EasyHook vc++ 使用

使用EasyHook去hook系统API，可以抓取一些想要的信息

先创建一个dll工程

1 #include "easyhook.h"
2 
3 #if _WIN64
4 #pragma comment(lib, "EasyHook64.lib")
5 #else
6 #pragma comment(lib, "EasyHook32.lib")
7 #endif

 

  1 // MyHookDll.cpp : 定义 DLL 应用程序的导出函数。
  2 //
  3 
  4 #include "stdafx.h"
  5 #include <tchar.h>
  6 #include <string>
  7 using namespace std;
  8 
// Frequency offset added to every Beep() call by myBeepHook.
// Set from the injector's user data in NativeInjectionEntryPoint; 0 until then.
DWORD gFreqOffset(0);
// Hook handler for kernel32!Beep.
// Announces itself on the debug stream, then re-issues the beep with
// gFreqOffset added to the requested frequency; returns Beep's own result.
// NOTE(review): the inner Beep call presumably reaches the real function
// because EasyHook does not re-enter a hook on the thread already inside it.
BOOL WINAPI myBeepHook(DWORD dwFreq, DWORD dwDuration)
{
    const DWORD shiftedFrequency = dwFreq + gFreqOffset;
    OutputDebugStringA("BeepHook: ****All your beeps belong to us!\n");
    return Beep(shiftedFrequency, dwDuration);
}
 15 
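// Hook handler for kernel32!CreateProcessA.
// Logs the application name and command line to the debug stream, then
// forwards every argument unchanged to the real API and returns its result,
// so callers (and GetLastError) observe the original behaviour.
// Either lpApplicationName or lpCommandLine may legitimately be NULL (the
// Win32 contract lets a caller omit one of them), so each is checked before
// being handed to OutputDebugStringA.
// Note for anyone consuming the log: the command line is recorded verbatim,
// and command lines can carry secrets passed as arguments.
BOOL WINAPI myCreateProcessA(LPCSTR                lpApplicationName,
    LPSTR                 lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL                  bInheritHandles,
    DWORD                 dwCreationFlags,
    LPVOID                lpEnvironment,
    LPCSTR                lpCurrentDirectory,
    LPSTARTUPINFOA        lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation)
{
    OutputDebugStringA("myCreateProcessA");
    OutputDebugStringA(lpApplicationName != NULL ? lpApplicationName : "(null lpApplicationName)");
    OutputDebugStringA(lpCommandLine != NULL ? lpCommandLine : "(null lpCommandLine)");
    return CreateProcessA(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, 
        bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
}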
 33 
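// Hook handler for kernel32!CreateProcessW (wide-character twin of
// myCreateProcessA).
// Logs the application name and command line, then forwards every argument
// unchanged to the real API and returns its result.
// Either lpApplicationName or lpCommandLine may legitimately be NULL, so each
// is checked before being handed to OutputDebugStringW.
// The command line is recorded verbatim and may carry secrets passed as
// arguments; treat the debug stream accordingly.
BOOL WINAPI myCreateProcessW(LPCWSTR               lpApplicationName,
    LPWSTR                lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL                  bInheritHandles,
    DWORD                 dwCreationFlags,
    LPVOID                lpEnvironment,
    LPCWSTR               lpCurrentDirectory,
    LPSTARTUPINFOW        lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation)
{
    OutputDebugStringA("myCreateProcessW");
    OutputDebugStringW(lpApplicationName != NULL ? lpApplicationName : L"(null lpApplicationName)");
    OutputDebugStringW(lpCommandLine != NULL ? lpCommandLine : L"(null lpCommandLine)");
    return CreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes,
        bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
}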
 51 
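// Returns the directory of the host process's main executable, including the
// trailing backslash (e.g. "C:\app\"), or an empty string if it cannot be
// determined.
// GetModuleFileName(NULL, ...) names the executable of the process this DLL
// is loaded into, not the DLL itself, so the log written next to it follows
// whichever process was injected.
// Assumes a UNICODE build (TCHAR == wchar_t), which the wstring return already
// requires.
wstring GetModulePath() 
{
    // Brace-init zeroes the whole buffer; the old memset(path, 0, MAX_PATH)
    // cleared only MAX_PATH bytes, i.e. half of a wide-character buffer.
    TCHAR path[MAX_PATH] = { 0 };

    DWORD length = GetModuleFileName(NULL, path, MAX_PATH);
    if (length == 0 || length >= MAX_PATH)
    {
        // 0 means failure; a return of MAX_PATH means the name was truncated
        // and may not be NUL-terminated. Neither yields a usable directory.
        return wstring();
    }

    TCHAR* lastSeparator = _tcsrchr(path, _T('\\'));
    if (lastSeparator == NULL)
    {
        // No directory component at all; the old code dereferenced NULL here.
        return wstring();
    }

    // Cut just after the last separator so the separator itself is kept.
    lastSeparator[1] = 0;
    return wstring(path);
}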
 62 
 63 
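// Appends a wide string to hook.log in the host executable's directory.
// log: NUL-terminated UTF-16 text; NULL is ignored.
// Writes nothing when the module directory is unknown or the file cannot be
// opened: a logging failure must never fault the process this DLL was
// injected into (the old code passed a NULL FILE* to fwrite/fclose).
// The file receives raw UTF-16 from this overload and raw bytes from the
// LPCSTR overload, so its contents are mixed-encoding; the file is created
// with whatever default permissions the host's directory grants.
void wirteLog(LPCWSTR log)
{
    if (log == NULL)
    {
        return;
    }

    wstring path = GetModulePath();
    if (path.empty())
    {
        return;
    }
    path += _T("\\hook.log");
    OutputDebugStringW(path.c_str());

    FILE* file = NULL;
    if (_tfopen_s(&file, path.c_str(), _T("a+")) != 0 || file == NULL)
    {
        return;
    }

    // Write wcslen() elements of sizeof(wchar_t) bytes. The original wrote
    // _tcslen() *bytes*, which dropped the second half of every string.
    fwrite(log, sizeof(wchar_t), wcslen(log), file);
    fclose(file);
}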
 74 
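// Appends a narrow string to hook.log in the host executable's directory.
// log: NUL-terminated byte string; NULL is ignored.
// Writes nothing when the module directory is unknown or the file cannot be
// opened, so a logging failure never faults the injected process (the old
// code passed a NULL FILE* to fwrite/fclose when _tfopen_s failed).
// Bytes are written as-is, alongside the UTF-16 output of the LPCWSTR
// overload, so the file is mixed-encoding.
void wirteLog(LPCSTR log)
{
    if (log == NULL)
    {
        return;
    }

    wstring path = GetModulePath();
    if (path.empty())
    {
        return;
    }
    path += _T("\\hook.log");
    OutputDebugStringW(path.c_str());

    FILE* file = NULL;
    if (_tfopen_s(&file, path.c_str(), _T("a+")) != 0 || file == NULL)
    {
        return;
    }

    fwrite(log, 1, strlen(log), file);
    fclose(file);
}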
 85 
// Hook handler for OutputDebugStringW: persist the message to hook.log, then
// forward it so an attached debugger still sees it.
// NOTE(review): forwarding to OutputDebugStringW from inside its own hook
// presumably works because EasyHook does not re-enter a hook on the thread
// already executing it -- confirm against the EasyHook thread barrier.
void myOutputDebugStringW(
    LPCWSTR lpOutputString
)
{
    const LPCWSTR message = lpOutputString;
    wirteLog(message);
    OutputDebugStringW(message);
}
 93 
// Hook handler for OutputDebugStringA: tags the debug stream with "myHook"
// and then forwards the caller's text unchanged.
// File logging via wirteLog is deliberately left disabled for this overload.
// NOTE(review): calling OutputDebugStringA from within its own hook
// presumably relies on EasyHook not re-entering a hook on the same thread.
void myOutputDebugStringA(
    LPCSTR lpOutputString
)
{
    static const char kTag[] = "myHook";
    OutputDebugStringA(kTag);
    OutputDebugStringA(lpOutputString);
}
102 
// Exported with C linkage (undecorated name) so the injector can locate it by
// name after the DLL is loaded into the target process.
extern "C" void __declspec(dllexport) __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* inRemoteInfo);

// Scratch buffer for wsprintfA-formatted debug lines.
// Shared global: not safe if two threads format at the same time.
char szTemp[256] = {};
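// Entry point EasyHook calls inside the target process once this DLL has been
// injected.
// inRemoteInfo: injector-supplied record with the injecting process id
//   (HostPID) and an optional payload (UserData/UserDataSize); the payload is
//   only read when it is exactly one DWORD, which becomes gFreqOffset.
// Installs myOutputDebugStringA over kernel32!OutputDebugStringA and enables
// it for every thread except the current one (exclusive ACL).
// Everything here executes in someone else's process: a fault takes the host
// down, so pointers are checked and nothing is allowed to throw.
void __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* inRemoteInfo)
{
    OutputDebugStringA("\n\nNativeInjectionEntryPointt(REMOTE_ENTRY_INFO* inRemoteInfo)\n\n"); 

    if (inRemoteInfo == NULL)
    {
        OutputDebugStringA("NativeInjectionEntryPoint: no REMOTE_ENTRY_INFO supplied");
        return;
    }

    // Local scratch buffer instead of the shared global szTemp, so a second
    // injection or another thread cannot race on the same memory. wsprintfA
    // does not take a size; the formats below are fixed and far shorter than
    // 256 characters.
    char line[256] = { 0 };

    wsprintfA(line, "Injected by process Id: %d", inRemoteInfo->HostPID);
    OutputDebugStringA(line);
    
    wsprintfA(line, "Passed in data size: %d", inRemoteInfo->UserDataSize);
    OutputDebugStringA(line);

    // Trust the payload only when its size is exactly what we expect and the
    // pointer is present.
    if (inRemoteInfo->UserDataSize == sizeof(DWORD) && inRemoteInfo->UserData != NULL)
    {
        gFreqOffset = *reinterpret_cast<DWORD *>(inRemoteInfo->UserData);
        
        wsprintfA(line, "Adjusting Beep frequency by: %d", gFreqOffset);
        OutputDebugStringA(line);
    }

    // Hook handle. Kept static so it outlives this call: EasyHook records the
    // hook in this structure, and a later LhUninstallHook needs the same
    // structure -- a stack local would be gone once this function returns.
    static HOOK_TRACE_INFO hHook = { NULL };

    // Report the address of the function actually being hooked (the original
    // message printed Beep's address, left over from the Beep sample).
    wsprintfA(line, "Win32 OutputDebugStringA found at address:: %p",
        GetProcAddress(GetModuleHandle(TEXT("kernel32")), "OutputDebugStringA"));
    OutputDebugStringA(line);

    // Install the hook. The Beep variant is kept for reference:
    /*NTSTATUS result = LhInstallHook(
        GetProcAddress(GetModuleHandle(TEXT("kernel32")), "Beep"),
        myBeepHook,
        NULL,
        &hHook);*/
    NTSTATUS result = LhInstallHook(
        GetProcAddress(GetModuleHandle(TEXT("kernel32")), "OutputDebugStringA"),
        myOutputDebugStringA,
        NULL,
        &hHook);
    if (FAILED(result))
    {
        // Label first, then EasyHook's description of the failure.
        OutputDebugStringA("Failed to install hook: ");
        OutputDebugStringW(RtlGetLastErrorString());
    }
    else
    {
        OutputDebugStringA("Hook 'myOutputDebugStringA' installed successfully.");
    }

    // A threadId of 0 in the ACL stands for the current thread
    // (EasyHook substitutes GetCurrentThreadId()).
    ULONG ACLEntries[1] = { 0 };

    // Exclusive ACL: disable the hook for the listed threads, enable it for
    // all others -- i.e. every thread but this one.
    LhSetExclusiveACL(ACLEntries, 1, &hHook);

    return;
}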

然后再建立一个exe工程

同样包含头文件和导入库接口

1 #include "easyhook.h"
2 
3 #if _WIN64
4 #pragma comment(lib, "EasyHook64.lib")
5 #else
6 #pragma comment(lib, "EasyHook32.lib")
7 #endif
 1             CEditUI *pEdit = static_cast<CEditUI*>(m_PaintManager.FindControl(_T("processid")));
 2             if (pEdit && !pEdit->GetText().IsEmpty())
 3             {
 4                 CDuiString pid = pEdit->GetText();
 5                 DWORD processId = _wtol(pid.GetData());
 6                 WCHAR* dllToInject = L"..\\Debug\\MyHookDll.dll";
 7                 DWORD freqOffset = 2000;
 8                 NTSTATUS nt = RhInjectLibrary(
 9                     processId,   // The process to inject into
10                     0,           // ThreadId to wake up upon injection
11                     EASYHOOK_INJECT_DEFAULT,
12                     dllToInject, // 32-bit
13                     NULL,         // 64-bit not provided
14                     &freqOffset, // data to send to injected DLL entry point
15                     sizeof(DWORD)// size of data to send
16                 );
17                 if (nt != 0)
18                 {
19                     OutputDebugStringA("RhInjectLibrary failed with error code\n");
20                     PWCHAR err = RtlGetLastErrorString();
21                     OutputDebugStringW(err);
22                 }
23                 else
24                 {
25                     OutputDebugStringW(L"Library injected successfully.\n");
26                 }
27             }

上面是在UI中输入进程id,再将生成的dll作为参数去调用,就可以成功hook api了

 

还可以在exe中直接hook exe本身调用的api

BOOL WINAPI myBeepHook(DWORD dwFreq, DWORD dwDuration);

// Replacement for kernel32!Beep installed by hook().
// Announces itself on the debug stream and re-issues the beep 800 Hz higher,
// returning Beep's own result.
// NOTE(review): the inner Beep call presumably reaches the real function
// because EasyHook does not re-enter a hook on the thread already inside it.
BOOL WINAPI myBeepHook(DWORD dwFreq, DWORD dwDuration)
{
    const DWORD shiftedFrequency = dwFreq + 800;
    OutputDebugString(_T("\n****All your beeps belong to us!\n\n"));
    return Beep(shiftedFrequency, dwDuration);
}
 8 
// Handle for the Beep hook; filled in by LhInstallHook in hook() and
// consumed by LhUninstallHook in unhook(). File scope so both can reach it.
HOOK_TRACE_INFO hHook = {};
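// Installs myBeepHook over kernel32!Beep and enables it for the calling
// thread only, beeping once before and once after enabling so the effect can
// be heard.
// Returns 0 on success, -1 if LhInstallHook fails. The original version fell
// off the end of this non-void function (undefined behaviour) and also made a
// stray GetProcAddress call whose result was discarded.
int hook()
{
    NTSTATUS result = LhInstallHook(
        GetProcAddress(GetModuleHandle(TEXT("kernel32")), "Beep"),
        myBeepHook,
        NULL,
        &hHook);
    if (FAILED(result))
    {
        return -1;
    }

    OutputDebugString(_T("Beep after hook installed but not enabled.\n"));
    Beep(500, 500);

    OutputDebugString(_T("Activating hook for current thread only.\n"));
    // A threadId of 0 in the ACL stands for the current thread
    // (EasyHook substitutes GetCurrentThreadId()); an inclusive ACL therefore
    // enables the hook for this thread and no other.
    ULONG ACLEntries[1] = { 0 };
    LhSetInclusiveACL(ACLEntries, 1, &hHook);

    OutputDebugString(_T("Beep after hook enabled.\n"));
    Beep(500, 500);

    return 0;
}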
36 
// Removes the Beep hook, beeps once to show the original is back, then waits
// until EasyHook has restored every entry point it had pending for removal.
// Always returns 0.
int unhook()
{
    const int testFrequency = 500;
    const int testDuration = 500;

    OutputDebugString(_T("Uninstall hook\n"));
    LhUninstallHook(&hHook);

    OutputDebugString(_T("Beep after hook uninstalled\n"));
    Beep(testFrequency, testDuration);

    // Uninstalling is asynchronous from EasyHook's point of view; block until
    // the trampolines are actually gone before the caller tears anything down.
    OutputDebugString(_T("\n\nRestore ALL entry points of pending removals issued by LhUninstallHook()\n"));
    LhWaitForPendingRemovals();

    return 0;
}

初始时调用hook(),退出前调用unhook()即可

附上easyhook的dll,也可以自己去github下载源码进行编译

 https://files.cnblogs.com/files/george-cw/easyhooklib.zip

posted @ 2020-09-07 14:09  george_cw