IVDZ

MessageBox Hook - Dll File

Sep 9th, 2014
  1. #include <windows.h>
  2. #include <fstream>
  3.  
  // Number of bytes rewritten at the start of the target function:
  // a 5-byte E9 rel32 jump followed by one trailing byte.
  #define SIZE 6

  // Function-pointer type with the signature and calling convention of MessageBoxA.
  typedef int (WINAPI *pMessageBoxA)(HWND, LPCSTR, LPCSTR, UINT);

  // Replacement routine that the patched MessageBoxA entry jumps to.
  int WINAPI MyMessageBoxA(HWND, LPCSTR, LPCSTR, UINT);

  // Writes the jump to the given routine over the first SIZE bytes of MessageBoxA.
  void BeginRedirect(LPVOID);

  // Address of the real MessageBoxA, resolved in DllMain.
  pMessageBoxA pOrigMBAddress = NULL;

  // Copy of the original first SIZE bytes, kept so the patch can be undone.
  BYTE oldBytes[SIZE] = {0};

  // The jump sequence that is written over those bytes.
  BYTE JMP[SIZE] = {0};

  // Page protection reported by VirtualProtect before the bytes were rewritten.
  DWORD oldProtect;

  // Protection requested while the bytes are being rewritten.
  DWORD myProtect = PAGE_EXECUTE_READWRITE;
  15.  
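  /*
   * Copies SIZE bytes from `bytes` over the start of the target function.
   *
   * The page is made writable only for the duration of the copy and its
   * previous protection is put back afterwards. VirtualProtect fails when its
   * last argument is NULL, so a real DWORD is always passed; with NULL the
   * page would silently stay PAGE_EXECUTE_READWRITE.
   *
   * savedProtect may be NULL; when given it receives the protection the page
   * had before this call.
   *
   * Returns TRUE when the bytes were written, FALSE when nothing was changed.
   *
   * Not thread-safe: another thread may be executing these bytes, or running
   * this helper, while they are rewritten.
   */
  static BOOL PatchTarget(const BYTE *bytes, DWORD *savedProtect)
  {
      LPVOID target = (LPVOID)pOrigMBAddress;
      DWORD prevProtect = 0;
      DWORD ignored = 0;

      if (target == NULL || bytes == NULL)
          return FALSE;

      if (!VirtualProtect(target, SIZE, myProtect, &prevProtect))
          return FALSE; // page is still read-only: writing would fault

      memcpy(target, bytes, SIZE);

      // Documented requirement after modifying code in memory.
      FlushInstructionCache(GetCurrentProcess(), target, SIZE);

      VirtualProtect(target, SIZE, prevProtect, &ignored);

      if (savedProtect != NULL)
          *savedProtect = prevProtect;
      return TRUE;
  }

  /*
   * DLL entry point.
   *
   * On process attach it resolves MessageBoxA in the already-loaded user32.dll
   * and installs the detour. On process detach (FreeLibrary) it restores the
   * original bytes, but only when the detour is actually in place.
   *
   * Review note: the installed patch is an E9 jump at the entry of a system
   * DLL export, so the in-memory bytes no longer match the on-disk image of
   * user32.dll; that mismatch is what in-memory integrity checks compare.
   */
  INT APIENTRY DllMain(HMODULE hDLL, DWORD Reason, LPVOID Reserved)
  {
      (void)hDLL;

      switch (Reason)
      {
      case DLL_PROCESS_ATTACH:
      {
          // GetModuleHandle does not load the module; it is NULL when
          // user32.dll is not mapped into this process.
          HMODULE user32 = GetModuleHandle(TEXT("user32.dll"));

          if (user32 != NULL)
              pOrigMBAddress = (pMessageBoxA)GetProcAddress(user32, "MessageBoxA");

          if (pOrigMBAddress != NULL)
              BeginRedirect((LPVOID)MyMessageBoxA);
          break;
      }

      case DLL_PROCESS_DETACH:
          // A non-NULL Reserved means the process is terminating, so there is
          // nothing left to restore for.
          if (Reserved != NULL)
              break;

          // Restore only when our jump is really there. The original code
          // copied oldBytes unconditionally, which wrote zeros (or faulted on
          // a NULL target) when the detour had never been installed.
          if (pOrigMBAddress != NULL && JMP[0] == 0xE9 &&
              memcmp((LPCVOID)pOrigMBAddress, JMP, SIZE) == 0)
          {
              PatchTarget(oldBytes, NULL);
          }
          break;

      case DLL_THREAD_ATTACH:
      case DLL_THREAD_DETACH:
      default:
          break;
      }
      return TRUE;
  }

  /*
   * Overwrites the first SIZE bytes of MessageBoxA with a relative jump to
   * newFunction, after saving the original bytes in oldBytes.
   *
   * Does nothing when the target was not resolved, when a jump is already
   * recorded in JMP, or when newFunction is out of reach of a 32-bit relative
   * jump (possible in a 64-bit process). On failure JMP is left zeroed so the
   * detach path does not treat the detour as installed.
   */
  void BeginRedirect(LPVOID newFunction)
  {
      // E9 rel32, then one C3 (RET) byte that is never reached.
      // The four zero bytes are placeholders for the displacement.
      BYTE patch[SIZE] = {0xE9, 0x00, 0x00, 0x00, 0x00, 0xC3};

      if (newFunction == NULL || pOrigMBAddress == NULL)
          return;

      // Already installed: backing up again would save our own jump as the
      // "original" bytes.
      if (JMP[0] == 0xE9)
          return;

      // rel32 = destination - (address of the jump + 5).
      // Unsigned arithmetic so that wrap-around is well defined.
      const UINT_PTR distance = (UINT_PTR)newFunction - (UINT_PTR)pOrigMBAddress - 5;
      const DWORD rel32 = (DWORD)distance;

      // The original cast both pointers to DWORD, which truncates them in a
      // 64-bit build. Refuse to patch when the displacement does not fit.
      if ((INT_PTR)(LONG)rel32 != (INT_PTR)distance)
          return;

      memcpy(&patch[1], &rel32, sizeof(rel32));

      // Back up the original bytes first; reading needs no protection change.
      memcpy(oldBytes, (LPCVOID)pOrigMBAddress, SIZE);
      memcpy(JMP, patch, SIZE);

      if (!PatchTarget(JMP, &oldProtect))
          memset(JMP, 0, SIZE); // nothing was written; record "not installed"
  }

  /*
   * Replacement for MessageBoxA.
   *
   * Temporarily puts the original bytes back, beeps, shows a fixed message box
   * through the real MessageBoxA, then re-applies the jump.
   *
   * lpText and lpCaption from the caller are ignored, as in the original.
   * Returns the value of the real MessageBoxA call (the original always
   * returned 0, which callers read as failure), or 0 when the original bytes
   * could not be restored.
   */
  int WINAPI MyMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uiType)
  {
      int result;

      (void)lpText;
      (void)lpCaption;

      // While the jump is in place, calling MessageBoxA would re-enter this
      // function, so give up if the original bytes cannot be restored.
      if (!PatchTarget(oldBytes, NULL))
          return 0;

      Beep(1000, 1000);
      result = MessageBoxA(hWnd, "ServatonSecure", "Hooked", uiType);

      // Re-arm the detour for the next call.
      PatchTarget(JMP, NULL);

      return result;
  }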