Interception of API functions under Win2k

zhaozj, 2021-02-16

Introduction. API interception under Win2k is not a new technique; many commercial programs use it. There are essentially two ways to intercept a Windows API function. The first is Jeffrey Richter's method of rewriting the module's import section (the import address table). It is very safe, but quite involved, and some EXE files carry no import symbol table for the DLL in question, so such calls may escape interception altogether. The second is the commonly used "JMP XXX" method: patch the first bytes of the target function with a jump to your own function. It is old, but simple and practical. This article describes the second method under Win2K.

For the JMP method, Win98/ME offers many ways to enter Ring 0 (LDT, IDT, VxD and so on), so dynamically modifying code in memory is easy. Under Win2k those methods are unavailable, and writing a WDM driver is too complex, so on the surface it looks hard to do. Fortunately, Win2k gives us a powerful set of memory-manipulation API functions, VirtualProtectEx, WriteProcessMemory and ReadProcessMemory, and with them we can modify code in memory at run time. Their prototypes are:

    BOOL VirtualProtectEx(
        HANDLE hProcess,        // handle of the process whose memory is to be modified
        LPVOID lpAddress,       // start address of the region to modify
        DWORD  dwSize,          // number of bytes to modify
        DWORD  flNewProtect,    // new protection attribute for the region
        PDWORD lpflOldProtect   // receives the previous protection attribute
    );

    BOOL WriteProcessMemory(
        HANDLE  hProcess,                // handle of the process to write to
        LPVOID  lpBaseAddress,           // start address of the memory to write
        LPVOID  lpBuffer,                // data to write
        DWORD   nSize,                   // number of bytes to write
        LPDWORD lpNumberOfBytesWritten   // receives the number of bytes actually written
    );

    BOOL ReadProcessMemory(
        HANDLE  hProcess,               // handle of the process to read from
        LPCVOID lpBaseAddress,          // start address of the memory to read
        LPVOID  lpBuffer,               // buffer that receives the data
        DWORD   nSize,                  // number of bytes to read
        LPDWORD lpNumberOfBytesRead     // receives the number of bytes actually read
    );

For the details of each parameter, see the MSDN help.

Under Win2k each process has its own address space (a system DLL is mapped at the same address inside every process, rather than living at one shared address visible to all processes as under Win9x/Me), so the hook DLL has to be brought into the target process. The simplest route is a Windows hook: installing it injects the DLL into the remote process. A MessageBoxA interception example illustrates this. The DLL source:

    HHOOK     g_hHook;
    HINSTANCE g_hinstDll;
    FARPROC   pfMessageBoxA;
    int WINAPI MyMessageBoxA(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
    BYTE      OldMessageBoxACode[5], NewMessageBoxACode[5];   // original bytes and the JMP patch
    HMODULE   hModule;
    DWORD     dwIdOld, dwIdNew;
    BOOL      bHook = FALSE;                                   // TRUE while the JMP patch is in place
    void HookOn();
    void HookOff();
    BOOL Init();
    LRESULT WINAPI Hook(int nCode, WPARAM wParam, LPARAM lParam);

    BOOL APIENTRY DllMain(HANDLE hinstDLL, DWORD ul_reason_for_call, LPVOID lpReserved)
    {
        switch (ul_reason_for_call) {
        case DLL_PROCESS_ATTACH:
            if (!Init()) {
                MessageBoxA(NULL, "Init", "ERROR", MB_OK);
                return FALSE;
            }
            break;
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            if (bHook) HookOff();   // restore the original bytes before the DLL unloads
            break;
        }
        return TRUE;
    }

    // Empty hook procedure: the hook exists only to get this DLL loaded into other processes
    LRESULT WINAPI Hook(int nCode, WPARAM wParam, LPARAM lParam)
    {
        return CallNextHookEx(g_hHook, nCode, wParam, lParam);
    }

    // Exported: install the empty hook
    HOOKAPI2_API BOOL InstallHook()
    {
        g_hinstDll = LoadLibrary("HookApi2.dll");
        g_hHook = SetWindowsHookEx(WH_GETMESSAGE, (HOOKPROC)Hook, g_hinstDll, 0);
        if (!g_hHook) {
            MessageBoxA(NULL, "SET ERROR", "ERROR", MB_OK);
            return FALSE;
        }
        return TRUE;
    }

    // Exported: remove the empty hook
    HOOKAPI2_API BOOL UninstallHook()
    {
        return UnhookWindowsHookEx(g_hHook);
    }

    // Look up the address of MessageBoxA and build the JMP XXX (MyMessageBoxA) jump instruction
    BOOL Init()
    {
        hModule = LoadLibrary("User32.

When reprinting, please cite the original address: https://www.9cbs.com/read-26547.html
