ring3 inline hook例子


#include <Windows.h>
#include <stdio.h>
#include <tchar.h>

// Patch written over the first 8 bytes of the API entry (original comment:
// "change the API entry to mov eax,00400000; jmp eax, jumping to our own function"):
//   B8 00 00 40 00   mov eax, 0x00400000  (the imm32 is overwritten in main()
//                                          with the address of MyCreateFile)
//   FF E0            jmp eax
//   00               filler; never reached because jmp eax is unconditional
// "mov eax, imm32" can only hold a 32-bit address, so this only works in a
// 32-bit (x86) build. Overwriting an exported API's code page in-process is the
// classic inline-hook pattern; integrity checks that compare a module's in-memory
// text against its on-disk image flag exactly this kind of modification.
BYTE NewBytes[8] = {0xB8,0x0,0x0,0x40,0x0,0xFF,0xE0,0x0};
// The original first 8 bytes of CreateFileA, saved by main() so that
// MyCreateFile can put them back before calling the real function.
BYTE OldBytes[8] = {0};

// Address of kernel32!CreateFileA, resolved in main(); the patch target.
FARPROC CreateFile_addr;

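/*
 * Replacement for CreateFileA. main() overwrites the first 8 bytes of
 * CreateFileA with "mov eax, <MyCreateFile>; jmp eax", so calls to
 * CreateFileA land here.
 *
 * The original prologue bytes (OldBytes) are restored before the real
 * CreateFileA is called; otherwise that call would jump straight back
 * into this function and recurse without end. The patch is deliberately
 * not re-applied afterwards (see the disabled write at the bottom), so
 * only the first CreateFileA call after hooking is intercepted.
 *
 * Parameters and return value are those of CreateFileA. If the prologue
 * cannot be restored, INVALID_HANDLE_VALUE is returned and the last error
 * of the failed WriteProcessMemory is preserved for GetLastError().
 */
HANDLE WINAPI MyCreateFile(__in LPCSTR lpFileName, __in DWORD dwDesiredAccess, __in DWORD dwShareMode, __in_opt LPSECURITY_ATTRIBUTES lpSecurityAttributes, __in DWORD dwCreationDisposition, __in DWORD dwFlagsAndAttributes, __in_opt HANDLE hTemplateFile)
{
	MessageBoxA(NULL,"MyCreateFile",0,0);

	// Restore the API's original 8-byte prologue.
	// GetCurrentProcess() is the documented pseudo-handle for "this process";
	// it has the same value as the INVALID_HANDLE_VALUE the original used.
	// The write must be checked: if it fails, CreateFileA still begins with our
	// jmp and calling it below would re-enter this function forever.
	SIZE_T written = 0;
	if (!WriteProcessMemory(GetCurrentProcess(), (void*)CreateFile_addr, (void*)OldBytes, sizeof OldBytes, &written)
	    || written != sizeof OldBytes)
	{
		DWORD err = GetLastError();   // printf may clobber the last-error value
		printf("WriteProcessMemory (restore) error %lu\n", err);
		SetLastError(err);
		return INVALID_HANDLE_VALUE;
	}

	// lpFileName may be NULL; passing NULL to "%s" is undefined behaviour.
	printf("lpFileName is %s\n", lpFileName ? lpFileName : "(null)");

	HANDLE hFile = CreateFileA(lpFileName,dwDesiredAccess,dwShareMode,lpSecurityAttributes,dwCreationDisposition,dwFlagsAndAttributes,hTemplateFile);

	// Re-writing the jmp here would keep the hook installed; left disabled on purpose.
	//WriteProcessMemory(INVALID_HANDLE_VALUE,(void*)CreateFile_addr,(void*)NewBytes,8,NULL);

	return hFile;
}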

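// Print `n` bytes of `p` as a fixed-width hex dump under `label`.
// Two digits per byte so that e.g. 0x00 0x40 is not read as 0x04 0x00.
static void print_bytes(const char *label, const BYTE *p, size_t n)
{
	printf("%s is ", label);
	for (size_t i = 0; i < n; i++)
	{
		printf("%02x", p[i]);
	}
	printf("\n");
}

/*
 * Demo driver: saves the prologue of kernel32!CreateFileA, patches it with a
 * jump to MyCreateFile, then calls CreateFileA once so the hook fires.
 * MyCreateFile restores the original bytes on that first call, so after the
 * demo call CreateFileA is back to normal.
 *
 * Returns 0 on success, 1 if any step of installing the hook fails.
 */
int main(void)
{
	// The patch is "mov eax, imm32; jmp eax", so MyCreateFile's address must
	// fit in 32 bits: this example only works in a 32-bit (x86) build.
	if (sizeof(void *) != sizeof(DWORD))
	{
		printf("this inline hook example only works in a 32-bit build\n");
		return 1;
	}

	HMODULE hMod_kernel32 = LoadLibraryA("Kernel32.dll");
	if (hMod_kernel32 == NULL)
	{
		printf("LoadLibraryA error %lu\n", GetLastError());
		return 1;
	}
	CreateFile_addr = GetProcAddress(hMod_kernel32,"CreateFileA");
	if (CreateFile_addr == NULL)
	{
		printf("GetProcAddress error %lu\n", GetLastError());
		return 1;
	}

	// %p is the portable way to print a pointer; %x mismatches the argument type.
	printf("CreateFileA_Addr is %p\n", (void *)CreateFile_addr);
	//printf("MyCreateFileA_Addr is %p\n", (void *)MyCreateFile);

	// Save the first 8 bytes of CreateFileA so the hook can restore them.
	// GetCurrentProcess() is the documented pseudo-handle for "this process";
	// it has the same value as the INVALID_HANDLE_VALUE the original used.
	SIZE_T done = 0;
	if (!ReadProcessMemory(GetCurrentProcess(), (LPCVOID)CreateFile_addr, OldBytes, sizeof OldBytes, &done)
	    || done != sizeof OldBytes)
	{
		printf("ReadProcessMemory error %lu\n", GetLastError());
		return 1;
	}
	print_bytes("OldBytes", OldBytes, sizeof OldBytes);

	// Point the "mov eax, imm32" of the patch at MyCreateFile.
	*(DWORD*)(NewBytes+1) = (DWORD)(DWORD_PTR)MyCreateFile;
	print_bytes("NewBytes", NewBytes, sizeof NewBytes);

	// Write the jump: from here on CreateFileA lands in MyCreateFile.
	// No VirtualProtect is done here; the example relies on WriteProcessMemory
	// to handle the code page's protection. A failure just leaves CreateFileA
	// unpatched, which is why it must be reported instead of ignored.
	if (!WriteProcessMemory(GetCurrentProcess(), (void*)CreateFile_addr, NewBytes, sizeof NewBytes, &done)
	    || done != sizeof NewBytes)
	{
		printf("WriteProcessMemory error %lu\n", GetLastError());
		return 1;
	}

	HANDLE hFile=CreateFileA("c:\\1.txt",GENERIC_ALL,FILE_SHARE_READ,0,CREATE_ALWAYS,0,0);
	// CreateFileA reports failure with INVALID_HANDLE_VALUE, which must not be closed.
	if (hFile != INVALID_HANDLE_VALUE)
	{
		CloseHandle(hFile);
	}

	return 0;
}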


 
