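// Installs a WH_GETMESSAGE hook (GetMsgProc) and a WH_CALLWNDPROC hook
// (CallWndProc), both registered with thread id 0.
//
// With thread id 0 these hook types apply to every thread on the caller's
// desktop, so the module returned by ModuleFromAddress() gets loaded into
// other processes. Treat that DLL as code running inside each hooked process.
//
// hAlphaWnd  Window handle published in sg_hAlphaWnd once BOTH hooks are
//            installed; sg_hAlphaWnd stays NULL on failure.
// Returns 1 when both hooks are installed, 0 otherwise. On failure no hook is
// left installed and no stale handle is left behind.
int WINAPI InstallExplorerMsgHook(HWND hAlphaWnd)
{
    sg_hAlphaWnd = NULL;

    // NOTE(review): the HOOKPROC casts hide any signature mismatch between
    // GetMsgProc/CallWndProc and HOOKPROC -- confirm both use the
    // LRESULT CALLBACK (int, WPARAM, LPARAM) form.
    sg_hGetMsgHook = ::SetWindowsHookEx(
        WH_GETMESSAGE,
        (HOOKPROC)(GetMsgProc),
        ModuleFromAddress(GetMsgProc),
        0);
    if (sg_hGetMsgHook == NULL)
    {
        return 0;
    }

    sg_hCallWndProcHook = ::SetWindowsHookEx(
        WH_CALLWNDPROC,
        (HOOKPROC)(CallWndProc),
        ModuleFromAddress(CallWndProc),
        0);
    if (sg_hCallWndProcHook == NULL)
    {
        // Roll back the first hook and forget its handle. Keeping the dead
        // handle around would let a later uninstall path pass it to
        // UnhookWindowsHookEx again.
        UnhookWindowsHookEx(sg_hGetMsgHook);
        sg_hGetMsgHook = NULL;
        return 0;
    }

    sg_hAlphaWnd = hAlphaWnd;
    return 1;
}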
//--------------------------------------------------------------------------- //ReplaceIATEntryInAllModules void WINAPI TAPIHook::ReplaceIATEntryInAllModules(PCSTR DllName, PROC pfnCurrent,PROC pfnNew,bool IsHookSelfDll) { // 是否Hook DLL本身的相应函数。对一些系统函数,如GetProcAddress、LoadLibraryA、 // LoadLibraryW、LoadLibraryEx、LoadLibraryExW这些函数,DLL本身是不能对它们进 // 行Hook的,否则会引起死循环。 HMODULE hThisModule = NULL; hThisModule = (IsHookSelfDll) ? NULL : ModuleFromAddress(ReplaceIATEntryInAllModules); ///// HANDLE hSnapshot; MODULEENTRY32 ModEntry32; DWORD dwProcessId; BOOL Result; dwProcessId = GetCurrentProcessId(); hSnapshot = CreateToolhelp32Snapshot((DWORD)TH32CS_SNAPMODULE,dwProcessId); ModEntry32.dwSize = sizeof(MODULEENTRY32); Result = Module32First(hSnapshot,&ModEntry32); while(Result) { if(ModEntry32.hModule != hThisModule) ReplaceIATEntryInModule(DllName,pfnCurrent,pfnNew,ModEntry32.hModule); Result = Module32Next(hSnapshot,&ModEntry32); } CloseHandle(hSnapshot); }
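// Re-applies every registered hook after a module has been loaded.
//
// hmod     Handle of the module that was just loaded (may be NULL).
// dwFlags  Flags the module was loaded with. Modules mapped as a data file
//          or image resource are ignored.
//
// Nothing is done when hmod is NULL or is the module containing this code.
// Otherwise each CAPIHook in the sm_pHead list with a resolved original
// address is passed to ReplaceIATEntryInAllMods().
void CAPIHook::FixupNewlyLoadedModule(HMODULE hmod, DWORD dwFlags)
{
    const DWORD dwNoCodeFlags = LOAD_LIBRARY_AS_DATAFILE
                              | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE
                              | LOAD_LIBRARY_AS_IMAGE_RESOURCE;

    if (hmod == NULL)
        return;

    // Do not hook our own module
    if (hmod == ModuleFromAddress(FixupNewlyLoadedModule))
        return;

    if ((dwFlags & dwNoCodeFlags) != 0)
        return;

    // If a new module is loaded, hook the hooked functions
    for (CAPIHook* p = sm_pHead; p != NULL; p = p->m_pNext)
    {
        if (p->m_pfnOrig != NULL)
        {
            ReplaceIATEntryInAllMods(p->m_pszCalleeModName, p->m_pfnOrig, p->m_pfnHook);
        }
        else
        {
#ifdef _DEBUG
            // We should never end up here
            wchar_t szPathname[MAX_PATH];
            GetModuleFileNameW(NULL, szPathname, _countof(szPathname));

            // The buffers are wchar_t and the calls are the explicit W
            // variants, so the format string and the debug-output call must
            // be wide too. TEXT()/OutputDebugString only match in UNICODE
            // builds.
            wchar_t sz[1024];
            StringCchPrintfW(sz, _countof(sz),
                L"[%4u - %s] impossible to find %S\r\n",
                GetCurrentProcessId(), szPathname, p->m_pszCalleeModName);
            OutputDebugStringW(sz);
#endif
        }
    }
}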
// Registers LLMouseHookProc as a WH_MOUSE_LL hook and keeps the handle in
// g_hLLMouseHook.
//
// Returns TRUE when the hook was installed, FALSE when SetWindowsHookEx
// failed.
//
// NOTE(review): a low-level mouse hook sees mouse input for the whole
// session, not only this application's windows. The handle is overwritten
// without checking for an earlier hook, so a second call loses the first
// handle -- confirm callers install only once.
BOOL WINAPI SetLowMouseHook()
{
    g_hLLMouseHook = SetWindowsHookEx(
        WH_MOUSE_LL,                          // hook type
        LLMouseHookProc,                      // hook procedure
        ModuleFromAddress(LLMouseHookProc),   // module that contains the procedure
        0);                                   // thread id 0: not tied to one thread

    if (g_hLLMouseHook == NULL)
        return FALSE;

    return TRUE;
}
// Registers LLKeyboardHookProc as a WH_KEYBOARD_LL hook and keeps the handle
// in g_hLLKeyBoardHook.
//
// Returns TRUE when the hook was installed, FALSE when SetWindowsHookEx
// failed.
//
// NOTE(review): a low-level keyboard hook receives keystrokes typed into
// every application in the session, so LLKeyboardHookProc handles sensitive
// input and should neither store nor forward more than it needs. The handle
// is overwritten without checking for an earlier hook -- confirm callers
// install only once.
BOOL WINAPI SetLowKeyboardHook()
{
    g_hLLKeyBoardHook = SetWindowsHookEx(
        WH_KEYBOARD_LL,                          // hook type
        LLKeyboardHookProc,                      // hook procedure
        ModuleFromAddress(LLKeyboardHookProc),   // module that contains the procedure
        0);                                      // thread id 0: not tied to one thread

    if (g_hLLKeyBoardHook == NULL)
        return FALSE;

    return TRUE;
}
// Builds the path of "CloseApplicationOnChange.flg" in the same directory as
// the module that contains this function.
//
// Returns the module's directory (including the trailing backslash) followed
// by the flag file name.
//
// NOTE(review): the result of GetModuleFileName is not checked. If it fails
// the buffer stays empty and the function returns the bare file name, which
// then resolves against the current working directory. A path longer than
// MAX_PATH is truncated. Callers that act on this flag file should be aware
// of both cases.
static CString GetIniName()
{
    TCHAR szModulePath[MAX_PATH] = _T("");
    GetModuleFileName(ModuleFromAddress(GetIniName), szModulePath, MAX_PATH);

    CString strModulePath(szModulePath);

    // ReverseFind yields -1 when there is no backslash; Left(0) is then empty.
    const int nLastSlash = strModulePath.ReverseFind(_T('\\'));

    CString strFlagFile = strModulePath.Left(nLastSlash + 1);
    strFlagFile += _T("CloseApplicationOnChange.flg");
    return strFlagFile;
}
// Replaces pfnCurrent with pfnNew in the modules of the current process.
//
// bHookOrRestore    Not read by this function.
// pszCalleeModName  Name of the module that exports the function.
// pfnCurrent        Address to look for; NULL makes the call a no-op.
// pfnNew            Address to write instead; NULL makes the call a no-op.
//
// Returns TRUE when ReplaceInOneModule() succeeded for at least one module,
// FALSE otherwise (including when the process information is unavailable).
BOOL CHookedFunction::ReplaceInAllModules(
    BOOL  bHookOrRestore,
    PCSTR pszCalleeModName,
    PROC  pfnCurrent,
    PROC  pfnNew
    )
{
    if ((NULL == pfnCurrent) || (NULL == pfnNew))
        return FALSE;

    // Retrieves information about the current process and its modules.
    // The task manager decides on its own whether to use the ToolHelp
    // library or PSAPI.
    CTaskManager taskManager;
    taskManager.PopulateProcess(::GetCurrentProcessId(), TRUE);

    CExeModuleInstance* pThisProcess = taskManager.GetProcessById(::GetCurrentProcessId());
    if (NULL == pThisProcess)
        return FALSE;

    BOOL bAnyReplaced = FALSE;

    // Enumerate all modules loaded by this process
    for (int nIndex = 0; nIndex < pThisProcess->GetModuleCount(); nIndex++)
    {
        // NOTE(review): the returned pointer is used without a NULL check.
        CModuleInstance* pLoaded = pThisProcess->GetModuleByIndex(nIndex);

        // We don't hook functions in our own module
        if (pLoaded->Get_Module() == ModuleFromAddress(CApiHookMgr::MyLoadLibraryA))
            continue;

        // Hook this function in this module
        if (ReplaceInOneModule(pszCalleeModName, pfnCurrent, pfnNew, pLoaded->Get_Module()))
            bAnyReplaced = TRUE;
    }

    // Hook this function in the executable as well
    if (ReplaceInOneModule(pszCalleeModName, pfnCurrent, pfnNew, pThisProcess->Get_Module()))
        bAnyReplaced = TRUE;

    return bAnyReplaced;
}
// Constructs the hook manager: records the module scope, resolves the handle
// of the module this code lives in, and creates the container of hooked
// functions.
//
// pModuleScope  Stored as-is in sm_pModuleScope; no ownership is taken here.
CApiHookMgr::CApiHookMgr(CModuleScope* pModuleScope)
{
	sm_pModuleScope = pModuleScope;
	//
	// Obtain the handle to the DLL whose code is executing. The address of
	// MyGetProcAddress is used only as a marker that lies inside this module.
	//
	m_hmodThisInstance   = ModuleFromAddress(CApiHookMgr::MyGetProcAddress);
	//
	// No system functions have been hooked up yet
	//
	m_bSystemFuncsHooked = FALSE;
	//
	// Create an instance of the map container. It is created last because it
	// receives `this`.
	// NOTE(review): sm_pHookedFunctions is overwritten unconditionally. If it
	// is shared between instances (the sm_ prefix suggests so), constructing
	// a second manager would drop the previous container -- confirm there is
	// only ever one CApiHookMgr.
	//
	sm_pHookedFunctions = new CHookedFunctions(this);
}
//--------------------------------------------------------------------------- //当动态装载DLL时,必须Hook那个DLL的相应函数 void WINAPI TAPIHook::FixupNewlyLoadedModule(HMODULE hMod, DWORD dwFlags) { HMODULE hThisModule = NULL; //不能Hook DLL本身的函数 hThisModule = ModuleFromAddress(FixupNewlyLoadedModule); if(hMod == hThisModule) return; // If a new module is loaded, hook the hooked functions if((hMod != NULL) && ((dwFlags & LOAD_LIBRARY_AS_DATAFILE) == 0)) { for(TAPIHook* p = pHeadHook; p != NULL; p = p->pNextHook) { ReplaceIATEntryInModule(p->FDllName,p->pfnOrig, p->pfnHook, hMod); } } }
// Installs or removes the WH_KEYBOARD_LL hook served by LowKeyboardHookProc.
//
// bInstall    TRUE installs the hook, FALSE removes it.
// dwThreadId  Passed straight to SetWindowsHookEx when installing.
// hWndCaller  Stored in g_hWnd on every call, install and removal alike.
//
// Returns TRUE when the requested operation succeeded.
//
// NOTE(review): WH_KEYBOARD_LL is documented as a global-only hook -- confirm
// callers pass 0 for dwThreadId. The hook receives keystrokes typed into
// every application in the session, so the hook procedure handles sensitive
// input. Installing twice without removing in between overwrites g_hHook.
BOOL WINAPI SetLowKeyboardHook(BOOL bInstall, DWORD dwThreadId, HWND hWndCaller)
{
    g_hWnd = hWndCaller;

    if (!bInstall)
    {
        const BOOL bRemoved = ::UnhookWindowsHookEx(g_hHook);
        g_hHook = NULL;   // cleared whether or not the removal succeeded
        return bRemoved;
    }

    g_hHook = ::SetWindowsHookEx(
        WH_KEYBOARD_LL,
        LowKeyboardHookProc,
        ModuleFromAddress(LowKeyboardHookProc),
        dwThreadId);

    return (g_hHook != NULL) ? TRUE : FALSE;
}
// Installs or removes the WH_CBT hook served by SetWndHookProc.
//
// bInstall    TRUE installs the hook, FALSE removes it.
// dwThreadId  Passed straight to SetWindowsHookEx when installing. A value
//             of 0 makes the hook apply to all threads on the desktop, which
//             loads this module into their processes.
// hWndCaller  Stored in g_hWndF on every call, install and removal alike.
//
// Returns TRUE when the requested operation succeeded.
//
// NOTE(review): installing twice without removing in between overwrites
// g_hHookF and the first hook can no longer be removed through this function.
BOOL WINAPI SetWndHook(BOOL bInstall, DWORD dwThreadId, HWND hWndCaller)
{
    g_hWndF = hWndCaller;

    if (!bInstall)
    {
        const BOOL bRemoved = ::UnhookWindowsHookEx(g_hHookF);
        g_hHookF = NULL;   // cleared whether or not the removal succeeded
        return bRemoved;
    }

    g_hHookF = ::SetWindowsHookEx(
        WH_CBT,
        SetWndHookProc,
        ModuleFromAddress(SetWndHookProc),
        dwThreadId);

    return (g_hHookF != NULL) ? TRUE : FALSE;
}
// Calls ReplaceIATEntryInOneMod() for every module loaded in the current
// process so that imports of pfnCurrent from pszCalleeModName point to
// pfnNew.
//
// pszCalleeModName  Name of the module that exports the function.
// pfnCurrent        Address currently stored in the import tables.
// pfnNew            Address to store instead.
//
// When ExcludeAPIHookMod is set, the module containing this code is skipped.
void CAPIHook::ReplaceIATEntryInAllMods(PCSTR pszCalleeModName,
   PROC pfnCurrent, PROC pfnNew)
{
   // NULL never matches a real module handle, so nothing is excluded when
   // the flag is off.
   HMODULE hmodSelf = NULL;
   if (ExcludeAPIHookMod)
      hmodSelf = ModuleFromAddress(ReplaceIATEntryInAllMods);

   // Get the list of modules in this process
   CToolhelp th(TH32CS_SNAPMODULE, GetCurrentProcessId());

   MODULEENTRY32 me = { sizeof(me) };
   BOOL bMore = th.ModuleFirst(&me);
   while (bMore)
   {
      // NOTE: We don't hook functions in our own module
      if (me.hModule != hmodSelf)
      {
         // Hook this function in this module
         ReplaceIATEntryInOneMod(pszCalleeModName, pfnCurrent, pfnNew, me.hModule);
      }
      bMore = th.ModuleNext(&me);
   }
}
// Installs or removes the WH_GETMESSAGE hook served by GetMsgProc.
//
// bInstall    TRUE installs the hook, FALSE removes it.
// dwThreadId  Passed straight to SetWindowsHookEx when installing. A value
//             of 0 makes the hook apply to all threads on the desktop, which
//             loads this module into their processes.
//
// Returns TRUE when the requested operation succeeded.
//
// Installing twice in a row, or removing without a prior install, trips a
// chASSERT.
BOOL WINAPI LastMsgBoxInfo_HookAllApps(BOOL bInstall, DWORD dwThreadId)
{
   if (!bInstall)
   {
      chASSERT(g_hhook != NULL); // Can't uninstall if not installed

      const BOOL bRemoved = UnhookWindowsHookEx(g_hhook);
      g_hhook = NULL;            // cleared whether or not the removal succeeded
      return(bRemoved);
   }

   chASSERT(g_hhook == NULL);    // Illegal to install twice in a row

   // Install the Windows' hook
   g_hhook = SetWindowsHookEx(
      WH_GETMESSAGE,
      GetMsgProc,
      ModuleFromAddress(LastMsgBoxInfo_HookAllApps),
      dwThreadId);

   return((g_hhook != NULL) ? TRUE : FALSE);
}