Windows Hook Example

Source: Internet
Author: User

1. First, create a Win32 DLL project.

#include "stdafx.h"

// The function that will later be hooked.
int WINAPI add(int a, int b) { return a + b; }

BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { return TRUE; }

Add an explicit export to the DEF file (if the project has no DEF file, add one):

LIBRARY "ADD"
EXPORTS
    add @1

2. Write the main program that calls this DLL: create a new dialog-based MFC project.

Add a declaration to the dialog header file:

#include <windef.h>

public:
    typedef int (WINAPI *AddProc)(int a, int b);  // type of add() in add.dll
    AddProc add;        // pointer to add(), filled in at startup
    HINSTANCE hAddDll;  // handle of add.dll; initialise to NULL in the constructor

Write the load code at the program entry point:

if (hAddDll == NULL)
    hAddDll = ::LoadLibrary("add.dll");
add = (AddProc)::GetProcAddress(hAddDll, "add");

Add the button handler that makes the call:

int a = 1;
int b = 2;
int c = add(a, b);
CString temp;
temp.Format("%d+%d=%d", a, b, c);
AfxMessageBox(temp);

Run the main program at this point and a message box pops up showing the result 1+2=3.

3. Write the hook DLL: create a new MFC DLL project.

In the InitInstance function, add:

hinst = ::AfxGetInstanceHandle();
DWORD dwPid = ::GetCurrentProcessId();
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwPid);
Inject();   // patch add() as soon as the DLL is loaded into a process
return CWinApp::InitInstance();

The global declarations:

#pragma data_seg("SHARED")
static HHOOK hhk = NULL;        // mouse hook handle
static HINSTANCE hinst = NULL;  // instance handle of this DLL (Hook.dll)
#pragma data_seg()
#pragma comment(linker, "/SECTION:SHARED,RWS")

CString temp;               // temporary variable used to display errors
BOOL bHook = FALSE;         // whether the hook is currently on
BOOL m_bInjected = FALSE;   // whether the API has been hooked
BYTE oldCode[5];            // the original entry code of the API
BYTE newCode[5];            // the code that jumps to the replacement (jmp xxxx)
typedef int (WINAPI *AddProc)(int a, int b);  // type of add() in add.dll
AddProc add;                // add() in add.dll
HANDLE hProcess = NULL;     // handle of the process this DLL is loaded in
FARPROC pfAdd;              // far pointer to add()
DWORD dwPid;                // process ID
// end of variable definitions

// function declarations
void HookOn();
void HookOff();             // turn the hook off
LRESULT CALLBACK MouseProc(int nCode, WPARAM wParam, LPARAM lParam);  // mouse hook procedure
void Inject();              // does the actual patching: replaces the entry code
int WINAPI MyAdd(int a, int b);  // the new add() that we define
BOOL InstallHook();         // install the hook
void UninstallHook();       // remove the hook

The implementations of the functions (the _asm blocks are MSVC inline assembly and build for 32-bit x86 only):

LRESULT CALLBACK MouseProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    LRESULT retVal = CallNextHookEx(hhk, nCode, wParam, lParam);
    return retVal;
}

BOOL InstallHook()
{
    hhk = ::SetWindowsHookEx(WH_MOUSE, MouseProc, hinst, 0);
    return hhk != NULL;   // report failure instead of always returning TRUE
}

void UninstallHook()
{
    ::UnhookWindowsHookEx(hhk);
}

void Inject()
{
    if (m_bInjected == FALSE)
    {
        m_bInjected = TRUE;
        HMODULE hmod = ::LoadLibrary("add.dll");
        add = (AddProc)::GetProcAddress(hmod, "add");
        pfAdd = (FARPROC)add;
        if (pfAdd == NULL)
        {
            AfxMessageBox("cannot locate add()");
            return;   // nothing to patch; do not read from a NULL pointer
        }
        // Save the entry code of add() into oldCode[]
        _asm
        {
            lea edi, oldCode
            mov esi, pfAdd
            cld
            movsd
            movsb
        }
        newCode[0] = 0xe9;   // 0xe9 is the opcode of a relative JMP
        // Compute the relative address of MyAdd()
        _asm
        {
            lea eax, MyAdd
            mov ebx, pfAdd
            sub eax, ebx
            sub eax, 5
            mov dword ptr [newCode + 1], eax
        }
        // newCode[] now holds the equivalent of "jmp MyAdd"
        HookOn();   // the hook can now be turned on
    }
}

void HookOn()
{
    ASSERT(hProcess != NULL);
    DWORD dwTemp = 0;
    DWORD dwOldProtect;
    // Make the memory writable; the old protection is saved in dwOldProtect
    VirtualProtectEx(hProcess, pfAdd, 5, PAGE_READWRITE, &dwOldProtect);
    // Change the first 5 bytes of add() in the owning process to jmp MyAdd
    WriteProcessMemory(hProcess, pfAdd, newCode, 5, 0);
    // Change the memory protection back to dwOldProtect
    VirtualProtectEx(hProcess, pfAdd, 5, dwOldProtect, &dwTemp);
    bHook = TRUE;
}

void HookOff()   // restores the entry code of add() in the owning process
{
    ASSERT(hProcess != NULL);
    DWORD dwTemp = 0;
    DWORD dwOldProtect;
    VirtualProtectEx(hProcess, pfAdd, 5, PAGE_READWRITE, &dwOldProtect);
    WriteProcessMemory(hProcess, pfAdd, oldCode, 5, 0);
    VirtualProtectEx(hProcess, pfAdd, 5, dwOldProtect, &dwTemp);
    bHook = FALSE;
}

int WINAPI MyAdd(int a, int b)
{
    // Intercept the call to add(): we add 1 to both a and b
    a = a + 1;
    b = b + 1;
    HookOff();   // turn the hook off so that calling add() does not loop forever
    int ret;
    ret = add(a, b);
    HookOn();    // turn the hook back on
    return ret;
}

Add the explicit exports to the DEF file (UninstallHook is listed as well because the main program looks it up by name when unloading):

InstallHook
UninstallHook

The hook DLL is complete.

4. Go back to the main program and add two buttons, one to inject and one to unload.

Injection (hinst is an HINSTANCE member of the dialog):

hinst = LoadLibrary("Hook.dll");
if (hinst == NULL)
{
    AfxMessageBox("No Hook.dll!");
    return;
}
typedef BOOL (CALLBACK *InsHook)();
InsHook instHook;
instHook = (InsHook)::GetProcAddress(hinst, "InstallHook");
if (instHook == NULL)
{
    AfxMessageBox("func not found!");
    return;
}
DWORD pid = ::GetCurrentProcessId();
BOOL ret = instHook();

Unloading:

typedef void (CALLBACK *UnhookProc)();   // UninstallHook() returns void in the DLL
UnhookProc uninstallHook;
uninstallHook = (UnhookProc)::GetProcAddress(hinst, "UninstallHook");
if (uninstallHook != NULL)
    uninstallHook();
if (hinst != NULL)
{
    ::FreeLibrary(hinst);
}
if (hAddDll != NULL)
{
    ::FreeLibrary(hAddDll);
}
CDialog::OnCancel();

Run the main program:

Calculation: displays 1+2=3

Injection: displays 1+2=5

Finished.

If anything is unclear, feel free to get in touch: 0x7317af28
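Added example (not part of the original article): the 5-byte patch that Inject() builds is an E9 opcode followed by rel32 = target - entry - 5, so a checker can decode a function's entry bytes and flag a jump that leaves the owning module. The addresses, module size and the helper names encode_jmp, decode_entry_jmp and entry_is_hooked are constructed for illustration; the code works on byte buffers only and is portable C.

```c
#include <stdint.h>
#include <stdio.h>

#define PATCH_LEN 5u   /* E9 + rel32: the 5 bytes the article overwrites */

/* Same arithmetic as the article's Inject(): rel32 = target - entry - 5. */
void encode_jmp(uint32_t entry, uint32_t target, uint8_t out[PATCH_LEN])
{
    uint32_t rel = target - entry - PATCH_LEN;   /* wraps mod 2^32 like the CPU */
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i));  /* little-endian rel32 */
}

/* Returns 1 and stores the destination if the entry starts with E9 rel32. */
int decode_entry_jmp(const uint8_t *code, uint32_t entry, uint32_t *target)
{
    if (code[0] != 0xE9)
        return 0;
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++)
        rel |= (uint32_t)code[1 + i] << (8 * i);
    *target = entry + PATCH_LEN + rel;
    return 1;
}

/* Hooked: the entry is a JMP whose destination is outside the owning module.
   A JMP that stays inside the module (e.g. a linker thunk) is not flagged. */
int entry_is_hooked(const uint8_t *code, uint32_t entry,
                    uint32_t mod_base, uint32_t mod_size)
{
    uint32_t target;
    if (!decode_entry_jmp(code, entry, &target))
        return 0;
    return (uint32_t)(target - mod_base) >= mod_size;
}

int main(void)
{
    /* Constructed layout: add.dll at 0x10000000 (0x5000 bytes), add() at
       0x10001000, MyAdd() in Hook.dll at 0x20001230. */
    const uint8_t clean[PATCH_LEN] = { 0x55, 0x8B, 0xEC, 0x8B, 0x45 };
    uint8_t patched[PATCH_LEN];
    encode_jmp(0x10001000u, 0x20001230u, patched);
    printf("clean:   hooked=%d\n",
           entry_is_hooked(clean, 0x10001000u, 0x10000000u, 0x5000u));
    printf("patched: hooked=%d\n",
           entry_is_hooked(patched, 0x10001000u, 0x10000000u, 0x5000u));
    return 0;
}
```

Because MyAdd() calls HookOff() and HookOn() around every call, a single check of the entry bytes can fall in the window where the original code is restored, so the check has to be repeated or compared against the on-disk image over time.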
