内联钩子是对目标函数挂钩,使得挂钩点的指令发生变化,一般使用跳转指令跳到伪造的函数处,而为了实现隐藏,还需要在伪造函数处解钩,等到函数返回前再次挂钩。
src
CILHook.h
#ifndef __ILHook_H_mysymbol
#define _ILHook_H_mysymbol
#include <windows.h>
class CILHook{
public:
CILHook();
~CILHook();
BOOL Hook(LPSTR pszModuleName,LPSTR pszFuncName,PROC pfnHookFunc);
VOID UnHook();
BOOL ReHook();
private:
PROC m_pfnOrig;
BYTE m_bOldBytes[5];
BYTE m_bNewBytes[5];
#endif
};
CILHook.cpp
#include "ILHook.h"
CILHook::CILHook()
{
m_pfnOrig = NULL;
ZeroMemory(m_bOldBytes,5);
ZeroMemory(m_bNewBytes,5);
}
CILHook::~CILHook()
{
UnHook();
}
BOOL CILHook::Hook(LPSTR pszModuleName,LPSTR pszFuncName,PROC pfnHookFunc)
{
BOOL bRet = FALSE;
m_pfnOrig = (PROC)GetProcAddress(GetModuleHandle(pszModuleName),pszFuncName); //get_fun_addr
if (m_pfnOrig)
{
DWORD dwNum = 0;
ReadProcessMemory(GetCurrentProcess(),m_pfnOrig,m_bOldBytes,5,&dwNum); //get_content from fun_addr
m_bNewBytes[0]='\xe9' ; //opcode jmp
*(DWORD *)(m_bNewBytes+1) =(DWORD)pfnHookFunc -((DWORD)m_pfnOrig+5); //AIM_ADDR- (hooked_fun_addr+5)
WriteProcessMemory(GetCurrentProcess(),m_pfnOrig,m_bNewBytes,5,&dwNum);
bRet = TRUE;
}
return bRet;
}
VOID CILHook::UnHook()
{
if (m_pfnOrig)
{
DWORD dwNum =0;
WriteProcessMemory(GetCurrentProcess(),m_pfnOrig,m_bOldBytes,5,&dwNum);
}
}
BOOL CILHook::ReHook()
{
bool bRet = false;
if (m_pfnOrig)
{
DWORD dwNum = 0;
WriteProcessMemory(GetCurrentProcess(),m_pfnOrig,m_bNewBytes,5,&dwNum);
bRet = TRUE;
}
return bRet;
}
poc.cpp
#include <stdio.h>
#include "ILHook.h"
CILHook hooker;
int WINAPI MyMessageBox(
HWND hwnd,
LPCST