好强啊VFP HOOKAPI
*!* step:
*!* 1.execute hookexample.scx
*!* 2.click load libraries button
*!* 3.double click the user32.dll item in the libraries used list.
*!* 4.select messageboxA item in function used listbox
*!* 5.click hook api button
*!* 6.click testMessageBox button
*!* luyis(coolyylu)
*!* qq:95865818
*!* mail:95865818@qq.com
*!* date:2009-02-10
* Entry point: instantiate the "hookexample" class and show it. The
* reference is held in a PUBLIC variable, so it is not released when
* this program returns.
PUBLIC oform1
m.oform1 = NEWOBJECT("hookexample")
m.oform1.Show()
RETURN
*set procedure to (sys(16)) additive
* Signature values compared against the DOS header (e_magic) and the NT
* header (Signature) of a loaded image before its import table is walked.
#define IMAGE_DOS_SIGNATURE 0x5A4D
#define IMAGE_NT_SIGNATURE 0x00004550
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1+1 && C array index 1 corresponds to VFP index 2 (VFP arrays are 1-based)
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
* High bit of a 32-bit thunk value: set when the import is by ordinal
* rather than by name (tested in HookAPIByName).
#define IMAGE_ORDINAL_FLAG 0x80000000
* Page protection value passed to VirtualProtect before an import slot
* is rewritten.
#define PAGE_READWRITE 0x0004
* Zero-filled strings of 1, 2 and 4 bytes, used as field templates when
* structure layouts are built with addItem. Pointers are 4 bytes here,
* so every layout in this file describes a 32-bit image only.
#define BYTE replicate(chr(0) ,1)
#define WORD replicate(chr(0) ,2)
#define DWORD replicate(chr(0) ,4)
#define PVOID replicate(chr(0) ,4)
* Layout kind passed to BuildType.
#define BUILDTYPE_STRUCT 0
#define BUILDTYPE_UNION 1
* Mode flag for LookupIAT / HookAPIByName: enumerate every entry through
* a callback (ALL) or search for one named entry (ONE).
#define GETTYPE_ALL 0
#define GETTYPE_ONE 1
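* LookupIAT
* Walks the import descriptor table of a loaded 32-bit image.
*
* Parameters:
*   hModule     - base address added to every RVA read from the headers.
*   sImportCall - GETTYPE_ALL: name of a callback that is invoked through
*                 EVALUATE once per imported module with two strings, the
*                 lower-cased module name and the hex address of that name.
*                 Otherwise: the module name to search for
*                 (case-insensitive).
*   tlGetAll    - GETTYPE_ALL to enumerate, any other value to search.
*
* Returns: the matching import descriptor object, or NULL when a header
* signature check fails, the image has no import directory, or the
* terminating descriptor (Name = 0) is reached. In GETTYPE_ALL mode the
* loop only stops at the terminator.
*
* The module name comes straight from the image's import table, so it is
* handed to the callback through local variables instead of being spliced
* into the evaluated expression as a quoted literal. A name containing a
* quote character can no longer change what EVALUATE executes.
Function LookupIAT
lparameters hModule As long ,sImportCall As String ,tlGetAll As Integer
    local pDosHeader ,pNTHeader ,pImportDesc ,sCurrMod
    local pImportDescIndex ,lcModName ,lcNameAddr

    * NOTE(review): the DOS header is read from GetModuleHandle(0), not
    * from hModule, while every later offset is relative to hModule. The
    * two agree only when hModule is the main executable - confirm
    * against the callers.
    pDosHeader = PIMAGE_DOS_HEADER(GetModuleHandle(0))
    * NOTE(review): gn is not declared here and is not read in this
    * function. It looks like debugging residue, kept as-is.
    gn = pDosHeader
    if pDosHeader.e_magic # IMAGE_DOS_SIGNATURE     && not a DOS executable header
        return NULL
    endif

    pNTHeader = PIMAGE_NT_HEADERS(hModule ,pDosHeader)
    if pNTHeader.Signature # IMAGE_NT_SIGNATURE     && not a Windows PE image
        return NULL
    endif
    if pNTHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = 0
        return NULL
    endif

    * pImportDesc.Name is an offset relative to the image base.
    pImportDescIndex = 0
    pImportDesc = PIMAGE_IMPORT_DESCRIPTOR(hModule ,pNTHeader ,pImportDescIndex )
    do while pImportDesc.Name>0
        * Read up to 250 bytes at the name and cut at the first NUL.
        sCurrMod = sys(2600 ,hModule + pImportDesc.Name ,250)
        sCurrMod = left(sCurrMod ,at(chr(0) ,sCurrMod)-1)
        if tlGetAll = GETTYPE_ALL
            lcModName = lower(sCurrMod)
            lcNameAddr = transform(hModule + pImportDesc.Name ,[@0])
            * The extra parentheses force pass-by-value whatever the
            * SET UDFPARMS setting is.
            evaluate(sImportCall + [((m.lcModName), (m.lcNameAddr))])
        else
            if lower(sImportCall)==lower(sCurrMod)
                exit
            endif
        endif
        pImportDescIndex = pImportDescIndex + 1
        pImportDesc = PIMAGE_IMPORT_DESCRIPTOR(hModule ,pNTHeader ,pImportDescIndex )
    enddo

    if pImportDesc.Name = 0
        return NULL
    endif
    return pImportDesc
EndFunc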
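* HookAPIByName
* Walks the by-name imports that hModule takes from sImportMod.
*
* Parameters:
*   hModule    - base address of the image whose import table is read.
*   sImportMod - name of the imported module, resolved through LookupIAT.
*   pHookApi   - GETTYPE_ALL: a string naming a callback that is invoked
*                through EVALUATE once per named import with the import
*                name and the hex value of its bound slot.
*                Otherwise: an object with sFunc, pNewProc and pOldProc.
*   tlGetAll   - GETTYPE_ALL to enumerate, any other value to toggle.
*
* Toggle mode: for the import whose name equals pHookApi.sFunc
* (case-insensitive), the bound slot is rewritten. When pOldProc is 0 the
* current slot value is saved in pOldProc and pNewProc is written. When it
* is not 0 the saved value is written back and pOldProc is reset to 0.
* Imports by ordinal are skipped.
*
* Returns .F. when the module is not found or an import name is empty,
* otherwise .T. once the thunk list has been walked.
*
* Changes from the original:
*   - "return false" referenced an undefined name and is now "return .f.".
*   - the import name is read from the image, so it is passed to the
*     callback through local variables instead of being spliced into the
*     evaluated expression as a quoted literal.
*
* A rewritten slot no longer points into the module that exports the
* function, which is what import-table integrity checks look for.
function HookAPIByName
lparameters hModule As Integer, sImportMod As String ,;
    pHookApi As Object ,tlGetAll As Integer
    local pImportDesc
    local pOrigThunk ,pRealThunk ,nThunkIndex
    local pByName ,lcName ,lcThunkAddr
    local mbi_thunk ,idata ,iProtect

    pImportDesc = LookupIAT(hModule, sImportMod ,GETTYPE_ONE)
    if isnull(pImportDesc)
        return .f.
    endif

    iProtect = 0
    nThunkIndex = 0
    * pOrigThunk carries the name references, pRealThunk the bound slots.
    * Both lists are walked with the same index.
    pOrigThunk = PIMAGE_THUNK_DATA(hModule ,pImportDesc.u.OriginalFirstThunk ,nThunkIndex )
    pRealThunk = PIMAGE_THUNK_DATA(hModule ,pImportDesc.FirstThunk ,nThunkIndex )
    do while pOrigThunk.u1.Function > 0
        if bitand(pOrigThunk.u1.Ordinal ,IMAGE_ORDINAL_FLAG) # IMAGE_ORDINAL_FLAG
            pByName = PIMAGE_IMPORT_BY_NAME(hModule ,pOrigThunk.u1.AddressOfData)
            if pByName.Name[1] = 0
                return .f.
            endif
            * The name starts right after the Hint field. Read up to 250
            * bytes and cut at the first NUL.
            lcName = sys(2600 ,pByName.__addr + pByName.__Size([Hint]) ,250)
            lcName = left(lcName ,at(chr(0) ,lcName)-1)
            if tlGetAll = GETTYPE_ALL
                lcThunkAddr = transform(pRealThunk.u1.Function ,[@0])
                * The extra parentheses force pass-by-value whatever the
                * SET UDFPARMS setting is.
                evaluate(pHookApi + [((m.lcName), (m.lcThunkAddr))])
            else
                if lower(pHookApi.sFunc) == lower(lcName)
                    * Query the region that holds the slot, then make it
                    * writable. VirtualProtect returns the previous
                    * protection in iProtect, and it is kept in
                    * mbi_thunk.Protect for the restore call below.
                    * NOTE(review): the results of VirtualQuery and
                    * VirtualProtect are not checked. If either call
                    * fails, the write below is attempted anyway.
                    mbi_thunk = MEMORY_BASIC_INFORMATION()
                    idata = replicate(chr(0) ,SizeOf(mbi_thunk))
                    VirtualQuery(pRealThunk.__addr, @idata , SizeOf(mbi_thunk))
                    WriteToObj(mbi_thunk ,@idata)
                    iProtect = mbi_thunk.Protect
                    VirtualProtect(mbi_thunk.BaseAddress ,mbi_thunk.RegionSize , PAGE_READWRITE ,@iProtect)
                    mbi_thunk.Protect = iProtect
                    if pHookApi.pOldProc = 0
                        pHookApi.pOldProc = pRealThunk.u1.Function  && remember the current slot value
                        *?'new function',transform(pHookApi.pNewProc ,[@0]) ,'original function:'+transform(pRealThunk.u1.Function ,[@0])
                        *pRealThunk.u1.Function = pHookApi.pNewProc
                        WriteToObj(pRealThunk.u1 ,bintoc(pHookApi.pNewProc ,[4rs]))
                    else
                        *pRealThunk.u1.Function = pHookApi.pOldProc  && restore the original
                        WriteToObj(pRealThunk.u1 ,bintoc(pHookApi.pOldProc ,[4rs]))
                        pHookApi.pOldProc = 0
                    endif
                    WriteObjToMemory(pRealThunk)    && commit the updated slot to memory
                    * Put the previous page protection back.
                    iProtect = 0
                    VirtualProtect(mbi_thunk.BaseAddress, mbi_thunk.RegionSize, mbi_thunk.Protect, @iProtect)
                endif
            endif
        endif
        nThunkIndex = nThunkIndex + 1
        pOrigThunk = PIMAGE_THUNK_DATA(hModule ,pImportDesc.u.OriginalFirstThunk ,nThunkIndex )
        pRealThunk = PIMAGE_THUNK_DATA(hModule ,pImportDesc.FirstThunk ,nThunkIndex )
    enddo
    return .t.
endfunc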
* MEMORY_BASIC_INFORMATION
* Builds an empty layout object with seven 4-byte fields, in the order
* they are filled from the buffer returned by VirtualQuery. Nothing is
* read from memory here. The caller fills the object with WriteToObj.
function MEMORY_BASIC_INFORMATION
    local loInfo
    loInfo = BuildType(BUILDTYPE_STRUCT)
    addItem(loInfo ,[BaseAddress] ,PVOID)
    addItem(loInfo ,[AllocationBase] ,PVOID)
    addItem(loInfo ,[AllocationProtect] ,DWORD)
    addItem(loInfo ,[RegionSize] ,DWORD)
    addItem(loInfo ,[State] ,DWORD)
    addItem(loInfo ,[Protect] ,DWORD)
    addItem(loInfo ,[Type] ,DWORD)
    return loInfo
endfunc
* PIMAGE_IMPORT_BY_NAME
* Reads the hint/name record located at hModule + pData and returns it
* as a layout object. The object's __addr is set to that address.
*   hModule - image base address.
*   pData   - offset of the record, relative to hModule.
* NOTE(review): the address is not validated before SYS(2600) reads
* from it. An offset that points outside mapped memory presumably
* faults - confirm.
function PIMAGE_IMPORT_BY_NAME
lparameters hModule ,pData
    local loByName ,lnAddr ,lcRaw
    lnAddr = hModule + pData

    loByName = BuildType(BUILDTYPE_STRUCT)
    addItem(loByName ,[Hint] ,WORD)
    * Only the first byte of the name is mapped. Callers read the full
    * string themselves, starting right after Hint.
    addItem(loByName ,[Name(1)] ,[BYTE] ,1)
    loByName.__addr = lnAddr

    * Copy Sizeof() bytes from memory into the layout object.
    lcRaw = sys(2600 ,lnAddr ,Sizeof(loByName))
    WriteToObj(loByName ,@lcRaw)
    return loByName
endfunc
* PIMAGE_THUNK_DATA
* Reads entry nIndex of a thunk array and returns it as a layout object
* with a single union member u1. The object's __addr is set to the
* address of the entry, which is what HookAPIByName later writes back to.
*   hModule    - image base address.
*   pThunkAddr - offset of the first thunk, relative to hModule.
*   nIndex     - zero-based entry index.
Function PIMAGE_THUNK_DATA
Lparameters hModule ,pThunkAddr ,nIndex
    local loThunk ,lnAddr ,lcRaw
    loThunk = BuildType(BUILDTYPE_STRUCT)
    addItem(loThunk ,[u1] ,U1())

    * The entry size comes from the layout itself.
    lnAddr = hModule + pThunkAddr + nIndex*Sizeof(loThunk)
    loThunk.__addr = lnAddr

    lcRaw = sys(2600 ,lnAddr ,Sizeof(loThunk))
    WriteToObj(loThunk ,@lcRaw)
    return loThunk
EndFunc
* U1
* Builds the union layout used inside a thunk entry: four 4-byte
* members declared with BUILDTYPE_UNION.
Function U1
    local loUnion
    loUnion = BuildType(BUILDTYPE_UNION)
    addItem(loUnion ,[ForwarderString] ,DWORD)
    addItem(loUnion ,[Function] ,DWORD)
    addItem(loUnion ,[Ordinal] ,DWORD)
    addItem(loUnion ,[AddressOfData] ,DWORD)
    Return loUnion
EndFunc
* PIMAGE_IMPORT_DESCRIPTOR
* Reads import descriptor number nIndex (zero-based) of the image at
* hModule and returns it as a layout object.
*   hModule - image base address.
*   lpNT    - NT headers object. Its import data directory gives the
*             offset of the first descriptor.
*   nIndex  - zero-based descriptor index.
* Unlike the other readers in this file, this one does not set __addr
* on the returned object.
Function PIMAGE_IMPORT_DESCRIPTOR
lparameter hModule ,lpNT As PIMAGE_NT_HEADERS ,nIndex
    local loDesc ,lnAddr ,lcRaw
    loDesc = BuildType(BUILDTYPE_STRUCT)
    addItem(loDesc ,[u],DUMMYUNIONNAME())
    addItem(loDesc ,[TimeDateStamp] ,DWORD)
    addItem(loDesc ,[ForwarderChain],DWORD)
    addItem(loDesc ,[Name] ,DWORD)
    addItem(loDesc ,[FirstThunk] ,DWORD)

    * base + offset of the import directory + nIndex descriptors
    lnAddr = hModule + ;
        lpNT.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + ;
        SizeOf(loDesc)*nIndex

    lcRaw = sys(2600 ,lnAddr ,Sizeof(loDesc))
    WriteToObj(loDesc ,@lcRaw)
    return loDesc
EndFunc
* DUMMYUNIONNAME
* Builds the union layout that opens an import descriptor: two 4-byte
* members declared with BUILDTYPE_UNION.
Function DUMMYUNIONNAME
    local loUnion
    loUnion = BuildType(BUILDTYPE_UNION)
    addItem(loUnion ,[Characteristics] ,DWORD)
    addItem(loUnion ,[OriginalFirstThunk] ,DWORD)
    return loUnion
EndFunc
* PIMAGE_NT_HEADERS
* Reads the NT headers found at hModule + lpDos.e_lfanew and returns
* them as a layout object (Signature, FileHeader, OptionalHeader).
*   hModule - image base address.
*   lpDos   - DOS header object, used only for its e_lfanew offset.
* The caller is expected to check Signature. Nothing is validated here.
Function PIMAGE_NT_HEADERS
lparameter hModule ,lpDos As PIMAGE_DOS_HEADER
    local loNT ,lnAddr ,lcRaw
    lnAddr = hModule + lpDos.e_lfanew

    loNT = BuildType(BUILDTYPE_STRUCT)
    addItem(loNT ,[Signature] ,DWORD)
    addItem(loNT ,[FileHeader] ,IMAGE_FILE_HEADER())
    addItem(loNT ,[OptionalHeader],IMAGE_OPTIONAL_HEADER())

    lcRaw = sys(2600 ,lnAddr ,Sizeof(loNT))
    WriteToObj(loNT ,@lcRaw)
    return loNT
EndFunc
* IMAGE_OPTIONAL_HEADER
* Builds the layout of the optional header as an empty object. Nothing
* is read from memory here. The field list (BaseOfData present,
* ImageBase and the stack/heap sizes 4 bytes wide) is the 32-bit form.
* Nothing in this function checks Magic, so a 64-bit image would be
* parsed with the wrong offsets.
Function IMAGE_OPTIONAL_HEADER
    local loOpt
    loOpt = BuildType(BUILDTYPE_STRUCT)

    * Standard fields
    addItem(loOpt ,[Magic] ,WORD)
    addItem(loOpt ,[MajorLinkerVersion] ,BYTE)
    addItem(loOpt ,[MinorLinkerVersion] ,BYTE)
    addItem(loOpt ,[SizeOfCode] ,DWORD)
    addItem(loOpt ,[SizeOfInitializedData] ,DWORD)
    addItem(loOpt ,[SizeOfUninitializedData] ,DWORD)
    addItem(loOpt ,[AddressOfEntryPoint] ,DWORD)
    addItem(loOpt ,[BaseOfCode] ,DWORD)
    addItem(loOpt ,[BaseOfData] ,DWORD)

    * Windows-specific fields
    addItem(loOpt ,[ImageBase] ,DWORD)
    addItem(loOpt ,[SectionAlignment] ,DWORD)
    addItem(loOpt ,[FileAlignment] ,DWORD)
    addItem(loOpt ,[MajorOperatingSystemVersion],WORD)
    addItem(loOpt ,[MinorOperatingSystemVersion],WORD)
    addItem(loOpt ,[MajorImageVersion] ,WORD)
    addItem(loOpt ,[MinorImageVersion] ,WORD)
    addItem(loOpt ,[MajorSubsystemVersion] ,WORD)
    addItem(loOpt ,[MinorSubsystemVersion] ,WORD)
    addItem(loOpt ,[Win32VersionValue] ,DWORD)
    addItem(loOpt ,[SizeOfImage] ,DWORD)
    addItem(loOpt ,[SizeOfHeaders] ,DWORD)
    addItem(loOpt ,[CheckSum] ,DWORD)
    addItem(loOpt ,[Subsystem] ,WORD)
    addItem(loOpt ,[DllCharacteristics] ,WORD)
    addItem(loOpt ,[SizeOfStackReserve] ,DWORD)
    addItem(loOpt ,[SizeOfStackCommit] ,DWORD)
    addItem(loOpt ,[SizeOfHeapReserve] ,DWORD)
    addItem(loOpt ,[SizeOfHeapCommit] ,DWORD)
    addItem(loOpt ,[LoaderFlags] ,DWORD)
    addItem(loOpt ,[NumberOfRvaAndSizes] ,DWORD)

    * Array of IMAGE_NUMBEROF_DIRECTORY_ENTRIES data-directory entries.
    * NOTE(review): the element type is passed as a bracket-quoted string,
    * presumably so addItem can evaluate it once per element - confirm.
    addItem(loOpt ,[DataDirectory(1)] ,[IMAGE_DATA_DIRECTORY()] ,IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
    return loOpt
EndFunc