
一个非常清晰的"Hook API"实例源码

//附件下载:http://d.download.csdn.net/down/509594/rgbsky_nudt

/*==========================a.exe===========================*/
#include <windows.h>
#pragma comment(lib,"hookapi.lib")

extern "C" __declspec(dllimport) void InstallHook4Api(HWND hwnd);

// Injector side (a.exe): polls until the target's dialog window ("程序B")
// exists, then asks hookapi.dll to install a hook scoped to the thread that
// owns that window. The loop has no timeout, so it never returns if the
// window never appears. `void main` is non-standard; the original keeps it.
void main()
{
HWND hwnd;
while(1)
{
if(hwnd =FindWindow("#32770","程序B"))// "程序B" is the target program; it calls MessageBoxA()
{
InstallHook4Api(hwnd);
break;
}
Sleep(500);
}
// Note: process A's own MessageBoxA() has been patched as well — presumably
// because a.exe imports hookapi.dll (hookapi.lib), so the DLL's DllMain ran
// in A at startup too.
MessageBoxA(NULL,"原MessageBoxA()","程序A",MB_OK);
}
/*=========================hookapi.dll=========================*/
#include <windows.h>

// Globals placed in a named section; the linker directive below ("rws")
// makes the section read/write and shared across every process that loads
// this DLL, so a write in one process is seen by all of them. Any process
// that loads the DLL can therefore alter these values, including the raw
// code bytes that are later written back into MessageBoxA.
#pragma data_seg("YuKai")
HHOOK hHook=0;          // hook handle returned by SetWindowsHookEx (InstallHook4Api)
HINSTANCE hinstDll=0;   // this DLL's module handle, set in DllMain
HANDLE hHandle=0;       // handle from OpenProcess on the current process (DllMain)
DWORD TargetPid;        // process id owning the hooked window (GetWindowThreadProcessId)

// NOTE(review): hHandle, fpApiAddr, OldCode and NewCode describe one
// process's own memory, yet they live in the cross-process shared section;
// every process's DllMain overwrites them, so the handle value an earlier
// process uses is whatever a later one wrote — confirm this is intended.
BOOL bApiHook = false;  // set on each patch/unpatch; never read in this file
FARPROC fpApiAddr=NULL; // address of user32!MessageBoxA (GetProcAddress in DllMain)
BYTE OldCode[5]={0,0,0,0,0}; // original first 5 bytes of MessageBoxA
BYTE NewCode[5]={0,0,0,0,0}; // replacement 5 bytes (0xE9 + rel32 to myMessageBoxA)

#pragma data_seg()
#pragma comment(linker,"/SECTION:YuKai,rws")

extern "C" __declspec(dllexport) void InstallHook4Api(HWND hwnd);
//---------------------------------------------------------------------------
// 空的钩子函数
LRESULT WINAPI HookProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    // Pass-through WH_GETMESSAGE procedure: it does nothing with the message
    // and simply forwards it along the hook chain. Its only role is to give
    // SetWindowsHookEx (see InstallHook4Api) a procedure that lives in this DLL.
    const LRESULT chained = CallNextHookEx(hHook, nCode, wParam, lParam);
    return chained;
}
//---------------------------------------------------------------------------
// 安装/卸载空钩子(hwnd=NULL:卸载)
// Installs (hwnd != NULL) or removes (hwnd == NULL) the pass-through
// WH_GETMESSAGE hook. The hook is limited to the thread that owns hwnd:
// GetWindowThreadProcessId returns that thread id and stores the owning
// process id in TargetPid (read later by DllMain).
// NOTE(review): the SetWindowsHookEx result is not checked, and hHook is not
// reset after UnhookWindowsHookEx, so a second NULL call unhooks a stale handle.
extern "C" __declspec(dllexport) void InstallHook4Api(HWND hwnd)
{
//GetWindowThreadProcessId(hwnd,&TargetPid);
// Hook only the thread whose window handle is hwnd
if(hwnd)
hHook = SetWindowsHookEx(WH_GETMESSAGE, (HOOKPROC)HookProc, hinstDll,GetWindowThreadProcessId(hwnd,&TargetPid));
else
if(hHook) UnhookWindowsHookEx(hHook);
}
//---------------------------------------------------------------------------
//本函数一定要用WINAPI(即__stdcall),表示本函数自己平衡堆栈(和win32 API一致)
// Replacement that the 5-byte jump written into MessageBoxA lands on. Must be
// WINAPI (__stdcall) so it pops its own arguments exactly like the Win32 API
// it stands in for. Flow: put the original bytes back, call the real
// MessageBoxA (once to announce the hook, once for the caller's request),
// then re-apply the jump, and return the caller's result.
// NOTE(review): nothing serialises this against other threads — between the
// two WriteProcessMemory calls another thread calling MessageBoxA runs the
// real, unpatched function, and a thread that observes a partially written
// 5-byte sequence may execute garbage. Return values of VirtualProtectEx and
// WriteProcessMemory are never checked.
// NOTE(review): parameters are LPCTSTR while MessageBoxA takes LPCSTR; this
// only matches in a non-UNICODE build — confirm.
int WINAPI myMessageBoxA(HWND hWnd, LPCTSTR lpText,LPCTSTR lpCaption, UINT uType)
{
DWORD dwProtect;

/* Restore the original first 5 bytes of MessageBoxA() */
VirtualProtectEx(hHandle, fpApiAddr,5, PAGE_READWRITE, &dwProtect);
WriteProcessMemory(hHandle, fpApiAddr, OldCode, 5, 0);
VirtualProtectEx(hHandle, fpApiAddr, 5, dwProtect, &dwProtect);
bApiHook = false;

MessageBoxA(hWnd, "myMessageBoxA()",
"钩子Dll", MB_OK);	// Show a dialog to indicate the API hook took effect
int nReturn = MessageBoxA(hWnd,lpText,lpCaption,uType);		// Perform the original MessageBoxA() behaviour

/* Re-write the first 5 bytes of MessageBoxA() */
VirtualProtectEx(hHandle, fpApiAddr, 5, PAGE_READWRITE,&dwProtect);
WriteProcessMemory(hHandle, fpApiAddr, NewCode, 5, 0);
VirtualProtectEx(hHandle, fpApiAddr, 5, dwProtect, &dwProtect);
bApiHook=true;

return nReturn;		// Return to the statement following the program's MessageBoxA() call
}
//---------------------------------------------------------------------------
// DLL entry point. On DLL_PROCESS_ATTACH it overwrites the first 5 bytes of
// user32!MessageBoxA in the current process with a jump to myMessageBoxA,
// pins this DLL in memory, and — in the target process only — removes the
// WH_GETMESSAGE hook that caused it to be loaded. This runs in every process
// that loads the DLL, the injector a.exe included (see main()).
// Build scope: 32-bit MSVC only (inline _asm, 32-bit relative jump).
// Returns false (aborting the load) when MessageBoxA cannot be resolved,
// true otherwise. lpReserved is unused.
// NOTE(review): LoadLibrary is called from inside DllMain (twice below), which
// runs under the loader lock and is discouraged by Microsoft's DllMain
// guidance; the OpenProcess handle is never closed; and none of the
// VirtualProtectEx / WriteProcessMemory results are checked. The patch is a
// persistent modification of a loaded user32 code page, which any
// memory-integrity check comparing loaded pages with the on-disk image
// will report.
int WINAPI DllMain(HINSTANCE hinst, unsigned long reason, void* lpReserved)
{
HMODULE hModule;
DWORD CurrentPid;
DWORD dwProtect;
char dllname[256];

hinstDll = hinst;   // consumed by SetWindowsHookEx in InstallHook4Api
switch (reason)
{
case DLL_PROCESS_ATTACH:

hModule = LoadLibrary( "user32.dll");   // hModule is never released (extra reference on user32)
fpApiAddr = GetProcAddress(hModule, "MessageBoxA");
if(fpApiAddr == NULL) return false;
/* Save MessageBoxA's original first 5 bytes into OldCode[5]:
   movsd copies 4 bytes, movsb the 5th */
_asm
{
pushad
lea edi, OldCode
mov esi, fpApiAddr
cld
movsd
movsb
popad
}
/* Build MessageBoxA's new first 5 bytes in NewCode[5]:
   0xE9 followed by the 32-bit displacement myMessageBoxA - (fpApiAddr + 5) */
NewCode[0] = 0xe9;
_asm
{
lea eax, myMessageBoxA
mov ebx, fpApiAddr
sub eax, ebx
sub eax, 5
mov dword ptr [NewCode+1], eax
}
/* Overwrite the first 5 bytes of MessageBoxA() */
CurrentPid = GetCurrentProcessId();
hHandle = OpenProcess(PROCESS_ALL_ACCESS, 0, CurrentPid);   // never closed; stored in the shared section
VirtualProtectEx(hHandle, fpApiAddr, 5, PAGE_READWRITE,&dwProtect);
WriteProcessMemory(hHandle, fpApiAddr, NewCode, 5, 0);
VirtualProtectEx(hHandle, fpApiAddr, 5, dwProtect, &dwProtect);
bApiHook=true;
// Bump our own reference count, then unhook right away (so the DLL stays
// resident in the target process after the hook is removed)
GetModuleFileName(hinst,dllname,256);
LoadLibrary(dllname);
// Only the target process may unhook; otherwise it might not yet have
// loaded the hooked-in DLL. hHook and TargetPid were written by the
// injector's InstallHook4Api and are visible here via the shared section.
if(hHook && (CurrentPid==TargetPid)) UnhookWindowsHookEx(hHook);

break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
default: break;
}
return true;
}
/*=========================================================*/