51hook 课程之inline hook代码

#include "main.h"

//1、找到要HOOK的函数
//2、保存要hook的函数的前5个字节
//3、计算目标函数距离jump指令的下一条指令的偏移 offset
//4、改变函数的前5个字节 改成jmp offset (即0xE9 offset)

//1、进行hook的初始工作,找到hook函数的地址并保存函数的前5个字节 计算出偏移值 保存改变后的前5个字节
//2、安装钩子
//3、卸载钩子
//4、自定义函数

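// Size of the patch written over the target: 1-byte jmp opcode + 4-byte rel32.
#define HOOK_HEAD (5)

// Address of the hooked function (user32!MessageBoxW) once InitHook has run,
// 0 until then. It is an integer, not a pointer, so initialise it with 0
// rather than NULL. Holding a code address in a DWORD only works in a
// 32-bit process.
DWORD g_unhookFun = 0;
// Original first HOOK_HEAD bytes of the target, restored by UnInstallHook.
char g_unhookHead[HOOK_HEAD] = { 0 };
// Replacement prologue (E9 rel32) that InstallHook writes over the target.
char g_hookHead[HOOK_HEAD] = { 0 };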

/*
 * Detour for user32!MessageBoxW, reached through the jmp that InstallHook
 * writes over the target's prologue. It removes the patch, forwards the
 * call to the real MessageBoxW with the text replaced by a fixed marker
 * string, re-installs the patch and returns the real function's result.
 * WINAPI and the parameter list match MessageBoxW so the calling
 * convention of the caller's frame is preserved.
 *
 * The unhook / call / rehook window is not synchronised: another thread
 * that calls MessageBoxW during that window reaches the original directly,
 * and a thread executing the prologue while it is being rewritten sees a
 * partially written instruction. This minimal sample does not address that.
 */
int WINAPI MyMessageBoxW(_In_opt_ HWND hWnd, _In_opt_ LPCWSTR lpText,
		_In_opt_ LPCWSTR lpCaption, _In_ UINT uType)
{
	(void)lpText; // the caller's text is intentionally discarded

	UnInstallHook();
	const int result = MessageBoxW(hWnd, L"51hooked laohua", lpCaption, uType);
	InstallHook();

	return result;
}

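/*
 * Resolve the hook target and precompute both 5-byte prologues.
 *
 * Stores the address of user32!MessageBoxW in g_unhookFun, copies the first
 * HOOK_HEAD bytes of that function into g_unhookHead, and builds the
 * replacement prologue (E9 rel32: a relative near jmp to MyMessageBoxW) in
 * g_hookHead. Nothing is written to the target here; InstallHook does that.
 *
 * Returns TRUE on success, FALSE if user32.dll cannot be loaded or the
 * export cannot be resolved. The original ignored a NULL GetProcAddress
 * result and would then have read from address 0. The module reference from
 * LoadLibraryA is deliberately kept: user32 must stay mapped while the patch
 * is in place.
 *
 * Notes: rel32 arithmetic in a DWORD only works in a 32-bit process (a
 * 64-bit build would truncate the pointer). Calling LoadLibrary from DllMain,
 * which is where this runs, is documented by Microsoft as unsafe under the
 * loader lock; GetModuleHandle would be the safer choice when user32 is
 * already mapped.
 */
BOOL InitHook()
{
	HMODULE hModule = LoadLibraryA("user32.dll");
	if (hModule == NULL)
	{
		return FALSE;
	}

	FARPROC target = GetProcAddress(hModule, "MessageBoxW");
	if (target == NULL)
	{
		// Without a resolved target the memcpy below would read from 0.
		return FALSE;
	}
	g_unhookFun = (DWORD)target;

	// Save the original prologue so UnInstallHook can restore it.
	memcpy(g_unhookHead, (const char*)g_unhookFun, HOOK_HEAD);

	// rel32 is relative to the address following the 5-byte jmp.
	DWORD offset = (DWORD)MyMessageBoxW - (g_unhookFun + HOOK_HEAD);

	// Patched prologue: opcode E9 followed by the little-endian rel32.
	// 0xE9 does not fit a signed char; the conversion is implementation-
	// defined but yields the intended byte on MSVC/x86.
	g_hookHead[0] = 0xE9;
	memcpy(g_hookHead + 1, &offset, sizeof(offset));

	return TRUE;
}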

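/*
 * Copy HOOK_HEAD bytes over the start of the target function.
 *
 * Makes the code page writable for the duration of the write, restores the
 * previous protection afterwards, and flushes the instruction cache so the
 * CPU does not keep executing the stale prologue. Returns FALSE without
 * writing anything if the target has not been resolved (InitHook not run or
 * failed) or if VirtualProtect fails; the original ignored both cases and
 * would have faulted on the memcpy.
 *
 * Other threads may execute the target while the bytes are being replaced;
 * this minimal sample does not suspend them, so the swap is not safe under
 * concurrent callers.
 */
static BOOL WriteHookBytes(const void *bytes)
{
	if (g_unhookFun == 0)
	{
		return FALSE;
	}

	LPVOID target = (LPVOID)g_unhookFun;
	DWORD oldProtect = 0;
	if (!VirtualProtect(target, HOOK_HEAD, PAGE_EXECUTE_READWRITE, &oldProtect))
	{
		// Writing to a non-writable code page would fault; fail instead.
		return FALSE;
	}
	memcpy(target, bytes, HOOK_HEAD);

	DWORD ignored = 0;
	VirtualProtect(target, HOOK_HEAD, oldProtect, &ignored);
	FlushInstructionCache(GetCurrentProcess(), target, HOOK_HEAD);

	return TRUE;
}

// Install the hook: overwrite the target prologue with the jmp to MyMessageBoxW
// prepared by InitHook. Returns FALSE if the patch could not be written.
BOOL InstallHook()
{
	return WriteHookBytes(g_hookHead);
}

// Remove the hook: restore the original prologue saved by InitHook.
// Returns FALSE if the restore could not be written.
BOOL UnInstallHook()
{
	return WriteHookBytes(g_unhookHead);
}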

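/*
 * DLL entry point: install the MessageBoxW hook when the DLL is mapped into a
 * process and remove it when the DLL is unloaded.
 *
 * Returns FALSE from DLL_PROCESS_ATTACH when InitHook or InstallHook fails,
 * so the loader aborts the load instead of running with a half-initialised
 * hook; the original ignored both results and would have patched address 0
 * if GetProcAddress had failed. On DLL_PROCESS_DETACH the original prologue
 * is restored only when a target was actually resolved.
 */
BOOL WINAPI	DllMain(_In_ HINSTANCE hInstance, _In_ DWORD fdwReason, _In_ LPVOID lpvReserved)
{
	(void)hInstance;

	if (fdwReason == DLL_PROCESS_ATTACH)
	{
		if (!InitHook() || !InstallHook())
		{
			// Refuse to load rather than run with an unresolved target.
			return FALSE;
		}
	}
	else if (fdwReason == DLL_PROCESS_DETACH)
	{
		// lpvReserved is non-NULL here when the whole process is terminating;
		// restoring the prologue is then unnecessary since the address space
		// is going away, so only restore on an explicit unload.
		if (lpvReserved == NULL && g_unhookFun != 0)
		{
			UnInstallHook();
		}
	}
	return TRUE;
}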
