Cross-process API HOOK (first draft)
DETROX
What is "cross-process API HOOK"?
It is well known that the various system functions of the Windows application are implemented by calling the API function. The API Hook is an additional applet to the system's API, which can monitor even the call to the API function. The so-called cross-trip is to let your program control the API call of others.
API Hook Theory
Through the analysis of Win32 PE files (if you are not familiar with PE file format, you can look at the ICZelion PE tutorial or LuevelSmeyer << The PE File Format >>). We know many of the information stored in the IMPORT TABLE memory in the PE file. These include the function name of the API, the call address, and the like. The operating system will first map it to memory when performing a PE file. At the map, it also writes the entry address of the API function in the current version operating system to a set of structures in the Import Table associated with the API call, which is used for the application's API call. When the application calls the API, he will find an API's entry address in your own memory image, and then execute the CALL instruction. As a result, we can reach the purpose of redirect API by modifying the entrance address of the API function in the IMPORT TABLE of the application memory image. Change the API address to our own function, so our function can complete the monitoring and control of the API.
Realization of API Hook
/ * 1 * / handle hcurrent = getModuleHandle (NULL);
/ * 2 * / image_dos_header * pidh;
/ * 3 * / image_nt_headers * pinh;
/ * 4 * / image_data_directory * psymboltable;
/ * 5 * / image_import_descriptor * piid;
/ * 6 * / PIDH = (image_dos_header *) hcurrent;
/ * 7 * / PINH = (image_nt_headers *) ((DWORD) HCURRENT PIDH-> E_LFANEW);
/ * 8 * / psymboltable = & pinh-> optionalheader.dataDirectory [1];
/ * 9 * / PIID = (image_import_descriptor *) ((DWORD) HCurrent psymboltable-> virtualaddress;
/ * 10 * / do {
/ * 11 * / image_thunk_data * pitd, * pitd2;
/ * 12 * / pitd = (image_thunk_data *) ((DWORD) HCURRENT PIID-> OriginalFirstthunk);
/ * 13 * / pitd2 = (image_thunk_data *) ((DWORD) HCURRENT PIID-> firstthunk);
/ * 14 * / do {
/ * 15 * / image_import_by_name * PIIBN;
/ * 16 * / piibn = (image_import_by_name *) ((DWORD) HCurrent * (DWORD *) PITD);
/ * 17 * / proc * ppfn = (proc *) (Pitd2-> u1.function);
/ * 18 * / if (! Strcmp ("MessageBoxw", (char *) PIIBN-> NAME)) {
/ * 19 * / oldmsg = (msgboxType) (PPFN);
/ * 20 * / dWord addr = (dword) mymessage; / * 21 * / dword Written = 0;
/ * Change memory read-write status * /
/ * 22 * / DWORD OLDACCESS;
/ * 23 * / VirtualProtect (& Pitd2-> u1.function, sizeof (dword), page_writecopy, & oldaccess);
/ * 24 * / apiaddress = (dword) & pitd2-> u1.function;
/ * Write data to memory images * /
/ * 25 * / writeprocessMemory (getCurrentProcess (), & pitd2-> u1.function, & addr, sizeof (dword), & write)
/ * 26 * /}
/ * 27 * / PITD ; PITD2 ;
/ * 28 * /} while (Pitd-> U1.Function);
/ * 29 * / PIID ;
/ * 30 * /} while (PIID-> firstthunk piid-> characteristics
PIID-> Forwarderchain PIID-> Name PIID-> TIMEDATESTAMP;
analysis:
Looking for Import Talbe
In / * 1 * / we use getModuleHandle (NULL) to return the base address of the current process in memory. But this value is only described as "a Module Handle for the Specified Module" in the document, although he is indeed a base address of the process memory image. If you are not very assured, you can use, getModuleinformation function to get the base address, just contain psapi.h and psapi.lib (this library is not in VC6, so I have no use of this function). In / * 6 * / we first find the image_dos_header structure, his start address is the base address of the image. / * 7 * / Find the image_nt_headers structure through the offset of the PE file header given by Image_DOS_Header. The second element in the DataDirectory array in the Optionalheader in Image_NT_Headers is pointing to the address of the IMPORT TABLE we want. In / * 9 * / we convert it to a structural pointer of image_import_descriptor to store in PIID.
Alternative API function entry address
In / * 12 * / and / * 13 * / we get the OriginalFirstthunk and the Firstthunk structure, which is used to get the name and entrance address of the API function later. / * 10 * / DO loop allows us to traverse each image_import_descriptor structure is also every DLL of the application reference. In / * 14 * / cycle we traverse the image_thunk_data structure in the DLL to query the API information. / * 16 * / We convert OriginalFirstthunk to the image_import_by_name structure to obtain the name of the API function to comparison. After / * 18 * / we find the MessageBoxw function, use it when / * 19 * / saves its original entry address for use. At / * 23 * / We need to change the read and write sector of the memory area with VirtualProtect, because the general application image is read-only, and directly writing will cause an unfair access to abnormality. On / * 25 * / we write the address of its own function.
This will basically complete the redirection of an API function.
other
The API entry address of the recovery function is relatively simple. As long as you write the saved value, you can write back. The above program is / * 24 * / I saved the address of the place where the MessageBox entry address is saved with APIADDRESS, which is used to use the WriteProcessMemory to recover. Cross-process theory
We must use our own function to replace the API function in someone programs, but our function is in different processes in different processes. Different processes are not called each other. So we must find a way to put your own function into someone else's process space. At this time, we need to use DLL Injection technology. If you are not very familiar with her, it is recommended to see the << Programming Applications for Microsoft Windows >> Jeffrey Richter Master, or you can refer to Mr. Chen Xida's << C Builder Depth Adventures >>.
Briefly, DLL Injection is that the way to let the other party's process loading our DLL program, put the function that needs to be replaced in our DLL. As a result, our function has entered the space of others. There are a lot of DLL INJECTION methods, and Richter masters have a detailed explanation of various methods in the book. Mr. Chen Guanda also has in-depth analysis. I am here to use the SetWindowsHookex function to achieve the purpose. There are more than these reasons: 1, do not need to restart the system, it is convenient to debug. 2, the communication between the two processes can be used to make the communication between the two processes can be used to grasp the state of the HOOK. Easy to install and uninstall.
SETWINDOWSHOKEX can complete the DLL INJECTION because it is to add a hook to an application, and hook has hook procedure is the hook function. If this hook function is in a DLL, then the system will load this DLL on the target process of SETWINDOWSHOKEX. Therefore, we have achieved our DLL INJECTION. Of course, we will use WH_GetMessage Hook for Injection because this Hook can be used to monitor the message loop for the target process. This is convenient for our process to communicate with the target process.
Realization and attention to cross-process
/ * Dllpart.dll * /
#include
#include
#include
#include
TypedEf (WinAPI * msgboxType) (HWND, LPCWSTR, LPCWSTR, UINT);
MsgboxType Oldmsg; / * API original address * /
DWORD apiaddress; / * Store addresses of the API entry address * /
Int WinAPI MyMessage (HWND HWND, LPCWSTR M1, LPCWSTR M2, UINT M3) {
/ * This is a function that is used to replace * /
Return Oldmsg (HWND, BUF, M2, MB_OK);
}
Const char szapp [] = "dllpart.dll";
HHOOK HHOOK; / * HOOK handle * /
HModule Hinst; / * DLL module handle for SETWINDOWSHOKEX functions * /
HWND htarget; / * Target window handle * /
/ * DLL entry * /
Bool WinApi Dllmain (Hinstance Inst, DWord Reason, LPvoid LPVReServed)
{
Hinst = INST;
Switch (REASON) {
Case DLL_Process_attach:
/ * Debug information, indicating that the DLL has loaded * /
MessageBox (NULL, "DLL_PROCESS_ATTACH", SZAPP, MB_OK; BREAK;
Case DLL_PROCESS_DETACH:
/ * Debug information, indicating that the DLL has been uninstalled * /
MessageBox (NULL, "DLL_PROCESS_DETACH", SZAPP, MB_OK;
Break;
}
Return True;
}
/ * Display information of getLastError * /
Void showerr (const char * m) {
Char Message [255];
FormatMessage (Format_Message_From_System, 0, getLastError ()
, Makelangid (Lang_neutral, Sublang_Default), Message, 255, 0);
MessageBox (NULL, MESSAGE, M, MB_OK);
}
// -----------------------
Void unhookAPI () {
/ * Uninstall API Hook with * /
}
Void hookapi () {
/ * Load the API Hook as the function described above * /
}
// -----------------------
/ * Hook procedure * / for wh_getmentmesage * /
Lresult Callback GetMsgProc (int Ncode, WPARAM WPARAM, LPARAM LPARAM) {
IF (ncode == hc_action) {
Msg * msg = (msg *) LPARAM;
IF (msg-> message == wm_char) {
IF (msg-> wparam == 'h!) hookapi ();
IF (msg-> wparam == 'u') UnhookAPI ();
}
}
Return CallNexthookex (HHOOK, NCODE, WPARAM, LPARAM);
}
Extern "C" __DECLSPEC (DLLEXPORT) setapihook (hwnd handle) {
DWORD thREADID = GetWindowThreadProcessId (Handle, Null);
htarget = handle;
MessageBox (NULL, "Enabling CallwndProc Hook", Szapp, MB_OK;
HHOOK = SETWINDOWSHOKEX (Wh_getMessage, getMsgProc, Hinst, ThreadID);
IF (hHOOK) {
MessageBox (NULL, "Hook OK!", SZAPP, MB_OK;
} else {
SHOWERR ("SETWINDOWSHOKEX");
}
}
Extern "C" __DECLSPEC (DLLEXPORT) unhookapihook () {
MessageBox (NULL, "Disnable CallWndProc Hook", SZAPP, MB_OK;
IF (unhookwindowshookex (hHOOK) {
MessageBox (NULL, "UnHook OK!", SZAPP, MB_OK;
} else {
SHOWERR ("UnhookWindowsHookex);
}
}
analysis
Several questions that need attention
SetapiHook and UnHookApiHook are functions used by our own process call to load the WH_GetMessage Hook. Since our program is to load this DLL with loadLibrary, this two functions should be modified with __Declspec (dllexPort) to make it exported to be found by the getaddressproc function. Plus Extern "C" is to allow the compiler to use C language encoding. Because the C compiler will perform Dynamic Binding (implementation of C function overload), attach the parameter type of the function to the name. It is the export name of the function looks like SetapiHook @ Xytzx, which is not conducive to getaddressProc. Therefore, using extern "C" to let the compiler do not use Dynamic Binding, the function that naturally uses EXTERN "C" cannot be overloaded. Don't forget to call the CallNextHooKex function in getMsgproc to ensure the integrity of the HOOK chain.
Be sure to call HookAPI and UNHOOKAPI functions in hook procedure, because the place where the API entry address is saved in the target process, you must complete the uninstall operation in the process space of the target process, you cannot call in UnHookapihook or the SetapiHook function, because unhookapihook is Our process is called, so in our process space. Using UnHookAPI here will cause an illegal access to errors. Use Hookapi will add API Hook to your own DLL.
The last parameter of SETWINDOWSHOKEX is ThreadID is not Handle, so you have to convert it by calling getWindowThreadProcessID.
Other techniques that may be used in crossing the process API HOOK
Information interaction and sharing of primary processes and target processes
Due to the use of the WH_GetMessage hook we can use the Windows message mechanism to implement inter-process communication. It should be noted that you should use PostthReadMessage to send messages got by WH_GetMessage instead of sendMessage or postmessage, because the two are used to send messages to the window. And our WH_GetMessage is Hook on the thread, so you need to use PostthReadMessage.
Data that pass unsight can be done using the WM_COPYDATA message. It should also be noted that if the message using the MFC is available, you need to send it with SendMessage. WM_COPYDATA uses relatively simple to refer to the MSDN documentation. You can also refer to the SHOWERR function part of the program hook.cpp in the appendix.
If you pass larger data or you want data sharing, you can open up the shared memory to perform data sharing. Here is simple to analyze the code using shared memory
Handle HMAP;
Switch (REASON) {
Case DLL_Process_attach:
/ * Create / open shared memory area * /
HMAP = CREATEFILEMAPPING ((HFile *) 0xffffff, NULL, PAGE_READWRITE, 0, SIZEOF (GLOBALDATA), ID_MAP);
PG_DATA = (GlobalData *) MapViewoffile (HMAP, File_Map_all_Access, 0, 0, 0);
IF (! pg_data) {
MessageBox (NULL, "Unable to establish shared memory, program termination!", Szapp, mb_ok);
IF (hmap) {
CloseHandle (HMAP);
HMAP = NULL;
Return 0;
}
}
PG_DATA-> hinst = hinst;
SHOWERR ("Shared Save Image File");
Showerr ("DLL load ...", false);
Break;
Case DLL_PROCESS_DETACH:
IF (pg_data) {
UnmapViewoffile (PG_DATA);
PG_DATA = NULL;
}
IF (hmap) {
CloseHandle (HMAP);
HMAP = NULL;
}
Break;
}
The above code establishes a shared area through CREATEFILEMAPPING. Set its first parameter to 0xFffffFFF to create a memory sharing area instead of a file. And marked as readable and writable (Page_Readwrite). Its size is the size of the Structural GlobalData. The last ID_MAP is a string for indicating this area. Once you have opened or create a shared area, we use MapViewOffile to get the address of this area. Then you can use PG_DATA to operate the shared area directly. Don't forget to securely remove the shared area when DLL exits.
Message waiting and security uninstallation
Before we uninstall the Wh_getMessage hook, you must first return the API call of the target program to normal. We cannot call unhookWindowshookex immediately after calling unhook, because it is very likely that UnHookapi has not been able to complete the recovery operation of the API entry address, and the wh_getMessage hook has been uninstalled. Therefore, you need to wait for a while, so I will complete the recovery operation in calling UnHookWindowsHookex. To prevent the wrong mistake.
Extern "C" __declspec (dllexport) void unhookapihook () {
/ * Send a message to the target thread to perform API UnHook * /
PostthreadMessage (pg_data-> idtarget, wm_disableapihook, (wparam) getCurrentThreadId (), 0);
Showerr ("WM_DISABLEAPIHOK");
/ * Waiting for the target process to return to WM_UNHOOKOK messages, confirm that WH_GetMessage's hook can be removed * /
MSG msg;
Do {
GetMessage (& MSG, NULL, 0, 0);
} while (msg.Message! = WM_UNHOOKOK);
UnHookWindowshookex (pg_data-> hHOK);
PostthreadMessage (pg_data-> idtarget, wm_disableapihook, (wparam) getCurrentThreadId (), 0);
SHOWERR ("UnhookWindowsHookex);
} The above code we use a loop containing getMessage to wait for the arrival of the message, once UNHOOKAPI completes him, will send a WM_UNHOOKOK message. Waiting for us to receive a message to confirm that all security is to uninstall the Wh_getMessage hook.
Take a message object
We must know that the code is executed in the main program space or in the target program process space. The UNHOOKAPIHOOK function like the above is called by the main program, so executed in the main program process space. This will send a message to the main program after the UnHookApi used to restore the target program API information, not the target program.
The target process loads other DLLs
If the target process is dynamically loaded with other DLL files, we must monitor the LoadLibrary function. Ensure that the API entry address in the DLL is also modified correctly. Preventing the situation of chaos from chaos. I got the DLL path from LoadLibrary for getModuleHandle to get the address of his imagebase.
I don't know how the article written, I hope everyone can give more criticism. I have discovered the problem.
Email: detrox@yang.com.cn
Reference
<< Programming Applications for Microsoft Windows >>, Jeffrey Richter, Microsoft Press << C Builder Deep Adventures >> Chen Xiga, Huazhong University Press
<< THE PE FILE FORMAT >>, LuevelSmeyer
<< ICZelion's PE Tutorial >>, ICZelion
Attached: Examples of cross-process APIHOK
First open a notepad program and enter a few characters, run the following program, load the APIHOOK. After you choose to create new, you will see the API hook will see the result of the MessageBoxw function hook. Code in WinXP SP1 VC6 .0 test successfully.
Download source code
(Special Thank Lao Luo's code shader, much better than myself)
This is a DLL program, hook.dll
#include
#include
#include
#include
#include "mydef.h"
const char szapp [] = "hook.dll"; / * Application Name * /
Handle HMap; / * Handle of shared memory image * /
GLOBALDATA * PG_DATA; / * Global data in shared memory * /
LResult Callback GetMsgProc (int, wparam, lparam);
/ * Display the error pointed by getLastError * /
Void Showerr (const char * m, bool getrror = true) {
Char Message [127];
Char BUF [255];
CopyDataStruct CDS;
IF (getError)
FormatMessage (Format_Message_From_System, 0
GetLastError (), MakelangId (lang_neutral, sublang_default), Message, 127, 0);
Else
* message = 0;
IF (GetCurrentThreadId ()! = pg_data-> idmain)
Sprintf (BUF, "Target Program Space DLL:% -30S [% -40S]", M, Message);
Else
Sprintf (buf, "main program space DLL:% -30S [% -40s]", m, message);
CDS.LPDATA = BUF;
Cds.cbdata = Sizeof (BUF);
Cds.dwdata = 0;
SendMessage (pg_data-> hwndmain, wm_copydata, (wparam) pg_data-> hwndtarget, (lparam) & cds;
SetLastError (0);
}
Int WinAPI MyMessageBoxw (HWND HWND, LPCWSTR M1, LPCWSTR M2, UINT M3) {
Wchar_t buf [255];
SWPRINTF (BUF, L "!! This window's API is hook !! / NHWND: 0x% 08X / NMESSAGE:% S / NCAPTION:% S"
(Dword *) hwnd
M1
, M2);
PG_DATA-> OldapiFunction (hwnd, buf, m2, mb_ok);
Return PG_Data-> OldapiFunction (hwnd, m1, m2, m3);
/ * DLL entry function * /
Bool WinApi Dllmain (Hinstance Hinst, DWord Reason, LPVOID LPVRESERVED)
{
Switch (REASON) {
Case DLL_Process_attach:
/ * Create / open shared memory area * /
HMAP = CREATEFILEMAPPING ((HFile *) 0xffffff, NULL, PAGE_READWRITE, 0, SIZEOF (GLOBALDATA), ID_MAP);
PG_DATA = (GlobalData *) MapViewoffile (HMAP, File_Map_all_Access, 0, 0, 0);
IF (! pg_data) {
MessageBox (NULL, "Unable to establish shared memory, program termination!", Szapp, mb_ok);
IF (hmap) {
CloseHandle (HMAP);
HMAP = NULL;
Return 0;
}
}
PG_DATA-> hinst = hinst;
SHOWERR ("Shared Save Image File");
Showerr ("DLL load ...", false);
Break;
Case DLL_PROCESS_DETACH:
SHOWERR ("DLL Uninstall ...", FALSE);
IF (pg_data) {
UnmapViewoffile (PG_DATA);
PG_DATA = NULL;
}
IF (hmap) {
CloseHandle (HMAP);
HMAP = NULL;
}
Break;
}
Return True;
}
/ * Uninstall API Hook * /
Void unhookAPI () {
DWORD WRITTEN = 0;
DWORD OLDDRAPIFUNCTION = (DWORD) PG_DATA-> Oldapifunction;
WriteProcessMemory (GetCurrentProcess (), (DWORD *) PG_DATA-> AddrapientryPoint
, & OlddrapiFunction, SizeOf (DWORD), & Written;
Showerr ("WriteProcessMemory on UnHook);
/ * Send API UNHOOK to the main thread * /
PostthreadMessage (pg_data-> idmain, wm_unhookok, 0, 0);
}
/ * Load API Hook * /
Void Hookapi (Const Char * Szapiname, TapiFunction Newaddr, DWORD ImageBase) {
/ * This code, please refer to the analysis in the article * /
Image_dos_header * pidh;
Image_nt_headers * pinh;
Image_data_directory * psymboltable;
Image_import_descriptor * piid;
PIDH = (image_dos_header *) imagebase;
Pinh = (image_nt_headers *) ((DWORD) ImageBase PidH-> E_LFANEW);
Psymboltable = & pinh-> optionalheader.dataDirectory [1];
PIID = (image_import_descriptor *) (DWORD) ImageBase psymboltable-> virtualaddress; do {
Image_thunk_data * pitd_org, * pitd_1st;
Pitd_org = (image_thunk_data *) ((DWORD) ImageBase PIID-> OriginalFirstthunk;
Pitd_1st = (image_thunk_data *) ((DWORD) ImageBase PIID-> firstthunk);
Do {
Image_import_by_name * PIIBN;
PIIBN = (image_import_by_name *) ((DWORD) ImageBase * ((DWORD *) PITD_ORG);
Proc * PapiFunction = (Proc *) (pitd_1st-> u1.function);
IF (! strcmp (szapiname, (char *) piibn-> name)) {
DWORD addRNewApifunction = (dword) MyMessageBoxw;
DWORD WRITTEN = 0;
DWORD OLDACCESS;
PG_DATA-> Oldapifunction = (TAPIFUNCTION) (PAPIFUNCTION)
/ * Change memeory stat * /
VirtualProtect (& PITD_1ST-> U1.Function, SizeOf (DWORD), Page_Writecopy, & Oldaccess);
SHOWERR ("VirtualProtect");
PG_DATA-> addrapientrypoint = (dword) & pitd_1st-> u1.function;
/ * WRITE Process Memory * /
WriteProcessMemory (getCurrentProcess (), & pitd_1st-> u1.function
, & Addapifunction, sizeof (dWord), & Written;
Showerr ("WriteProcessMemory on Hook";
}
PITD_ORG ;
PITD_1ST ;
} While (pitd_1st-> u1.function);
PIID ;
WHILE (PIID-> Firstthunk PIID-> CHARACTERISTICS
PIID-> Forwarderchain PIID-> Name PIID-> TIMEDATESTAMP;
}
// -----------------------
Extern "C" __DECLSPEC (DLLEXPORT) BOOL SetapiHook (HWND _TARGET) {
PG_DATA-> HHOOK = SETWINDOWSHOKEX (Wh_getMsSage, getmsgproc, pg_data-> hinst, pg_data-> idtarget);
SHOWERR ("SETWINDOWSHOKEX");
/ * Send a message to the target thread to perform API hook * /
IF (pg_data-> hHOOK) {
PostthreadMessage (pg_data-> idtarget, wm_enableapihook, 0, 0);
} Else {
Return False;
}
Showerr ("WM_ENABLEAPIHOK");
Return True;
}
Extern "C" __declspec (dllexport) void unhookapihook () {
/ * Send a message to the target thread to perform API UnHook * /
PostthreadMessage (pg_data-> idtarget, wm_disableapihook, (wparam) getCurrentThreadId (), 0);
Showerr ("WM_DISABLEAPIHOK");
/ * Waiting for the target process to return to WM_UNHOOKOK messages, confirm that WH_GetMessage's hook can be removed * /
MSG msg;
Do {
GetMessage (& MSG, NULL, 0, 0);
} while (msg.Message! = WM_UNHOOKOK);
UnHookWindowshookex (pg_data-> hHOK);
PostthreadMessage (pg_data-> idtarget, wm_disableapihook, (wparam) getCurrentThreadId (), 0);
SHOWERR ("UnhookWindowsHookex);
}
Lresult Callback GetMsgProc (int Ncode, WPARAM WPARAM, LPARAM LPARAM) {
IF (ncode == hc_action) {
Msg * msg = (msg *) LPARAM;
IF (msg-> message == wm_enableapihook) {
Hookapi ("MessageBoxw", MyMessageBoxw, (DWORD) GetModuleHandle (NULL));
}
IF (msg-> message == wm_disableapihook) {
UnhookAPI ();
}
IF (msg-> message == wm_destroy) {
SHOWERR ("Target Process Exit!", False);
}
}
Return CallNexthookex (PG_Data-> HHOK, NCODE, WPARAM, LPARAM);
}
This is the key part of the main program hookgui.cpp
Building a window program with MFC, including two buttons and a listbox
Typedef void (* punhookapihook ();
Typedef Bool (* psetapihook (hwnd);
HModule HDLL = NULL;
HWND hnotepad = null;
Psetapihook setapihook;
Punhookapihook unhookapihook;
GLOBALDATA * PG_DATA; / * Global data in shared memory * /
Handle HMap; / * Handle of shared memory image * /
INT Chookguidlg :: Showerr (const char * m) {
Char Message [127];
Char BUF [255];
INT Errid = getLastError ();
FormatMessage (Format_Message_From_System, 0
, Errid, Makelangid (Lang_neutral, SUBLANG_DEFAULT), Message, 127, 0;
Sprintf (BUF, "Program:% -30S [% -40S] / N", M, Message);
C_List1.insertString (c_list1.getcount (), buf); Updatedata (false);
Return Errid;
}
Void Chookguidlg :: OnsetapiHook ()
{
// Todo: Add Your Control Notification Handler Code Here
HDLL = LoadLibrary ("hook.dll");
Showerr ("LoadLibrary";
HMAP = OpenFilemapping (file_map_all_access, false, id_map);
Showerr ("openfilemapping");
PG_DATA = (GlobalData *) MapViewOffile (HMAP, File_Map_all_access, 0,0,0);
Showerr ("MapViewOffile");
IF (! pg_data) {
MessageBox ("You cannot open the shared memory program to terminate!");
Return;
}
Setapihook = (Psetapihook) GetProcadDress (HDLL, "SetapiHook");
Showerr ("getProcaddress-setapihook);
PG_DATA-> HWndTarget = :: FindWindow ("NOTEPAD", NULL);
PG_DATA-> hWndmain = m_hwnd;
PG_DATA-> IDMAIN = getWindowThreadProcessID (m_hwnd, null);
PG_DATA-> IDTARGET = GetWindowThreadProcessId (pg_data-> hwndtarget, null);
IF (! showerr ("finderr (" findwindow ")) {
IF (setail) {
IF (Setapihook (HNOTEPAD))
PostthreadMessage (pg_data-> idtarget
, WM_SETCALLERID, (LPARAM) getCurrentThreadId (), 0);
Else {
MessageBox ("SetWindowhookex error, program termination!");
Return;
}
} Else {
MessageBox ("Unable to get a setapiHook function! The program termination!");
}
} Else {
MessageBox ("NOTEPAD.exe" in memory);
}
c_setapihook.enablewindow (false);
C_unsetapihook.enableWindow ();
}
Void Chookguidlg :: Onunsetapihook ()
{
// Todo: Add Your Control Notification Handler Code Here
IF (HDLL) {
IF (! iswindow (pg_data-> hwndtarget) {
MessageBox ("" "Target process is not in memory");
Return;
}
Unhookapihook = (Punhookapihook) GetProcaddress (HDLL, "UnhookApiHook);
Showerr ("getProcaddress-unhookapihook);
IF (unhookapihook)
Unhookapihook ();
Freelibrary (HDLL); Showerr ("Freeelibrary");
HDLL = NULL;
} Else {
MessageBox ("Add DLL");
}
c_setapihook.enableWindow ();
C_unsetapihook.enableWindow (False);
}
Void Chookguidlg :: Onok ()
{
// Todo: Add extra validation here
IF (HDLL) {
Onunsetapihook ();
}
CDIALOG :: Onok ();
}
Bool Chookguidlg :: ONCOPYDATA (CWND * PWND, CopyDataStruct * PcopyDataStruct)
{
// Todo: add your message handler code here and / or call default
C_List1.insertstring (c_list1.getcount (), (char *) pcopyDataStruct-> lpdata);
Return CDIALOG :: ONCOPYDATA (PWND, PCopyDataStruct);
}
