前些日子闲来无事研究的东西……方法是在 user32.dll 内查找 gSharedInfo 的地址(通过扫描 UserRegisterWowHandlers 的指令特征定位),再借助 ZwSystemDebugControl 从内核读取钩子链。放代码出来(参考网上写的),想申请邀请码。
这里我想问个问题,希望哪位高手可以指点一下。
就是
// win32k's tagHOOK (the kernel object behind a hook handle), 32-bit layout.
// This is the same definition that appears again in the listing below;
// travalHook copies it out of kernel memory with SysDbgReadVirtualMemory.
typedef struct tagHOOK { /* hk */
HANDLE h; // hook handle (printed by travalHook)
DWORD cLockObj; // not used by this tool
PVOID pti; // THREADINFO pointer; travalHook reads its first DWORD (pEThread)
PVOID rpdesk; // not used by this tool
PBYTE pSelf; // not used by this tool
tagHOOK* phkNext; // next hook in the chain; travalHook follows it until NULL
int iHook; // WH_xxx hook type (printed)
DWORD offPfn; // hook procedure offset (printed); presumably relative to the module ihmod selects -- confirm on the target build
UINT flags; // HF_xxx flags (not used by this tool)
int ihmod; // not used by this tool; looks like an index into the hooking process's ahmodLibLoaded[] (see PROCESSINFO) -- confirm
PTHREADINFO ptiHooked; // Thread hooked. (not used by this tool)
} HOOK_INFO, *PHOOK_INFO;
据说通过这个 int ihmod; 变量可以得到钩子函数的地址,我没有搞明白使用方法。(从下面的结构看,ihmod 像是 PROCESSINFO.ahmodLibLoaded[] 的索引,offPfn 则是钩子过程相对该模块基址的偏移——这一点尚需在目标系统上验证。)
下面放出代码。
// SearchHook.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <Windows.h>
#include <cstdio>
#include <set>
#include <vector>
using namespace std;
typedef int NTSTATUS; // return type of ZwSystemDebugControl; its value is never examined in this file
// win32k W32THREAD as laid out on the 32-bit build this tool targets.
// Only the first field matters here: travalHook reads the DWORD at
// tagHOOK.pti, i.e. pEThread, and uses it as the owning ETHREAD address.
// The remaining fields exist only so THREADINFO's offsets come out right.
typedef struct _W32THREAD
{
PVOID pEThread; // ETHREAD of the owning thread (read by travalHook)
ULONG RefCount;
PVOID ptlW32;
PVOID pgdiDcattr;
PVOID pgdiBrushAttr;
PVOID pUMPDObjs;
PVOID pUMPDHeap;
DWORD dwEngAcquireCount;
PVOID pSemTable;
PVOID pUMPDObj;
} W32THREAD, *PW32THREAD;
// Node of ntdll's generic AVL table. Embedded (via RTL_AVL_TABLE) in
// W32PROCESS purely so that structure's size and offsets are right;
// nothing in this file walks the tree.
typedef struct _RTL_BALANCED_LINKS {
struct _RTL_BALANCED_LINKS *Parent;
struct _RTL_BALANCED_LINKS *LeftChild;
struct _RTL_BALANCED_LINKS *RightChild;
CHAR Balance;
UCHAR Reserved[3];
} RTL_BALANCED_LINKS, *PRTL_BALANCED_LINKS;
// ntdll's RTL_AVL_TABLE. Present only because W32PROCESS embeds one
// (GDIEngUserMemAllocTable); the tool never touches its contents.
typedef struct _RTL_AVL_TABLE {
RTL_BALANCED_LINKS BalancedRoot;
PVOID OrderedPointer;
ULONG WhichOrderedElement;
ULONG NumberGenericTableElements;
ULONG DepthOfTree;
PVOID RestartKey;
ULONG DeleteCount;
PVOID CompareRoutine;
PVOID AllocateRoutine;
PVOID FreeRoutine;
PVOID TableContext;
} RTL_AVL_TABLE, *PRTL_AVL_TABLE;
// win32k W32PROCESS (32-bit layout). Only referenced as the first member
// of PROCESSINFO; no field is read by this tool, so the layout matters
// only for sizing.
typedef struct _W32PROCESS
{
PVOID peProcess;
DWORD RefCount;
ULONG W32PF_flags;
PVOID InputIdleEvent;
DWORD StartCursorHideTime;
PVOID NextStart;
PVOID pDCAttrList;
PVOID pBrushAttrList;
DWORD W32Pid;
LONG GDIHandleCount;
LONG UserHandleCount;
PVOID GDIPushLock; /* Locking Process during access to structure. */
RTL_AVL_TABLE GDIEngUserMemAllocTable; /* Process AVL Table. */
LIST_ENTRY GDIDcAttrFreeList;
LIST_ENTRY GDIBrushAttrFreeList;
} W32PROCESS, *PW32PROCESS;
// win32k PROCESSINFO (32-bit layout): W32PROCESS followed by USER-specific
// state. Only reachable here through THREADINFO.ppi, which nothing reads.
// ahmodLibLoaded[] is the per-process table of hook DLL modules that
// tagHOOK.ihmod appears to index -- not exercised by this tool.
typedef struct _PROCESSINFO
{
_W32PROCESS a;
PVOID ptiList;
PVOID ptiMainThread;
PVOID rpdeskStartup;
PVOID pclsPrivateList;
PVOID pclsPublicList;
DWORD dwhmodLibLoadedMask; // bitmask over ahmodLibLoaded[] slots (presumably; unused here)
HANDLE ahmodLibLoaded[32];
} PROCESSINFO, *PPROCESSINFO;
// win32k THREADINFO, truncated to the leading fields. It is only ever
// used as a pointer type (tagHOOK.ptiHooked) and travalHook reads just
// the first DWORD of the real object (W32THREAD.pEThread), so the
// truncation is harmless.
typedef struct _THREADINFO
{
W32THREAD a;
PVOID ptl;
PPROCESSINFO ppi;
} THREADINFO, *PTHREADINFO;
// win32k's tagHOOK (the kernel object behind a hook handle), 32-bit layout.
// travalHook copies one out of kernel memory with SysDbgReadVirtualMemory;
// fields marked "not used" are carried only so the offsets of the ones
// that are read stay correct.
typedef struct tagHOOK { /* hk */
HANDLE h; // hook handle (printed by travalHook)
DWORD cLockObj; // not used by this tool
PVOID pti; // THREADINFO pointer; travalHook reads its first DWORD (pEThread)
PVOID rpdesk; // not used by this tool
PBYTE pSelf; // not used by this tool
tagHOOK* phkNext; // next hook in the chain; travalHook follows it until NULL
int iHook; // WH_xxx hook type (printed)
DWORD offPfn; // hook procedure offset (printed); presumably relative to the module ihmod selects -- confirm on the target build
UINT flags; // HF_xxx flags (not used by this tool)
int ihmod; // not used by this tool; looks like an index into the hooking process's ahmodLibLoaded[] (see PROCESSINFO) -- confirm
PTHREADINFO ptiHooked; // Thread hooked. (not used by this tool)
} HOOK_INFO, *PHOOK_INFO;
// One slot of the USER handle table (SHAREDINFO.aheList). searchook reads
// these entries directly from user mode; the object an entry points to,
// however, lives in kernel space and has to be fetched via
// SysDbgReadVirtualMemory.
typedef struct _HANDLEENTRY {
DWORD phookInfo; /* kernel address of the object: for bType 5 it is a tagHOOK; other handle types point at other structures. Kept as a DWORD, so 32-bit only. */
PVOID pOwner; // owner (not used by this tool)
BYTE bType; /* type of object (by webxeyes); 5 means hook, the only type searchook looks at */
BYTE bFlags; /* flags - like destroy flag */
WORD wUniq; /* uniqueness count */
} HANDLEENTRY, *PHANDLE_ENTRY;
// Leading fields of win32k's SERVERINFO, only up to cHandleEntries. The
// real structure is larger, but it is only ever accessed through
// SHAREDINFO.psi (never allocated or sizeof'd here), so stopping early
// is safe.
typedef struct tagSERVERINFO
{
WORD wRIPFlags;
WORD wSRVIFlags;
WORD wRIPPID;
WORD wRIPError;
DWORD cHandleEntries; // number of entries in SHAREDINFO.aheList (loop bound in searchook)
}SERVERINFO,*PSERVERINFO;
// user32's gSharedInfo. searchook recovers its address from user32's code
// and then reads psi and aheList directly; the last two members are
// unused here.
typedef struct tagSHAREDINFO {
struct tagSERVERINFO *psi; // server info; only cHandleEntries is read
struct _HANDLEENTRY *aheList; // handle table pointer
PVOID pDispInfo; // global disp
ULONG ulSharedDelta; // by webxeyes
} SHAREDINFO, *PSHAREDINFO;
// Subset of the ZwSystemDebugControl command enum: only the one command
// this tool issues. Its input buffer is a MEMORY_CHUNKS.
typedef enum _SYSDBG_COMMAND
{
SysDbgReadVirtualMemory = 8 // copies from kernel space to user space, or from user space to user space
}SYSDBG_COMMAND,*PSYSDBG_COMMAND;
// Input buffer for SysDbgReadVirtualMemory: copy Length bytes from
// virtual address Address into the user buffer Data. Address is a
// 32-bit ULONG, so this only works from a 32-bit process against a
// 32-bit kernel (consistent with the DWORD pointer casts elsewhere).
typedef struct _MEMORY_CHUNKS {
ULONG Address; // source virtual address (kernel or user)
PVOID Data; // destination buffer in this process
ULONG Length; // bytes to copy
} MEMORY_CHUNKS, *PMEMORY_CHUNKS;
// Process/thread id pair; travalHook reads it out of the ETHREAD at a
// hard-coded offset (0x1EC) of the targeted 32-bit build.
typedef struct _CLIENT_ID
{
DWORD ProcessID;
DWORD ThreadID;
}CLIENT_ID;
// Record type intended for collecting one hook per entry. It is not
// populated by the current code: the hook information is printed
// directly by travalHook rather than gathered.
typedef struct _outHookInfo
{
DWORD hHandle;
DWORD address;
DWORD type;
char dllname[8];
DWORD threadID;
DWORD processID;
}outHookInfo;
// Prototype of ntdll!ZwSystemDebugControl, resolved at run time with
// GetProcAddress in searchook because it is not exported in any import
// library. Requires SeDebugPrivilege; on Windows versions newer than the
// one this was written for the read commands are refused unless a kernel
// debugger is attached (so an unchanged ReturnLength is the only failure
// signal the callers here look at).
typedef NTSTATUS (NTAPI * PZwSystemDebugControl) (
SYSDBG_COMMAND ControlCode,
PVOID InputBuffer,
ULONG InputBufferLength,
PVOID OutputBuffer,
ULONG OutputBufferLength,
PULONG ReturnLength
);
PZwSystemDebugControl ZwSystemDebugControl = NULL; // set by searchook before travalHook runs
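// Enables (bEnable != FALSE) or disables SeDebugPrivilege on the current
// process token. SysDbgReadVirtualMemory needs this privilege, so callers
// should treat a FALSE return as meaning the kernel reads that follow
// will fail.
//
// Returns TRUE only when the privilege was actually adjusted. Note that
// AdjustTokenPrivileges returns success even when the token does not hold
// the privilege at all (it then sets ERROR_NOT_ALL_ASSIGNED), which is why
// GetLastError() is consulted in addition to the return value.
//
// Fixed vs. the original: the results of LookupPrivilegeValue and
// AdjustTokenPrivileges were ignored, so a garbage LUID could be passed on
// and a failed call could still read a stale ERROR_SUCCESS.
int EnableDebugPrivilege(BOOL bEnable)
{
    int dwRet = FALSE;
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return FALSE;

    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;

    // Only attempt the adjustment with a valid LUID.
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
    {
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL))
            dwRet = (GetLastError() == ERROR_SUCCESS);
    }

    CloseHandle(hToken);
    return dwRet;
}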
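// Offset of ETHREAD.Cid on the 32-bit build this tool was written for
// (0x1EC corresponds to Windows XP x86 per public symbols). It is
// build-specific and must be confirmed against the target's symbols
// before the thread/process ids printed below are trusted.
static const DWORD kEthreadCidOffset = 0x1EC;

// Upper bound on nodes visited per chain; a legitimate hook chain is far
// shorter, so hitting this means the chain is corrupt or hostile.
static const size_t kMaxHookChain = 4096;

// Copies `length` bytes at virtual address `address` into `out` through
// SysDbgReadVirtualMemory. Returns TRUE only when the call reports
// success and exactly `length` bytes. Requires ZwSystemDebugControl to
// have been resolved and SeDebugPrivilege to be enabled.
static BOOL ReadKernelMemory(DWORD address, PVOID out, ULONG length)
{
    MEMORY_CHUNKS chunk;
    chunk.Address = address;
    chunk.Data = out;
    chunk.Length = length;
    ULONG got = 0;
    NTSTATUS status = ZwSystemDebugControl(SysDbgReadVirtualMemory, &chunk, sizeof(chunk), NULL, 0, &got);
    // NTSTATUS failures are negative; the original only looked at `got`.
    return status >= 0 && got == length;
}

// Walks the hook chain that starts at kernel address pHookInfo, printing
// each tagHOOK (handle, kernel address, WH_ type, offPfn) followed by the
// thread/process id of its owner (ETHREAD reached via pti->pEThread).
// Every dereference goes through ReadKernelMemory; if the node read fails
// the walk stops there, as in the original.
//
// Fixed vs. the original: the chain was followed recursively with no
// cycle or length check, so a corrupted or deliberately looped phkNext
// (kernel data this tool has no control over) would recurse until the
// stack overflowed. The walk is now iterative with a visited set and a
// hop cap, and the CLIENT_ID read is checked before its contents are
// printed instead of printing whatever the zeroed buffer held.
void travalHook(DWORD pHookInfo)
{
    std::set<DWORD> visited;
    DWORD current = pHookInfo;

    while (current != 0)
    {
        if (visited.size() >= kMaxHookChain || !visited.insert(current).second)
        {
            printf("Hook chain at %x loops or exceeds %u nodes; stopping\n", current, (unsigned)kMaxHookChain);
            break;
        }

        HOOK_INFO hook = {0};
        if (!ReadKernelMemory(current, &hook, sizeof(hook)))
            break;

        printf("Handle:%x address:%x HookType:%x Offpfn:%x\n", (DWORD)hook.h, current, hook.iHook, hook.offPfn);

        // pti points at a THREADINFO whose first DWORD is the ETHREAD.
        DWORD ethread = 0;
        if (ReadKernelMemory((DWORD)hook.pti, &ethread, sizeof(ethread)) && ethread != 0)
        {
            CLIENT_ID cid = {0};
            if (ReadKernelMemory(ethread + kEthreadCidOffset, &cid, sizeof(cid)))
                printf("ThreadID:%d, ProcessID:%d\n", cid.ThreadID, cid.ProcessID);
        }

        current = (DWORD)hook.phkNext;
    }
}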
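// Handle type value for hooks in the USER handle table (HANDLEENTRY.bType).
static const BYTE kHandleTypeHook = 5;

// Number of bytes of UserRegisterWowHandlers that are scanned for the
// gSharedInfo reference. Kept at the original's 0x256 (598) so the search
// window is unchanged; 0x100 was possibly intended.
static const DWORD kScanWindow = 0x256;

// Locates user32's gSharedInfo and prints every hook in the USER handle
// table.
//
// gSharedInfo is found heuristically: the first kScanWindow bytes of
// UserRegisterWowHandlers are scanned for the instruction pair
//     C7 40 xx imm32   mov dword ptr [eax+xx], imm32
//     B8 imm32         mov eax, imm32      (imm32 = &gSharedInfo)
// and the second immediate is taken as the address. This is specific to
// the 32-bit user32 build the author examined; on other builds the
// pattern is absent, and the function now reports that and returns
// instead of dereferencing a NULL PSHAREDINFO (the original crashed).
// If several matches exist the last one wins, as before.
//
// The handle table (psi, aheList) is readable from user mode, but each
// entry's object pointer is a kernel address, so travalHook fetches the
// hook objects through ZwSystemDebugControl, which needs
// SeDebugPrivilege; a failure to enable it is now reported rather than
// silently producing an empty listing.
void searchook()
{
    HMODULE hUser32 = LoadLibrary(L"user32.dll");
    if (hUser32 == NULL)
    {
        printf("LoadLibrary(user32.dll) failed: %lu\n", GetLastError());
        return;
    }

    const BYTE* scanStart = (const BYTE*)GetProcAddress(hUser32, "UserRegisterWowHandlers");
    if (scanStart == NULL)
    {
        printf("UserRegisterWowHandlers not exported; cannot locate gSharedInfo\n");
        return;
    }

    PSHAREDINFO pstSharedInfo = NULL;
    for (const BYTE* p = scanStart; p < scanStart + kScanWindow; p++)
    {
        if (*(const WORD*)p == 0x40C7 && p[7] == 0xB8)
            pstSharedInfo = (PSHAREDINFO)(*(const DWORD*)(p + 8));
    }
    if (pstSharedInfo == NULL)
    {
        printf("gSharedInfo pattern not found in UserRegisterWowHandlers; unsupported user32 build\n");
        return;
    }

    // ntdll is always loaded; no need to bump its reference count.
    ZwSystemDebugControl = (PZwSystemDebugControl)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "ZwSystemDebugControl");
    if (ZwSystemDebugControl == NULL)
    {
        printf("ZwSystemDebugControl not found in ntdll\n");
        return;
    }

    if (!EnableDebugPrivilege(TRUE))
        printf("warning: SeDebugPrivilege could not be enabled; kernel reads will fail\n");

    printf("HookInfoAddress:%x\n", (DWORD)pstSharedInfo);

    if (pstSharedInfo->psi == NULL || pstSharedInfo->aheList == NULL)
    {
        printf("gSharedInfo at %x has no server info / handle table\n", (DWORD)pstSharedInfo);
        return;
    }

    const DWORD cEntries = pstSharedInfo->psi->cHandleEntries;
    for (DWORD i = 0; i < cEntries; i++)
    {
        if (pstSharedInfo->aheList[i].bType == kHandleTypeHook)
            travalHook(pstSharedInfo->aheList[i].phookInfo);
    }
}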
// Entry point: dump every hook chain in the USER handle table, then wait
// for a keypress so the console stays open when launched from Explorer.
// Command-line arguments are ignored.
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;

    searchook();

    // Block until Enter is pressed; the value is irrelevant.
    (void)getchar();
    return 0;
}