接上帖!!!

解决方案 »

  1.   

    /*
    Class Name : Api Hook
    Builder    : -Sky Is Blue !-
    Date       : 2003-06-01
    Os         : Win9x
    */#include "ApiHook.h"ApiHookImpl::ApiHookImpl(void)
    {
    this->SystemCallCode.CleanLink();
    this->UserCallCodeOffset.CleanLink();
    this->CallerModuleName.CleanLink();
    this->SystemModuleName.CleanLink();
    this->SystemFunctionName.CleanLink(); this->SystemCall=false;
    }ApiHookImpl::~ApiHookImpl(void)
    {
    this->UnHookAll();
    }bool ApiHookImpl::FindHookFunctionName(LPTSTR FunctionName)
    {
    bool Return;
    LPTSTR * RefFunctionName; this->SystemFunctionName.SetLinkToHeader(); Return=false; do
    {
    RefFunctionName=this->SystemFunctionName.PopAndMove(true); if(RefFunctionName!=NULL)
    {
    if(stricmp(* RefFunctionName,FunctionName)==NULL)
    {
    Return=true; break;
    }
    }
    }
    while(RefFunctionName!=NULL); return Return;
    }DWORD * ApiHookImpl::FindImPortEntry(const LPTSTR ModuleName,const LPTSTR CallerModuleName,const LPTSTR FunctionName) //By Caller ImPort Function
    {
    BOOL Return;
    BYTE * Header;
    DWORD Index,Total,* EntryAddress,FunctionIndex;
    HMODULE Module;
    LPTSTR Name;
    PIMAGE_DOS_HEADER Dos;
    PIMAGE_NT_HEADERS Nt;
    PIMAGE_SECTION_HEADER Section,EachSection;
    PIMAGE_IMPORT_DESCRIPTOR ImPort,EachImPort;
    PIMAGE_IMPORT_BY_NAME ImPortName;
    PIMAGE_THUNK_DATA ImPortThunk,FixImPortThunk;

    Module=GetModuleHandle(CallerModuleName);

    if(Module==NULL)
    {
    return NULL;
    } Header=(BYTE *) Module; Dos=(PIMAGE_DOS_HEADER) Header; Nt=(PIMAGE_NT_HEADERS) (Header+Dos->e_lfanew); Section=(PIMAGE_SECTION_HEADER) ((BYTE *) Nt+sizeof(IMAGE_NT_HEADERS)); for(Index=NULL;Index<Nt->FileHeader.NumberOfSections;Index++)
    {
    EachSection=Section+Index;
    } ImPort=(PIMAGE_IMPORT_DESCRIPTOR) (Header+Nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); Total=NULL; Return=false; EachImPort=ImPort; for(;EachImPort->Name;EachImPort++)
    {
    Total++; if(!Return)
    {
    Name=(LPTSTR) Header+EachImPort->Name; if(stricmp(Name,ModuleName)==NULL)
    {
    Return=true;
    }
    }
    } if(!Return)
    {
    return NULL;
    } EntryAddress=NULL; EachImPort=ImPort; for(Index=NULL;Index<Total;Index++)
    {
    ImPortThunk=(PIMAGE_THUNK_DATA) (Header+EachImPort->FirstThunk); FixImPortThunk=(PIMAGE_THUNK_DATA) (Header+EachImPort->OriginalFirstThunk); if(FixImPortThunk==NULL)
    {
    FixImPortThunk=ImPortThunk;
    } for(;ImPortThunk->u1.Function;ImPortThunk++,FixImPortThunk++)
    {
    if((FixImPortThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG)!=NULL) //Call By Function Index
    {
    ImPortName=NULL;
    }
    else //Call By Function Name
    {
    ImPortName=(PIMAGE_IMPORT_BY_NAME) ((BYTE *) FixImPortThunk->u1.AddressOfData+(DWORD) Header);
    } if(ImPortName==NULL) //Call By Index
    {
    FunctionIndex=FixImPortThunk->u1.Ordinal-IMAGE_ORDINAL_FLAG;
    }
    else //Call By Name/Address
    {
    Name=(LPTSTR) ImPortName->Name;
    }

    if(((ImPortName!=NULL) && (stricmp(Name,FunctionName)==NULL)) || ((ImPortName==NULL) && (FunctionIndex==(DWORD) FunctionName)))
    {
    if((BYTE) * ImPortThunk->u1.Function==IMPORT_FUNCTION_CALL_FLAG)
    {
    this->SystemCall=true;
    }
    else
    {
    this->SystemCall=false;
    } EntryAddress=(DWORD *) ((BYTE *) ImPortThunk->u1.Function+ADDRESS_OFFSET); break;
    }
    } if(EntryAddress==NULL)
    {
    EachImPort++;
    }
    else
    {
    break;
    }
    } return EntryAddress;
    }DWORD * ApiHookImpl::FindExPortEntry(const LPTSTR ModuleName,const LPTSTR FunctionName) //By Funciton Owner ExPort
    {
    BOOL Return;
    BYTE * Header;
    DWORD Index,Total,* EntryAddress,* FunctionEntry;
    WORD * IndexEntry;
    HMODULE Module;
    LPTSTR Name,* NameEntry;
    PIMAGE_DOS_HEADER Dos;
    PIMAGE_NT_HEADERS Nt;
    PIMAGE_EXPORT_DIRECTORY ExPort;

    Module=GetModuleHandle(ModuleName);

    if(Module==NULL)
    {
    return NULL;
    } Header=(BYTE *) Module; Dos=(PIMAGE_DOS_HEADER) Header; Nt=(PIMAGE_NT_HEADERS) (Header+Dos->e_lfanew); ExPort=(PIMAGE_EXPORT_DIRECTORY) (Header+Nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); Return=false; Name=(LPTSTR) (Header+ExPort->Name); if(ExPort->NumberOfFunctions>NULL)
    {
    FunctionEntry=(DWORD *) (Header+(DWORD) ExPort->AddressOfFunctions);
    NameEntry=(LPTSTR *) (Header+(DWORD) ExPort->AddressOfNames);
    IndexEntry=(WORD *) (Header+(DWORD) ExPort->AddressOfNameOrdinals); //Named Function Name And Entry Address for(Total=NULL;Total<ExPort->NumberOfNames;Total++)
    {
    Name=(LPTSTR) (Header+(DWORD) NameEntry[Total]); Index=IndexEntry[Total]; EntryAddress=(DWORD *) (Header+FunctionEntry[Index]); if(stricmp(Name,FunctionName)==NULL)
    {
    Return=true; break;
    }
    } if(!Return) //Not Find Call By Named Function Name
    {
    //Call By Index Function Entry Address for(Total=NULL;Total<ExPort->NumberOfFunctions;Total++)
    {
    Index=Total; for(DWORD NamedIndex=NULL;NamedIndex<ExPort->NumberOfNames;NamedIndex++)
    {
    if(Total==IndexEntry[NamedIndex])
    {
    Index=0xFFFFFFFF; break;
    }
    } if(Index!=0xFFFFFFFF) //Not A Named Function Index
    {
    EntryAddress=(DWORD *) (Header+FunctionEntry[Index]); if(Index+ExPort->Base==(DWORD) FunctionName)
    {
    Return=true; break;
    }
    }
    }
    }
    } if(!Return)
    {
    return NULL;
    }

    return EntryAddress;
    }
      

  2.   

    bool ApiHookImpl::HookImPort(const LPTSTR ModuleName,const LPTSTR CallerModuleName,const LPTSTR SystemFunction,const LPVOID UserFunction) //Hook For Module ImPort Function
    {
    DWORD Protect,* ImPortEntry,Len;
    BOOL Return;
    MEMORY_BASIC_INFORMATION Info;
    HANDLE Handle;
    LPTSTR ModuleFileName,FunctionName,CallerModuleFileName;

    if(this->FindHookFunctionName(SystemFunction))
    {
    return false;
    } ImPortEntry=this->FindImPortEntry(ModuleName,CallerModuleName,SystemFunction); if(ImPortEntry==NULL)
    {
    return false;
    }

    memset(& Info,NULL,sizeof(MEMORY_BASIC_INFORMATION)); Return=VirtualQuery(ImPortEntry,& Info,sizeof(MEMORY_BASIC_INFORMATION));

    if(Return!=sizeof(MEMORY_BASIC_INFORMATION))
    {
    return false;
    } Return=VirtualProtect(ImPortEntry,ADDRESS_SIZE,PAGE_EXECUTE_READWRITE,& Protect);

    if(!Return)
    {
    return false;
    } Handle=GetCurrentProcess(); if(CallerModuleName==NULL)
    {
    CallerModuleFileName=NULL;
    }
    else
    {
    Len=strlen(CallerModuleName); CallerModuleFileName=new CHAR[Len+1]; memset(CallerModuleFileName,NULL,Len+1); memcpy(CallerModuleFileName,CallerModuleName,Len);
    } Len=strlen(ModuleName); ModuleFileName=new CHAR[Len+1]; memset(ModuleFileName,NULL,Len+1); memcpy(ModuleFileName,ModuleName,Len); if(IsBadCodePtr((FARPROC) SystemFunction))
    {
    Len=ADDRESS_SIZE+1;
    }
    else
    {
    Len=strlen(SystemFunction);
    } FunctionName=new CHAR[Len+1]; memset(FunctionName,NULL,Len+1); if(IsBadCodePtr((FARPROC) SystemFunction))
    {
    ultoa((DWORD) SystemFunction,FunctionName,16);
    }
    else
    {
    memcpy(FunctionName,SystemFunction,Len);
    } //Save The Original Call Code this->SystemCallCode.SetLinkToTail();
    this->UserCallCodeOffset.SetLinkToTail();
    this->CallerModuleName.SetLinkToTail();
    this->SystemModuleName.SetLinkToTail();
    this->SystemFunctionName.SetLinkToTail();

    this->SystemCallCode.PushBack(* ImPortEntry);
    this->UserCallCodeOffset.PushBack(this->SystemCall?NULL:(DWORD) ImPortEntry+ADDRESS_OFFSET);
    this->CallerModuleName.PushBack(CallerModuleFileName);
    this->SystemModuleName.PushBack(ModuleFileName);
    this->SystemFunctionName.PushBack(FunctionName); //Write The New Function Entry * ImPortEntry=(DWORD) UserFunction; Return=VirtualProtect(ImPortEntry,ADDRESS_SIZE,Protect,& Protect); FlushInstructionCache(Handle,ImPortEntry,ADDRESS_SIZE); if(!Return)
    {
    return false;
    } return true;
    }bool ApiHookImpl::HookExPort(const LPTSTR ModuleName,const LPTSTR SystemFunction,const LPVOID UserFunction) //Hook For Module ExPort Function
    {
    DWORD Protect,* ExPortEntry,Len;
    BOOL Return;
    HANDLE Handle;
    MODULEENTRY32 ModuleId;
    MEMORY_BASIC_INFORMATION Info;
    LPTSTR ModuleFileName,FunctionName; if(this->FindHookFunctionName(SystemFunction))
    {
    return false;
    } ExPortEntry=this->FindExPortEntry(ModuleName,SystemFunction); if(ExPortEntry==NULL)
    {
    return false;
    }

    Handle=CreateToolhelp32Snapshot(TH32CS_SNAPALL,NULL); ModuleId.dwSize=sizeof(MODULEENTRY32); Return=Module32First(Handle,& ModuleId); while((stricmp(ModuleId.szModule,ModuleName)!=NULL) && Return)
    {
    Return=Module32Next(Handle,& ModuleId);
    } CloseHandle(Handle); if(!Return)
    {
    return false;
    } Handle=OpenProcess(PROCESS_ALL_ACCESS,FALSE,ModuleId.th32ProcessID); if(Handle==NULL)
    {
    return false;
    } memset(& Info,NULL,sizeof(MEMORY_BASIC_INFORMATION)); Return=VirtualQueryEx(Handle,ExPortEntry,& Info,sizeof(MEMORY_BASIC_INFORMATION));

    if(Return)
    {
    Return=VirtualProtectEx(Handle,ExPortEntry,ADDRESS_SIZE,PAGE_EXECUTE_READWRITE,& Protect);

    if(Return)
    {
    //Save The Original Call Code Len=strlen(ModuleName); ModuleFileName=new CHAR[Len+1]; memset(ModuleFileName,NULL,Len+1); memcpy(ModuleFileName,ModuleName,Len); if(IsBadCodePtr((FARPROC) SystemFunction))
    {
    Len=ADDRESS_SIZE+1;
    }
    else
    {
    Len=strlen(SystemFunction);
    } FunctionName=new CHAR[Len+1]; memset(FunctionName,NULL,Len+1); if(IsBadCodePtr((FARPROC) SystemFunction))
    {
    ultoa((DWORD) SystemFunction,FunctionName,16);
    }
    else
    {
    memcpy(FunctionName,SystemFunction,Len);
    } this->SystemCallCode.SetLinkToTail();
    this->UserCallCodeOffset.SetLinkToTail();
    this->CallerModuleName.SetLinkToTail();
    this->SystemModuleName.SetLinkToTail();
    this->SystemFunctionName.SetLinkToTail(); this->SystemCallCode.PushBack(* ExPortEntry);
    this->UserCallCodeOffset.PushBack(NULL);
    this->CallerModuleName.PushBack((LPTSTR) EXPORT_FUNCTION);
    this->SystemModuleName.PushBack(ModuleFileName);
    this->SystemFunctionName.PushBack(FunctionName); //Write The New Function Entry Return=WriteProcessMemory(Handle,ExPortEntry,& (DWORD &) UserFunction,ADDRESS_SIZE,NULL); if(Return)
    {
    Return=VirtualProtectEx(Handle,ExPortEntry,ADDRESS_SIZE,Protect,& Protect); FlushInstructionCache(Handle,ExPortEntry,ADDRESS_SIZE);
    }
    }
    } CloseHandle(Handle); return (bool) Return;
    }
      

  3.   

    bool ApiHookImpl::UnHookImPort(const LPTSTR SystemFunction) //Hook For Module ImPort Function
    {
    DWORD Index,Protect,* ImPortEntry;
    BOOL Return;
    MEMORY_BASIC_INFORMATION Info;
    DWORD * SystemCode;
    HANDLE Handle;
    LPTSTR * ModuleName,* FunctionName,* CallerModuleFileName;

    if(!this->FindHookFunctionName(SystemFunction))
    {
    return false;
    } Index=this->SystemFunctionName.GetLinkItemIndex(); this->SystemCallCode.SetLinkItemIndex(Index); this->CallerModuleName.SetLinkItemIndex(Index); this->SystemModuleName.SetLinkItemIndex(Index); this->SystemFunctionName.SetLinkItemIndex(Index); SystemCode=this->SystemCallCode.Pop(); CallerModuleFileName=this->CallerModuleName.Pop(); ModuleName=this->SystemModuleName.Pop(); FunctionName=this->SystemFunctionName.Pop(); if((SystemCode==NULL) || (ModuleName==NULL) || (CallerModuleFileName==NULL) || (FunctionName==NULL))
    {
    return false;
    } ImPortEntry=this->FindImPortEntry(* ModuleName,* CallerModuleFileName,SystemFunction); if(ImPortEntry==NULL)
    {
    return false;
    } memset(& Info,NULL,sizeof(MEMORY_BASIC_INFORMATION)); Return=VirtualQuery(ImPortEntry,& Info,sizeof(MEMORY_BASIC_INFORMATION));

    if(Return!=sizeof(MEMORY_BASIC_INFORMATION))
    {
    return false;
    }

    Return=VirtualProtect(ImPortEntry,ADDRESS_SIZE,PAGE_EXECUTE_READWRITE,& Protect);

    if(!Return)
    {
    return false;
    }

    Handle=GetCurrentProcess(); //ReStore The System ImPort Call Code * ImPortEntry=* SystemCode; Return=VirtualProtect(ImPortEntry,ADDRESS_SIZE,Protect,& Protect); FlushInstructionCache(Handle,ImPortEntry,ADDRESS_SIZE); delete [](* ModuleName);
    delete [](* FunctionName);
    delete [](* CallerModuleFileName); this->SystemCallCode.SetLinkItemIndex(Index); this->SystemCallCode.Delete(); this->UserCallCodeOffset.SetLinkItemIndex(Index); this->UserCallCodeOffset.Delete(); this->CallerModuleName.SetLinkItemIndex(Index); this->CallerModuleName.Delete(); this->SystemModuleName.SetLinkItemIndex(Index); this->SystemModuleName.Delete(); this->SystemFunctionName.SetLinkItemIndex(Index); this->SystemFunctionName.Delete(); return true;
    }bool ApiHookImpl::UnHookExPort(const LPTSTR SystemFunction) //Hook For Module ExPort Function
    {
    DWORD Index,Protect,* ExPortEntry;
    BOOL Return;
    HANDLE Handle;
    MODULEENTRY32 ModuleId;
    MEMORY_BASIC_INFORMATION Info;
    DWORD * SystemCode;
    LPTSTR  * ModuleName,* FunctionName;

    if(!this->FindHookFunctionName(SystemFunction))
    {
    return false;
    } Index=this->SystemFunctionName.GetLinkItemIndex(); this->SystemModuleName.SetLinkItemIndex(Index); this->SystemCallCode.SetLinkItemIndex(Index); this->SystemFunctionName.SetLinkItemIndex(Index); ModuleName=this->SystemModuleName.Pop(); SystemCode=this->SystemCallCode.Pop(); FunctionName=this->SystemFunctionName.Pop(); if((SystemCode==NULL) || (ModuleName==NULL) || (FunctionName==NULL))
    {
    return false;
    } ExPortEntry=this->FindExPortEntry(* ModuleName,SystemFunction); if(ExPortEntry==NULL)
    {
    return false;
    }

    Handle=CreateToolhelp32Snapshot(TH32CS_SNAPALL,NULL); ModuleId.dwSize=sizeof(MODULEENTRY32); Return=Module32First(Handle,& ModuleId); while((stricmp(ModuleId.szModule,* ModuleName)!=NULL) && Return)
    {
    Return=Module32Next(Handle,& ModuleId);
    } CloseHandle(Handle); if(!Return)
    {
    return false;
    } Handle=OpenProcess(PROCESS_ALL_ACCESS,FALSE,ModuleId.th32ProcessID); if(Handle==NULL)
    {
    return false;
    } memset(& Info,NULL,sizeof(MEMORY_BASIC_INFORMATION)); Return=VirtualQueryEx(Handle,ExPortEntry,& Info,sizeof(MEMORY_BASIC_INFORMATION));

    if(Return)
    {
    Return=VirtualProtectEx(Handle,ExPortEntry,ADDRESS_SIZE,PAGE_EXECUTE_READWRITE,& Protect);

    if(Return)
    {
    //Write The New Function Entry Return=WriteProcessMemory(Handle,ExPortEntry,SystemCode,ADDRESS_SIZE,NULL); if(Return)
    {
    Return=VirtualProtectEx(Handle,ExPortEntry,ADDRESS_SIZE,Protect,& Protect); FlushInstructionCache(Handle,ExPortEntry,ADDRESS_SIZE);
    }
    }
    } CloseHandle(Handle); delete [](* ModuleName);
    delete [](* FunctionName); this->SystemCallCode.SetLinkItemIndex(Index); this->SystemCallCode.Delete(); this->SystemModuleName.SetLinkItemIndex(Index); this->SystemModuleName.Delete(); this->SystemFunctionName.SetLinkItemIndex(Index); this->SystemFunctionName.Delete(); return (bool) Return;
    }bool ApiHookImpl::UnHookAll(void)
    {
    DWORD Index;
    LPTSTR * RefSystemFunctionName,* RefModuleFlag;

    this->CallerModuleName.SetLinkToHeader(); this->SystemFunctionName.SetLinkToHeader(); do
    {
    RefModuleFlag=this->CallerModuleName.PopAndMove(true); RefSystemFunctionName=this->SystemFunctionName.PopAndMove(true); Index=this->SystemFunctionName.GetLinkItemIndex(); if(RefSystemFunctionName!=NULL)
    {
    ((DWORD) * RefModuleFlag)==EXPORT_FUNCTION?this->UnHookExPort(* RefSystemFunctionName):this->UnHookImPort(* RefSystemFunctionName);
    } this->CallerModuleName.SetLinkItemIndex(Index); this->SystemFunctionName.SetLinkItemIndex(Index);
    }
    while(RefSystemFunctionName!=NULL); return true;
    }bool ApiHookImpl::CallHookImPort(const LPTSTR SystemFunction,DWORD EbpOffset)
    {
    DWORD Index,* Address,* Base; if(!this->FindHookFunctionName(SystemFunction))
    {
    return false;
    }

    Index=this->SystemFunctionName.GetLinkItemIndex(); this->SystemCallCode.SetLinkItemIndex(Index); this->UserCallCodeOffset.SetLinkItemIndex(Index); Address=this->SystemCallCode.Pop(); Base=this->UserCallCodeOffset.Pop(); if((Address==NULL) || (Base==NULL))
    {
    return false;
    } EbpOffset+=EBP_SIZE+CALL_SIZE; _asm
    {
    mov eax,Address

    mov edx,dword ptr [eax] mov eax,Base add edx,dword ptr [eax] mov eax,EbpOffset mov ebx,esp mov esp,eax call edx

    mov esp,ebx
    } return true;
    }bool ApiHookImpl::CallHookExPort(const LPTSTR SystemFunction,DWORD EbpOffset)
    {
    DWORD Index,* Address; if(!this->FindHookFunctionName(SystemFunction))
    {
    return false;
    } Index=this->SystemFunctionName.GetLinkItemIndex(); this->SystemCallCode.SetLinkItemIndex(Index); Address=this->SystemCallCode.Pop(); if(Address==NULL)
    {
    return false;
    } EbpOffset+=EBP_SIZE+CALL_SIZE; _asm
    {
    mov edx,Address

    mov edx,dword ptr [edx] mov ebx,esp mov eax,EbpOffset mov esp,eax call edx mov esp,ebx
    }
    }
      

  4.   

    多謝了,高手們看看呀!!!http://expert.csdn.net/Expert/topic/1868/1868356.xml?temp=.3658563
    http://expert.csdn.net/Expert/topic/1868/1868391.xml?temp=.5015375