采用 hook 技术对 WriteFile 函数进行拦截
阅读量:6250 次
发布时间:2019-06-22


DLL部分:

#include 
#include
#include
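#pragma comment(lib, "ImageHlp")

// `hhk` is placed in a section that is shared between every process this
// DLL is mapped into, so SetHook/UnHook observe the same hook handle no
// matter which process calls them. It must be initialised for the linker to
// put it in the named section.
#pragma data_seg("Shared")
HHOOK hhk = NULL;
#pragma data_seg()
#pragma comment(linker, "/Section:Shared,rws")

// Module handle of this DLL, recorded in DllMain; ModifyIATs skips it so the
// DLL never patches its own import table.
HMODULE hmodThisDll;

#define MyName "DLL.DLL"

// WH_GETMESSAGE hook procedure. It performs no work itself: the hook exists
// only so the system maps this DLL into other GUI processes, where DllMain
// does the IAT patching. Always forwards to the next hook in the chain.
LRESULT CALLBACK GetMsgProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    return CallNextHookEx(hhk, nCode, wParam, lParam);
}

// Replacement for kernel32!WriteFile, written into the importers' IATs.
// Shows a message box and then forwards every argument unchanged, so the
// return value, *lpNumberOfBytesWritten and GetLastError() are exactly what
// the real WriteFile produced.
//
// WINAPI (stdcall) is required: WriteFile is stdcall, and with the compiler's
// default /Gd (cdecl) the original declaration would leave the stack
// unbalanced after every hooked call on x86.
// NOTE(review): MessageBoxA blocks the calling thread and pumps messages, so
// every WriteFile in a hooked GUI process stalls until the box is dismissed.
BOOL WINAPI MyWriteFile(
    HANDLE hFile,                    // file handle
    LPCVOID lpBuffer,                // data to write
    DWORD nNumberOfBytesToWrite,     // number of bytes to write
    LPDWORD lpNumberOfBytesWritten,  // receives the number of bytes written
    LPOVERLAPPED lpOverlapped)       // OVERLAPPED pointer
{
    MessageBoxA(NULL, "HOOK", "DLL", MB_OK);
    return WriteFile(hFile, lpBuffer, nNumberOfBytesToWrite,
                     lpNumberOfBytesWritten, lpOverlapped);
}

// Patch one module's import address table: in hmodCaller's import descriptor
// for szDllName, replace the first thunk whose current target is pfnOrg with
// pfnNew. Modules without an import table, or that do not import szDllName,
// are left untouched. szDllName is compared case-insensitively.
VOID ModifyIAT(HMODULE hmodCaller, LPCSTR szDllName, PROC pfnOrg, PROC pfnNew)
{
    // A NULL module (e.g. a failed LoadLibrary in MyLoadLibraryA) or an
    // unresolved original has nothing to patch.
    if (!hmodCaller || !pfnOrg || !pfnNew || pfnOrg == pfnNew)
        return;

    ULONG ulSize = 0;
    PIMAGE_IMPORT_DESCRIPTOR pIID = (PIMAGE_IMPORT_DESCRIPTOR)
        ImageDirectoryEntryToData(hmodCaller, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize);
    if (!pIID)
        return;

    // Find the descriptor of the DLL whose imports are to be redirected.
    for (; pIID->Name; pIID++) {
        LPCSTR szImportName = (LPCSTR)((PBYTE)hmodCaller + pIID->Name);
        if (!lstrcmpiA(szDllName, szImportName))
            break;
    }
    if (!pIID->Name)
        return;

    // Walk the bound IAT. WriteProcessMemory is used rather than a plain
    // store because the IAT page is normally not writable; it takes care of
    // the protection change.
    PIMAGE_THUNK_DATA pITD = (PIMAGE_THUNK_DATA)((PBYTE)hmodCaller + pIID->FirstThunk);
    for (; pITD->u1.Function; pITD++) {
        PROC *ppfn = (PROC *)&pITD->u1.Function;
        if (*ppfn == pfnOrg) {
            WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew, sizeof(pfnNew), NULL);
            return;
        }
    }
}

// Apply ModifyIAT to every module currently loaded in this process, except
// this DLL itself. Silently does nothing if the module snapshot fails.
// NOTE(review): this runs under the loader lock when called from DllMain;
// the tool-help functions are not documented as safe there — confirm.
VOID ModifyIATs(LPCSTR szDllName, PROC pfnOrg, PROC pfnNew)
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId());
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return;  // the original passed the invalid handle on to Module32First

    MODULEENTRY32 me32;
    me32.dwSize = sizeof(me32);
    for (BOOL fOk = Module32First(hSnapshot, &me32); fOk; fOk = Module32Next(hSnapshot, &me32)) {
        if (me32.hModule != hmodThisDll)
            ModifyIAT(me32.hModule, szDllName, pfnOrg, pfnNew);
    }
    CloseHandle(hSnapshot);
}

// Replacement for GetProcAddress so that code resolving WriteFile at run time
// (instead of through its IAT) also receives the hook. Everything else is
// forwarded to the real GetProcAddress.
FARPROC WINAPI MyGetProcAddress(HMODULE hModule, LPCSTR lpProcName)
{
    // lpProcName may be an ordinal (MAKEINTRESOURCE, high word zero); only a
    // real string may be handed to lstrcmpiA.
    if (hModule == GetModuleHandleA("KERNEL32.DLL") &&
        HIWORD((ULONG_PTR)lpProcName) != 0 &&
        !lstrcmpiA(lpProcName, "WriteFile"))
        return (FARPROC)MyWriteFile;
    return GetProcAddress(hModule, lpProcName);
}

// Replacement for LoadLibraryA: after a successful load the new module's IAT
// is patched as well, so DLLs loaded later than this hook are covered too.
// On failure the module is not touched and LoadLibraryA's last-error value
// is preserved for the caller.
HMODULE WINAPI MyLoadLibraryA(LPCSTR lpLibFileName)
{
    HMODULE hmod = LoadLibraryA(lpLibFileName);
    if (hmod) {
        HMODULE hKernel32 = GetModuleHandleA("KERNEL32.DLL");
        ModifyIAT(hmod, "KERNEL32.DLL", GetProcAddress(hKernel32, "WriteFile"), (PROC)MyWriteFile);
        ModifyIAT(hmod, "KERNEL32.DLL", GetProcAddress(hKernel32, "GetProcAddress"), (PROC)MyGetProcAddress);
    }
    return hmod;
}

// Exported: install the system-wide WH_GETMESSAGE hook (no-op if it is
// already installed, which the shared `hhk` makes visible across processes).
// NOTE(review): after the FreeLibrary below only the caller's own reference
// keeps this DLL mapped in the calling process; `hhk` survives only while
// some process still maps the shared section — confirm this is intended.
extern "C" __declspec(dllexport) VOID SetHook()
{
    if (hhk)
        return;
    HINSTANCE hInst = LoadLibraryA(MyName);
    if (!hInst)
        return;
    hhk = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc, hInst, 0);
    FreeLibrary(hInst);  // balance the LoadLibrary above
}

// Exported: remove the hook. `hhk` is reset so a second UnHook does not
// unhook a stale handle and a later SetHook can reinstall.
extern "C" __declspec(dllexport) VOID UnHook()
{
    if (hhk) {
        UnhookWindowsHookEx(hhk);
        hhk = NULL;
    }
}

// On attach, redirect WriteFile, LoadLibraryA and GetProcAddress in every
// other module's IAT; on detach, put the originals back.
BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpvReserved)
{
    hmodThisDll = hInstance;

    // This DLL's own IAT is never patched, so these resolve the real exports.
    HMODULE hKernel32 = GetModuleHandleA("KERNEL32.DLL");
    PROC pfnWriteFile = GetProcAddress(hKernel32, "WriteFile");
    PROC pfnLoadLibraryA = GetProcAddress(hKernel32, "LoadLibraryA");
    PROC pfnGetProcAddress = GetProcAddress(hKernel32, "GetProcAddress");

    switch (dwReason) {
    case DLL_PROCESS_ATTACH:
        ModifyIATs("KERNEL32.DLL", pfnWriteFile, (PROC)MyWriteFile);
        ModifyIATs("KERNEL32.DLL", pfnLoadLibraryA, (PROC)MyLoadLibraryA);
        ModifyIATs("KERNEL32.DLL", pfnGetProcAddress, (PROC)MyGetProcAddress);
        break;
    case DLL_PROCESS_DETACH:
        // lpvReserved is non-NULL when the process is terminating; other
        // modules may already be gone, and there is nothing left to restore.
        if (lpvReserved != NULL)
            break;
        // WriteFile is imported from KERNEL32, so its descriptor must be
        // looked up there: the original "USER32.DLL" lookup found no
        // descriptor and left the WriteFile hook in place after unload.
        ModifyIATs("KERNEL32.DLL", (PROC)MyWriteFile, pfnWriteFile);
        ModifyIATs("KERNEL32.DLL", (PROC)MyLoadLibraryA, pfnLoadLibraryA);
        ModifyIATs("KERNEL32.DLL", (PROC)MyGetProcAddress, pfnGetProcAddress);
        break;
    default:
        break;
    }
    return TRUE;
}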

Main部分:

#include 
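#define DLLNAME "DLL.DLL"

// Signatures of the two exports of DLL.DLL (SetHook / UnHook take no
// arguments and return nothing). Typed pointers replace the bare PROC the
// original used, so the calls are checked by the compiler.
typedef VOID (*PFN_SETHOOK)(void);
typedef VOID (*PFN_UNHOOK)(void);

LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);

// Creates a small window whose WM_CREATE / WM_DESTROY handlers install and
// remove the hook, then runs the message loop. Returns the WM_QUIT exit code.
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR szCmdLine, int iCmdShow)
{
    static TCHAR szAppName[] = TEXT("HOOKAPI");

    WNDCLASS wndclass;
    wndclass.style = CS_HREDRAW | CS_VREDRAW;
    wndclass.lpfnWndProc = WndProc;
    wndclass.cbClsExtra = 0;
    wndclass.cbWndExtra = 0;
    wndclass.hInstance = hInstance;
    wndclass.hIcon = LoadIcon(NULL, IDI_APPLICATION);
    wndclass.hCursor = LoadCursor(NULL, IDC_ARROW);
    wndclass.hbrBackground = (HBRUSH)GetStockObject(WHITE_BRUSH);
    wndclass.lpszMenuName = NULL;
    wndclass.lpszClassName = szAppName;
    if (!RegisterClass(&wndclass)) {
        MessageBox(NULL, TEXT("DDFD"), TEXT("DDDFAS"), MB_OK);
        return 0;
    }

    HWND hwnd = CreateWindow(szAppName,           // window class name
                             TEXT("HOOKAPI"),     // window caption
                             WS_OVERLAPPEDWINDOW, // window style
                             462,                 // initial x position
                             353,                 // initial y position
                             100,                 // initial x size
                             62,                  // initial y size
                             NULL,                // parent window handle
                             NULL,                // window menu handle
                             hInstance,           // program instance handle
                             NULL);               // creation parameters
    if (hwnd) {
        ShowWindow(hwnd, iCmdShow);
        UpdateWindow(hwnd);
    }

    // GetMessage returns -1 on error; the original loop treated that as a
    // message and would spin forever on an invalid window handle.
    MSG msg = { 0 };
    BOOL bRet;
    while ((bRet = GetMessage(&msg, NULL, 0, 0)) != 0) {
        if (bRet == -1)
            break;
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }
    return (int)msg.wParam;
}

// WM_CREATE loads DLL.DLL and calls SetHook; WM_DESTROY loads it again and
// calls UnHook before quitting. Every LoadLibrary is balanced by FreeLibrary
// (the original leaked the WM_DESTROY reference and the failed-lookup path).
LRESULT CALLBACK WndProc(HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    switch (message) {
    case WM_CREATE: {
        HINSTANCE hInst = LoadLibraryA(DLLNAME);
        if (!hInst) {
            MessageBox(NULL, TEXT("Can not load dll!"), TEXT("HOOKAPI"), MB_ICONHAND);
            // Returning -1 from WM_CREATE makes CreateWindow fail and destroy
            // the window itself (WM_DESTROY below then posts WM_QUIT); the
            // original called DestroyWindow by hand and then used the
            // destroyed hwnd as the message box owner.
            return -1;
        }
        PFN_SETHOOK pfnSetHook = (PFN_SETHOOK)GetProcAddress(hInst, "SetHook");
        if (!pfnSetHook) {
            FreeLibrary(hInst);
            MessageBox(NULL, TEXT("Can not find function!"), TEXT("HOOKAPI"), MB_ICONHAND);
            return -1;
        }
        // Install the hook: the DLL is then mapped into every GUI process.
        pfnSetHook();
        FreeLibrary(hInst);
        return 0;
    }
    case WM_DESTROY: {
        HINSTANCE hInst = LoadLibraryA(DLLNAME);
        if (!hInst) {
            MessageBox(hwnd, TEXT("Can not load dll!"), TEXT("HOOKAPI"), MB_ICONHAND);
            PostQuitMessage(0);
            return 0;
        }
        PFN_UNHOOK pfnUnHook = (PFN_UNHOOK)GetProcAddress(hInst, "UnHook");
        if (!pfnUnHook) {
            FreeLibrary(hInst);
            MessageBox(hwnd, TEXT("Can not find function!"), TEXT("HOOKAPI"), MB_ICONHAND);
            PostQuitMessage(0);
            return 0;
        }
        // Remove the hook before the process exits.
        pfnUnHook();
        FreeLibrary(hInst);
        PostQuitMessage(0);
        return 0;
    }
    default:
        break;
    }
    return DefWindowProc(hwnd, message, wParam, lParam);
}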

能够获取路径名的DLL

#include 
#include
#include
#include
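#pragma comment(lib, "ImageHlp")

// `hhk` is placed in a section shared between every process this DLL is
// mapped into, so SetHook/UnHook observe the same hook handle from any
// process. It must be initialised for the linker to put it in the section.
#pragma data_seg("Shared")
HHOOK hhk = NULL;
#pragma data_seg()
#pragma comment(linker, "/Section:Shared,rws")

// Module handle of this DLL; ModifyIATs skips it so the DLL never patches
// its own import table.
HMODULE hmodThisDll;

#define MyName "DLL.DLL"

// Minimal NT definitions needed for ZwQueryInformationFile. `Information`
// is pointer-sized in the real IO_STATUS_BLOCK; the original LONG matched
// only 32-bit builds.
typedef struct _IO_STATUS_BLOCK {
    LONG Status;
    ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef struct _FILE_NAME_INFORMATION {
    ULONG FileNameLength;     // length of FileName in BYTES, not characters
    WCHAR FileName[MAX_PATH]; // volume-relative name, not NUL-terminated
} FILE_NAME_INFORMATION;

// FILE_INFORMATION_CLASS value FileNameInformation (the literal 9 the
// original pushed in inline assembly).
#define FileNameInformationClass 9

// ntdll!ZwQueryInformationFile(FileHandle, IoStatusBlock, FileInformation,
// Length, FileInformationClass). A typed pointer replaces the x86-only __asm
// call sequence so the same code builds for x64.
typedef LONG (NTAPI *PFN_ZwQueryInformationFile)(HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG, ULONG);
PFN_ZwQueryInformationFile ZwQueryInformationFile;

// Resolve the full path ("X:\dir\file") of an open file handle by matching
// its volume serial number against the logical drives and then asking the
// kernel for the volume-relative name.
//
// Returns TRUE and fills szFullPath on success. Returns FALSE when the handle
// is not a file (directories, pipes, consoles), no drive matches, the query
// fails, or the result does not fit in cbFullPath bytes. cbFullPath defaults
// to MAX_PATH, which is what the existing caller passes.
BOOL GetVolumeNameByHandle(HANDLE hFile, char *szFullPath, size_t cbFullPath = MAX_PATH)
{
    if (!szFullPath || cbFullPath == 0)
        return FALSE;

    // Volume serial number of the file; directory handles are rejected.
    BY_HANDLE_FILE_INFORMATION fileInfo;
    if (!GetFileInformationByHandle(hFile, &fileInfo) ||
        (fileInfo.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY))
        return FALSE;

    // Drive roots ("A:\", "C:\", ...): each entry is 4 bytes including NUL.
    char szDrives[500] = { 0 };
    if (!GetLogicalDriveStringsA(sizeof(szDrives) - 1, szDrives))
        return FALSE;

    HMODULE hNt = LoadLibraryA("ntdll.dll");
    if (!hNt)
        return FALSE;

    BOOL fFound = FALSE;
    ZwQueryInformationFile = (PFN_ZwQueryInformationFile)GetProcAddress(hNt, "ZwQueryInformationFile");
    if (ZwQueryInformationFile) {
        for (const char *szDrive = szDrives; *szDrive && !fFound; szDrive += 4) {
            // Skip floppy drives: rarely present and very slow to query.
            if (!_stricmp(szDrive, "A:\\") || !_stricmp(szDrive, "B:\\"))
                continue;

            DWORD dwSerial = 0;
            if (!GetVolumeInformationA(szDrive, NULL, 0, &dwSerial, NULL, NULL, NULL, 0))
                continue;
            if (dwSerial != fileInfo.dwVolumeSerialNumber)
                continue;

            // Matching volume: query the volume-relative file name.
            IO_STATUS_BLOCK isb;
            FILE_NAME_INFORMATION fni;
            LONG status = ZwQueryInformationFile(hFile, &isb, &fni, sizeof(fni), FileNameInformationClass);
            if (status != 0)
                break;  // query failed (includes names too long for fni)

            // FileNameLength is in bytes; the buffer holds MAX_PATH WCHARs and
            // one slot is needed for the terminator. The original wrote the
            // terminator at FileNameLength/2 without this bound.
            ULONG cchName = fni.FileNameLength / sizeof(WCHAR);
            if (cchName >= MAX_PATH)
                break;
            fni.FileName[cchName] = L'\0';

            char szFilePath[MAX_PATH + 1] = { 0 };
            if (!WideCharToMultiByte(CP_ACP, 0, fni.FileName, -1, szFilePath,
                                     sizeof(szFilePath) - 1, NULL, NULL))
                break;

            // "C:" — the drive root without its trailing backslash, because
            // the NT name already starts with "\".
            char szVolume[4] = { 0 };
            lstrcpynA(szVolume, szDrive, sizeof(szVolume));
            size_t cchVolume = strlen(szVolume);
            if (cchVolume > 0)
                szVolume[cchVolume - 1] = '\0';

            // Bounded concatenation: the original sprintf into the caller's
            // MAX_PATH buffer could overflow for long paths.
            if (strlen(szVolume) + strlen(szFilePath) >= cbFullPath)
                break;
            strcpy(szFullPath, szVolume);
            strcat(szFullPath, szFilePath);
            fFound = TRUE;
        }
    }
    FreeLibrary(hNt);  // the original returned TRUE without releasing this
    return fFound;
}

// WH_GETMESSAGE hook procedure. It performs no work itself: the hook exists
// only so the system maps this DLL into other GUI processes, where DllMain
// does the IAT patching. Always forwards to the next hook in the chain.
LRESULT CALLBACK GetMsgProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    return CallNextHookEx(hhk, nCode, wParam, lParam);
}

// Replacement for kernel32!WriteFile, written into the importers' IATs.
// Shows the resolved path of hFile (or "HOOK" if it cannot be resolved) and
// then forwards every argument unchanged, so the return value,
// *lpNumberOfBytesWritten and GetLastError() are those of the real WriteFile.
//
// WINAPI (stdcall) is required: WriteFile is stdcall, and with the compiler's
// default /Gd (cdecl) the original declaration would leave the stack
// unbalanced after every hooked call on x86.
// NOTE(review): MessageBoxA blocks the calling thread and pumps messages, so
// every WriteFile in a hooked GUI process stalls until the box is dismissed.
BOOL WINAPI MyWriteFile(
    HANDLE hFile,                    // file handle
    LPCVOID lpBuffer,                // data to write
    DWORD nNumberOfBytesToWrite,     // number of bytes to write
    LPDWORD lpNumberOfBytesWritten,  // receives the number of bytes written
    LPOVERLAPPED lpOverlapped)       // OVERLAPPED pointer
{
    char szFullPath[MAX_PATH] = { 0 };
    if (GetVolumeNameByHandle(hFile, szFullPath, sizeof(szFullPath)))
        MessageBoxA(NULL, szFullPath, "DLL", MB_OK);
    else
        MessageBoxA(NULL, "HOOK", "DLL", MB_OK);
    return WriteFile(hFile, lpBuffer, nNumberOfBytesToWrite,
                     lpNumberOfBytesWritten, lpOverlapped);
}

// Patch one module's import address table: in hmodCaller's import descriptor
// for szDllName, replace the first thunk whose current target is pfnOrg with
// pfnNew. Modules without an import table, or that do not import szDllName,
// are left untouched. szDllName is compared case-insensitively.
VOID ModifyIAT(HMODULE hmodCaller, LPCSTR szDllName, PROC pfnOrg, PROC pfnNew)
{
    // A NULL module (e.g. a failed LoadLibrary in MyLoadLibraryA) or an
    // unresolved original has nothing to patch.
    if (!hmodCaller || !pfnOrg || !pfnNew || pfnOrg == pfnNew)
        return;

    ULONG ulSize = 0;
    PIMAGE_IMPORT_DESCRIPTOR pIID = (PIMAGE_IMPORT_DESCRIPTOR)
        ImageDirectoryEntryToData(hmodCaller, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize);
    if (!pIID)
        return;

    // Find the descriptor of the DLL whose imports are to be redirected.
    for (; pIID->Name; pIID++) {
        LPCSTR szImportName = (LPCSTR)((PBYTE)hmodCaller + pIID->Name);
        if (!lstrcmpiA(szDllName, szImportName))
            break;
    }
    if (!pIID->Name)
        return;

    // Walk the bound IAT. WriteProcessMemory is used rather than a plain
    // store because the IAT page is normally not writable; it takes care of
    // the protection change.
    PIMAGE_THUNK_DATA pITD = (PIMAGE_THUNK_DATA)((PBYTE)hmodCaller + pIID->FirstThunk);
    for (; pITD->u1.Function; pITD++) {
        PROC *ppfn = (PROC *)&pITD->u1.Function;
        if (*ppfn == pfnOrg) {
            WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew, sizeof(pfnNew), NULL);
            return;
        }
    }
}

// Apply ModifyIAT to every module currently loaded in this process, except
// this DLL itself. Silently does nothing if the module snapshot fails.
// NOTE(review): this runs under the loader lock when called from DllMain;
// the tool-help functions are not documented as safe there — confirm.
VOID ModifyIATs(LPCSTR szDllName, PROC pfnOrg, PROC pfnNew)
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId());
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return;  // the original passed the invalid handle on to Module32First

    MODULEENTRY32 me32;
    me32.dwSize = sizeof(me32);
    for (BOOL fOk = Module32First(hSnapshot, &me32); fOk; fOk = Module32Next(hSnapshot, &me32)) {
        if (me32.hModule != hmodThisDll)
            ModifyIAT(me32.hModule, szDllName, pfnOrg, pfnNew);
    }
    CloseHandle(hSnapshot);
}

// Replacement for GetProcAddress so that code resolving WriteFile at run time
// (instead of through its IAT) also receives the hook. Everything else is
// forwarded to the real GetProcAddress.
FARPROC WINAPI MyGetProcAddress(HMODULE hModule, LPCSTR lpProcName)
{
    // lpProcName may be an ordinal (MAKEINTRESOURCE, high word zero); only a
    // real string may be handed to lstrcmpiA.
    if (hModule == GetModuleHandleA("KERNEL32.DLL") &&
        HIWORD((ULONG_PTR)lpProcName) != 0 &&
        !lstrcmpiA(lpProcName, "WriteFile"))
        return (FARPROC)MyWriteFile;
    return GetProcAddress(hModule, lpProcName);
}

// Replacement for LoadLibraryA: after a successful load the new module's IAT
// is patched as well, so DLLs loaded later than this hook are covered too.
// On failure the module is not touched and LoadLibraryA's last-error value
// is preserved for the caller.
HMODULE WINAPI MyLoadLibraryA(LPCSTR lpLibFileName)
{
    HMODULE hmod = LoadLibraryA(lpLibFileName);
    if (hmod) {
        HMODULE hKernel32 = GetModuleHandleA("KERNEL32.DLL");
        ModifyIAT(hmod, "KERNEL32.DLL", GetProcAddress(hKernel32, "WriteFile"), (PROC)MyWriteFile);
        ModifyIAT(hmod, "KERNEL32.DLL", GetProcAddress(hKernel32, "GetProcAddress"), (PROC)MyGetProcAddress);
    }
    return hmod;
}

// Exported: install the system-wide WH_GETMESSAGE hook (no-op if it is
// already installed, which the shared `hhk` makes visible across processes).
// NOTE(review): after the FreeLibrary below only the caller's own reference
// keeps this DLL mapped in the calling process; `hhk` survives only while
// some process still maps the shared section — confirm this is intended.
extern "C" __declspec(dllexport) VOID SetHook()
{
    if (hhk)
        return;
    HINSTANCE hInst = LoadLibraryA(MyName);
    if (!hInst)
        return;
    hhk = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc, hInst, 0);
    FreeLibrary(hInst);  // balance the LoadLibrary above
}

// Exported: remove the hook. `hhk` is reset so a second UnHook does not
// unhook a stale handle and a later SetHook can reinstall.
extern "C" __declspec(dllexport) VOID UnHook()
{
    if (hhk) {
        UnhookWindowsHookEx(hhk);
        hhk = NULL;
    }
}

// On attach, redirect WriteFile, LoadLibraryA and GetProcAddress in every
// other module's IAT; on detach, put the originals back.
BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpvReserved)
{
    hmodThisDll = hInstance;

    // This DLL's own IAT is never patched, so these resolve the real exports.
    HMODULE hKernel32 = GetModuleHandleA("KERNEL32.DLL");
    PROC pfnWriteFile = GetProcAddress(hKernel32, "WriteFile");
    PROC pfnLoadLibraryA = GetProcAddress(hKernel32, "LoadLibraryA");
    PROC pfnGetProcAddress = GetProcAddress(hKernel32, "GetProcAddress");

    switch (dwReason) {
    case DLL_PROCESS_ATTACH:
        ModifyIATs("KERNEL32.DLL", pfnWriteFile, (PROC)MyWriteFile);
        ModifyIATs("KERNEL32.DLL", pfnLoadLibraryA, (PROC)MyLoadLibraryA);
        ModifyIATs("KERNEL32.DLL", pfnGetProcAddress, (PROC)MyGetProcAddress);
        break;
    case DLL_PROCESS_DETACH:
        // lpvReserved is non-NULL when the process is terminating; other
        // modules may already be gone, and there is nothing left to restore.
        if (lpvReserved != NULL)
            break;
        // WriteFile is imported from KERNEL32, so its descriptor must be
        // looked up there: the original "USER32.DLL" lookup found no
        // descriptor and left the WriteFile hook in place after unload.
        ModifyIATs("KERNEL32.DLL", (PROC)MyWriteFile, pfnWriteFile);
        ModifyIATs("KERNEL32.DLL", (PROC)MyLoadLibraryA, pfnLoadLibraryA);
        ModifyIATs("KERNEL32.DLL", (PROC)MyGetProcAddress, pfnGetProcAddress);
        break;
    default:
        break;
    }
    return TRUE;
}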

转载于:https://www.cnblogs.com/zhxfl/archive/2011/11/03/2233846.html
