如何hook只知道地址的0x00******的函数

如果要hook游戏中的函数，我是不是只要把
  pfMessageBoxA = GetProcAddress( hModule, "MessageBoxA" );
改为
  pfMessageBoxA = (FARPROC)0x00******;   // 游戏中该函数的地址
就可以了？

（注：原理上可以，但有三个前提：该地址必须是函数入口，且开头 5 个字节是完整指令，否则写入 JMP 会截断一条指令；替换函数 MyMessageBoxA 的调用约定和参数必须与目标函数完全一致，否则调用返回后栈就乱了；如果游戏模块启用了 ASLR/重定位，固定地址 0x00****** 只在模块加载到默认基址时有效，更稳妥的写法是用 GetModuleHandle 取到模块基址再加上偏移(RVA)。）

 


网络上的程序如下
dll
//---------------------------------------------------------------------------

#include <windows.h>
#include <vcl.h>

#pragma argsused
HHOOK g_hHook;                 // handle of the WH_GETMESSAGE hook set by InstallHook()
HINSTANCE g_hinstDll;          // this DLL's module handle, passed to SetWindowsHookEx
FARPROC pfMessageBoxA;         // address of user32!MessageBoxA, the function being patched
int WINAPI MyMessageBoxA( HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType ); // replacement that MessageBoxA is redirected to
BYTE OldMessageBoxACode[5], NewMessageBoxACode[5]; // original first 5 bytes of MessageBoxA / the JMP that replaces them
HMODULE hModule;               // user32.dll module handle
DWORD dwIdOld, dwIdNew;        // current process id; dwIdOld is also reused as the VirtualProtectEx out-parameter
BOOL bHook = false;            // non-zero while the JMP patch is written into MessageBoxA
void HookOn();                 // write the JMP over MessageBoxA's first 5 bytes
void HookOff();                // restore MessageBoxA's original 5 bytes
BOOL init();                   // locate MessageBoxA, build the JMP, then HookOn()
extern "C"__declspec( dllexport )__stdcall BOOL UninstallHook();
LRESULT WINAPI MousHook( int nCode, WPARAM wParam, LPARAM lParam ); // declared but not defined anywhere in this listing

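// DLL entry point.  On attach it applies the MessageBoxA patch (via init()),
// on detach it removes the patch again.  Runs inside every process this DLL is
// mapped into, i.e. the installing EXE and every process the global hook
// injects it into.
//
// hinstDLL: this DLL's own module handle (the loader passes it in); recorded
//           for SetWindowsHookEx.
// Returns FALSE only when the patch could not be applied on process attach.
BOOL APIENTRY DllMain( HINSTANCE hinstDLL, DWORD ul_reason_for_call, LPVOID lpReserved )
{
  switch ( ul_reason_for_call )
  {
    case DLL_PROCESS_ATTACH:
      g_hinstDll = hinstDLL;
      if ( !init() )
      {
        // The loader lock is held here, so no UI (MessageBox) — a debugger
        // message is the safe way to report the failure.
        OutputDebugStringA( "Project2.dll: init() failed, hook not installed\n" );
        return FALSE;
      }
      break; // must not fall through into the detach handling below

    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
      break; // thread events do not affect the patch

    case DLL_PROCESS_DETACH:
      // Put MessageBoxA's original bytes back BEFORE this image is unmapped:
      // a JMP left behind would point into freed memory and the next
      // MessageBoxA call in this process would crash.
      if ( bHook ) HookOff();
      if ( g_hHook ) UninstallHook();
      break;
  }
  return TRUE;
}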

// Pass-through WH_GETMESSAGE procedure.  It inspects nothing; the hook exists
// only so that the system maps this DLL into other processes, where DllMain
// then applies the MessageBoxA patch.
LRESULT WINAPI Hook( int nCode, WPARAM wParam, LPARAM lParam )
{
  const LRESULT next = CallNextHookEx( g_hHook, nCode, wParam, lParam );
  return next;
}

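// Exported: installs the (empty) WH_GETMESSAGE hook that carries this DLL into
// other processes.  Returns TRUE on success; on failure shows "SET ERROR" and
// returns FALSE.
extern "C"__declspec( dllexport )__stdcall BOOL InstallHook()
{
  // SetWindowsHookEx needs the module that contains Hook(), i.e. this DLL.
  // Use the handle we already have, or look it up by name; LoadLibrary is the
  // last resort because it adds a reference that is never released.
  if ( g_hinstDll == NULL )
    g_hinstDll = GetModuleHandleA( "Project2.dll" );
  if ( g_hinstDll == NULL )
    g_hinstDll = LoadLibraryA( "Project2.dll" );
  if ( g_hinstDll == NULL )
  {
    MessageBoxA( NULL, "SET ERROR", "ERROR", MB_OK );
    return FALSE;
  }

  // dwThreadId == 0 makes this a system-wide hook: the DLL is mapped into
  // every process that pumps messages, and each copy's DllMain patches
  // MessageBoxA there.  Pass a specific thread id to limit the reach.
  g_hHook = SetWindowsHookEx( WH_GETMESSAGE, ( HOOKPROC )Hook, g_hinstDll, 0 );
  if ( !g_hHook )
  {
    MessageBoxA( NULL, "SET ERROR", "ERROR", MB_OK );
    return FALSE;
  }
  return TRUE;
}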

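// Exported: removes the WH_GETMESSAGE hook set by InstallHook().  This only
// stops the DLL from being injected into further processes; the 5-byte patch
// on MessageBoxA is undone by HookOff(), not here.
// Returns FALSE when no hook is installed or UnhookWindowsHookEx fails.
extern "C"__declspec( dllexport )__stdcall BOOL UninstallHook()
{
  if ( g_hHook == NULL )
    return FALSE; // nothing installed, or already removed

  const BOOL ok = UnhookWindowsHookEx( g_hHook );
  if ( ok )
    g_hHook = NULL; // never hand a stale handle to a second Uninstall/Unhook
  return ok;
}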

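// Locates MessageBoxA, saves its first 5 bytes, builds the 5-byte "JMP rel32"
// that redirects it to MyMessageBoxA, and applies the patch via HookOn().
// x86-32 only: the displacement is computed in 32 bits and a rel32 JMP cannot
// reach an arbitrary 64-bit address.
// Returns FALSE when user32.dll or MessageBoxA cannot be located.
BOOL init()
{
  // user32 is normally already mapped in a process that pumps messages, so
  // look the handle up rather than adding a LoadLibrary reference that is
  // never freed (and avoids LoadLibrary under the loader lock in DllMain).
  hModule = GetModuleHandleA( "user32.dll" );
  if ( hModule == NULL )
    hModule = LoadLibraryA( "user32.dll" );
  if ( hModule == NULL )
    return FALSE;

  pfMessageBoxA = GetProcAddress( hModule, "MessageBoxA" );
  if ( pfMessageBoxA == NULL )
    return FALSE;

  // Save the bytes the JMP will overwrite; HookOff() writes them back.
  // This assumes pfMessageBoxA is a function entry whose first 5 bytes are
  // whole instructions (true for MessageBoxA; verify for any other address).
  const BYTE * entry = ( const BYTE * )pfMessageBoxA;
  for ( int i = 0; i < 5; ++i )
    OldMessageBoxACode[i] = entry[i];

  // E9 rel32: the displacement is relative to the END of the 5-byte
  // instruction, hence the "- 5".  Stored little-endian, as the CPU expects.
  const DWORD rel = ( DWORD )&MyMessageBoxA - ( DWORD )pfMessageBoxA - 5;
  NewMessageBoxACode[0] = 0xE9;
  NewMessageBoxACode[1] = ( BYTE )( rel );
  NewMessageBoxACode[2] = ( BYTE )( rel >> 8 );
  NewMessageBoxACode[3] = ( BYTE )( rel >> 16 );
  NewMessageBoxACode[4] = ( BYTE )( rel >> 24 );

  dwIdNew = GetCurrentProcessId(); // the process being patched is ourselves
  dwIdOld = dwIdNew;
  HookOn();
  return TRUE;
}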

// Replacement that MessageBoxA is redirected to.  The original bytes are put
// back for the duration of the real call (the JMP would otherwise send us
// straight back here), then the patch is reapplied.  Between HookOff() and
// HookOn() other threads of the process reach the unpatched function.
// lpText is deliberately ignored and replaced by "Hook".
int WINAPI MyMessageBoxA( HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType )
{
  HookOff();
  const int result = MessageBoxA( hWnd, "Hook", lpCaption, uType );
  HookOn();
  return result;
}

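// Writes `code` (5 bytes) over the start of MessageBoxA in this process and
// returns TRUE when the write succeeded.  Shared by HookOn()/HookOff().
static BOOL PatchMessageBoxAPrologue( const BYTE * code )
{
  // We only ever patch ourselves; the pseudo-handle needs no CloseHandle,
  // unlike the OpenProcess handles the old code leaked on every call.
  HANDLE hProc = GetCurrentProcess();
  DWORD dwOldProtect = 0;
  DWORD dwIgnored = 0;

  // PAGE_EXECUTE_READWRITE, not PAGE_READWRITE: this is a live code page of
  // user32 that other threads may be executing while we patch it; dropping
  // execute permission would fault them.
  if ( !VirtualProtectEx( hProc, pfMessageBoxA, 5, PAGE_EXECUTE_READWRITE, & dwOldProtect ) )
    return FALSE;

  const BOOL ok = WriteProcessMemory( hProc, pfMessageBoxA, code, 5, 0 );

  VirtualProtectEx( hProc, pfMessageBoxA, 5, dwOldProtect, & dwIgnored );
  FlushInstructionCache( hProc, pfMessageBoxA, 5 );
  return ok;
}

// Redirects MessageBoxA to MyMessageBoxA by writing the prepared JMP.
// bHook is raised only when the write actually succeeded.
void HookOn()
{
  if ( PatchMessageBoxAPrologue( NewMessageBoxACode ) )
    bHook = true;
}

// Restores MessageBoxA's original first 5 bytes.
// bHook is cleared only when the write actually succeeded.
void HookOff()
{
  if ( PatchMessageBoxAPrologue( OldMessageBoxACode ) )
    bHook = false;
}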


测试程序:
//---------------------------------------------------------------------------
#include <vcl.h>
#pragma hdrstop

#include "Unit1.h"
// Imported from Project2.dll (see the DLL listing above).  InstallHook sets the
// global WH_GETMESSAGE hook, UninstallHook removes it; both return FALSE on error.
extern "C" __declspec(dllimport) __stdcall
BOOL InstallHook();
extern "C" __declspec(dllimport) __stdcall
BOOL UninstallHook();
//---------------------------------------------------------------------------
#pragma package(smart_init)
#pragma resource "*.dfm"
TForm1 *Form1; // the application's main form, created by the VCL runtime
//---------------------------------------------------------------------------
// Form constructor; nothing to initialise beyond what the VCL base does.
__fastcall TForm1::TForm1(TComponent* Owner)
        : TForm(Owner)
{
}
//---------------------------------------------------------------------------

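// Button handler: installs the message hook, triggers one MessageBoxA, then
// removes the hook again.  Errors are reported through Label1.
void __fastcall TForm1::Button1Click(TObject *Sender)
{
    const bool installed = InstallHook();
    if(!installed)
    {
        Label1->Caption = "Hook Error!";
    }

    // The body text shows as "Hook" rather than "内容".  Note that the patch
    // on MessageBoxA is applied by the DLL's DllMain when the DLL is loaded,
    // so it is in effect in this process even if InstallHook failed.
    MessageBoxA(NULL, "内容", "标题", MB_OK);

    // Only uninstall what was actually installed; UninstallHook on a hook
    // that was never set would just report a second, misleading error.
    if(installed && !UninstallHook())
    {
        Label1->Caption = "Uninstall Error!";
    }
}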

 

原文:http://bbs.gameres.com/showthread.asp?threadid=8370
