Inline Hook API in Ring 3
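Using CreateFile as the example, this post explains inline API hooking in Ring 3 (user mode). The basic principle is simple:
1. Get the address of the CreateFile function.
2. Read the first 8 bytes of the CreateFile function.
3. Overwrite the first 8 bytes of the CreateFile function with mov eax, <address of my function>; jmp eax.
4. Once execution enters my function, remember to restore the original 8 bytes of CreateFile, otherwise CreateFile cannot be used normally.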
The code is as follows:
#include <windows.h>
#include <stdio.h>

// 32-bit x86 only: change the API entry point to
//   mov eax, 00400000 ; jmp eax
// so that the program jumps to our own function. The 0x00400000 immediate is
// a placeholder that main() overwrites with the address of MyCreateFile.
BYTE NewBytes[8] = {0xB8, 0x0, 0x0, 0x40, 0x0, 0xFF, 0xE0, 0x0};
BYTE OldBytes[8] = {0};

FARPROC CreateFile_Addr;

// Same signature as CreateFileA (the ANSI variant is the one being hooked).
HANDLE WINAPI MyCreateFile(
    __in LPCSTR lpFileName,
    __in DWORD dwDesiredAccess,
    __in DWORD dwShareMode,
    __in LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    __in DWORD dwCreationDisposition,
    __in DWORD dwFlagsAndAttributes,
    __in HANDLE hTemplateFile)
{
    MessageBoxA(0, "MyCreateFile", 0, 0);

    // Restore the first 8 bytes of the API.
    // Not thread-safe: a call from another thread between this restore and
    // the re-patch below goes straight to the real CreateFileA.
    WriteProcessMemory(GetCurrentProcess(), (void*)CreateFile_Addr, (void*)OldBytes, 8, NULL);
    printf("lpFileName is %s\n", lpFileName);

    // Call the real function
    HANDLE hFile = CreateFileA(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
                               dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);

    // Write the jump again to keep the hook in place
    WriteProcessMemory(GetCurrentProcess(), (void*)CreateFile_Addr, (void*)NewBytes, 8, NULL);
    return hFile;
}

int main(void)
{
    HMODULE hModule_Kernel32 = LoadLibraryA("Kernel32.dll");
    CreateFile_Addr = GetProcAddress(hModule_Kernel32, "CreateFileA");
    if (CreateFile_Addr == NULL) {
        printf("GetProcAddress error\n");
        return 1;
    }
    printf("CreateFileA_Addr is %p\n", (void*)CreateFile_Addr);
    printf("MyCreateFile Addr is %p\n", (void*)MyCreateFile);

    // Read the first 8 bytes of the CreateFile function
    if (ReadProcessMemory(GetCurrentProcess(), (void*)CreateFile_Addr, OldBytes, 8, NULL) == 0) {
        printf("ReadProcessMemory error\n");
        return 1;
    }
    printf("OldBytes is %02x%02x%02x%02x%02x%02x%02x%02x\n",
           OldBytes[0], OldBytes[1], OldBytes[2], OldBytes[3],
           OldBytes[4], OldBytes[5], OldBytes[6], OldBytes[7]);

    // Put the address of MyCreateFile into NewBytes (imm32 operand of mov eax)
    *(DWORD*)(NewBytes + 1) = (DWORD)MyCreateFile;
    printf("NewBytes is %02x%02x%02x%02x%02x%02x%02x%02x\n",
           NewBytes[0], NewBytes[1], NewBytes[2], NewBytes[3],
           NewBytes[4], NewBytes[5], NewBytes[6], NewBytes[7]);

    // Write the jump: the hook starts here
    WriteProcessMemory(GetCurrentProcess(), (void*)CreateFile_Addr, NewBytes, 8, NULL);

    // Call CreateFileA to test it
    HANDLE hFile = CreateFileA("C:\\1.txt", GENERIC_ALL, FILE_SHARE_READ, 0, CREATE_ALWAYS, 0, 0);
    if (hFile != INVALID_HANDLE_VALUE)
        CloseHandle(hFile);
    return 0;
}
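Seen from the detection side, the patch written in step 3 leaves a recognisable entry-point signature. The following is an added example, not part of the original article: a portable C check that classifies the first bytes of a 32-bit function and reports a redirect only when its destination lies outside the owning module. It also covers the jmp rel32 and push/ret forms, which go beyond the single pattern used above; the names classify_prologue, hook_kind and the sample byte arrays are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

enum hook_kind { HOOK_NONE, HOOK_MOV_EAX_JMP_EAX, HOOK_JMP_REL32, HOOK_PUSH_RET };

/* Read a little-endian 32-bit value without alignment assumptions. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Classify the first bytes of a 32-bit x86 function.
 *   code/len          bytes read from the function entry
 *   func_va           virtual address those bytes were read from
 *   mod_base/mod_size address range of the DLL that exports the function
 * Returns the redirect kind and stores its destination in *target.
 * A redirect that stays inside the owning module is reported as HOOK_NONE,
 * because linkers emit such jumps legitimately.
 */
enum hook_kind classify_prologue(const uint8_t *code, size_t len, uint32_t func_va,
                                 uint32_t mod_base, uint32_t mod_size, uint32_t *target) {
    enum hook_kind kind = HOOK_NONE;
    uint32_t dest = 0;

    if (len >= 7 && code[0] == 0xB8 && code[5] == 0xFF && code[6] == 0xE0) {
        kind = HOOK_MOV_EAX_JMP_EAX;          /* mov eax, imm32 ; jmp eax */
        dest = le32(code + 1);
    } else if (len >= 5 && code[0] == 0xE9) {
        kind = HOOK_JMP_REL32;                /* jmp rel32, relative to next insn */
        dest = func_va + 5 + le32(code + 1);
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        kind = HOOK_PUSH_RET;                 /* push imm32 ; ret */
        dest = le32(code + 1);
    }
    /* Unsigned subtraction wraps for dest < mod_base, so one compare suffices. */
    if (kind == HOOK_NONE || dest - mod_base < mod_size)
        return HOOK_NONE;
    *target = dest;
    return kind;
}

/* Constructed sample prologues (not captured from a real system). */
const uint8_t SAMPLE_HOOKED[8] = {0xB8, 0x00, 0x10, 0x40, 0x00, 0xFF, 0xE0, 0x00};
const uint8_t SAMPLE_CLEAN[8]  = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};
```

A hit is a lead rather than a verdict, since security products patch API prologues in the same way; comparing the in-memory bytes with the DLL file on disk confirms whether the entry point was modified.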