch the first 5 bytes of user32!DispatchMessageA / DispatchMessageW with a relative jump
      // (E9 rel32) to HookDispatchMessageA / HookDispatchMessageW; originals saved in btOldCodeA/W.
      //   hModule  handle stored in hinstDll and used to name this DLL for the LoadLibrary pin
      // Same structure and same caveats as SetHookMessageBox: 32-bit only (inline `_asm`, rel32),
      // writes through the handle found by process name rather than GetCurrentProcess(), no result
      // checking, PAGE_READWRITE on a code page while writing, no serialisation against other threads.
      // NOTE(review): the NULL check after resolving DispatchMessageW tests fpApiAddrA instead of
      // fpApiAddrW (copy/paste), so a failed lookup of the W entry goes on to patch address NULL.
      // The "MessageBoxA" and "modify ESP" comments below are left over from SetHookMessageBox.
      void SetHookDispatchMessage(HMODULE hModule)
      {
      HMODULE hModuleUser32=0;
      char cArrDllName[256];
      hinstDll=(HINSTANCE)hModule;
      BOOL bNext=FALSE;
      PROCESSENTRY32 procEntry32;
      // Obtain a handle to the target process (first case-insensitive name match; result unchecked).
      procEntry32.dwSize=sizeof(PROCESSENTRY32);
      hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
      bNext=Process32First(hSnap,&procEntry32);
      while(bNext)
      {
      if(!stricmp(procEntry32.szExeFile,pcProsessName))
      {
      hRemoteProcess32=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_WRITE|PROCESS_VM_OPERATION,1,procEntry32.th32ProcessID);
      break;
      }
      bNext=Process32Next(hSnap,&procEntry32);
      }
      CloseHandle(hSnap);
      dwCurrentPid=procEntry32.th32ProcessID;
      // Load user32 and resolve DispatchMessageA.
      hModuleUser32=LoadLibrary("user32.dll");
      fpApiAddrA=GetProcAddress(hModuleUser32,"DispatchMessageA");
      if(fpApiAddrA==NULL)
      return;
      /* Save the original first 5 bytes of DispatchMessageA into btOldCodeA. */
      _asm
      {
      pushad
      lea edi,btOldCodeA
      mov esi,fpApiAddrA
      cld
      movsd
      movsb
      popad
      }
      /* Build the replacement 5 bytes in btNewCodeA: E9 + (HookDispatchMessageA - api - 5). */
      btNewCodeA[0]=0xe9;
      _asm
      {
      lea eax,HookDispatchMessageA
      mov ebx,fpApiAddrA
      sub eax,ebx
      sub eax,5
      mov dword ptr [btNewCodeA+1],eax
      }
      // (historical comment: "modify ESP")
      /* Overwrite the first 5 bytes of DispatchMessageA(); results ignored. */
      VirtualProtectEx(hRemoteProcess32,fpApiAddrA,5,PAGE_READWRITE,&dwProtect);
      WriteProcessMemory(hRemoteProcess32,fpApiAddrA,btNewCodeA,5,0);
      VirtualProtectEx(hRemoteProcess32,fpApiAddrA,5,dwProtect,&dwProtect);

      // Same procedure for DispatchMessageW.
      fpApiAddrW=GetProcAddress(hModuleUser32,"DispatchMessageW");
      // NOTE(review): checks the A address, not fpApiAddrW which was just assigned.
      if(fpApiAddrA==NULL)
      return;
      /* Save the original first 5 bytes of DispatchMessageW into btOldCodeW. */
      _asm
      {
      pushad
      lea edi,btOldCodeW
      mov esi,fpApiAddrW
      cld
      movsd
      movsb
      popad
      }
      /* Build the replacement 5 bytes for DispatchMessageW in btNewCodeW. */
      btNewCodeW[0]=0xe9;
      _asm
      {
      lea eax,HookDispatchMessageW
      mov ebx,fpApiAddrW
      sub eax,ebx
      sub eax,5
      mov dword ptr [btNewCodeW+1],eax
      }
      /* Overwrite the first 5 bytes of DispatchMessageW(). */
      // (historical comment: "modify ESP")
      VirtualProtectEx(hRemoteProcess32,fpApiAddrW,5,PAGE_READWRITE,&dwProtect);
      WriteProcessMemory(hRemoteProcess32,fpApiAddrW,btNewCodeW,5,0);
      VirtualProtectEx(hRemoteProcess32,fpApiAddrW,5,dwProtect,&dwProtect);

      bApiHook=true;
      // Bump this module's reference count, then unhook immediately, so the DLL stays mapped after
      // the Windows hook is removed. Relies on hModule being this DLL's handle; the visible caller
      // (InitInstance) passes GetModuleHandle(NULL), the host executable — confirm the intent.
      GetModuleFileName((HINSTANCE)hModule,cArrDllName,256);
      LoadLibrary(cArrDllName);
      // Only the target process may unhook; otherwise it might not have loaded the hooked-in DLL yet.
      if(hHook && (dwCurrentPid==TargetPid))
      UnhookWindowsHookEx(hHook);

      }

      // Replacement for user32!DispatchMessageA. Restores the original prologue, calls the real
      // DispatchMessageA, appends one line describing the message to C:\DM<YYYYMMDDHH>.log, then
      // re-applies the jump patch. Returns whatever DispatchMessageA returned.
      //   msg  the message being dispatched (read only; must be non-NULL)
      // NOTE(review): the unpatch -> call -> repatch window is not serialised; another thread calling
      // DispatchMessageA meanwhile runs the original unhooked (or, worse, sees a half-written prologue).
      // NOTE(review): the format passes msg->wParam twice and never msg->lParam, so the "lparam"
      // column written by InitInstance actually holds wParam; this A variant also omits the thread-id
      // column that the header and the W variant have. %X is given HWND/WPARAM/LPARAM-sized values.
      // NOTE(review): the log is opened per message with shareDenyRead; a concurrent writer makes the
      // open fail and the CFile constructor throws CFileException, which nothing here catches — the
      // exception unwinds into the host's message loop. The memset of 128 bytes clears the whole
      // buffer only when TCHAR is char (non-UNICODE build).
      LRESULT WINAPI HookDispatchMessageA(MSG* msg)
      {
      CString szFormat="";
      CString szLog="";
      CTime time;
      CString szFileName="";
      DWORD dwFlag=0;

      RECT rc;
      TCHAR szCaption[128];
      //HMODULE hDll=0;
      //DLLDISPATCHMESSAGE dispatch;
      LRESULT lr=0;
      //hDll=LoadLibrary("user32.dll");
      //if (hDll)
      //{
      // dispatch=(DLLDISPATCHMESSAGE)GetProcAddress(hDll,"DispatchMessageA");
      // if (dispatch)
      // {
      // lr=(dispatch)(msg);
      // }
      //}
      // Put the original 5 bytes back so the call below reaches the real function.
      VirtualProtectEx(hRemoteProcess32,fpApiAddrA,5,PAGE_READWRITE,&dwProtect);
      WriteProcessMemory(hRemoteProcess32,fpApiAddrA,btOldCodeA,5,0);
      VirtualProtectEx(hRemoteProcess32,fpApiAddrA,5,dwProtect,&dwProtect);
      lr=DispatchMessageA(msg);

      // Write the log line: hwnd, message, wparam, wparam(!), mouse x/y, time, rect right/bottom, caption.
      szFormat="%-16X%-16X%-16X%-16X%-16d%-16d%-16X%-16d%-16d%-128s\r\n";
      memset(szCaption,0,128);
      if (IsWindow(msg->hwnd))
      {
      GetWindowRect(msg->hwnd,&rc);
      GetWindowText(msg->hwnd,szCaption,128);
      szLog.Format(szFormat,msg->hwnd,msg->message,msg->wParam,msg->wParam,msg->pt.x,msg->pt.y,msg->time,rc.right,rc.bottom,szCaption);
      }
      else
      {
      // Thread messages have no window: rect columns become -1, caption stays empty.
      szLog.Format(szFormat,msg->hwnd,msg->message,msg->wParam,msg->wParam,msg->pt.x,msg->pt.y,msg->time,-1,-1,szCaption);
      }

      // One log file per hour, created on first use.
      time=CTime::GetCurrentTime();
      szFileName=time.Format("%Y%m%d%H");
      szFileName.Insert(0,"C:\\DM");
      szFileName+=".log";
      dwFlag=CFile::modeReadWrite|CFile::shareDenyRead;
      if (!PathFileExists(szFileName))
      {
      dwFlag|=CFile::modeCreate;
      }
      CFile fileLog(szFileName,dwFlag);
      fileLog.SeekToEnd();
      fileLog.Write(szLog,szLog.GetLength());   // length in characters; equals bytes only for char TCHAR
      fileLog.Flush();
      fileLog.Close();

      // Re-apply the jump so the next DispatchMessageA call is logged as well.
      VirtualProtectEx(hRemoteProcess32,fpApiAddrA,5,PAGE_READWRITE,&dwProtect);
      WriteProcessMemory(hRemoteProcess32,fpApiAddrA,btNewCodeA, 5, 0);
      VirtualProtectEx(hRemoteProcess32,fpApiAddrA,5,dwProtect,&dwProtect);
      return lr;
      }

      // Replacement for user32!DispatchMessageW; mirrors HookDispatchMessageA but also logs the
      // current thread id, matching the 11-column header written by InitInstance.
      //   msg  the message being dispatched (read only; must be non-NULL)
      // Returns whatever DispatchMessageW returned.
      // Same caveats as the A variant: the unpatch/call/repatch window is not thread-safe, wParam is
      // logged twice in place of lParam, %X receives pointer-sized values, and the per-message CFile
      // open with shareDenyRead can throw an uncaught CFileException into the host.
      LRESULT WINAPI HookDispatchMessageW(MSG* msg)
      {
      CString szFormat="";
      CString szLog="";
      CTime time;
      CString szFileName="";
      DWORD dwFlag=0;

      RECT rc;
      DWORD dwThreadId=0;
      TCHAR szCaption[128];
      //HMODULE hDll=0;
      //DLLDISPATCHMESSAGE dispatch;
      LRESULT lr=0;
      //hDll=LoadLibrary("user32.dll");
      //if (hDll)
      //{
      // dispatch=(DLLDISPATCHMESSAGE)GetProcAddress(hDll,"DispatchMessageW");
      // if (dispatch)
      // {
      // lr=(dispatch)(msg);
      // }
      //}
      // Restore the original prologue, then call the real DispatchMessageW.
      VirtualProtectEx(hRemoteProcess32,fpApiAddrW,5,PAGE_READWRITE,&dwProtect);
      WriteProcessMemory(hRemoteProcess32,fpApiAddrW,btOldCodeW,5,0);
      VirtualProtectEx(hRemoteProcess32,fpApiAddrW,5,dwProtect,&dwProtect);
      lr=DispatchMessageW(msg);

      // Columns: hwnd, message, wparam, wparam(!), mouse x/y, time, rect right/bottom, thread id, caption.
      szFormat="%-16X%-16X%-16X%-16X%-16d%-16d%-16X%-16d%-16d%-16d%-128s\r\n";
      memset(szCaption,0,128);
      dwThreadId=GetCurrentThreadId();
      if (IsWindow(msg->hwnd))
      {
      GetWindowRect(msg->hwnd,&rc);
      GetWindowText(msg->hwnd,szCaption,128);
      szLog.Format(szFormat,msg->hwnd,msg->message,msg->wParam,msg->wParam,msg->pt.x,msg->pt.y,msg->time,rc.right,rc.bottom,dwThreadId,szCaption);
      }
      else
      {
      // No window (thread message): rect columns are -1, caption stays empty.
      szLog.Format(szFormat,msg->hwnd,msg->message,msg->wParam,msg->wParam,msg->pt.x,msg->pt.y,msg->time,-1,-1,dwThreadId,szCaption);
      }

      // One log file per hour, created on first use.
      time=CTime::GetCurrentTime();
      szFileName=time.Format("%Y%m%d%H");
      szFileName.Insert(0,"C:\\DM");
      szFileName+=".log";
      dwFlag=CFile::modeReadWrite|CFile::shareDenyRead;
      if (!PathFileExists(szFileName))
      {
      dwFlag|=CFile::modeCreate;
      }
      CFile fileLog(szFileName,dwFlag);
      fileLog.SeekToEnd();
      fileLog.Write(szLog,szLog.GetLength());   // length in characters; equals bytes only for char TCHAR
      fileLog.Flush();
      fileLog.Close();

      // Re-apply the jump so the next DispatchMessageW call is logged as well.
      VirtualProtectEx(hRemoteProcess32,fpApiAddrW,5,PAGE_READWRITE,&dwProtect);
      WriteProcessMemory(hRemoteProcess32,fpApiAddrW,btNewCodeW, 5, 0);
      VirtualProtectEx(hRemoteProcess32,fpApiAddrW,5,dwProtect,&dwProtect);
      return lr;
      }

      // Runs when the DLL is loaded into a process: installs the DispatchMessage patches and writes
      // the column header to this hour's log file. Returns CWinApp::InitInstance().
      // NOTE(review): GetModuleHandle(NULL) is the HOST executable's module handle, not this DLL's;
      // SetHookDispatchMessage stores it in hinstDll and uses it for GetModuleFileName/LoadLibrary,
      // so those calls name the host exe. Confirm whether the DLL's own instance handle was intended.
      // NOTE(review): the header has 11 columns, matching HookDispatchMessageW but not the A variant
      // (10 columns, no thread id); and the "lparam" column actually receives wParam in both.
      // NOTE(review): the CFile constructor throws CFileException on failure (e.g. no write access to
      // C:\ or a sharing conflict); nothing here catches it, so a failure aborts DLL initialisation.
      BOOL CMfcHookApiApp::InitInstance()
      {
      // TODO: Add your specialized code here and/or call the base class
      SetHookDispatchMessage(GetModuleHandle(NULL));
      //SetHookMessageBox(GetModuleHandle(NULL));

      CString szFormat="";
      CString szLog="";
      CTime time;
      CString szFileName="";
      DWORD dwFlag=0;

      // Column header, same widths as the per-message lines.
      szFormat="%-16s%-16s%-16s%-16s%-16s%-16s%-16s%-16s%-16s%-16s%-128s\r\n";
      szLog.Format(szFormat,"hwnd","message","wparam","lparam","mouse.x","mouse.y","message.time","client.width","client.height","thread id","window.caption");
      // One log file per hour, created on first use.
      time=CTime::GetCurrentTime();
      szFileName=time.Format("%Y%m%d%H");
      szFileName.Insert(0,"C:\\DM");
      szFileName+=".log";
      dwFlag=CFile::modeReadWrite|CFile::shareDenyRead;
      if (!PathFileExists(szFileName))
      {
      dwFlag|=CFile::modeCreate;
      }
      CFile fileLog(szFileName,dwFlag);
      fileLog.SeekToEnd();
      fileLog.Write(szLog,szLog.GetLength());
      fileLog.Flush();
      fileLog.Close();

      return CWinApp::InitInstance();
      }
      5、新建一個測試程序:WIN32項目,取名為:DoWin32Test,代碼如下:

      // DoWin32Test.cpp : Defines the entry point for the application.
      //

      #include "stdafx.h"
      #include "resource.h"

      #define MAX_LOADSTRING 100

      // Global Variables:
      HINSTANCE hInst; // current instance
      TCHAR szTitle[MAX_LOADSTRING]; // The title bar text
      TCHAR szWindowClass[MAX_LOADSTRING]; // The main window class name (registered in MyRegisterClass)

      // Foward declarations of functions included in this code module:
      ATOM MyRegisterClass(HINSTANCE hInstance);
      BOOL InitInstance(HINSTANCE, int);
      LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);
      LRESULT CALLBACK About(HWND, UINT, WPARAM, LPARAM);

      // Standard AppWizard WinMain: load resource strings, register the window class, create the
      // main window, then pump messages until WM_QUIT. Returns the WM_QUIT exit code (msg.wParam),
      // or FALSE if the window could not be created.
      // This is the program whose DispatchMessage calls the MfcHookApi DLL intercepts; every
      // DispatchMessage(&msg) below goes through the patched user32 entry once the DLL is loaded.
      int APIENTRY WinMain(HINSTANCE hInstance,
      HINSTANCE hPrevInstance,
      LPSTR lpCmdLine,
      int nCmdShow)
      {
      // TODO: Place code here.
      MSG msg;
      HACCEL hAccelTable;

      // Initialize global strings
      LoadString(hInstance, IDS_APP_TITLE, szTitle, MAX_LOADSTRING);
      LoadString(hInstance, IDC_DOWIN32TEST, szWindowClass, MAX_LOADSTRING);
      MyRegisterClass(hInstance);

      // Perform application initialization:
      if (!InitInstance (hInstance, nCmdShow))
      {
      return FALSE;
      }

      hAccelTable = LoadAccelerators(hInstance, (LPCTSTR)IDC_DOWIN32TEST);

      // Main message loop:
      // NOTE(review): GetMessage returns -1 on error, which this loop treats as "keep going".
      while (GetMessage(&msg, NULL, 0, 0))
      {
      if (!TranslateAccelerator(msg.hwnd, hAccelTable, &msg))
      {
      TranslateMessage(&msg);
      DispatchMessage(&msg);
      }
      }

      return msg.wParam;
      }



      //
      // FUNCTION: MyRegisterClass()
      //
      // PURPOSE: Registers the window class.
      //
      // COMMENTS:
      //
      // This function and its usage is only necessary if you want this code
      // to be compatible with Win32 systems prior to the 'RegisterClassEx'
      // function that was added to Windows 95. It is important to call this function
      // so that the application will get 'well formed' small icons associated
      // with it.
      //
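      /**
       * Registers the main window class named by szWindowClass.
       *
       * @param hInstance module that owns the class, its icons and its menu.
       * @return the class atom, or 0 when RegisterClassEx fails.
       */
      ATOM MyRegisterClass(HINSTANCE hInstance)
      {
          // Zero-initialise so every field has a defined value, including any the
          // structure gains in a later SDK; the fields we care about are set below.
          WNDCLASSEX wcex = {0};

          wcex.cbSize = sizeof(WNDCLASSEX);

          wcex.style = CS_HREDRAW | CS_VREDRAW;
          wcex.lpfnWndProc = WndProc; // signature already matches WNDPROC, no cast needed
          wcex.cbClsExtra = 0;
          wcex.cbWndExtra = 0;
          wcex.hInstance = hInstance;
          // MAKEINTRESOURCE yields the right pointer type for both ANSI and
          // UNICODE builds, unlike the raw (LPCTSTR)/(LPCSTR) casts.
          wcex.hIcon = LoadIcon(hInstance, MAKEINTRESOURCE(IDI_DOWIN32TEST));
          wcex.hCursor = LoadCursor(NULL, IDC_ARROW);
          wcex.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);
          wcex.lpszMenuName = MAKEINTRESOURCE(IDC_DOWIN32TEST);
          wcex.lpszClassName = szWindowClass;
          wcex.hIconSm = LoadIcon(wcex.hInstance, MAKEINTRESOURCE(IDI_SMALL));

          return RegisterClassEx(&wcex);
      }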

      //
      // FUNCTION: InitInstance(HANDLE, int)
      //
      // PURPOSE: Saves instance handle and creates main window
      //
      // COMMENTS:
      //
      // In this function, we save the instance handle in a global variable and
      // create and display the main program window.
      //
      /**
       * Remembers the instance handle and creates, shows and paints the main window.
       *
       * @param hInstance module handle, kept in the global hInst for WndProc().
       * @param nCmdShow  show state forwarded to ShowWindow().
       * @return TRUE when the window was created, FALSE otherwise.
       */
      BOOL InitInstance(HINSTANCE hInstance, int nCmdShow)
      {
          hInst = hInstance; // Store instance handle in our global variable

          HWND hMainWnd = CreateWindow(szWindowClass, szTitle, WS_OVERLAPPEDWINDOW,
                                       CW_USEDEFAULT, 0, CW_USEDEFAULT, 0,
                                       NULL, NULL, hInstance, NULL);
          if (hMainWnd == NULL)
          {
              return FALSE;
          }

          ShowWindow(hMainWnd, nCmdShow);
          UpdateWindow(hMainWnd);
          return TRUE;
      }

      //
      // FUNCTION: WndProc(HWND, unsigned, WORD, LONG)
      //
      // PURPOSE: Processes messages for the main window.
      //
      // WM_COMMAND - process the application menu
      // WM_PAINT - Paint the main window
      // WM_DESTROY - post a quit message and return
      //
      //
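      /**
       * Window procedure of the main window.
       *
       * WM_COMMAND - runs the About dialog or destroys the window for the menu ids
       * WM_PAINT   - draws the IDS_HELLO string centred in the client area
       * WM_DESTROY - posts WM_QUIT
       * Everything else goes to DefWindowProc.
       */
      LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
      {
          switch (message)
          {
          case WM_COMMAND:
          {
              // Parse the menu selections: the low word is the command id.
              int wmId = LOWORD(wParam);
              switch (wmId)
              {
              case IDM_ABOUT:
                  DialogBox(hInst, MAKEINTRESOURCE(IDD_ABOUTBOX), hWnd, (DLGPROC)About);
                  break;
              case IDM_EXIT:
                  DestroyWindow(hWnd);
                  break;
              default:
                  return DefWindowProc(hWnd, message, wParam, lParam);
              }
              break;
          }
          case WM_PAINT:
          {
              // The greeting is only needed while painting, so load it here rather
              // than once for every message the window receives.
              TCHAR szHello[MAX_LOADSTRING];
              LoadString(hInst, IDS_HELLO, szHello, MAX_LOADSTRING);

              PAINTSTRUCT ps;
              HDC hdc = BeginPaint(hWnd, &ps);
              RECT rt;
              GetClientRect(hWnd, &rt);
              // lstrlen counts TCHARs; strlen on a TCHAR buffer miscounts in a
              // UNICODE build and would stop at the first zero byte.
              DrawText(hdc, szHello, lstrlen(szHello), &rt, DT_CENTER);
              EndPaint(hWnd, &ps);
              break;
          }
          case WM_DESTROY:
              PostQuitMessage(0);
              break;
          default:
              return DefWindowProc(hWnd, message, wParam, lParam);
          }
          return 0;
      }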

      // Message handler for about box.
      // Dialog procedure for the About box: accepts WM_INITDIALOG, closes the
      // dialog on OK or Cancel, and returns FALSE for anything it does not handle
      // so the dialog manager takes over.
      LRESULT CALLBACK About(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam)
      {
          if (message == WM_INITDIALOG)
          {
              return TRUE;
          }

          if (message == WM_COMMAND)
          {
              const WORD wCmdId = LOWORD(wParam);
              if (wCmdId == IDOK || wCmdId == IDCANCEL)
              {
                  EndDialog(hDlg, wCmdId);
                  return TRUE;
              }
          }

          return FALSE;
      }
      最后,記得修改所有項(xiàng)目的生成目錄,令所有項(xiàng)目生成到一個(gè)目錄。我設(shè)置的方法是直接在默認(rèn)生成目錄前加“..\”。祝你成功。
