想在你的程序中截住API函数吗?那就快看吧!

类别:VC语言 点击:0 评论:0 推荐:

在你的程序中做一个函数func(...)

调用 func1 = ApiSpy(NULL,"GDI32.DLL","TextOutA",(PROC)func)

那么你的程序没次调用TextOut时,就会调用func 为了不破坏原有功能

请在func中调用func1。如果想截获整个系统的api,你需要做一个全局HOOK

在HOOK的DLL里的初始化时调用本函数。主要代码如下:

PROC WINAPI

ApiSpy(PSTR pDllUse,PSTR pDllName,PSTR pApiName,PROC pNewPorc)
{
    PIMAGE_DOS_HEADER   pDosHeader;
    PIMAGE_NT_HEADERS   pNTHeader;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
    PIMAGE_THUNK_DATA   pThunk;
    PROC      pOldProc;
    DWORD oldpr;
    static int Layer = 0;
    if ( pDllUse == NULL )
             Layer = 0;
    pOldProc = GetProcAddress( GetModuleHandle(pDllName),pApiName );
    if ( pOldProc == NULL )
           return NULL;
    pDosHeader = (PIMAGE_DOS_HEADER)GetModuleHandle(pDllUse);    
    if ( IsBadReadPtr(pDosHeader, sizeof(IMAGE_DOS_HEADER)) )
        return NULL;
    if ( pDosHeader->e_magic != IMAGE_DOS_SIGNATURE )
        return NULL;
    pNTHeader = MakePtr(PIMAGE_NT_HEADERS, pDosHeader, pDosHeader->e_lfanew);
   if ( IsBadReadPtr(pNTHeader, sizeof(IMAGE_NT_HEADERS)) )
        return NULL;
   if ( pNTHeader->Signature != IMAGE_NT_SIGNATURE )
        return NULL;
  pImportDesc = MakePtr(PIMAGE_IMPORT_DESCRIPTOR, pDosHeader,
                            pNTHeader->OptionalHeader.
                            DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].
                            VirtualAddress);
    if ( pImportDesc == (PIMAGE_IMPORT_DESCRIPTOR)pNTHeader )
        return NULL;
 __try{
     while ( pImportDesc->Name ){
    PSTR pszModName = MakePtr(PSTR, pDosHeader, pImportDesc->Name);
    REM("[%s]",pszModName);
    if ( stricmp(pszModName, pDllName) == 0 ){
     pThunk = MakePtr(PIMAGE_THUNK_DATA, pDosHeader, pImportDesc->FirstThunk);
     while ( pThunk->u1.Function ){ 
      REM("[%s:%s]  ?  %s %8x ==> %8x",pDllName,pApiName,pszModName,
      // (DWORD)pOldProc,(DWORD)pThunk->u1.Function);
      if ( pThunk->u1.Function == (PDWORD)pOldProc ){
       if (!VirtualProtect(pThunk, 16, PAGE_READWRITE,&oldpr)){
        REM("VirtualProtect False");
       }
       REM("ApiSpy [%s:%s] OK !",pDllName,pApiName);
       pThunk->u1.Function=(PDWORD)pNewPorc;
       return pOldProc;
      }
      pThunk++;  
     }      
     return NULL;
    }
    else{
     if ( Layer < __Layer ){
      Layer ++;
      ApiSpy(pszModName,pDllName,pApiName,pNewPorc);     
     }
    }
    pImportDesc++;
   }
    }
 __except(TRUE){
  return NULL;
 }
    return NULL; 
}

本文地址:http://com.8s8s.com/it/it3942.htm