希望能够帮帮小弟
程序源代码:
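void CTestAPIDlg::OnHook()
{
    // "Hook" button: redirect this executable's own IAT slot for
    // User32!MessageBoxA to MessageBoxQ.
    //
    // NOTE(review): only the import table of the .exe (GetModuleHandle(NULL))
    // is patched. OnMsgbox below calls CWnd::MessageBoxA, which lives in the
    // MFC DLL when MFC is linked dynamically; presumably the actual call to
    // User32!MessageBoxA is then made from MFC42.dll through *its* import
    // table, which this hook never touches. To intercept that path, hook the
    // module that really imports the function (or every loaded module).
    HMODULE hCaller = GetModuleHandle(NULL);
    HMODULE hUser32 = LoadLibrary("User32.dll");   // reference is never released; harmless for user32 in a GUI process
    if (hUser32 == NULL)
        return;                                      // nothing to resolve against
    FARPROC pfnOriginal = GetProcAddress(hUser32, "MessageBoxA");
    if (pfnOriginal == NULL)
        return;                                      // don't go looking for a NULL slot in the IAT
    ReplaceIATEntryInOneMod("User32.dll", pfnOriginal, (PROC)MessageBoxQ, hCaller);
}

void CTestAPIDlg::ReplaceIATEntryInOneMod(PCSTR pszCalleeModName, PROC pfnCurrent, PROC pfnNew, HMODULE hmodCaller)
{
    // Walk hmodCaller's import directory, find the descriptor for
    // pszCalleeModName, and overwrite the first IAT slot that currently holds
    // pfnCurrent with pfnNew. Exactly one slot is patched per call.
    //
    // pszCalleeModName: DLL name as written in the import descriptor (compared case-insensitively).
    // pfnCurrent:       address the slot holds now (normally from GetProcAddress).
    // pfnNew:           replacement address.
    // hmodCaller:       module whose IAT is patched.
    //
    // Limitation inherent to IAT hooking: only calls that go through this
    // module's import table are redirected. Calls made from other modules, or
    // through a pointer obtained with GetProcAddress, are unaffected.
    if (pfnCurrent == NULL || pfnNew == NULL || hmodCaller == NULL)
        return;

    ULONG ulSize;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc = NULL;
    // The module may be unmapped between the caller enumerating it and this
    // call; reading its headers would then fault, so the lookup is guarded.
    __try {
        pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR) ImageDirectoryEntryToData(
            hmodCaller, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize);
    }
    __except (InvalidReadExceptionFilter(GetExceptionInformation())) {
    }
    if (pImportDesc == NULL)
        return;    // no import section, or the module is no longer loaded

    // The descriptor array is terminated by an entry whose Name RVA is 0.
    // (In the listing as pasted, this loop header had been pulled into the
    // comment above it, so only the first descriptor was ever examined.)
    for (; pImportDesc->Name; pImportDesc++) {
        PSTR pszModName = (PSTR)((PBYTE)hmodCaller + pImportDesc->Name);
        if (lstrcmpiA(pszModName, pszCalleeModName) != 0)
            continue;

        // FirstThunk is the IAT proper -- the array the loader rewrote with
        // resolved addresses -- so that is what gets patched.
        PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)((PBYTE)hmodCaller + pImportDesc->FirstThunk);
        for (; pThunk->u1.Function; pThunk++) {
            PROC* ppfn = (PROC*)&pThunk->u1.Function;
            if (*ppfn != pfnCurrent)
                continue;

            // The IAT page is normally read-only. Try the plain write first;
            // on ERROR_NOACCESS make the page copy-on-write just long enough
            // to patch it, then restore the previous protection. Any other
            // failure is silently ignored, as in the original.
            if (!WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew, sizeof(pfnNew), NULL)
                && ERROR_NOACCESS == GetLastError()) {
                DWORD dwOldProtect;
                if (VirtualProtect(ppfn, sizeof(pfnNew), PAGE_WRITECOPY, &dwOldProtect)) {
                    WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew, sizeof(pfnNew), NULL);
                    VirtualProtect(ppfn, sizeof(pfnNew), dwOldProtect, &dwOldProtect);
                }
            }
            return;    // one slot per call: done (whether or not the write succeeded)
        }
    }
}

void CTestAPIDlg::OnMsgbox()
{
    // "MsgBox" button: shows the message box the hook is expected to catch.
    // Inside a CWnd-derived class, a one-argument MessageBoxA can only be
    // CWnd::MessageBoxA (the member, not the four-argument User32 export), so
    // the User32!MessageBoxA slot patched by OnHook is not what this call
    // goes through when MFC is a DLL -- hence the text below is what shows.
    MessageBoxA("没有被截取到!");
}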
程序源代码:
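void CTestAPIDlg::OnHook()
{
    // "Hook" button: redirect this executable's own IAT slot for
    // User32!MessageBoxA to MessageBoxQ.
    //
    // NOTE(review): only the import table of the .exe (GetModuleHandle(NULL))
    // is patched. OnMsgbox below calls CWnd::MessageBoxA, which lives in the
    // MFC DLL when MFC is linked dynamically; presumably the actual call to
    // User32!MessageBoxA is then made from MFC42.dll through *its* import
    // table, which this hook never touches. To intercept that path, hook the
    // module that really imports the function (or every loaded module).
    HMODULE hCaller = GetModuleHandle(NULL);
    HMODULE hUser32 = LoadLibrary("User32.dll");   // reference is never released; harmless for user32 in a GUI process
    if (hUser32 == NULL)
        return;                                      // nothing to resolve against
    FARPROC pfnOriginal = GetProcAddress(hUser32, "MessageBoxA");
    if (pfnOriginal == NULL)
        return;                                      // don't go looking for a NULL slot in the IAT
    ReplaceIATEntryInOneMod("User32.dll", pfnOriginal, (PROC)MessageBoxQ, hCaller);
}

void CTestAPIDlg::ReplaceIATEntryInOneMod(PCSTR pszCalleeModName, PROC pfnCurrent, PROC pfnNew, HMODULE hmodCaller)
{
    // Walk hmodCaller's import directory, find the descriptor for
    // pszCalleeModName, and overwrite the first IAT slot that currently holds
    // pfnCurrent with pfnNew. Exactly one slot is patched per call.
    //
    // pszCalleeModName: DLL name as written in the import descriptor (compared case-insensitively).
    // pfnCurrent:       address the slot holds now (normally from GetProcAddress).
    // pfnNew:           replacement address.
    // hmodCaller:       module whose IAT is patched.
    //
    // Limitation inherent to IAT hooking: only calls that go through this
    // module's import table are redirected. Calls made from other modules, or
    // through a pointer obtained with GetProcAddress, are unaffected.
    if (pfnCurrent == NULL || pfnNew == NULL || hmodCaller == NULL)
        return;

    ULONG ulSize;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc = NULL;
    // The module may be unmapped between the caller enumerating it and this
    // call; reading its headers would then fault, so the lookup is guarded.
    __try {
        pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR) ImageDirectoryEntryToData(
            hmodCaller, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize);
    }
    __except (InvalidReadExceptionFilter(GetExceptionInformation())) {
    }
    if (pImportDesc == NULL)
        return;    // no import section, or the module is no longer loaded

    // The descriptor array is terminated by an entry whose Name RVA is 0.
    // (In the listing as pasted, this loop header had been pulled into the
    // comment above it, so only the first descriptor was ever examined.)
    for (; pImportDesc->Name; pImportDesc++) {
        PSTR pszModName = (PSTR)((PBYTE)hmodCaller + pImportDesc->Name);
        if (lstrcmpiA(pszModName, pszCalleeModName) != 0)
            continue;

        // FirstThunk is the IAT proper -- the array the loader rewrote with
        // resolved addresses -- so that is what gets patched.
        PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)((PBYTE)hmodCaller + pImportDesc->FirstThunk);
        for (; pThunk->u1.Function; pThunk++) {
            PROC* ppfn = (PROC*)&pThunk->u1.Function;
            if (*ppfn != pfnCurrent)
                continue;

            // The IAT page is normally read-only. Try the plain write first;
            // on ERROR_NOACCESS make the page copy-on-write just long enough
            // to patch it, then restore the previous protection. Any other
            // failure is silently ignored, as in the original.
            if (!WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew, sizeof(pfnNew), NULL)
                && ERROR_NOACCESS == GetLastError()) {
                DWORD dwOldProtect;
                if (VirtualProtect(ppfn, sizeof(pfnNew), PAGE_WRITECOPY, &dwOldProtect)) {
                    WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew, sizeof(pfnNew), NULL);
                    VirtualProtect(ppfn, sizeof(pfnNew), dwOldProtect, &dwOldProtect);
                }
            }
            return;    // one slot per call: done (whether or not the write succeeded)
        }
    }
}

void CTestAPIDlg::OnMsgbox()
{
    // "MsgBox" button: shows the message box the hook is expected to catch.
    // Inside a CWnd-derived class, a one-argument MessageBoxA can only be
    // CWnd::MessageBoxA (the member, not the four-argument User32 export), so
    // the User32!MessageBoxA slot patched by OnHook is not what this call
    // goes through when MFC is a DLL -- hence the text below is what shows.
    MessageBoxA("没有被截取到!");
}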
解决方案 »
MFC 对 MessageBox 做了封装（CWnd::MessageBox）。你在对话框类里调用的是这个成员函数，并不是 User32 导出的 MessageBoxA。
你所提到的问题恰恰是导入表式 hook 的局限性：IAT hook 只能拦截"被 hook 的那个模块自己"通过导入表发出的调用，调用发生在别的模块（这里是 MFC42.dll）内部时就看不到。只有改变 hook 的形式才能从根本上解决这个问题，新的 hook 方式就是 inline hook；退而求其次，也可以去 hook 真正发起调用的那个模块的导入表（见下面的回复）。
{
// TODO: Add your control notification handler code here
MessageBox("谢谢!");
} 这个 MessageBox 调用的是 CWnd::MessageBoxA，可不是 User32 里面的 MessageBoxA，所以 exe 的 IAT 里自然没有 User32!MessageBoxA 这一项，OnHook 里的替换什么也没找到。MFC42.dll 的导出函数没有名字，只能按序号（ordinal）找：这里 CWnd::MessageBox 对应的是 4224（我是 VC6、Win2k3 SP1；序号随 MFC 版本、Debug/Release 而变，换了环境必须重新核对）。强制 hack 的方法如下。OnHook：
// Body of OnHook, rewritten to patch the .exe's import of MFC42.dll instead
// of its (non-existent) import of User32!MessageBoxA.
HMODULE m_hdl = GetModuleHandle(NULL);
// Look up CWnd::MessageBoxA in MFC42.dll by ordinal (a Release build is being
// debugged here, so it is MFC42.dll rather than MFC42D.dll). The ordinal is
// specific to this MFC build; it must be re-checked on any other toolchain.
FARPROC m_ProAdd = GetProcAddress(LoadLibrary("MFC42.dll"),(LPCSTR)4224);
// Then replace the .exe's IAT slot for that import with MessageBoxQ
ReplaceIATEntryInOneMod("MFC42.dll" , m_ProAdd , (PROC)MessageBoxQ , m_hdl); MessageBoxQ 函数要注意：不再是四个参数了，因为 hook 的是 CWnd 的成员函数（x86 上是 __thiscall），this 指针走 ECX 寄存器，其余三个参数压栈、由被调方清栈——所以用 WINAPI（__stdcall）的三参数函数顶替时栈是平衡的，ECX 直接忽略即可。我是这么写的：
// Replacement for the IAT slot that points at CWnd::MessageBox (resolved from
// MFC42.dll by ordinal). The member takes (LPCTSTR, LPCTSTR, UINT) with `this`
// in ECX; a three-argument __stdcall (WINAPI) function has the same stack
// layout and callee clean-up on x86, so it can stand in and simply ignore ECX.
// This is a debugging stub: it returns 0 rather than a real button id, and the
// calling-convention trick is x86/MSVC-specific.
int WINAPI MessageBoxQ(LPCTSTR lpText,LPCTSTR lpCaption,UINT uType)
{
// break in debugger -- with no debugger attached this raises a breakpoint
// exception the program does not handle (presumably fatal; confirm before
// shipping anything like this)
__asm int 3;
return 0;
}
为什么动态链接 MFC 时就 hook 不到，还不清楚！或许只是方法不对，还待研究。（补充：按上面的分析大概是这样——动态链接时 CWnd::MessageBox 在 MFC42.dll 里，它对 User32!MessageBoxA 的调用走的是 MFC42.dll 自己的导入表，而 OnHook 只改了 exe 的 IAT；静态链接时这段代码被链进 exe，调用才出现在 exe 的 IAT 里。要么像上面那样改 hook exe 对 MFC42.dll 的导入，要么对进程里所有已加载模块的 IAT 都做一遍替换。）