最近开始研究应用层的Hook，但是由于时间紧迫，所以也没什么深入的东西。这个程序是基于《Windows Via C/C++》的基础上改出来的，所以所有的技术都是作者的，原理就是书里讲的原理。这里只hook了wsock32.dll导出的send和recv函数，其他函数的hook方式是一样的，自己改一下就可以了。需要注意两点：现在的程序大多直接链接ws2_32.dll（并且常用WSASend/WSARecv等函数），只hook wsock32.dll的send/recv抓不到这些流量；另外send/recv传进来的缓冲区是原始字节而不是以NUL结尾的字符串，注入进目标进程的代码处理它时必须按长度截取，否则会越界读。
由于Hook功能作者已经封装成了一个类,因而用起来十分方便,这里是源代码(全部代码猛击此处下载):
/******************************************************************************
Module: Wsock32Hook.cpp
Notices: Hook wsock32 send and recv functions
******************************************************************************/
#include "..\..\CommonFiles\CmnHdr.h"
#include
#include
#include
#include "APIHook.h"
#define WSOCK32HOOKAPI extern "C" __declspec(dllexport)
#include "Wdll.h"
#include
///////////////////////////////////////////////////////////////////////////////
// Prototypes for the hooked functions
// Call signatures of the two wsock32 exports replaced below. Both have the
// send()/recv() shape: (SOCKET, char *buf, int len, int flags) -> int.
// buf is a raw byte buffer whose valid length is len (send) or the return
// value (recv); it is not a NUL-terminated string.
typedef int (WINAPI *PFNSEND)(SOCKET s, char *buf, int len, int flags);
typedef int (WINAPI *PFNRECV)(SOCKET s, char *buf, int len, int flags);
// The hook objects are defined after the replacement functions (which call
// through them), so they are forward-declared here.
extern CAPIHook g_Send;
extern CAPIHook g_Recv;
///////////////////////////////////////////////////////////////////////////////
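// Upper bound on payload bytes forwarded to the dialog per call. Keeps the
// formatted line well inside the 2048-wchar staging buffer and, more
// importantly, bounds how far into a socket buffer the formatter may read.
#define WSOCK32HOOK_MAX_LOG_BYTES 1024

// Formats "<pszLabel> data: <payload>\n" and forwards it to the monitoring
// dialog via WM_COPYDATA.
//   pszLabel  direction tag, L"Send" or L"Recv"
//   buf       raw socket buffer; NOT assumed to be NUL-terminated
//   cbBuf     number of valid bytes in buf; <= 0 (or NULL buf) reports nothing
// At most min(cbBuf, WSOCK32HOOK_MAX_LOG_BYTES) bytes of buf are read.
// Bytes are rendered as narrow characters: an embedded NUL ends the text
// early and non-text bytes print as whatever the CRT's conversion yields --
// this is a text logger, not a hex dumper. Does nothing if the dialog window
// cannot be found.
static void ForwardMsgInfo(const wchar_t *pszLabel, const char *buf, int cbBuf) {
    if (buf == NULL || cbBuf <= 0)
        return;
    if (cbBuf > WSOCK32HOOK_MAX_LOG_BYTES)
        cbBuf = WSOCK32HOOK_MAX_LOG_BYTES;

    wchar_t sz[2048];
    // %.*hs: narrow (char) string with an explicit precision, so the
    // formatter stops after cbBuf bytes (or an earlier NUL) instead of
    // scanning for a terminator that a socket buffer need not have. A plain
    // %s in a wide format string would read buf as wchar_t, which is what
    // the original version did.
    if (FAILED(StringCchPrintfW(sz, _countof(sz), L"%s data: %.*hs\n",
                                pszLabel, cbBuf, buf)))
        return;

    // NOTE(review): the target window is located by title only. Any process
    // on the desktop can create a window with this title and receive the
    // captured traffic, and the dialog's WM_COPYDATA handler must treat
    // cbData/lpData as untrusted input from an arbitrary sender.
    HWND hwndDlg = FindWindow(NULL, TEXT("Wsock32hook by obaby"));
    if (hwndDlg == NULL)
        return;
    COPYDATASTRUCT cds = { 0, ((DWORD)wcslen(sz) + 1) * sizeof(wchar_t), sz };
    // SendMessage blocks until the dialog has handled the message.
    FORWARD_WM_COPYDATA(hwndDlg, NULL, &cds, SendMessage);
}

// Reports a send() buffer to the dialog.
//   bUnicode  kept for interface compatibility but ignored: the original used
//             the same format string on both branches, and a socket payload
//             has no inherent character encoding
//   buf       bytes handed to send()
//   cbBuf     valid length of buf; two-argument callers get the logging cap,
//             so the read is still bounded (cap or first NUL, whichever first)
void SendLastMsgInfo(BOOL bUnicode, char *buf, int cbBuf = WSOCK32HOOK_MAX_LOG_BYTES) {
    (void)bUnicode;
    ForwardMsgInfo(L"Send", buf, cbBuf);
}

// Reports a recv() buffer to the dialog. Same contract as SendLastMsgInfo;
// cbBuf should be the byte count recv() returned.
void RecvLastMsgInfo(BOOL bUnicode, char *buf, int cbBuf = WSOCK32HOOK_MAX_LOG_BYTES) {
    (void)bUnicode;
    ForwardMsgInfo(L"Recv", buf, cbBuf);
}

///////////////////////////////////////////////////////////////////////////////
// Replacement for wsock32!send. Calls the original, then forwards the buffer
// the application asked to send (len bytes, bounded by the logging cap).
// Returns the original send() result unchanged.
int WINAPI Hook_Send(SOCKET s, char *buf, int len, int flags) {
    int nResult = ((PFNSEND)(PROC) g_Send)(s, buf, len, flags);
    // The reporting path calls into Win32 (FindWindow, SendMessage, ...) and
    // can overwrite the thread's last-error value; preserve it so the
    // application's WSAGetLastError() after a failed send() still sees the
    // error send() set.
    int nSavedError = WSAGetLastError();
    SendLastMsgInfo(FALSE, buf, len);
    WSASetLastError(nSavedError);
    return nResult;
}

///////////////////////////////////////////////////////////////////////////////
// Replacement for wsock32!recv. Calls the original, then forwards the bytes
// actually received. Returns the original recv() result unchanged.
int WINAPI Hook_Recv(SOCKET s, char *buf, int len, int flags) {
    int nResult = ((PFNRECV)(PROC) g_Recv)(s, buf, len, flags);
    int nSavedError = WSAGetLastError();
    // Only the first nResult bytes of buf are defined after recv(). On 0
    // (connection closed) or SOCKET_ERROR the buffer holds stale or
    // uninitialized data, so nothing is reported.
    if (nResult > 0)
        RecvLastMsgInfo(FALSE, buf, nResult);
    WSASetLastError(nSavedError);
    return nResult;
}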
///////////////////////////////////////////////////////////////////////////////
// Hook the send and recv functions
// Global hook objects: constructed when the DLL is loaded into a process,
// redirecting wsock32.dll's "send" and "recv" exports to the replacements
// above. Note that only wsock32.dll is covered; calls made through other
// Winsock modules (e.g. ws2_32.dll) are not intercepted by these two objects.
CAPIHook g_Send("wsock32.dll", "send",
(PROC) Hook_Send);
CAPIHook g_Recv("wsock32.dll", "recv",
(PROC) Hook_Recv);
// Handle of the WH_GETMESSAGE hook installed by Wsock32_HookAllApps;
// NULL while no hook is installed.
HHOOK g_hhook = NULL;
///////////////////////////////////////////////////////////////////////////////
static LRESULT WINAPI GetMsgProc(int code, WPARAM wParam, LPARAM lParam) {
    // Pure pass-through. The WH_GETMESSAGE hook exists only to get this DLL
    // mapped into other processes (the global CAPIHook objects above then
    // take effect when the DLL loads); every message is forwarded untouched.
    LRESULT lResult = CallNextHookEx(g_hhook, code, wParam, lParam);
    return lResult;
}
///////////////////////////////////////////////////////////////////////////////
// Returns the HMODULE that contains the specified memory address
static HMODULE ModuleFromAddress(PVOID pv) {
    // Finds the module whose mapped image contains pv; used below to hand
    // this DLL's own HMODULE to SetWindowsHookEx. VirtualQuery reports the
    // allocation base of the region containing pv, which for a mapped image
    // is its load address, i.e. its HMODULE. Returns NULL if the query fails.
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQuery(pv, &mbi, sizeof(mbi)) == 0)
        return NULL;
    return (HMODULE) mbi.AllocationBase;
}
///////////////////////////////////////////////////////////////////////////////
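// Installs (bInstall == TRUE) or removes (bInstall == FALSE) the WH_GETMESSAGE
// hook that pulls this DLL into other processes.
//   dwThreadId  thread to hook; 0 means every thread on the desktop, i.e. this
//               DLL -- and with it the send/recv hooks -- gets loaded into
//               every message-pumping process of matching bitness, not just
//               the one being studied. Prefer a specific thread id.
// Returns TRUE on success. Installing while a hook is already installed
// returns FALSE without touching g_hhook: overwriting a live handle would
// orphan the first hook with no way to ever unhook it (the debug-only
// chASSERT does not protect release builds). Removing while nothing is
// installed also returns FALSE, matching what UnhookWindowsHookEx(NULL)
// returned before.
BOOL WINAPI Wsock32_HookAllApps(BOOL bInstall, DWORD dwThreadId) {
    BOOL bOk = FALSE;
    if (bInstall) {
        chASSERT(g_hhook == NULL); // Illegal to install twice in a row
        if (g_hhook != NULL)
            return FALSE;
        // Pass our own HMODULE so the system maps this DLL into hooked processes.
        g_hhook = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc,
                                   ModuleFromAddress(Wsock32_HookAllApps), dwThreadId);
        bOk = (g_hhook != NULL);
    } else {
        chASSERT(g_hhook != NULL); // Can't uninstall if not installed
        if (g_hhook == NULL)
            return FALSE;
        bOk = UnhookWindowsHookEx(g_hhook);
        g_hhook = NULL;
    }
    return bOk;
}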
//////////////////////////////// End of File //////////////////////////////////
hook the wsock32.dll send and recv functions , any problem ?