Intercepting a Win32 API by overwriting the function entry with a JMP (the "modify function address" method)


#include #include #include #include #pragma comment (lib, "imagehlp.lib")

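/* IDT vector that Ring0WriteMemory temporarily hijacks on Win9x
 * (vector 5 is the #BR / BOUND-range exception). */
#define HookExceptionNo 5

BOOL init(void);

/* TRUE on the NT family: patch through VirtualProtectEx/WriteProcessMemory.
 * FALSE on Win9x: patch through the ring-0 IDT trick in Ring0WriteMemory.
 * Set once in DllMain. */
BOOL SysVer = TRUE;

HMODULE g_hModule;        /* module that exports the hooked function; freed in DllMain */
DWORD dwIdOld, dwIdNew;   /* dwIdNew = this process' id; dwIdOld = id last patched */

/* One hooked export: its entry address, the 5 bytes originally found
 * there (restored by HookOffOne) and the 5-byte "jmp rel32" that
 * replaces them (planted by HookOnOne). */
typedef struct {
    FARPROC funcaddr;
    BYTE olddata[5];
    BYTE newdata[5];
} HOOKSTRUCT;

HOOKSTRUCT api_MessageBoxA;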

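/* Win9x only: copy `copysize` bytes from `src` to `dst` while running at ring 0.
 *
 * Mechanism (x86-32, MSVC inline asm): the offset field of IDT gate
 * HookExceptionNo is pointed at the local stub Ring0Proc, the interrupt is
 * raised with `int`, the CPU enters the stub at ring 0 where the copy is done
 * through a writable data selector, and the original gate offset is put back.
 * Only the gate's offset is rewritten; its selector and DPL are left as the
 * OS installed them.
 *
 * Caveats a reader must know before reusing this:
 *  - It relies on the IDT being writable from ring 3 and on selector 0x30
 *    naming a flat ring-0 data segment. That held on the Win9x VMM; on an
 *    NT-family kernel the first write to the IDT faults. Callers gate on
 *    SysVer for exactly this reason.
 *  - `cli`/`sti` from ring 3 need sufficient IOPL; again a property of the
 *    Win9x environment, not something this function verifies.
 *  - dst/src/copysize are not validated. The copy runs at ring 0 with no
 *    page-fault recovery, so a bad pointer crashes the machine, not the
 *    process.
 *  - Not reentrant and not thread-safe: the gate is swapped and restored in
 *    place, so another thread hitting vector 5 in that window lands in
 *    Ring0Proc with unrelated register contents.
 *
 * Reconstruction note: the operand expressions `idtr_1+02h`,
 * `HookExceptionNo*08h+04h` and `[eax+02h]` had lost their `+` signs in the
 * published listing; they are restored here from the IDT gate layout
 * (offset bits 15:0 at +0, selector at +2, attributes at +4, bits 31:16 at +6).
 */
void Ring0WriteMemory(void *dst, void *src, int copysize)
{
    BYTE idtr_1[6];             // sidt image: 16-bit limit, then 32-bit base
    DWORD OldExceptionHook;     // 32-bit offset of the original gate handler

    __asm {
        jmp __continue

    Ring0Proc:                  // reached at ring 0 through the hijacked gate
        pushad
        mov ax, 30h             // ring-0 data selector (Win9x VMM convention)
        mov bx, ds              // save DS/ES
        mov dx, es
        mov ds, ax
        mov es, ax
        rep movsb               // copy ECX bytes from DS:ESI to ES:EDI
        mov ds, bx              // restore DS/ES
        mov es, dx
        popad
        iretd

    __continue:
        sidt fword ptr idtr_1
        mov eax, dword ptr idtr_1+02h        // IDT base
        add eax, HookExceptionNo*08h+04h     // gate byte 4: offset 15:0 at [eax-4], 31:16 at [eax+2]
        cli
        mov ecx, dword ptr [eax]             // high word = old offset bits 31:16
        mov cx, word ptr [eax-04h]           // low word  = old offset bits 15:0
        mov OldExceptionHook, ecx
        lea ebx, Ring0Proc                   // install the stub's offset
        mov word ptr [eax-04h], bx
        shr ebx, 10h
        mov word ptr [eax+02h], bx
        pushad                               // arguments for Ring0Proc
        mov edi, dst
        mov esi, src
        mov ecx, copysize
        int HookExceptionNo                  // enter Ring0Proc at ring 0
        popad
        mov ecx, OldExceptionHook            // put the original gate back
        mov word ptr [eax-04h], cx
        shr ecx, 10h
        mov word ptr [eax+02h], cx
        sti
    }
}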

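/* Write the 5 bytes at `bytes` over the entry of `addr` in this process.
 * Shared by HookOnOne/HookOffOne so the patch sequence exists once.
 * Failures are silent because the public wrappers are void.
 *
 * Note the 5-byte store is not atomic: a thread that is executing `addr`
 * at that moment can see a torn instruction. This demo does not suspend
 * other threads; a production hook would. */
static void WriteEntryBytes(FARPROC addr, const BYTE *bytes)
{
    if (SysVer) {
        HANDLE hProc;
        DWORD oldProt = 0;

        dwIdOld = dwIdNew;
        hProc = OpenProcess(PROCESS_ALL_ACCESS, 0, dwIdOld);
        if (hProc == NULL) {
            return;
        }
        /* PAGE_EXECUTE_READWRITE, not PAGE_READWRITE: the page stays
         * executable while patched, so a thread already inside this code
         * does not fault under DEP. The previous protection goes into a
         * local; the original stored it in dwIdOld, clobbering the PID. */
        if (VirtualProtectEx(hProc, (LPVOID)addr, 5, PAGE_EXECUTE_READWRITE, &oldProt)) {
            WriteProcessMemory(hProc, (LPVOID)addr, bytes, 5, NULL);
            VirtualProtectEx(hProc, (LPVOID)addr, 5, oldProt, &oldProt);
            /* make the rewritten bytes visible to the instruction stream */
            FlushInstructionCache(hProc, addr, 5);
        }
        CloseHandle(hProc);   /* the original leaked one handle per call */
    } else {
        Ring0WriteMemory((void *)addr, (void *)bytes, 5);
    }
}

/* Activate the hook: plant the jmp held in newdata at the function entry. */
void HookOnOne(HOOKSTRUCT *hookfunc)
{
    WriteEntryBytes(hookfunc->funcaddr, hookfunc->newdata);
}

/* Deactivate the hook: put the saved original 5 bytes back. */
void HookOffOne(HOOKSTRUCT *hookfunc)
{
    WriteEntryBytes(hookfunc->funcaddr, hookfunc->olddata);
}

/* Resolve dllname!procname, save its first 5 bytes and build the 5-byte
 * "jmp rel32" (E9 xx xx xx xx) that redirects it to myfuncaddr.
 * Returns TRUE on success, FALSE (after a message box) if the module or
 * export cannot be found. Nothing is written to the target here.
 *
 * 32-bit only: rel32 = target - (entry + 5) assumes every address fits in
 * a DWORD; the arithmetic silently truncates on x64.
 * The saved 5 bytes may split an instruction; that is fine only because
 * the hook function lifts the patch before calling the original instead of
 * executing the saved bytes from a trampoline. */
BOOL HookAPI(char *dllname, char *procname, DWORD myfuncaddr, HOOKSTRUCT *hookfunc)
{
    DWORD jmpaddr;

    g_hModule = LoadLibrary(dllname);
    hookfunc->funcaddr = (g_hModule != NULL) ? GetProcAddress(g_hModule, procname) : NULL;
    if (hookfunc->funcaddr == NULL) {
        MessageBox(NULL, "Get the original function address failed", "error", MB_OK);
        return FALSE;
    }

    /* keep the bytes about to be overwritten so HookOffOne can restore them */
    memcpy(hookfunc->olddata, (const void *)hookfunc->funcaddr, 5);

    hookfunc->newdata[0] = 0xE9;                            /* jmp rel32 */
    jmpaddr = myfuncaddr - (DWORD)hookfunc->funcaddr - 5;   /* relative to the end of the jmp */
    /* exactly sizeof jmpaddr (4) bytes: the original copied 5, reading one
     * byte past jmpaddr and writing newdata[5], one past the array's end */
    memcpy(&hookfunc->newdata[1], &jmpaddr, sizeof jmpaddr);
    return TRUE;
}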

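/* Replacement that the planted jmp lands in. Same calling convention and
 * parameter types as MessageBoxA — LPCSTR, not LPCTSTR: the original
 * declaration only matched MessageBoxA in a non-UNICODE build.
 *
 * There is no trampoline: the patch is lifted, the real MessageBoxA is
 * called (with lpText replaced by a fixed demo string, caption and flags
 * passed through), and the patch is planted again. Lifting it is also what
 * keeps the inner call from re-entering this function.
 *
 * Between HookOffOne and HookOnOne any other thread's call to MessageBoxA
 * bypasses the hook, and HookOnOne then rewrites bytes that thread may be
 * executing. The demo does nothing about that race. */
int WINAPI MyMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
    int result;

    (void)lpText;   /* deliberately replaced by the demo text below */
    HookOffOne(&api_MessageBoxA);
    result = MessageBoxA(hWnd, "successful interception", lpCaption, uType);
    HookOnOne(&api_MessageBoxA);
    return result;
}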

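/* Resolve user32!MessageBoxA and activate the hook.
 * Returns TRUE when the hook is in place, FALSE with nothing patched if the
 * export cannot be resolved. The original returned nothing from a BOOL
 * function and hooked unconditionally, which on failure would write an
 * unfilled newdata to funcaddr == NULL (address 0 — at ring 0 on Win9x).
 * GetProcAddress compares export names case-sensitively, so the name must
 * be spelled exactly "MessageBoxA". */
BOOL init(void)
{
    if (!HookAPI("User32.dll", "MessageBoxA", (DWORD)MyMessageBoxA, &api_MessageBoxA)) {
        return FALSE;
    }
    HookOnOne(&api_MessageBoxA);
    return TRUE;
}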

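/* Hook on process attach, unhook on process detach.
 *
 * NOTE(review): the attach path calls LoadLibrary (inside HookAPI) and the
 * detach path calls FreeLibrary, both from DllMain, i.e. under the loader
 * lock, which Microsoft documents as unsafe. Kept because the demo's
 * structure depends on it; a real hook library would expose an
 * Init/Shutdown pair and do this work there. */
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    OSVERSIONINFO verinfo;

    (void)hModule;
    (void)lpReserved;
    verinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);

    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        dwIdNew = GetCurrentProcessId();
        if (GetVersionEx(&verinfo)) {
            SysVer = (verinfo.dwPlatformId == VER_PLATFORM_WIN32_NT);
        } else {
            /* Unknown platform: take the NT path, whose failure mode is a
             * silently failed WriteProcessMemory rather than a write to the
             * IDT that faults inside DllMain. The original read dwPlatformId
             * from an uninitialised struct in this case. */
            SysVer = TRUE;
        }
        /* FALSE makes the loader unload this DLL with nothing patched */
        return init();

    case DLL_PROCESS_DETACH:
        /* Put the original bytes back before this module goes away;
         * otherwise MessageBoxA keeps jumping into unmapped memory.
         * The original skipped this. funcaddr is NULL if init() never
         * resolved the export. */
        if (api_MessageBoxA.funcaddr != NULL) {
            HookOffOne(&api_MessageBoxA);
        }
        if (g_hModule != NULL) {
            FreeLibrary(g_hModule);
        }
        break;

    default:
        break;
    }
    return TRUE;
}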

