//拦截方法没有用更改AIT, 而是用的JMP跳转, 在WIN2000/XP下面都能拦截. 就是在WIN98下面不能对指定的函数进行拦截, 不知道什么原因??
#include <windows>
#include <stdio.h>typedef struct
{
FARPROC funcaddr;
BYTE olddata[5];
BYTE newdata[5];
}HOOKSTRUCT;
HOOKSTRUCT struct_DeleteFileA;
HOOKSTRUCT struct_DeleteFileW;void HookOnOne(HOOKSTRUCT *hookfunc)
{
HANDLE hProc;
DWORD dwIdOld = GetCurrentProcessId();
hProc = OpenProcess(PROCESS_ALL_ACCESS, 0, dwIdOld);
VirtualProtect(hookfunc->funcaddr, 5, PAGE_READWRITE,&dwIdOld);
WriteProcessMemory(hProc, hookfunc->funcaddr, hookfunc->newdata, 5, 0);
VirtualProtect(hookfunc->funcaddr, 5, dwIdOld, &dwIdOld);
}
void HookOffOne(HOOKSTRUCT *hookfunc)
{
HANDLE hProc;
DWORD dwIdOld = GetCurrentProcessId();
hProc = OpenProcess(PROCESS_ALL_ACCESS, 0, dwIdOld);
VirtualProtect(hookfunc->funcaddr,5, PAGE_READWRITE, &dwIdOld);
WriteProcessMemory(hProc, hookfunc->funcaddr, hookfunc->olddata, 5, 0);
VirtualProtect(hookfunc->funcaddr, 5, dwIdOld, &dwIdOld);
}
//自定义的函数
BOOL WINAPI MyDeleteFileW(LPCTSTR lpFileName)
{
return TRUE;
}//自定义的函数
BOOL WINAPI MyDeleteFileA(LPCTSTR lpFileName)
{
return TRUE;
}
void MyFunc()
{
hookapi("kernel32.dll", "DeleteFileA", (DWORD)MyDeleteFileA, &struct_DeleteFileA);
hookapi("kernel32.dll", "DeleteFileW", (DWORD)MyDeleteFileW, &struct_DeleteFileW);
HookOnOne(&struct_DeleteFileA);
HookOnOne(&struct_DeleteFileW);
}
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved)
{
if(ul_reason_for_call == DLL_PROCESS_ATTACH)
MyFunc(); return TRUE;
}
#include <windows>
#include <stdio.h>typedef struct
{
FARPROC funcaddr;
BYTE olddata[5];
BYTE newdata[5];
}HOOKSTRUCT;
HOOKSTRUCT struct_DeleteFileA;
HOOKSTRUCT struct_DeleteFileW;void HookOnOne(HOOKSTRUCT *hookfunc)
{
HANDLE hProc;
DWORD dwIdOld = GetCurrentProcessId();
hProc = OpenProcess(PROCESS_ALL_ACCESS, 0, dwIdOld);
VirtualProtect(hookfunc->funcaddr, 5, PAGE_READWRITE,&dwIdOld);
WriteProcessMemory(hProc, hookfunc->funcaddr, hookfunc->newdata, 5, 0);
VirtualProtect(hookfunc->funcaddr, 5, dwIdOld, &dwIdOld);
}
void HookOffOne(HOOKSTRUCT *hookfunc)
{
HANDLE hProc;
DWORD dwIdOld = GetCurrentProcessId();
hProc = OpenProcess(PROCESS_ALL_ACCESS, 0, dwIdOld);
VirtualProtect(hookfunc->funcaddr,5, PAGE_READWRITE, &dwIdOld);
WriteProcessMemory(hProc, hookfunc->funcaddr, hookfunc->olddata, 5, 0);
VirtualProtect(hookfunc->funcaddr, 5, dwIdOld, &dwIdOld);
}
//自定义的函数
BOOL WINAPI MyDeleteFileW(LPCTSTR lpFileName)
{
return TRUE;
}//自定义的函数
BOOL WINAPI MyDeleteFileA(LPCTSTR lpFileName)
{
return TRUE;
}
void MyFunc()
{
hookapi("kernel32.dll", "DeleteFileA", (DWORD)MyDeleteFileA, &struct_DeleteFileA);
hookapi("kernel32.dll", "DeleteFileW", (DWORD)MyDeleteFileW, &struct_DeleteFileW);
HookOnOne(&struct_DeleteFileA);
HookOnOne(&struct_DeleteFileW);
}
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved)
{
if(ul_reason_for_call == DLL_PROCESS_ATTACH)
MyFunc(); return TRUE;
}
#include "dllhook1.h"BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
if(!init())
{
MessageBoxA(NULL,"Init","ERROR",MB_OK);
return(FALSE);
}
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
if(bHook)
{ UninstallHook();
break;
}
}
return TRUE;
} LRESULT Hook(int nCode,WPARAM wParam,LPARAM lParam)//空的钩子函数
{
return(CallNextHookEx(g_hHook,nCode,wParam,lParam));
} EXPORT BOOL InstallHook()//输出安装空的钩子函数
{
g_hinstDll=LoadLibrary("dllhook1.dll");
g_hHook=SetWindowsHookEx(WH_GETMESSAGE,(HOOKPROC)Hook,g_hinstDll,0);
if (!g_hHook)
{
MessageBoxA(NULL,"SET ERROR","ERROR",MB_OK);
return(FALSE);
}
return(TRUE);
} EXPORT int UninstallHook()//输出御在钩子函数
{
return(UnhookWindowsHookEx(g_hHook));
} BOOL init()//初始化得到MessageBoxA的地址,并生成Jmp XXX(MyMessageBoxA)的跳转指令
{
hModule=LoadLibrary("user32.dll");
pfMessageBoxA=GetProcAddress(hModule,"MessageBoxA"); if(pfMessageBoxA==NULL)
return FALSE;
_asm
{
lea edi,OldMessageBoxACode
mov esi,pfMessageBoxA
cld
movsd
movsb
}
NewMessageBoxACode[0]=0xe9;//jmp MyMessageBoxA的相对地址的指令
_asm
{
lea eax,MyMessageBoxA
mov ebx,pfMessageBoxA
sub eax,ebx
sub eax,5
mov dword ptr [NewMessageBoxACode+1],eax
}
#include "stdafx.h"
#include "detours.h"
#include "HookApi.h"
#include "ReplaceApi.h"
#include "ddraw.h"
#include "d3d8.h"
#include "d3dx8math.h"//////////////////////////////////////////////////////////////
//替换方法
//静态定义
//DefHookAPI(源API函数名,源API函数类型,源API函数参数) 参数格式:(参数1,参数2...)
//{
// //调用源函数方法:Real_源函数名(参数)
// return 返回值;
//}
//在ReplaceApi函数里添加HookAPI(源API函数名);
//**********************************************************
//动态
//DefHookDApi(源API函数名,源API函数类型,源API函数参数) 参数格式:(参数1,参数2...)
//{
// //调用源函数方法:Real_源函数名(参数)
// return 返回值;
//}
//HookDAPI(源API函数名,源API函数地址)
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//DirectX老版本的 老版本指的是IDirectDraw接口
LPDIRECTDRAW lpDD=NULL;
LPDDSURFACEDESC lpDDSD=NULL;
LPDIRECTDRAWSURFACE lpDDSP=NULL;
LPDIRECTDRAWSURFACE lpDDSB=NULL;
//DirectX新版本的 新版本指的是IDirectDraw7接口
LPDIRECTDRAW7 lpDD7=NULL;
LPDDSURFACEDESC2 lpDDSD7=NULL;
LPDIRECTDRAWSURFACE7 lpDDSP7=NULL;
LPDIRECTDRAWSURFACE7 lpDDSB7=NULL;
//D3D8的
LPDIRECT3D8 lpD3D=NULL;
LPDIRECT3DDEVICE8 lpD3DDevice=NULL; // D3D设备
LPDIRECT3DVERTEXBUFFER8 lpD3DVB=NULL; // 顶点缓冲区//保存的坐标偏移量
FLOAT x=0.0f;
//这是D3D用到的顶点结构
#define D3DFVF_CUSTOMVERTEX (D3DFVF_XYZ|D3DFVF_DIFFUSE)
struct CUSTOMVERTEX
{
FLOAT x, y, z;// 顶点坐标
DWORD color;// 顶点颜色
};
//这个是往HDC写字的函数-老版本 这个函数我也不大明白,从别的的放抄的
HRESULT DrawText(LPDIRECTDRAWSURFACE m_pdds,TCHAR* strText,DWORD dwOriginX,DWORD dwOriginY,
COLORREF crBackground,COLORREF crForeground)
{
HDC hDC = NULL;
HRESULT hr;
HFONT hFont=NULL;
if( m_pdds == NULL || strText == NULL )
return E_INVALIDARG; // Make sure this surface is restored.
if( FAILED( hr = m_pdds->Restore() ) )
return hr; if( FAILED( hr = m_pdds->GetDC( &hDC ) ) )
return hr; // Set the background and foreground color
SetBkColor( hDC, crBackground );
SetTextColor( hDC, crForeground ); if( hFont )
SelectObject( hDC, hFont ); // Use GDI to draw the text on the surface
TextOut( hDC, dwOriginX, dwOriginY, strText, strlen(strText) ); if( FAILED( hr = m_pdds->ReleaseDC( hDC ) ) )
return hr; return S_OK;
}
//这个是往HDC写字的函数-新版本
HRESULT DrawText7(LPDIRECTDRAWSURFACE7 m_pdds,TCHAR* strText,DWORD dwOriginX,DWORD dwOriginY,
COLORREF crBackground,COLORREF crForeground)
{
HDC hDC = NULL;
HRESULT hr;
HFONT hFont=NULL;
if( m_pdds == NULL || strText == NULL )
return E_INVALIDARG; // Make sure this surface is restored.
if( FAILED( hr = m_pdds->Restore() ) )
return hr; if( FAILED( hr = m_pdds->GetDC( &hDC ) ) )
return hr; // Set the background and foreground color
SetBkColor( hDC, crBackground );
SetTextColor( hDC, crForeground ); if( hFont )
SelectObject( hDC, hFont ); // Use GDI to draw the text on the surface
TextOut( hDC, dwOriginX, dwOriginY, strText, strlen(strText) ); if( FAILED( hr = m_pdds->ReleaseDC( hDC ) ) )
return hr; return S_OK;
}
//老版本的BltFast 这个是从离屏页面Copy图片到后台页面的函数
DefHookDApi(BltFast,HRESULT,(DWORD x,DWORD y,LPDIRECTDRAWSURFACE lpdds, LPRECT lprc,DWORD n))
{
//我们直接把东西Copy到离屏页面
DrawText(lpdds,"BltFast",0,0,RGB(0,0,0),RGB(255,255,0));
HRESULT ret=Real_BltFast(x,y,lpdds,lprc,n);
return ret;
}
//老版本的Blt 这个是从后台页面Copy主页面的函数
DefHookDApi(Blt,HRESULT,(GUID FAR *lpGUID,LPRECT lprc,LPDIRECTDRAWSURFACE lpdds,LPRECT lprc1,
DWORD n, LPDDBLTFX n1))
{
//我们直接把东西Copy到后台页面
DrawText(lpdds,"Blt",0,0,RGB(0,0,0),RGB(255,255,0));
HRESULT ret=Real_Blt(lpGUID,lprc,lpdds,lprc1,n,n1);
return ret;
}
//新版本的Blt 这个是从后台页面Copy主页面的函数
DefHookDApi(Blt7,HRESULT,(GUID FAR *lpGUID,LPRECT lprc,LPDIRECTDRAWSURFACE7 lpdds,LPRECT lprc1,
DWORD n, LPDDBLTFX n1))
{
//我们直接把东西Copy到后台页面
DrawText7(lpdds,"Blt",0,0,RGB(0,0,0),RGB(255,255,0));
HRESULT ret=Real_Blt7(lpGUID,lprc,lpdds,lprc1,n,n1);
return ret;
}
//老版本的Flip 这个是把缓存页面的东西Copy到主页面的函数
DefHookDApi(Flip,HRESULT,(GUID FAR*lpGUID,LPDIRECTDRAWSURFACE lpdds, DWORD n))
{
//我们直接把东西Copy到缓存页面
DrawText(lpDDSB,"Flip",0,0,RGB(0,0,0),RGB(255,255,0));
HRESULT ret=Real_Flip(lpGUID,lpdds,n);
return ret;
}
DefHookDApi(Flip7,HRESULT,(GUID FAR *lpGUID,LPDIRECTDRAWSURFACE7 lpdds, DWORD n))
{
//我们直接把东西Copy到后台页面
DrawText7(lpDDSB7,"Flip",0,0,RGB(0,0,0),RGB(255,255,0));
HRESULT ret=Real_Flip7(lpGUID,lpdds,n);
return ret;
}
//老版本的GetAttachedSurface 这个是绑定缓存页面到主页面的函数
DefHookDApi(GetAttachedSurface,HRESULT,(GUID FAR *lpGUID,LPDDSCAPS lpddscap,
LPDIRECTDRAWSURFACE FAR * lpdds))
{
//这里是得到游戏的缓存页面
HRESULT ret=Real_GetAttachedSurface(lpGUID,lpddscap,lpdds);
//保存缓存页面
lpDDSB=*lpdds;
return ret;
}
//新版本的GetAttachedSurface 这个是绑定缓存页面到主页面的函数
DefHookDApi(GetAttachedSurface7,HRESULT,(GUID FAR *lpGUID,LPDDSCAPS2 lpddscap,
LPDIRECTDRAWSURFACE7 FAR * lpdds))
{
//这里是得到游戏的缓存页面
HRESULT ret=Real_GetAttachedSurface7(lpGUID,lpddscap,lpdds);
lpDDSB7=*lpdds;
return ret;
}
//老版本的CreateSurface 这个是创建页面函数
DefHookDApi(CreateSurface,HRESULT,(GUID FAR *lpGUID,LPDDSURFACEDESC lpddsd,
LPDIRECTDRAWSURFACE FAR * lpdds,IUnknown FAR * pUnkOuter))
{
PROC p=NULL;
HRESULT ret=Real_CreateSurface(lpGUID,lpddsd,lpdds,pUnkOuter);
//判断页面是否是主页面
if(lpddsd->ddsCaps.dwCaps&DDSCAPS_PRIMARYSURFACE)
{
//保存主页面
lpDDSP=*lpdds;
//替换BltFast函数
p=*(PROC*)(*((DWORD*)lpDDSP)+0x1c);
HookDApi(BltFast,p);
if(lpddsd->dwFlags&DDSD_BACKBUFFERCOUNT)
{
//替换GetAttachedSurface函数
p=*(PROC*)(*((DWORD*)lpDDSP)+0x30);
HookDApi(GetAttachedSurface,p);
//替换Flip函数
p=*(PROC*)(*((DWORD*)lpDDSP)+0x2c);
HookDApi(Flip,p);
}
//替换Blt函数
p=*(PROC*)(*((DWORD*)lpDDSP)+0x14);
HookDApi(Blt,p);
}
//判断页面是否是离屏页面
if(lpddsd->ddsCaps.dwCaps&DDSCAPS_OFFSCREENPLAIN)
{
}
return ret;
}
//新版本的CreateSurface
DefHookDApi(CreateSurface7,HRESULT,(GUID FAR *lpGUID,LPDDSURFACEDESC2 lpddsd,
LPDIRECTDRAWSURFACE7 FAR * lpdds,IUnknown FAR * pUnkOuter))
{
PROC p=NULL;
HRESULT ret=Real_CreateSurface7(lpGUID,lpddsd,lpdds,pUnkOuter);
if(lpddsd->ddsCaps.dwCaps&DDSCAPS_PRIMARYSURFACE)
{
lpDDSP7=*lpdds;
if(lpddsd->dwFlags&DDSD_BACKBUFFERCOUNT)
{
p=*(PROC*)(*((DWORD*)lpDDSP7)+0x30);
HookDApi(GetAttachedSurface7,p);
p=*(PROC*)(*((DWORD*)lpDDSP7)+0x2c);
HookDApi(Flip7,p);
}
p=*(PROC*)(*((DWORD*)lpDDSP7)+0x14);
HookDApi(Blt7,p);
}
return ret;
}
//老版本DirectDrawCreate 创建DirectDraw函数
DefHookApi(DirectDrawCreate,HRESULT,(GUID FAR *lpGUID,LPDIRECTDRAW FAR *lplpDD,
IUnknown FAR *pUnkOuter))
{
// MessageBox(0,"DirectDrawCreate","",MB_OK);
HRESULT ret=Real_DirectDrawCreate(lpGUID,lplpDD,pUnkOuter);
if(*lplpDD!=NULL)
{
PROC p=NULL;
//保存DirectDraw指针
lpDD=*lplpDD;
//替换创建页面函数
p=*(PROC*)(*((DWORD*)lpDD)+0x18);
HookDApi(CreateSurface,p);
}
return ret;
}
//新版本DirectDrawCreateEx 创建DirectDraw7函数
DefHookApi(DirectDrawCreateEx,HRESULT,(GUID FAR * lpGuid, LPVOID *lplpDD,REFIID iid,
IUnknown FAR *pUnkOuter))
{
MessageBox(0,"DirectDrawCreateEx","",MB_OK);
HRESULT ret=Real_DirectDrawCreateEx(lpGuid,lplpDD,iid,pUnkOuter);
if((*((LPDIRECTDRAW7*)lplpDD))!=NULL)
{
PROC p=NULL;
//保存DirectDraw7指针
lpDD7=(LPDIRECTDRAW7)*lplpDD;
//替换创建页面函数
p=*(PROC*)(*((DWORD*)lpDD7)+0x18);
HookDApi(CreateSurface7,p);
}
return ret;
}//不用看这个函数,他是3d游戏用来刷新的
DefHookDApi(SetTransform,HRESULT,(GUID FAR * lpGuid,D3DTRANSFORMSTATETYPE State,CONST D3DMATRIX* pMatrix))
{
HRESULT ret;
if(State>D3DTS_VIEW)
// if(State>D3DTS_PROJECTION)
{
if(x>1.0f)
x=0.0f;
x=x+0.00001f;
D3DMATRIX m_matProj;
m_matProj._11 = pMatrix->_11+x;
m_matProj._12 = pMatrix->_12+x;
m_matProj._13 = pMatrix->_13+x;
m_matProj._14 = pMatrix->_14;
m_matProj._21 = pMatrix->_21;
m_matProj._22 = pMatrix->_22;
m_matProj._23 = pMatrix->_23;
m_matProj._24 = pMatrix->_24;
m_matProj._31 = pMatrix->_31;
m_matProj._32 = pMatrix->_32;
m_matProj._33 = pMatrix->_33;
m_matProj._34 = pMatrix->_34;
m_matProj._41 = pMatrix->_41;
m_matProj._42 = pMatrix->_42;
m_matProj._43 = pMatrix->_43;
m_matProj._44 = pMatrix->_44;
return Real_SetTransform(lpGuid,State,&m_matProj);
}
ret=Real_SetTransform(lpGuid,State,pMatrix);
return ret;
}BOOL Win=FALSE;
//d3d8的CreateDevice 这个是3d游戏的创建函数
DefHookDApi(CreateDevice,HRESULT,(GUID FAR * lpGuid,UINT Adapter,D3DDEVTYPE DeviceType,
HWND hFocusWindow,DWORD BehaviorFlags,D3DPRESENT_PARAMETERS* pPresentationParameters,
LPDIRECT3DDEVICE8* ppReturnedDeviceInterface))
{
//窗口模式
pPresentationParameters->Windowed = TRUE;
//必须关闭下面两个参数
pPresentationParameters->FullScreen_RefreshRateInHz=0;
pPresentationParameters->FullScreen_PresentationInterval=0;
//这个大家都见多了
if(!Win)
{
Win=TRUE;
LONG style,exstyle;
style= GetWindowLong(hFocusWindow,GWL_STYLE);
style=style | WS_CAPTION ;
SetWindowLong(hFocusWindow,GWL_STYLE,style);//修改窗体的exstyle属性
exstyle=GetWindowLong(hFocusWindow,GWL_EXSTYLE);
exstyle=exstyle | WS_EX_APPWINDOW | WS_EX_WINDOWEDGE ;
SetWindowLong(hFocusWindow,GWL_EXSTYLE,exstyle);//设置窗体的位置,取消其最前端显示,为图简单807,632是我自己随便设的//当然最好是先用AdjustWindowRect函数调整一下大小
SetWindowPos(hFocusWindow,HWND_NOTOPMOST,0,0,800,600,SWP_SHOWWINDOW);
ShowWindow(hFocusWindow,SW_SHOWNORMAL);
}
HRESULT ret=Real_CreateDevice(lpGuid,Adapter,DeviceType,hFocusWindow,BehaviorFlags,
pPresentationParameters,ppReturnedDeviceInterface);
if(*ppReturnedDeviceInterface!=NULL)
{
lpD3DDevice=*ppReturnedDeviceInterface;
PROC p=*(PROC*)(*((DWORD*)lpD3DDevice)+0x94);
HookDApi(SetTransform,p);
}
return ret;
}
//d3d的Direct3DCreate8 这个是创建D3D8函数
DefHookApi(Direct3DCreate8,LPDIRECT3D8,(UINT SDKVersion))
{
if( NULL==(lpD3D=Real_Direct3DCreate8(SDKVersion)))
return lpD3D;
PROC p=NULL;
p=*(PROC*)(*((DWORD*)lpD3D)+0x3c);
HookDApi(CreateDevice,p);
return lpD3D;
}
//锁定鼠标区域
DefHookApi(ClipCursor,BOOL,(RECT *lpRect))
{
// BOOL ret=Real_ClipCursor(lpRect);
return TRUE;
}//设置窗口函数
BOOL SetWindow(HWND hWnd)
{
BOOL ret;
Win=TRUE;
LONG style,exstyle;
style= GetWindowLong(hWnd,GWL_STYLE);
style=style | WS_CAPTION ;
SetWindowLong(hWnd,GWL_STYLE,style);//修改窗体的exstyle属性
exstyle=GetWindowLong(hWnd,GWL_EXSTYLE);
exstyle=exstyle | WS_EX_APPWINDOW | WS_EX_WINDOWEDGE ;
SetWindowLong(hWnd,GWL_EXSTYLE,exstyle);//设置窗体的位置,取消其最前端显示,为图简单807,632是我自己随便设的//当然最好是先用AdjustWindowRect函数调整一下大小
ret=SetWindowPos(hWnd,HWND_NOTOPMOST,0,0,800,600,SWP_SHOWWINDOW);
ShowWindow(hWnd,SW_SHOWNORMAL);
return ret;
}//注入时的替换Api函数
VOID ReplaceApi(VOID)
{
//中断了DirectDrawCreate
HookApi(DirectDrawCreate);
//中断了DirectDrawCreateEx
HookApi(DirectDrawCreateEx);
//中断了Direct3DCreate8
// HookApi(Direct3DCreate8);
//中断了ClipCursor
// HookApi(ClipCursor); //为了解除鼠标限定区域
}
//程序初始化时运行:在未替换api前
VOID InitApp(VOID)
{
}
//程序退出时运行:在恢复api前
VOID ExitApp(VOID)
{
}
/////////////////////////////////////////////////////////////////
怀疑在98下这个能不能成功,好像kernel32.dll,user32.dll,gdi32.dll中的函数在98下用这个方法hook都有问题。
只是不知道WIN98下面还有什么办法能够拦截API呢?更改IAT的方法不是很好. 有的函数拦不了
可以进ring 0,统统改掉。而且有个前提,你的DLL也必须加载到高端内存里去。否则其他进程没有这个DLL的映像,立刻兰屏。
还有我在WIN2003里面拦截SendMessage时,目标进程会发生错误
> 还有我在WIN2003里面拦截SendMessage时,目标进程会发生错误 方法问题吧。Win NT平台下不如用Detours库
//
// 在Ring0状态下修改系统共享的代码
//
#define HookExceptionNo 5void Ring0WriteMemory(void * dst,void *src,int copySize)
{
BYTE IDTR_1[6];
DWORD OldExceptionHook;
__asm
{
JMP __ContinueRing0Proc:PUSHADMOV AX,30h // 定义一个系统级别的数据段选择子 MOV BX,DS // 保存原DS与ES
MOV DX,ESMOV DS,AX // 修改DS与ES
MOV ES,AXREP MOVSB // 插入指令MOV DS,BX // 复原DS与ES
MOV ES,DXPOPADIRETD //返回__Continue:
SIDT FWORD PTR IDTR_1 // 修改中断门
MOV EAX,DWORD PTR IDTR_1+02h
ADD EAX,HookExceptionNo*08h+04h
CLI
MOV ECX,DWORD PTR [EAX] // 保存原异常处理例程入口
MOV CX,WORD PTR [EAX-04h]
MOV OldExceptionHook,ECXLEA EBX,Ring0Proc // 指定新入口
MOV WORD PTR [EAX-04h],BX
SHR EBX,10h
MOV WORD PTR[EAX+02h],BXPUSHAD // 配置参数
MOV EDI,dst
MOV ESI,src
MOV ECX,copySizeINT HookExceptionNo // 激活Ring0代码
POPADMOV ECX,OldExceptionHook // 复原入口
MOV WORD PTR[EAX-04h],CX
SHR ECX,10h
MOV WORD PTR[EAX+02h],CXSTI
}
}
能不能把你的方法共享一下呢?
如何把拦截函数写进内核2GB的空间呢?