#include "stdafx.h"
#include <windows.h>
#include "stdio.h"
#include "stdlib.h"
HANDLE hProcess=0;                    // handle HookStatus writes through with WriteProcessMemory; set in DllMain
UCHAR OldCode[5]={0}, NewCode[5]={0}; // original / patched first 5 bytes of kernel32!CreateProcessW
ULONG FunAddr=0;                      // address of kernel32!CreateProcessW (truncated to ULONG: 32-bit build only)
HWND hExe=0;                          // controller window that answers the WM_COPYDATA allow/deny queries
HINSTANCE hMod=0;                     // this DLL's module handle, needed by SetWindowsHookEx in StartHook
HHOOK hHook=0;                        // WH_GETMESSAGE hook used to get this DLL loaded into other processes
// Turn the inline hook on CreateProcessW on or off by rewriting its first 5 bytes.
//   Status == TRUE  : write NewCode (jmp CreateProcessWCallBack) over the prologue
//   Status == FALSE : write OldCode (the original prologue bytes) back
// Returns TRUE when WriteProcessMemory succeeded, FALSE otherwise.
// Depends on hProcess, FunAddr, OldCode and NewCode having been filled in by
// DllMain / HookCreateProcess; with hProcess == 0 the write simply fails.
// NOTE(review): the bytes are swapped with no synchronisation, so another thread
// calling CreateProcessW while the hook is "off" runs the unpatched function.
// NOTE(review): no explicit FlushInstructionCache here; WriteProcessMemory is
// usually relied on to do that for the written range - confirm for your target.
BOOL HookStatus(BOOL Status)
{
    const UCHAR *patch = Status ? NewCode : OldCode;
    BOOL written = WriteProcessMemory(hProcess, (void *)FunAddr, patch, 5, 0);
    return written ? TRUE : FALSE;
}
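// Detour for CreateProcessW.  Before the real function runs, the image about to
// be started is sent as a NUL-terminated UTF-16 string via WM_COPYDATA to the
// controller window located in DllMain (hExe).  The controller replies 1234 to
// allow the launch; any other reply denies it.
//
// Fixes versus the original:
//   * cbData is the real byte length of the string (terminator included) instead
//     of a fixed 255, which over-read the caller's buffer and shipped whatever
//     followed it to the controller.
//   * lpApplicationName is frequently NULL (the image then comes from
//     lpCommandLine); the original sent a NULL lpData with cbData == 255.  We now
//     fall back to lpCommandLine, and to L"" if both are NULL, so the receiver
//     always gets a terminated string.
//   * A denied launch sets ERROR_ACCESS_DENIED so GetLastError() tells the caller
//     why it got FALSE; the real call's error code is preserved across re-hooking.
//
// Things a user of this hook should know:
//   * hExe == 0 (controller window not found) makes SendMessage fail and every
//     launch is denied (fails closed).
//   * The sender is blocked inside SendMessage until the controller answers.
//   * NOTE(review): if the controller runs at a higher integrity level, UIPI
//     drops WM_COPYDATA from lower-integrity senders unless the controller opts
//     in (ChangeWindowMessageFilterEx), which would also deny everything.
//   * The hook is removed while the real CreateProcessW runs, so a concurrent
//     call from another thread in that window is not inspected.
//   * This is a user-mode patch inside the monitored process: code in that
//     process can restore the bytes or reach the kernel by other routes
//     (e.g. CreateProcessA or direct syscalls).  Treat it as an observability
//     aid, not a security boundary.
// Parameters and return value are exactly those of CreateProcessW.
BOOL WINAPI CreateProcessWCallBack(LPCWSTR lpApplicationName,
                                   LPWSTR lpCommandLine,
                                   LPSECURITY_ATTRIBUTES lpProcessAttributes,
                                   LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                   BOOL bInheritHandles,
                                   DWORD dwCreationFlags,
                                   LPVOID lpEnvironment,
                                   LPCWSTR lpCurrentDirectory,
                                   LPSTARTUPINFOW lpStartupInfo,
                                   LPPROCESS_INFORMATION lpProcessInformation)
{
    // Prefer the explicit image path; when it is absent the command line names the image.
    LPCWSTR what = lpApplicationName;
    if (what == NULL) what = lpCommandLine;
    if (what == NULL) what = L"";

    COPYDATASTRUCT cds = {0};
    cds.dwData = 0;
    cds.lpData = (void *)what;
    // Byte count including the terminating NUL so the receiver can find the end.
    cds.cbData = (DWORD)((lstrlenW(what) + 1) * sizeof(WCHAR));

    // Custom protocol: wParam carries the asking process's PID (WM_COPYDATA
    // normally carries the sender HWND there).  The receiver cannot verify it.
    LRESULT verdict = SendMessage(hExe, WM_COPYDATA, (WPARAM)GetCurrentProcessId(), (LPARAM)&cds);
    if (verdict != 1234) {
        SetLastError(ERROR_ACCESS_DENIED);
        return FALSE;
    }

    // Put the original bytes back so the real function can run, then re-arm the
    // hook whatever the outcome, keeping the real call's last-error intact.
    HookStatus(FALSE);
    BOOL created = CreateProcessW(lpApplicationName,
                                  lpCommandLine,
                                  lpProcessAttributes,
                                  lpThreadAttributes,
                                  bInheritHandles,
                                  dwCreationFlags,
                                  lpEnvironment,
                                  lpCurrentDirectory,
                                  lpStartupInfo,
                                  lpProcessInformation);
    DWORD savedError = GetLastError();
    HookStatus(TRUE);
    SetLastError(savedError);
    return created;
}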
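// Install a 5-byte relative JMP at the start of kernel32!CreateProcessW that
// lands in CreateProcessWCallBack.  The overwritten prologue bytes are kept in
// OldCode so HookStatus(FALSE) can restore them.
// Returns TRUE only when the export was resolved and the patch was written.
// (The original returned TRUE unconditionally and would have read from address
// 0 if GetProcAddress failed.)
// GetModuleHandle replaces LoadLibrary: kernel32 is always mapped, and this runs
// from DllMain where taking an extra, never-released module reference is
// pointless.
// 32-bit builds only: the addresses are truncated to ULONG and a rel32 JMP
// cannot reach arbitrary 64-bit addresses.
BOOL HookCreateProcess(){
    HMODULE kernel32 = GetModuleHandle("Kernel32.dll");
    if (kernel32 == NULL) return FALSE;
    FARPROC target = GetProcAddress(kernel32, "CreateProcessW");
    if (target == NULL) return FALSE;
    FunAddr = (ULONG)target;

    // Keep the bytes we are about to overwrite so the hook can be undone.
    memcpy(OldCode, (const void *)FunAddr, 5);

    // E9 rel32: the displacement is measured from the end of the 5-byte instruction.
    NewCode[0] = 0xE9;
    ULONG rel = (ULONG)CreateProcessWCallBack - FunAddr - 5;
    memcpy(&NewCode[1], &rel, sizeof(rel));

    return HookStatus(TRUE);
}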
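// DLL entry point.
//   DLL_PROCESS_ATTACH: record a process handle for the code patch, locate the
//                       controller window by caption, and install the hook.
//   DLL_PROCESS_DETACH: restore the original CreateProcessW bytes.
// hModule is stored in hMod because StartHook needs it for SetWindowsHookEx.
//
// Change from the original: hProcess is GetCurrentProcess() instead of
// OpenProcess(PROCESS_ALL_ACCESS, ...).  The pseudo-handle cannot fail, needs no
// privilege checks and does not leak (the OpenProcess handle was never closed);
// WriteProcessMemory accepts it just the same.
//
// NOTE(review): the controller is found purely by window caption, so any process
// on the same desktop that shows a window titled "Hook CreateProcessW" first can
// answer the allow/deny queries.  If no such window exists, hExe stays 0 and every
// CreateProcessW call in this process is denied.  A failed HookCreateProcess is
// silently ignored, as before.  This runs under the loader lock; keep it minimal.
BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved)
{
    hMod = (HINSTANCE)hModule;
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        hProcess = GetCurrentProcess();
        hExe = FindWindow(NULL, "Hook CreateProcessW");
        HookCreateProcess();
        break;
    case DLL_PROCESS_DETACH:
        HookStatus(FALSE);
        break;
    }
    return TRUE;
}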
// Exported for the controller: remove the WH_GETMESSAGE hook installed by StartHook.
// Returns the result of UnhookWindowsHookEx; hHook is left as-is, exactly as before.
extern "C" __declspec(dllexport) BOOL UnLoadHook(){
    BOOL removed = UnhookWindowsHookEx(hHook);
    return removed;
}
// WH_GETMESSAGE hook procedure.  It inspects nothing; its only purpose is to
// exist so the DLL gets mapped into every hooked process (DllMain does the work).
LRESULT CALLBACK HookProc(int nCode, WPARAM wParam, LPARAM lParam){
    LRESULT next = CallNextHookEx(hHook, nCode, wParam, lParam);
    return next;
}
// Exported for the controller: install a global (thread id 0) WH_GETMESSAGE hook
// so this DLL is loaded into every GUI process on the desktop.
// Returns TRUE when SetWindowsHookEx handed back a hook handle.
extern "C" __declspec(dllexport) BOOL StartHook(){
    hHook = SetWindowsHookEx(WH_GETMESSAGE, (HOOKPROC)HookProc, hMod, 0);
    return (hHook != NULL) ? TRUE : FALSE;
}
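' Entry points exported by Hook.dll (the C++ half of this sample).
' Both return a Win32 BOOL, a 32-bit value, so they are declared As Long
' rather than the 16-bit VB Boolean; callers still use them in If ... Then,
' where any non-zero value counts as True.
Private Declare Function StartHook Lib "Hook.dll" () As Long
Private Declare Function UnLoadHook Lib "Hook.dll" () As Long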
'download by http://www.codefans.net
Private Sub cmdHook_Click()
    ' Install the global hook; once it is in place grey the button out so it
    ' cannot be installed a second time.
    If StartHook Then
        cmdHook.Enabled = False
    End If
End Sub
Private Sub cmdUnHook_Click()
    ' Remove the global hook; on success disable the button, tell the user and
    ' close the form.  Form_Unload then sees cmdUnHook.Enabled = False and does
    ' not try to unhook again.
    If UnLoadHook Then
        cmdUnHook.Enabled = False
        MsgBox "已经解除!"
        Unload Me
    End If
End Sub
Private Sub Form_Initialize()
    ' Give both buttons the flat look before the form is first shown.
    Call SetButtonFlat(cmdHook.hwnd)
    Call SetButtonFlat(cmdUnHook.hwnd)
End Sub
Private Sub Form_Load()
    ' Subclass this form: keep the original window procedure in the module
    ' variable c and route all messages through Wndproc so that WM_COPYDATA
    ' from the hook DLL can be answered.
    Const GWL_WNDPROC As Long = -4
    c = GetWindowLong(hwnd, GWL_WNDPROC)
    Call SetWindowLong(hwnd, GWL_WNDPROC, AddressOf Wndproc)
End Sub
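Private Sub Form_Unload(Cancel As Integer)
    ' Tear down in reverse order of Form_Load / cmdHook_Click:
    '  1. restore the original window procedure so no message reaches Wndproc
    '     after the form's VB objects are gone (the original never unsubclassed);
    '  2. remove the global hook unless cmdUnHook_Click already did.
    ' The original also called "Unload Me" from inside Form_Unload; the form is
    ' already being unloaded at this point, so that redundant call is dropped.
    Const GWL_WNDPROC As Long = -4
    If c <> 0 Then
        SetWindowLong hwnd, GWL_WNDPROC, c
        c = 0
    End If
    If cmdUnHook.Enabled Then UnLoadHook
End Sub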
Private Function SetButtonFlat(ByVal hwnd As Long) As Boolean
    ' OR the BS_FLAT bit (&H8000) into the button's window style.  The return
    ' value is SetWindowLong's result (the previous style) coerced to Boolean,
    ' exactly as before.
    Const GWL_STYLE As Long = -16
    Const BS_FLAT As Long = &H8000&
    Dim oldStyle As Long
    oldStyle = GetWindowLong(hwnd, GWL_STYLE)
    SetButtonFlat = SetWindowLong(hwnd, GWL_STYLE, oldStyle Or BS_FLAT)
End Function
' Win32 imports used for subclassing the form and reading the WM_COPYDATA payload.
' All handles/pointers are Long: this module, like the DLL, assumes a 32-bit process.
Public Declare Function GetWindowLong Lib "user32" Alias "GetWindowLongA" (ByVal hwnd As Long, ByVal nIndex As Long) As Long
Public Declare Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hwnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Public Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Long, ByVal hwnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Private Declare Function MessageBoxA Lib "user32" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long
' Raw memory copy; the callers below must make sure Source/Destination are valid for Length bytes.
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
' Mirror of the Win32 COPYDATASTRUCT (field order and 32-bit sizes must match
' the C struct the hook DLL fills in).
Private Type COPYDATASTRUCT
dwData As Long   ' application-defined value; the DLL leaves it 0
cbData As Long   ' byte length of the block lpData points at
lpData As Long   ' pointer to the data, marshalled into this process by Windows
End Type
Public c As Long ' original window procedure of FrmMain, saved in Form_Load and used by Wndproc to forward messages
'download by http://www.codefans.net
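' Replacement window procedure for FrmMain (installed by Form_Load).
' Handles WM_COPYDATA (&H4A) sent by the hook DLL's CreateProcessWCallBack:
'   wParam - PID of the process asking for permission (custom protocol; not the
'            sender HWND that WM_COPYDATA normally carries)
'   lParam - pointer to a COPYDATASTRUCT whose lpData holds a UTF-16 image path
'            or command line of cbData bytes
' Returns 1234 to allow the launch and 0 to deny it; every other message goes to
' the original procedure saved in c.
' Fixes versus the original: a NULL lParam/lpData or zero cbData no longer reads
' from address 0, and a payload without a NUL terminator no longer makes
' Left(s, -1) raise error 5 inside the window procedure.
' Limitations worth knowing: the PID in wParam is whatever the sender put there
' and is not verified; any process on this desktop can send this message; and the
' sender stays blocked in SendMessage until the MessageBox is answered.
Public Function Wndproc(ByVal hwnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
    Const WM_COPYDATA As Long = &H4A
    Const MB_YESNO As Long = 4
    Const IDYES As Long = 6
    Const ALLOW_REPLY As Long = 1234
    Dim s As String
    Dim cds As COPYDATASTRUCT
    Dim nulPos As Long

    ' Debug trace kept from the original: every message number is printed on the form.
    FrmMain.Print Msg

    If Msg <> WM_COPYDATA Then
        Wndproc = CallWindowProc(c, hwnd, Msg, wParam, lParam)
        Exit Function
    End If

    Wndproc = 0
    If lParam = 0 Then Exit Function
    CopyMemory cds, ByVal lParam, Len(cds)

    ' Copy only what the sender declared; never touch memory it did not pass.
    If cds.cbData > 0 And cds.lpData <> 0 Then
        s = Space(cds.cbData)
        CopyMemory ByVal s, ByVal cds.lpData, cds.cbData
        s = StrConv(s, vbFromUnicode)
        nulPos = InStr(1, s, Chr(0))
        If nulPos > 0 Then s = Left(s, nulPos - 1)
    End If

    s = "进程(Pid:" & wParam & ")要创建新进程: " & s & ",是否允许?"
    If MessageBoxA(0, s, "", MB_YESNO) = IDYES Then Wndproc = ALLOW_REPLY
End Function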