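#ifndef _HOOKAPI_H
#define _HOOKAPI_H

// In-process inline hook on one exported function: the first five bytes of
// the export are replaced with an x86 "JMP rel32" (opcode 0xE9) that lands in
// a caller-supplied replacement. Every read and write goes through
// GetCurrentProcess(), so only the calling process is touched.
//
// This header uses Win32 types and APIs and expects <windows.h> to have been
// included before it.
//
// Review notes:
//  - The patch is not atomic with respect to other threads. A thread that is
//    executing the first five bytes of the target while they are rewritten
//    can fault; the class takes no lock and suspends nothing.
//  - The code assumes the target's first five bytes can be overwritten and
//    later restored as a unit; nothing here inspects instruction boundaries.
//  - A patched entry point differs from the module's on-disk image, which is
//    the property integrity checks rely on to detect inline hooks.
class CHOOKAPI
{
public:
    // pOldFunEntry: entry point of the hooked export; NULL until Hook() succeeds.
    // pNewFunEntry: entry point of the replacement function.
    LPVOID pOldFunEntry, pNewFunEntry ;
    // bOldByte: the five original bytes saved from the export.
    // bNewByte: the five-byte JMP rel32 written over them.
    BYTE bOldByte[5], bNewByte[5] ;

public:
    // Starts in the "never hooked" state so ReHook()/UnHook() are harmless
    // no-ops until Hook() has succeeded.
    CHOOKAPI () : pOldFunEntry ( NULL ), pNewFunEntry ( NULL )
    {
        ZeroMemory ( bOldByte, sizeof ( bOldByte ) ) ;
        ZeroMemory ( bNewByte, sizeof ( bNewByte ) ) ;
    }

    // Does not remove an installed hook; call UnHook() explicitly.
    ~CHOOKAPI () {}

    // Installs the hook.
    //   szModuleName  name of a module that is already loaded in this process
    //   szFunName     exported function to patch
    //   pFun          replacement; must have the same signature and calling
    //                 convention as the export
    // On any failure (module not loaded, export missing, replacement out of
    // rel32 range, memory not readable or not patchable) nothing is written
    // and the members keep their previous values; on a fresh object
    // pOldFunEntry therefore stays NULL, which is how callers can tell.
    void Hook ( PCSTR szModuleName, PCSTR szFunName, FARPROC pFun )
    {
        if ( szModuleName == NULL || szFunName == NULL || pFun == NULL )
            return ;

        HMODULE hMod = ::GetModuleHandleA ( szModuleName ) ;
        if ( hMod == NULL )
            return ;

        FARPROC pTarget = ::GetProcAddress ( hMod, szFunName ) ;
        if ( pTarget == NULL )
            return ;

        // rel32 is measured from the end of the 5-byte JMP. The subtraction is
        // done at pointer width so that a 64-bit build cannot silently
        // truncate; a distance that does not fit in 32 bits is rejected.
        const ULONG_PTR uDelta = (ULONG_PTR)pFun - (ULONG_PTR)pTarget - sizeof ( bNewByte ) ;
        const LONG lRel32 = (LONG)uDelta ;
        if ( (ULONG_PTR)(LONG_PTR)lRel32 != uDelta )
            return ;

        // Save the original bytes before touching anything.
        BYTE bSaved[5] ;
        SIZE_T nRead = 0 ;
        if ( !::ReadProcessMemory ( ::GetCurrentProcess (), (LPCVOID)pTarget,
                                    bSaved, sizeof ( bSaved ), &nRead )
             || nRead != sizeof ( bSaved ) )
            return ;

        BYTE bJmp[5] ;
        bJmp[0] = 0xE9 ;
        CopyMemory ( &bJmp[1], &lRel32, sizeof ( lRel32 ) ) ;

        if ( !WritePatch ( (LPVOID)pTarget, bJmp ) )
            return ;

        // Commit only after the patch is in place, so a failed attempt never
        // leaves ReHook()/UnHook() with a half-initialised record.
        CopyMemory ( bOldByte, bSaved, sizeof ( bOldByte ) ) ;
        CopyMemory ( bNewByte, bJmp, sizeof ( bNewByte ) ) ;
        pNewFunEntry = (LPVOID)pFun ;
        pOldFunEntry = (LPVOID)pTarget ;
    }

    // Writes the JMP again after an UnHook(). No-op if Hook() never succeeded.
    void ReHook ()
    {
        if ( pOldFunEntry != NULL )
            WritePatch ( pOldFunEntry, bNewByte ) ;
    }

    // Restores the saved original bytes. No-op if Hook() never succeeded.
    void UnHook ()
    {
        if ( pOldFunEntry != NULL )
            WritePatch ( pOldFunEntry, bOldByte ) ;
    }

private:
    // Copies five bytes over pSite and returns TRUE when all of them were
    // written.
    static BOOL WritePatch ( LPVOID pSite, const BYTE * pBytes )
    {
        // Keep the page executable while it is writable: PAGE_READWRITE would
        // strip execute permission from code that other threads may be
        // running. Under a policy that forbids changing code pages this call
        // is expected to fail, and the patch is then skipped.
        DWORD dwOldProtect = 0 ;
        if ( !::VirtualProtect ( pSite, 5, PAGE_EXECUTE_READWRITE, &dwOldProtect ) )
            return FALSE ;

        SIZE_T nWritten = 0 ;
        const BOOL bOk = ::WriteProcessMemory ( ::GetCurrentProcess (), pSite,
                                                pBytes, 5, &nWritten )
                         && nWritten == 5 ;

        // VirtualProtect fails when its last argument is NULL, so the restore
        // needs a real variable even though the value is not used.
        DWORD dwIgnored = 0 ;
        ::VirtualProtect ( pSite, 5, dwOldProtect, &dwIgnored ) ;

        if ( bOk )
            ::FlushInstructionCache ( ::GetCurrentProcess (), pSite, 5 ) ;

        return bOk ;
    }
} ;

#endif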
#include <windows.h>
#include "HookApi.h"

// The one hook record used by both the replacement function and WinMain.
CHOOKAPI HookItem ;

// Pointer type matching MessageBoxA, used to call the original entry point.
typedef int (WINAPI* PFNMessageBoxA)( HWND, LPCSTR, LPCSTR, UINT ) ;

// Replacement that runs in place of MessageBoxA while the hook is installed.
// It can observe or change the arguments and the return value of the original
// call, or return without calling it at all. In this demo the caller's text
// and caption are dropped and fixed strings are shown instead.
//
// The original is reached by removing the patch, calling through the saved
// entry point and patching again. Between UnHook() and ReHook() the export is
// unpatched for every thread, and no lock is taken, so the sequence is only
// suitable for a single-threaded demo like this one.
int WINAPI NEW_MessageBoxA( HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType )
{
    // Entry point of the original function, as recorded by Hook().
    PFNMessageBoxA const pfnOriginal =
        reinterpret_cast<PFNMessageBoxA>( HookItem.pOldFunEntry ) ;

    // Remove the patch so the call below reaches the original code.
    HookItem.UnHook () ;

    // Arguments could be inspected or modified here, or the call skipped.
    const int nResult = pfnOriginal ( hWnd, "这是HOOK函数过程的消息框", "[测试]", uType ) ;
    // The return value could be inspected or modified here.

    // Patch the entry point again for later calls.
    HookItem.ReHook () ;

    return nResult ;
}

// Demo: show a message box, install the hook, show the same box again (now
// routed through NEW_MessageBoxA), then remove the hook.
int WINAPI WinMain ( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow )
{
    // Unhooked call.
    MessageBoxA ( NULL, "正常消息框", "测试", MB_OK ) ;

    // Install the hook on USER32!MessageBoxA.
    HookItem.Hook ( "USER32.dll", "MessageBoxA", reinterpret_cast<FARPROC>( NEW_MessageBoxA ) ) ;

    // Same call as above; with the hook in place it enters NEW_MessageBoxA.
    MessageBoxA ( NULL, "正常消息框", "测试", MB_OK ) ;

    // Restore the original bytes before exiting.
    HookItem.UnHook () ;

    return 0 ;
}