Useful code: [source download] class CVBAPIHooker, a class that lets you handle API interception as events
[Source download address]: http://60.191.21.235:1122/vbapihooker.rar
With this class you can conveniently intercept and handle the imported API functions of a target process...

Below is the assembly code that execution jumps to once an API has been intercepted. 0x11223344 stands for the start address of the memory block allocated in the target process... The first part is a small code fragment that is different for every API; its main job is to write the hook's sequence number:
tinystub:
mov eax,0x11223344
mov dword ptr [eax+0x18],1 //APIHOOKID
jmp dword ptr stub //jump to the shared stub
This is where every API ultimately ends up; its main job is, of course, the real work of the API interception.
stub:
mov eax,0x11223344
pop ebx
mov [eax+0x44],ebx
pop eax
push ebp
mov ebp,0x11223344
mov [ebp+0x44],eax
cmp dword ptr [ebp+0xC],0
jnz beforeaction //SendMessage address already resolved: skip
lea eax,[ebp+0x30]
push eax
call dword ptr [ebp+0x0] //call GetModuleHandle
cmp eax,0
jnz getsendmsg //User32 already in memory: skip LoadLibrary
lea edi,[ebp+0x30]
push edi
call dword ptr [ebp+0x4] //call LoadLibrary
getsendmsg:
lea edi,[ebp+0x37]
push edi
push eax
call dword ptr [ebp+0x8] //call GetProcAddress
mov [ebp+0xC],eax
beforeaction:
mov [ebp+0x14],esp
//-----------------------------------
/* current process */
push 0x11
push 0x123456//lpthis
call dword ptr [id]//call callproc
//-----------------------------------
//-----------------------------------
/* other process */
push 0
push 0x11
push [ebp+0x28]//msg
push [ebp+0x24]//hwnd
call dword ptr [ebp+0xC] //SendMessage
mov [ebp+0x1C],1
loop1:
cmp [ebp+0x1C],1
jz loop1 //spin until the handler clears the flag
//-----------------------------------
xor eax,eax
cmp [ebp+0x20],1 //check block flag
jz blockcall
pop ebp
mov edi,0x11223344
call dword ptr [edi+0x10]//addr: call the original API
push ebp
mov ebp,0x11223344
jmp afteraction
blockcall:
mov edi,[ebp+0x50] //argument count
mov eax,[esp]
lea esp,[esp+edi*4+4] //drop the arguments (stdcall cleanup)
push eax
xor eax,eax
afteraction:
lea edi,[ebp+0x2C]
mov [edi],eax //store the return value
//-----------------------------------
/* current process */
push 0x22
push 0x123456//lpthis
call dword ptr [id]//call callproc
//-----------------------------------
//-----------------------------------
/* other process */
push 0
push 0x22
push [ebp+0x28]//msg
push [ebp+0x24]//hwnd
call dword ptr [ebp+0xC] //SendMessage
mov [ebp+0x1C],1
loop2:
cmp [ebp+0x1C],1
jz loop2 //spin until the handler clears the flag
//-----------------------------------
mov eax,[ebp+0x2C]
pop ebp
mov edi,0x11223344
push [edi+0x44] //return address saved at +0x44 above
ret
Note: my assembly isn't great, so people who know assembly may find plenty of redundant spots in this code... but I'm a lazy pig and only ask that it works, hehe~~

Oops, I made a mistake...
jnz beforecall //SendMessage address already resolved: skip
should be
jnz beforeaction //SendMessage address already resolved: skip
Amen~~

Added a more detailed usage example to the package... plus a wild boar, hoho~~~~~

I love eating beans! Add me, I want to become your apprentice; or let's found a VB Bean Gang with you as the boss, and I'll be a small-time hooligan. QQ:13841047
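A defender-side companion to the stub above, added here as an example that is not part of the original post or the CVBAPIHooker package: it audits an IAT snapshot for entries redirected outside the exporting DLL's image and recognizes the tinystub byte pattern so an analyst can read back the control block and hook id. The module ranges, memory contents and the encoding assumed for the tinystub's jmp are constructed assumptions.

```python
import struct

# Constructed sample data (not from a real process): module ranges a defender
# would take from the target's module list, the expected home of each import.
MODULES = {"kernel32.dll": (0x7C800000, 0x000F6000),
           "user32.dll": (0x77D40000, 0x00090000)}

# Byte pattern of the page's per-API "tinystub" (the jmp encoding is assumed):
#   B8 imm32         mov eax, <control block>
#   C7 40 18 imm32   mov dword ptr [eax+0x18], <hook id>
#   E9 rel32 or FF 25 addr32   jmp stub
def parse_tinystub(addr, code):
    """Return (block, hook_id, stub_target) if bytes at addr form a tinystub."""
    if len(code) < 17 or code[0] != 0xB8 or code[5:8] != b"\xC7\x40\x18":
        return None
    block = struct.unpack_from("<I", code, 1)[0]
    hook_id = struct.unpack_from("<I", code, 8)[0]
    if code[12] == 0xE9:  # jmp rel32, relative to the next instruction
        rel = struct.unpack_from("<i", code, 13)[0]
        return block, hook_id, (addr + 17 + rel) & 0xFFFFFFFF
    if code[12:14] == b"\xFF\x25" and len(code) >= 18:  # jmp dword ptr [addr32]
        return block, hook_id, struct.unpack_from("<I", code, 14)[0]
    return None

def audit_iat(iat, read_mem):
    """iat: [(dll, func, pointer)]; read_mem(addr, n) -> bytes. Flags entries
    whose pointer is outside the exporting DLL and classifies the target code."""
    findings = []
    for dll, func, ptr in iat:
        base, size = MODULES[dll]
        if base <= ptr < base + size:
            continue  # still inside its own DLL: unmodified
        info = parse_tinystub(ptr, read_mem(ptr, 18))
        findings.append((dll, func, ptr, "tinystub" if info else "redirect", info))
    return findings

# Constructed memory image: a tinystub at 0x00360000 (block 0x11223344, hook id 1,
# jumping to a shared stub at 0x00360100) and ordinary code at 0x00410000.
SAMPLE_MEM = {
    0x00360000: b"\xB8" + struct.pack("<I", 0x11223344)
    + b"\xC7\x40\x18" + struct.pack("<I", 1)
    + b"\xE9" + struct.pack("<i", 0x00360100 - (0x00360000 + 17)),
    0x00410000: b"\x8B\xFF\x55\x8B\xEC",
}
SAMPLE_IAT = [("kernel32.dll", "CreateFileA", 0x7C801A28),  # inside kernel32: clean
              ("user32.dll", "MessageBoxA", 0x00360000),    # points at a tinystub
              ("kernel32.dll", "ExitProcess", 0x00410000)]  # redirected elsewhere

def read_sample(addr, n):
    return SAMPLE_MEM.get(addr, b"")[:n]
```

Calling `audit_iat(SAMPLE_IAT, read_sample)` reports MessageBoxA as a tinystub (with its control block and hook id) and ExitProcess as an unclassified redirect, while CreateFileA passes.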