使用x86的detours库编写hook-dll

以CreateFileW为例,一般都要hook带W的api,因为windows系统底层调用的基本上都是W版本的API。

1、定义detour库需要hook的windows api

//filehookdetour.h
#include <Windows.h>
#include <detours.h>

#pragma comment(lib,"detours.lib")


// Pointer type matching the CreateFileW signature.  It is used both for the
// address of the real export and for the Detours trampoline, so the two
// globals below can be called interchangeably by MY_CreateFileW.
typedef HANDLE (WINAPI *HOOK_CreateFileW)(LPCWSTR lpFileName,
										DWORD dwDesiredAcces, 
										DWORD dwShareMode, 
										LPSECURITY_ATTRIBUTES lpSecurityAttributes,
										DWORD dwCreationDisposition, 
										DWORD dwFlagsAndAttributes,
										HANDLE hTemplateFile);

// Both globals are *defined* in this header (not just declared), so the
// header must be included from exactly one translation unit.
//
// Address of Kernel32!CreateFileW as resolved by DetourFindFunction.  This is
// the function DetourFunction patches, so calling it after InitHook re-enters
// MY_CreateFileW instead of the original code.
HOOK_CreateFileW						g_initCreateFileW = NULL;
// Trampoline returned by DetourFunction: the route back into the original
// implementation that MY_CreateFileW must use.
HOOK_CreateFileW						g_finalCreateFileW = NULL;

// Detour installed in place of Kernel32!CreateFileW.  Every CreateFileW call
// in the hooked process arrives here first; the filtering/logging logic is
// still a placeholder, after which all arguments are forwarded unchanged to
// the trampoline held in g_finalCreateFileW.
//
// NOTE(review): g_finalCreateFileW is assigned only after DetourFunction has
// returned (see InitHook), so a CreateFileW call racing with installation
// could observe NULL here — confirm installation happens before other
// threads can call the API.
HANDLE WINAPI MY_CreateFileW( LPCWSTR lpFileName,
							  DWORD dwDesiredAcces, 
							  DWORD dwShareMode, 
							  LPSECURITY_ATTRIBUTES lpSecurityAttributes,
							  DWORD dwCreationDisposition, 
							  DWORD dwFlagsAndAttributes,
							  HANDLE hTemplateFile)
{
	if (lpFileName != NULL)
	{
		// TO DO: inspect lpFileName here.  It is caller-controlled input and
		// need not be a canonical path.
	}

	// Forward through the trampoline, never through g_initCreateFileW (that
	// address now jumps straight back into this function).
	return g_finalCreateFileW(lpFileName,
							  dwDesiredAcces,
							  dwShareMode,
							  lpSecurityAttributes,
							  dwCreationDisposition,
							  dwFlagsAndAttributes,
							  hTemplateFile);
}


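// Resolve Kernel32!CreateFileW and redirect it to MY_CreateFileW.
//
// On success g_initCreateFileW holds the patched export and
// g_finalCreateFileW the Detours trampoline back to the original code.  The
// function is idempotent: calling it while the hook is already installed is
// a no-op, so the export is never patched twice.  If the export cannot be
// resolved or patched, g_finalCreateFileW stays NULL and nothing is hooked;
// because the signature returns void, callers that need to know must test
// g_finalCreateFileW afterwards.
void InitHook()
{
	if (g_finalCreateFileW != NULL)
	{
		return; // already hooked
	}

	PBYTE pbTarget = DetourFindFunction("Kernel32.dll", "CreateFileW");
	if (pbTarget == NULL)
	{
		return; // export not found; there is nothing to patch
	}
	g_initCreateFileW = (HOOK_CreateFileW)pbTarget;

	// DetourFunction patches the target and returns the trampoline (NULL on
	// failure).  The target is live as soon as this returns, which is why the
	// trampoline is published immediately afterwards.
	PBYTE pbTrampoline = DetourFunction(pbTarget, (PBYTE)MY_CreateFileW);
	if (pbTrampoline == NULL)
	{
		return; // patching failed; hook not installed
	}
	g_finalCreateFileW = (HOOK_CreateFileW)pbTrampoline;
}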

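// Remove the CreateFileW detour installed by InitHook.
//
// Safe to call when nothing is installed, and safe to call twice: the
// trampoline pointer is cleared after a successful DetourRemove so a second
// call cannot hand an already-removed trampoline back to Detours.  If
// DetourRemove fails the globals are left untouched.
void UnHook()
{
	if (g_finalCreateFileW == NULL)
	{
		return; // never installed, or already removed
	}

	if (DetourRemove((PBYTE)g_finalCreateFileW, (PBYTE)MY_CreateFileW))
	{
		g_finalCreateFileW = NULL;
		g_initCreateFileW = NULL;
	}
}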

2、定义dll导出接口

//filehook.h
// Export/import switch: the DLL build defines FILEHOOK_EXPORTS and exports
// the two functions; consumers see them as dllimport.  The same names are
// also listed with fixed ordinals in the .def file.
#ifdef FILEHOOK_EXPORTS
#define FILEHOOK_API __declspec(dllexport)
#else
#define FILEHOOK_API __declspec(dllimport)
#endif

// Installs a WH_CALLWNDPROC hook with thread id 0 (all threads on the
// desktop) using the given module instance, which must be the hook DLL
// itself.  Returns true if a hook handle exists afterwards.
FILEHOOK_API  bool InstallHook(HINSTANCE hInstance);
// Removes the hook installed by InstallHook.  Returns false if
// UnhookWindowsHookEx fails.
FILEHOOK_API  bool RemoveHook();

3、定义 .def 模块定义文件

LIBRARY FileHook
EXPORTS
InstallHook @1
RemoveHook @2

SECTIONS 
.phk READ WRITE SHARED 

编译之后的文件名为:FileHook.dll

4、定义DllMain

//filehook.cpp

#include"filehook.h"
#include"filehookdetour.h"

// Hook handle kept in the ".phk" section, which the .def file marks
// READ WRITE SHARED so that every process this DLL is mapped into sees the
// same value.  A shared writable section is writable by every such process,
// so g_Hook must be treated as untrusted data, not as a value only this
// module controls.
#pragma data_seg(".phk")
HHOOK g_Hook = NULL;// placed in the shared data section
#pragma data_seg()


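// DLL entry point.  Installing the API detour on DLL_PROCESS_ATTACH means
// the detour becomes live in every process the DLL is mapped into (the
// WH_CALLWNDPROC hook from InstallHook is what causes that mapping).
//
// On DLL_PROCESS_DETACH a non-NULL lpReserved means the process is
// terminating rather than unloading the DLL with FreeLibrary; other threads
// are already gone and the image is about to be discarded, so the detour is
// only removed for the FreeLibrary case.
BOOL APIENTRY DllMain( HANDLE hModule, 
                       DWORD  ul_reason_for_call, 
                       LPVOID lpReserved
					 )
{
	(void)hModule;

	switch (ul_reason_for_call)
	{
		case DLL_PROCESS_ATTACH:
			// NOTE(review): DetourFindFunction may load the module by name;
			// the usual loader-lock restrictions for DllMain apply here.
			InitHook();
			break;
		case DLL_PROCESS_DETACH:
			if (lpReserved == NULL)
			{
				UnHook(); // dynamic unload via FreeLibrary
			}
			break;
		case DLL_THREAD_ATTACH:
		case DLL_THREAD_DETACH:
		default:
			break;
	}
	return TRUE;
}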


// Hook procedure registered by InstallHook.  It does no work of its own: the
// WH_CALLWNDPROC hook exists only to get this DLL mapped into other
// processes, so every event is passed straight to the next hook in the chain.
LRESULT CALLBACK CallWndProc(int nCode, WPARAM wParam, LPARAM lParam)
{
	LRESULT result = CallNextHookEx(g_Hook, nCode, wParam, lParam);
	return result;
}


// Install the WH_CALLWNDPROC hook that carries this DLL into other processes.
//
// hInstance must be the hook DLL's own module handle (the value LoadLibrary
// returned to the caller).  Returns true if a hook handle exists afterwards,
// whether it was created by this call or was already present in the shared
// g_Hook; returns false only when SetWindowsHookEx fails.
bool InstallHook(HINSTANCE hInstance)
{
	// A non-NULL shared handle means the hook is already in place.
	if (g_Hook != NULL)
	{
		return true;
	}

	// Thread id 0 makes the hook system-wide: the DLL gets mapped into every
	// GUI process on the desktop, and DllMain installs the detour there.
	g_Hook = SetWindowsHookEx(WH_CALLWNDPROC, CallWndProc, hInstance, 0);
	return g_Hook != NULL;
}


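// Remove the WH_CALLWNDPROC hook installed by InstallHook.
//
// Returns true if no hook remains installed (including when none was ever
// installed).  Returns false if UnhookWindowsHookEx fails; in that case the
// handle is cleared only when GetLastError() reports 0, as in the original
// code (the original wrote to an undeclared ghPrintHook here, so that branch
// never compiled; it now clears the shared g_Hook).
//
// NOTE(review): a failed UnhookWindowsHookEx normally sets a non-zero error
// code, so confirm which condition the dwEr == 0 branch is meant to catch.
bool RemoveHook()
{
	if (g_Hook == NULL)
	{
		return true; // nothing installed
	}

	if (!UnhookWindowsHookEx(g_Hook))
	{
		DWORD dwEr = GetLastError();
		if (dwEr == 0) // treated as "handle no longer valid"
		{
			g_Hook = NULL;
		}
		return false;
	}

	g_Hook = NULL;
	return true;
}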

5、调用

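// Load FileHook.dll, keep the hook installed while the caller's actions run,
// then remove the hook and unload the DLL.
//
// Both exports are resolved by name.  If the DLL cannot be loaded, or either
// export is missing, nothing is installed and the function returns (the
// original called the unchecked pointers, used an undeclared pRemoveHook and
// had unbalanced parentheses in the GetProcAddress calls).  RemoveHook is
// always called after InstallHook so the hook procedure never outlives the
// mapped DLL.
void TestFileHook()
{
	typedef bool (*API_InstallHook)(HINSTANCE);
	typedef bool (*API_RemoveHook)();

	HINSTANCE hInstance = LoadLibrary(TEXT("FileHook.dll"));
	if (hInstance == NULL)
	{
		return;
	}

	API_InstallHook pInstallHook = (API_InstallHook)GetProcAddress(hInstance, "InstallHook");
	API_RemoveHook pRemoveHook = (API_RemoveHook)GetProcAddress(hInstance, "RemoveHook");
	if (pInstallHook != NULL && pRemoveHook != NULL)
	{
		if (pInstallHook(hInstance))
		{
			//to do your actions here...
		}
		// Unhook before FreeLibrary, otherwise the registered hook procedure
		// would point into unmapped memory.
		pRemoveHook();
	}

	FreeLibrary(hInstance);
}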




