Hook Detection

This code shows how the `CheckHooks` function checks whether the `glBegin` function in opengl32.dll has been modified: it compares the bytes currently in memory against the supplied check data to decide whether a hook is present. It is used to detect potential code injection or security vulnerabilities.

#include <windows.h>
#include <cstdlib>
#include <cstring>

// Compares the first dwSize bytes of pszModule!pszMethod with pBytesToCheck.
// Returns true when they differ (the hook signature is NOT present, or the
// module/export does not exist) and false when they match or the function
// could not be inspected.
bool CheckHooks(const char* pszModule, const char* pszMethod, BYTE* pBytesToCheck, DWORD dwSize)
{
  bool bOK = false;
  HANDLE hProcess = ::GetCurrentProcess();
  HMODULE hModule = ::GetModuleHandleA(pszModule);
  if (!hModule)
    return true; // the DLL isn't loaded, so there is nothing to hook
  LPVOID pAddress = ::GetProcAddress(hModule, pszMethod);
  if (!pAddress)
    return true; // export not found, nothing to compare against

  // make sure the page holding the intercepted function is readable for the check
  DWORD dwOldProtect;
  if (!::VirtualProtectEx(hProcess, pAddress, dwSize, PAGE_EXECUTE_READ, &dwOldProtect))
    return false;

  // read the function's first bytes to see whether someone hooked it
  BYTE* pBytesInMem = (BYTE*)malloc(dwSize);
  SIZE_T dwRead = 0; // ReadProcessMemory stores a SIZE_T here, not a DWORD
  if (pBytesInMem && ::ReadProcessMemory(hProcess, pAddress, pBytesInMem, dwSize, &dwRead))
  {
    // OK (not hooked) when the bytes in memory differ from the hook signature
    bOK = 0 != memcmp(pBytesInMem, pBytesToCheck, dwRead);

    /*
    // debug output: log the verdict and dump the compared bytes to a file
    char szAddress[_MAX_PATH];
    sprintf(szAddress, "%s::%s - at %p - %s", pszModule, pszMethod, pAddress, bOK ? "OK" : "HACK");
    AgLog(szAddress);
    HANDLE hFile = CreateFileA("c:\\temp.bin", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, 0, NULL);
    DWORD dwWritten;
    WriteFile(hFile, pBytesToCheck, (DWORD)dwRead, &dwWritten, NULL);
    CloseHandle(hFile);
    */
  }

  // restore the original page protection
  VirtualProtectEx(hProcess, pAddress, dwSize, dwOldProtect, &dwOldProtect);

  free(pBytesInMem);

  return bOK;
}
How the code is called


BYTE byHokoHack[1] = {0xE8};        // E8 = relative CALL, first byte of a call-style detour
BYTE byRegularJumpHack[1] = {0xE9}; // E9 = relative JMP, first byte of a classic inline hook
if ( !CheckHooks("opengl32.dll", "glBegin", byHokoHack, sizeof(byHokoHack))
  || !CheckHooks("opengl32.dll", "glBegin", byRegularJumpHack, sizeof(byRegularJumpHack)) )
{
  m_sDll = "opengl32.dll (patched)";
  return 11;
}
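The check above only asks whether the first byte of `glBegin` is `E8` or `E9`. The following portable example (added here; it is not code from the original post and does not call any Win32 API) shows the same signature test generalized to a few more x86/x64 detour shapes, and then the stronger check a defender usually wants: comparing the live bytes against a baseline snapshot of the function taken at startup, which catches patches whose first byte is not in any signature list. All prologue byte arrays are constructed by hand for illustration, not dumped from a real opengl32.dll.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Verdict for the first instruction(s) of a function.
enum class HookVerdict { Clean, JumpHook, CallHook, IndirectJumpHook, BaselineMismatch };

// Signature pass: what the page's CheckHooks() does with {0xE8}/{0xE9},
// extended to two more common detour shapes. Only the first instruction is decoded.
HookVerdict ClassifyPrologue(const uint8_t* p, size_t n)
{
    if (n >= 5 && p[0] == 0xE9) return HookVerdict::JumpHook;        // E9 rel32: JMP to the detour
    if (n >= 5 && p[0] == 0xE8) return HookVerdict::CallHook;        // E8 rel32: CALL into the detour
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25)
        return HookVerdict::IndirectJumpHook;                        // FF 25: JMP [mem], typical on x64
    if (n >= 2 && p[0] == 0xEB) return HookVerdict::JumpHook;        // EB rel8: short JMP (hot-patch slot in use)
    return HookVerdict::Clean;
}

// Baseline pass: Clean only if no signature matches AND the bytes equal a
// snapshot taken before any third-party code could have run.
HookVerdict CheckAgainstBaseline(const uint8_t* now, const uint8_t* baseline, size_t n)
{
    HookVerdict v = ClassifyPrologue(now, n);
    if (v != HookVerdict::Clean) return v;
    return std::memcmp(now, baseline, n) == 0 ? HookVerdict::Clean : HookVerdict::BaselineMismatch;
}

const char* VerdictName(HookVerdict v)
{
    switch (v) {
        case HookVerdict::Clean:            return "clean";
        case HookVerdict::JumpHook:         return "JMP detour";
        case HookVerdict::CallHook:         return "CALL detour";
        case HookVerdict::IndirectJumpHook: return "indirect JMP detour";
        default:                            return "bytes differ from baseline";
    }
}

// Constructed sample prologues (hand-written for this example, not real opengl32.dll bytes).
// Clean 32-bit MSVC hot-patchable prologue: mov edi,edi; push ebp; mov ebp,esp; sub esp,10h
const uint8_t kClean[8]     = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};
// The same function after a 5-byte relative JMP was written over its first instructions
const uint8_t kJmpHook[8]   = {0xE9, 0x78, 0x56, 0x34, 0x12, 0x83, 0xEC, 0x10};
// The same function after a CALL-style detour
const uint8_t kCallHook[8]  = {0xE8, 0x78, 0x56, 0x34, 0x12, 0x83, 0xEC, 0x10};
// The same function after an indirect JMP [mem] detour (6 bytes)
const uint8_t kIndHook[8]   = {0xFF, 0x25, 0x00, 0x00, 0x00, 0x00, 0xEC, 0x10};
// Hot-patch in use: mov edi,edi replaced by a short jump back into the patch slot before the function
const uint8_t kShortJmp[8]  = {0xEB, 0xF9, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};
// A patch the signature list misses: push ebp replaced by INT3 (trap-style hook)
const uint8_t kInt3Patch[8] = {0x8B, 0xFF, 0xCC, 0x8B, 0xEC, 0x83, 0xEC, 0x10};

int main()
{
    struct { const char* name; const uint8_t* bytes; } samples[] = {
        {"clean",      kClean},   {"jmp hook",   kJmpHook},  {"call hook", kCallHook},
        {"ind. jmp",   kIndHook}, {"short jmp",  kShortJmp}, {"int3 patch", kInt3Patch},
    };
    for (const auto& s : samples) {
        std::printf("%-10s signature: %-28s baseline: %s\n", s.name,
                    VerdictName(ClassifyPrologue(s.bytes, 8)),
                    VerdictName(CheckAgainstBaseline(s.bytes, kClean, 8)));
    }
    return 0;
}
```

The `int3 patch` row is the point of the second pass: the signature check reports it clean, the baseline comparison does not. In a real process the baseline would be captured with the same read the page's `CheckHooks` performs (for the current process a plain `memcpy` from the `GetProcAddress` result suffices; the `VirtualProtectEx` call is only needed if the page were unreadable), stored at startup, and re-checked periodically. A first-byte signature alone also risks false positives, since a legitimate export may begin with a `JMP` stub.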

