(3) Inject the plug-in code into the target game process. Once the code that locates and patches the IAT entry of the intercepted API has been written, together with the replacement function for that API, it still has to be injected into the address space of the game process; otherwise the game process can never reach the replacement code, because the patched IAT entry only redirects calls to an address inside the same process. There are many injection techniques: a global (system-wide) Windows hook, a registry setting that loads a DLL into every process that links USER32, CreateRemoteThread injection (Windows NT/2000 only), a Browser Helper Object (BHO), and so on. Since global hooks were already covered in the action-simulation section, and the reader should by now be familiar with building one, the example below keeps using a global hook for injection. For the other injection methods, consult the MSDN documentation. With this background we now build an example that intercepts MessageBoxA and recv. When developing a game plug-in, this example can serve as a skeleton to which the replacement functions and processing code are added. The steps are as follows: (1) Open the ActiveKey project created earlier. (2) Add the HOOKAPI structure to ActiveKey.h; it stores the name of the API function to intercept, the original API function address, and the replacement function address.
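// Describes one imported API to intercept: the import name to look for in the
// target module's IAT, the replacement that is written into that IAT entry,
// and the original entry value that HookAPIByName saves so the replacement
// can still reach (or later restore) the real function.
typedef struct tag_HOOKAPI {
    LPCSTR szFunc;    // name of the API function to hook, as spelled in the import table
    PROC   pNewProc;  // address of the replacement function written into the IAT
    PROC   pOldProc;  // original IAT value (the real API address); filled in by HookAPIByName
} HOOKAPI, *LPHOOKAPI;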
(3) Open ActiveKey.cpp and first add a function that locates, in the module's import data section, the import descriptor of a given import library (the entry that describes that library's IAT). The code is as follows:
Extern "C" __DECLSPEC (DLLEXPORT) PIMAGE_IMPORT_DEScriptor Locationiat (HModule HModule, LPCSTR SzimportMod) // where hmodule is a process module handle; SzimportMod is the name of the input library. {// Check if it is a DOS program, such as returning null, because the DOS program is not IAT. PIMAGE_DOS_HEADER PDOSHEADER = (pimage_dos_header) hmodule; if (pdosheader-> e_magic! = Image_dos_signature) return null; // Check if the NT flag, otherwise returns NULL. PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS) ((DWORD) pDOSHeader (DWORD) (pDOSHeader-> e_lfanew)); if (! PNTHeader-> Signature = IMAGE_NT_SIGNATURE) return NULL; // NULL if no table IAT. IF (pntheader-> optionalheader.dataDirectory [image_directory_entry_import] .virtualaddress == 0) return null; // Positioning the first IAT location. PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR) ((DWORD) pDOSHeader (DWORD) (pNTHeader-> OptionalHeader.DataDirectory [IMAGE_DIRECTORY_ENTRY_IMPORT] .VirtualAddress)); // check the cycle according to the input through the IAT library name, such as the return address matches the IAT, Otherwise the next IAT is detected. While (PimportDesc-> Name) {// Gets the name of the input library description of the IAT. PSTR SZCURRMOD = (PSTR) (PimportDesc-> Name); if (StricsP (SZCurRMod, SzimportMod) == 0) Break; PimportDesc ;} if (pimportdesc-> name == null) Return Null; Return PimportDesc;} Add a function to locate the IAT item that is blocked the API function and modifies its content as an alternative function address. code show as below:
Extern "C" __DECLSPEC (DLLEXPORT) HookApibyname (HModule Hmodule, LPCSTR Szimportmod, LPhookApi Phookapi) //, HModule is the process module handle; SzimportMod is the input library name; PhookAPI is the Hookapi structure pointer. {// Positioning the SzimportMod Enter the IAT address in the input data segment. PIMAGE_IMPORT_DESCRIPTOR PIMPORTDESC = Locationiat (hmodule, szimportmod); if (pimportDesc == null) return false; // The first THUNK address. PIMAGE_THUNK_DATA PORIGTHUNK = (PIMAGE_THUNK_DATA) ((DWORD) HMODULE (DWORD) (PimportDesc-> OriginalFirstthun); // The first IAT term THUNK address. PIMAGE_THUNK_DATA PreAlthunk = (PIMAGE_THUNK_DATA) (PimportDesc-> firstthunk); / / loop look up the IAT item of the Armed API function and modify its value with an alternate function address. While (PORIGTHUNK-> U1.Function) {// Check this thunk is an IAT item. IF ((PORIGTHUNK-> u1.ordinal & image_ordinal_flag)! = image_ordinal_flag) {// Gets the function name described in this IAT item. PIMAGE_IMPORT_BY_NAME PBYNAME = (PIMAGE_IMPORT_BY_NAME) ((DWORD) HMODULE (DWORD) (Porage (PBYNAME-> Name [0] == '/ 0') Return False; // Detect whether it is a shutdown function. IF (strcmpi (phookapi-> szfunc, (char *) pBYNAME-> NAME) == 0) {MEMORY_BASIC_INFORMATION MBI_THUNK; / / Query the information of the modified page. VirtualQuery (PreAlthunk, & Mbi_thunk, sizeof (memory_basic_information)); // Change the Modify Page Protection Properties is Page_Readwrite. VirtualProtect (Mbi_thunk.BaseAddress, Mbi_thunk.region, page_readwrite, & mbi_thunk.protect); // Save the original API function address. IF (PhookApi-> PoldProc == NULL) Phooki-> PoldProc = (proc) preArthunk-> u1.function; // Modify the API function IAT item as an alternative function address. PreAlthunk-> u1.function = (pdword) phookapi-> pnewproc; // Restore the modified page protection attribute.
DWORD dwOldProtect; VirtualProtect (mbi_thunk.BaseAddress, mbi_thunk.RegionSize, mbi_thunk.Protect, & dwOldProtect);}} pOrigThunk ; pRealThunk ;} SetLastError (ERROR_SUCCESS); // set the error to ERROR_SUCCESS, indicating success. Return true;} (4) Defines the replacement function, which is only blocked only for the MessageBoxa and RECVs in this instance. code show as below:
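// Replacement for MessageBoxA. It must have exactly the signature and calling
// convention of the API it replaces: after the IAT patch the game jumps here
// with its own arguments on the stack, so any mismatch corrupts the stack.
// The ANSI parameter types are used deliberately (LPCSTR, not LPCTSTR). Only
// the text and caption are replaced; hWnd and uType pass through unchanged.
static int WINAPI MessageBoxA1(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
    (void)lpText;     // the original text is discarded on purpose
    (void)lpCaption;
    // Call the ANSI entry point explicitly: the MessageBox macro would expand
    // to MessageBoxW in a Unicode build. As long as HookAPIByName is applied
    // only to the game executable's module (as in this example) this call goes
    // through the hook DLL's own, unpatched import table and does not recurse.
    return MessageBoxA(hWnd, "Hook API!", "Hook API", uType);
}

// Replacement for recv. Data received from the network passes through here
// before the game sees it, so analysis or modification code can be inserted.
// Anything added must honour the return value: only the first `received`
// bytes of buf are valid (not len), a negative value is SOCKET_ERROR, and the
// game may call WSAGetLastError afterwards, so make no other Winsock calls
// between recv and the return.
static int WINAPI recv1(SOCKET s, char FAR *buf, int len, int flags)
{
    int received = recv(s, buf, len, flags);
    // insert packet inspection / modification here, bounded by `received`
    return received;
}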
(5) Add the code that activates the API hooks to the KeyboardProc function: append the following else-if branch after the `if (wParam == 0x79)` statement:
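// Hook descriptors live at file scope (not on KeyboardProc's stack) so the
// original addresses that HookAPIByName stores in pOldProc remain valid after
// the key press, e.g. for calling the real API or restoring the IAT later.
// Place this definition above KeyboardProc in ActiveKey.cpp.
static HOOKAPI g_hookApi[2];

    // ...
    // F11 (VK_F11 == 0x7A) installs the API hooks inside the game process.
    else if (wParam == 0x7a) {
        g_hookApi[0].szFunc   = "MessageBoxA";      // import name to intercept (exact spelling)
        g_hookApi[0].pNewProc = (PROC)MessageBoxA1; // replacement
        g_hookApi[0].pOldProc = NULL;               // let HookAPIByName record the original
        g_hookApi[1].szFunc   = "recv";
        g_hookApi[1].pNewProc = (PROC)recv1;
        g_hookApi[1].pOldProc = NULL;

        // GetModuleHandle(NULL) is the game executable this DLL was injected
        // into; only that module's IAT is patched, so the same APIs called
        // from other DLLs in the process are not intercepted.
        HMODULE hExe = GetModuleHandle(NULL);
        // A FALSE result means the API is not imported by name from that
        // library (for example recv imported from ws2_32.dll rather than
        // wsock32.dll); GetLastError() says why.
        BOOL bMsgBox = HookAPIByName(hExe, "user32.dll", &g_hookApi[0]);
        BOOL bRecv   = HookAPIByName(hExe, "wsock32.dll", &g_hookApi[1]);
        if (!bMsgBox || !bRecv) {
            // handle the failed hook here (log it, or retry against ws2_32.dll)
        }
    }
    // ...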