APIHook

1. //////////////////////////////////////////////////////////////
2. // APIHook.cpp文件
4. #include "APIHook.h"
5. #include "Tlhelp32.h"
7. #include <imagehlp.h>   // 为了调用ImageDirectoryEntryToData函数
8. #pragma comment(lib, "ImageHlp")
11. // CAPIHook对象链表的头指针
12. CAPIHook* CAPIHook::sm_pHeader = NULL;  
14. CAPIHook::CAPIHook(LPSTR pszModName, LPSTR pszFuncName, PROC pfnHook, BOOL bExcludeAPIHookMod)  
15. {  
16. // 保存这个Hook函数的信息
17.     m_bExcludeAPIHookMod = bExcludeAPIHookMod;  
18.     m_pszModName = pszModName;  
19.     m_pszFuncName = pszFuncName;  
20.     m_pfnHook = pfnHook;  
21.     m_pfnOrig = ::GetProcAddress(::GetModuleHandle(pszModName), pszFuncName);  
23. // 将此对象添加到链表中
24.     m_pNext = sm_pHeader;  
25.     sm_pHeader = this;  
27. // 在所有当前已加载的模块中HOOK这个函数
28.     ReplaceIATEntryInAllMods(m_pszModName, m_pfnOrig, m_pfnHook, bExcludeAPIHookMod);   
29. }  
31. CAPIHook::~CAPIHook()  
32. {  
33. // 取消对所有模块中函数的HOOK
34.     ReplaceIATEntryInAllMods(m_pszModName, m_pfnHook, m_pfnOrig, m_bExcludeAPIHookMod);  
36.     CAPIHook *p = sm_pHeader;  
38. // 从链表中移除此对象
39. if(p == this)  
40.     {  
41.         sm_pHeader = p-&gt;m_pNext;  
42.     }  
43. else
44.     {  
45. while(p != NULL)  
46.         {  
47. if(p-&gt;m_pNext == this)  
48.             {  
49.                 p-&gt;m_pNext = this-&gt;m_pNext;  
50. break;  
51.             }  
52.             p = p-&gt;m_pNext;  
53.         }  
54.     }  
56. }  
58. void CAPIHook::ReplaceIATEntryInOneMod(LPSTR pszExportMod,   
59.                    PROC pfnCurrent, PROC pfnNew, HMODULE hModCaller)  
60. {  
61. // 取得模块的导入表（import descriptor）首地址。ImageDirectoryEntryToData函数可以直接返回导入表地址
62. ULONG ulSize;  
63.     PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)  
64.                 ::ImageDirectoryEntryToData(hModCaller, TRUE,   
65.                     IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize);  
66. if(pImportDesc == NULL) // 这个模块没有导入节表
67.     {  
68. return;  
69.     }  
71. // 查找包含pszExportMod模块中函数导入信息的导入表项
72. while(pImportDesc-&gt;Name != 0)  
73.     {  
74. LPSTR pszMod = (LPSTR)((DWORD)hModCaller + pImportDesc-&gt;Name);  
75. if(lstrcmpiA(pszMod, pszExportMod) == 0) // 找到
76. break;  
78.         pImportDesc++;  
79.     }  
80. if(pImportDesc-&gt;Name == 0) // hModCaller模块没有从pszExportMod模块导入任何函数
81.     {  
82. return;  
83.     }  
85. // 取得调用者的导入地址表（import address table, IAT）
86.     PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)(pImportDesc-&gt;FirstThunk + (DWORD)hModCaller);  
88. // 查找我们要HOOK的函数，将它的地址用新函数的地址替换掉
89. while(pThunk-&gt;u1.Function)  
90.     {  
91. // lpAddr指向的内存保存了函数的地址
92.         PDWORD lpAddr = (PDWORD)&(pThunk-&gt;u1.Function);  
93. if(*lpAddr == (DWORD)pfnCurrent)  
94.         {  
95. // 修改页的保护属性
96. DWORD dwOldProtect;  
97.             MEMORY_BASIC_INFORMATION mbi;  
98.             ::VirtualQuery(lpAddr, &mbi, sizeof(mbi));  
99.             ::VirtualProtect(lpAddr, sizeof(DWORD), PAGE_READWRITE, &dwOldProtect);  
101. // 修改内存地址  相当于“*lpAddr = (DWORD)pfnNew;”
102.             ::WriteProcessMemory(::GetCurrentProcess(),   
103.                         lpAddr, &pfnNew, sizeof(DWORD), NULL);  
105.             ::VirtualProtect(lpAddr, sizeof(DWORD), dwOldProtect, 0);  
106. break;  
107.         }  
108.         pThunk++;  
109.     }  
110. }  
112. void CAPIHook::ReplaceIATEntryInAllMods(LPSTR pszExportMod,   
113.                     PROC pfnCurrent, PROC pfnNew, BOOL bExcludeAPIHookMod)  
114. {  
115. // 取得当前模块的句柄
116. HMODULE hModThis = NULL;  
117. if(bExcludeAPIHookMod)  
118.     {  
119.         MEMORY_BASIC_INFORMATION mbi;  
120. if(::VirtualQuery(ReplaceIATEntryInAllMods, &mbi, sizeof(mbi)) != 0)  
121.             hModThis = (HMODULE)mbi.AllocationBase;  
122.     }  
124. // 取得本进程的模块列表
125. HANDLE hSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ::GetCurrentProcessId());  
127. // 遍历所有模块，分别对它们调用ReplaceIATEntryInOneMod函数，修改导入地址表
128.     MODULEENTRY32 me = { sizeof(MODULEENTRY32) };  
129. BOOL bOK = ::Module32First(hSnap, &me);  
130. while(bOK)  
131.     {  
132. // 注意：我们不HOOK当前模块的函数
133. if(me.hModule != hModThis)  
134.             ReplaceIATEntryInOneMod(pszExportMod, pfnCurrent, pfnNew, me.hModule);  
136.         bOK = ::Module32Next(hSnap, &me);  
137.     }  
138.     ::CloseHandle(hSnap);  
139. }  
142. // 挂钩LoadLibrary和GetProcAddress函数，以便在这些函数被调用以后，挂钩的函数也能够被正确的处理
144. CAPIHook CAPIHook::sm_LoadLibraryA("Kernel32.dll", "LoadLibraryA",     
145.                     (PROC)CAPIHook::LoadLibraryA, TRUE);  
147. CAPIHook CAPIHook::sm_LoadLibraryW("Kernel32.dll", "LoadLibraryW",     
148.                     (PROC)CAPIHook::LoadLibraryW, TRUE);  
150. CAPIHook CAPIHook::sm_LoadLibraryExA("Kernel32.dll", "LoadLibraryExA",   
151.                     (PROC)CAPIHook::LoadLibraryExA, TRUE);  
153. CAPIHook CAPIHook::sm_LoadLibraryExW("Kernel32.dll", "LoadLibraryExW",   
154.                     (PROC)CAPIHook::LoadLibraryExW, TRUE);  
156. CAPIHook CAPIHook::sm_GetProcAddress("Kernel32.dll", "GetProcAddress",   
157.                     (PROC)CAPIHook::GetProcAddress, TRUE);  
161. void WINAPI CAPIHook::HookNewlyLoadedModule(HMODULE hModule, DWORD dwFlags)  
162. {  
163. // 如果一个新的模块被加载，挂钩各CAPIHook对象要求的API函数
164. if((hModule != NULL) && ((dwFlags&LOAD_LIBRARY_AS_DATAFILE) == 0))  
165.     {  
166.         CAPIHook *p = sm_pHeader;  
167. while(p != NULL)  
168.         {  
169.             ReplaceIATEntryInOneMod(p-&gt;m_pszModName, p-&gt;m_pfnOrig, p-&gt;m_pfnHook, hModule);  
170.             p = p-&gt;m_pNext;  
171.         }  
172.     }  
173. }  
176. HMODULE WINAPI CAPIHook::LoadLibraryA(PCSTR pszModulePath)   
177. {  
178. HMODULE hModule = ::LoadLibraryA(pszModulePath);  
179.     HookNewlyLoadedModule(hModule, 0);  
180. return(hModule);  
181. }  
183. HMODULE WINAPI CAPIHook::LoadLibraryW(PCWSTR pszModulePath)   
184. {  
185. HMODULE hModule = ::LoadLibraryW(pszModulePath);  
186.     HookNewlyLoadedModule(hModule, 0);  
187. return(hModule);  
188. }  
190. HMODULE WINAPI CAPIHook::LoadLibraryExA(PCSTR pszModulePath, HANDLE hFile, DWORD dwFlags)   
191. {  
192. HMODULE hModule = ::LoadLibraryExA(pszModulePath, hFile, dwFlags);  
193.     HookNewlyLoadedModule(hModule, dwFlags);  
194. return(hModule);  
195. }  
197. HMODULE WINAPI CAPIHook::LoadLibraryExW(PCWSTR pszModulePath, HANDLE hFile, DWORD dwFlags)   
198. {  
199. HMODULE hModule = ::LoadLibraryExW(pszModulePath, hFile, dwFlags);  
200.     HookNewlyLoadedModule(hModule, dwFlags);  
201. return(hModule);  
202. }  
204. FARPROC WINAPI CAPIHook::GetProcAddress(HMODULE hModule, PCSTR pszProcName)  
205. {  
206. // 得到这个函数的真实地址
207.     FARPROC pfn = ::GetProcAddress(hModule, pszProcName);  
209. // 看它是不是我们要hook的函数
210.     CAPIHook *p = sm_pHeader;  
211. while(p != NULL)  
212.     {  
213. if(p-&gt;m_pfnOrig == pfn)  
214.         {  
215.             pfn = p-&gt;m_pfnHook;  
216. break;  
217.         }  
219.         p = p-&gt;m_pNext;  
220.     }  
222. return pfn;  
223. }  
224. </imagehlp.h>