#include<windows.h>
#include <TlHelp32.h>
#include <stdio.h>
#include <limits.h>
// Function-pointer type for kernel32!OpenThread, resolved at run time in
// SetSehHook rather than linked statically.
// NOTE(review): OpenThread has been a documented kernel32 export for a long
// time; the dynamic lookup looks like a leftover from an older SDK — confirm
// whether it is still needed, otherwise a direct call would be simpler.
typedef HANDLE(WINAPI *OPENTHREAD) (DWORD dwFlag, BOOL bUnknow, DWORD dwThreadId);
OPENTHREAD g_lpfnOpenThread = NULL;
// Address of user32!MessageBoxA; the DR0 execute breakpoint is placed here.
// Held in a DWORD, so this file is 32-bit (x86) only.
DWORD g_HookAddr;
// g_HookAddr + 2: where OriginalFunc resumes after re-executing the 2-byte
// `mov edi, edi` prologue, so the breakpoint at the entry is not hit again.
DWORD g_HookAddrOffset;
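// Dumps the general-purpose registers of the interrupted thread and the four
// stack arguments of the intercepted MessageBoxA call.
//
// On x86 stdcall the return address sits at [Esp] and the arguments follow at
// [Esp+4] .. [Esp+0x10] (hWnd, lpText, lpCaption, uType).
//
// context: thread context captured at the hardware breakpoint; must be non-NULL
//          and describe a 32-bit thread stopped at the MessageBoxA entry.
//
// This runs inside the exception filter, so a fault here would be raised from
// within the filter itself; the two string arguments are therefore NULL-checked
// before being handed to %s.
void GetInformation(PCONTEXT context)
{
    if (context == NULL)
    {
        return;
    }

    printf("EAX: %X \nEBX: %X\nECX: %X\nEDX: %X\nESP: %X\nEBP: %X\nESI: %X\nEDI: %X\n",
        context->Eax,
        context->Ebx,
        context->Ecx,
        context->Edx,
        context->Esp,
        context->Ebp,
        context->Esi,
        context->Edi
    );

    const DWORD* stack = (const DWORD*)context->Esp;
    const DWORD hWnd = stack[1];
    const char* lpText = (const char*)stack[2];
    const char* lpCaption = (const char*)stack[3];
    const UINT uType = (UINT)stack[4];

    // uType is an integer flag mask (e.g. MB_OK); the original printed it with
    // %s, which dereferences the value as a pointer. Print it as hex instead.
    printf("参数 \n"
        "参数1: %X\n"
        "参数2: %s\n"
        "参数3: %s\n"
        "参数4: %X\n",
        hWnd,
        lpText != NULL ? lpText : "(null)",
        lpCaption != NULL ? lpCaption : "(null)",
        uType
    );
}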
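// Overwrites, in place, the lpText argument ([Esp+8]) of the intercepted
// MessageBoxA call with the replacement string.
//
// debug_context: thread context captured at the hardware breakpoint (x86).
//
// The caller's buffer is usually a read-only string literal, so its page is
// temporarily made writable and the previous protection restored afterwards.
// The write is bounded by the original string's length: a shorter original
// truncates the replacement, and the original terminator is left in place.
//
// NOTE(review): PAGE_EXECUTE_READWRITE is broader than a data write needs;
// PAGE_READWRITE would do for a string in .rdata. Kept as in the original
// because the page holding the string is not known here.
void ModifytheText(PCONTEXT debug_context)
{
    if (debug_context == NULL)
    {
        return;
    }

    char* text = (char*)(*(DWORD*)(debug_context->Esp + 0x8));
    if (text == NULL)
    {
        // MessageBoxA accepts a NULL lpText; nothing to rewrite.
        return;
    }

    const size_t length = strlen(text);
    if (length == 0)
    {
        // An empty string has no room for a replacement.
        return;
    }

    DWORD oldprotect = 0;
    if (!VirtualProtect(text, length, PAGE_EXECUTE_READWRITE, &oldprotect))
    {
        // Writing to a still read-only page would fault inside the exception
        // filter, so give up instead.
        printf("VirtualProtect failed: %lu\n", GetLastError());
        return;
    }

    _snprintf(text, length, "HOOK 成功");

    // Restore the page's previous protection; a failure here does not affect
    // the hook, so it is only reported.
    if (!VirtualProtect(text, length, oldprotect, &oldprotect))
    {
        printf("VirtualProtect (restore) failed: %lu\n", GetLastError());
    }
}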
// Trampoline the exception filter resumes execution at after the breakpoint
// fires (ExceptionFilter sets Eip to this function).
//
// It re-executes the first instruction of MessageBoxA — the 2-byte hot-patch
// prologue `mov edi, edi` — and then jumps to g_HookAddrOffset (MessageBoxA + 2),
// so the DR0 breakpoint at the function entry is not triggered a second time.
//
// NOTE(review): this hard-codes the assumption that the hooked function begins
// with a 2-byte `mov edi, edi` (g_HookAddrOffset = g_HookAddr + 2 in SetSehHook);
// confirm against the user32.dll build actually loaded. `naked` with inline
// asm is MSVC x86-only.
void __declspec(naked) OriginalFunc(void)
{
__asm
{
mov edi, edi
jmp[g_HookAddrOffset]
}
}
// Exception handling function
// Top-level exception filter that services the hardware breakpoint placed on
// MessageBoxA. A DR0 hit is reported as EXCEPTION_SINGLE_STEP with the
// exception address equal to the hooked entry; for that case the text argument
// is rewritten, registers and arguments are dumped, and execution is redirected
// to OriginalFunc. Any other exception is passed on untouched.
//
// ExceptionInfo: exception record and thread context supplied by the OS.
// Returns: EXCEPTION_CONTINUE_EXECUTION for the serviced breakpoint,
//          EXCEPTION_CONTINUE_SEARCH for everything else.
//
// NOTE(review): an unhandled-exception filter only runs once no frame-based
// handler has claimed the exception; a __try/__except around the hooked call
// in the host would swallow the single-step before this filter sees it.
LONG WINAPI ExceptionFilter(PEXCEPTION_POINTERS ExceptionInfo)
{
    PEXCEPTION_RECORD record = ExceptionInfo->ExceptionRecord;

    if (record->ExceptionCode != EXCEPTION_SINGLE_STEP)
    {
        return EXCEPTION_CONTINUE_SEARCH;
    }
    if ((DWORD)record->ExceptionAddress != g_HookAddr)
    {
        return EXCEPTION_CONTINUE_SEARCH;
    }

    PCONTEXT ctx = ExceptionInfo->ContextRecord;
    ModifytheText(ctx);   // rewrite the MessageBoxA text argument
    GetInformation(ctx);  // dump registers and call arguments
    // Resume through the trampoline, which skips past the breakpoint address.
    ctx->Eip = (DWORD)&OriginalFunc;
    return EXCEPTION_CONTINUE_EXECUTION;
}
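// Opens the first thread (in Toolhelp snapshot order) that belongs to the
// current process, with the access rights needed to change its context.
// Returns NULL if the snapshot, enumeration or OpenThread fails; the snapshot
// handle is always released.
//
// NOTE(review): the original treats "first in snapshot order" as the thread to
// hook (presumably the main thread); Toolhelp does not promise an ordering,
// so this should be confirmed if the hook is expected to land on a specific
// thread.
static HANDLE OpenFirstThreadOfCurrentProcess(void)
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        printf("CreateToolhelp32Snapshot failed: %lu\n", GetLastError());
        return NULL;
    }

    HANDLE hThread = NULL;
    const DWORD pid = GetCurrentProcessId();
    THREADENTRY32 entry;
    entry.dwSize = sizeof(THREADENTRY32);

    if (Thread32First(hSnapshot, &entry))
    {
        do
        {
            if (entry.th32OwnerProcessID == pid)
            {
                hThread = g_lpfnOpenThread(
                    THREAD_SET_CONTEXT | THREAD_GET_CONTEXT | THREAD_QUERY_INFORMATION,
                    FALSE,
                    entry.th32ThreadID);
                if (hThread == NULL)
                {
                    printf("OpenThread(%lu) failed: %lu\n", entry.th32ThreadID, GetLastError());
                }
                break;  // only the first thread of this process is hooked
            }
            entry.dwSize = sizeof(THREADENTRY32);
        } while (Thread32Next(hSnapshot, &entry));
    }

    CloseHandle(hSnapshot);
    return hThread;
}

// Arms DR0 on hThread as an execute breakpoint at addr.
// Dr7 = 1 sets L0 (local enable for DR0) and leaves RW0/LEN0 at zero, which
// selects "break on instruction execution, 1 byte".
// Returns the result of SetThreadContext.
static BOOL SetExecuteBreakpoint(HANDLE hThread, DWORD addr)
{
    CONTEXT thread_context = { CONTEXT_DEBUG_REGISTERS };  // only the debug registers are written
    thread_context.Dr0 = addr;
    thread_context.Dr7 = 1;
    return SetThreadContext(hThread, &thread_context);
}

// Installs the hook: resolves OpenThread and MessageBoxA, registers the
// exception filter and then places a hardware execute breakpoint on
// MessageBoxA in the first thread of this process.
//
// Every step that can fail is checked and reported via printf; on failure the
// function returns without arming the breakpoint, so the filter never sees a
// hit for an unresolved address. The filter is registered before the
// breakpoint is armed so that a hit cannot arrive before it is in place.
// The W variants are called explicitly so the wide literals compile whether or
// not UNICODE is defined.
void SetSehHook()
{
    HMODULE hKernel32 = LoadLibraryW(L"kernel32.dll");
    if (hKernel32 == NULL)
    {
        printf("LoadLibraryW(kernel32.dll) failed: %lu\n", GetLastError());
        return;
    }
    g_lpfnOpenThread = (OPENTHREAD)GetProcAddress(hKernel32, "OpenThread");
    if (g_lpfnOpenThread == NULL)
    {
        printf("OpenThread not found: %lu\n", GetLastError());
        return;
    }

    // GetModuleHandle does not load user32; it must already be mapped in this
    // process (it is whenever the host imports MessageBoxA).
    HMODULE hUser32 = GetModuleHandleW(L"user32.dll");
    if (hUser32 == NULL)
    {
        printf("user32.dll is not loaded: %lu\n", GetLastError());
        return;
    }
    g_HookAddr = (DWORD)GetProcAddress(hUser32, "MessageBoxA");
    if (g_HookAddr == 0)
    {
        printf("MessageBoxA not found: %lu\n", GetLastError());
        return;
    }
    // Resume point for OriginalFunc: just past the 2-byte `mov edi, edi` prologue.
    g_HookAddrOffset = g_HookAddr + 2;
    printf("MessageBoxA:%X\n", g_HookAddr);

    HANDLE hHookThread = OpenFirstThreadOfCurrentProcess();
    if (hHookThread == NULL)
    {
        printf("No thread to hook\n");
        return;
    }

    // Register the top-level exception filter before arming the breakpoint.
    SetUnhandledExceptionFilter(ExceptionFilter);

    if (!SetExecuteBreakpoint(hHookThread, g_HookAddr))
    {
        printf("SetThreadContext failed: %lu\n", GetLastError());
    }
    CloseHandle(hHookThread);
}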
// DLL entry point. Installs the hook once, when the DLL is first mapped into a
// process; thread attach/detach and process detach are ignored. Always reports
// success to the loader.
//
// hModule, reserved: unused.
// reason: loader notification code.
//
// NOTE(review): SetSehHook calls LoadLibrary and CreateToolhelp32Snapshot while
// the loader lock is held; Microsoft documents those as unsafe from DllMain.
// Deferring the work to an exported init function would be safer — left as is
// to keep behaviour.
int APIENTRY DllMain(HMODULE hModule, DWORD reason, LPVOID reserved)
{
    (void)hModule;
    (void)reserved;

    switch (reason)
    {
    case DLL_PROCESS_ATTACH:
        SetSehHook();
        break;
    default:
        // DLL_THREAD_ATTACH / DLL_THREAD_DETACH / DLL_PROCESS_DETACH: nothing to do.
        break;
    }
    return TRUE;
}
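// Test harness: loads the hook DLL into this process and then calls
// MessageBoxA so the breakpoint fires and the text is rewritten. Intended to
// be built as a separate executable from the DLL above (the file holds both).
//
// Returns 0. `int main` replaces the non-standard `void main`; the result of
// LoadLibraryA is checked so a missing DLL is reported instead of silently
// showing the unmodified message box.
int main(void)
{
    HMODULE hDll = ::LoadLibraryA("dt.dll");
    if (hDll == NULL)
    {
        printf("LoadLibraryA(dt.dll) failed: %lu\n", GetLastError());
    }
    MessageBoxA(NULL, "349561280", "349561280", MB_OK);
    getchar();  // keep the console open until a key is pressed
    return 0;
}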