HOOK WINDOWS API 一例

 // godll.cpp : 定義 DLL 應用程式的進入點。//#include "stdafx.h"#include #pragma   comment(lib,"ImageHlp.lib") #pragma data_seg(".mydata")POINT g_point;int g_px=-1;int g_py=-1;#pragma data_seg()#pragma comment(linker, "/SECTION:.mydata,rws")HANDLE g_hInstance = NULL;PROC bak_addr = NULL;  BOOL WINAPI MyGetCursorPos(  LPPOINT lpPoint   // address of structure for cursor position  ){   if(g_px == -1 ){    typedef BOOL (WINAPI *OldGetCursorPosFun)(LPPOINT);    OldGetCursorPosFun ofun = (OldGetCursorPosFun)bak_addr;    ofun(lpPoint);   }else{    lpPoint->x = g_px;    lpPoint->y = g_py;   }   return TRUE;} extern "C" __declspec(dllexport)void GetPoint(LPPOINT p){ p->x = g_px; p->y = g_py;}extern "C" __declspec(dllexport)void SetPoint(LPPOINT p){ g_px = p->x; g_py = p->y;}  //hook api//PCSTR modelStr : model 名稱. 如 NULL 、 objsys.dll//PCSTR byHookDllStr: model 內的 dll 名稱. 如User32.dll//PCSTR byHookFunStr: 被hook api 的名稱//PROC pfnNew  : 替代函數的地址//返回舊函數 的址。//extern "C" __declspec(dllexport)PROC HookApi(PCSTR modelStr , PCSTR byHookDllStr , PCSTR byHookFunStr , PROC pfnNew){ //讀取 model 基地址 LPVOID base = (LPVOID)GetModuleHandleA(modelStr); if(base == NULL){  //MessageBoxA(NULL,"find model base addr err!",modelStr,0);        return NULL; }  //找到該 dll 的IAT ULONG ulSize; PIMAGE_IMPORT_DESCRIPTOR pImportTable = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(base,TRUE,IMAGE_DIRECTORY_ENTRY_IMPORT,&ulSize); if( pImportTable == NULL ){  MessageBox(NULL,L"pImportTable is null",NULL,0);        return NULL; } //在 ImportTable 中 找到需要  hook 的 dll    for(;pImportTable->Name;pImportTable++){        PSTR pszModName = (PSTR) ( (PBYTE)base + pImportTable->Name );        if( lstrcmpiA( pszModName, byHookDllStr ) == 0 )   break ; // if found    } if( pImportTable->Name == 0 ){  MessageBoxA(NULL,"not found by hook dll. ",byHookDllStr,0);        return NULL;    } PIMAGE_THUNK_DATA pOrigThunk = (PIMAGE_THUNK_DATA)((PBYTE)base + pImportTable->OriginalFirstThunk); PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA) ( (PBYTE)base + pImportTable->FirstThunk );    for( ;pThunk->u1.Function;pThunk++,pOrigThunk++){  PROC *ppfnEntry = (PROC*) &(pThunk->u1.Function);  PROC bak = (PROC)(*ppfnEntry);  PIMAGE_IMPORT_BY_NAME pByName =(PIMAGE_IMPORT_BY_NAME)((PBYTE)base + pOrigThunk->u1.AddressOfData);  if(lstrcmpiA((char*)pByName->Name , byHookFunStr) == 0) {   MEMORY_BASIC_INFORMATION memInfo;    VirtualQuery( ppfnEntry, &memInfo, sizeof( memInfo ));   DWORD dwOldProtect = 0;   if(VirtualProtect(memInfo.BaseAddress,memInfo.RegionSize,PAGE_READWRITE,&dwOldProtect)==0){    MessageBox(NULL,L"VirtualProtect[1] is Err!",NULL,0);    return NULL;   }       if(WriteProcessMemory(GetCurrentProcess(),ppfnEntry,&pfnNew,sizeof(pfnNew),NULL) == 0){    MessageBox(NULL,L"WriteProcessMemory Err!",NULL,0);   }        if(VirtualProtect(memInfo.BaseAddress,memInfo.RegionSize,PAGE_READONLY,&dwOldProtect )==0){    MessageBox(NULL,L"VirtualProtect[2] is Err!",NULL,0);   }      return bak;        }      } //MessageBox(NULL,L"not found PIMAGE_THUNK_DATA",NULL,0); return NULL;}  BOOL APIENTRY DllMain( HMODULE hModule,                       DWORD  reason,                       LPVOID lpReserved      ){ switch (reason){  case DLL_PROCESS_ATTACH:   g_hInstance = hModule;   if(bak_addr==NULL){    bak_addr = HookApi("objsys","user32.dll","GetCursorPos",(PROC)MyGetCursorPos);     //bak_addr = HookApi(NULL,"user32.dll","GetCursorPos",(PROC)MyGetCursorPos);    }       break;  case DLL_PROCESS_DETACH:   //當 dll 卸載 時 需要恢複， 原 dll 功能地址   if(bak_addr!=NULL){    //HookApi(NULL,"user32.dll","GetCursorPos",bak_addr);     HookApi("objsys","user32.dll","GetCursorPos",bak_addr);     bak_addr = NULL;   }   break; } return TRUE;}