{"id":31,"date":"2013-04-04T14:22:15","date_gmt":"2013-04-04T06:22:15","guid":{"rendered":"http:\/\/www.yarpee.com\/?p=31"},"modified":"2013-04-04T14:22:15","modified_gmt":"2013-04-04T06:22:15","slug":"inline-hook","status":"publish","type":"post","link":"http:\/\/www.yarpee.cn\/?p=31","title":{"rendered":"Inline Hook"},"content":{"rendered":"

Inline Hook\u4e5f\u662f\u5149\u542c\u8bf4\u8fc7\u6ca1\u7ec3\u8fc7\uff0c\u4eca\u5929\u81ea\u5df1\u52a8\u624b\u8fd8\u662f\u9047\u5230\u4e86\u4e0d\u5c11\u95ee\u9898\uff0c\u4e3b\u8981\u662f\u66ff\u6362\u540e\u7684\u51fd\u6570\u5982\u4f55\u8c03\u7528\u539f\u51fd\u6570\u548c\u5e73\u8861\u5176\u8c03\u7528\u5806\u6808\u3002Demo\u91cc\u6ca1\u6709\u5b9e\u73b0\u5982\u4f55\u5148\u6267\u884c\u88abInline Hook\u8986\u76d6\u7684\u4ee3\u7801\u540e\u8df3\u8f6c\u5230\u539f\u51fd\u6570\u7684\u6d41\u7a0b\uff0c\u4ee5\u540e\u5b9e\u73b0\u540e\u8865\u5145\u3002<\/p>\n

#include <Windows.h>
\n#include <tchar.h><\/code><\/p>\n

\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
\n\/\/ Inline Hook
\n#define JMP_CODE_SIZE 5
\n#pragma warning(push)
\n#pragma warning(disable:4311)
\nBOOL InlineHook(void* lpOldFunction, void* lpNewFunction)
\n{
\nBOOL bRet = FALSE;
\nbyte btCode[JMP_CODE_SIZE] = {0xE9}; \/\/ 5\u5b57\u8282\u76f8\u5bf9\u8df3\u8f6c\u6307\u4ee4
\ndo
\n{
\nif(NULL == lpOldFunction || NULL == lpNewFunction)
\n{
\nbreak;
\n}<\/p>\n

DWORD* pdwAddr = (DWORD*)&btCode[1];
\n*pdwAddr = (DWORD)lpNewFunction – (DWORD)lpOldFunction – JMP_CODE_SIZE; \/\/ \u8ba1\u7b97\u76f8\u5bf9\u8df3\u8f6c\u5730\u5740<\/p>\n

DWORD dwProtect = 0;
\nif(VirtualProtect(lpOldFunction, JMP_CODE_SIZE, PAGE_READWRITE, &dwProtect))
\n{
\nmemcpy(lpOldFunction, btCode, JMP_CODE_SIZE);
\nVirtualProtect(lpOldFunction, JMP_CODE_SIZE, dwProtect, &dwProtect);
\nbRet = TRUE;
\n}
\n} while (0);
\nreturn bRet;
\n}
\n#pragma warning(pop)<\/p>\n

\/\/ \u7528\u4e8e\u6062\u590dInline Hook
\nvoid* g_lpMessageBoxA = NULL;
\nbyte g_btCode[JMP_CODE_SIZE] = {0};<\/p>\n

\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
\n\/\/ \u771f\u6b63\u5b9e\u73b0MessageBoxA, MyMessageBoxA\u53ea\u662f\u4e00\u4e2a\u9a6c\u7532
\nint WINAPI InternalMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
\n{
\nMessageBoxW(NULL, L”In MyMessageBoxA”, L”InlineHook”, MB_OK);<\/p>\n

\/\/ \u8fd8\u539fInline Hook
\nDWORD dwProtect = 0;
\nif(VirtualProtect(g_lpMessageBoxA, JMP_CODE_SIZE, PAGE_READWRITE, &dwProtect))
\n{
\nmemcpy(g_lpMessageBoxA, g_btCode, JMP_CODE_SIZE);
\nVirtualProtect(g_lpMessageBoxA, JMP_CODE_SIZE, dwProtect, &dwProtect);
\n}<\/p>\n

\/\/ \u8c03\u56de\u771f\u6b63\u7684MessageBoxA
\nreturn MessageBoxA(hWnd, lpText, lpCaption, uType);
\n}<\/p>\n

\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
\n\/\/ Inline Hook\u7528MyMessageBoxA\u66ff\u6362MessageBoxA
\n\/\/ \u7f16\u8bd1\u5668\u751f\u6210\u4ee3\u7801\u65f6\u4f1a\u5728\u51fd\u6570\u524d\u540e\u589e\u52a0\u4e00\u4e9b\u5806\u6808\u5e73\u8861\u7684\u4ee3\u7801, \u5bfc\u81f4\u76f4\u63a5ret 10h\u5806\u6808\u5e76\u4e0d\u4f1a\u5e73\u8861
\n\/\/ \u56e0\u6b64\u9700\u8981\u4f7f\u7528_declspec(naked)\u4fee\u9970, \u4f46\u51fd\u6570\u5185\u9700\u8981\u81ea\u5df1\u63a7\u5236\u5bc4\u5b58\u5668
\n_declspec(naked) int WINAPI MyMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
\n{
\n\/\/ \u5806\u6808\u5e73\u8861
\n_asm
\n{
\npush ebp
\nmov ebp, esp
\npush dword ptr[ebp+0x14]
\npush dword ptr[ebp+0x10]
\npush dword ptr[ebp+0xC]
\npush dword ptr[ebp+0x8]
\ncall InternalMessageBoxA
\npop ebp
\nret 10h ; \u7531\u4e8e\u6ca1\u6709jmp\u56de\u88abInline Hook\u7684\u51fd\u6570, \u56e0\u6b64\u9700\u8981\u5e73\u8861\u5806\u6808.
\n}
\n}<\/p>\n

int _tmain(int argc, TCHAR* argv[])
\n{
\nHMODULE hLib = LoadLibrary(_T(“user32.dll”));
\nif(hLib != NULL)
\n{
\ng_lpMessageBoxA = GetProcAddress(hLib, “MessageBoxA”);
\nmemcpy(g_btCode, g_lpMessageBoxA, JMP_CODE_SIZE); \/\/ \u4fdd\u5b58\u5373\u5c06\u8986\u76d6\u76845\u5b57\u8282\u4ee3\u7801
\nInlineHook(g_lpMessageBoxA, MyMessageBoxA); \/\/ Inline Hook MessageBoxA\u5230MyMessageBoxA
\nMessageBoxA(NULL, “Real MessageBoxA”, “InlineHook”, MB_OK);
\nFreeLibrary(hLib);
\n}
\nreturn 0;
\n}<\/p>\n","protected":false},"excerpt":{"rendered":"

Inline Hook\u4e5f\u662f\u5149\u542c\u8bf4\u8fc7\u6ca1\u7ec3\u8fc7\uff0c\u4eca\u5929\u81ea\u5df1\u52a8\u624b\u8fd8\u662f\u9047\u5230\u4e86\u4e0d\u5c11\u95ee\u9898\uff0c\u4e3b\u8981\u662f\u66ff\u6362\u540e\u7684\u51fd\u6570\u5982\u4f55\u8c03\u7528\u539f\u51fd\u6570\u548c\u5e73 … <\/p>\n

\u7ee7\u7eed\u9605\u8bfb\u201cInline Hook\u201d<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-31","post","type-post","status-publish","format-standard","hentry","category-c_plus_plus"],"_links":{"self":[{"href":"http:\/\/www.yarpee.cn\/index.php?rest_route=\/wp\/v2\/posts\/31"}],"collection":[{"href":"http:\/\/www.yarpee.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.yarpee.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.yarpee.cn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.yarpee.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=31"}],"version-history":[{"count":0,"href":"http:\/\/www.yarpee.cn\/index.php?rest_route=\/wp\/v2\/posts\/31\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.yarpee.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=31"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.yarpee.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=31"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.yarpee.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=31"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}