HOOK ExitWindowsEx函数并修改代码


===============hookdll.dll===========================

.486
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib


; Code stub written over the first bytes of the hooked API (7 bytes with
; MASM's default byte packing; DllEntry writes it with `size SEH`):
;     B8 imm32     mov eax, <address of MyAPI>
;     FF E0        jmp eax
; The opcodes are filled in by DllEntry (a=0B8h, d=0FFh, e=0E0h) and `api`
; receives the replacement address.
; NOTE(review): the name SEH is misleading - this is a jump thunk, not an
; exception-handler record.
SEH struct 
        a  byte ?                       ; opcode B8h: mov eax, imm32
        api DWORD ?                     ; imm32: address the thunk jumps to
        d BYTE ?                        ; opcode FFh (jmp r/m32)
        e BYTE ?                        ; ModRM E0h: jmp eax
SEH ends

; Forward declarations for the procedures defined below (stdcall, per .model).
WriteApi proto :DWORD ,:DWORD,:DWORD,:DWORD   ; (hProcess, pTarget, pBytes, cbBytes) -> BOOL
MyAPI proto  :DWORD  ,:DWORD                  ; stand-in for ExitWindowsEx(uFlags, dwReason)
GetApi proto  :DWORD,:DWORD                   ; (pszDllName, pszApiName) -> address, 0 on failure


; Initialised data. Unlike .bss (made shared by the /SECTION link switch
; noted below the listing) this section is private to each process the
; DLL is mapped into, so every value here is per-process.
.data 
        hInstance dd 0                          ; this DLL's module handle (set in DllEntry)
        WProcess dd 0                           ; GetCurrentProcess() pseudo-handle of the host process
        hacker SEH <>                           ; jump thunk written over ExitWindowsEx
        CommandLine LPSTR ?                     ; host process command line, shown in MyAPI's prompt

        Papi1 DWORD ?                           ; address of user32!ExitWindowsEx in this process
        Myapi1 DWORD ?                          ; not referenced in this listing
        ApiBak1 db 10 dup(?)                    ; copy of the API's original first 8 bytes (restored on detach)
        DllName1  db "user32.dll",0 
        ApiName1  db "ExitWindowsEx",0 
        ; Prompt text: "The program below wants to shut down the computer; keep blocking it?"
        ; Yes = keep blocking, No = let the call through (see MyAPI).
        mdb db "下面的程序想关闭计算机,要保持阻止吗?",0


; Uninitialised data (.bss). The link note below the listing makes this
; section shared, so every process's copy of GetMsgProc passes the same
; hook handle to CallNextHookEx.
.data? 
        hHook dd ?                              ; HHOOK returned by SetWindowsHookEx
        hWnd dd ?                               ; not referenced in this listing


.code
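;-----------------------------------------------------------------------
; BOOL WINAPI DllEntry(HINSTANCE hInst, DWORD reason, LPVOID reserved1)
; Entry point of the hook DLL (named by `End DllEntry`).
; DLL_PROCESS_ATTACH: records the module handle, builds the jump thunk,
;   resolves user32!ExitWindowsEx, saves its first 8 bytes in ApiBak1 and
;   overwrites them with the thunk so calls land in MyAPI.
; DLL_PROCESS_DETACH: writes the saved bytes back (only if a patch was
;   actually applied).
; Out:   eax = TRUE; FALSE from ATTACH when the API cannot be resolved or
;        backed up, so the loader unloads the DLL instead of leaving the
;        process with a thunk written over address 0 or with a garbage
;        backup that DETACH would later write into the API.
; Fixes vs. the original: the ATTACH branch was closed with `endif`
; (conditional-assembly directive) instead of `.endif`, and the results
; of GetApi/ReadProcessMemory were never checked.
;-----------------------------------------------------------------------
DllEntry proc hInst:HINSTANCE, reason:DWORD, reserved1:DWORD 

        .if reason==DLL_PROCESS_ATTACH
                push hInst
                pop hInstance

                invoke GetCommandLine
                mov CommandLine,eax                     ; shown in the prompt to identify the caller

                ; thunk = mov eax, MyAPI / jmp eax
                mov hacker.a,0B8h
                mov hacker.api,offset MyAPI
                mov hacker.d,0FFh
                mov hacker.e,0E0h

                invoke GetCurrentProcess
                mov WProcess,eax                        ; pseudo-handle, valid in this process only

                invoke GetApi,addr DllName1,addr ApiName1
                .if eax==NULL
                        ; Nothing to patch: refuse to stay loaded. Papi1 is
                        ; still 0, so a later DETACH does not restore anything.
                        xor eax,eax
                        ret
                .endif
                mov Papi1,eax

                invoke ReadProcessMemory,WProcess,Papi1,addr ApiBak1,8,NULL
                .if eax==0
                        mov Papi1,0                     ; no valid backup -> never "restore" it
                        xor eax,eax
                        ret
                .endif

                ; Not atomic: another thread calling ExitWindowsEx while the
                ; thunk bytes are being written would execute a half-written
                ; instruction sequence.
                invoke WriteApi,WProcess,Papi1,addr hacker,size SEH
        .endif

        .if reason==DLL_PROCESS_DETACH
                .if Papi1!=0
                        invoke WriteApi,WProcess,Papi1,addr ApiBak1,8
                .endif
        .endif

        mov eax,TRUE
        ret
DllEntry Endp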

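;-----------------------------------------------------------------------
; LRESULT CALLBACK GetMsgProc(int nCode, WPARAM wParam, LPARAM lParam)
; WH_GETMESSAGE hook procedure. It does no work of its own; installing
; it system-wide (InstallHook) is what gets this DLL mapped into other
; GUI processes, where DllEntry then applies the patch.
; Out:   eax = whatever CallNextHookEx returned. The original returned a
;        constant TRUE, which ignores the hook-chain contract (for
;        nCode < 0 the procedure must return CallNextHookEx's value).
;-----------------------------------------------------------------------
GetMsgProc proc nCode:DWORD,wParam:DWORD,lParam:DWORD 
        invoke CallNextHookEx,hHook,nCode,wParam,lParam 
        ret                                     ; eax = next hook's result
GetMsgProc endp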

 

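;-----------------------------------------------------------------------
; HHOOK InstallHook(void)   (exported, see hookdll.def)
; Installs a system-wide WH_GETMESSAGE hook (thread id NULL = all
; threads), which causes this DLL to be loaded into other processes.
; Idempotent: if hHook is already set the existing handle is returned
; instead of installing a second hook and losing the first handle.
; Out:   eax = hook handle, or NULL if SetWindowsHookEx failed
;-----------------------------------------------------------------------
InstallHook proc
        mov eax,hHook
        .if eax==0
                invoke SetWindowsHookEx,WH_GETMESSAGE,addr GetMsgProc,hInstance,NULL
                mov hHook,eax
        .endif
        ret
InstallHook endp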

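;-----------------------------------------------------------------------
; BOOL UninstallHook(void)   (exported, see hookdll.def)
; Removes the message hook and restores ExitWindowsEx in the calling
; process. Other processes restore their own copy in DllEntry's
; DLL_PROCESS_DETACH when the DLL is unmapped from them.
; Out:   eax = UnhookWindowsHookEx result; FALSE if no hook was installed
; Fixes vs. the original: hHook is cleared so InstallHook can be used
; again, and nothing is written to Papi1 when no patch was applied.
;-----------------------------------------------------------------------
UninstallHook proc 

        LOCAL result:DWORD

        mov result,FALSE
        .if hHook!=0
                invoke UnhookWindowsHookEx,hHook
                mov result,eax
                mov hHook,0
        .endif

        .if Papi1!=0
                invoke WriteApi,WProcess,Papi1,addr ApiBak1,8
        .endif

        mov eax,result
        ret
UninstallHook endp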

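;-----------------------------------------------------------------------
; FARPROC GetApi(LPCSTR DllNameAddress, LPCSTR ApiNameAddress)
; Resolves an exported function: uses the module if it is already mapped
; in this process, otherwise loads it first.
; Out:   eax = function address, or NULL if the module could not be
;        obtained or the export does not exist
; Fixes vs. the original: a failed LoadLibrary no longer falls through
; into GetProcAddress with a NULL module, and the no-op `mov eax,eax`
; is gone.
;-----------------------------------------------------------------------
GetApi proc DllNameAddress:DWORD,ApiNameAddress:DWORD

        invoke GetModuleHandle,DllNameAddress
        .if eax==NULL
                invoke LoadLibrary,DllNameAddress
                .if eax==NULL
                        ret                     ; eax is already NULL
                .endif
        .endif

        ; eax = HMODULE; invoke pushes operands right-to-left, so eax is
        ; still intact when it is pushed.
        invoke GetProcAddress,eax,ApiNameAddress
        ret

GetApi endp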


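;-----------------------------------------------------------------------
; BOOL WriteApi(HANDLE Process, LPVOID Papi, LPCVOID Ptype, DWORD Psize)
; Copies Psize bytes from Ptype over the code at Papi in Process,
; temporarily making the affected page(s) writable.
; Out:   eax = WriteProcessMemory result; FALSE if the protection change
;        failed (nothing is written in that case)
; Fixes vs. the original: the protection change covers Papi/Psize itself
; rather than 8 bytes at the region base from VirtualQueryEx (which can
; be a different page from the one holding the API), its result is
; checked, and the protection that was actually in place is restored
; instead of assuming PAGE_EXECUTE_READ.
;-----------------------------------------------------------------------
WriteApi proc Process:DWORD ,Papi:DWORD,Ptype:DWORD,Psize:DWORD

        LOCAL oldProtect:DWORD

        invoke VirtualProtectEx,Process,Papi,Psize,PAGE_EXECUTE_READWRITE,addr oldProtect
        .if eax==0
                ret                             ; eax = FALSE, page untouched
        .endif

        invoke WriteProcessMemory,Process,Papi,Ptype,Psize,NULL
        push eax                                ; keep the write result across the restore

        invoke VirtualProtectEx,Process,Papi,Psize,oldProtect,addr oldProtect

        pop eax
        ret

WriteApi endp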

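;-----------------------------------------------------------------------
; BOOL WINAPI MyAPI(UINT bs, DWORD dwReserved)
; Procedure the thunk in ExitWindowsEx jumps to; it must keep the same
; parameter list as ExitWindowsEx(uFlags, dwReason).
; Shows the calling process's command line and asks whether to keep
; blocking the shutdown. On "No" the original bytes are restored, the
; real ExitWindowsEx is called, and the thunk is written back.
; Out:   eax = the real ExitWindowsEx's result when it was called,
;        FALSE when the user blocked the call. (The original returned
;        TRUE in both cases, reporting a blocked shutdown as a success
;        and discarding the real result.)
; Note:  restore / call / re-hook is not atomic; another thread entering
;        ExitWindowsEx during that window runs partially rewritten code.
;-----------------------------------------------------------------------
MyAPI proc  bs:DWORD  ,dwReserved:DWORD

        LOCAL result:DWORD

        mov result,FALSE
        invoke MessageBox,NULL,CommandLine,addr mdb,MB_YESNO

        .if eax==IDNO                           ; user chose not to block
                invoke WriteApi,WProcess,Papi1,addr ApiBak1,8          ; put the original bytes back
                invoke ExitWindowsEx,bs,dwReserved                      ; call the real API
                mov result,eax
                invoke WriteApi,WProcess,Papi1,addr hacker,sizeof SEH  ; re-apply the thunk
        .endif

        mov eax,result
        ret

MyAPI endp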

End DllEntry
============================hookdll.def=========================

LIBRARY hookdll
; Only the install/uninstall pair is exported; DllEntry is the DLL's
; entry point (named by `End DllEntry` in the listing), not an export.
EXPORTS InstallHook
EXPORTS UninstallHook
=================================================

注意：链接时要加上 "/SECTION:.bss,S" 的链接器开关，把 .bss 段设为共享段，这样各个进程中的 hHook 才是同一个值。
