ASM实现Hook API

;在此文档的文档工具栏项目上单击右键->参数属性

.386
.model flat, stdcall
option casemap :none
Include windows.inc
Include user32.inc
Include kernel32.inc
Include gdi32.inc
include Ws2_32.inc


includelib gdi32.lib
IncludeLib user32.lib
IncludeLib kernel32.lib
includeLib Ws2_32.lib
include macro.asm
; Layout of the 7-byte (1 + 4 + 1 + 1) absolute-jump stub that Init builds and
; SetFunctionAddr writes over the first bytes of the hooked export.  Field order
; is instruction byte order; MASM's default byte packing keeps it contiguous.
ApiHook struct
_mov_eax BYTE ?                          ; 0B8h: opcode of `mov eax, imm32` (set in Init)
hookFunction DWORD ?                     ; imm32: address of the replacement procedure
_jmp BYTE ?                              ; 0FFh: opcode byte of `jmp r/m32`
_jmp_eax BYTE ?                          ; 0E0h: ModRM selecting eax -> `jmp eax`
ApiHook ends


.data

; (no initialised data in this file)

.data?
; Uninitialised globals shared by every procedure below.
hInstance dd ?                           ; this DLL's module handle, saved from hInstDLL in LibMain
oldFunctionAddr db 10 dup(?)             ; saved original bytes of the hooked export: Init reads 8, UnSetFunctionAddr writes 8 back
oldFunction dd ?                         ; address of the hooked export, from FindFunctionAddr (NULL if resolution failed)
api ApiHook<>                            ; the jump stub Init fills in and SetFunctionAddr writes
cds COPYDATASTRUCT<>                     ; WM_COPYDATA payload filled in MySend
hProcess dd ?                            ; GetCurrentProcess() pseudo-handle, set in Init
hHook dd ?                               ; WH_GETMESSAGE hook handle from HookApi; 0 = not installed
copyBuffer db 1024 dup(?)                ; only referenced by the commented-out MyMessageBox below
hPid dd ?                                ; not referenced anywhere in this file
.CODE

; Forward declarations (all stdcall per the .model directive above).
HookApi proto                            ; install the global WH_GETMESSAGE hook
UnHookApi proto                          ; remove it and write the original bytes back
ChangeFunction proto :DWORD,:DWORD,:DWORD   ; (target address, source bytes, byte count) -> WriteProcessMemory BOOL
FindFunctionAddr proto :DWORD ,:DWORD    ; (module name, export name) -> export address or NULL
Init proto :DWORD ,:DWORD ,:DWORD        ; (module name, export name, replacement) - builds and installs the patch
SetFunctionAddr proto                    ; write the jump stub over the export
UnSetFunctionAddr proto                  ; write the saved original bytes back
GetMsgProc proto :DWORD,:DWORD,:DWORD    ; WH_GETMESSAGE hook procedure (HookApi)
MySend proto :DWORD,:DWORD ,:DWORD,:DWORD   ; replacement for ws2_32!send, same argument list
; NOTE(review): HookApi/UnHookApi are not called from this file; presumably they
; are exported for the host application - confirm against the .def/export list.



;MyMessageBox proto :DWORD,:DWORD,:DWORD,:DWORD

; DLL entry point.  Original author's note: a DLL that loads resources must keep
; hInstDLL in a global - it is the module handle; GetModuleHandle always returns
; the host executable's handle.
;
; BOOL WINAPI LibMain(HINSTANCE hInstDLL, DWORD reason, LPVOID unused)
; DLL_PROCESS_ATTACH: saves hInstance, patches ws2_32!send to MySend via Init
;                     (Init's outcome is not checked), returns TRUE via the early ret.
; DLL_PROCESS_DETACH: empty - the patched bytes are NOT restored when the DLL unloads.
; DLL_THREAD_ATTACH:  empty.
; DLL_THREAD_DETACH:  writes the original bytes back every time any thread exits.
; On every branch except PROCESS_ATTACH eax is whatever the last call left, so
; the return value is unspecified there.
; CTXT(...) comes from macro.asm (not shown); presumably it yields a pointer to
; an inline string literal - confirm.
LibMain proc hInstDLL:DWORD, reason:DWORD, unused:DWORD
.if reason == DLL_PROCESS_ATTACH ;called when the DLL is loaded; returning 0 makes the load fail
mov eax,hInstDLL
mov hInstance,eax
invoke Init,CTXT("Ws2_32.dll"),CTXT("send"),offset MySend
;-------------------------------------------------
mov eax,TRUE
ret
.elseif reason == DLL_PROCESS_DETACH

.elseif reason == DLL_THREAD_ATTACH

.elseif reason == DLL_THREAD_DETACH
;(original note: add handling code here) - as written, removes the send patch on every thread exit
invoke UnSetFunctionAddr
.endif
ret
LibMain Endp



; int MySend(SOCKET s, const char *buf, int len, int flags)
; Replacement installed over ws2_32!send by Init.  Before forwarding the call it
; fills cds with the caller's PID, len and buf pointer and delivers it with
; WM_COPYDATA to the first top-level window titled "Form1" (class not filtered),
; i.e. the outbound buffer is handed to another process.  WM_COPYDATA traffic
; aimed at a "Form1" window is the externally observable side effect of this
; hook.  It then un-patches send, calls the real send, and re-patches.
; Review notes (behaviour as written, not changed here):
;  - FindWindow's result goes to SendMessage unchecked; with no "Form1" window
;    the hwnd is NULL.
;  - eax from the real send is overwritten by SetFunctionAddr (ChangeFunction
;    returns WriteProcessMemory's BOOL), so the caller does not receive send's
;    byte count / SOCKET_ERROR.
;  - There is no synchronisation around the unpatch / call / repatch sequence.
MySend proc s:DWORD ,buf:DWORD ,len:DWORD,flags:DWORD
invoke GetCurrentProcessId
mov cds.dwData ,eax                      ; dwData = caller PID
mov eax,len
mov cds.cbData,eax                       ; cbData = len
mov eax,buf
mov cds.lpData,eax                       ; lpData = the caller's send buffer
invoke FindWindow,NULL,CTXT("Form1")
invoke SendMessage,eax,WM_COPYDATA,NULL,addr cds

;--------------------------------------------------
invoke UnSetFunctionAddr                 ; restore the original bytes so the real send can run
invoke send,s,buf,len,flags
invoke SetFunctionAddr                   ; re-install the stub (clobbers eax - see note above)
ret
MySend endp




;MyMessageBox proc hwnd:DWORD ,t:DWORD ,content:DWORD,m_type:DWORD
;invoke UnSetFunctionAddr
;
;
;invoke MessageBoxA,NULL,t,CTXT("HOOk"),m_type
; mov cds.dwData ,100
;
; invoke GetCurrentProcessId
; invoke wsprintf,addr copyBuffer,CTXT("%d"),eax
; mov cds.cbData,eax
; mov cds.lpData,offset copyBuffer
; invoke FindWindow,NULL,CTXT("Form1")
; invoke SendMessage,eax,WM_COPYDATA,NULL,addr cds
;
;
;
;
;invoke SetFunctionAddr
;
;
;ret
;MyMessageBox endp







;------------------------------------------
; void Init(LPCSTR module, LPCSTR functionName, void *function)
; Builds the jump stub in `api` (mov eax, function / jmp eax), resolves the
; target export, saves its first 8 bytes into oldFunctionAddr and writes the
; stub over them via SetFunctionAddr.  hProcess is the GetCurrentProcess()
; pseudo-handle, so every Read/WriteProcessMemory call targets this process.
; Nothing is checked: FindFunctionAddr may return NULL (the read and write are
; then attempted at address 0) and ReadProcessMemory's result is ignored.
Init proc module:DWORD ,functionName:DWORD,function:DWORD

mov api._mov_eax,0B8h                    ; opcode: mov eax, imm32
mov eax,function
mov api.hookFunction,eax                 ; imm32 = address of the replacement
mov api._jmp,0FFh                        ; jmp r/m32 ...
mov api._jmp_eax,0E0h                    ; ... ModRM = eax
;-------------------------------------------------
invoke GetCurrentProcess
mov hProcess,eax
invoke FindFunctionAddr,module,functionName
mov oldFunction,eax
invoke ReadProcessMemory,hProcess,oldFunction,addr oldFunctionAddr,8h,NULL   ; save 8 original bytes (the stub is 7)
invoke SetFunctionAddr
ret
Init endp

; FARPROC FindFunctionAddr(LPCSTR module, LPCSTR functionName)
; Resolves an export: LoadLibrary(module), then GetProcAddress(hModule, name).
; Returns the export address in eax, or NULL when either call fails (a NULL
; module handle is passed straight on to GetProcAddress).  Each call adds a
; LoadLibrary reference that this file never releases with FreeLibrary.
FindFunctionAddr proc module:DWORD,functionName:DWORD
        invoke  LoadLibrary, module     ; eax = HMODULE (or NULL)
        ; explicit stdcall sequence for GetProcAddress(eax, functionName):
        ; arguments pushed right to left, callee cleans the stack
        push    functionName
        push    eax
        call    GetProcAddress          ; eax = FARPROC (or NULL)
        ret
FindFunctionAddr endp


; BOOL SetFunctionAddr(void)
; Writes the 7-byte stub in `api` over the export at oldFunction.
; Returns ChangeFunction's result (WriteProcessMemory's BOOL) in eax.
SetFunctionAddr proc

invoke ChangeFunction,oldFunction,addr api,size ApiHook
ret
SetFunctionAddr endp


; BOOL UnSetFunctionAddr(void)
; Writes the 8 saved original bytes (oldFunctionAddr) back over the export at
; oldFunction, undoing SetFunctionAddr.  Returns WriteProcessMemory's BOOL.
; Only meaningful after Init has filled oldFunctionAddr.
UnSetFunctionAddr proc
invoke ChangeFunction,oldFunction,addr oldFunctionAddr,8
ret
UnSetFunctionAddr endp


; BOOL ChangeFunction(void *function_addr, const void *new_addr, DWORD write_size)
; Writes write_size bytes from new_addr over function_addr in hProcess and
; returns WriteProcessMemory's BOOL (kept across the final protect call by the
; push/pop).  Sequence: query the region, make it writable, write, set
; protection back.
; Review notes (behaviour as written, not changed here):
;  - Both VirtualProtectEx calls use mbi.BaseAddress (the region base) with a
;    size of 8, not function_addr/write_size; VirtualProtectEx works at page
;    granularity, so if function_addr is outside the first page of its region
;    the protection change does not cover it.
;  - The first call stores the previous protection in mbi.Protect, but the
;    second call hard-codes PAGE_EXECUTE_READ instead of restoring that value.
;  - VirtualQueryEx / VirtualProtectEx results are not checked.
;  - Making a code page PAGE_EXECUTE_READWRITE and writing to it with
;    WriteProcessMemory on the current process is the pattern memory-integrity
;    telemetry looks for; this is the step a defender would monitor.
ChangeFunction proc function_addr:DWORD,new_addr:DWORD,write_size:DWORD
LOCAL mbi:MEMORY_BASIC_INFORMATION
LOCAL msize:DWORD                        ; unused

;query the region containing function_addr
invoke VirtualQueryEx,hProcess, function_addr,addr mbi,SIZEOF MEMORY_BASIC_INFORMATION

;make it writable (old protection is returned into mbi.Protect)

invoke VirtualProtectEx,hProcess, mbi.BaseAddress,8h,PAGE_EXECUTE_READWRITE,addr mbi.Protect

;write the bytes

invoke WriteProcessMemory,hProcess, function_addr, new_addr, write_size ,NULL

PUSH eax                                 ; keep WriteProcessMemory's result as the return value

;set protection back (hard-coded, not the value saved above)

invoke VirtualProtectEx,hProcess,mbi.BaseAddress,8h,PAGE_EXECUTE_READ,addr mbi.Protect
pop eax
ret
ChangeFunction endp




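; LRESULT CALLBACK GetMsgProc(int nCode, WPARAM wParam, LPARAM lParam)
; WH_GETMESSAGE hook procedure.  It does no work of its own; it exists only so
; that SetWindowsHookEx (HookApi) has a procedure to install.
; Returns the value from CallNextHookEx, as the hook contract requires for
; nCode < 0 and recommends otherwise; the previous hard-coded `mov eax,TRUE`
; discarded that result.
GetMsgProc proc nCode:DWORD,wParam:DWORD,lParam:DWORD
invoke CallNextHookEx,hHook,nCode,wParam,lParam   ; eax = next hook's result
ret
GetMsgProc endp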


;install the hook
; void HookApi(void)
; Installs a WH_GETMESSAGE hook with this DLL's module handle and dwThreadId =
; NULL.  Per SetWindowsHookEx semantics a NULL thread id makes the hook global,
; which causes the system to load this DLL into other GUI processes on the
; desktop; that load runs LibMain's DLL_PROCESS_ATTACH path (the send patch)
; in each of them.  Guarded by hHook == 0 so repeated calls install once.
; SetWindowsHookEx's result is stored unchecked (NULL on failure).
HookApi proc
.if hHook ==0
invoke SetWindowsHookEx,WH_GETMESSAGE,addr GetMsgProc,hInstance,NULL
mov hHook,eax
.endif

ret
HookApi endp


;remove the hook
; void UnHookApi(void)
; Removes the WH_GETMESSAGE hook, writes the original send bytes back in the
; calling process only, and clears hHook.  Unlike HookApi there is no hHook == 0
; guard, so UnhookWindowsHookEx is called with 0 when nothing was installed;
; neither result is checked.
UnHookApi proc
invoke UnhookWindowsHookEx,hHook
invoke UnSetFunctionAddr
mov hHook,0
ret
UnHookApi endp

End LibMain
