c#使用easyhook库进行API钩取

最新推荐文章于 2025-04-22 14:22:21 发布

weixin_30316097

最新推荐文章于 2025-04-22 14:22:21 发布

阅读量596

点赞数

原文链接：http://www.cnblogs.com/ghostr/p/5513199.html

版权

本文介绍了一种通过注入DLL到Calc程序中，篡改其输出结果的方法。具体实现了当Calc程序运行时，自动将输入数字加一的功能。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

目标：使calc程序输入的数自动加1

　（当别人使用时，总会得不到正确的结果，哈哈）

编写注入程序

—————————————————————————————————
class Program中的方法，注入dll到目标进程
——————————————————————-——————————
static String ChannelName = null;

        static void Main(string[] args)
        {
            Int32.TryParse(args[0], out TargetPID) ;
            RemoteHooking.IpcCreateServer<FileMonInterface>(ref ChannelName, WellKnownObjectMode.SingleCall);
            string injectionLibrary = Path.Combine(Path.GetDirectoryName(System.Reflection.Assembly.GetExecutingAssembly().Location), "Inject.dll");
            RemoteHooking.Inject(
                        TargetPID,
                        injectionLibrary,
                        injectionLibrary,
                        ChannelName);
            Console.WriteLine("Injected to process {0}", TargetPID);
            Console.WriteLine("<Press any key to exit>");
            Console.ReadKey();
            }
__________________________________________________
MarshalByRefObject的实现，供dll进行调用，判断是否正常
__________________________________________________
 public class FileMonInterface : MarshalByRefObject
    {
        public void IsInstalled(Int32 InClientPID)
        {
            Console.WriteLine("FileMon has been installed in target {0}.\r\n", InClientPID);
        }
    }

编写注入使用的dll程序

—————————————————————————————————
注入成功后，调用Run方法，钩取SetWindowTextW  API，修改为DSetWindowText的委托
—————————————————————————————————
 public void Run(
            RemoteHooking.IContext InContext,
            String InChannelName)
        {
            // install hook...
                Hook = LocalHook.Create(
                    LocalHook.GetProcAddress("user32.dll", "SetWindowTextW"),
                    new DSetWindowText(SetWindowText_Hooked),
                    this);

                Hook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
         Interface.IsInstalled(RemoteHooking.GetCurrentProcessId());
            RemoteHooking.WakeUpProcess();while (true)
                {
                    Thread.Sleep(500);
                }
        }

—————————————————————————————————
委托
—————————————————————————————————
        [UnmanagedFunctionPointer(CallingConvention.StdCall,
            CharSet = CharSet.Ansi,
            SetLastError = true)]
        delegate bool DSetWindowText(
         IntPtr hWnd, //对于句柄采用IntPtr类型
         string text
     );
—————————————————————————————————
API
—————————————————————————————————
        [DllImport("user32.dll", 
        CharSet = CharSet.Ansi,
        SetLastError = true,
        CallingConvention = CallingConvention.StdCall)]
        static extern bool SetWindowText(
         IntPtr hWnd,    string text
         );
—————————————————————————————————
 傀儡API
—————————————————————————————————
    static bool SetWindowText_Hooked(
            IntPtr hWnd,
             string text)
        {
            text = (int.Parse(text.Remove(text.Length-2))+1).ToString();//修改要显示的数据
            return SetWindowText( hWnd, text);//调用API
        }