//---------------------------------------------------------------------------#include <windows.h> //--------------------------------------------------------------------------- // Important note about DLL memory management when your DLL uses the // static version of the RunTime Library: // // If your DLL exports any functions that pass String objects (or structs/ // classes containing nested Strings) as parameter or function results, // you will need to add the library MEMMGR.LIB to both the DLL project and // any other projects that use the DLL. You will also need to use MEMMGR.LIB // if any other projects which use the DLL will be performing new or delete // operations on any non-TObject-derived classes which are exported from the // DLL. Adding MEMMGR.LIB to your project will change the DLL and its calling // EXE's to use the BORLNDMM.DLL as their memory manager. In these cases, // the file BORLNDMM.DLL should be deployed along with your DLL. // // To avoid using BORLNDMM.DLL, pass string information using "char *" or // ShortString parameters. // // If your DLL uses the dynamic version of the RTL, you do not need to // explicitly add MEMMGR.LIB as this will be done implicitly for you //---------------------------------------------------------------------------#pragma argsused HHOOK g_hHook; HINSTANCE g_hinstDll; FARPROC fpMessageBoxA;HMODULE hModule ; BYTE OldMessageBoxACode[5], NewMessageBoxACode[5]; DWORD dwIdOld, dwIdNew; BOOL bHook = false;void HookOn(); void HookOff(); BOOL Init(); int WINAPI MyMessageBoxA(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType); //--------------------------------------------------------------------------- // 空的钩子函数 LRESULT WINAPI Hook(int nCode, WPARAM wParam, LPARAM lParam) { return(CallNextHookEx(g_hHook, nCode, wParam, lParam)); } //--------------------------------------------------------------------------- // 输出,安装空的钩子函数 extern "C" __declspec(dllexport) __stdcall BOOL InstallHook() { g_hinstDll = LoadLibrary("project1.dll"); // 这里的文件名为Dll本身的文件名 g_hHook = SetWindowsHookEx(WH_GETMESSAGE, (HOOKPROC)Hook, g_hinstDll, 0); if (!g_hHook) { MessageBoxA(NULL, "SET ERROR", "ERROR", MB_OK); return(false); } return(true); } //---------------------------------------------------------------------------
icopyhook是不是只对文件夹起作用啊??
-------------------
It works with folder only and not with individual files.
还有如果你往瑞星的进程里注入代码,肯定被杀-_-
BOOL myDeleteFileW( LPCWSTR lpFileName )
{
char fName[MAX_PATH] = {0};
WideCharToMultiByte( CP_ACP, 0, lpFileName, -1, fName, 128,NULL,NULL);
char sPrompt[200] = {0};
sprintf( sPrompt, "确认删除文件:%s吗?", fName );
if( IDYES == MessageBox( NULL, sPrompt, "提示", MB_YESNO ) )
{
return ((BOOL (WINAPI*)(LPCWSTR))g_pDeleteFileW)( lpFileName );
}
else
{
return FALSE;
}
}
其中g_pDeleteFileW为取得系统api DeleteFileW的地址。
现在的问题是,当这个函数返回后,就报错了:Exeplore.EXE - 应用程序错误
"0x00153025"指令引用的"0x4e1c0000"内存。该内存不能为"written"。
可以,我做过用钩子的. 但缺点是资源浪费. 想想:钩子是对所有进程的.
我转载一个文章吧,也贴给大家看看.
Win2K下的Api函数的拦截
浏览选项: 大中小 颜色 默认 灰度 橄榄色 绿色 蓝色 褐色 红色
这么多高手在这里,哎,小弟愿意向各位高手学习。
Api拦截并不是一个新的技术,很多商业软件都采用这种技术。对windows的Api函数的拦截,不外乎两种方法,第一种是Mr. Jeffrey Richter 的修改exe文件的模块输入节,种方法,很安全,但很复杂,而且有些exe文件,没有Dll的输入符号的列表,有可能出现拦截不到的情况。第二种方法就是常用的JMP XXX的方法,虽然很古老,却很简单实用。
本文一介绍第二种方法在Win2k下的使用。第二种方法,Win98/me 下因为进入Ring0级的方法很多,有LDT,IDT,Vxd等方法,很容易在内存中动态修改代码,但在Win2k下,这些方法都不能用,写WDM太过复杂,表面上看来很难实现,
其实不然。Win2k为我们提供了一个强大的内存Api操作函数---VirtualProtectEx,WriteProcessMemeory,ReadProcessMemeory,有了它们我们就能在内存中动态修改代码了,其原型为:
BOOL VirtualProtectEx(
HANDLE hProcess, // 要修改内存的进程句柄
LPVOID lpAddress, // 要修改内存的起始地址
DWORD dwSize, // 修改内存的字节
DWORD flNewProtect, // 修改后的内存属性
PDWORD lpflOldProtect // 修改前的内存属性的地址
);
BOOL WriteProcessMemory(
HANDLE hProcess, // 要写进程的句柄
LPVOID lpBaseAddress, // 写内存的起始地址
LPVOID lpBuffer, // 写入数据的地址
DWORD nSize, // 要写的字节数
LPDWORD lpNumberOfBytesWritten // 实际写入的子节数
);
BOOL ReadProcessMemory(
HANDLE hProcess, // 要读进程的句柄
LPCVOID lpBaseAddress, // 读内存的起始地址
LPVOID lpBuffer, // 读入数据的地址
DWORD nSize, // 要读入的字节数
LPDWORD lpNumberOfBytesRead // 实际读入的子节数
);
具体的参数请参看MSDN帮助。在Win2k下因为Dll和所属进程在同一地址空间,这点又和Win9x/me存在所有进程存在共享的地址空间不同,
因此,必须通过钩子函数和远程注入进程的方法,现以一个简单采用钩子函数对MessageBoxA进行拦截例子来说明:
其中Dll文件为:
//---------------------------------------------------------------------------
// Important note about DLL memory management when your DLL uses the
// static version of the RunTime Library:
//
// If your DLL exports any functions that pass String objects (or structs/
// classes containing nested Strings) as parameter or function results,
// you will need to add the library MEMMGR.LIB to both the DLL project and
// any other projects that use the DLL. You will also need to use MEMMGR.LIB
// if any other projects which use the DLL will be performing new or delete
// operations on any non-TObject-derived classes which are exported from the
// DLL. Adding MEMMGR.LIB to your project will change the DLL and its calling
// EXE's to use the BORLNDMM.DLL as their memory manager. In these cases,
// the file BORLNDMM.DLL should be deployed along with your DLL.
//
// To avoid using BORLNDMM.DLL, pass string information using "char *" or
// ShortString parameters.
//
// If your DLL uses the dynamic version of the RTL, you do not need to
// explicitly add MEMMGR.LIB as this will be done implicitly for you
//---------------------------------------------------------------------------#pragma argsused
HHOOK g_hHook;
HINSTANCE g_hinstDll;
FARPROC fpMessageBoxA;HMODULE hModule ;
BYTE OldMessageBoxACode[5], NewMessageBoxACode[5];
DWORD dwIdOld, dwIdNew;
BOOL bHook = false;void HookOn();
void HookOff();
BOOL Init();
int WINAPI MyMessageBoxA(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
//---------------------------------------------------------------------------
// 空的钩子函数
LRESULT WINAPI Hook(int nCode, WPARAM wParam, LPARAM lParam)
{
return(CallNextHookEx(g_hHook, nCode, wParam, lParam));
}
//---------------------------------------------------------------------------
// 输出,安装空的钩子函数
extern "C" __declspec(dllexport) __stdcall
BOOL InstallHook()
{
g_hinstDll = LoadLibrary("project1.dll"); // 这里的文件名为Dll本身的文件名
g_hHook = SetWindowsHookEx(WH_GETMESSAGE, (HOOKPROC)Hook, g_hinstDll, 0);
if (!g_hHook)
{
MessageBoxA(NULL, "SET ERROR", "ERROR", MB_OK);
return(false);
}
return(true);
}
//---------------------------------------------------------------------------
extern "C" __declspec(dllexport) __stdcall
BOOL UninstallHook()
{
return(UnhookWindowsHookEx(g_hHook));
}
//---------------------------------------------------------------------------
// 初始化得到MessageBoxA的地址,并生成Jmp XXX(MyMessageBoxA)的跳转指令
BOOL Init()
{
hModule = LoadLibrary("user32.dll");
fpMessageBoxA = GetProcAddress(hModule, "GetSystemDirectoryA");
if(fpMessageBoxA == NULL)
return false;
_asm
{
pushad
lea edi, OldMessageBoxACode
mov esi, fpMessageBoxA
cld
movsd
movsb
popad
}
NewMessageBoxACode[0] = 0xe9; // jmp MyMessageBoxA的相对地址的指令
_asm
{
lea eax, MyGetSystemDirectory
mov ebx, fpMessageBoxA
sub eax, ebx
sub eax, 5
mov dword ptr [NewMessageBoxACode + 1], eax
}
dwIdNew = GetCurrentProcessId(); // 得到所属进程的ID
dwIdOld = dwIdNew;
HookOn(); // 开始拦截
return(true);
}
//---------------------------------------------------------------------------
// 首先关闭拦截,然后才能调用被拦截的Api 函数
int WINAPI MyMessageBoxA(HWND hWnd, LPCTSTR lpText,LPCTSTR lpCaption, UINT uType)
{
int nReturn;
HookOff();
nReturn = MessageBoxA(hWnd, "来自钩子中的内容", lpCaption, MB_OK | MB_ICONINFORMATION);
HookOn();
return(nReturn);
}
//---------------------------------------------------------------------------
你的HookOn,HookOff,Hook()都在哪?
接上:
//---------------------------------------------------------------------------
// 本文代码由ccrun整理并在BCB 6.0环境下调试通过。
// Welcome to C++ Builder 研究
// http://www.ccrun.com
//---------------------------------------------------------------------------void HookOn()
{
HANDLE hProc;
dwIdOld = dwIdNew;
// 得到所属进程的句柄
hProc = OpenProcess(PROCESS_ALL_ACCESS, 0, dwIdOld);
// 修改所属进程中MessageBoxA的前5个字节的属性为可写
VirtualProtectEx(hProc, fpMessageBoxA, 5, PAGE_READWRITE,&dwIdOld);
// 将所属进程中MessageBoxA的前5个字节改为JMP 到MyMessageBoxA
WriteProcessMemory(hProc, fpMessageBoxA, NewMessageBoxACode, 5, 0);
// 修改所属进程中MessageBoxA的前5个字节的属性为原来的属性
VirtualProtectEx(hProc, fpMessageBoxA, 5, dwIdOld, &dwIdOld);
bHook=true;
}
//---------------------------------------------------------------------------
// 将所属进程中JMP MyMessageBoxA的代码改为Jmp MessageBoxA
void HookOff()
{
HANDLE hProc;
dwIdOld = dwIdNew;
hProc = OpenProcess(PROCESS_ALL_ACCESS, 0, dwIdOld);
VirtualProtectEx(hProc, fpMessageBoxA,5, PAGE_READWRITE, &dwIdOld);
WriteProcessMemory(hProc, fpMessageBoxA, OldMessageBoxACode, 5, 0);
VirtualProtectEx(hProc, fpMessageBoxA, 5, dwIdOld, &dwIdOld);
bHook = false;
}
//---------------------------------------------------------------------------
int WINAPI DllEntryPoint(HINSTANCE hinst, unsigned long reason, void* lpReserved)
{
switch (reason)
{
case DLL_PROCESS_ATTACH:
if(!Init())
{
MessageBoxA(NULL,"Init","ERROR",MB_OK);
return(false);
}
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
if(bHook)
UninstallHook();
break;
}
return TRUE;
}
extern "C" __declspec(dllimport) __stdcall
BOOL InstallHook();
extern "C" __declspec(dllimport) __stdcall
BOOL UninstallHook();
//---------------------------------------------------------------------------
__fastcall TForm1::TForm1(TComponent* Owner)
: TForm(Owner)
{
}
//---------------------------------------------------------------------------
// 本文代码由ccrun整理并在BCB 6.0环境下调试通过。
// Welcome to C++ Builder 研究
// http://www.ccrun.com
//---------------------------------------------------------------------------
void __fastcall TForm1::Button1Click(TObject *Sender)
{
if(!InstallHook())
{
Label1->Caption = "Hook Error!";
}
MessageBoxA(NULL, "内容", "标题", MB_OK);
// 可以看见"内容变成了"来自钩子中的内容"
if(!UninstallHook())
{
Label1->Caption = "Uninstall Error!";
}
}
//---------------------------------------------------------------------------
我试过这个程序的.而且也试过HOOK其他的API都没问题,当然对于Windows未公布的一些函数你得知道它得函数原型,这些也可已在网上搜到得.