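// godll.cpp : DLL entry point.
//
// Patches the import address table (IAT) of the module "objsys" so that its
// calls to user32!GetCursorPos are routed through MyGetCursorPos, which can
// report a position chosen by another process via SetPoint().
//
// SECURITY NOTE(review): g_px/g_py live in a shared, writable section
// (".mydata", /SECTION:rws). Every process that maps this DLL can write them,
// so any such process can dictate the cursor position seen by every hooked
// process. Treat the values as untrusted; they are only ever copied into a
// caller-supplied POINT, never used as an index or size.
#include <windows.h>
#include <imagehlp.h>
#pragma comment(lib, "ImageHlp.lib")

// Shared section: only *initialized* data is placed here by #pragma data_seg;
// uninitialized globals go to .bss and would NOT be shared. g_point was
// declared without an initializer in the original and therefore was not in the
// section at all (it is unused, kept for layout compatibility).
#pragma data_seg(".mydata")
POINT g_point = { 0, 0 };
int   g_px = -1;   // -1 means "not overridden, forward to the real GetCursorPos"
int   g_py = -1;   // NOTE(review): the sentinel makes x == -1 unusable as an
                   // override; negative coordinates are legal on multi-monitor
                   // setups. Kept because SetPoint/GetPoint expose this layout.
#pragma data_seg()
#pragma comment(linker, "/SECTION:.mydata,rws")

// Per-process state (outside the shared section).
HMODULE g_hInstance = NULL;
PROC    bak_addr    = NULL;   // real GetCursorPos, as read from the IAT slot before patching

typedef BOOL (WINAPI *OldGetCursorPosFun)(LPPOINT);

// Replacement for user32!GetCursorPos (same __stdcall signature).
//   lpPoint : receives the cursor position; may be NULL, in which case FALSE is
//             returned like the real API instead of dereferencing it.
// Returns the real API's result when no override is active, TRUE when the
// shared override was written. Failures of the real call are now propagated
// (the original returned TRUE unconditionally, vouching for an unfilled POINT).
BOOL WINAPI MyGetCursorPos(LPPOINT lpPoint)
{
    if (g_px == -1) {
        OldGetCursorPosFun original = (OldGetCursorPosFun)bak_addr;
        if (original == NULL) {
            return FALSE;   // hook not installed; nothing to forward to
        }
        return original(lpPoint);
    }

    if (lpPoint == NULL) {
        return FALSE;
    }
    lpPoint->x = g_px;
    lpPoint->y = g_py;
    return TRUE;
}

// Copies the current shared override into *p. NULL p is ignored.
extern "C" __declspec(dllexport)
void GetPoint(LPPOINT p)
{
    if (p == NULL) {
        return;
    }
    p->x = g_px;
    p->y = g_py;
}

// Stores *p as the shared override (x == -1 disables it). NULL p is ignored.
extern "C" __declspec(dllexport)
void SetPoint(LPPOINT p)
{
    if (p == NULL) {
        return;
    }
    g_px = p->x;
    g_py = p->y;
}

// Hook an API by patching the IAT of one module.
//   modelStr      : module whose IAT is patched, e.g. NULL (main exe) or "objsys.dll"
//   byHookDllStr  : imported DLL name inside that module, e.g. "User32.dll"
//   byHookFunStr  : imported function name to hook
//   pfnNew        : replacement function address
// Returns the previous slot value (the real function) on success, NULL if the
// module, DLL or function was not found or the slot could not be rewritten.
// Calling HookApi again with the returned address restores the original.
extern "C" __declspec(dllexport)
PROC HookApi(PCSTR modelStr , PCSTR byHookDllStr , PCSTR byHookFunStr , PROC pfnNew)
{
    if (byHookDllStr == NULL || byHookFunStr == NULL || pfnNew == NULL) {
        return NULL;
    }

    // Base address of the module whose IAT is patched.
    HMODULE hMod = GetModuleHandleA(modelStr);
    if (hMod == NULL) {
        return NULL;
    }
    PBYTE base = (PBYTE)hMod;

    // Locate the import directory.
    ULONG ulSize = 0;
    PIMAGE_IMPORT_DESCRIPTOR pImportTable = (PIMAGE_IMPORT_DESCRIPTOR)
        ImageDirectoryEntryToData(base, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize);
    if (pImportTable == NULL) {
        MessageBox(NULL, L"pImportTable is null", NULL, 0);
        return NULL;
    }

    // Find the descriptor of the DLL we want to hook.
    for (; pImportTable->Name != 0; pImportTable++) {
        PCSTR pszModName = (PCSTR)(base + pImportTable->Name);
        if (lstrcmpiA(pszModName, byHookDllStr) == 0) {
            break;
        }
    }
    if (pImportTable->Name == 0) {
        MessageBoxA(NULL, "not found by hook dll. \n", byHookDllStr, 0);
        return NULL;
    }

    // The INT (OriginalFirstThunk) still holds names/ordinals; the IAT
    // (FirstThunk) has been overwritten with resolved addresses by the loader.
    // Without an INT the names cannot be matched, so refuse instead of
    // interpreting bytes at base+0 as thunks.
    if (pImportTable->OriginalFirstThunk == 0) {
        return NULL;
    }
    PIMAGE_THUNK_DATA pOrigThunk = (PIMAGE_THUNK_DATA)(base + pImportTable->OriginalFirstThunk);
    PIMAGE_THUNK_DATA pThunk     = (PIMAGE_THUNK_DATA)(base + pImportTable->FirstThunk);

    for (; pThunk->u1.Function != 0; pThunk++, pOrigThunk++) {
        // Imports by ordinal have no IMAGE_IMPORT_BY_NAME record; the original
        // code treated the ordinal as an RVA and read out of bounds.
        if (IMAGE_SNAP_BY_ORDINAL(pOrigThunk->u1.Ordinal)) {
            continue;
        }
        PIMAGE_IMPORT_BY_NAME pByName = (PIMAGE_IMPORT_BY_NAME)(base + pOrigThunk->u1.AddressOfData);
        if (lstrcmpiA((const char *)pByName->Name, byHookFunStr) != 0) {
            continue;
        }

        PROC *ppfnEntry = (PROC *)&pThunk->u1.Function;
        PROC  bak       = *ppfnEntry;

        // Make only the IAT slot writable and put its *previous* protection back
        // afterwards. The original unprotected the whole VirtualQuery region and
        // then forced PAGE_READONLY on it, which could leave unrelated data with
        // the wrong protection.
        DWORD dwOldProtect = 0;
        if (!VirtualProtect(ppfnEntry, sizeof(*ppfnEntry), PAGE_READWRITE, &dwOldProtect)) {
            MessageBox(NULL, L"VirtualProtect[1] is Err!", NULL, 0);
            return NULL;
        }
        BOOL written = WriteProcessMemory(GetCurrentProcess(), ppfnEntry, &pfnNew, sizeof(pfnNew), NULL);
        DWORD dwIgnored = 0;
        if (!VirtualProtect(ppfnEntry, sizeof(*ppfnEntry), dwOldProtect, &dwIgnored)) {
            MessageBox(NULL, L"VirtualProtect[2] is Err!", NULL, 0);
        }
        if (!written) {
            // Slot unchanged: report failure rather than returning bak, which
            // would make the caller believe the hook is installed.
            MessageBox(NULL, L"WriteProcessMemory Err!", NULL, 0);
            return NULL;
        }
        return bak;
    }

    // Function name not present in this module's imports from that DLL.
    return NULL;
}

// Installs the hook on attach and removes it on detach.
// NOTE(review): HookApi calls ImageHlp and MessageBox from inside DllMain,
// i.e. under the loader lock; that is the original design and is kept here.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD reason, LPVOID lpReserved)
{
    switch (reason) {
    case DLL_PROCESS_ATTACH:
        g_hInstance = hModule;
        if (bak_addr == NULL) {
            bak_addr = HookApi("objsys", "user32.dll", "GetCursorPos", (PROC)MyGetCursorPos);
        }
        break;

    case DLL_PROCESS_DETACH:
        // Restore the original IAT entry when unloaded. lpReserved != NULL
        // means the process is terminating: other modules may already be gone,
        // so no cleanup is attempted in that case.
        if (lpReserved == NULL && bak_addr != NULL) {
            HookApi("objsys", "user32.dll", "GetCursorPos", bak_addr);
            bak_addr = NULL;
        }
        break;

    default:
        break;
    }
    return TRUE;
}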