使用x86的detours库编写hook-dll

以CreateFileW为例:一般都要hook带W后缀的API,因为Windows系统底层调用的基本上都是W版本的API。

1、定义Detours库需要hook的Windows API

//filehookdetour.h
#include <Windows.h>
#include <detours.h>

#pragma comment(lib,"detours.lib")


// Signature of kernel32!CreateFileW, used both for the address of the real
// export and for the Detours trampoline. WINAPI (stdcall on x86) has to match
// the real export; a calling-convention mismatch corrupts the stack on return.
typedef HANDLE (WINAPI *HOOK_CreateFileW)(
	LPCWSTR lpFileName,
	DWORD dwDesiredAcces,
	DWORD dwShareMode,
	LPSECURITY_ATTRIBUTES lpSecurityAttributes,
	DWORD dwCreationDisposition,
	DWORD dwFlagsAndAttributes,
	HANDLE hTemplateFile);

// Address of the real CreateFileW as returned by DetourFindFunction() in InitHook().
HOOK_CreateFileW g_initCreateFileW = NULL;
// Trampoline returned by DetourFunction(); MY_CreateFileW calls the original through it.
// NOTE(review): both are definitions, not declarations, inside a header — including
// this header from more than one translation unit would give duplicate symbols.
HOOK_CreateFileW g_finalCreateFileW = NULL;

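HANDLE WINAPI MY_CreateFileW( LPCWSTR lpFileName,
							  DWORD dwDesiredAcces, 
							  DWORD dwShareMode, 
							  LPSECURITY_ATTRIBUTES lpSecurityAttributes,
							  DWORD dwCreationDisposition, 
							  DWORD dwFlagsAndAttributes,
							  HANDLE hTemplateFile)
{
	// Replacement for CreateFileW installed by InitHook(). The signature and the
	// calling convention (WINAPI) must match the real export exactly, because the
	// system calls this function in place of CreateFileW once the detour is active.
	//
	// lpFileName is whatever the caller passed and may be NULL; treat it as
	// untrusted input. Anything in this block that itself goes through
	// CreateFileW (e.g. file-based logging) re-enters this detour.
	if (lpFileName)
	{
		//TO DO...
	}

	// Call the original through the trampoline. If the detour was never installed
	// (DetourFunction() failed) g_finalCreateFileW is NULL; fall back to the address
	// DetourFindFunction() returned, which is then still the unmodified CreateFileW.
	// Without this guard a failed InitHook() turns every call into a NULL-pointer call.
	HOOK_CreateFileW pfnOriginal = g_finalCreateFileW ? g_finalCreateFileW : g_initCreateFileW;
	if (pfnOriginal == NULL)
	{
		SetLastError(ERROR_PROC_NOT_FOUND);
		return INVALID_HANDLE_VALUE;
	}
	// Return the original's result untouched so the caller's GetLastError() is preserved.
	return pfnOriginal(lpFileName, dwDesiredAcces, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
}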


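void InitHook()
{
	// Install the CreateFileW detour for this process. Idempotent: a second
	// call must not detour an already-detoured function.
	if (g_finalCreateFileW != NULL)
	{
		return;
	}

	g_initCreateFileW = (HOOK_CreateFileW)DetourFindFunction("Kernel32.dll", "CreateFileW");
	if (g_initCreateFileW == NULL)
	{
		// Export lookup failed: leave both pointers NULL so that UnHook() is a
		// no-op and MY_CreateFileW never calls through a NULL target.
		return;
	}

	// DetourFunction() patches the target and returns the trampoline that leads
	// to the original code, or NULL when the function could not be detoured.
	g_finalCreateFileW = (HOOK_CreateFileW)DetourFunction((PBYTE)g_initCreateFileW, (PBYTE)MY_CreateFileW);
}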

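void UnHook()
{
	// Remove the CreateFileW detour. Nothing to do if InitHook() never
	// succeeded or the detour was already removed.
	if (g_finalCreateFileW == NULL)
	{
		return;
	}

	// Clear the trampoline pointer only when removal succeeded; on failure the
	// detour is still in place and MY_CreateFileW still needs the trampoline.
	// NOTE(review): this API offers no way to park threads that are currently
	// executing inside the trampoline — confirm the caller guarantees quiescence.
	if (DetourRemove((PBYTE)g_finalCreateFileW, (PBYTE)MY_CreateFileW))
	{
		g_finalCreateFileW = NULL;
	}
}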

2、定义dll导出接口

//filehook.h
// Export/import switch: the DLL project defines FILEHOOK_EXPORTS, consumers do not.
#ifdef FILEHOOK_EXPORTS
#	define FILEHOOK_API __declspec(dllexport)
#else
#	define FILEHOOK_API __declspec(dllimport)
#endif

// Install / remove the global WH_CALLWNDPROC hook (implemented in filehook.cpp).
// Both are also exported by ordinal in the .def file. HINSTANCE requires
// <Windows.h> to be included before this header, and `bool` in the signature
// limits direct linking to C++ callers.
FILEHOOK_API bool InstallHook(HINSTANCE hInstance);
FILEHOOK_API bool RemoveHook();

3、定义模块定义文件(.def文件)

LIBRARY FileHook
EXPORTS
; Exported by name and by fixed ordinal; keep the ordinals stable across builds
; since callers may import by ordinal.
InstallHook @1
RemoveHook @2

SECTIONS 
; .phk holds g_Hook (see #pragma data_seg in filehook.cpp). SHARED makes a single
; copy of the page visible to every process that loads the DLL, and WRITE lets
; any of those processes modify it.
.phk READ WRITE SHARED 

编译之后的文件名为:FileHook.dll

4、定义DllMain

//filehook.cpp

#include"filehook.h"
#include"filehookdetour.h"

// g_Hook lives in the ".phk" section, which the .def file marks READ WRITE
// SHARED: every process that loads FileHook.dll maps the same page, so the
// handle set by InstallHook() in one process is visible to CallWndProc in all
// of them. Because the page is writable by any of those processes, its value
// cannot be trusted for anything security-relevant.
// The initializer is required: MSVC only places initialized data via data_seg.
#pragma data_seg(".phk")
HHOOK g_Hook = NULL;// placed in the shared data segment
#pragma data_seg()


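BOOL APIENTRY DllMain( HANDLE hModule, 
                       DWORD  ul_reason_for_call, 
                       LPVOID lpReserved
					 )
{
    // Installs the CreateFileW detour when the DLL is mapped into a process and
    // removes it when the DLL is unloaded. DllMain runs under the loader lock,
    // so InitHook()/UnHook() must not wait on other threads or load modules.
    switch (ul_reason_for_call)
	{
		case DLL_PROCESS_ATTACH:
			// Thread attach/detach notifications are no-ops here; stop the loader
			// from sending them.
			DisableThreadLibraryCalls((HMODULE)hModule);
			InitHook();//call InitHook() here
			break;
		case DLL_THREAD_ATTACH:
		case DLL_THREAD_DETACH:
			break;
		case DLL_PROCESS_DETACH:
			// A non-NULL lpReserved means the process is terminating rather than
			// unloading the DLL; other threads are already gone, so unhooking is
			// neither needed nor safe. Only unhook on an explicit FreeLibrary.
			if (lpReserved == NULL)
			{
				UnHook();//call UnHook() here
			}
			break;
		default:
			break;
    }
    return TRUE;
}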


LRESULT CALLBACK CallWndProc(int nCode, WPARAM wParam, LPARAM lParam)
{
	// Pass-through WH_CALLWNDPROC procedure: nothing is inspected or changed,
	// every message is forwarded to the next hook in the chain. Its only job is
	// to give SetWindowsHookEx a procedure inside this DLL. g_Hook is read from
	// the shared .phk section.
	LRESULT lResult = CallNextHookEx(g_Hook, nCode, wParam, lParam);
	return lResult;
}


bool InstallHook(HINSTANCE hInstance)
{
	// Already installed — possibly by another process, since g_Hook lives in
	// the shared .phk section — so there is nothing to do.
	if (g_Hook != NULL)
	{
		return true;
	}

	// Thread id 0 makes this a global WH_CALLWNDPROC hook: the system loads this
	// DLL into every process on the desktop that receives window messages.
	// Returns false when SetWindowsHookEx fails (g_Hook stays NULL).
	g_Hook = SetWindowsHookEx(WH_CALLWNDPROC, CallWndProc, hInstance, 0);
	return g_Hook != NULL;
}


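bool RemoveHook()
{
	// Remove the global hook installed by InstallHook(). A hook that is not
	// installed (or was already removed) counts as success.
	if (g_Hook == NULL)
	{
		return true;
	}

	if (!UnhookWindowsHookEx(g_Hook))
	{
		DWORD dwEr = GetLastError();
		// Stale/invalid handle (the original check on error code 0 is kept;
		// ERROR_INVALID_HOOK_HANDLE is the documented code for that case).
		// Drop it so that a later InstallHook() can install a fresh hook.
		// Was `ghPrintHook = NULL;` before, an undeclared name that did not compile.
		if (dwEr == 0 || dwEr == ERROR_INVALID_HOOK_HANDLE)
		{
			g_Hook = NULL;
		}
		return false;
	}

	// g_Hook is in the shared section, so clearing it is visible to every
	// process that has the DLL loaded.
	g_Hook = NULL;
	return true;
}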

5、调用

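void TestFileHook()
{
	// Loads FileHook.dll, installs the hook, runs the caller's actions, then
	// removes the hook and unloads the DLL. Signatures must match the exports
	// declared in filehook.h.
	typedef bool (*API_InstallHook)(HINSTANCE);
	typedef bool (*API_RemoveHook)();

	// NOTE(review): an unqualified module name is resolved through the DLL
	// search order; a full path (or LoadLibraryEx with LOAD_LIBRARY_SEARCH_*
	// flags) avoids loading a same-named DLL from another directory.
	HINSTANCE hInstance = LoadLibrary(TEXT("FileHook.dll"));
	if (hInstance == NULL)
	{
		return;
	}

	// Both lookups are checked before use; the original dereferenced the
	// pointers even when LoadLibrary or GetProcAddress had failed.
	API_InstallHook pInstallHook = (API_InstallHook)GetProcAddress(hInstance, "InstallHook");
	API_RemoveHook pRemoveHook = (API_RemoveHook)GetProcAddress(hInstance, "RemoveHook");
	if (pInstallHook == NULL || pRemoveHook == NULL)
	{
		FreeLibrary(hInstance);
		return;
	}

	pInstallHook(hInstance);
	//to do your actions here...

	// Unhook before unloading: the hook procedure lives in this DLL.
	pRemoveHook();
	FreeLibrary(hInstance);
}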




