Before reading this article I will assume the reader already knows the basics of SEH and API hooking, because I don't intend to cover the fundamentals here. What? You don't know what SEH and API Hook are? Then... go find some material first, it is everywhere. Recommended reading: Jeffrey Richter's "Programming Applications for Microsoft Windows" (《Windows核心編程》). (No argument there: it is the bible of low-level Windows programming, a must-have!)

One more thing worth adding: an API Hook has nothing to do with an ordinary (Windows message) hook. Both are called "Hook", but technically they are worlds apart. Huh... still not clear? Go read the bible first...

Okay, enough chatter, let's get started.

Anyone who spends time on cracking will know the INT 3 instruction. (You don't? I give up...) This instruction is extremely useful in software debugging, because we can use it to set a breakpoint at a chosen spot: when the program reaches the INT 3 instruction, a breakpoint exception is raised. In Windows.inc this exception is defined as EXCEPTION_BREAKPOINT, with the value 080000003h. Hoho, after all that, does anything come to mind?

Yes, clever you has surely thought of it already! Since it is an exception, it can certainly be handled through SEH. So we can do this: before the API is called, plant a breakpoint at its entry; when the API actually runs, it hits the INT 3 and lands in our exception-handling module, and from there we can do whatever we like, whether that is changing something or simply letting it pass through. No comment from me, it is up to you...

Simply put, the process goes roughly like this:

When the program hits the INT 3 instruction, an exception is raised, and Windows walks down the SEH chain asking each callback in turn: "Will you take it?" "No." "What about you?" "Not me either." ... When Windows finally reaches the breakpoint exception handler we defined, it says: "Let me handle it!" Windows then stops asking the rest and hands everything over to our handler; as for what our handler does after that... heh, only heaven knows!

Got it? What we have done here is borrow a small software-debugging trick to implement a "pseudo API Hook". Strictly speaking this method does not count as a real API Hook, but since we can do as we please inside the SEH callback without the system noticing, it can just about count as one.

Once the principle is clear, the rest is not hard. First we save the target API's entry address, then we write an INT 3 instruction there, then in the SEH callback we do the address fix-up work: write the original byte back so the real API can run, and swap the return address on the stack for our own routine so that control comes back to us (to re-arm the breakpoint) when the API returns. With that, everything is in place. As soon as the program runs, it enters our SEH callback, and heh, you do whatever you like...

How about it? Not hard at all. After all this rambling some of you may be getting impatient... heh, don't worry, the source code follows. One more thing: this method only offers a new line of thinking. If you find a mistake of mine in your own deeper research, or have a better solution, please write to me: mailto:lcother@163.net?subject=老羅,有關(guān)SEH實(shí)現(xiàn)API Hook的問(wèn)題想跟你探討。

(Note: this technique only works on the NT/2000/XP platform.)
```asm
;*********************************************************
; Program: API Hook implemented with SEH
; Platform: Win NT/2000/XP
; Author: Luo Cong (羅聰)
; Date: 2002-11-22
; Source: http://www.LuoCong.com (老羅的繽紛天地)
; Notice: if you repost this, keep the program complete and credit:
; reposted from "老羅的繽紛天地" (http://www.LuoCong.com)
;*********************************************************

.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

WndProc       proto :DWORD, :DWORD, :DWORD, :DWORD
Error_Handler proto :DWORD, :DWORD, :DWORD, :DWORD
SetHook       proto

.const
IDI_LC               equ 1
IDC_CHECKBUTTON_HOOK equ 3000
IDC_BUTTON_ABOUT     equ 3001
IDC_BUTTON_EXIT      equ 3002

.data
szDlgName       db "lc_dialog", 0
szMsgAbout      db "-= SEH for API Hook =-", 13, 10, 13, 10,\
                   "作者:羅聰(lcother@163.net)", 13, 10, 13, 10,\
                   "老羅的繽紛天地", 13, 10,\
                   "http://www.LuoCong.com", 13, 10, 0
szMyText        db 13, 10, 13, 10, "(哈哈,看到有什么不同了嗎?)", 0
szMsgHooked     db "MessageBoxIndirectA() has been hooked!",\
                   13, 10, 13, 10,\
                   "即將改變?cè)瓉?lái)的 MessageBoxIndirectA() 的參數(shù),", 13, 10,\
                   "請(qǐng)注意后面的對(duì)話框跟沒(méi)有 Hook 之前有什么不同……", 0
szCaption       db "SEH for API Hook by LC", 0
szLibUser       db "user32", 0
szProcMsgBoxInd db "MessageBoxIndirectA", 0
dwAddress       dd 0            ; entry address of MessageBoxIndirectA
dwOldProtect    dd 0
bOldByte        db 0            ; original first byte of the API, replaced by 0CCh
dwRetAddr       dd 0            ; caller's return address, saved by Error_Handler

.data?
hInstance HINSTANCE ?
mbp       MSGBOXPARAMS <>
szText    db 1024 dup(?)        ; working copy of the About text shown by the dialog
                                ; (szMsgAbout itself is not large enough to append to)

.code
main:
    ; install our SEH frame at the head of the chain:
    assume fs:nothing
    push offset Error_Handler
    push fs:[0]
    mov fs:[0], esp

    invoke GetModuleHandle, NULL
    mov hInstance, eax
    invoke DialogBoxParam, hInstance, offset szDlgName, 0, WndProc, 0

    ; restore the previous SEH chain:
    pop fs:[0]
    pop eax
    invoke ExitProcess, 0

WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    .if uMsg == WM_CLOSE
        invoke EndDialog, hWnd, 0

    .elseif uMsg == WM_INITDIALOG
        mov eax, hWnd
        mov [mbp.hwndOwner], eax
        invoke LoadIcon, hInstance, IDI_LC
        invoke SendMessage, hWnd, WM_SETICON, ICON_SMALL, eax
        ; save the API's original entry address:
        invoke GetModuleHandle, addr szLibUser
        invoke GetProcAddress, eax, addr szProcMsgBoxInd
        mov [dwAddress], eax
        ; start with the original dialog text in the display buffer:
        invoke lstrcpy, addr szText, addr szMsgAbout

    .elseif uMsg == WM_COMMAND
        mov eax, wParam
        mov edx, eax
        shr edx, 16                 ; edx = notification code
        movzx eax, ax               ; eax = control id
        .if edx == BN_CLICKED
            .if eax == IDC_BUTTON_EXIT || eax == IDCANCEL
                invoke EndDialog, hWnd, NULL

            .elseif eax == IDC_BUTTON_ABOUT || eax == IDOK
                mov [mbp.cbSize], sizeof mbp
                mov eax, hInstance
                mov [mbp.hInstance], eax
                mov [mbp.lpszText], offset szText
                mov [mbp.lpszCaption], offset szCaption
                mov [mbp.dwStyle], MB_OK or MB_APPLMODAL or MB_USERICON
                mov [mbp.lpszIcon], IDI_LC
                invoke MessageBoxIndirect, addr mbp

            .elseif eax == IDC_CHECKBUTTON_HOOK
                ; make the page holding the API entry readable/writable/executable:
                invoke VirtualProtect, [dwAddress], 1, PAGE_EXECUTE_READWRITE, addr dwOldProtect
                invoke IsDlgButtonChecked, hWnd, IDC_CHECKBUTTON_HOOK
                mov edx, [dwAddress]
                test eax, eax
                .if zero?                           ; uninstall hook
                    mov cl, [bOldByte]              ; bOldByte = original first byte of the API
                    mov byte ptr [edx], cl          ; write the original byte back
                    invoke lstrcpy, addr szText, addr szMsgAbout    ; restore the original dialog text
                .else                               ; install hook
                    mov cl, byte ptr [edx]          ; byte ptr [edx] = original first byte of the API
                    mov byte ptr [edx], 0CCh        ; breakpoint (INT 3 instruction)
                    mov [bOldByte], cl              ; save the original byte
                    invoke lstrcpy, addr szText, addr szMsgAbout    ; change the dialog text:
                    invoke lstrcat, addr szText, addr szMyText
                .endif

            .endif
        .endif
    .else
        mov eax, FALSE
        ret
    .endif
    mov eax, TRUE
    ret
WndProc endp

;****************************************
; Exception handler
;****************************************
Error_Handler proc uses ecx lpExceptRecord:DWORD, lpFrame:DWORD, lpContext:DWORD, lpDispatch:DWORD
    ; only take the breakpoint we planted ourselves; pass everything else
    ; (other exception codes, breakpoints elsewhere) further down the chain
    mov edx, lpExceptRecord
    .if [edx].EXCEPTION_RECORD.ExceptionCode != EXCEPTION_BREAKPOINT
        mov eax, ExceptionContinueSearch
        ret
    .endif
    mov eax, [dwAddress]
    .if [edx].EXCEPTION_RECORD.ExceptionAddress != eax
        mov eax, ExceptionContinueSearch
        ret
    .endif

    ; show "API hooked":
    invoke MessageBox, [mbp.hwndOwner], addr szMsgHooked, addr szCaption,\
           MB_OK or MB_ICONINFORMATION

    ; save and change the return address of the hooked call (corrected):
    ; the thread is stopped at the API's first instruction, so [Esp] holds the
    ; caller's return address; replace it with SetHook so control comes back
    ; to us when the API returns
    ; (can't follow it? trace it in a debugger, it is easier seen than explained...)
    mov eax, [lpContext]
    mov eax, [eax][CONTEXT.regEsp]
    mov ecx, [eax]
    mov [eax], offset SetHook
    mov [dwRetAddr], ecx

    ; write the API's original first byte back so the real API can run:
    mov eax, [dwAddress]
    mov cl, [bOldByte]
    mov byte ptr [eax], cl

    ; resume execution at the (now restored) entry instruction:
    mov eax, ExceptionContinueExecution
    ret
Error_Handler endp

;****************************************
; Re-arm the hook after the API returns
;****************************************
SetHook proc
    push eax                    ; preserve the API's return value
    push ecx                    ; (explicit push/pop: a "uses" prologue would
                                ;  never be unwound because we leave via jmp)
    mov eax, [dwAddress]
    mov cl, [eax]
    mov byte ptr [eax], 0CCh    ; breakpoint (INT 3 instruction)
    mov [bOldByte], cl
    pop ecx
    pop eax
    jmp [dwRetAddr]             ; jump to the hooked call's original return address (important!)
SetHook endp

end main
;******************** over ********************
;by LC
```

Its resource file:
```rc
#include "resource.h"

#define IDI_LC 1
#define IDC_CHECKBOX_HOOK 3000
#define IDC_BUTTON_ABOUT 3001
#define IDC_BUTTON_EXIT 3002
#define IDC_STATIC -1

IDI_LC ICON "lc.ico"

LC_DIALOG DIALOGEX 10, 10, 200, 50
STYLE DS_SETFONT | DS_CENTER | WS_MINIMIZEBOX | WS_VISIBLE | WS_CAPTION | WS_SYSMENU
CAPTION "SEH for API Hook by LC, 2002-11-22"
FONT 8, "MS Sans Serif"
BEGIN
    AUTOCHECKBOX "&Hook MessageBoxIndirectA", IDC_CHECKBOX_HOOK, 5, 5, 190, 12
    PUSHBUTTON "關(guān)于(&A)", IDC_BUTTON_ABOUT, 5, 30, 90, 14, BS_FLAT | BS_CENTER
    PUSHBUTTON "退出(&X)", IDC_BUTTON_EXIT, 105, 30, 90, 14, BS_FLAT | BS_CENTER
END
```

Nothing special here; think it over and it makes sense.
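From the defender's side, as an added example that is not part of the original article: the one-byte 0CCh patch the program writes is visible to any integrity check that compares an API's first bytes in memory against a clean copy (for instance the same bytes read from the DLL on disk). The function below, written for this page, classifies an entry-point snapshot; the reference prologue bytes and the snapshots are constructed samples, not read from a real process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What the first bytes of a function entry look like. */
typedef enum {
    ENTRY_CLEAN = 0,    /* live bytes match the reference copy              */
    ENTRY_INT3,         /* 0xCC at offset 0: the SEH trick from this page   */
    ENTRY_JMP_REL32,    /* E9 rel32: classic inline detour                  */
    ENTRY_PUSH_RET,     /* 68 imm32 C3: push/ret trampoline                 */
    ENTRY_JMP_ABS,      /* FF 25 disp32: jmp dword ptr [addr]               */
    ENTRY_MODIFIED      /* differs from the reference, no known pattern     */
} entry_state;

/* Compare the first n bytes of a function as seen in the live process (live)
 * against a clean reference copy (ref).  n must cover at least one full
 * prologue instruction; 6 bytes is enough for every pattern recognised here. */
entry_state classify_entry(const uint8_t *live, const uint8_t *ref, size_t n)
{
    if (n == 0) return ENTRY_MODIFIED;          /* nothing to compare: treat as suspicious */
    if (memcmp(live, ref, n) == 0) return ENTRY_CLEAN;

    /* A lone 0xCC at offset 0 is exactly what the article's hook writes.  Its
     * handler restores the original byte only for the duration of the call and
     * re-arms it on return, so an idle hooked API always shows 0xCC. */
    if (live[0] == 0xCC && ref[0] != 0xCC) return ENTRY_INT3;
    if (n >= 5 && live[0] == 0xE9) return ENTRY_JMP_REL32;
    if (n >= 6 && live[0] == 0x68 && live[5] == 0xC3) return ENTRY_PUSH_RET;
    if (n >= 6 && live[0] == 0xFF && live[1] == 0x25) return ENTRY_JMP_ABS;
    return ENTRY_MODIFIED;
}

/* Constructed reference: the hot-patchable prologue most Win32 exports start
 * with (mov edi,edi / push ebp / mov ebp,esp / sub esp,10h). */
static const uint8_t REF_PROLOGUE[8] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };

/* Classify an 8-byte snapshot of an entry point against REF_PROLOGUE. */
entry_state check_snapshot(const uint8_t snapshot[8])
{
    return classify_entry(snapshot, REF_PROLOGUE, 8);
}

/* Stand-alone demo: clean entry, entry with the article's patch applied to a
 * local copy, entry after the handler's restore step. */
int main(void)
{
    uint8_t live[8];
    memcpy(live, REF_PROLOGUE, sizeof live);
    printf("clean:    %d\n", check_snapshot(live));   /* 0 = ENTRY_CLEAN */
    uint8_t saved = live[0];
    live[0] = 0xCC;                                    /* what the checkbox handler does */
    printf("armed:    %d\n", check_snapshot(live));   /* 1 = ENTRY_INT3  */
    live[0] = saved;                                   /* what Error_Handler does */
    printf("restored: %d\n", check_snapshot(live));   /* 0 = ENTRY_CLEAN */
    return 0;
}
```

A 0xCC at an entry point is also what a debugger's software breakpoint looks like, so correlate an ENTRY_INT3 hit with whether a debugger is legitimately attached before treating it as a hook.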