实现钩OpenProcess实现ring3保护进程,代码

/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *实现钩OpenProcess实现ring3保护进程,,c++完整代码,,* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
# include & lt; windows.h>

// File-scope copies of the IAT-walk state. IatHook declares the same three
// names again as locals, which shadow these; nothing else in the visible code
// reads or writes them. (Machine-translated copy: "零" stands for NULL.)
PIMAGE_IMPORT_BY_NAME, pImportByName=零;
PIMAGE_THUNK_DATA,,pOriginalThunk=零;
PIMAGE_THUNK_DATA,,pFirstThunk=零;

// Core IAT hook routine: locates the import slot of FunName (imported from
// DllName) in the main module's import table and points it at RealAddr.
// Its int result is discarded by the only visible caller (DllMain).
int IatHook (const char * DllName, const char * FunName, DWORD RealAddr);


// Replacement OpenProcess; same WINAPI parameter list as the original
// (desired access, inherit flag, process ID). The declaration is garbled in
// this copy: "处理" stands for HANDLE.
处理,WINAPI,MyOpenProcess大敌;,(DWORD dwDesiredAccess, BOOL bInheritHandle,用来,DWORD dwProcessId);

// Address of the replacement, held as a DWORD ("字"). A function pointer only
// round-trips through a 32-bit integer on a 32-bit build; on x64 the upper
// half would be lost before IatHook ever writes the slot, and IatHook's
// RealAddr parameter has the same limitation.
DWORD MyOpenProcessAddr=(字)MyOpenProcess;


// Pointer type and saved address of the real OpenProcess. The parameter list
// as shown is garbled: MyOpenProcess forwards three arguments (access, inherit
// flag, process ID), so the typedef must declare all three. The reference is
// resolved through this DLL's own import, which the visible IatHook (it walks
// GetModuleHandle(NULL), i.e. the host module) does not appear to touch, so the
// forward still reaches the original function — confirm against IatHook's tail.
typedef处理(WINAPI * RealOpenProcess)字(DWORD, BOOL);
RealOpenProcess pRealOpenProcess=(RealOpenProcess) OpenProcess;


//DLL主要函数,
// DLL entry point (rendered as "开始" in this translated copy; the shape is the
// standard BOOL WINAPI DllMain(HINSTANCE, DWORD, LPVOID)). On process attach it
// rewrites the host module's OpenProcess import slot. IatHook's int result is
// ignored, so a failed hook is never reported (returning FALSE would instead
// abort the load). There is no DLL_PROCESS_DETACH branch, so the IAT slot is
// left pointing into this DLL after it is unloaded — any later OpenProcess call
// from the host would then jump into unmapped memory. DLL_PROCESS_ATTACH code
// also runs under the loader lock, which constrains what may be called here.
BOOL WINAPI开始(实例句柄hinstDLL, DWORD fdwReason, lpvReserved)的值
{
如果(fdwReason==DLL_PROCESS_ATTACH)
{
, IatHook (“Kernel32.dll”、“OpenProcess”, MyOpenProcessAddr);// hook installed once, on attach only; never removed
}
返回TRUE;
}


/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * MyOpenProcess函数的实现部分* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */


// Replacement for OpenProcess. Looks up one window by a fixed title and, when
// the caller asks for the process that owns that window, fails the call by
// returning a NULL handle; every other request is forwarded unchanged to the
// saved original. The caller-visible contract therefore matches OpenProcess
// except for that single process ID. The NULL return is not paired with a
// SetLastError call, so the caller's last-error value is whatever the preceding
// FindWindow/GetWindowThreadProcessId calls left behind rather than a meaningful
// access-denied code. ("处理" = HANDLE, "如果" = if, "返回" = return, "用来" is a
// stray translation artefact in the parameter list.)
处理WINAPI MyOpenProcess (DWORD dwDesiredAccess, BOOL bInheritHandle,用来DWORD dwProcessId)
{

// Find the window of the process to protect by its title. The leading ::
// selects the global Win32 API rather than a same-named class member, and
// TEXT() keeps the literal correct for both ANSI and Unicode builds. The title
// is hard-coded, so the filter silently stops applying once that window is
// renamed or closed (the fallback below then forwards everything).
HWND HProtect=:: FindWindow (NULL,文本(“Windows当前所有进程”)),
如果(! HProtect)
{
,返回(pRealOpenProcess (dwDesiredAccess, bInheritHandle,用来dwProcessId));
},,,,,,,,,,,,// No such window: forward to the real OpenProcess unchanged.
,,,,,,,,,,,,,,// Ask which process created the window; the PID is written to
,,,,,,,,,,,,,,// ProtectId. The function's thread-ID return value is ignored.
DWORD ProtectId;,,,,,,,,// Not initialised; only meaningful if the call below succeeds.
GetWindowThreadProcessId (HProtect,和ProtectId);
如果(ProtectId==dwProcessId),,,,,,,,,,,// dwProcessId is the PID the caller (e.g. Task Manager) is trying to open.
{
,返回0;,,,,,,,,,,,,,,,// Refuse: a NULL handle makes the caller's OpenProcess appear to fail.
}
,返回(pRealOpenProcess (dwDesiredAccess, bInheritHandle,用来dwProcessId));
}

/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * IAT,钩,函数的实现部分* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */

int IatHook (const char * DllName, const char * FunName, DWORD RealAddr)

{

/* * * * * * * * * * * * * * * * * * * * * * * * * *,找相同的DLL,* * * * * * * * * * * * * * * * * * * * * * * * * * * */
处理pBegin=GetModuleHandle (NULL);
PBYTE, pBegin2=(PBYTE) pBegin;
PIMAGE_DOS_HEADER DOS=PIMAGE_DOS_HEADER (pBegin2);
PIMAGE_NT_HEADERS NT=PIMAGE_NT_HEADERS (pBegin2 + DOS→e_lfanew);
PIMAGE_OPTIONAL_HEADER选项=,(NT→OptionalHeader);
PIMAGE_IMPORT_DESCRIPTOR进口=PIMAGE_IMPORT_DESCRIPTOR(选项→DataDirectory [1]。VirtualAddress + pBegin2);

,(进口→名称)
{
大敌;char * OurDllName=(char *)(进口→名称+ pBegin2);
,如果(0==strcmpi (DllName OurDllName))
, {
,打破;
,}
,进口+ +;
}

/* * * * * * * * * * * * * * * * * * * * * * * * *,找相同的API函数,,* * * * * * * * * * * * * * * * * * * * * * * * * * * */
PIMAGE_IMPORT_BY_NAME, pImportByName=零;
PIMAGE_THUNK_DATA,pOriginalThunk=零;
PIMAGE_THUNK_DATA,pFirstThunk=零;
pOriginalThunk=(PIMAGE_THUNK_DATA)(进口→OriginalFirstThunk + pBegin2);
pFirstThunk=(PIMAGE_THUNK_DATA)(进口→FirstThunk + pBegin2);
, (pOriginalThunk→u1.Function)//记住是函数
{
, DWORD u1=pOriginalThunk→u1.Ordinal;,//记住是序数
,如果(u1,IMAGE_ORDINAL_FLAG) !=IMAGE_ORDINAL_FLAG)//说明MSB不是1,不是以序号导入
, {
,字pImportByName=(PIMAGE_IMPORT_BY_NAME) (() pOriginalThunk→u1。AddressOfData + pBegin2);
,char * OurFunName=(char *) (pImportByName→名称);//下边的计算也可以,
,//char * OurFunName2=(char *)(字()pOriginalThunk→u1。AddressOfData + pBegin2 + 2);,
如果(0==strcmpi (FunName OurFunName))
,{
,,//获取以pFirstThunk开始的内存的信息并将其保存到MEMORY_BASIC_INFORMATION结构中
,MEMORY_BASIC_INFORMATION大敌;mbi_thunk;
,,VirtualQuery (pFirstThunk, mbi_thunk, sizeof (MEMORY_BASIC_INFORMATION));
,//VirtualProtect (mbi_thunk.BaseAddress, mbi_thunk。RegionSize、PAGE_READWRITE, mbi_thunk.Protect);
,,//修改以pFirstThunk开始的内存的的保护属性为PAGE_READWRITE并将原保护属性保存到,dwOLD中
,字,dwOLD;
