游戏注入教程(三)-- Hook拦截系统Api

来源:互联网 发布:python 循环生成字典 编辑:程序博客网 时间:2024/04/30 01:13

一、新建一个用于拦截的MFC的dll,代码如下:

// Inline ("5-byte JMP") hook of user32!MessageBoxW, installed by an MFC DLL
// inside the process that loaded it. GetEntryAddr() saves the original entry
// bytes and builds the patch, HookOn()/HookOff() write the patch in and out,
// and MyMessageBox() is the detour that runs in place of MessageBoxW.
// Everything here is 32-bit only: the `_asm` blocks are MSVC x86 inline
// assembly and the patch is a rel32 JMP.

// hinst is placed in a named section that the linker flags RWS (read/write/
// shared), so it is shared by every process that loads this DLL.
// NOTE: only hinst sits between the data_seg pragmas; hProcess, bHook,
// inject_status and the code buffers are ordinary per-process globals.
#pragma data_seg("SHARED")
static HINSTANCE hinst = NULL; // instance handle of this DLL (injectDll.dll)
#pragma data_seg()
#pragma comment(linker, "/section:SHARED,RWS")
HANDLE hProcess = NULL;        // handle to the process this DLL lives in (opened in InitInstance, never closed in this listing)
BOOL bHook = FALSE;            // TRUE while the JMP patch is written over MessageBoxW's entry
BOOL inject_status = FALSE;    // TRUE once GetEntryAddr() has run, so it runs only once
BYTE OldCode[5];               // original first 5 bytes of MessageBoxW's entry
BYTE NewCode[5];               // replacement bytes: E9 <rel32> = jmp MyMessageBox
// Signature of MessageBoxW as used here. LPCTSTR/_T follow the UNICODE setting
// of this build, while the export resolved below is hard-coded to "MessageBoxW";
// in a non-UNICODE build the two would not match.
typedef int (WINAPI *MyMsg)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
MyMsg m_msg;                   // resolved address of user32!MessageBoxW, used to call the original
FARPROC pf_msg;                // same address as an untyped pointer, used as the patch target
void HookOn();                 // write NewCode over the entry: calls land in MyMessageBox
void HookOff();                // write OldCode back: calls reach the real MessageBoxW
void GetEntryAddr();           // resolve MessageBoxW and prepare OldCode/NewCode
// The detour. The exe in section two resolves HookOn/HookOff by name with
// GetProcAddress, so they must be exported (the export declaration is not shown).
int WINAPI MyMessageBox(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);

// DLL start-up: opens a handle to the current process and prepares the patch.
// The hook itself is not installed here; HookOn() does that.
BOOL CinjectDllApp::InitInstance(){
hinst = AfxGetInstanceHandle(); // handle of this DLL
// PROCESS_ALL_ACCESS on our own process -- far more than the
// VirtualProtectEx/WriteProcessMemory calls below require.
hProcess = OpenProcess(PROCESS_ALL_ACCESS, NULL, ::GetCurrentProcessId());
GetEntryAddr();
return CWinApp::InitInstance();
}

// DLL shut-down: removes the patch if it is still installed so the process is
// not left with a JMP into an unloaded module. hProcess is not closed here.
int CinjectDllApp::ExitInstance(){
if (bHook) HookOff();
return CWinApp::ExitInstance();
}

// Resolves MessageBoxW and fills OldCode (saved entry bytes) and NewCode
// (the JMP to MyMessageBox). Runs only once, guarded by inject_status.
// The results of LoadLibrary/GetProcAddress are not checked, and the module
// reference taken by LoadLibrary is never released in this listing.
void GetEntryAddr(){
if (inject_status == FALSE) {
inject_status = TRUE;
HMODULE hmod = ::LoadLibrary(_T("User32.dll"));// reference to user32.dll (already loaded in any GUI process)
m_msg = (MyMsg)::GetProcAddress(hmod, "MessageBoxW");
pf_msg = (FARPROC)m_msg;
// Copy the first 5 bytes at pf_msg into OldCode: cld makes esi/edi
// increment, movsd moves 4 bytes, movsb moves the 5th.
_asm{
lea edi, OldCode
mov esi, pf_msg
cld
movsd
movsb
}
NewCode[0] = 0xe9;// opcode of the near relative JMP
// rel32 operand = &MyMessageBox - pf_msg - 5 (relative to the end of the
// 5-byte instruction), stored little-endian at NewCode[1..4].
_asm{
lea eax, MyMessageBox
mov ebx, pf_msg
sub eax, ebx
sub eax, 5
mov dword ptr[NewCode + 1], eax
}
}
}

// Installs the patch: makes the entry page writable, writes NewCode, restores
// the previous protection. None of the three calls is checked for failure, and
// WriteProcessMemory is not asked how many bytes it wrote (last argument 0).
// Between the two VirtualProtectEx calls the page is PAGE_READWRITE, i.e. not
// executable, so another thread executing code in that page during the window
// would fault; nothing here synchronizes with other threads.
// From a defender's view this is the textbook footprint of an inline hook: the
// in-memory prologue of an exported user32 function no longer matches the
// on-disk image, which integrity scanners compare against.
void HookOn(){
ASSERT(hProcess != NULL); // MFC debug-build-only assertion
DWORD dwTemp = 0;
DWORD dwOldProtect;
// make the 5 bytes at pf_msg writable, saving the previous protection in dwOldProtect
VirtualProtectEx(hProcess, pf_msg, 5, PAGE_READWRITE, &dwOldProtect);
// overwrite the first 5 bytes of MessageBoxW with "jmp MyMessageBox"
WriteProcessMemory(hProcess, pf_msg, NewCode, 5, 0);
// put the previous protection back
VirtualProtectEx(hProcess, pf_msg, 5, dwOldProtect, &dwTemp);
bHook = TRUE;
}

// Removes the patch by writing the saved OldCode back over MessageBoxW's entry.
// Same unchecked calls and same non-executable window as HookOn().
void HookOff(){
ASSERT(hProcess != NULL);
DWORD dwTemp = 0;
DWORD dwOldProtect;
VirtualProtectEx(hProcess, pf_msg, 5, PAGE_READWRITE, &dwOldProtect);
WriteProcessMemory(hProcess, pf_msg, OldCode, 5, 0);
VirtualProtectEx(hProcess, pf_msg, 5, dwOldProtect, &dwTemp);
bHook = FALSE;
}

// The detour that receives every call to MessageBoxW while the hook is on.
// It replaces the message text, unhooks, calls the real function through
// m_msg, then re-hooks. Not thread-safe: while the patch is off, calls from
// other threads reach the real MessageBoxW unmodified, and two threads toggling
// the patch concurrently race on the same 5 bytes.
int WINAPI MyMessageBox(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType){
lpText = _T("先走到我们自己定义的MessageBox中了"); // the caller's text is discarded
HookOff();// restore the original entry so the call below does not re-enter this detour
int ret = m_msg(hWnd, lpText, lpCaption, uType);
HookOn();// re-install the patch for the next call
return ret;
}

二、新建一个exe程序,调用上面的dll,对本程序进行hook,拦截MessageBox

// Load the hooking DLL into this process and call its exported HookOn().
// Neither the LoadLibraryA result nor the GetProcAddress result is checked
// for NULL, and the module reference is never released with FreeLibrary.
typedef void (*HookOnFn)();
HMODULE injectDll = ::LoadLibraryA("D:\\injectDll.dll");
HookOnFn hookOn = reinterpret_cast<HookOnFn>(GetProcAddress(injectDll, "HookOn"));
hookOn();

三、卸载hook,取消对MessageBox的拦截

// Obtain the (already loaded) hooking DLL again and call its exported
// HookOff() to restore the original MessageBoxW entry. As in section two,
// neither handle is checked for NULL and the module reference is not released.
typedef void (*HookOffFn)();
HMODULE injectDll = ::LoadLibraryA("D:\\injectDll.dll");
HookOffFn hookOff = reinterpret_cast<HookOffFn>(GetProcAddress(injectDll, "HookOff"));
hookOff();

四、结合注入的部分,简单陈述下,如何注入后拦截

把以上dll程序写在前两章的待注入的dll中,通过发送键盘消息来开启或者关闭hook,还是比较简单的。
