 
陈辉大牛写的HOOK估计大家都看到了,十分牛逼吧。 
不过大牛写的东西一般新手看不懂,只能膜拜,所以我今天抽空写了个简单的 Hook 例子(在自己进程内部 inline hook MessageBoxW:用 WriteProcessMemory 把 MessageBoxW 入口前 5 个字节改写成一条跳到 Fake_MsgBoxW 的 JMP),让大家了解一下 Hook 的基本原理。
以下是核心代码: 
'////////////////////  
'Simple VB Hook  
'Code By Tesla.Angela  
'////////////////////  
 
 
Option Explicit  
 
' Win32 imports. The original keeps the parameter names short (a..e); the
' meaning of each parameter is given above its Declare.

' MessageBoxA(hWnd, lpText, lpCaption, uType) -- ANSI variant. Fake_MsgBoxW
' shows its own notices through this one, presumably so those notices are not
' routed through the hooked MessageBoxW entry.
Public Declare Function MessageBoxA Lib "user32.dll" _  
                        (ByVal a As Long, _  
                        ByVal b As String, _  
                        ByVal c As String, _  
                        ByVal d As Long) As Long  
 
' MessageBoxW(hWnd, lpText, lpCaption, uType) -- the hook target. The text
' parameters are declared As Long so callers pass StrPtr() of a VB string.
Public Declare Function MessageBoxW Lib "user32.dll" _  
                        (ByVal a As Long, _  
                        ByVal b As Long, _  
                        ByVal c As Long, _  
                        ByVal d As Long) As Long  
 
' WriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten).
' Used with hProcess = -1 (the current-process pseudo handle) to patch code in
' our own address space. lpNumberOfBytesWritten is declared ByVal, so callers
' pass 0 (NULL) and never learn how many bytes were actually written; only the
' non-zero/zero return value is checked.
Public Declare Function WriteProcessMemory Lib "kernel32.dll" _  
                        (ByVal a As Long, _  
                        ByVal b As Long, _  
                        ByVal c As Long, _  
                        ByVal d As Long, _  
                        ByVal e As Long) As Long  
 
' LoadLibraryA(lpLibFileName) -- returns the module handle of user32.dll.
Public Declare Function LoadLibraryA Lib "kernel32.dll" _  
                        (ByVal szLibName As String) As Long  
 
' GetProcAddress(hModule, lpProcName) -- resolves the address of MessageBoxW.
Public Declare Function GetProcAddress Lib "kernel32.dll" _  
                        (ByVal hLib As Long, _  
                        ByVal szFuncName As String) As Long  
 
' RtlMoveMemory exposed as memcpy(dst, src, len); used to save the original
' 5-byte prologue and to assemble the patch. RtlMoveMemory has no return value,
' so the Long result declared here carries no information.
Public Declare Function memcpy Lib "kernel32.dll" Alias "RtlMoveMemory" _  
                        (ByVal pDst As Long, _  
                        ByVal pSrc As Long, _  
                        ByVal dwLength As Long) As Long  
 
' OldCode: the original first 5 bytes of MessageBoxW, saved by Hook_MsgBoxW and
' written back by HookStatus(False). NewCode: the 5-byte patch (E9 + rel32 JMP
' to Fake_MsgBoxW). Dim X(4) gives indices 0..4, i.e. exactly 5 bytes.
Dim OldCode(4) As Byte, NewCode(4) As Byte  
' Address of MessageBoxW as resolved by GetProcAddress; 0 until Hook_MsgBoxW
' has run. HookStatus writes to this address.
Dim FunAddr As Long  
 
' Apply (Status = True) or remove (Status = False) the 5-byte patch at FunAddr.
' Returns True when WriteProcessMemory reports success, False otherwise.
' FunAddr and both byte buffers are module-level state filled in by
' Hook_MsgBoxW; before that FunAddr is 0, the write fails and False comes back.
' NOTE(review): the patch is written straight into the live code page with no
' locking, so another thread may run MessageBoxW while its prologue is being
' rewritten. Acceptable for a demo, not for production code.
Public Function HookStatus(ByVal Status As Boolean) As Boolean  
    Dim pBytes As Long
    ' Choose which 5 bytes go to the function entry: the JMP patch or the backup.
    If Status Then
        pBytes = VarPtr(NewCode(0))
    Else
        pBytes = VarPtr(OldCode(0))
    End If
    ' -1 is the GetCurrentProcess() pseudo-handle; a non-zero result means success.
    HookStatus = (WriteProcessMemory(-1, FunAddr, pBytes, 5, 0) <> 0)
End Function  
 
' Replacement for MessageBoxW. Control arrives here through the JMP that
' Hook_MsgBoxW wrote over the real entry, so the signature must match
' MessageBoxW exactly: four Long arguments, Long result, stdcall.
' a = hWnd, b = lpText, c = lpCaption, d = uType -- all passed through unchanged.
' Behaviour: show a notice via MessageBoxA; if d is exactly 4 the call is
' refused and 0 is returned, otherwise the patch is lifted, the real
' MessageBoxW is called, and the patch is put back.
' NOTE(review): d is compared for equality with 4. uType is a bit-mask, so a
' caller that combines 4 with other flags is not refused by this check.
' NOTE(review): while the real call runs the patch is removed, so any other
' MessageBoxW call made in that window (another thread, or code run by the
' modal box's message loop) bypasses the hook. A trampoline that executes the
' saved prologue would avoid this unhook/rehook round trip.
Public Function Fake_MsgBoxW(ByVal a As Long, ByVal b As Long, ByVal c As Long, ByVal d As Long) As Long  
    Dim notice As String
    notice = "MessageBoxW被HOOK了!显示此消息后才调用Real_MessageBoxW!" & vbCrLf & _
             "如果传给MessageBoxW的最后一个参数为4,将会被拒绝调用Real_MessageBoxW!"
    MessageBoxA 0, notice, "Fake_MessageBoxW", 0
    If d = 4 Then
        ' Refused: report it and return 0 without touching the real function.
        MessageBoxA 0, "拒绝访问!拒绝原因:传给MessageBoxW的最后一个参数为4。", "Fake_MessageBoxW", 0
        Fake_MsgBoxW = 0
        Exit Function
    End If
    ' Temporarily restore the original prologue so the real function can run.
    HookStatus False
    Fake_MsgBoxW = MessageBoxW(a, b, c, d)
    HookStatus True
End Function  
 
' Identity helper. The usual VB6 idiom: AddressOf may only appear as a call
' argument, so passing AddressOf Fake_MsgBoxW through this Long parameter is
' how Hook_MsgBoxW obtains the function's address as a plain Long value.
Private Function SubPtr(ByVal AnyPtr As Long) As Long  
    Let SubPtr = AnyPtr
End Function  
 
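' Install the hook: resolve MessageBoxW, save its first 5 bytes, build a
' 5-byte relative JMP (E9 rel32) to Fake_MsgBoxW and write it over the entry.
' Returns True only when the target was resolved and the patch was written
' (the original returned True unconditionally, even if GetProcAddress gave 0
' or WriteProcessMemory failed).
' The backup is taken only once: FunAddr stays 0 until the target resolves, so
' a second call cannot overwrite OldCode with the already-patched bytes -- which
' would make a later HookStatus(False) "restore" the JMP instead of the
' original code.
' Assumes a 32-bit process (VB6), where addresses fit in a Long and the
' rel32 displacement can reach Fake_MsgBoxW.
Public Function Hook_MsgBoxW() As Boolean  
    Dim JmpAddr As Long  
    Hook_MsgBoxW = False
    If FunAddr = 0 Then
        FunAddr = GetProcAddress(LoadLibraryA("User32.dll"), "MessageBoxW")
        If FunAddr = 0 Then Exit Function   ' target not found; nothing to patch
        ' Save the bytes we are about to overwrite so the hook can be removed.
        Call memcpy(VarPtr(OldCode(0)), FunAddr, 5)
    End If
    NewCode(0) = &HE9                        ' opcode: JMP rel32
    ' rel32 is relative to the address following the 5-byte instruction.
    JmpAddr = SubPtr(AddressOf Fake_MsgBoxW) - FunAddr - 5
    Call memcpy(VarPtr(NewCode(1)), VarPtr(JmpAddr), 4)
    ' HookStatus goes through WriteProcessMemory rather than memcpy because the
    ' code page is not writable from a plain copy.
    Hook_MsgBoxW = HookStatus(True)
End Function  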
调用代码: 
' Button 1: an ordinary MessageBoxW call (uType 0). Once the hook is installed
' this goes through Fake_MsgBoxW first.
Private Sub Command1_Click()  
    Dim txt As String, cap As String
    txt = "txt"
    cap = "title"
    Call MessageBoxW(0, StrPtr(txt), StrPtr(cap), 0)
End Sub  
 
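' Button 2: install the hook, then flip the buttons so only "unhook" is enabled.
' Uses Hook_MsgBoxW's result instead of discarding it, so a failed install does
' not leave the UI claiming the hook is active. With the original Hook_MsgBoxW
' (which always returns True) this behaves exactly as before.
Private Sub Command2_Click()  
    If Hook_MsgBoxW() Then
        Command2.Enabled = False  
        Command3.Enabled = True  
    End If
End Sub  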
 
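' Button 3: remove the hook and re-enable the "hook" button.
' The original ignored HookStatus's result and wrote the two flags as
' "Not False"/"Not True"; here the buttons are only flipped when the original
' bytes were actually written back, so the UI never shows "unhooked" while
' the JMP is still in place.
Private Sub Command3_Click()  
    If HookStatus(False) Then
        Command2.Enabled = True
        Command3.Enabled = False
    End If
End Sub  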
 
' Button 4: MessageBoxW with uType = 4, the value Fake_MsgBoxW refuses, to
' demonstrate the "access denied" path while the hook is active.
Private Sub Command4_Click()  
    Const REFUSED_TYPE As Long = 4
    Call MessageBoxW(0, StrPtr("txt"), StrPtr("title"), REFUSED_TYPE)
End Sub  
 
' Closing the form ends the program at once with End; no unhook is attempted.
' The patch lives only in this process's mapping of user32's code page, so it
' disappears with the process. Note that End stops execution immediately and
' the remaining unload/cleanup handling does not run.
Private Sub Form_QueryUnload(Cancel As Integer, UnloadMode As Integer)  
    End  
End Sub  
如果要想这段代码在别的进程里起作用,方法有两个:
1.用老马的《VB函数添加大师》写个DLL(DLL 需要加载到目标进程中,在目标进程内执行同样的改写)
2.写个驱动禁用Copy-On-Write机制
说明:本例用 hProcess = -1 改写的只是本进程映射的那份 user32 代码页,由于写时复制(Copy-On-Write),其他进程看到的仍然是原来的 MessageBoxW。
 
 
 