GitHub - microsoft/Detours: Detours is a software package for monitoring and instrumenting API calls on Windows. It is distributed in source code form.
/*挂载钩子 setdll /d:C:\Users\g\source\repos\LotTest\Release\lotDll.dll C:\Users\g\source\repos\LotTest\bin\x86\Release\net6.0-windows\LotTest.exe
卸载钩子 setdll /r C:\Users\g\source\repos\LotTest\bin\x86\Release\net6.0-windows\LotTest.exe
*/#include <Windows.h>
#include "detours/detours.h"//真实的调用函数,函数原型必须和真实API一致。部分类型如果无法声明可以用void *替代
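// Pointer through which the genuine API is reached. Its prototype must match
// the real function exactly (a type that cannot be declared may be replaced
// with void*). DetourAttach() receives the address of this pointer.
// The ANSI entry point is named explicitly because the hook below passes
// narrow string literals; with the TCHAR-generic MessageBox/LPCTSTR spelling
// the file would not compile in a UNICODE build.
static int (WINAPI* REALMessageBox)(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType) = MessageBoxA;

// Replacement ("hook") for MessageBoxA. Parameter types, calling convention
// and return type must be identical to those of the real function.
//
// Review note: an inline hook like this changes the code of the hooked
// function inside the running process only, so comparing a loaded module's
// code with its on-disk image is one way such a hook can be noticed.
static int WINAPI MYMessageBox(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
    // Any custom handling can go here. This demo discards every argument the
    // caller supplied and substitutes its own text, caption and flags.
    UNREFERENCED_PARAMETER(hWnd);
    UNREFERENCED_PARAMETER(lpText);
    UNREFERENCED_PARAMETER(lpCaption);
    UNREFERENCED_PARAMETER(uType);

    // Finish by calling the real API through the saved pointer.
    return REALMessageBox(NULL, "MyHook!! MessageBoxCRACK!!", "Please", MB_OK);
}

// Installs the MessageBoxA hook inside the current process.
// Every Detours call is checked: a failure is reported with
// OutputDebugStringA instead of being silently dropped, and a transaction
// that was opened but could not be completed is aborted.
void StartHook()
{
    DetourRestoreAfterWith();

    // Open the transaction.
    LONG err = DetourTransactionBegin();
    if (err != NO_ERROR)
    {
        OutputDebugStringA("StartHook: DetourTransactionBegin failed\n");
        return;
    }

    // Register the current thread with the transaction.
    err = DetourUpdateThread(GetCurrentThread());

    // Attach the replacement to the address of the original function.
    if (err == NO_ERROR)
        err = DetourAttach(&(PVOID&)REALMessageBox, MYMessageBox);

    if (err != NO_ERROR)
    {
        DetourTransactionAbort();
        OutputDebugStringA("StartHook: attaching the hook failed, transaction aborted\n");
        return;
    }

    // Commit the transaction.
    err = DetourTransactionCommit();
    if (err != NO_ERROR)
        OutputDebugStringA("StartHook: DetourTransactionCommit failed\n");
}
// Remove the hook (see EndHook below).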
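// Removes the MessageBox hook from the current process.
// Every Detours call is checked: a failure is reported with
// OutputDebugStringA, and a transaction that was opened but could not be
// completed is aborted rather than left pending.
void EndHook()
{
    // Open the transaction.
    LONG err = DetourTransactionBegin();
    if (err != NO_ERROR)
    {
        OutputDebugStringA("EndHook: DetourTransactionBegin failed\n");
        return;
    }

    // Register the current thread with the transaction.
    err = DetourUpdateThread(GetCurrentThread());

    // Detach the replacement from the address of the original function.
    if (err == NO_ERROR)
        err = DetourDetach(&(PVOID&)REALMessageBox, MYMessageBox);

    if (err != NO_ERROR)
    {
        DetourTransactionAbort();
        OutputDebugStringA("EndHook: detaching the hook failed, transaction aborted\n");
        return;
    }

    // Commit the transaction.
    err = DetourTransactionCommit();
    if (err != NO_ERROR)
        OutputDebugStringA("EndHook: DetourTransactionCommit failed\n");
}
/*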
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include "framework.h"

extern void StartHook(); //新增

//新增一个导出函数,这个可以随便写,但必须至少有一个导出函数才能使用setdll远程注入
VOID __declspec(dllexport) test()
{
    OutputDebugString(L"__declspec(dllexport) test() \r\n");
}

BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        { StartHook(); } //新增
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
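*/
// Asks another process to load a DLL by starting a thread in it whose entry
// point is LoadLibraryA and whose argument is a path string copied into that
// process beforehand.
//
// Steps, as written: OpenProcess with thread-creation and VM read/write
// rights, VirtualAllocEx for a buffer, WriteProcessMemory to copy the path,
// CreateRemoteThread on LoadLibraryA, then wait for the thread to finish.
//
// Review notes:
//  - This is the DLL-injection pattern catalogued as MITRE ATT&CK T1055.001.
//    Sysmon records the cross-process handle as event ID 10 (ProcessAccess)
//    and the thread creation as event ID 8 (CreateRemoteThread); the access
//    mask requested below is a useful field to alert on.
//  - `pid` is not declared anywhere in the visible code, so the function does
//    not compile on its own.
//  - The path literal is itself absolute, yet it is appended to the system
//    directory string, so the result is not a loadable path as written.
//    Left unchanged; the intended location cannot be determined from here.
//  - Fixed relative to the original: the process handle was never closed, the
//    remote buffer was never released, the result of WriteProcessMemory was
//    ignored, the strcat was unbounded, and sizeof(szLibPath) bytes of a
//    partly uninitialised stack buffer were copied into the other process.
void injectProcess() {
    HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                                  FALSE, pid);
    if (hProcess == NULL)
        return;

    TRACE("InjectHook \n");

    static const char kDllName[] = "C:\\windows\\HookDll.dll";
    char szLibPath[_MAX_PATH] = {0};  // zero-filled: the whole buffer is copied out below
    void* pLibRemote = NULL;
    HANDLE hThread = NULL;
    DWORD hLibModule = 0;
    HMODULE hKernel32 = ::GetModuleHandleA("Kernel32");

    // Build the path only if the directory lookup succeeded and the suffix,
    // including its terminator, still fits in the buffer.
    if (::GetSystemDirectoryA(szLibPath, _MAX_PATH)
        && strlen(szLibPath) + sizeof(kDllName) <= sizeof(szLibPath))
    {
        strcat(szLibPath, kDllName);
        pLibRemote = ::VirtualAllocEx(hProcess, NULL, sizeof(szLibPath), MEM_COMMIT, PAGE_READWRITE);
    }

    // Start the thread only when the path really reached the other process.
    if (pLibRemote != NULL
        && ::WriteProcessMemory(hProcess, pLibRemote, (void*)szLibPath, sizeof(szLibPath), NULL))
    {
        hThread = ::CreateRemoteThread(hProcess, NULL, 0,
                                       (LPTHREAD_START_ROUTINE) ::GetProcAddress(hKernel32, "LoadLibraryA"),
                                       pLibRemote, 0, NULL);
    }

    if (hThread != NULL)
    {
        ::WaitForSingleObject(hThread, INFINITE);
        // The exit code is a DWORD, so on a 64-bit target it can hold at most
        // the low half of LoadLibraryA's return value. It is not used further.
        ::GetExitCodeThread(hThread, &hLibModule);
        ::CloseHandle(hThread);
    }

    // Release what was acquired, on every path.
    if (pLibRemote != NULL)
        ::VirtualFreeEx(hProcess, pLibRemote, 0, MEM_RELEASE);
    ::CloseHandle(hProcess);
}

// Local smoke test: installs the hook, shows a message box (which the hook
// replaces with its own text), then removes the hook again.
void test() {
    StartHook();

    // The lookup result was stored in a local that was never read; the call is
    // kept, the unused variables are gone.
    (void)DetourFindFunction("User32.dll", "MessageBoxA");

    // ANSI entry point named explicitly: the arguments are narrow literals.
    MessageBoxA(0, "test", "test", 0);

    EndHook();
}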