头文件ILHook.h
/********************************************************************
purpose: 利用修改内存的方式来实现进程注入
*********************************************************************/
#pragma once
#include <Windows.h>
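class CILHook
{
public:
    CILHook(void);
    ~CILHook(void);
    // Patches the first five bytes of the export pszFunName in the already-loaded module
    // pszModuleName with a relative JMP to procFun. Returns TRUE when the patch was written.
    // 32-bit only: the rel32 JMP and the DWORD pointer casts assume a 4-byte address space.
    BOOL Hook(LPSTR pszModuleName, LPSTR pszFunName, PROC procFun);
    // Writes the saved original bytes back (no-op when nothing is hooked). The target is
    // remembered so ReHook() can re-apply the patch afterwards; the destructor calls this.
    void UnHook();
    // Re-applies the JMP patch after UnHook(). Returns FALSE when Hook() never succeeded.
    BOOL ReHook();
    PROC m_pfnOld;   // address of the hooked function; NULL while not hooked
    BYTE m_bOld[5];  // original first five bytes, restored by UnHook()
    BYTE m_bNew[5];  // the JMP patch written by Hook()/ReHook()
private:
    // Non-copyable: two copies would both own the same patched bytes and the destructor of
    // one would silently unhook the other. Declared but never defined (pre-C++11 idiom, in
    // keeping with the rest of the file).
    CILHook(const CILHook&);
    CILHook& operator=(const CILHook&);
};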
源文件ILHook.cpp
#include "StdAfx.h"
#include "ILHook.h"
// Starts in the "not hooked" state: no target and both five-byte buffers cleared.
CILHook::CILHook(void)
: m_pfnOld(NULL)
{
ZeroMemory(m_bOld, sizeof(m_bOld));
ZeroMemory(m_bNew, sizeof(m_bNew));
}
// Restores the original bytes when the owner goes away, so a patch never outlives its object.
CILHook::~CILHook(void)
{
this->UnHook();
}
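// Installs an inline hook on the export pszFunName of the already-loaded module pszModuleName:
// the function's first five bytes are saved in m_bOld and overwritten with a relative JMP to
// procFun. Only the current process is modified.
// Returns TRUE when the patch was written. On any failure nothing is left patched and m_pfnOld
// stays NULL, so UnHook()/ReHook()/~CILHook() are no-ops. (Previously a failed read still set
// m_pfnOld while m_bOld held zeros, so a later UnHook() would have overwritten the function's
// prologue with five 0x00 bytes.)
// 32-bit only: the rel32 displacement and the DWORD casts of the pointers assume a 4-byte
// address space.
// NOTE(review): other threads may execute the target while it is being patched; nothing here
// synchronises that.
BOOL CILHook::Hook( LPSTR pszModuleName, LPSTR pszFunName, PROC procFun )
{
// An existing hook must be lifted first, otherwise m_bOld would capture the JMP written
// earlier instead of the real prologue and UnHook() could never restore the function.
if (m_pfnOld != NULL)
{
UnHook();
m_pfnOld = NULL;
}
if (procFun == NULL)
{
return FALSE;
}
// GetProcAddress fails (NULL) when the module is not loaded or the export is unknown.
PROC pfnTarget = (PROC)GetProcAddress(GetModuleHandle(pszModuleName), pszFunName);
if (pfnTarget == NULL)
{
return FALSE;
}
// Keep a copy of the original prologue so it can be restored later.
DWORD dwNum(0);
if (!ReadProcessMemory(GetCurrentProcess(), pfnTarget, m_bOld, sizeof(m_bOld), &dwNum)
|| dwNum != sizeof(m_bOld))
{
return FALSE;
}
// Build the patch: 0xE9 is the opcode of the near relative JMP; its rel32 operand is
// measured from the end of the 5-byte instruction, hence the "- 5".
m_bNew[0] = 0xE9;
*(DWORD*)(m_bNew + 1) = DWORD(procFun) - DWORD(pfnTarget) - 5;
dwNum = 0;
if (!WriteProcessMemory(GetCurrentProcess(), pfnTarget, m_bNew, sizeof(m_bNew), &dwNum)
|| dwNum != sizeof(m_bNew))
{
// Best effort: put the saved prologue back in case the write was partial, then report failure.
WriteProcessMemory(GetCurrentProcess(), pfnTarget, m_bOld, sizeof(m_bOld), &dwNum);
return FALSE;
}
// Commit only once the patch is verifiably in place.
m_pfnOld = pfnTarget;
return TRUE;
}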
// Writes the saved prologue back over the hooked function; harmless when nothing is hooked.
// m_pfnOld is kept so ReHook() can re-apply the patch. The write result is not checked.
void CILHook::UnHook()
{
if (m_pfnOld == NULL)
{
return;
}
DWORD dwWritten(0);
WriteProcessMemory(GetCurrentProcess(), m_pfnOld, m_bOld, sizeof(m_bOld), &dwWritten);
}
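// Re-applies the JMP patch built by Hook(). Returns FALSE when nothing was hooked or when the
// write did not cover all five bytes (previously TRUE was reported regardless of the write result,
// so a caller could believe the hook was back in place when it was not).
BOOL CILHook::ReHook()
{
if (m_pfnOld == NULL)
{
return FALSE;
}
DWORD dwWritten(0);
BOOL bWritten = WriteProcessMemory(GetCurrentProcess(), m_pfnOld, m_bNew, sizeof(m_bNew), &dwWritten);
return (bWritten && dwWritten == sizeof(m_bNew)) ? TRUE : FALSE;
}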
测试文件
#include "StdAfx.h"
#include "MainHook.h"
// Single global hook object for MessageBoxA; the detour below uses it to temporarily lift the
// hook while it forwards the call. Its destructor calls UnHook() when the global is destroyed.
CILHook MsgHook;
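// Detour installed over MessageBoxA by testHook(). It lifts the hook, shows "hook" in place of
// the caller's text, re-arms the hook and reports IDOK regardless of what the user pressed.
// MessageBoxA and LPCSTR are named explicitly so the detour's signature and the forwarded call
// match the hooked ANSI export whether or not the project is built with UNICODE (the MessageBox
// macro would otherwise resolve to MessageBoxW and the narrow "hook" literal would not compile).
// NOTE(review): between UnHook() and ReHook() other threads reach the real MessageBoxA
// unintercepted, and a concurrent caller could observe a partially written patch.
int WINAPI myMessageBoxA(HWND hwnd,
LPCSTR lpText,
LPCSTR lpCaption,
UINT uType)
{
MsgHook.UnHook();
// lpText is deliberately replaced to make the interception visible; forward lpText instead to
// pass the original message through.
MessageBoxA(hwnd, "hook", lpCaption, uType);
//MessageBoxA(hwnd, lpText, lpCaption, uType);
MsgHook.ReHook();
return IDOK;
}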
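// Demo: shows a message box before hooking, one while MessageBoxA is hooked (the detour is
// expected to display "hook" instead of "test"), and one after the hook is removed.
// MessageBoxA is called explicitly because the hook targets the ANSI export; under UNICODE the
// MessageBox macro would call MessageBoxW and bypass the hook entirely, making the demo look
// broken for the wrong reason. Hook()'s result is checked instead of ignored so a failed
// installation is reported rather than shown as three identical, unhooked boxes.
void testHook()
{
MessageBoxA(NULL, "test", "information", MB_YESNO);
// Hook() takes LPSTR, so the literals below rely on the deprecated literal-to-char* conversion.
if (!MsgHook.Hook("User32.dll", "MessageBoxA", (PROC)myMessageBoxA))
{
MessageBoxA(NULL, "Hook() failed", "information", MB_OK);
return;
}
MessageBoxA(NULL, "test", "information", MB_OK);
MsgHook.UnHook();
MessageBoxA(NULL, "test", "information", MB_OK);
}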