[求助]关于API HOOK的问题,在线等~~~~~
我写了一个APIHOOK的DLL,利用远程注入hook Messagebox能成功,但hook sendto或send函数,咋就不成功呢?
高手帮我看看,小弟谢谢了。源代码如下:
//////////////////////////////////////////////////////////
// ULHook.h
#pragma once
// Inline (prologue-patching) hook on one exported API function.
// The constructor resolves the target and installs the hook immediately;
// the destructor removes it if it is still in place.
class CULHook
{
public:
// pszModName: module that exports the function (must already be loaded —
//             the lookup uses GetModuleHandle, never LoadLibrary).
// pszFuncName: exported function name.
// pfnHook: replacement function; must match the target's signature and
//          calling convention exactly.
CULHook(LPCTSTR pszModName,LPCSTR pszFuncName, PROC pfnHook);
~CULHook();
// Write the saved original bytes back over the target.
void UnHook();
// Overwrite the target's first 8 bytes with a jump to m_pfnNewAdrr.
void SetHook();
protected:
LPCTSTR m_pszModName;
LPCSTR m_pszFuncName;
PROC m_pfnOrigAddr; // address of the target API function (NULL if not found)
PROC m_pfnNewAdrr; // address of the replacement (hook) function
DWORD AsmCode[2]; // the 8 original bytes of the target, saved for UnHook
BOOL m_isHook; // TRUE while the patch is believed to be installed
DWORD m_ProcessId; // process whose memory is patched; read from the "INFO" shared-memory block
// Resolve m_pszFuncName in the already-loaded m_pszModName; NULL on failure.
PROC GetOrigAddr();
};
///////////////////////////////////////////
// ULHook.cpp文件
#include "stdafx.h"
#include "ULHook.h"
#include "ShareMemory.h"
#include <stdio.h>
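// Resolves the target export, reads the target process id from the "INFO"
// shared-memory block, and installs the hook right away.
//
// pszModName  module that exports the function (must already be loaded —
//             GetOrigAddr uses GetModuleHandle, never LoadLibrary)
// pszFuncName exported function name
// pfnHook     replacement function; must match the target's signature and
//             calling convention exactly
//
// Fixes vs. the original: the CShareMemory object was allocated with `new`
// and never freed, and its buffer pointer was dereferenced without a null
// check. m_ProcessId is now zero-initialised so a missing block does not
// leave it indeterminate (OpenProcess on pid 0 simply fails).
CULHook::CULHook(LPCTSTR pszModName,LPCSTR pszFuncName, PROC pfnHook)
{
    m_pszModName = pszModName;
    m_pszFuncName = pszFuncName;
    m_isHook = FALSE;
    m_ProcessId = 0;
    m_pfnOrigAddr = GetOrigAddr(); // NULL when the module is not loaded yet
    m_pfnNewAdrr = pfnHook;

    // Scoped object instead of a leaked `new`; the mapping is only needed
    // long enough to copy the process id out of it (assumes CShareMemory
    // releases its mapping in the destructor — TODO confirm).
    CShareMemory sm(TEXT("INFO"), sizeof(DWORD), FALSE);
    LPVOID buf = sm.GetBuffer();
    if (buf)
    {
        memcpy(&m_ProcessId, buf, sizeof(DWORD));
    }

    // SetHook is a no-op when either address is NULL, so a failed lookup
    // above fails silently here.
    SetHook();
}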
// Removes the hook on destruction so the patched bytes do not outlive this
// object; a no-op when the hook was never installed or is already removed.
CULHook::~CULHook()
{
    if (!m_isHook)
    {
        return;
    }
    UnHook();
}
// Looks up the target export in a module that is already loaded.
// Returns NULL when the module is not present in this process
// (GetModuleHandle does not load it) or when the export is not found.
PROC CULHook::GetOrigAddr()
{
    HMODULE hModule = GetModuleHandle(m_pszModName);
    if (!hModule)
    {
        return NULL;
    }
    // Debug probe left in by the author. Because the hook objects are
    // globals, this presumably runs during DLL load (loader lock held),
    // where showing a modal dialog is not advisable.
    ::MessageBox(NULL,TEXT("测试"),TEXT("信息"),NULL);
    return GetProcAddress(hModule, m_pszFuncName);
}
// Overwrites the first 8 bytes of the target function with a jump to
// m_pfnNewAdrr, saving the original bytes in AsmCode for UnHook.
// No-op when either address is NULL or the hook is already installed.
// Every Win32 return value is ignored, so a failed patch is never reported.
void CULHook::SetHook()
{
// Patch the first 8 bytes of the target so it jumps to our function.
if(m_pfnOrigAddr && m_pfnNewAdrr && !m_isHook)
{
// Build the trampoline: 32-bit x86 only — B8 imm32 = "mov eax, addr",
// FF E0 = "jmp eax"; the 8th byte is padding so the write covers exactly
// the 8 bytes that are saved in AsmCode.
BYTE btNewBytes[8]={0x0B8, 0x0, 0x0, 0x40, 0x0, 0x0FF, 0x0E0, 0 }; // mov eax,addr jmp eax
*(DWORD *)(btNewBytes + 1) = (DWORD)m_pfnNewAdrr;
// Query the target page; only mbi.Protect is used below.
MEMORY_BASIC_INFORMATION mbi;
::VirtualQuery(m_pfnOrigAddr, &mbi, sizeof(mbi) );
// NOTE(review): this changes the protection of AsmCode (a member of this
// object), not of the target function, so it has no effect on the patch.
DWORD dwOldProtect;
::VirtualProtect(AsmCode, sizeof(DWORD)*2, PAGE_READWRITE, &dwOldProtect);
// Save the original bytes, then write the trampoline over them.
// m_pfnOrigAddr was resolved in *this* process, so the write is only
// meaningful when m_ProcessId names this process (or one where the module
// is mapped at the same base).
// NOTE(review): PROCESS_ALL_ACCESS is far more than needed; the three
// calls below only require PROCESS_VM_READ | PROCESS_VM_WRITE |
// PROCESS_VM_OPERATION (least privilege).
SIZE_T dwSize;
HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, m_ProcessId);
if(hProcess)
{
::ReadProcessMemory(hProcess, (void *)m_pfnOrigAddr,AsmCode, sizeof(AsmCode), &dwSize);
// Overwrite the prologue.
::WriteProcessMemory(hProcess,(void *)m_pfnOrigAddr,btNewBytes,sizeof(btNewBytes), &dwSize);
CloseHandle(hProcess);
}
// NOTE(review): passing NULL for lpflOldProtect makes VirtualProtect fail
// (the parameter is required); the target's protection was never changed
// above anyway, so nothing is actually "restored" here.
::VirtualProtect(m_pfnOrigAddr, sizeof(DWORD)*2, mbi.Protect, 0);
// NOTE(review): set even when OpenProcess failed, in which case AsmCode
// still holds uninitialised data and a later UnHook would write it back.
m_isHook=TRUE;
}
return;
}
// Writes the saved original bytes (AsmCode) back over the target function.
// No-op when the hook is not installed. Caveats: VirtualProtect is applied
// to AsmCode rather than to the target, the final VirtualProtect passes NULL
// for lpflOldProtect (which makes it fail), and no return value is checked.
void CULHook::UnHook()
{
if(m_pfnOrigAddr && m_isHook)
{
// Query the target page; only mbi.Protect is used below.
MEMORY_BASIC_INFORMATION mbi;
::VirtualQuery(m_pfnOrigAddr, &mbi, sizeof(mbi) );
// NOTE(review): protects this object's AsmCode, not the target function.
DWORD dwOldProtect;
::VirtualProtect(AsmCode, sizeof(DWORD)*2, PAGE_READWRITE, &dwOldProtect);
// Restore the original prologue in the target process.
SIZE_T dwSize;
HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, m_ProcessId);
if(hProcess)
{
::WriteProcessMemory(hProcess,(void *)m_pfnOrigAddr,AsmCode,sizeof(AsmCode), &dwSize);
CloseHandle(hProcess);
}
// NOTE(review): NULL lpflOldProtect — this call fails; the target's
// protection was never changed in the first place.
::VirtualProtect(m_pfnOrigAddr, sizeof(DWORD)*2, mbi.Protect, 0);
// NOTE(review): cleared even if OpenProcess or the write failed, so the
// patch can remain in place while the object believes it has been removed.
m_isHook=FALSE;
}
return;
}
// injert.cpp : 定义 DLL 应用程序的入口点。
#include "stdafx.h"
#include "injert.h"
#include "ULHook.h"
#include <stdio.h>
#pragma comment(lib, "WS2_32")
#ifdef _MANAGED
#pragma managed(push, off)
#endif
//// 共享数据区
//#pragma data_seg(TEXT(".MyData")
//BOOL g_Hook = FALSE;
//#pragma data_seg()
//
//#pragma comment(linker,"/section:.MyData,RWS");
//CULHook g_send(TEXT("Ws2_32.dll"),"send", (PROC)hook_send);
// Global hook object: its constructor — and therefore the patch of sendto —
// presumably runs during DLL load, before DllMain is entered. GetOrigAddr
// only uses GetModuleHandle, so if Ws2_32.dll is not yet loaded in the host
// process at that moment the lookup returns NULL and SetHook silently does
// nothing; nothing in this file logs that failure.
CULHook g_sendto(TEXT("Ws2_32.dll"), "sendto", (PROC)hook_sendto);
//CULHook g_Msg(TEXT("user32.dll"),"MessageBoxW", (PROC)MyMessageBox);
// DLL entry point. Only DLL_PROCESS_ATTACH does any work (Initialize());
// thread attach/detach and process detach are ignored. Always returns TRUE.
// Note that the global hook objects in this file are constructed before this
// function runs, so the patch is already in place by the time we get here.
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        // Runs under the loader lock; keep the work here minimal.
        Initialize();
    }
    return TRUE;
}
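// Creates (or truncates) the log file that hook_sendto later writes to, so a
// fresh run starts from an empty file. Failures are ignored on purpose: the
// hook reopens the file itself with fopen_s and checks that result.
//
// Fix vs. the original: CloseHandle() was called even when CreateFile()
// failed and returned INVALID_HANDLE_VALUE.
void Initialize()
{
    HANDLE hFile = CreateFile(TEXT("D://HookData.txt"), // file to create (forward slashes are accepted by Win32)
        GENERIC_WRITE,          // open for writing
        0,                      // do not share
        NULL,                   // default security
        CREATE_ALWAYS,          // create, truncating if it exists
        FILE_ATTRIBUTE_NORMAL | // normal file
        FILE_FLAG_OVERLAPPED,   // asynchronous I/O (irrelevant here: nothing is written)
        NULL);                  // no attr. template
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
    }
}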
//int WINAPI hook_send(SOCKET s, const char FAR *buf, int len, int flags)
//{
// //记录数据或者修改参数
//
// //对文件进行写操作
// FILE *fp;
// errno_t err;
//
// char a[]="aasdsdf";
// err= fopen_s( &fp, "D:\\HookData.txt", "w");
// if(0==err)
// {
// fprintf(fp,"%s\n",a);
// }
// fclose(fp);
//
// //调用原函数
// g_send.UnHook();
// int nRet=::send(s,buf,len,flags);
// g_send.SetHook();
// return nRet;
//}
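// Replacement for Winsock's sendto: writes a fixed marker string to
// D:\HookData.txt, then forwards the call to the real sendto with the hook
// temporarily removed. Parameters and return value are exactly those of
// sendto.
//
// Fix vs. the original: fclose(fp) was reached even when fopen_s failed,
// in which case fp is NULL and fclose dereferences it.
//
// Limitations deliberately left as the author wrote them:
// - the file is opened with "w" on every call, so it only ever holds the
//   last entry;
// - the UnHook()/SetHook() window is not synchronised, so behaviour with
//   concurrent senders on other threads is undefined;
// - the MessageBox blocks the calling thread inside a network call.
int WINAPI hook_sendto(SOCKET s, const char* buf,int len, int flags, const struct sockaddr* to, int tolen)
{
    ::MessageBox(NULL,TEXT("测试"),TEXT("信息"),NULL);

    // Log a marker line; the data itself is not inspected.
    FILE *fp = NULL;
    char a[] = "aasdsdf";
    errno_t err = fopen_s( &fp, "D:\\HookData.txt", "w");
    if (0 == err && fp)
    {
        fprintf(fp,"%s\n",a);
        fclose(fp);
    }

    // Call through to the real function, then re-install the hook.
    g_sendto.UnHook();
    int nRet = ::sendto(s, buf, len, flags, to, tolen);
    g_sendto.SetHook();
    return nRet;
}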
//int WINAPI MyMessageBox(HWND hWnd,
// LPCTSTR lpText,
// LPCTSTR lpCaption,
// UINT uType)
//{
//
// g_Msg.UnHook();
// int nRet=::MessageBoxW(hWnd,lpText,TEXT("APIHOOK"),uType);
// g_Msg.SetHook();
//
// return nRet;
//}
#ifdef _MANAGED
#pragma managed(pop)
#endif