- #include "stdio.h"
- #include "tchar.h"
- #include "windows.h"
- //offset=目标地址-(jmp指令起始地址+5)
- //跳转指令解码:[0xe9][offset]
- // offset:有符号整型,四字节.它等于jmp指令的下一指令地址到目标地址的相对距离
- // 计算公式:
- // offset=目标地址-(jmp指令起始地址+5)
- //其实还有0xeb等短跳转指令可用的,但用的最多的还是0xe9跳转
- BYTE jmp[5]={0};
- BYTE enter[5]={0};
- HANDLE hProcess=NULL;
- DWORD pfnMsgBox=0;
- DWORD dwOld=0;
- int WINAPI MessageBoxProxy(IN HWND hWnd, IN LPCSTR lpText, IN LPCSTR lpCaption, IN UINT uType)
- {
- int ret=0;
- printf("this is MessageBoxProxy begin!\n");
- printf("Caption:%s\n",lpCaption);
- printf("Text:%s\n",lpText);
- memcpy((void*)pfnMsgBox,enter,5);//恢复入口指令
- FlushInstructionCache(hProcess,(void*)pfnMsgBox,5);
- ret=MessageBox(hWnd,lpText,lpCaption,uType);//调用原函数
- memcpy((void*)pfnMsgBox,jmp,5);//写入跳转指令
- FlushInstructionCache(hProcess,(void*)pfnMsgBox,5);
- printf("this is MessageBoxProxy end!\n");
- return ret;
- }
- void SetupHook(void)
- {
- pfnMsgBox=(DWORD)GetProcAddress(GetModuleHandle(_T("user32.dll")),_T("MessageBoxA"));
- memcpy(enter,(void*)pfnMsgBox,5);//保存入口指令
- jmp[0]=0xe9;
- *(int*)&jmp[1]=(int)&MessageBoxProxy-((int)pfnMsgBox+5);
- //写入跳转指令,调用MessageBoxA时会跳到MessageBoxProxy
- VirtualProtect((void*)pfnMsgBox,5,PAGE_EXECUTE_READWRITE,&dwOld);
- memcpy((void*)pfnMsgBox,jmp,5);
- }
- void RemoveHook(void)
- {
- DWORD dwtemp;
- memcpy((void*)pfnMsgBox,enter,5);
- FlushInstructionCache(hProcess,(void*)pfnMsgBox,5);
- VirtualProtect((void*)pfnMsgBox,5,dwOld,&dwtemp);
- }
- int main(void)
- {
- hProcess=GetCurrentProcess();
- SetupHook();
- MessageBox(NULL,_T("Hook Demo!"),_T("API Hook"),MB_ICONINFORMATION);
- RemoveHook();
- MessageBox(NULL,_T("Hook Demo!"),_T("API Hook"),MB_ICONINFORMATION);
- system("pause");
- return 0;
- }
JMP、Hook
最新推荐文章于 2024-07-06 19:30:00 发布