#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <string.h>
// Inline JMP hook: the first 5 bytes of the target function are replaced with
// a near relative jump, encoded as [0xE9][offset].
// offset: signed 32-bit integer, the distance from the address of the
// instruction following the jmp (jmp start + 5) to the hook target:
//     offset = target_address - (jmp_start_address + 5)
// Short jumps (0xEB, 8-bit offset) exist as well, but 0xE9 is the usual choice
// because its 32-bit offset can reach any address in a 32-bit process.
// Hook state. Everything here is process-global, so the hook is neither
// re-entrant nor thread-safe (see MessageBoxProxy).
BYTE jmp[5]={0};        // the 5-byte "jmp rel32" (0xE9 + 32-bit offset) written over the target entry
BYTE enter[5]={0};      // original first 5 bytes of MessageBoxA, restored before calling through
HANDLE hProcess=NULL;   // current-process handle used for FlushInstructionCache; set in main
DWORD pfnMsgBox=0;      // address of MessageBoxA; a 32-bit DWORD, so this demo assumes an x86 build
DWORD dwOld=0;          // page protection of the target before VirtualProtect, restored by RemoveHook
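// Detour target for MessageBoxA. Logs the caption and text, temporarily
// restores the original entry bytes so the real MessageBoxA can be called,
// then re-arms the jmp. Same signature as MessageBoxA so the stack layout
// matches when control arrives via the patched entry.
//
// Not thread-safe: between the two memcpy calls another thread entering
// MessageBoxA runs it un-hooked, and a thread arriving while the bytes are
// half-written would fault. Acceptable for this single-threaded demo only.
//
// Returns whatever MessageBoxA returned.
int WINAPI MessageBoxProxy(IN HWND hWnd, IN LPCSTR lpText, IN LPCSTR lpCaption, IN UINT uType)
{
    int ret=0;
    printf("this is MessageBoxProxy begin!\n");
    // MessageBoxA accepts NULL for either string (a NULL caption shows "Error");
    // printf("%s", NULL) is undefined behavior, so print a marker instead.
    printf("Caption:%s\n", lpCaption ? lpCaption : "(null)");
    printf("Text:%s\n", lpText ? lpText : "(null)");
    memcpy((void*)pfnMsgBox,enter,5);   // restore the original entry bytes
    FlushInstructionCache(hProcess,(void*)pfnMsgBox,5);
    // Call MessageBoxA explicitly: the hook is on the ANSI export, and the
    // MessageBox macro would resolve to MessageBoxW in a UNICODE build.
    ret=MessageBoxA(hWnd,lpText,lpCaption,uType);
    memcpy((void*)pfnMsgBox,jmp,5);     // re-arm the hook
    FlushInstructionCache(hProcess,(void*)pfnMsgBox,5);
    printf("this is MessageBoxProxy end!\n");
    return ret;
}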
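// Installs a 5-byte "jmp rel32" over the entry of user32!MessageBoxA so that
// calls land in MessageBoxProxy. The page is left PAGE_EXECUTE_READWRITE until
// RemoveHook restores the saved protection, because the proxy rewrites the
// bytes on every call. On any failure the hook stays uninstalled and
// pfnMsgBox stays 0, which RemoveHook treats as "nothing to undo".
//
// x86 only: pfnMsgBox is a DWORD and the rel32 displacement must fit in
// 32 bits; on x64 the addresses would be truncated and the jump mis-targeted.
void SetupHook(void)
{
    HMODULE hUser32 = GetModuleHandleA("user32.dll");
    FARPROC target = NULL;
    DWORD rel = 0;
    if (hUser32 == NULL) {
        printf("SetupHook: user32.dll is not loaded (error %lu)\n", GetLastError());
        return;
    }
    // GetProcAddress takes an ANSI name regardless of UNICODE, so no _T() here.
    target = GetProcAddress(hUser32, "MessageBoxA");
    if (target == NULL) {
        printf("SetupHook: MessageBoxA not found (error %lu)\n", GetLastError());
        return;
    }
    // Make the entry writable before touching it; fail closed rather than
    // fault on a read-only code page if VirtualProtect refuses.
    if (!VirtualProtect((void*)target, 5, PAGE_EXECUTE_READWRITE, &dwOld)) {
        printf("SetupHook: VirtualProtect failed (error %lu)\n", GetLastError());
        return;
    }
    pfnMsgBox = (DWORD)(DWORD_PTR)target;
    memcpy(enter, (void*)pfnMsgBox, 5);   // save the bytes we are about to overwrite
    // offset = target - (jmp start + 5): relative to the instruction after the
    // jmp. Unsigned arithmetic wraps modulo 2^32, which is exactly the rel32
    // encoding and avoids signed-overflow UB.
    rel = (DWORD)(DWORD_PTR)&MessageBoxProxy - (pfnMsgBox + 5);
    jmp[0] = 0xe9;
    memcpy(&jmp[1], &rel, 4);             // memcpy instead of a misaligned int* store
    memcpy((void*)pfnMsgBox, jmp, 5);     // from here on, MessageBoxA jumps to MessageBoxProxy
    // The CPU may still hold the old bytes in its instruction cache/pipeline.
    FlushInstructionCache(GetCurrentProcess(), (void*)pfnMsgBox, 5);
}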
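// Restores the original MessageBoxA entry bytes and the page protection
// saved by SetupHook. Safe to call when SetupHook failed or never ran:
// pfnMsgBox is then 0 and there is nothing to undo (the original would have
// written to address 0). Also safe to call twice.
void RemoveHook(void)
{
    DWORD dwtemp = 0;
    if (pfnMsgBox == 0) {
        return;
    }
    memcpy((void*)pfnMsgBox, enter, 5);
    FlushInstructionCache(hProcess, (void*)pfnMsgBox, 5);
    if (!VirtualProtect((void*)pfnMsgBox, 5, dwOld, &dwtemp)) {
        printf("RemoveHook: VirtualProtect failed (error %lu)\n", GetLastError());
    }
    pfnMsgBox = 0;   // mark the hook as removed so a second call is a no-op
}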
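// Demo entry point: hooks MessageBoxA, triggers it once through the hook,
// removes the hook and triggers it again un-hooked. MessageBoxA is called
// explicitly with narrow literals: the hook is on the ANSI export, so the
// generic MessageBox/_T() pair would silently bypass it in a UNICODE build.
int main(void)
{
    hProcess=GetCurrentProcess();   // must be set before the hook is armed: the proxy uses it
    SetupHook();
    MessageBoxA(NULL,"Hook Demo!","API Hook",MB_ICONINFORMATION);
    RemoveHook();
    MessageBoxA(NULL,"Hook Demo!","API Hook",MB_ICONINFORMATION);
    // Spawns cmd.exe via PATH lookup; fine for a demo, not for production code.
    system("pause");
    return 0;
}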