我自己模仿寫了個APIHOOK的類,但在實際使用時有些問題一直難解決,誰對WINDOWS,及其MASM32(FOR WINDOW)熟呀,我把Source Code都貼在這兒了, 接上帖!!! 解决方案 » 免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货 /*Class Name : Api HookBuilder : -Sky Is Blue !-Date : 2003-06-01Os : Win9x*/#include "ApiHook.h"ApiHookImpl::ApiHookImpl(void){ this->SystemCallCode.CleanLink(); this->UserCallCodeOffset.CleanLink(); this->CallerModuleName.CleanLink(); this->SystemModuleName.CleanLink(); this->SystemFunctionName.CleanLink(); this->SystemCall=false;}ApiHookImpl::~ApiHookImpl(void){ this->UnHookAll();}bool ApiHookImpl::FindHookFunctionName(LPTSTR FunctionName){ bool Return; LPTSTR * RefFunctionName; this->SystemFunctionName.SetLinkToHeader(); Return=false; do { RefFunctionName=this->SystemFunctionName.PopAndMove(true); if(RefFunctionName!=NULL) { if(stricmp(* RefFunctionName,FunctionName)==NULL) { Return=true; break; } } } while(RefFunctionName!=NULL); return Return;}DWORD * ApiHookImpl::FindImPortEntry(const LPTSTR ModuleName,const LPTSTR CallerModuleName,const LPTSTR FunctionName) //By Caller ImPort Function{ BOOL Return; BYTE * Header; DWORD Index,Total,* EntryAddress,FunctionIndex; HMODULE Module; LPTSTR Name; PIMAGE_DOS_HEADER Dos; PIMAGE_NT_HEADERS Nt; PIMAGE_SECTION_HEADER Section,EachSection; PIMAGE_IMPORT_DESCRIPTOR ImPort,EachImPort; PIMAGE_IMPORT_BY_NAME ImPortName; PIMAGE_THUNK_DATA ImPortThunk,FixImPortThunk; Module=GetModuleHandle(CallerModuleName); if(Module==NULL) { return NULL; } Header=(BYTE *) Module; Dos=(PIMAGE_DOS_HEADER) Header; Nt=(PIMAGE_NT_HEADERS) (Header+Dos->e_lfanew); Section=(PIMAGE_SECTION_HEADER) ((BYTE *) Nt+sizeof(IMAGE_NT_HEADERS)); for(Index=NULL;Index<Nt->FileHeader.NumberOfSections;Index++) { EachSection=Section+Index; } ImPort=(PIMAGE_IMPORT_DESCRIPTOR) (Header+Nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); Total=NULL; Return=false; EachImPort=ImPort; for(;EachImPort->Name;EachImPort++) { Total++; if(!Return) { Name=(LPTSTR) Header+EachImPort->Name; if(stricmp(Name,ModuleName)==NULL) { Return=true; } } } if(!Return) { return NULL; } EntryAddress=NULL; EachImPort=ImPort; for(Index=NULL;Index<Total;Index++) { ImPortThunk=(PIMAGE_THUNK_DATA) (Header+EachImPort->FirstThunk); FixImPortThunk=(PIMAGE_THUNK_DATA) (Header+EachImPort->OriginalFirstThunk); if(FixImPortThunk==NULL) { FixImPortThunk=ImPortThunk; } for(;ImPortThunk->u1.Function;ImPortThunk++,FixImPortThunk++) { if((FixImPortThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG)!=NULL) //Call By Function Index { ImPortName=NULL; } else //Call By Function Name { ImPortName=(PIMAGE_IMPORT_BY_NAME) ((BYTE *) FixImPortThunk->u1.AddressOfData+(DWORD) Header); } if(ImPortName==NULL) //Call By Index { FunctionIndex=FixImPortThunk->u1.Ordinal-IMAGE_ORDINAL_FLAG; } else //Call By Name/Address { Name=(LPTSTR) ImPortName->Name; } if(((ImPortName!=NULL) && (stricmp(Name,FunctionName)==NULL)) || ((ImPortName==NULL) && (FunctionIndex==(DWORD) FunctionName))) { if((BYTE) * ImPortThunk->u1.Function==IMPORT_FUNCTION_CALL_FLAG) { this->SystemCall=true; } else { this->SystemCall=false; } EntryAddress=(DWORD *) ((BYTE *) ImPortThunk->u1.Function+ADDRESS_OFFSET); break; } } if(EntryAddress==NULL) { EachImPort++; } else { break; } } return EntryAddress;}DWORD * ApiHookImpl::FindExPortEntry(const LPTSTR ModuleName,const LPTSTR FunctionName) //By Funciton Owner ExPort{ BOOL Return; BYTE * Header; DWORD Index,Total,* EntryAddress,* FunctionEntry; WORD * IndexEntry; HMODULE Module; LPTSTR Name,* NameEntry; PIMAGE_DOS_HEADER Dos; PIMAGE_NT_HEADERS Nt; PIMAGE_EXPORT_DIRECTORY ExPort; Module=GetModuleHandle(ModuleName); if(Module==NULL) { return NULL; } Header=(BYTE *) Module; Dos=(PIMAGE_DOS_HEADER) Header; Nt=(PIMAGE_NT_HEADERS) (Header+Dos->e_lfanew); ExPort=(PIMAGE_EXPORT_DIRECTORY) (Header+Nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); Return=false; Name=(LPTSTR) (Header+ExPort->Name); if(ExPort->NumberOfFunctions>NULL) { FunctionEntry=(DWORD *) (Header+(DWORD) ExPort->AddressOfFunctions); NameEntry=(LPTSTR *) (Header+(DWORD) ExPort->AddressOfNames); IndexEntry=(WORD *) (Header+(DWORD) ExPort->AddressOfNameOrdinals); //Named Function Name And Entry Address for(Total=NULL;Total<ExPort->NumberOfNames;Total++) { Name=(LPTSTR) (Header+(DWORD) NameEntry[Total]); Index=IndexEntry[Total]; EntryAddress=(DWORD *) (Header+FunctionEntry[Index]); if(stricmp(Name,FunctionName)==NULL) { Return=true; break; } } if(!Return) //Not Find Call By Named Function Name { //Call By Index Function Entry Address for(Total=NULL;Total<ExPort->NumberOfFunctions;Total++) { Index=Total; for(DWORD NamedIndex=NULL;NamedIndex<ExPort->NumberOfNames;NamedIndex++) { if(Total==IndexEntry[NamedIndex]) { Index=0xFFFFFFFF; break; } } if(Index!=0xFFFFFFFF) //Not A Named Function Index { EntryAddress=(DWORD *) (Header+FunctionEntry[Index]); if(Index+ExPort->Base==(DWORD) FunctionName) { Return=true; break; } } } } } if(!Return) { return NULL; } return EntryAddress;} bool ApiHookImpl::HookImPort(const LPTSTR ModuleName,const LPTSTR CallerModuleName,const LPTSTR SystemFunction,const LPVOID UserFunction) //Hook For Module ImPort Function{ DWORD Protect,* ImPortEntry,Len; BOOL Return; MEMORY_BASIC_INFORMATION Info; HANDLE Handle; LPTSTR ModuleFileName,FunctionName,CallerModuleFileName; if(this->FindHookFunctionName(SystemFunction)) { return false; } ImPortEntry=this->FindImPortEntry(ModuleName,CallerModuleName,SystemFunction); if(ImPortEntry==NULL) { return false; } memset(& Info,NULL,sizeof(MEMORY_BASIC_INFORMATION)); Return=VirtualQuery(ImPortEntry,& Info,sizeof(MEMORY_BASIC_INFORMATION)); if(Return!=sizeof(MEMORY_BASIC_INFORMATION)) { return false; } Return=VirtualProtect(ImPortEntry,ADDRESS_SIZE,PAGE_EXECUTE_READWRITE,& Protect); if(!Return) { return false; } Handle=GetCurrentProcess(); if(CallerModuleName==NULL) { CallerModuleFileName=NULL; } else { Len=strlen(CallerModuleName); CallerModuleFileName=new CHAR[Len+1]; memset(CallerModuleFileName,NULL,Len+1); memcpy(CallerModuleFileName,CallerModuleName,Len); } Len=strlen(ModuleName); ModuleFileName=new CHAR[Len+1]; memset(ModuleFileName,NULL,Len+1); memcpy(ModuleFileName,ModuleName,Len); if(IsBadCodePtr((FARPROC) SystemFunction)) { Len=ADDRESS_SIZE+1; } else { Len=strlen(SystemFunction); } FunctionName=new CHAR[Len+1]; memset(FunctionName,NULL,Len+1); if(IsBadCodePtr((FARPROC) SystemFunction)) { ultoa((DWORD) SystemFunction,FunctionName,16); } else { memcpy(FunctionName,SystemFunction,Len); } //Save The Original Call Code this->SystemCallCode.SetLinkToTail(); this->UserCallCodeOffset.SetLinkToTail(); this->CallerModuleName.SetLinkToTail(); this->SystemModuleName.SetLinkToTail(); this->SystemFunctionName.SetLinkToTail(); this->SystemCallCode.PushBack(* ImPortEntry); this->UserCallCodeOffset.PushBack(this->SystemCall?NULL:(DWORD) ImPortEntry+ADDRESS_OFFSET); this->CallerModuleName.PushBack(CallerModuleFileName); this->SystemModuleName.PushBack(ModuleFileName); this->SystemFunctionName.PushBack(FunctionName); //Write The New Function Entry * ImPortEntry=(DWORD) UserFunction; Return=VirtualProtect(ImPortEntry,ADDRESS_SIZE,Protect,& Protect); FlushInstructionCache(Handle,ImPortEntry,ADDRESS_SIZE); if(!Return) { return false; } return true;}bool ApiHookImpl::HookExPort(const LPTSTR ModuleName,const LPTSTR SystemFunction,const LPVOID UserFunction) //Hook For Module ExPort Function{ DWORD Protect,* ExPortEntry,Len; BOOL Return; HANDLE Handle; MODULEENTRY32 ModuleId; MEMORY_BASIC_INFORMATION Info; LPTSTR ModuleFileName,FunctionName; if(this->FindHookFunctionName(SystemFunction)) { return false; } ExPortEntry=this->FindExPortEntry(ModuleName,SystemFunction); if(ExPortEntry==NULL) { return false; } Handle=CreateToolhelp32Snapshot(TH32CS_SNAPALL,NULL); ModuleId.dwSize=sizeof(MODULEENTRY32); Return=Module32First(Handle,& ModuleId); while((stricmp(ModuleId.szModule,ModuleName)!=NULL) && Return) { Return=Module32Next(Handle,& ModuleId); } CloseHandle(Handle); if(!Return) { return false; } Handle=OpenProcess(PROCESS_ALL_ACCESS,FALSE,ModuleId.th32ProcessID); if(Handle==NULL) { return false; } memset(& Info,NULL,sizeof(MEMORY_BASIC_INFORMATION)); Return=VirtualQueryEx(Handle,ExPortEntry,& Info,sizeof(MEMORY_BASIC_INFORMATION)); if(Return) { Return=VirtualProtectEx(Handle,ExPortEntry,ADDRESS_SIZE,PAGE_EXECUTE_READWRITE,& Protect); if(Return) { //Save The Original Call Code Len=strlen(ModuleName); ModuleFileName=new CHAR[Len+1]; memset(ModuleFileName,NULL,Len+1); memcpy(ModuleFileName,ModuleName,Len); if(IsBadCodePtr((FARPROC) SystemFunction)) { Len=ADDRESS_SIZE+1; } else { Len=strlen(SystemFunction); } FunctionName=new CHAR[Len+1]; memset(FunctionName,NULL,Len+1); if(IsBadCodePtr((FARPROC) SystemFunction)) { ultoa((DWORD) SystemFunction,FunctionName,16); } else { memcpy(FunctionName,SystemFunction,Len); } this->SystemCallCode.SetLinkToTail(); this->UserCallCodeOffset.SetLinkToTail(); this->CallerModuleName.SetLinkToTail(); this->SystemModuleName.SetLinkToTail(); this->SystemFunctionName.SetLinkToTail(); this->SystemCallCode.PushBack(* ExPortEntry); this->UserCallCodeOffset.PushBack(NULL); this->CallerModuleName.PushBack((LPTSTR) EXPORT_FUNCTION); this->SystemModuleName.PushBack(ModuleFileName); this->SystemFunctionName.PushBack(FunctionName); //Write The New Function Entry Return=WriteProcessMemory(Handle,ExPortEntry,& (DWORD &) UserFunction,ADDRESS_SIZE,NULL); if(Return) { Return=VirtualProtectEx(Handle,ExPortEntry,ADDRESS_SIZE,Protect,& Protect); FlushInstructionCache(Handle,ExPortEntry,ADDRESS_SIZE); } } } CloseHandle(Handle); return (bool) Return;} bool ApiHookImpl::UnHookImPort(const LPTSTR SystemFunction) //Hook For Module ImPort Function{ DWORD Index,Protect,* ImPortEntry; BOOL Return; MEMORY_BASIC_INFORMATION Info; DWORD * SystemCode; HANDLE Handle; LPTSTR * ModuleName,* FunctionName,* CallerModuleFileName; if(!this->FindHookFunctionName(SystemFunction)) { return false; } Index=this->SystemFunctionName.GetLinkItemIndex(); this->SystemCallCode.SetLinkItemIndex(Index); this->CallerModuleName.SetLinkItemIndex(Index); this->SystemModuleName.SetLinkItemIndex(Index); this->SystemFunctionName.SetLinkItemIndex(Index); SystemCode=this->SystemCallCode.Pop(); CallerModuleFileName=this->CallerModuleName.Pop(); ModuleName=this->SystemModuleName.Pop(); FunctionName=this->SystemFunctionName.Pop(); if((SystemCode==NULL) || (ModuleName==NULL) || (CallerModuleFileName==NULL) || (FunctionName==NULL)) { return false; } ImPortEntry=this->FindImPortEntry(* ModuleName,* CallerModuleFileName,SystemFunction); if(ImPortEntry==NULL) { return false; } memset(& Info,NULL,sizeof(MEMORY_BASIC_INFORMATION)); Return=VirtualQuery(ImPortEntry,& Info,sizeof(MEMORY_BASIC_INFORMATION)); if(Return!=sizeof(MEMORY_BASIC_INFORMATION)) { return false; } Return=VirtualProtect(ImPortEntry,ADDRESS_SIZE,PAGE_EXECUTE_READWRITE,& Protect); if(!Return) { return false; } Handle=GetCurrentProcess(); //ReStore The System ImPort Call Code * ImPortEntry=* SystemCode; Return=VirtualProtect(ImPortEntry,ADDRESS_SIZE,Protect,& Protect); FlushInstructionCache(Handle,ImPortEntry,ADDRESS_SIZE); delete [](* ModuleName); delete [](* FunctionName); delete [](* CallerModuleFileName); this->SystemCallCode.SetLinkItemIndex(Index); this->SystemCallCode.Delete(); this->UserCallCodeOffset.SetLinkItemIndex(Index); this->UserCallCodeOffset.Delete(); this->CallerModuleName.SetLinkItemIndex(Index); this->CallerModuleName.Delete(); this->SystemModuleName.SetLinkItemIndex(Index); this->SystemModuleName.Delete(); this->SystemFunctionName.SetLinkItemIndex(Index); this->SystemFunctionName.Delete(); return true;}bool ApiHookImpl::UnHookExPort(const LPTSTR SystemFunction) //Hook For Module ExPort Function{ DWORD Index,Protect,* ExPortEntry; BOOL Return; HANDLE Handle; MODULEENTRY32 ModuleId; MEMORY_BASIC_INFORMATION Info; DWORD * SystemCode; LPTSTR * ModuleName,* FunctionName; if(!this->FindHookFunctionName(SystemFunction)) { return false; } Index=this->SystemFunctionName.GetLinkItemIndex(); this->SystemModuleName.SetLinkItemIndex(Index); this->SystemCallCode.SetLinkItemIndex(Index); this->SystemFunctionName.SetLinkItemIndex(Index); ModuleName=this->SystemModuleName.Pop(); SystemCode=this->SystemCallCode.Pop(); FunctionName=this->SystemFunctionName.Pop(); if((SystemCode==NULL) || (ModuleName==NULL) || (FunctionName==NULL)) { return false; } ExPortEntry=this->FindExPortEntry(* ModuleName,SystemFunction); if(ExPortEntry==NULL) { return false; } Handle=CreateToolhelp32Snapshot(TH32CS_SNAPALL,NULL); ModuleId.dwSize=sizeof(MODULEENTRY32); Return=Module32First(Handle,& ModuleId); while((stricmp(ModuleId.szModule,* ModuleName)!=NULL) && Return) { Return=Module32Next(Handle,& ModuleId); } CloseHandle(Handle); if(!Return) { return false; } Handle=OpenProcess(PROCESS_ALL_ACCESS,FALSE,ModuleId.th32ProcessID); if(Handle==NULL) { return false; } memset(& Info,NULL,sizeof(MEMORY_BASIC_INFORMATION)); Return=VirtualQueryEx(Handle,ExPortEntry,& Info,sizeof(MEMORY_BASIC_INFORMATION)); if(Return) { Return=VirtualProtectEx(Handle,ExPortEntry,ADDRESS_SIZE,PAGE_EXECUTE_READWRITE,& Protect); if(Return) { //Write The New Function Entry Return=WriteProcessMemory(Handle,ExPortEntry,SystemCode,ADDRESS_SIZE,NULL); if(Return) { Return=VirtualProtectEx(Handle,ExPortEntry,ADDRESS_SIZE,Protect,& Protect); FlushInstructionCache(Handle,ExPortEntry,ADDRESS_SIZE); } } } CloseHandle(Handle); delete [](* ModuleName); delete [](* FunctionName); this->SystemCallCode.SetLinkItemIndex(Index); this->SystemCallCode.Delete(); this->SystemModuleName.SetLinkItemIndex(Index); this->SystemModuleName.Delete(); this->SystemFunctionName.SetLinkItemIndex(Index); this->SystemFunctionName.Delete(); return (bool) Return;}bool ApiHookImpl::UnHookAll(void){ DWORD Index; LPTSTR * RefSystemFunctionName,* RefModuleFlag; this->CallerModuleName.SetLinkToHeader(); this->SystemFunctionName.SetLinkToHeader(); do { RefModuleFlag=this->CallerModuleName.PopAndMove(true); RefSystemFunctionName=this->SystemFunctionName.PopAndMove(true); Index=this->SystemFunctionName.GetLinkItemIndex(); if(RefSystemFunctionName!=NULL) { ((DWORD) * RefModuleFlag)==EXPORT_FUNCTION?this->UnHookExPort(* RefSystemFunctionName):this->UnHookImPort(* RefSystemFunctionName); } this->CallerModuleName.SetLinkItemIndex(Index); this->SystemFunctionName.SetLinkItemIndex(Index); } while(RefSystemFunctionName!=NULL); return true;}bool ApiHookImpl::CallHookImPort(const LPTSTR SystemFunction,DWORD EbpOffset){ DWORD Index,* Address,* Base; if(!this->FindHookFunctionName(SystemFunction)) { return false; } Index=this->SystemFunctionName.GetLinkItemIndex(); this->SystemCallCode.SetLinkItemIndex(Index); this->UserCallCodeOffset.SetLinkItemIndex(Index); Address=this->SystemCallCode.Pop(); Base=this->UserCallCodeOffset.Pop(); if((Address==NULL) || (Base==NULL)) { return false; } EbpOffset+=EBP_SIZE+CALL_SIZE; _asm { mov eax,Address mov edx,dword ptr [eax] mov eax,Base add edx,dword ptr [eax] mov eax,EbpOffset mov ebx,esp mov esp,eax call edx mov esp,ebx } return true;}bool ApiHookImpl::CallHookExPort(const LPTSTR SystemFunction,DWORD EbpOffset){ DWORD Index,* Address; if(!this->FindHookFunctionName(SystemFunction)) { return false; } Index=this->SystemFunctionName.GetLinkItemIndex(); this->SystemCallCode.SetLinkItemIndex(Index); Address=this->SystemCallCode.Pop(); if(Address==NULL) { return false; } EbpOffset+=EBP_SIZE+CALL_SIZE; _asm { mov edx,Address mov edx,dword ptr [edx] mov ebx,esp mov eax,EbpOffset mov esp,eax call edx mov esp,ebx }} 多謝了,高手們看看呀!!!http://expert.csdn.net/Expert/topic/1868/1868356.xml?temp=.3658563http://expert.csdn.net/Expert/topic/1868/1868391.xml?temp=.5015375 ado连接数据库类,函数重载问题? 关于切分窗口的初始化大小问题 从纯资源DLL中LoadBitmap后的HBITMAP句柄,何时删除? 利用CArray建了一个二维数组,请问如何扩展动态二维数组的行数 取得一个html页面后,想改动某些内容再显示,如何做? Excel自动化,被调用的对象已与其客户断开连接 连结字符串? 有使用 winsock 控件来通讯的吗? 紧急求助!怎么打印ListCtrl控件里的数据啊??? 请大家帮我介绍一部SDK入门的书。 大家从知道MFC开始到弄明白可以自己写程序,用了多长时间? 各位兄弟帮帮忙:关于在Opengl中的坐标转换问题
Class Name : Api Hook
Builder : -Sky Is Blue !-
Date : 2003-06-01
Os : Win9x
*/#include "ApiHook.h"ApiHookImpl::ApiHookImpl(void)
{
this->SystemCallCode.CleanLink();
this->UserCallCodeOffset.CleanLink();
this->CallerModuleName.CleanLink();
this->SystemModuleName.CleanLink();
this->SystemFunctionName.CleanLink(); this->SystemCall=false;
}ApiHookImpl::~ApiHookImpl(void)
{
this->UnHookAll();
}bool ApiHookImpl::FindHookFunctionName(LPTSTR FunctionName)
{
bool Return;
LPTSTR * RefFunctionName; this->SystemFunctionName.SetLinkToHeader(); Return=false; do
{
RefFunctionName=this->SystemFunctionName.PopAndMove(true); if(RefFunctionName!=NULL)
{
if(stricmp(* RefFunctionName,FunctionName)==NULL)
{
Return=true; break;
}
}
}
while(RefFunctionName!=NULL); return Return;
}DWORD * ApiHookImpl::FindImPortEntry(const LPTSTR ModuleName,const LPTSTR CallerModuleName,const LPTSTR FunctionName) //By Caller ImPort Function
{
BOOL Return;
BYTE * Header;
DWORD Index,Total,* EntryAddress,FunctionIndex;
HMODULE Module;
LPTSTR Name;
PIMAGE_DOS_HEADER Dos;
PIMAGE_NT_HEADERS Nt;
PIMAGE_SECTION_HEADER Section,EachSection;
PIMAGE_IMPORT_DESCRIPTOR ImPort,EachImPort;
PIMAGE_IMPORT_BY_NAME ImPortName;
PIMAGE_THUNK_DATA ImPortThunk,FixImPortThunk;
Module=GetModuleHandle(CallerModuleName);
if(Module==NULL)
{
return NULL;
} Header=(BYTE *) Module; Dos=(PIMAGE_DOS_HEADER) Header; Nt=(PIMAGE_NT_HEADERS) (Header+Dos->e_lfanew); Section=(PIMAGE_SECTION_HEADER) ((BYTE *) Nt+sizeof(IMAGE_NT_HEADERS)); for(Index=NULL;Index<Nt->FileHeader.NumberOfSections;Index++)
{
EachSection=Section+Index;
} ImPort=(PIMAGE_IMPORT_DESCRIPTOR) (Header+Nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); Total=NULL; Return=false; EachImPort=ImPort; for(;EachImPort->Name;EachImPort++)
{
Total++; if(!Return)
{
Name=(LPTSTR) Header+EachImPort->Name; if(stricmp(Name,ModuleName)==NULL)
{
Return=true;
}
}
} if(!Return)
{
return NULL;
} EntryAddress=NULL; EachImPort=ImPort; for(Index=NULL;Index<Total;Index++)
{
ImPortThunk=(PIMAGE_THUNK_DATA) (Header+EachImPort->FirstThunk); FixImPortThunk=(PIMAGE_THUNK_DATA) (Header+EachImPort->OriginalFirstThunk); if(FixImPortThunk==NULL)
{
FixImPortThunk=ImPortThunk;
} for(;ImPortThunk->u1.Function;ImPortThunk++,FixImPortThunk++)
{
if((FixImPortThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG)!=NULL) //Call By Function Index
{
ImPortName=NULL;
}
else //Call By Function Name
{
ImPortName=(PIMAGE_IMPORT_BY_NAME) ((BYTE *) FixImPortThunk->u1.AddressOfData+(DWORD) Header);
} if(ImPortName==NULL) //Call By Index
{
FunctionIndex=FixImPortThunk->u1.Ordinal-IMAGE_ORDINAL_FLAG;
}
else //Call By Name/Address
{
Name=(LPTSTR) ImPortName->Name;
}
if(((ImPortName!=NULL) && (stricmp(Name,FunctionName)==NULL)) || ((ImPortName==NULL) && (FunctionIndex==(DWORD) FunctionName)))
{
if((BYTE) * ImPortThunk->u1.Function==IMPORT_FUNCTION_CALL_FLAG)
{
this->SystemCall=true;
}
else
{
this->SystemCall=false;
} EntryAddress=(DWORD *) ((BYTE *) ImPortThunk->u1.Function+ADDRESS_OFFSET); break;
}
} if(EntryAddress==NULL)
{
EachImPort++;
}
else
{
break;
}
} return EntryAddress;
}DWORD * ApiHookImpl::FindExPortEntry(const LPTSTR ModuleName,const LPTSTR FunctionName) //By Funciton Owner ExPort
{
BOOL Return;
BYTE * Header;
DWORD Index,Total,* EntryAddress,* FunctionEntry;
WORD * IndexEntry;
HMODULE Module;
LPTSTR Name,* NameEntry;
PIMAGE_DOS_HEADER Dos;
PIMAGE_NT_HEADERS Nt;
PIMAGE_EXPORT_DIRECTORY ExPort;
Module=GetModuleHandle(ModuleName);
if(Module==NULL)
{
return NULL;
} Header=(BYTE *) Module; Dos=(PIMAGE_DOS_HEADER) Header; Nt=(PIMAGE_NT_HEADERS) (Header+Dos->e_lfanew); ExPort=(PIMAGE_EXPORT_DIRECTORY) (Header+Nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); Return=false; Name=(LPTSTR) (Header+ExPort->Name); if(ExPort->NumberOfFunctions>NULL)
{
FunctionEntry=(DWORD *) (Header+(DWORD) ExPort->AddressOfFunctions);
NameEntry=(LPTSTR *) (Header+(DWORD) ExPort->AddressOfNames);
IndexEntry=(WORD *) (Header+(DWORD) ExPort->AddressOfNameOrdinals); //Named Function Name And Entry Address for(Total=NULL;Total<ExPort->NumberOfNames;Total++)
{
Name=(LPTSTR) (Header+(DWORD) NameEntry[Total]); Index=IndexEntry[Total]; EntryAddress=(DWORD *) (Header+FunctionEntry[Index]); if(stricmp(Name,FunctionName)==NULL)
{
Return=true; break;
}
} if(!Return) //Not Find Call By Named Function Name
{
//Call By Index Function Entry Address for(Total=NULL;Total<ExPort->NumberOfFunctions;Total++)
{
Index=Total; for(DWORD NamedIndex=NULL;NamedIndex<ExPort->NumberOfNames;NamedIndex++)
{
if(Total==IndexEntry[NamedIndex])
{
Index=0xFFFFFFFF; break;
}
} if(Index!=0xFFFFFFFF) //Not A Named Function Index
{
EntryAddress=(DWORD *) (Header+FunctionEntry[Index]); if(Index+ExPort->Base==(DWORD) FunctionName)
{
Return=true; break;
}
}
}
}
} if(!Return)
{
return NULL;
}
return EntryAddress;
}
{
DWORD Protect,* ImPortEntry,Len;
BOOL Return;
MEMORY_BASIC_INFORMATION Info;
HANDLE Handle;
LPTSTR ModuleFileName,FunctionName,CallerModuleFileName;
if(this->FindHookFunctionName(SystemFunction))
{
return false;
} ImPortEntry=this->FindImPortEntry(ModuleName,CallerModuleName,SystemFunction); if(ImPortEntry==NULL)
{
return false;
}
memset(& Info,NULL,sizeof(MEMORY_BASIC_INFORMATION)); Return=VirtualQuery(ImPortEntry,& Info,sizeof(MEMORY_BASIC_INFORMATION));
if(Return!=sizeof(MEMORY_BASIC_INFORMATION))
{
return false;
} Return=VirtualProtect(ImPortEntry,ADDRESS_SIZE,PAGE_EXECUTE_READWRITE,& Protect);
if(!Return)
{
return false;
} Handle=GetCurrentProcess(); if(CallerModuleName==NULL)
{
CallerModuleFileName=NULL;
}
else
{
Len=strlen(CallerModuleName); CallerModuleFileName=new CHAR[Len+1]; memset(CallerModuleFileName,NULL,Len+1); memcpy(CallerModuleFileName,CallerModuleName,Len);
} Len=strlen(ModuleName); ModuleFileName=new CHAR[Len+1]; memset(ModuleFileName,NULL,Len+1); memcpy(ModuleFileName,ModuleName,Len); if(IsBadCodePtr((FARPROC) SystemFunction))
{
Len=ADDRESS_SIZE+1;
}
else
{
Len=strlen(SystemFunction);
} FunctionName=new CHAR[Len+1]; memset(FunctionName,NULL,Len+1); if(IsBadCodePtr((FARPROC) SystemFunction))
{
ultoa((DWORD) SystemFunction,FunctionName,16);
}
else
{
memcpy(FunctionName,SystemFunction,Len);
} //Save The Original Call Code this->SystemCallCode.SetLinkToTail();
this->UserCallCodeOffset.SetLinkToTail();
this->CallerModuleName.SetLinkToTail();
this->SystemModuleName.SetLinkToTail();
this->SystemFunctionName.SetLinkToTail();
this->SystemCallCode.PushBack(* ImPortEntry);
this->UserCallCodeOffset.PushBack(this->SystemCall?NULL:(DWORD) ImPortEntry+ADDRESS_OFFSET);
this->CallerModuleName.PushBack(CallerModuleFileName);
this->SystemModuleName.PushBack(ModuleFileName);
this->SystemFunctionName.PushBack(FunctionName); //Write The New Function Entry * ImPortEntry=(DWORD) UserFunction; Return=VirtualProtect(ImPortEntry,ADDRESS_SIZE,Protect,& Protect); FlushInstructionCache(Handle,ImPortEntry,ADDRESS_SIZE); if(!Return)
{
return false;
} return true;
}bool ApiHookImpl::HookExPort(const LPTSTR ModuleName,const LPTSTR SystemFunction,const LPVOID UserFunction) //Hook For Module ExPort Function
{
DWORD Protect,* ExPortEntry,Len;
BOOL Return;
HANDLE Handle;
MODULEENTRY32 ModuleId;
MEMORY_BASIC_INFORMATION Info;
LPTSTR ModuleFileName,FunctionName; if(this->FindHookFunctionName(SystemFunction))
{
return false;
} ExPortEntry=this->FindExPortEntry(ModuleName,SystemFunction); if(ExPortEntry==NULL)
{
return false;
}
Handle=CreateToolhelp32Snapshot(TH32CS_SNAPALL,NULL); ModuleId.dwSize=sizeof(MODULEENTRY32); Return=Module32First(Handle,& ModuleId); while((stricmp(ModuleId.szModule,ModuleName)!=NULL) && Return)
{
Return=Module32Next(Handle,& ModuleId);
} CloseHandle(Handle); if(!Return)
{
return false;
} Handle=OpenProcess(PROCESS_ALL_ACCESS,FALSE,ModuleId.th32ProcessID); if(Handle==NULL)
{
return false;
} memset(& Info,NULL,sizeof(MEMORY_BASIC_INFORMATION)); Return=VirtualQueryEx(Handle,ExPortEntry,& Info,sizeof(MEMORY_BASIC_INFORMATION));
if(Return)
{
Return=VirtualProtectEx(Handle,ExPortEntry,ADDRESS_SIZE,PAGE_EXECUTE_READWRITE,& Protect);
if(Return)
{
//Save The Original Call Code Len=strlen(ModuleName); ModuleFileName=new CHAR[Len+1]; memset(ModuleFileName,NULL,Len+1); memcpy(ModuleFileName,ModuleName,Len); if(IsBadCodePtr((FARPROC) SystemFunction))
{
Len=ADDRESS_SIZE+1;
}
else
{
Len=strlen(SystemFunction);
} FunctionName=new CHAR[Len+1]; memset(FunctionName,NULL,Len+1); if(IsBadCodePtr((FARPROC) SystemFunction))
{
ultoa((DWORD) SystemFunction,FunctionName,16);
}
else
{
memcpy(FunctionName,SystemFunction,Len);
} this->SystemCallCode.SetLinkToTail();
this->UserCallCodeOffset.SetLinkToTail();
this->CallerModuleName.SetLinkToTail();
this->SystemModuleName.SetLinkToTail();
this->SystemFunctionName.SetLinkToTail(); this->SystemCallCode.PushBack(* ExPortEntry);
this->UserCallCodeOffset.PushBack(NULL);
this->CallerModuleName.PushBack((LPTSTR) EXPORT_FUNCTION);
this->SystemModuleName.PushBack(ModuleFileName);
this->SystemFunctionName.PushBack(FunctionName); //Write The New Function Entry Return=WriteProcessMemory(Handle,ExPortEntry,& (DWORD &) UserFunction,ADDRESS_SIZE,NULL); if(Return)
{
Return=VirtualProtectEx(Handle,ExPortEntry,ADDRESS_SIZE,Protect,& Protect); FlushInstructionCache(Handle,ExPortEntry,ADDRESS_SIZE);
}
}
} CloseHandle(Handle); return (bool) Return;
}
{
DWORD Index,Protect,* ImPortEntry;
BOOL Return;
MEMORY_BASIC_INFORMATION Info;
DWORD * SystemCode;
HANDLE Handle;
LPTSTR * ModuleName,* FunctionName,* CallerModuleFileName;
if(!this->FindHookFunctionName(SystemFunction))
{
return false;
} Index=this->SystemFunctionName.GetLinkItemIndex(); this->SystemCallCode.SetLinkItemIndex(Index); this->CallerModuleName.SetLinkItemIndex(Index); this->SystemModuleName.SetLinkItemIndex(Index); this->SystemFunctionName.SetLinkItemIndex(Index); SystemCode=this->SystemCallCode.Pop(); CallerModuleFileName=this->CallerModuleName.Pop(); ModuleName=this->SystemModuleName.Pop(); FunctionName=this->SystemFunctionName.Pop(); if((SystemCode==NULL) || (ModuleName==NULL) || (CallerModuleFileName==NULL) || (FunctionName==NULL))
{
return false;
} ImPortEntry=this->FindImPortEntry(* ModuleName,* CallerModuleFileName,SystemFunction); if(ImPortEntry==NULL)
{
return false;
} memset(& Info,NULL,sizeof(MEMORY_BASIC_INFORMATION)); Return=VirtualQuery(ImPortEntry,& Info,sizeof(MEMORY_BASIC_INFORMATION));
if(Return!=sizeof(MEMORY_BASIC_INFORMATION))
{
return false;
}
Return=VirtualProtect(ImPortEntry,ADDRESS_SIZE,PAGE_EXECUTE_READWRITE,& Protect);
if(!Return)
{
return false;
}
Handle=GetCurrentProcess(); //ReStore The System ImPort Call Code * ImPortEntry=* SystemCode; Return=VirtualProtect(ImPortEntry,ADDRESS_SIZE,Protect,& Protect); FlushInstructionCache(Handle,ImPortEntry,ADDRESS_SIZE); delete [](* ModuleName);
delete [](* FunctionName);
delete [](* CallerModuleFileName); this->SystemCallCode.SetLinkItemIndex(Index); this->SystemCallCode.Delete(); this->UserCallCodeOffset.SetLinkItemIndex(Index); this->UserCallCodeOffset.Delete(); this->CallerModuleName.SetLinkItemIndex(Index); this->CallerModuleName.Delete(); this->SystemModuleName.SetLinkItemIndex(Index); this->SystemModuleName.Delete(); this->SystemFunctionName.SetLinkItemIndex(Index); this->SystemFunctionName.Delete(); return true;
}bool ApiHookImpl::UnHookExPort(const LPTSTR SystemFunction) //Hook For Module ExPort Function
{
DWORD Index,Protect,* ExPortEntry;
BOOL Return;
HANDLE Handle;
MODULEENTRY32 ModuleId;
MEMORY_BASIC_INFORMATION Info;
DWORD * SystemCode;
LPTSTR * ModuleName,* FunctionName;
if(!this->FindHookFunctionName(SystemFunction))
{
return false;
} Index=this->SystemFunctionName.GetLinkItemIndex(); this->SystemModuleName.SetLinkItemIndex(Index); this->SystemCallCode.SetLinkItemIndex(Index); this->SystemFunctionName.SetLinkItemIndex(Index); ModuleName=this->SystemModuleName.Pop(); SystemCode=this->SystemCallCode.Pop(); FunctionName=this->SystemFunctionName.Pop(); if((SystemCode==NULL) || (ModuleName==NULL) || (FunctionName==NULL))
{
return false;
} ExPortEntry=this->FindExPortEntry(* ModuleName,SystemFunction); if(ExPortEntry==NULL)
{
return false;
}
Handle=CreateToolhelp32Snapshot(TH32CS_SNAPALL,NULL); ModuleId.dwSize=sizeof(MODULEENTRY32); Return=Module32First(Handle,& ModuleId); while((stricmp(ModuleId.szModule,* ModuleName)!=NULL) && Return)
{
Return=Module32Next(Handle,& ModuleId);
} CloseHandle(Handle); if(!Return)
{
return false;
} Handle=OpenProcess(PROCESS_ALL_ACCESS,FALSE,ModuleId.th32ProcessID); if(Handle==NULL)
{
return false;
} memset(& Info,NULL,sizeof(MEMORY_BASIC_INFORMATION)); Return=VirtualQueryEx(Handle,ExPortEntry,& Info,sizeof(MEMORY_BASIC_INFORMATION));
if(Return)
{
Return=VirtualProtectEx(Handle,ExPortEntry,ADDRESS_SIZE,PAGE_EXECUTE_READWRITE,& Protect);
if(Return)
{
//Write The New Function Entry Return=WriteProcessMemory(Handle,ExPortEntry,SystemCode,ADDRESS_SIZE,NULL); if(Return)
{
Return=VirtualProtectEx(Handle,ExPortEntry,ADDRESS_SIZE,Protect,& Protect); FlushInstructionCache(Handle,ExPortEntry,ADDRESS_SIZE);
}
}
} CloseHandle(Handle); delete [](* ModuleName);
delete [](* FunctionName); this->SystemCallCode.SetLinkItemIndex(Index); this->SystemCallCode.Delete(); this->SystemModuleName.SetLinkItemIndex(Index); this->SystemModuleName.Delete(); this->SystemFunctionName.SetLinkItemIndex(Index); this->SystemFunctionName.Delete(); return (bool) Return;
}bool ApiHookImpl::UnHookAll(void)
{
DWORD Index;
LPTSTR * RefSystemFunctionName,* RefModuleFlag;
this->CallerModuleName.SetLinkToHeader(); this->SystemFunctionName.SetLinkToHeader(); do
{
RefModuleFlag=this->CallerModuleName.PopAndMove(true); RefSystemFunctionName=this->SystemFunctionName.PopAndMove(true); Index=this->SystemFunctionName.GetLinkItemIndex(); if(RefSystemFunctionName!=NULL)
{
((DWORD) * RefModuleFlag)==EXPORT_FUNCTION?this->UnHookExPort(* RefSystemFunctionName):this->UnHookImPort(* RefSystemFunctionName);
} this->CallerModuleName.SetLinkItemIndex(Index); this->SystemFunctionName.SetLinkItemIndex(Index);
}
while(RefSystemFunctionName!=NULL); return true;
}bool ApiHookImpl::CallHookImPort(const LPTSTR SystemFunction,DWORD EbpOffset)
{
DWORD Index,* Address,* Base; if(!this->FindHookFunctionName(SystemFunction))
{
return false;
}
Index=this->SystemFunctionName.GetLinkItemIndex(); this->SystemCallCode.SetLinkItemIndex(Index); this->UserCallCodeOffset.SetLinkItemIndex(Index); Address=this->SystemCallCode.Pop(); Base=this->UserCallCodeOffset.Pop(); if((Address==NULL) || (Base==NULL))
{
return false;
} EbpOffset+=EBP_SIZE+CALL_SIZE; _asm
{
mov eax,Address
mov edx,dword ptr [eax] mov eax,Base add edx,dword ptr [eax] mov eax,EbpOffset mov ebx,esp mov esp,eax call edx
mov esp,ebx
} return true;
}bool ApiHookImpl::CallHookExPort(const LPTSTR SystemFunction,DWORD EbpOffset)
{
DWORD Index,* Address; if(!this->FindHookFunctionName(SystemFunction))
{
return false;
} Index=this->SystemFunctionName.GetLinkItemIndex(); this->SystemCallCode.SetLinkItemIndex(Index); Address=this->SystemCallCode.Pop(); if(Address==NULL)
{
return false;
} EbpOffset+=EBP_SIZE+CALL_SIZE; _asm
{
mov edx,Address
mov edx,dword ptr [edx] mov ebx,esp mov eax,EbpOffset mov esp,eax call edx mov esp,ebx
}
}
http://expert.csdn.net/Expert/topic/1868/1868391.xml?temp=.5015375