过用户层HOOK思路

以FindWinow为例,首先逆向FindWindow,分析写出下面代码

#pragma pack(1)
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength; 
    PWSTR  Buffer;
 
} UNICODE_STRING,*PUNICODE_STRING;
#pragma pack()

__declspec(naked) void sysFastCall()
{

 __asm{
  mov edx,esp
  __emit 0x0f
  __emit 0x34
 }
}

__declspec(naked)  HWND  __stdcall My_FindWindow(
            int p1,
            int p2,
            PUNICODE_STRING pu_classname,
            PUNICODE_STRING pu_catption,
            int p5)
{
 __asm
 {
  MOV EAX,0x1179
   call sysFastCall
   RETN 0x14
   
 }
}

下面是调用:


void CFindWindowsDemoDlg::OnBtnMyFindwindow()
{
 // TODO: Add your control notification handler code here
 UNICODE_STRING pu_className,pu_Caption;
 typedef   (__stdcall *PRtlInitUnicodeString)(PUNICODE_STRING, PCWSTR);
 PRtlInitUnicodeString  RtlInitUnicodeString;
 RtlInitUnicodeString=(PRtlInitUnicodeString)GetProcAddress(GetModuleHandle("ntdll.dll"),"RtlInitUnicodeString");
 RtlInitUnicodeString(&pu_className,L"SciCalc");
 RtlInitUnicodeString(&pu_Caption,L"计算器");
 HWND h=My_FindWindow(0,0,&pu_className,&pu_Caption,0);
  ::SendMessage(h,WM_CLOSE,0,0);
}

posted @ 2012-06-01 09:42  einyboy  阅读(557)  评论(0编辑  收藏  举报