yorath

Inline Hook

Sep 25th, 2012
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <string.h>
/* 8-byte patch that main() writes over the entry point of CreateFileW:
 *   B8 xx xx xx xx   mov eax, imm32   (imm32 is overwritten by main with &MyCreateFile)
 *   FF E0            jmp eax
 *   00               pad, so exactly the 8 bytes saved in OldBytes are replaced
 * The 0x00400000 operand below is only a placeholder until main fills it in. */
BYTE NewBytes[8] = { 0xB8, 0x00, 0x00, 0x40, 0x00, 0xFF, 0xE0, 0x00 };

/* Original first 8 bytes of CreateFileW, captured by main before patching;
 * MyCreateFile restores them around its call into the real function. */
BYTE OldBytes[8] = { 0 };

/* Address of kernel32!CreateFileW, resolved by main via GetProcAddress. */
FARPROC CreateFile_Addr = NULL;
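/*
 * Replacement for kernel32!CreateFileW, reached through the 8-byte patch that
 * main() writes over the real entry point.  It logs the requested file name,
 * temporarily restores the original prologue so the real function can be
 * called, and then re-installs the patch.
 *
 * The parameter list is exactly that of CreateFileW (WINAPI calling
 * convention), so the patched caller's stack is consumed correctly.  The name
 * is declared as a wide string because main hooks "CreateFileW" explicitly;
 * LPCTSTR/CreateFile would silently become the ANSI variant in a non-UNICODE
 * build and mis-read every argument.
 *
 * Returns whatever the real CreateFileW returns, with its last-error code
 * preserved for the caller.
 *
 * Known limitations (unchanged from the original design):
 *  - not reentrant or thread-safe: while OldBytes are restored, a concurrent
 *    CreateFileW call bypasses the hook, and the two patch writes are not atomic.
 *  - x86 (32-bit) only: the patch is `mov eax, imm32; jmp eax`.
 */
HANDLE WINAPI MyCreateFile(
    __in          LPCWSTR lpFileName,
    __in          DWORD dwDesiredAccess,
    __in          DWORD dwShareMode,
    __in          LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    __in          DWORD dwCreationDisposition,
    __in          DWORD dwFlagsAndAttributes,
    __in          HANDLE hTemplateFile
    )
{
    HANDLE hProcess = GetCurrentProcess();   /* pseudo-handle; same as the old INVALID_HANDLE_VALUE trick, but explicit */
    HANDLE hFile;
    DWORD lastError;

    /* Restore the original 8 prologue bytes FIRST.  Anything called from here
     * on (MessageBox, printf, the CRT) may itself call CreateFileW; if the
     * patch were still in place such a call would re-enter this function
     * without bound. */
    if (!WriteProcessMemory(hProcess, (LPVOID)CreateFile_Addr,
                            (LPCVOID)OldBytes, 8, NULL))
    {
        printf("WriteProcessMemory (unhook) error %lu\n", GetLastError());
    }

    MessageBox(0, TEXT("MyCreateFile"), 0, 0);
    printf("lpFileName is %S\n",lpFileName);

    /* Call the real function; explicitly the W export, matching what main hooked. */
    hFile = CreateFileW(lpFileName, dwDesiredAccess, dwShareMode,
                        lpSecurityAttributes, dwCreationDisposition,
                        dwFlagsAndAttributes, hTemplateFile);
    /* The hooked caller will inspect GetLastError() after CreateFileW; the
     * re-hook write and printf below would otherwise clobber it. */
    lastError = GetLastError();

    /* Put the jump back so subsequent calls are hooked again. */
    if (!WriteProcessMemory(hProcess, (LPVOID)CreateFile_Addr,
                            (LPCVOID)NewBytes, 8, NULL))
    {
        printf("WriteProcessMemory (rehook) error %lu\n", GetLastError());
    }

    SetLastError(lastError);
    return hFile;
}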
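/*
 * Demo driver: installs the inline hook on kernel32!CreateFileW inside *this*
 * process, launches notepad through ShellExecuteEx, waits for it, and then
 * removes the hook again.  Only CreateFileW calls made by this process are
 * redirected; the launched child is not touched.  (Presumably the shell code
 * behind ShellExecuteEx calls CreateFileW here, which is what triggers the
 * hook in this demo.)
 *
 * Returns 0 on success, 1 when a setup step fails.  Every failure path
 * unhooks (if the patch was written) and releases the module reference.
 */
int main(void)
{
#ifdef _WIN64
#error "NewBytes encodes a 32-bit `mov eax, imm32; jmp eax`: build this as x86 only."
#endif
    int rc = 1;                               /* stays 1 until every step succeeds */
    BOOL hooked = FALSE;                      /* set once the patch is in place */
    HANDLE hProcess = GetCurrentProcess();    /* pseudo-handle to this process */
    DWORD hookTarget;
    SHELLEXECUTEINFO ShExecInfo = { 0 };      /* zero the fields we do not set explicitly */
    TCHAR pszParseName[MAX_PATH] = TEXT("C:\\Windows\\System32\\notepad.exe");

    HMODULE hModule_Kernel32 = LoadLibrary(TEXT("Kernel32.dll"));
    if (hModule_Kernel32 == NULL)
    {
        printf("LoadLibrary error %lu\n", GetLastError());
        return rc;
    }

    CreateFile_Addr = GetProcAddress(hModule_Kernel32, "CreateFileW");
    if (CreateFile_Addr == NULL)
    {
        printf("GetProcAddress error %lu\n", GetLastError());
        goto out;
    }

    /* %p: these are pointers; passing them to %x is a format/argument mismatch. */
    printf("CreateFileW_Addr is %p\n", (void*)CreateFile_Addr);
    printf("MyCreateFile Addr is %p\n", (void*)MyCreateFile);

    /* Save the first 8 bytes of the real prologue so the hook can restore them. */
    if (ReadProcessMemory(hProcess, (LPCVOID)CreateFile_Addr, OldBytes, 8, NULL) == 0)
    {
        printf("ReadProcessMemory error\n");
        goto out;
    }

    /* %02X keeps each byte two digits wide; plain %x dropped leading zeros
     * and made the dump ambiguous. */
    printf("OldBytes is %02X%02X%02X%02X%02X%02X%02X%02X\n", OldBytes[0], OldBytes[1], OldBytes[2],
        OldBytes[3], OldBytes[4], OldBytes[5], OldBytes[6], OldBytes[7]);

    /* Fill the imm32 operand of `mov eax, imm32` with the hook's address.
     * memcpy instead of a DWORD* store: NewBytes + 1 is not DWORD-aligned. */
    hookTarget = (DWORD)(DWORD_PTR)MyCreateFile;
    memcpy(NewBytes + 1, &hookTarget, sizeof hookTarget);

    printf("NewBytes is %02X%02X%02X%02X%02X%02X%02X%02X\n", NewBytes[0], NewBytes[1], NewBytes[2], NewBytes[3],
        NewBytes[4], NewBytes[5], NewBytes[6], NewBytes[7]);

    /* Install the patch.  If this write fails nothing is hooked, so stop. */
    if (!WriteProcessMemory(hProcess, (LPVOID)CreateFile_Addr, NewBytes, 8, NULL))
    {
        printf("WriteProcessMemory error %lu\n", GetLastError());
        goto out;
    }
    hooked = TRUE;

    ShExecInfo.cbSize = sizeof(SHELLEXECUTEINFO);
    ShExecInfo.fMask = SEE_MASK_WAITFORINPUTIDLE | SEE_MASK_NOCLOSEPROCESS;
    ShExecInfo.hwnd = NULL;
    ShExecInfo.lpVerb = NULL;
    ShExecInfo.lpFile = pszParseName;
    ShExecInfo.lpParameters = NULL;
    ShExecInfo.lpDirectory = NULL;
    ShExecInfo.nShow = SW_SHOWNORMAL;
    ShExecInfo.hInstApp = NULL;

    /* hProcess is only valid when ShellExecuteEx succeeds; waiting on an
     * unset handle was the original's failure mode. */
    if (!ShellExecuteEx(&ShExecInfo))
    {
        printf("ShellExecuteEx error %lu\n", GetLastError());
        goto out;
    }

    WaitForSingleObject(ShExecInfo.hProcess, INFINITE);
    CloseHandle(ShExecInfo.hProcess);
    rc = 0;

out:
    /* Remove the hook before exit so any CreateFileW call made during
     * shutdown reaches the real function rather than MyCreateFile. */
    if (hooked)
    {
        WriteProcessMemory(hProcess, (LPVOID)CreateFile_Addr, OldBytes, 8, NULL);
    }
    FreeLibrary(hModule_Kernel32);
    return rc;
}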