
Hook Windows API调用 C++



// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"

// Prototype used for the undocumented kernelbase export CreateProcessInternalW.
// The argument list is not part of the public SDK; it is assumed here and must
// match the real calling convention (WINAPI) and parameter order exactly, since
// the detour below forwards its arguments to the original unchanged.
// NOTE(review): confirm this signature against the target Windows build.
typedef BOOL(WINAPI *pProcessInternalW)(HANDLE hToken, LPCWSTR AppName, LPWSTR CmdLine,
LPSECURITY_ATTRIBUTES ProcessAttr, LPSECURITY_ATTRIBUTES ThreadAttr,
BOOL bIH, DWORD flags, LPVOID env, LPCWSTR CurrDir,
LPSTARTUPINFOW si, LPPROCESS_INFORMATION pi, PHANDLE NewToken);

// Hook state shared between install (H1_OpenProcess), the detour
// (MyOpenProcess) and removal (UnHook).
// NOTE(review): none of this is synchronized; hook/unhook from more than
// one thread at a time is a data race on the patched code bytes.
DWORD oldProtect;      // page protection saved by VirtualProtect, restored by UnHook
BYTE JmpByte[5];       // the patch written over the target: E9 <rel32>
BYTE OldByte[5];       // the 5 original bytes the patch overwrites
HMODULE hModuleW;      // kernelbase.dll handle obtained in F1_OpenProcess
void* OpenProcessadr;  // address of CreateProcessInternalW (the patched function)
extern "C" __declspec(dllexport) bool CALLBACK H1_OpenProcess();  // install the hook
extern "C" __declspec(dllexport) void UnHook();// remove the hook and restore the original bytes

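/*
 * DLL entry point. Installs the CreateProcessInternalW hook when the DLL is
 * loaded into a process, and removes it again on a dynamic unload so the
 * patched JMP never points into an address range that has been unmapped
 * (the original left the detach case commented out, which crashes the host
 * on its next CreateProcess call after FreeLibrary).
 *
 * hModule            - this DLL's module handle (unused).
 * ul_reason_for_call - DLL_PROCESS_ATTACH / DLL_PROCESS_DETACH / thread events.
 * lpReserved         - per the DllMain contract, on DLL_PROCESS_DETACH this is
 *                      NULL for FreeLibrary and non-NULL for process termination.
 * Returns TRUE; a failed hook install is deliberately not turned into a
 * load failure, matching the original behaviour.
 */
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // NOTE(review): this runs under the loader lock. H1_OpenProcess
        // reaches LoadLibrary and MessageBox from here, which the DllMain
        // rules discourage; consider deferring the install to an exported
        // init call made by the injector instead.
        H1_OpenProcess();
        break;
    case DLL_PROCESS_DETACH:
        // Unpatch only on FreeLibrary: on process termination the image is
        // about to disappear anyway. Skip when no hook was installed
        // (OpenProcessadr stays 0 if the target was not found).
        if (lpReserved == NULL && OpenProcessadr != 0)
        {
            UnHook();
        }
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    }
    return TRUE;
}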

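// Detour that replaces kernelbase!CreateProcessInternalW. Runs the monitoring
// action, temporarily removes the patch so the original function can run,
// forwards the call, then re-installs the patch.
//
// Parameters mirror CreateProcessInternalW and are forwarded untouched.
// Returns the original function's result. If the original cannot be resolved
// it returns FALSE with ERROR_PROC_NOT_FOUND instead of calling a NULL
// function pointer (the original code did not check GetProcAddress).
//
// NOTE(review): unhook -> call -> rehook leaves a window where other threads
// call the unpatched function unobserved, and two threads in here at once
// race on the 5-byte patch. A trampoline (execute the saved bytes, then jump
// past the patch) is the usual way to avoid both problems.
__declspec(dllexport) BOOL CALLBACK MyOpenProcess(HANDLE hToken, LPCWSTR AppName, LPWSTR CmdLine,
LPSECURITY_ATTRIBUTES ProcessAttr, LPSECURITY_ATTRIBUTES ThreadAttr,
BOOL bIH, DWORD flags, LPVOID env, LPCWSTR CurrDir,
LPSTARTUPINFOW si, LPPROCESS_INFORMATION pi, PHANDLE NewToken)
{
    // Monitoring action for the new process (demo: just a message box).
    MessageBox(NULL,L"test", L"Demo",0);

    // Put the original bytes back so the real function can execute.
    UnHook();

    // Resolve the original through the handle saved at install time.
    pProcessInternalW ProcessInternal =
        (pProcessInternalW)GetProcAddress(hModuleW, "CreateProcessInternalW");
    if (ProcessInternal == NULL)
    {
        // Calling through NULL would crash the host process; fail the
        // CreateProcess call instead. The patch is left removed, since
        // re-installing it would only bring us straight back here.
        SetLastError(ERROR_PROC_NOT_FOUND);
        return FALSE;
    }

    BOOL proGet = ProcessInternal(hToken,AppName,CmdLine,ProcessAttr,ThreadAttr,bIH,flags,env, CurrDir,
        si,pi,NewToken);

    // Re-install the patch. H1_OpenProcess calls LoadLibrary/VirtualProtect,
    // which can overwrite the thread's last-error value; callers of
    // CreateProcess inspect GetLastError() on FALSE, so preserve it.
    DWORD savedError = GetLastError();
    H1_OpenProcess();
    SetLastError(savedError);
    return proGet;
}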

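// Locate kernelbase!CreateProcessInternalW. Stores the module handle in
// hModuleW (used later by MyOpenProcess) and returns the export's address,
// or 0 after a diagnostic message box when the module or the export is
// missing. The original did not check LoadLibrary's result and relied on
// GetProcAddress(NULL, ...) failing; the failure is now explicit.
void* F1_OpenProcess()
{
    // NOTE(review): every call bumps kernelbase's reference count and it is
    // never released (this runs on each re-hook). LoadLibrary is kept to
    // preserve behaviour; GetModuleHandle would do for an already-loaded DLL.
    HMODULE hModule = LoadLibrary(L"kernelbase.dll");
    hModuleW = hModule;
    if (hModule == NULL)
    {
        MessageBox(NULL, L"FindNothing", L"Address", 0);
        return 0;
    }

    void* addr = (void*)GetProcAddress(hModule, "CreateProcessInternalW");
    if (addr == 0)
    {
        MessageBox(NULL, L"FindNothing", L"Address", 0);
    }
    return addr;
}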

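// Install a 5-byte relative JMP (E9 rel32) at the start of
// CreateProcessInternalW that redirects execution to MyOpenProcess. Saves the
// overwritten bytes in OldByte and the old page protection in oldProtect so
// UnHook can undo it. OpenProcessadr is set only once the patch is in place,
// so it doubles as "is hooked" state; it is 0 after any failure.
//
// Returns true on success; false if the target was not found, the detour is
// not reachable with a 32-bit displacement, or the page could not be made
// writable. The original cast the 64-bit displacement straight to DWORD
// (silently truncating on x64 when the DLL and kernelbase are more than
// 2 GiB apart) and wrote to the page without checking VirtualProtect.
//
// Must not be called while the patch is already installed: OldByte would
// then capture the JMP itself and a later UnHook would re-apply it.
__declspec(dllexport) bool CALLBACK H1_OpenProcess()
{
    OpenProcessadr = 0;
    void* addr = F1_OpenProcess();
    if (addr == 0)
    {
        return false;
    }

    // E9 rel32 reaches only +/-2 GiB from the end of the 5-byte instruction.
    long long delta = (long long)(ULONG_PTR)MyOpenProcess - (long long)(ULONG_PTR)addr - 5;
    if (delta > 0x7FFFFFFFLL || delta < -0x80000000LL)
    {
        // Out of range: refuse rather than jump to a truncated address.
        return false;
    }

    // Code pages are read/execute; make ours writable before patching.
    if (!VirtualProtect(addr, 5, PAGE_EXECUTE_READWRITE, &oldProtect))
    {
        return false;
    }

    DWORD rel32 = (DWORD)delta;
    JmpByte[0] = 0xE9;
    memcpy(&JmpByte[1], &rel32, sizeof rel32);  // avoids a misaligned DWORD store
    memcpy(OldByte, addr, 5);                   // keep what we are about to overwrite
    memcpy(addr, JmpByte, 5);
    // We modified executable code; make sure no core keeps running stale bytes.
    FlushInstructionCache(GetCurrentProcess(), addr, 5);

    OpenProcessadr = addr;
    return true;
}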

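// Remove the JMP patch: write the saved original bytes back over the target,
// then restore the page protection recorded by H1_OpenProcess. Safe to call
// when no hook is installed (OpenProcessadr == 0) - it then does nothing,
// where the original would memcpy to address 0 and crash. Clears
// OpenProcessadr so the "is hooked" state stays accurate.
//
// Relies on the page still being PAGE_EXECUTE_READWRITE from the install;
// the write happens before the protection is put back.
void UnHook()
{
    void* target = OpenProcessadr;
    if (target == 0)
    {
        return;
    }

    memcpy(target, OldByte, 5);
    // Restored bytes are code; drop any cached copy of the patched version.
    FlushInstructionCache(GetCurrentProcess(), target, 5);

    DWORD p;
    VirtualProtect(target, 5, oldProtect, &p);
    OpenProcessadr = 0;
}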


From: https://blog.51cto.com/u_15906863/5977835
