HOOK ExitWindowsEx函数并修改代码
===============hookdll.dll===========================
; hookdll.dll — MASM32, 32-bit x86, flat model, stdcall.
; What this DLL does (see InstallHook / DllEntry / MyAPI below): InstallHook
; sets a system-wide WH_GETMESSAGE hook whose module is this DLL, so the
; loader maps hookdll into every GUI process; in each of them DllEntry
; overwrites the first bytes of user32!ExitWindowsEx with "mov eax,MyAPI /
; jmp eax".  The patched bytes differ from the on-disk image, which is how
; integrity checks and EDR tooling recognise this class of inline API hook.
.486
.model flat,stdcall
option casemap:none                ; identifiers are case-sensitive
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
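; Patch template written over the first bytes of the hooked export.
; The fields are filled in by DllEntry:
;   a   = B8h        mov eax, imm32
;   api = imm32      address of MyAPI in the current process
;   d,e = FFh E0h    jmp eax
; The alignment argument (1) makes the byte packing explicit: the original
; relied on MASM's default of 1, and any padding between a and api would
; corrupt the encoded instruction stream.  The name "SEH" is historical;
; the structure has nothing to do with structured exception handling.
SEH struct 1
a   BYTE  ?
api DWORD ?
d   BYTE  ?
e   BYTE  ?
SEH ends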
; Forward declarations (stdcall per .model); the bodies follow in .code.
WriteApi proto :DWORD ,:DWORD,:DWORD,:DWORD   ; (hProcess, pApi, pBytes, cbBytes) -> BOOL
MyAPI proto :DWORD ,:DWORD                    ; replacement for ExitWindowsEx(uFlags, dwReason)
GetApi proto :DWORD,:DWORD                    ; (pDllName, pApiName) -> export address or 0
.data
hInstance   DWORD   0                     ; this DLL's module handle, set in DllEntry
WProcess    DWORD   0                     ; pseudo-handle from GetCurrentProcess
hacker      SEH     <>                    ; the patch bytes written over ExitWindowsEx
CommandLine LPSTR   ?                     ; command line of the process this copy lives in
Papi1       DWORD   ?                     ; resolved address of ExitWindowsEx
Myapi1      DWORD   ?                     ; not referenced in this file
ApiBak1     BYTE    10 dup(?)             ; backup of the first 8 original bytes
DllName1    BYTE    "user32.dll",0
ApiName1    BYTE    "ExitWindowsEx",0
mdb         BYTE    "下面的程序想关闭计算机,要保持阻止吗?",0   ; MessageBox caption
.data?
hHook       DWORD   ?                     ; hook handle; lives in .bss, which the linker note says to mark shared
hWnd        DWORD   ?                     ; not referenced in this file
.code
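;-----------------------------------------------------------------------
; BOOL WINAPI DllEntry(HINSTANCE hInst, DWORD reason, LPVOID reserved1)
; DLL entry point; runs in every process the hook DLL is mapped into.
; DLL_PROCESS_ATTACH: record the module handle and command line, build
;   the patch (mov eax,MyAPI / jmp eax), back up the first 8 bytes of
;   ExitWindowsEx and overwrite them with the patch.
; DLL_PROCESS_DETACH: write the backup back.
; Returns TRUE in eax in every case (the DLL never refuses to load).
; Fixes vs. the original: the attach branch was closed with "endif"
; (conditional-assembly directive) instead of ".endif", and a zero
; address from GetApi / a failed backup read was still patched.
;-----------------------------------------------------------------------
DllEntry proc hInst:HINSTANCE, reason:DWORD, reserved1:DWORD
    .if reason == DLL_PROCESS_ATTACH
        push    hInst
        pop     hInstance
        invoke  GetCommandLine
        mov     CommandLine, eax            ; shown later by MyAPI's MessageBox
        ; Patch template: B8 imm32 = mov eax,imm32 ; FF E0 = jmp eax
        mov     hacker.a, 0B8h
        mov     hacker.d, 0FFh
        mov     hacker.e, 0E0h
        invoke  GetCurrentProcess           ; pseudo-handle, valid only in this process
        mov     WProcess, eax
        invoke  GetApi, addr DllName1, addr ApiName1
        mov     Papi1, eax
        ; Patch only when the export resolved and the backup was read;
        ; otherwise Papi1 stays 0 and the detach path leaves memory alone.
        .if eax != NULL
            invoke  ReadProcessMemory, WProcess, Papi1, addr ApiBak1, 8, NULL
            .if eax != 0
                mov     hacker.api, offset MyAPI   ; MyAPI's address in this process
                invoke  WriteApi, WProcess, Papi1, addr hacker, sizeof SEH
            .else
                mov     Papi1, 0            ; no valid backup: do not touch the API
            .endif
        .endif
    .elseif reason == DLL_PROCESS_DETACH
        .if Papi1 != NULL
            invoke  WriteApi, WProcess, Papi1, addr ApiBak1, 8   ; restore original bytes
        .endif
    .endif
    mov     eax, TRUE
    ret
DllEntry endp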
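;-----------------------------------------------------------------------
; LRESULT CALLBACK GetMsgProc(int nCode, WPARAM wParam, LPARAM lParam)
; WH_GETMESSAGE hook procedure.  It does no message processing of its
; own; the hook exists only so that SetWindowsHookEx maps this DLL into
; every GUI process, where DllEntry applies the patch.
; Returns the CallNextHookEx result, as the hook contract requires for
; nCode < 0 (the original replaced it with a fixed TRUE).
;-----------------------------------------------------------------------
GetMsgProc proc nCode:DWORD, wParam:DWORD, lParam:DWORD
    invoke  CallNextHookEx, hHook, nCode, wParam, lParam
    ret                                     ; eax = CallNextHookEx result
GetMsgProc endp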
;-----------------------------------------------------------------------
; HHOOK InstallHook(void)            exported via hookdll.def
; Installs a WH_GETMESSAGE hook for all threads (thread id NULL) with
; this DLL as the hook module, which makes the loader map hookdll into
; every GUI process.  Stores the handle in hHook and leaves it in eax
; (NULL when SetWindowsHookEx fails).
;-----------------------------------------------------------------------
InstallHook proc
    invoke  SetWindowsHookEx, WH_GETMESSAGE, addr GetMsgProc, hInstance, NULL
    push    eax
    pop     hHook
    ret                                     ; eax still holds the handle
InstallHook endp
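;-----------------------------------------------------------------------
; BOOL UninstallHook(void)           exported via hookdll.def
; Removes the WH_GETMESSAGE hook and restores ExitWindowsEx in the
; calling process.  Other processes restore their own copy when the DLL
; is unmapped from them (DLL_PROCESS_DETACH in DllEntry).
; Returns the UnhookWindowsHookEx result in eax (the original returned
; the WriteApi result, so an unhook failure was invisible).
; The restore is skipped when Papi1 is 0 (API never resolved/patched).
;-----------------------------------------------------------------------
UninstallHook proc
    LOCAL   unhooked:DWORD
    invoke  UnhookWindowsHookEx, hHook
    mov     unhooked, eax
    .if Papi1 != NULL
        invoke  WriteApi, WProcess, Papi1, addr ApiBak1, 8
    .endif
    mov     eax, unhooked
    ret
UninstallHook endp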
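;-----------------------------------------------------------------------
; FARPROC GetApi(LPCSTR DllNameAddress, LPCSTR ApiNameAddress)
; Resolves an export: GetModuleHandle first, LoadLibrary only when the
; module is not already mapped.
; Returns the export address in eax, or 0 when the module cannot be
; obtained or the export is missing (the original passed a NULL module
; handle from a failed LoadLibrary on to GetProcAddress, and carried a
; no-op "mov eax,eax").
; NOTE(review): DllEntry calls this from DllMain, and LoadLibrary under
; the loader lock is documented as unsafe.  For this DLL's own use the
; module is user32.dll, which is presumably already mapped in any
; process a WH_GETMESSAGE hook is delivered to, so GetModuleHandle is
; expected to succeed and the fall-back not to run.
;-----------------------------------------------------------------------
GetApi proc DllNameAddress:DWORD, ApiNameAddress:DWORD
    invoke  GetModuleHandle, DllNameAddress
    .if eax == NULL
        invoke  LoadLibrary, DllNameAddress
        .if eax == NULL
            ret                             ; eax = 0: module unavailable
        .endif
    .endif
    invoke  GetProcAddress, eax, ApiNameAddress
    ret                                     ; eax = export address or 0
GetApi endp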
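;-----------------------------------------------------------------------
; BOOL WriteApi(HANDLE Process, LPVOID Papi, LPCVOID Ptype, DWORD Psize)
; Copies Psize bytes from Ptype over the code at Papi in Process, making
; the affected page(s) writable for the duration of the write and
; putting the previous protection back afterwards.
; Returns the WriteProcessMemory result in eax (non-zero on success), or
; 0 when the protection change fails (nothing is written then).
; Changes vs. the original: the protection change now covers exactly
; [Papi, Papi+Psize) instead of 8 bytes at the region base reported by
; VirtualQueryEx — that base need not be the page holding Papi — and
; the old protection returned by the first VirtualProtectEx is restored
; instead of a hard-coded PAGE_EXECUTE_READ.
;-----------------------------------------------------------------------
WriteApi proc Process:DWORD, Papi:DWORD, Ptype:DWORD, Psize:DWORD
    LOCAL   oldProtect:DWORD
    LOCAL   scratch:DWORD
    LOCAL   written:DWORD

    ; VirtualProtectEx rounds the range out to page boundaries, so a
    ; patch that straddles two pages is covered as well.
    invoke  VirtualProtectEx, Process, Papi, Psize, PAGE_EXECUTE_READWRITE, addr oldProtect
    .if eax == 0
        ret                                 ; eax = 0: could not make the code writable
    .endif

    invoke  WriteProcessMemory, Process, Papi, Ptype, Psize, NULL
    mov     written, eax

    ; Put back whatever protection the page had before the write.
    invoke  VirtualProtectEx, Process, Papi, Psize, oldProtect, addr scratch

    mov     eax, written
    ret
WriteApi endp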
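;-----------------------------------------------------------------------
; BOOL WINAPI MyAPI(UINT bs, DWORD dwReserved)
; Replacement entry for ExitWindowsEx.  The parameter list must match
; the hooked export exactly (stdcall, two DWORDs): the patch jumps here
; with the caller's frame untouched, and this ret cleans it up.
; Shows a Yes/No box (text = calling process's command line, caption =
; mdb) asking whether to keep blocking.  On "No" it restores the
; original bytes, calls the real ExitWindowsEx and re-applies the patch.
; Returns the real API's result in that case (the original always
; returned TRUE).  When the shutdown is blocked it returns TRUE as the
; author chose — NOTE(review): that reports success to a caller whose
; request was refused; FALSE would be the honest contract.
; Only calls that enter through this export are intercepted, and the
; restore / call / re-patch window is not synchronised: another thread
; reaching ExitWindowsEx inside it goes straight to the real API.
;-----------------------------------------------------------------------
MyAPI proc bs:DWORD, dwReserved:DWORD
    LOCAL   result:DWORD

    mov     result, TRUE
    invoke  MessageBox, NULL, CommandLine, addr mdb, MB_YESNO
    .if eax == IDNO                         ; user chose not to block
        invoke  WriteApi, WProcess, Papi1, addr ApiBak1, 8          ; unpatch
        invoke  ExitWindowsEx, bs, dwReserved
        mov     result, eax                 ; keep the real return value
        invoke  WriteApi, WProcess, Papi1, addr hacker, sizeof SEH  ; re-patch
    .endif
    mov     eax, result
    ret
MyAPI endp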
End DllEntry
============================hookdll.def=========================
; hookdll.def — module definition for hookdll.dll
; Only the two hook-management entry points are exported.  DllEntry is
; the entry point named on the End directive and MyAPI is reached only
; through the patch, so neither needs an export.
LIBRARY hookdll
EXPORTS
    InstallHook
    UninstallHook
=================================================
注意:链接时要加上 "/SECTION:.bss,S" 的开关,用来把 .bss 段设置为共享段;.data? 段中的 hHook 就位于 .bss 中,这样它在每个被注入的进程里都是同一个值。