15,471
社区成员
发帖
与我相关
我的任务
分享CAPIHook编译出错
//APIHook.h文件
#ifndef __APIHOOK_H__
#define __APIHOOK_H__
#include <windows.h>
class CAPIHook
{
public:
CAPIHook(LPSTR pszModName, LPSTR pszFuncName,
PROC pfnHook, BOOL bExcludeAPIHookMod=TRUE);
virtual ~CAPIHook();
operator PROC() {return m_pfnOrig;}
private:
LPSTR m_pszModName; //导出要HOOK函数的模块的名字
LPSTR m_pszFuncName; //要HOOK的函数的名字
PROC m_pfnOrig; //原API函数地址
PROC m_pfnHook; //HOOK后函数的地址
BOOL m_bExcludeAPIHookMod; //是否将HOOK API的模块本身排除在外
private:
static void ReplaceIATEntryInAllMods(LPSTR pszExportMod, PROC pfnCurrent,
PROC pfnew, BOOL bExcludeAPIHookMod);
static void ReplaceIATEntryInOneMod(LPSTR pszExportMod, PROC pfnCurrent,
PROC pfnew, HMODULE hModCaller);
//下面的代码用来解决其他模块动态加载DLL的问题
private:
//这两个指针用来将所有的CAPIHook对象连在一起
static CAPIHook *sm_pHeader;
CAPIHook *m_pNext;
private:
//当一个新的DLL被加载时,调用此函数
static void WINAPI HookNewlyLoadedModule(HMODULE hModule, DWORD dwFlags);
//用来跟踪当前进程加载新的DLL
static HMODULE WINAPI LoadLibraryA(PCSTR pszModulePath);
static HMODULE WINAPI LoadLibraryW(PCWSTR pszModulePath);
static HMODULE WINAPI LoadLibraryExA(PCSTR pszModulePath, HANDLE hFile, DWORD dwFlags);
static HMODULE WINAPI LoadLibraryExW(PCWSTR pszModulePath, HANDLE hFile, DWORD dwFlags);
//如果请求已HOOK的API函数,则返回用户自定义函数的地址
static FARPROC WINAPI GetProcAddress(HMODULE hModule, PCSTR pszProcName);
private:
//自动对这些函数进行挂钩
static CAPIHook sm_LoadLibraryA;
static CAPIHook sm_LoadLibraryW;
static CAPIHook sm_LoadLibraryExA;
static CAPIHook sm_LoadLibraryExW;
static CAPIHook sm_GetProcAddress;
};
#endif
//////////////////////////////////////////////////////////////
// APIHook.cpp文件
#include "APIHook.h"
#include "Tlhelp32.h"
#include <IMAGEHLP.H> // 为了调用ImageDirectoryEntryToData函数
#pragma comment(lib, "ImageHlp")
// CAPIHook对象链表的头指针
CAPIHook* CAPIHook::sm_pHeader = NULL;
CAPIHook::CAPIHook(LPSTR pszModName, LPSTR pszFuncName, PROC pfnHook, BOOL bExcludeAPIHookMod)
{
// 保存这个Hook函数的信息
m_bExcludeAPIHookMod = bExcludeAPIHookMod;
m_pszModName = pszModName;
m_pszFuncName = pszFuncName;
m_pfnHook = pfnHook;
m_pfnOrig = ::GetProcAddress(::GetModuleHandle(pszModName), pszFuncName);
// 将此对象添加到链表中
m_pNext = sm_pHeader;
sm_pHeader = this;
// 在所有当前已加载的模块中HOOK这个函数
ReplaceIATEntryInAllMods(m_pszModName, m_pfnOrig, m_pfnHook, bExcludeAPIHookMod);
}
void CAPIHook::ReplaceIATEntryInOneMod(LPSTR pszExportMod,
PROC pfnCurrent, PROC pfnNew, HMODULE hModCaller)
{
// 取得模块的导入表(import descriptor)首地址。ImageDirectoryEntryToData函数可以直接返回导入表地址
ULONG ulSize;
PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)
::ImageDirectoryEntryToData(hModCaller, TRUE,
IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize);
if(pImportDesc == NULL) // 这个模块没有导入节表
{
return;
}
// 查找包含pszExportMod模块中函数导入信息的导入表项
while(pImportDesc->Name != 0)
{
LPSTR pszMod = (LPSTR)((DWORD)hModCaller + pImportDesc->Name);
if(lstrcmpiA(pszMod, pszExportMod) == 0) // 找到
break;
pImportDesc++;
}
if(pImportDesc->Name == 0) // hModCaller模块没有从pszExportMod模块导入任何函数
{
return;
}
// 取得调用者的导入地址表(import address table, IAT)
PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)(pImportDesc->FirstThunk + (DWORD)hModCaller);
// 查找我们要HOOK的函数,将它的地址用新函数的地址替换掉
while(pThunk->u1.Function)
{
// lpAddr指向的内存保存了函数的地址
PDWORD lpAddr = (PDWORD)&(pThunk->u1.Function);
if(*lpAddr == (DWORD)pfnCurrent)
{
// 修改页的保护属性
DWORD dwOldProtect;
MEMORY_BASIC_INFORMATION mbi;
::VirtualQuery(lpAddr, &mbi, sizeof(mbi));
::VirtualProtect(lpAddr, sizeof(DWORD), PAGE_READWRITE, &dwOldProtect);
// 修改内存地址 相当于“*lpAddr = (DWORD)pfnNew;”
::WriteProcessMemory(::GetCurrentProcess(),
lpAddr, &pfnNew, sizeof(DWORD), NULL);
::VirtualProtect(lpAddr, sizeof(DWORD), dwOldProtect, 0);
break;
}
pThunk++;
}
}
void CAPIHook::ReplaceIATEntryInAllMods(LPSTR pszExportMod,
PROC pfnCurrent, PROC pfnNew, BOOL bExcludeAPIHookMod)
{
// 取得当前模块的句柄
HMODULE hModThis = NULL;
if(bExcludeAPIHookMod)
{
MEMORY_BASIC_INFORMATION mbi;
if(::VirtualQuery(ReplaceIATEntryInAllMods, &mbi, sizeof(mbi)) != 0)
hModThis = (HMODULE)mbi.AllocationBase;
}
// 取得本进程的模块列表
HANDLE hSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ::GetCurrentProcessId());
// 遍历所有模块,分别对它们调用ReplaceIATEntryInOneMod函数,修改导入地址表
MODULEENTRY32 me = { sizeof(MODULEENTRY32) };
BOOL bOK = ::Module32First(hSnap, &me);
while(bOK)
{
// 注意:我们不HOOK当前模块的函数
if(me.hModule != hModThis)
ReplaceIATEntryInOneMod(pszExportMod, pfnCurrent, pfnNew, me.hModule);
bOK = ::Module32Next(hSnap, &me);
}
::CloseHandle(hSnap);
}
// 挂钩LoadLibrary和GetProcAddress函数,以便在这些函数被调用以后,挂钩的函数也能够被正确的处理
CAPIHook CAPIHook::sm_LoadLibraryA("Kernel32.dll", "LoadLibraryA",
(PROC)CAPIHook::LoadLibraryA, TRUE);
CAPIHook CAPIHook::sm_LoadLibraryW("Kernel32.dll", "LoadLibraryW",
(PROC)CAPIHook::LoadLibraryW, TRUE);
CAPIHook CAPIHook::sm_LoadLibraryExA("Kernel32.dll", "LoadLibraryExA",
(PROC)CAPIHook::LoadLibraryExA, TRUE);
CAPIHook CAPIHook::sm_LoadLibraryExW("Kernel32.dll", "LoadLibraryExW",
(PROC)CAPIHook::LoadLibraryExW, TRUE);
CAPIHook CAPIHook::sm_GetProcAddress("Kernel32.dll", "GetProcAddress",
(PROC)CAPIHook::GetProcAddress, TRUE);
void WINAPI CAPIHook::HookNewlyLoadedModule(HMODULE hModule, DWORD dwFlags)
{
// 如果一个新的模块被加载,挂钩各CAPIHook对象要求的API函数
if((hModule != NULL) && ((dwFlags&LOAD_LIBRARY_AS_DATAFILE) == 0))
{
CAPIHook *p = sm_pHeader;
while(p != NULL)
{
ReplaceIATEntryInOneMod(p->m_pszModName, p->m_pfnOrig, p->m_pfnHook, hModule);
p = p->m_pNext;
}
}
}
HMODULE WINAPI CAPIHook::LoadLibraryA(PCSTR pszModulePath)
{
HMODULE hModule = ::LoadLibraryA(pszModulePath);
HookNewlyLoadedModule(hModule, 0);
return(hModule);
}
HMODULE WINAPI CAPIHook::LoadLibraryW(PCWSTR pszModulePath)
{
HMODULE hModule = ::LoadLibraryW(pszModulePath);
HookNewlyLoadedModule(hModule, 0);
return(hModule);
}
HMODULE WINAPI CAPIHook::LoadLibraryExA(PCSTR pszModulePath, HANDLE hFile, DWORD dwFlags)
{
HMODULE hModule = ::LoadLibraryExA(pszModulePath, hFile, dwFlags);
HookNewlyLoadedModule(hModule, dwFlags);
return(hModule);
}
HMODULE WINAPI CAPIHook::LoadLibraryExW(PCWSTR pszModulePath, HANDLE hFile, DWORD dwFlags)
{
HMODULE hModule = ::LoadLibraryExW(pszModulePath, hFile, dwFlags);
HookNewlyLoadedModule(hModule, dwFlags);
return(hModule);
}
FARPROC WINAPI CAPIHook::GetProcAddress(HMODULE hModule, PCSTR pszProcName)
{
// 得到这个函数的真实地址
FARPROC pfn = ::GetProcAddress(hModule, pszProcName);
// 看它是不是我们要hook的函数
CAPIHook *p = sm_pHeader;
while(p != NULL)
{
if(p->m_pfnOrig == pfn)
{
pfn = p->m_pfnHook;
break;
}
p = p->m_pNext;
}
return pfn;
}
c:\program files\microsoft visual studio\vc98\include\imagehlp.h(267) : error C2061: syntax error : identifier 'LPWIN_CERTIFICATE'
c:\program files\microsoft visual studio\vc98\include\imagehlp.h(293) : error C2061: syntax error : identifier 'LPWIN_CERTIFICATE'
c:\program files\microsoft visual studio\vc98\include\imagehlp.h(302) : error C2061: syntax error : identifier 'LPWIN_CERTIFICATE'
IMAGEAPI
ImageAddCertificate(
IN HANDLE FileHandle,
IN LPWIN_CERTIFICATE Certificate,//说这里出错
OUT PDWORD Index
);
...全文
请发表友善的回复…
发表回复
野男孩 2010-08-11
- 打赏
- 举报
The WIN_CERTIFICATE structure is defined as follows:
typedef struct _WIN_CERTIFICATE {
DWORD dwLength;
WORD wRevision;
WORD wCertificateType; // WIN_CERT_TYPE_xxx
BYTE bCertificate[ANYSIZE_ARRAY];
} WIN_CERTIFICATE, *LPWIN_CERTIFICATE;
typedef struct _WIN_CERTIFICATE {
DWORD dwLength;
WORD wRevision;
WORD wCertificateType; // WIN_CERT_TYPE_xxx
BYTE bCertificate[ANYSIZE_ARRAY];
} WIN_CERTIFICATE, *LPWIN_CERTIFICATE;
schlafenhamster 2010-08-09
- 打赏
- 举报
”imagehlp.h“ 里需要'LPWIN_CERTIFICATE'的定义,找找看
Taiji02 2010-08-09
- 打赏
- 举报
没有人能帮我解决吗?
xyytuo 2010-08-07
- 打赏
- 举报
Taiji02 2010-08-07
- 打赏
- 举报
[Quote=引用 12 楼 schlafenhamster 的回复:]
“只要在以前编译通过的项目中#include "APIHook.h",提示:apihook.cpp(186) : fatal error C1010: unexpected end of file while looking for precompiled header directive”
你文件没有:
#include "stdafx.h"
所以设置中“Compiled Headers”……
[/Quote]
按你所说,编译结果如下:
Deleting intermediate files and output files for project 'test - Win32 Debug'.
--------------------Configuration: test - Win32 Debug--------------------
Compiling resources...
Compiling...
StdAfx.cpp
Compiling...
APIHook.cpp
c:\program files\microsoft visual studio\vc98\include\imagehlp.h(267) : error C2061: syntax error : identifier 'LPWIN_CERTIFICATE'
c:\program files\microsoft visual studio\vc98\include\imagehlp.h(293) : error C2061: syntax error : identifier 'LPWIN_CERTIFICATE'
c:\program files\microsoft visual studio\vc98\include\imagehlp.h(302) : error C2061: syntax error : identifier 'LPWIN_CERTIFICATE'
NetCardCtrl.cpp
test.cpp
testDlg.cpp
Generating Code...
Error executing cl.exe.
test.exe - 3 error(s), 0 warning(s)
这是为什么呢?
“只要在以前编译通过的项目中#include "APIHook.h",提示:apihook.cpp(186) : fatal error C1010: unexpected end of file while looking for precompiled header directive”
你文件没有:
#include "stdafx.h"
所以设置中“Compiled Headers”……
[/Quote]
按你所说,编译结果如下:
Deleting intermediate files and output files for project 'test - Win32 Debug'.
--------------------Configuration: test - Win32 Debug--------------------
Compiling resources...
Compiling...
StdAfx.cpp
Compiling...
APIHook.cpp
c:\program files\microsoft visual studio\vc98\include\imagehlp.h(267) : error C2061: syntax error : identifier 'LPWIN_CERTIFICATE'
c:\program files\microsoft visual studio\vc98\include\imagehlp.h(293) : error C2061: syntax error : identifier 'LPWIN_CERTIFICATE'
c:\program files\microsoft visual studio\vc98\include\imagehlp.h(302) : error C2061: syntax error : identifier 'LPWIN_CERTIFICATE'
NetCardCtrl.cpp
test.cpp
testDlg.cpp
Generating Code...
Error executing cl.exe.
test.exe - 3 error(s), 0 warning(s)
这是为什么呢?
schlafenhamster 2010-08-07
- 打赏
- 举报
“只要在以前编译通过的项目中#include "APIHook.h",提示:apihook.cpp(186) : fatal error C1010: unexpected end of file while looking for precompiled header directive”
你文件没有:
#include "stdafx.h"
所以设置中“Compiled Headers”要选“Not using。。。”
你文件没有:
#include "stdafx.h"
所以设置中“Compiled Headers”要选“Not using。。。”
Taiji02 2010-08-07
- 打赏
- 举报
[Quote=引用 8 楼 cnzdgs 的回复:]
缺少“}”。
[/Quote]
在哪个地方,没发现哦。
楼上的,问题依旧哦!
缺少“}”。
[/Quote]
在哪个地方,没发现哦。
楼上的,问题依旧哦!
cdm2179 2010-08-06
- 打赏
- 举报
//////////////////////////////////////////////////////////////
// APIHook.cpp文件
#include "APIHook.h"
#include "Tlhelp32.h"
#include <ImageHlp.h> // 为了调用ImageDirectoryEntryToData函数
#pragma comment(lib, "ImageHlp")
// CAPIHook对象链表的头指针
CAPIHook* CAPIHook::sm_pHeader = NULL;
CAPIHook::CAPIHook(LPSTR pszModName, LPSTR pszFuncName, PROC pfnHook, BOOL bExcludeAPIHookMod)
{
// 保存这个Hook函数的信息
m_bExcludeAPIHookMod = bExcludeAPIHookMod;
m_pszModName = pszModName;
m_pszFuncName = pszFuncName;
m_pfnHook = pfnHook;
m_pfnOrig = ::GetProcAddress(::GetModuleHandle(pszModName), pszFuncName);
// 将此对象添加到链表中
m_pNext = sm_pHeader;
sm_pHeader = this;
// 在所有当前已加载的模块中HOOK这个函数
ReplaceIATEntryInAllMods(m_pszModName, m_pfnOrig, m_pfnHook, bExcludeAPIHookMod);
}
CAPIHook::~CAPIHook()
{
// 取消对所有模块中函数的HOOK
ReplaceIATEntryInAllMods(m_pszModName, m_pfnHook, m_pfnOrig, m_bExcludeAPIHookMod);
CAPIHook *p = sm_pHeader;
// 从链表中移除此对象
if(p == this)
{
sm_pHeader = p->m_pNext;
}
else
{
while(p != NULL)
{
if(p->m_pNext == this)
{
p->m_pNext = this->m_pNext;
break;
}
p = p->m_pNext;
}
}
}
void CAPIHook::ReplaceIATEntryInOneMod(LPSTR pszExportMod,
PROC pfnCurrent, PROC pfnNew, HMODULE hModCaller)
{
// 取得模块的导入表(import descriptor)首地址。ImageDirectoryEntryToData函数可以直接返回导入表地址
ULONG ulSize;
PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)
::ImageDirectoryEntryToData(hModCaller, TRUE,
IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize);
if(pImportDesc == NULL) // 这个模块没有导入节表
{
return;
}
// 查找包含pszExportMod模块中函数导入信息的导入表项
while(pImportDesc->Name != 0)
{
LPSTR pszMod = (LPSTR)((DWORD)hModCaller + pImportDesc->Name);
if(lstrcmpiA(pszMod, pszExportMod) == 0) // 找到
break;
pImportDesc++;
}
if(pImportDesc->Name == 0) // hModCaller模块没有从pszExportMod模块导入任何函数
{
return;
}
// 取得调用者的导入地址表(import address table, IAT)
PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)(pImportDesc->FirstThunk + (DWORD)hModCaller);
// 查找我们要HOOK的函数,将它的地址用新函数的地址替换掉
while(pThunk->u1.Function)
{
// lpAddr指向的内存保存了函数的地址
PDWORD lpAddr = (PDWORD)&(pThunk->u1.Function);
if(*lpAddr == (DWORD)pfnCurrent)
{
// 修改页的保护属性
DWORD dwOldProtect;
MEMORY_BASIC_INFORMATION mbi;
::VirtualQuery(lpAddr, &mbi, sizeof(mbi));
::VirtualProtect(lpAddr, sizeof(DWORD), PAGE_READWRITE, &dwOldProtect);
// 修改内存地址 相当于“*lpAddr = (DWORD)pfnNew;”
::WriteProcessMemory(::GetCurrentProcess(),
lpAddr, &pfnNew, sizeof(DWORD), NULL);
::VirtualProtect(lpAddr, sizeof(DWORD), dwOldProtect, 0);
break;
}
pThunk++;
}
}
void CAPIHook::ReplaceIATEntryInAllMods(LPSTR pszExportMod,
PROC pfnCurrent, PROC pfnNew, BOOL bExcludeAPIHookMod)
{
// 取得当前模块的句柄
HMODULE hModThis = NULL;
if(bExcludeAPIHookMod)
{
MEMORY_BASIC_INFORMATION mbi;
if(::VirtualQuery(ReplaceIATEntryInAllMods, &mbi, sizeof(mbi)) != 0)
hModThis = (HMODULE)mbi.AllocationBase;
}
// 取得本进程的模块列表
HANDLE hSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ::GetCurrentProcessId());
// 遍历所有模块,分别对它们调用ReplaceIATEntryInOneMod函数,修改导入地址表
MODULEENTRY32 me = { sizeof(MODULEENTRY32) };
BOOL bOK = ::Module32First(hSnap, &me);
while(bOK)
{
// 注意:我们不HOOK当前模块的函数
if(me.hModule != hModThis)
ReplaceIATEntryInOneMod(pszExportMod, pfnCurrent, pfnNew, me.hModule);
bOK = ::Module32Next(hSnap, &me);
}
::CloseHandle(hSnap);
}
// 挂钩LoadLibrary和GetProcAddress函数,以便在这些函数被调用以后,挂钩的函数也能够被正确的处理
CAPIHook CAPIHook::sm_LoadLibraryA("Kernel32.dll", "LoadLibraryA",
(PROC)CAPIHook::LoadLibraryA, TRUE);
CAPIHook CAPIHook::sm_LoadLibraryW("Kernel32.dll", "LoadLibraryW",
(PROC)CAPIHook::LoadLibraryW, TRUE);
CAPIHook CAPIHook::sm_LoadLibraryExA("Kernel32.dll", "LoadLibraryExA",
(PROC)CAPIHook::LoadLibraryExA, TRUE);
CAPIHook CAPIHook::sm_LoadLibraryExW("Kernel32.dll", "LoadLibraryExW",
(PROC)CAPIHook::LoadLibraryExW, TRUE);
CAPIHook CAPIHook::sm_GetProcAddress("Kernel32.dll", "GetProcAddress",
(PROC)CAPIHook::GetProcAddress, TRUE);
void WINAPI CAPIHook::HookNewlyLoadedModule(HMODULE hModule, DWORD dwFlags)
{
// 如果一个新的模块被加载,挂钩各CAPIHook对象要求的API函数
if((hModule != NULL) && ((dwFlags&LOAD_LIBRARY_AS_DATAFILE) == 0))
{
CAPIHook *p = sm_pHeader;
while(p != NULL)
{
ReplaceIATEntryInOneMod(p->m_pszModName, p->m_pfnOrig, p->m_pfnHook, hModule);
p = p->m_pNext;
}
}
}
HMODULE WINAPI CAPIHook::LoadLibraryA(PCSTR pszModulePath)
{
HMODULE hModule = ::LoadLibraryA(pszModulePath);
HookNewlyLoadedModule(hModule, 0);
return(hModule);
}
HMODULE WINAPI CAPIHook::LoadLibraryW(PCWSTR pszModulePath)
{
HMODULE hModule = ::LoadLibraryW(pszModulePath);
HookNewlyLoadedModule(hModule, 0);
return(hModule);
}
HMODULE WINAPI CAPIHook::LoadLibraryExA(PCSTR pszModulePath, HANDLE hFile, DWORD dwFlags)
{
HMODULE hModule = ::LoadLibraryExA(pszModulePath, hFile, dwFlags);
HookNewlyLoadedModule(hModule, dwFlags);
return(hModule);
}
HMODULE WINAPI CAPIHook::LoadLibraryExW(PCWSTR pszModulePath, HANDLE hFile, DWORD dwFlags)
{
HMODULE hModule = ::LoadLibraryExW(pszModulePath, hFile, dwFlags);
HookNewlyLoadedModule(hModule, dwFlags);
return(hModule);
}
FARPROC WINAPI CAPIHook::GetProcAddress(HMODULE hModule, PCSTR pszProcName)
{
// 得到这个函数的真实地址
FARPROC pfn = ::GetProcAddress(hModule, pszProcName);
// 看它是不是我们要hook的函数
CAPIHook *p = sm_pHeader;
while(p != NULL)
{
if(p->m_pfnOrig == pfn)
{
pfn = p->m_pfnHook;
break;
}
p = p->m_pNext;
}
return pfn;
}
cdm2179 2010-08-06
- 打赏
- 举报
// APIHook.h文件
#ifndef __APIHOOK_H__
#define __APIHOOK_H__
#include <windows.h>
class CAPIHook
{
public:
CAPIHook(LPSTR pszModName,
LPSTR pszFuncName, PROC pfnHook, BOOL bExcludeAPIHookMod = TRUE);
virtual ~CAPIHook();
operator PROC() { return m_pfnOrig; }
// 实现
private:
LPSTR m_pszModName; // 导出要HOOK函数的模块的名字
LPSTR m_pszFuncName; // 要HOOK的函数的名字
PROC m_pfnOrig; // 原API函数地址
PROC m_pfnHook; // HOOK后函数的地址
BOOL m_bExcludeAPIHookMod; // 是否将HOOK API的模块排除在外
private:
static void ReplaceIATEntryInAllMods(LPSTR pszExportMod, PROC pfnCurrent,
PROC pfnNew, BOOL bExcludeAPIHookMod);
static void ReplaceIATEntryInOneMod(LPSTR pszExportMod,
PROC pfnCurrent, PROC pfnNew, HMODULE hModCaller);
// 下面的代码用来解决其它模块动态加载DLL的问题
private:
// 这两个指针用来将所有的CAPIHook对象连在一起
static CAPIHook *sm_pHeader;
CAPIHook *m_pNext;
private:
// 当一个新的DLL被加载时,调用此函数
static void WINAPI HookNewlyLoadedModule(HMODULE hModule, DWORD dwFlags);
// 用来跟踪当前进程加载新的DLL
static HMODULE WINAPI LoadLibraryA(PCSTR pszModulePath);
static HMODULE WINAPI LoadLibraryW(PCWSTR pszModulePath);
static HMODULE WINAPI LoadLibraryExA(PCSTR pszModulePath, HANDLE hFile, DWORD dwFlags);
static HMODULE WINAPI LoadLibraryExW(PCWSTR pszModulePath, HANDLE hFile, DWORD dwFlags);
// 如果请求已HOOK的API函数,则返回用户自定义函数的地址
static FARPROC WINAPI GetProcAddress(HMODULE hModule, PCSTR pszProcName);
private:
// 自动对这些函数进行挂钩
static CAPIHook sm_LoadLibraryA;
static CAPIHook sm_LoadLibraryW;
static CAPIHook sm_LoadLibraryExA;
static CAPIHook sm_LoadLibraryExW;
static CAPIHook sm_GetProcAddress;
};
#endif // __APIHOOK_H__
cnzdgs 2010-08-06
- 打赏
- 举报
缺少“}”。
Taiji02 2010-08-06
- 打赏
- 举报
//////////////////////////////////////////////////////////////
// APIHook.cpp文件
#include "APIHook.h"
#include "Tlhelp32.h"
#include <IMAGEHLP.H> // 为了调用ImageDirectoryEntryToData函数
#pragma comment(lib, "ImageHlp")
// CAPIHook对象链表的头指针
CAPIHook* CAPIHook::sm_pHeader = NULL;
CAPIHook::CAPIHook(LPSTR pszModName, LPSTR pszFuncName, PROC pfnHook, BOOL bExcludeAPIHookMod)
{
// 保存这个Hook函数的信息
m_bExcludeAPIHookMod = bExcludeAPIHookMod;
m_pszModName = pszModName;
m_pszFuncName = pszFuncName;
m_pfnHook = pfnHook;
m_pfnOrig = ::GetProcAddress(::GetModuleHandle(pszModName), pszFuncName);
// 将此对象添加到链表中
m_pNext = sm_pHeader;
sm_pHeader = this;
// 在所有当前已加载的模块中HOOK这个函数
ReplaceIATEntryInAllMods(m_pszModName, m_pfnOrig, m_pfnHook, bExcludeAPIHookMod);
}
void CAPIHook::ReplaceIATEntryInOneMod(LPSTR pszExportMod,
PROC pfnCurrent, PROC pfnNew, HMODULE hModCaller)
{
// 取得模块的导入表(import descriptor)首地址。ImageDirectoryEntryToData函数可以直接返回导入表地址
ULONG ulSize;
PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)
::ImageDirectoryEntryToData(hModCaller, TRUE,
IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize);
if(pImportDesc == NULL) // 这个模块没有导入节表
{
return;
}
// 查找包含pszExportMod模块中函数导入信息的导入表项
while(pImportDesc->Name != 0)
{
LPSTR pszMod = (LPSTR)((DWORD)hModCaller + pImportDesc->Name);
if(lstrcmpiA(pszMod, pszExportMod) == 0) // 找到
break;
pImportDesc++;
}
if(pImportDesc->Name == 0) // hModCaller模块没有从pszExportMod模块导入任何函数
{
return;
}
// 取得调用者的导入地址表(import address table, IAT)
PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)(pImportDesc->FirstThunk + (DWORD)hModCaller);
// 查找我们要HOOK的函数,将它的地址用新函数的地址替换掉
while(pThunk->u1.Function)
{
// lpAddr指向的内存保存了函数的地址
PDWORD lpAddr = (PDWORD)&(pThunk->u1.Function);
if(*lpAddr == (DWORD)pfnCurrent)
{
// 修改页的保护属性
DWORD dwOldProtect;
MEMORY_BASIC_INFORMATION mbi;
::VirtualQuery(lpAddr, &mbi, sizeof(mbi));
::VirtualProtect(lpAddr, sizeof(DWORD), PAGE_READWRITE, &dwOldProtect);
// 修改内存地址 相当于“*lpAddr = (DWORD)pfnNew;”
::WriteProcessMemory(::GetCurrentProcess(),
lpAddr, &pfnNew, sizeof(DWORD), NULL);
::VirtualProtect(lpAddr, sizeof(DWORD), dwOldProtect, 0);
break;
}
pThunk++;
}
}
void CAPIHook::ReplaceIATEntryInAllMods(LPSTR pszExportMod,
PROC pfnCurrent, PROC pfnNew, BOOL bExcludeAPIHookMod)
{
// 取得当前模块的句柄
HMODULE hModThis = NULL;
if(bExcludeAPIHookMod)
{
MEMORY_BASIC_INFORMATION mbi;
if(::VirtualQuery(ReplaceIATEntryInAllMods, &mbi, sizeof(mbi)) != 0)
hModThis = (HMODULE)mbi.AllocationBase;
}
// 取得本进程的模块列表
HANDLE hSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ::GetCurrentProcessId());
// 遍历所有模块,分别对它们调用ReplaceIATEntryInOneMod函数,修改导入地址表
MODULEENTRY32 me = { sizeof(MODULEENTRY32) };
BOOL bOK = ::Module32First(hSnap, &me);
while(bOK)
{
// 注意:我们不HOOK当前模块的函数
if(me.hModule != hModThis)
ReplaceIATEntryInOneMod(pszExportMod, pfnCurrent, pfnNew, me.hModule);
bOK = ::Module32Next(hSnap, &me);
}
::CloseHandle(hSnap);
}
// 挂钩LoadLibrary和GetProcAddress函数,以便在这些函数被调用以后,挂钩的函数也能够被正确的处理
CAPIHook CAPIHook::sm_LoadLibraryA("Kernel32.dll", "LoadLibraryA",
(PROC)CAPIHook::LoadLibraryA, TRUE);
CAPIHook CAPIHook::sm_LoadLibraryW("Kernel32.dll", "LoadLibraryW",
(PROC)CAPIHook::LoadLibraryW, TRUE);
CAPIHook CAPIHook::sm_LoadLibraryExA("Kernel32.dll", "LoadLibraryExA",
(PROC)CAPIHook::LoadLibraryExA, TRUE);
CAPIHook CAPIHook::sm_LoadLibraryExW("Kernel32.dll", "LoadLibraryExW",
(PROC)CAPIHook::LoadLibraryExW, TRUE);
CAPIHook CAPIHook::sm_GetProcAddress("Kernel32.dll", "GetProcAddress",
(PROC)CAPIHook::GetProcAddress, TRUE);
void WINAPI CAPIHook::HookNewlyLoadedModule(HMODULE hModule, DWORD dwFlags)
{
// 如果一个新的模块被加载,挂钩各CAPIHook对象要求的API函数
if((hModule != NULL) && ((dwFlags&LOAD_LIBRARY_AS_DATAFILE) == 0))
{
CAPIHook *p = sm_pHeader;
while(p != NULL)
{
ReplaceIATEntryInOneMod(p->m_pszModName, p->m_pfnOrig, p->m_pfnHook, hModule);
p = p->m_pNext;
}
}
}
HMODULE WINAPI CAPIHook::LoadLibraryA(PCSTR pszModulePath)
{
HMODULE hModule = ::LoadLibraryA(pszModulePath);
HookNewlyLoadedModule(hModule, 0);
return(hModule);
}
HMODULE WINAPI CAPIHook::LoadLibraryW(PCWSTR pszModulePath)
{
HMODULE hModule = ::LoadLibraryW(pszModulePath);
HookNewlyLoadedModule(hModule, 0);
return(hModule);
}
HMODULE WINAPI CAPIHook::LoadLibraryExA(PCSTR pszModulePath, HANDLE hFile, DWORD dwFlags)
{
HMODULE hModule = ::LoadLibraryExA(pszModulePath, hFile, dwFlags);
HookNewlyLoadedModule(hModule, dwFlags);
return(hModule);
}
HMODULE WINAPI CAPIHook::LoadLibraryExW(PCWSTR pszModulePath, HANDLE hFile, DWORD dwFlags)
{
HMODULE hModule = ::LoadLibraryExW(pszModulePath, hFile, dwFlags);
HookNewlyLoadedModule(hModule, dwFlags);
return(hModule);
}
FARPROC WINAPI CAPIHook::GetProcAddress(HMODULE hModule, PCSTR pszProcName)
{
// 得到这个函数的真实地址
FARPROC pfn = ::GetProcAddress(hModule, pszProcName);
// 看它是不是我们要hook的函数
CAPIHook *p = sm_pHeader;
while(p != NULL)
{
if(p->m_pfnOrig == pfn)
{
pfn = p->m_pfnHook;
break;
}
p = p->m_pNext;
}
return pfn;
}
///////////////////////////////////
//apihook.h文件
#ifndef __APIHOOK_H__
#define __APIHOOK_H__
#include <windows.h>
class CAPIHook
{
public:
CAPIHook(LPSTR pszModName, LPSTR pszFuncName,
PROC pfnHook, BOOL bExcludeAPIHookMod=TRUE);
virtual ~CAPIHook();
operator PROC() {return m_pfnOrig;}
private:
LPSTR m_pszModName; //导出要HOOK函数的模块的名字
LPSTR m_pszFuncName; //要HOOK的函数的名字
PROC m_pfnOrig; //原API函数地址
PROC m_pfnHook; //HOOK后函数的地址
BOOL m_bExcludeAPIHookMod; //是否将HOOK API的模块本身排除在外
private:
static void ReplaceIATEntryInAllMods(LPSTR pszExportMod, PROC pfnCurrent,
PROC pfnew, BOOL bExcludeAPIHookMod);
static void ReplaceIATEntryInOneMod(LPSTR pszExportMod, PROC pfnCurrent,
PROC pfnew, HMODULE hModCaller);
//下面的代码用来解决其他模块动态加载DLL的问题
private:
//这两个指针用来将所有的CAPIHook对象连在一起
static CAPIHook *sm_pHeader;
CAPIHook *m_pNext;
private:
//当一个新的DLL被加载时,调用此函数
static void WINAPI HookNewlyLoadedModule(HMODULE hModule, DWORD dwFlags);
//用来跟踪当前进程加载新的DLL
static HMODULE WINAPI LoadLibraryA(PCSTR pszModulePath);
static HMODULE WINAPI LoadLibraryW(PCWSTR pszModulePath);
static HMODULE WINAPI LoadLibraryExA(PCSTR pszModulePath, HANDLE hFile, DWORD dwFlags);
static HMODULE WINAPI LoadLibraryExW(PCWSTR pszModulePath, HANDLE hFile, DWORD dwFlags);
//如果请求已HOOK的API函数,则返回用户自定义函数的地址
static FARPROC WINAPI GetProcAddress(HMODULE hModule, PCSTR pszProcName);
private:
//自动对这些函数进行挂钩
static CAPIHook sm_LoadLibraryA;
static CAPIHook sm_LoadLibraryW;
static CAPIHook sm_LoadLibraryExA;
static CAPIHook sm_LoadLibraryExW;
static CAPIHook sm_GetProcAddress;
};
#endif
只要在以前编译通过的项目中#include "APIHook.h",提示:apihook.cpp(186) : fatal error C1010: unexpected end of file while looking for precompiled header directive
怎么搞的?
Taiji02 2010-08-06
- 打赏
- 举报
[Quote=引用 5 楼 oysoft 的回复:]
不会吧,你代码给的就不全,别人也没有办法帮你实际检查
[/Quote]
APIHook.h和APIHook.cpp都给了哦,你只要在项目中#include "APIHook.h",编译就出错。
不会吧,你代码给的就不全,别人也没有办法帮你实际检查
[/Quote]
APIHook.h和APIHook.cpp都给了哦,你只要在项目中#include "APIHook.h",编译就出错。
oysoft 2010-08-06
- 打赏
- 举报
不会吧,你代码给的就不全,别人也没有办法帮你实际检查
Taiji02 2010-08-06
- 打赏
- 举报
[Quote=引用 3 楼 oysoft 的回复:]
添加头文件或者添加那段定义代码呀
[/Quote]
没用的!不是说没定义,是说语法错误。但是这怎么可能呢?
添加头文件或者添加那段定义代码呀
[/Quote]
没用的!不是说没定义,是说语法错误。但是这怎么可能呢?
oysoft 2010-08-06
- 打赏
- 举报
添加头文件或者添加那段定义代码呀
Taiji02 2010-08-06
- 打赏
- 举报
怎么办?
oysoft 2010-08-06
- 打赏
- 举报
LPWIN_CERTIFICATE定义在WinBase.h中
typedef struct _WIN_CERTIFICATE {
DWORD dwLength;
WORD wRevision;
WORD wCertificateType; // WIN_CERT_TYPE_xxx
BYTE bCertificate[ANYSIZE_ARRAY];
} WIN_CERTIFICATE, *LPWIN_CERTIFICATE;
typedef struct _WIN_CERTIFICATE {
DWORD dwLength;
WORD wRevision;
WORD wCertificateType; // WIN_CERT_TYPE_xxx
BYTE bCertificate[ANYSIZE_ARRAY];
} WIN_CERTIFICATE, *LPWIN_CERTIFICATE;
