/*
挂载钩子 setdll /d:C:\Users\g\source\repos\LotTest\Release\lotDll.dll C:\Users\g\source\repos\LotTest\bin\x86\Release\net6.0-windows\LotTest.exe
卸载钩子 setdll /r C:\Users\g\source\repos\LotTest\bin\x86\Release\net6.0-windows\LotTest.exe
*/
#include <Windows.h>
#include "detours/detours.h"
// Trampoline into the genuine MessageBox. Its type must match the real API's
// signature and calling convention exactly (types that cannot be named may be
// declared as void*). Initialised to MessageBox; DetourAttach later rewrites it
// to point at the trampoline. MessageBox is the A/W macro, and the narrow
// string literals used by the hook below imply the ANSI (non-UNICODE) build.
using MessageBoxFn = int (WINAPI*)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
static MessageBoxFn REALMessageBox = MessageBox;
// Detour for MessageBox. Parameter types and return type must be identical
// to the real API. In this sample the caller's arguments are ignored and a
// fixed dialog is shown instead; the original function is always reached
// through the trampoline REALMessageBox at the end.
static int WINAPI MYMessageBox(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType)
{
    // Intercepted arguments are deliberately unused in this demo.
    (void)hWnd;
    (void)lpText;
    (void)lpCaption;
    (void)uType;

    const LPCTSTR hookText = "MyHook!! MessageBoxCRACK!!";
    const LPCTSTR hookCaption = "Please";

    // Finish by calling the genuine API via the trampoline so a dialog still appears.
    return REALMessageBox(NULL, hookText, hookCaption, MB_OK);
}
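// Installs the MessageBox detour inside one Detours transaction.
// The commit result is now checked and reported through the debugger output
// instead of being stored in an unused local and dropped.
void StartHook()
{
    // Restores the import table modified by setdll/withdll (the file header
    // shows the DLL being injected with setdll).
    DetourRestoreAfterWith();
    DetourTransactionBegin();
    // Enlist the calling thread in the transaction.
    DetourUpdateThread(GetCurrentThread());
    // Redirect calls to the real function into MYMessageBox; after commit,
    // REALMessageBox points at the trampoline to the original code.
    DetourAttach(&(PVOID&)REALMessageBox, MYMessageBox);
    const LONG err = DetourTransactionCommit();
    if (err != NO_ERROR) {
        // Hook is not installed; make the failure visible to whoever is debugging.
        OutputDebugStringA("StartHook: DetourTransactionCommit failed\n");
    }
}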
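// Removes the MessageBox detour inside one Detours transaction.
// A failed commit is reported through the debugger output rather than ignored.
void EndHook()
{
    DetourTransactionBegin();
    // Enlist the calling thread in the transaction.
    DetourUpdateThread(GetCurrentThread());
    // Point REALMessageBox back at the original function.
    DetourDetach(&(PVOID&)REALMessageBox, MYMessageBox);
    const LONG err = DetourTransactionCommit();
    if (err != NO_ERROR) {
        // The detour may still be in place; make the failure visible.
        OutputDebugStringA("EndHook: DetourTransactionCommit failed\n");
    }
}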
/*
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include "framework.h"
extern void StartHook();//新增
//新增一个导出函数,这个可以随便写,但必须至少有一个导出函数才能使用setdll远程注入
VOID __declspec(dllexport) test()
{
OutputDebugString(L"__declspec(dllexport) test() \r\n");
}
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{ StartHook(); } //新增
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
*/
// Loads a DLL into another process by writing a path string into that
// process and starting a remote thread on kernel32!LoadLibraryA.
// Defensive note: this OpenProcess(VM_WRITE) / WriteProcessMemory /
// CreateRemoteThread sequence is the pattern that Sysmon's CreateRemoteThread
// event (ID 8) and most EDR telemetry record, so expect it to be logged.
// NOTE(review): `pid` and `TRACE` are not declared anywhere in this view —
// presumably a global and a logging macro; confirm against the rest of the file.
void injectProcess() {
HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
FALSE, pid);
if (hProcess != NULL)
{
TRACE("InjectHook \n");
HANDLE hThread;
char szLibPath[_MAX_PATH];
void* pLibRemote = 0;
DWORD hLibModule = 0;
HMODULE hKernel32 = ::GetModuleHandle("Kernel32");
// NOTE(review): every early return below leaves hProcess open (handle leak).
if (!::GetSystemDirectory(szLibPath, _MAX_PATH))
return;
// NOTE(review): szLibPath already holds the system directory and an absolute
// path is appended after it, so the result is not a well-formed path; there is
// also no remaining-length check before strcat. Confirm the intended path.
strcat(szLibPath, "C:\\windows\\HookDll.dll");
// The whole buffer (sizeof, not strlen+1) is allocated and copied, including
// the uninitialised bytes after the terminator.
pLibRemote = ::VirtualAllocEx(hProcess, NULL, sizeof(szLibPath), MEM_COMMIT, PAGE_READWRITE);
if (pLibRemote == NULL)
return;
// Return value unchecked: a failed or partial write is not detected.
::WriteProcessMemory(hProcess, pLibRemote, (void*)szLibPath, sizeof(szLibPath), NULL);
// C-style cast of the FARPROC; a NULL from GetProcAddress is not checked first.
hThread = ::CreateRemoteThread(hProcess, NULL, 0,
(LPTHREAD_START_ROUTINE) ::GetProcAddress(hKernel32, "LoadLibraryA"),
pLibRemote, 0, NULL);
if (hThread != NULL)
{
::WaitForSingleObject(hThread, INFINITE);
// The exit code is the start routine's return value, i.e. LoadLibraryA's
// HMODULE truncated to a DWORD; it is stored but never inspected here.
::GetExitCodeThread(hThread, &hLibModule);
::CloseHandle(hThread);
}
// NOTE(review): hProcess is not closed on the success path either, and the
// remote allocation is never released with VirtualFreeEx.
}
}
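// Smoke test: install the detour, resolve MessageBoxA by name, trigger a
// MessageBox call (expected to land in MYMessageBox), then remove the detour.
// The unused g_pOldMessageBoxW local is dropped and the lookup result is
// checked instead of being assigned and never read.
void test() {
    StartHook();
    // DetourFindFunction resolves the export by name; NULL means the module
    // or export could not be found.
    const PVOID pMessageBoxA = DetourFindFunction("User32.dll", "MessageBoxA");
    if (pMessageBoxA == NULL) {
        OutputDebugStringA("test: DetourFindFunction(User32.dll, MessageBoxA) failed\n");
    }
    // With the hook installed this call should be intercepted by MYMessageBox.
    MessageBox(0, "test", "test", 0);
    EndHook();
}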