// testqq.cpp : Defines the entry point for the DLL application. // #include "stdafx.h" #include <windows.h> DWORD WINAPI hookqq(PVOID lp); DWORD dwOldAddr=0x12456; void dd() { } BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { if (ul_reason_for_call==DLL_PROCESS_ATTACH) { DWORD dw; CreateThread(NULL,NULL,hookqq,NULL,NULL,&dw); } return TRUE; } char *p=(char*)0x123456; static __declspec(naked)void NAKEABC() { _asm { push eax mov eax,DWORD PTR [esp+8] mov p,eax pop eax } __asm jmp dwOldAddr } // DWORD WINAPI hookqq(PVOID lp) { //LoginCtrl.dll的模块基址 HMODULE hMod = LoadLibrary("LoginCtrl.dll"); if (hMod == 0 ) { return 1; } //得到DOS头 PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hMod ; //如果DOS头无效 if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) { return 1; } //得到NT头 PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)((ULONG)hMod + pDosHeader->e_lfanew); //如果NT头无效 if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE) { return 1; } //检查输入表数据目录是否存在 if (pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress == 0 || pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size == 0 ) { return 1; } //得到输入表描述指针 PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG)hMod + pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); PIMAGE_THUNK_DATA ThunkData ; //检查每个输入项 while(ImportDescriptor->FirstThunk) { //检查输入表项是否为ntdll.dll char* dllname = (char*)((ULONG)hMod + ImportDescriptor->Name); //如果不是,则跳到下一个处理 OutputDebugString(dllname); if (stricmp(dllname , "QQHelperDll.dll") !=0) { ImportDescriptor ++ ; continue; } ThunkData = (PIMAGE_THUNK_DATA)((ULONG)hMod + ImportDescriptor->OriginalFirstThunk); int no = 1; while(ThunkData->u1.Function) { //检查函数是否为NtDeviceIoControlFile char* functionname = (char*)((ULONG)hMod + ThunkData->u1.AddressOfData + 2); if (stricmp(functionname , "?CheckQQUinValid@@YAHVCString@@@Z") == 0 ) { // //如果是,那么记录原始函数地址 //HOOK我们的函数地址 // ULONG myaddr = (ULONG)NAKEABC; ULONG btw =0; PDWORD lpAddr = (DWORD *)((ULONG)hMod + (DWORD)ImportDescriptor->FirstThunk) +(no-1); dwOldAddr = (DWORD)(*(ULONG*)lpAddr) ; DWORD dwOldFlag; VirtualProtect((void*)lpAddr,4,PAGE_READWRITE,&dwOldFlag); memcpy(lpAddr,&myaddr,sizeof(ULONG)); // WriteProcessMemory(GetCurrentProcess() , lpAddr , &myaddr , sizeof(ULONG), &btw ); if (btw==4) { MessageBox(NULL,"dsafsdfsdfasfs",NULL,NULL); } return 1; } no++; ThunkData ++; } ImportDescriptor ++; } return 1; }