Programming with VC to prevent the global hook from loading

Let's talk about how the global hook came into our program. If a program A has a wh_getmessage global hook installed, and the hook function is in B.dll, then when the other program takes a message from its own message queue, the system Discovery program a installs the Wh_getmessage global hook, Checks whether the process calling GetMessage has loaded the B.dll, and if not, calls LoadLibrary to load and then calls the hook process in B.dll. In this way, the hook DLL is loaded in all processes that invoke getmessage.

The job we have to do is to let it fail when the system calls LoadLibrary. There are two problems with doing this:

The LoadLibrary function fails this time, and the next time the system tries to load it. It may seem to affect efficiency, but even if you don't let it fail, the system will also call the hook process every time there is a message, which method is more effective? This is not known, hehe;

How do you know when to let LoadLibrary fail? Can't all let it fail, this will die very miserable: (. After the study found that the normal load DLL function calls are from the Kernel32.dll, and only the loading hook process is carried out in the User32.dll (WinXP system, later do not know whether this is the case).　　We can judge the return address of the LoadLibrary function, if it is in the User32.dll address space, it is considered to be the hook DLL loading, directly return 0 on it. And then we're going to talk about our API interception. Because the LOADLIBRARYEXW is used in user32.dll to load the hook DLL, we just need to intercept such a function. Divided into three steps:

Provide a function to replace LOADLIBRARYEXW, assuming the name is NEWLOADLIBRARYEXW, note that the function prototype is identical to LOADLIBRARYEXW, all calls to LOADLIBRARYEXW in this process will be transferred here;

HMODULE WINAPI newLoadLibraryExW(LPCWSTR lpLibFileName,HANDLE hFile,DWORD dwFlags)
{
//获取函数的返回地址参考文章最后的注1
DWORD dwCaller;
__asm push dword ptr [ebp+4]
__asm pop　dword ptr [dwCaller]　

//判断是否是 从User32.dll调用的
//m_dwUser32Low和m_dwUser32Hi保存user32.dll的加载地址的上 下限
if(dwCaller > m_dwUser32Low && dwCaller < m_dwUser32Hi)
{
　 //TRACE something hint infomation
　 return 0;
}
return rawLoadLibraryExW(lpLibFileName,hFile,dwFlags);
}

Provides a space, assuming that the starting address of this space is FAKELOADLIBRARYEXW, save the first N bytes of the LOADLIBRARYEXW function, and then jump back (loadlibraryexw+n) to the address with a JMP command, where N take 7, the concrete reason is speaking below;

Modify the first 5 bytes of the LOADLIBRARYEXW function and jump to the beginning of our NEWLOADLIBRARYEXW function with a jmp instruction. Although this is only 5 bytes, let's take a look at the first two instructions of the LOADLIBRARYEXW function://你机器上的版本具体的数字可能和我的不一样
push 34h?//6A 34
push 7C80E288h?//68 88 E2 80 7C