新网站 http://www.softwareace.cn/?p=120
前段时间有个项目需要此功能，貌似国内没人放出完整的例子。
新建 DLL 动态库工程，工程名为 InterceptShutdown。
本文出自 王牌软件,转载时请注明出处及相应链接。
本文永久链接: http://www.softwareace.cn/?p=120
//新建 InterceptShutdown.h
// Include guard.  NOTE(review): identifiers containing "__" are reserved for
// the implementation; a plain INTERCEPTSHUTDOWN_H would be the conventional name.
#if !defined __INTERCEPTSHUTDOWN__H
#define __INTERCEPTSHUTDOWN__H
// NOTE(review): INJECT_EX_EXPORTS is defined unconditionally right here, so the
// #ifdef below always selects dllexport -- also in any client that includes this
// header.  Normally the DLL project defines it in its build settings and the
// header leaves it alone.
#define INJECT_EX_EXPORTS
#ifdef INJECT_EX_EXPORTS
#define HOOKDLL_API __declspec(dllexport)
#else
#define HOOKDLL_API __declspec(dllimport)
#endif
// NOTE(review): the types used below (LPCTSTR, PROC, HMODULE) come from
// <windows.h>, which this header does not include, and InterceptShutdown.cpp
// includes this header *before* <windows.h>.  Presumably <mapidefs.h> is here
// only because it pulls <windows.h> in transitively -- including <windows.h>
// directly would make the dependency explicit.
#include <mapidefs.h>
// One API hook record: which imported function to redirect, in which importing
// module, and the address to redirect it to.
typedefstruct _APIHOOK32_ENTRY
{
LPCTSTR pszAPIName; // API name; informational only -- _SetApiHookUp matches by address, not by this name
LPCTSTR pszCallerModuleName; // name of the DLL exporting the API; compared (case-insensitively) with the import descriptor name
PROC pfnOriginApiAddress; // original function address: the IAT value being looked for
PROC pfnDummyFuncAddress; // replacement function address: the value written into the IAT slot
HMODULE hModCallerModule; // module whose IAT is patched; NULL means "every module in the process"
}APIHOOK32_ENTRY, *PAPIHOOK32_ENTRY;
// NOTE(review): these two are *definitions*, not declarations.  A header that is
// included from more than one translation unit will produce duplicate symbols;
// `extern` here plus a single definition in the .cpp is the usual shape.
PROC lpAdder; // assigned in DllMain; not read anywhere in this listing
APIHOOK32_ENTRY pe; // the single hook record, filled in by DllMain (per-process, not in the shared section)
// Exported entry points (also listed in the .def file).  Both return 1 on
// success and 0 on failure.
HOOKDLL_APIintInstallHook();
HOOKDLL_APIintUninstallHook();
#endif // !defined __INTERCEPTSHUTDOWN__H
//新建 InterceptShutdown.cpp
#include "InterceptShutdown.h"
#include <windows.h>
#include <imagehlp.h>
#include <tlhelp32.h>
//odbc32.lib odbccp32.lib ImageHlp.lib
#pragma comment(lib, "odbc32.lib")
#pragma comment(lib, "odbccp32.lib")
#pragma comment(lib, "ImageHlp.lib")
//-------------------------------------------------------------
// shared data
// The linker directive below marks section "mydata" Read/Write/Shared, so it
// is mapped once and shared by every process that loads this DLL: glhHook has
// the same value in all of them.  (Variables must be explicitly initialised
// to land in a named data segment, which is why the = NULL is not redundant.)
// NOTE(review): a writable shared section is reachable from every process the
// hook lands in; any of them can overwrite glhHook, which is afterwards passed
// to CallNextHookEx and UnhookWindowsHookEx by all the others.  Keep only what
// truly has to be shared in here and treat its contents as untrusted.
// (The original comment here referred to "HookInjEx.dll"/"HookInjEx.exe", a
// different sample this code appears to be derived from.)
#pragma data_seg("mydata")
HHOOKglhHook=NULL;// handle of the installed WH_GETMESSAGE hook
//HINSTANCE glhInstance=NULL; // DLL instance handle -- moved to the unshared globals below
#pragma data_seg()
#pragma comment(linker,"/SECTION:mydata,RWS")
//-------------------------------------------------------------
// global variables (unshared!)
// Each process that loads the DLL gets its own copy of these.
//
HINSTANCEglhInstance=NULL; // this DLL's own instance handle; set in DllMain, passed to SetWindowsHookEx by InstallHook
// WH_GETMESSAGE hook procedure.  It does no work of its own: the system-wide
// hook only serves to get this DLL mapped into the hooked processes (the IAT
// patch itself is applied from DllMain).  Every call is passed straight on to
// the next hook in the chain.
// NOTE(review): declared without CALLBACK; the (HOOKPROC) cast at the
// SetWindowsHookEx call in InstallHook hides the mismatch.  On 32-bit builds,
// where the default convention is __cdecl, that is a stack-corruption bug.
LRESULTHookProc(int code, // hook code
WPARAMwParam, // removal option
LPARAMlParam // message
)
{
returnCallNextHookEx(glhHook,code,wParam,lParam);
}
// Patch one import-address-table (IAT) entry of the module phk->hModCallerModule.
// Walks that module's import descriptors looking for phk->pszCallerModuleName,
// then scans the matching IAT for a slot equal to phk->pfnOriginApiAddress and
// overwrites it with phk->pfnDummyFuncAddress.  phk->pszAPIName is not
// consulted; matching is purely by address.
// Returns TRUE when a slot was found and the write was attempted, FALSE when
// the module has no import directory, does not import pszCallerModuleName, or
// holds no slot with the original address.
// NOTE(review): the WriteProcessMemory result is discarded, so a failed write
// is still reported as TRUE.
// NOTE(review): pszCallerModuleName is LPCTSTR but compared with lstrcmpiA, so
// this only compiles in a non-UNICODE build.
BOOLWINAPI _SetApiHookUp(PAPIHOOK32_ENTRY phk)
{
PIMAGE_THUNK_DATA pThunk;
ULONG size;
// Locate the import directory (array of IMAGE_IMPORT_DESCRIPTOR) of the target module.
PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(phk->hModCallerModule, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT,&size);
if(pImportDesc == NULL)
returnFALSE;
// Find the descriptor for the DLL we are interested in (case-insensitive name compare).
for(;pImportDesc->Name;pImportDesc++)
{
LPSTRpszDllName = (LPSTR)((PBYTE)phk->hModCallerModule+pImportDesc->Name); // Name is an RVA to the ASCII DLL name
if(lstrcmpiA(pszDllName,phk->pszCallerModuleName) == 0)
break;
}
// Ran off the end of the descriptor array (the terminator has Name == 0): the DLL is not imported.
if(pImportDesc->Name ==NULL)
returnFALSE;
// Walk the IAT (FirstThunk), which holds the resolved function addresses.
pThunk = (PIMAGE_THUNK_DATA) ((PBYTE)phk->hModCallerModule+pImportDesc->FirstThunk);//IAT
// OriginalFirstThunk (unresolved names/ordinals) is not used:
// pThunk = (PIMAGE_THUNK_DATA) ((PBYTE)phk->hModCallerModule+pImportDesc->OriginalFirstThunk);
for(;pThunk->u1.Function;pThunk++)
{
// ppfn points at the IAT slot itself, so it can be overwritten in place.
PROC *ppfn= (PROC *)&pThunk->u1.Function;
if(*ppfn == phk->pfnOriginApiAddress)
{
// Found the slot holding the original address: redirect it to the replacement.
// NOTE(review): return value unchecked (see the header comment).
WriteProcessMemory(GetCurrentProcess(),ppfn,&(phk->pfnDummyFuncAddress),sizeof(phk->pfnDummyFuncAddress),NULL);
returnTRUE;
}
}
returnFALSE;
}
//***************************************************************************************/
// SetWindowsAPIHook: apply the IAT patch described by *phk.
// When phk->hModCallerModule is NULL the patch is applied to every module
// loaded in the current process except this DLL itself; otherwise only to that
// one module.  Modelled on SetWindowsHookEx.
// Returns FALSE if the record is incomplete; TRUE in the all-modules case
// regardless of whether any module was actually patched; otherwise the result
// of _SetApiHookUp.
// NOTE(review): hSnapshot is never passed to CloseHandle, so one snapshot
// handle is leaked per call.  The CreateToolhelp32Snapshot result is also not
// checked against INVALID_HANDLE_VALUE before Module32First uses it.
// NOTE(review): the only caller in this listing (DllMain) runs this during
// DLL_PROCESS_ATTACH, i.e. under the loader lock, where Toolhelp/ImageHlp
// calls are outside what Microsoft's DllMain guidance permits -- worth
// confirming this is safe in the processes it lands in.
//***************************************************************************************//
BOOLWINAPI SetWindowsAPIHook(PAPIHOOK32_ENTRY phk)
{
MEMORY_BASIC_INFORMATION mInfo;
HMODULE hModHookDLL;
HANDLE hSnapshot;
BOOL bOk;
MODULEENTRY32 me = {sizeof(MODULEENTRY32)}; // dwSize must be set before Module32First
// Reject incomplete records.  (pszAPIName is checked here but never used by _SetApiHookUp.)
if(phk->pszAPIName == NULL || phk->pszCallerModuleName == NULL ||
phk->pfnOriginApiAddress == NULL)
returnFALSE;
if(phk->hModCallerModule == NULL)
{
// Find our own module base from the address of one of our functions, so we can skip patching ourselves.
VirtualQuery(_SetApiHookUp,&mInfo,sizeof(mInfo));
hModHookDLL=(HMODULE)mInfo.AllocationBase;
// Enumerate every module in this process (process id 0 = the calling process).
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,0);
bOk = Module32First(hSnapshot,&me);
while(bOk)
{
if(me.hModule != hModHookDLL)
{
phk->hModCallerModule = me.hModule;
_SetApiHookUp(phk); // result ignored: modules that do not import the API simply return FALSE
}
bOk = Module32Next(hSnapshot,&me);
}
// NOTE(review): CloseHandle(hSnapshot) is missing here.
phk->hModCallerModule = NULL; // restore the "all modules" marker so the record can be reused
returnTRUE;
}
else
return_SetApiHookUp(phk);
returnFALSE; // unreachable: both branches above return
}
// Restore the original IAT entries for *lpHk by re-running the hook with the
// two addresses swapped: slots currently holding the dummy address get the
// original address written back.
// Returns whatever SetWindowsAPIHook returns (TRUE in the all-modules case
// even if nothing was restored).
// NOTE(review): the swap is left in place on return, so lpHk now describes
// the reverse mapping; calling this a second time re-installs the hook
// instead of being a no-op.
BOOLWINAPI UnhookWindowsAPIHooks(PAPIHOOK32_ENTRY lpHk)
{
PROC temp;
temp = lpHk->pfnOriginApiAddress;
lpHk->pfnOriginApiAddress = lpHk->pfnDummyFuncAddress;
lpHk->pfnDummyFuncAddress = temp;
returnSetWindowsAPIHook(lpHk);
}
// Replacement for user32!ExitWindowsEx written into the IAT.  Same signature
// and calling convention as the real function so callers are unaffected; it
// refuses every shutdown/restart/logoff request by returning FALSE without
// doing anything.
// NOTE(review): no SetLastError call, so a caller that inspects
// GetLastError() after the failure sees whatever stale value was there.
BOOLWINAPI MyExitWindowsEx(
UINTuFlags, // shutdown operation (ignored)
DWORDdwReserved // reserved (ignored)
)
{
// Disabled debug prompt ("Cannot restart!!!" / "Notice"):
//MessageBox(NULL,"不能重起!!!","提示",MB_OKCANCEL);
returnFALSE;
}
// Exported: install a system-wide WH_GETMESSAGE hook (thread id 0 = all threads
// on the desktop) with HookProc from this DLL.  Returns 1 on success, 0 if
// SetWindowsHookEx failed.
// NOTE(review): HookProc is not declared CALLBACK; the (HOOKPROC) cast hides
// the convention mismatch (see the note on HookProc).
// NOTE(review): relies on glhInstance having been set in DllMain; a second
// call overwrites the shared glhHook without unhooking the first hook.
intInstallHook()
{
glhHook = SetWindowsHookEx( WH_GETMESSAGE,(HOOKPROC)HookProc,glhInstance, 0);
if( glhHook==NULL )
return0;
return1;
}
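int UninstallHook()
{
	// Exported: undo InstallHook.  Restores the patched IAT entries in this
	// process and removes the WH_GETMESSAGE hook.  Returns 1 if both steps
	// succeeded, 0 if either failed.
	//
	// Both steps are attempted unconditionally.  The original
	//   if(!UnhookWindowsAPIHooks(&pe) || !UnhookWindowsHookEx(glhHook))
	// short-circuited, so a failed IAT restore left the system-wide message
	// hook in place (and this DLL still being loaded into new processes).
	//
	// NOTE(review): only this process's IAT is restored -- `pe` is not in the
	// shared section, so other processes that loaded the DLL keep their patch.
	// NOTE(review): UnhookWindowsAPIHooks swaps the addresses in `pe`, so calling
	// UninstallHook twice re-applies the patch instead of being a no-op
	// (unchanged from the original).
	BOOL bApiRestored = UnhookWindowsAPIHooks(&pe);
	BOOL bMsgHookRemoved = UnhookWindowsHookEx(glhHook);
	if(!bApiRestored || !bMsgHookRemoved)
		return 0;
	return 1;
}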
//-------------------------------------------------------------
// DllMain
// On DLL_PROCESS_ATTACH: record the instance handle, fill in the single hook
// record `pe` (redirect user32!ExitWindowsEx to MyExitWindowsEx in every
// module of this process) and apply it immediately.  This runs in every
// process the DLL is loaded into, so each such process loses the ability to
// shut down / restart / log off through ExitWindowsEx while the DLL stays
// loaded.
// NOTE(review): there is no DLL_PROCESS_DETACH handling.  If the DLL is ever
// unloaded from a process while the patch is in place, the IAT slots still
// point at MyExitWindowsEx inside the unmapped image and the next
// ExitWindowsEx call in that process jumps into unmapped memory.  Restoring
// the IAT on detach (UnhookWindowsAPIHooks(&pe)) closes that hole.
// NOTE(review): the work done here (Toolhelp module enumeration, ImageHlp,
// WriteProcessMemory) happens under the loader lock; Microsoft's DllMain
// guidance restricts what may be called from DLL_PROCESS_ATTACH -- worth
// confirming this is safe in the processes it lands in.
// NOTE(review): the struct fields are LPCTSTR but initialised with narrow
// literals, so this compiles only in a non-UNICODE build.
//
BOOLAPIENTRY DllMain( HINSTANCEhModule,
DWORD ul_reason_for_call,
LPVOIDlpReserved
)
{
if(ul_reason_for_call == DLL_PROCESS_ATTACH)
{
glhInstance=hModule;
// Disabled debug prompt ("Cannot restart!!!" / "Notice"):
// MessageBox(NULL,"不能重起!!!","提示",MB_OKCANCEL);
// showup();
pe.pszAPIName ="ExitWindowsEx"; // API name (informational; matching is by address)
pe.pszCallerModuleName="user32.dll"; // DLL the API is imported from
pe.pfnOriginApiAddress=(PROC)ExitWindowsEx;// address the IAT slot currently holds
pe.pfnDummyFuncAddress=(PROC)MyExitWindowsEx; // address written in its place
pe.hModCallerModule =NULL; // NULL: patch every module in this process
lpAdder=(PROC)ExitWindowsEx; // not read anywhere in this listing
SetWindowsAPIHook(&pe); // return value ignored
}
return(TRUE);
}
//新建 InterceptShutdown.def
LIBRARY"InterceptShutdown"
DESCRIPTION 'Intercept shutdown restart'
EXPORTS
InstallHook
UninstallHook
禁止（拦截）关机、重启、注销事件