通过GetProcAddress 获取MessageBoxA函数的地址,然后跳转到自己的函数地址去,在XP 完全可以使用,但是在WIN 7发现MessageBoxA 函数对应指令并没有进行HOOK掉,反而在调试的过程中,首先
MessageBoxA 的头几个字节 跳转到我们的函数地址,但是不一会在acLayers中进行恢复了MessageBoxA 原来的指令,并且在acLayers 内存空间实现跳转到我们的函数地址,请问大家怎么解决win 7的API HOOK相关问题??
// Installs a 5-byte relative JMP at the start of an exported function so that
// calls to it land in a replacement routine (see Initialize/SetHookOn below).
// The class patches a code page of the current process; the bytes saved in
// m_OldFunc are what SetHookOff() needs to undo the patch.
class CApiHook
{
public :
// Length of the patch: one opcode byte (0xE9) plus a 32-bit displacement.
// NOTE(review): a #define is not scoped by the class, so the name HookSize
// leaks into every translation unit that includes this header.
#define HookSize 5
// Process whose memory is patched; Initialize() sets it to GetCurrentProcess().
// NOTE(review): public and writable by callers -- consider moving it below 'protected'.
HANDLE m_hTargetProc ;
// Resolves lpProcName in lpLibFileName, saves the original bytes, builds the
// JMP to lpNewFunc and installs it. Returns FALSE if anything cannot be resolved.
BOOL Initialize ( LPCTSTR lpLibFileName , LPCTSTR lpProcName , FARPROC lpNewFunc );
// Writes m_NewFunc over the first HookSize bytes of the target.
void SetHookOn ( void );
// Declared only; the definition is not part of this listing (presumably restores m_OldFunc).
void SetHookOff ( void );
CApiHook();
virtual ~CApiHook();
protected :
BYTE m_OldFunc [ HookSize ]; // original bytes of the target, read by Initialize()
BYTE m_NewFunc [ HookSize ]; // the JMP patch built by Initialize()
FARPROC m_lpHookFunc ; // address of the hooked export, from GetProcAddress()
};
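void CApiHook::SetHookOn ( void )
{
	// Purpose: overwrite the first HookSize bytes of the resolved target
	// (m_lpHookFunc) with the jump prepared by Initialize() (m_NewFunc).
	// Preconditions: Initialize() has succeeded, so m_lpHookFunc,
	// m_hTargetProc and m_NewFunc are valid.
	// Returns nothing (signature kept); when the page cannot be made
	// writable the patch is simply not applied.
	if ( NULL == m_lpHookFunc || NULL == m_hTargetProc )
		return ;

	// The target lives in a code page. PAGE_EXECUTE_READWRITE keeps it
	// executable while it is patched. The original used PAGE_READWRITE, which
	// drops the execute permission, and the second VirtualProtect re-applied
	// the same value instead of the saved one -- so the page never got its
	// original protection back.
	DWORD dwOldProtect = 0 ;
	if ( ! VirtualProtect ( m_lpHookFunc , HookSize , PAGE_EXECUTE_READWRITE , &dwOldProtect ) )
		return ;

	WriteProcessMemory ( m_hTargetProc , m_lpHookFunc , m_NewFunc , sizeof(m_NewFunc) , 0 );

	// A code patch has to be made visible to the instruction fetch path
	// before the page is handed back.
	FlushInstructionCache ( m_hTargetProc , m_lpHookFunc , HookSize );

	// Restore the saved protection so the code page does not stay writable
	// for the rest of the process lifetime.
	DWORD dwIgnored = 0 ;
	VirtualProtect ( m_lpHookFunc , HookSize , dwOldProtect , &dwIgnored );
	return ;
}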
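BOOL CApiHook::Initialize ( LPCTSTR lpLibFileName , LPCTSTR lpProcName , FARPROC lpNewFunc )
{
	// Purpose: resolve lpProcName in lpLibFileName, save its first HookSize
	// bytes in m_OldFunc, build a 5-byte relative JMP to lpNewFunc in
	// m_NewFunc and install it via SetHookOn().
	// Parameters:
	//   lpLibFileName - module exporting the target (loaded if not yet mapped)
	//   lpProcName    - exported name of the target function
	//   lpNewFunc     - replacement the target will jump to; must not be NULL
	// Returns TRUE when the original bytes were saved and the patch was
	// handed to SetHookOn(), FALSE on any resolution or validation failure.
	if ( NULL == lpNewFunc )
		return FALSE ;

	HMODULE hModule = GetModuleHandle ( lpLibFileName );
	if ( NULL == hModule )
	{
		// Not mapped yet: load it. The reference is intentionally never
		// released; the patched code must stay mapped while the hook is on.
		hModule = LoadLibrary ( lpLibFileName );
		if ( NULL == hModule )
			return FALSE ;
	}

	m_lpHookFunc = GetProcAddress ( hModule , lpProcName );
	if ( NULL == m_lpHookFunc )
		return FALSE ;

	// GetCurrentProcess() returns a pseudo-handle and does not fail; the
	// check is kept as a cheap guard. TEXT() so the call also builds UNICODE
	// (the original narrow literals only compiled in ANSI builds).
	m_hTargetProc = GetCurrentProcess ();
	if ( NULL == m_hTargetProc )
	{
		MessageBox ( NULL , TEXT("Initialize.OpenProcess") , TEXT("fail") , MB_OK );
		return FALSE ;
	}

	// Keep a copy of the bytes about to be overwritten so SetHookOff() can
	// put them back.
	if ( ! ReadProcessMemory ( m_hTargetProc , m_lpHookFunc , m_OldFunc , sizeof(m_OldFunc) , 0 ) )
		return FALSE ;

	// E9 rel32: the displacement is relative to the end of the 5-byte
	// instruction. Compute it in pointer width and reject targets that do
	// not fit in rel32; the original DWORD casts silently truncated 64-bit
	// addresses and produced a jump to the wrong place.
	const LONG_PTR lDelta = (LONG_PTR) lpNewFunc - ( (LONG_PTR) m_lpHookFunc + HookSize );
	if ( lDelta != (LONG_PTR)(LONG) lDelta )
		return FALSE ;

	const DWORD dwRel32 = (DWORD) lDelta ;
	m_NewFunc [ 0 ] = 0xE9 ;
	// CopyMemory instead of a DWORD* store into the BYTE array: avoids the
	// misaligned, type-punned write the original performed.
	CopyMemory ( &m_NewFunc [ 1 ] , &dwRel32 , sizeof(dwRel32) );

	SetHookOn ();
	return TRUE ;
}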
只是跳转到如下函数:
// Installs the hook: resolves MessageBoxA in user32.dll and redirects it to MyMessageBox.
// The BOOL result of Initialize() is discarded here, so a failed install goes unnoticed.
// NOTE(review): the member name m_ApiGetVersionExA does not match the function being hooked -- verify this is the intended instance.
m_ApiGetVersionExA.Initialize(_T("user32.dll"),_T("MessageBoxA"),(FARPROC)MyMessageBox);
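// Replacement body for MessageBoxA: control arrives here through the JMP
// written by CApiHook, so the signature must match the hooked export exactly.
// WINAPI (__stdcall) is required because MessageBoxA pops its own arguments;
// without it the caller's stack was left unbalanced on 32-bit builds.
// Parameters are LPCSTR because the hooked export is the ANSI variant
// regardless of the UNICODE build setting (they are not used here).
// Returns IDOK so callers that inspect the result see a valid button id; the
// original fell off the end of a non-void function, which is undefined behaviour.
int WINAPI MyMessageBox(
	HWND hWnd, // handle to owner window
	LPCSTR lpText, // text in message box
	LPCSTR lpCaption, // message box title
	UINT uType // message box style
	)
{
	TRACE("你好?");
	return IDOK;
}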