#ifndef __ILHOOK_H__F47BF581_8D85_49ef_923D_895DCC9E4471_
#define __ILHOOK_H__F47BF581_8D85_49ef_923D_895DCC9E4471_
#include <Windows.h>
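class CILHook
{
public:
    CILHook();  // Starts in the "not hooked" state: no target, both byte buffers zeroed.
    ~CILHook(); // Restores the original bytes if a hook is still installed.

    // Installs an inline hook: overwrites the first 5 bytes of the named export
    // with a relative JMP to pfnHookFunc. The module is looked up with
    // GetModuleHandle, so it must already be mapped in this process.
    // Returns TRUE on success, FALSE when the target cannot be resolved.
    BOOL Hook(LPSTR pszModuleName, LPSTR pszFuncName, PROC pfnHookFunc);
    // Writes the saved original bytes back. The target address is kept so the
    // patch can be re-applied with ReHook().
    VOID UnHook();
    // Re-applies the saved JMP patch after an UnHook(). Returns FALSE when no
    // target has been resolved by Hook().
    BOOL ReHook();

private:
    // This object is the sole owner of the saved entry bytes: a copy would
    // restore / re-patch the same address twice. Copy operations are declared
    // but intentionally never defined (pre-C++11 "noncopyable" idiom).
    CILHook(const CILHook&);
    CILHook& operator=(const CILHook&);

    PROC m_pfnOrig;      // Address of the hooked function (NULL while not hooked).
    BYTE m_bOldBytes[5]; // Original 5 bytes at the function entry.
    BYTE m_bNewBytes[5]; // The patch: E9 <rel32> (5-byte relative JMP).
};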
#endif
#include "ILHook.h"
CILHook::CILHook()
    : m_pfnOrig(NULL)
{
    // Begin from a clean "not hooked" state: no target, both byte buffers zeroed.
    ZeroMemory(m_bOldBytes, sizeof(m_bOldBytes));
    ZeroMemory(m_bNewBytes, sizeof(m_bNewBytes));
}
CILHook::~CILHook()
{
    // An object going away must not leave patched code behind;
    // UnHook() is a no-op when nothing was hooked.
    this->UnHook();
}
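/*
 * Hook - install an inline detour on an exported function of a loaded module.
 *
 * Resolves pszFuncName in pszModuleName (the module must already be mapped in
 * this process), saves the first 5 bytes of the function and overwrites them
 * with "E9 <rel32>", a relative JMP to pfnHookFunc.
 *
 * Parameters:
 *   pszModuleName - name of an already-loaded module, e.g. "kernel32.dll"
 *   pszFuncName   - exported function name
 *   pfnHookFunc   - replacement routine; must use the same calling convention
 *                   and parameter list as the function it replaces
 * Returns:
 *   TRUE when the patch was written; FALSE when the target cannot be resolved,
 *   the displacement does not fit a rel32, or the read/write is incomplete.
 *
 * Limitations of this design:
 *   - A 5-byte rel32 JMP reaches only +/-2 GB. On 64-bit builds the call fails
 *     rather than writing a truncated displacement.
 *   - The entry is patched in place with no trampoline, so the original can
 *     only be called while the patch is lifted (UnHook / ReHook); threads
 *     executing the entry during the write are not protected.
 */
BOOL CILHook::Hook(LPSTR pszModuleName, LPSTR pszFuncName, PROC pfnHookFunc)
{
    // Hooking twice would capture the JMP itself as the "original" bytes; put
    // the previous target back first so m_bOldBytes always holds real code.
    if ( m_pfnOrig != NULL )
    {
        UnHook();
        m_pfnOrig = NULL;
    }
    if ( pfnHookFunc == NULL )
    {
        return FALSE;
    }

    // The parameters are narrow strings, so call the A variant explicitly
    // instead of the TCHAR macro (which would not compile under UNICODE).
    HMODULE hModule = GetModuleHandleA(pszModuleName);
    if ( hModule == NULL )
    {
        return FALSE;
    }
    PROC pfnTarget = (PROC)GetProcAddress(hModule, pszFuncName);
    if ( pfnTarget == NULL )
    {
        return FALSE;
    }

    // Save the bytes about to be overwritten. A short read must not count as
    // success, or UnHook() would later restore garbage.
    SIZE_T cbDone = 0;
    if ( !ReadProcessMemory(GetCurrentProcess(), pfnTarget, m_bOldBytes, sizeof(m_bOldBytes), &cbDone)
         || cbDone != sizeof(m_bOldBytes) )
    {
        return FALSE;
    }

    // Build "JMP rel32". The displacement is relative to the end of the
    // 5-byte instruction: pfnHookFunc - (pfnTarget + 5).
    DWORD_PTR dwDisp = (DWORD_PTR)pfnHookFunc - ((DWORD_PTR)pfnTarget + sizeof(m_bNewBytes));
    // rel32 is a sign-extended 32-bit value: refuse targets it cannot reach
    // instead of silently truncating (this check is an identity on 32-bit).
    if ( (DWORD_PTR)(LONG_PTR)(LONG)(DWORD)dwDisp != dwDisp )
    {
        return FALSE;
    }
    DWORD dwRel32 = (DWORD)dwDisp;
    m_bNewBytes[0] = 0xE9; // JMP rel32 opcode
    CopyMemory(m_bNewBytes + 1, &dwRel32, sizeof(dwRel32));

    // No VirtualProtect here (unchanged from the original, which relies on
    // WriteProcessMemory for the code page); verify that the whole patch
    // landed instead of assuming it.
    if ( !WriteProcessMemory(GetCurrentProcess(), pfnTarget, m_bNewBytes, sizeof(m_bNewBytes), &cbDone)
         || cbDone != sizeof(m_bNewBytes) )
    {
        return FALSE;
    }
    // Code was modified in place: make sure stale instruction bytes are not
    // executed from the cache.
    FlushInstructionCache(GetCurrentProcess(), pfnTarget, sizeof(m_bNewBytes));

    // Only a fully written patch counts as "hooked".
    m_pfnOrig = pfnTarget;
    return TRUE;
}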
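/*
 * UnHook - restore the saved original bytes at the hooked entry point.
 *
 * Leaves m_pfnOrig set so the patch can be re-applied with ReHook(). Does
 * nothing when Hook() has not succeeded. The VOID interface cannot report a
 * failed write; in that case the JMP stays in place.
 */
VOID CILHook::UnHook()
{
    if ( m_pfnOrig == NULL )
    {
        return;
    }
    SIZE_T cbDone = 0;
    if ( WriteProcessMemory(GetCurrentProcess(), m_pfnOrig, m_bOldBytes, sizeof(m_bOldBytes), &cbDone)
         && cbDone == sizeof(m_bOldBytes) )
    {
        // Code bytes changed: drop any stale decoded instructions.
        FlushInstructionCache(GetCurrentProcess(), m_pfnOrig, sizeof(m_bOldBytes));
    }
}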
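/*
 * ReHook - write the saved JMP patch back after an UnHook().
 *
 * Returns TRUE when the full 5-byte patch was written; FALSE when Hook()
 * never succeeded (no target) or the write is incomplete.
 */
BOOL CILHook::ReHook()
{
    if ( m_pfnOrig == NULL )
    {
        return FALSE;
    }
    SIZE_T cbDone = 0;
    if ( !WriteProcessMemory(GetCurrentProcess(), m_pfnOrig, m_bNewBytes, sizeof(m_bNewBytes), &cbDone)
         || cbDone != sizeof(m_bNewBytes) )
    {
        return FALSE;
    }
    // Code bytes changed: drop any stale decoded instructions.
    FlushInstructionCache(GetCurrentProcess(), m_pfnOrig, sizeof(m_bNewBytes));
    return TRUE;
}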
#include "ILHook.h"
#include <tchar.h>
// Process-wide hook state for kernel32!CreateProcessW. Global so that both
// DllMain (install / remove) and the replacement routine (lift / re-apply
// around the real call) reach the same object; its destructor also restores
// the original bytes if they are still patched.
CILHook CreateProcessHook;
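// Replacement for kernel32!CreateProcessW, installed by DllMain.
//
// Asks the user (MessageBoxA, MB_YESNO) whether the process creation may
// proceed. On YES the patch is lifted, the real CreateProcessW is called with
// the caller's arguments untouched, and the patch is re-applied. On NO the
// call is refused: FALSE is returned and the last error is set to
// ERROR_ACCESS_DENIED, so a CreateProcessW caller sees a meaningful reason.
//
// Caveats inherent to this hook style (no trampoline):
//   - While the patch is lifted, CreateProcessW calls from other threads run
//     unhooked, and the prompt blocks the calling thread for as long as the
//     user takes to answer.
//   - ReHook() makes Win32 calls of its own, so the real CreateProcessW's
//     last-error value is saved and restored around it.
BOOL
WINAPI
MyCreateProcessW(
    LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation
    )
{
    BOOL bRet = FALSE;
    int nAnswer = MessageBoxA(NULL, "成功拦截API CreateProcess", "系统提示", MB_YESNO);
    if ( nAnswer == IDYES )
    {
        CreateProcessHook.UnHook();
        bRet = CreateProcessW(lpApplicationName,
                              lpCommandLine,
                              lpProcessAttributes,
                              lpThreadAttributes,
                              bInheritHandles,
                              dwCreationFlags,
                              lpEnvironment,
                              lpCurrentDirectory,
                              lpStartupInfo,
                              lpProcessInformation);
        // Preserve the outcome of the real call across the re-patch.
        DWORD dwLastError = GetLastError();
        CreateProcessHook.ReHook();
        SetLastError(dwLastError);
    }
    else
    {
        // Narrow literals: call MessageBoxA explicitly rather than the TCHAR
        // macro, which would not compile in a UNICODE build.
        MessageBoxA(NULL, "您启动的程序被拦截", "提示", MB_OK);
        // Set after the message box so it is not clobbered by it.
        SetLastError(ERROR_ACCESS_DENIED);
    }
    return bRet;
}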
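// DLL entry point: installs the CreateProcessW hook when the DLL is mapped
// into a process and removes it on unload.
//
//   hModule            - this DLL's module handle (unused)
//   ul_reason_for_call - DLL_PROCESS_ATTACH / DLL_PROCESS_DETACH / thread events
//   lpReserved         - unused
//
// Returns FALSE on DLL_PROCESS_ATTACH when the hook cannot be installed, so
// the load fails instead of leaving an inert DLL in the process; TRUE
// otherwise.
BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                       )
{
    UNREFERENCED_PARAMETER(hModule);
    UNREFERENCED_PARAMETER(lpReserved);

    switch ( ul_reason_for_call )
    {
    case DLL_PROCESS_ATTACH:
        {
            // CILHook::Hook takes LPSTR; pass writable arrays rather than
            // string literals (a literal-to-char* conversion C++11 removed).
            CHAR szModule[] = "kernel32.dll";
            CHAR szFunction[] = "CreateProcessW";
            if ( !CreateProcessHook.Hook(szModule, szFunction, (PROC)MyCreateProcessW) )
            {
                return FALSE;
            }
            break;
        }
    case DLL_PROCESS_DETACH:
        {
            CreateProcessHook.UnHook();
            break;
        }
    default:
        // DLL_THREAD_ATTACH / DLL_THREAD_DETACH: nothing per-thread to do.
        break;
    }
    return TRUE;
}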