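// Godll.cpp: defines the entry point of the DLL application.
//
// On load, this DLL patches the import address table (IAT) entry for
// user32!GetCursorPos inside the module "objsys" so that calls from that
// module go to mygetcursorpos(). On unload, the original entry is restored.
//
// Project identifiers (getpoint, setpoint, hookapi, ...) are spelled as they
// appear on this page. Export names are case-sensitive for GetProcAddress,
// so confirm the casing against the real project before relying on them.

#include "stdafx.h"
#include <imagehlp.h>   // header name is missing on the page; inferred from the
                        // imagehlp.lib pragma and ImageDirectoryEntryToData
#pragma comment(lib, "imagehlp.lib")

// ---------------------------------------------------------------------------
// Shared data section.
//
// /SECTION:.mydata,RWS maps this section read/write/SHARED: every process that
// loads this DLL sees, and can modify, the same g_px / g_py. Treat the values
// as untrusted input, since any such process can change the cursor position
// that the hooked module is told about.
//
// Only initialised variables are placed in a #pragma data_seg section, so
// g_point is given an explicit initialiser.
// ---------------------------------------------------------------------------
#pragma data_seg(".mydata")
POINT g_point = { 0, 0 };
int   g_px    = -1;     // -1 means "no override, call the real API"
int   g_py    = -1;
#pragma data_seg()
#pragma comment(linker, "/section:.mydata,RWS")

HANDLE g_hinstance = NULL;  // module handle received in DllMain
PROC   bak_addr    = NULL;  // original IAT entry saved by hookapi(); per-process

// Replacement for GetCursorPos as seen by the hooked module.
//
// lppoint: receives the cursor position.
// Returns: the real API's result when no override is set, otherwise TRUE.
//
// NOTE(review): -1 is also a legal X coordinate on multi-monitor desktops, so
// an override of x == -1 cannot be expressed with this sentinel.
BOOL WINAPI mygetcursorpos(LPPOINT lppoint)
{
    if (g_px == -1) {
        typedef BOOL (WINAPI *oldgetcursorposfun)(LPPOINT);
        oldgetcursorposfun ofun = (oldgetcursorposfun)bak_addr;

        // bak_addr is NULL before the hook is installed and after it is
        // removed; use this DLL's own (unpatched) import in that window
        // instead of calling through a null pointer.
        if (ofun == NULL) {
            return GetCursorPos(lppoint);
        }
        // Propagate the real result instead of always reporting success.
        return ofun(lppoint);
    }

    if (lppoint == NULL) {
        SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;
    }
    lppoint->x = g_px;
    lppoint->y = g_py;
    return TRUE;
}

// Copies the current override coordinates into *p. Does nothing if p is NULL.
extern "C" __declspec(dllexport) void getpoint(LPPOINT p)
{
    if (p == NULL) {
        return;
    }
    p->x = g_px;
    p->y = g_py;
}

// Sets the override coordinates from *p. Does nothing if p is NULL.
extern "C" __declspec(dllexport) void setpoint(LPPOINT p)
{
    if (p == NULL) {
        return;
    }
    g_px = p->x;
    g_py = p->y;
}

// Replaces one IAT entry of a loaded module.
//
// modelstr:     name of the module whose import table is patched
//               (NULL selects the process executable), e.g. "objsys".
// byhookdllstr: name of the imported DLL to look for, e.g. "user32.dll".
// byhookfunstr: name of the imported function to replace.
// pfnnew:       address written into the IAT slot.
//
// Returns the previous content of the slot, or NULL if the module, DLL or
// function was not found, or if the slot could not be rewritten.
//
// Caveats:
//  - DllMain calls this while the loader lock is held. The MessageBox calls
//    on the error paths use user32, which Microsoft's DllMain guidance says
//    not to call from there; they are kept as diagnostics only.
//  - An IAT slot that no longer points into the imported DLL is exactly what
//    import-table integrity checks compare against the export address.
extern "C" __declspec(dllexport) PROC hookapi(PCSTR modelstr,
                                              PCSTR byhookdllstr,
                                              PCSTR byhookfunstr,
                                              PROC  pfnnew)
{
    // Writing a null pointer into the IAT would crash the host on its next
    // call, and the name comparisons below need real strings.
    if (byhookdllstr == NULL || byhookfunstr == NULL || pfnnew == NULL) {
        return NULL;
    }

    // Base address of the module to patch.
    LPVOID base = (LPVOID)GetModuleHandleA(modelstr);
    if (base == NULL) {
        // MessageBoxA(NULL, "Find Model Base ADDR Err! ", modelstr, 0);
        return NULL;
    }

    // Locate the module's import directory.
    ULONG ulsize = 0;
    PIMAGE_IMPORT_DESCRIPTOR pimporttable =
        (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(
            base, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ulsize);
    if (pimporttable == NULL) {
        MessageBoxW(NULL, L"pimporttable is null", NULL, 0);
        return NULL;
    }

    // Find the descriptor of the DLL to be hooked.
    for (; pimporttable->Name; pimporttable++) {
        PSTR pszmodname = (PSTR)((PBYTE)base + pimporttable->Name);
        if (lstrcmpiA(pszmodname, byhookdllstr) == 0) {
            break;  // found
        }
    }
    if (pimporttable->Name == 0) {
        MessageBoxA(NULL, "not found by hook DLL. ", byhookdllstr, 0);
        return NULL;
    }

    // Without an import name table there are no names to match against.
    if (pimporttable->OriginalFirstThunk == 0) {
        return NULL;
    }

    PIMAGE_THUNK_DATA porigthunk =
        (PIMAGE_THUNK_DATA)((PBYTE)base + pimporttable->OriginalFirstThunk);
    PIMAGE_THUNK_DATA pthunk =
        (PIMAGE_THUNK_DATA)((PBYTE)base + pimporttable->FirstThunk);

    for (; pthunk->u1.Function; pthunk++, porigthunk++) {
        // Imports by ordinal carry no IMAGE_IMPORT_BY_NAME record; reading
        // AddressOfData for them would follow a bogus offset.
        if (IMAGE_SNAP_BY_ORDINAL(porigthunk->u1.Ordinal)) {
            continue;
        }

        PIMAGE_IMPORT_BY_NAME pbyname =
            (PIMAGE_IMPORT_BY_NAME)((PBYTE)base + porigthunk->u1.AddressOfData);
        if (lstrcmpiA((LPCSTR)pbyname->Name, byhookfunstr) != 0) {
            continue;
        }

        PROC *ppfnentry = (PROC *)&(pthunk->u1.Function);
        PROC  bak       = *ppfnentry;

        // Unprotect only the page(s) holding this slot, not the whole
        // VirtualQuery region, and remember the previous protection.
        DWORD dwoldprotect = 0;
        if (VirtualProtect(ppfnentry, sizeof(PROC), PAGE_READWRITE,
                           &dwoldprotect) == 0) {
            MessageBoxW(NULL, L"virtualprotect [1] is err! ", NULL, 0);
            return NULL;
        }

        BOOL written = WriteProcessMemory(GetCurrentProcess(), ppfnentry,
                                          &pfnnew, sizeof(pfnnew), NULL);
        if (!written) {
            MessageBoxW(NULL, L"writeprocessmemory Err! ", NULL, 0);
        }

        // Put back the protection that was there before, rather than forcing
        // PAGE_READONLY onto memory whose original state is unknown.
        DWORD dwignored = 0;
        if (VirtualProtect(ppfnentry, sizeof(PROC), dwoldprotect,
                           &dwignored) == 0) {
            MessageBoxW(NULL, L"virtualprotect [2] is err! ", NULL, 0);
        }

        // Report failure when the slot was not rewritten, so the caller does
        // not record a hook that is not in place.
        return written ? bak : NULL;
    }

    // MessageBoxW(NULL, L"not found pimage_thunk_data", NULL, 0);
    return NULL;
}

// DLL entry point: installs the GetCursorPos hook in "objsys" on process
// attach and restores the original IAT entry on process detach.
BOOL APIENTRY DllMain(HMODULE hmodule, DWORD reason, LPVOID lpreserved)
{
    switch (reason) {
    case DLL_PROCESS_ATTACH:
        g_hinstance = hmodule;
        if (bak_addr == NULL) {
            bak_addr = hookapi("objsys", "user32.dll", "getcursorpos",
                               (PROC)mygetcursorpos);
            // bak_addr = hookapi(NULL, "user32.dll", "getcursorpos",
            //                    (PROC)mygetcursorpos);
        }
        break;

    case DLL_PROCESS_DETACH:
        // Restore the original function address. If this fails, the hooked
        // module keeps a pointer into this DLL after it is unloaded.
        if (bak_addr != NULL) {
            // hookapi(NULL, "user32.dll", "getcursorpos", bak_addr);
            hookapi("objsys", "user32.dll", "getcursorpos", bak_addr);
            bak_addr = NULL;
        }
        break;
    }
    return TRUE;
}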