64位系统InlineHook

Posted 2020-10-29 BiaoGe

APIHook64Class.h

 1 #ifndef APIHOOK64CLASS_H_
 2 #define APIHOOK64CLASS_H_
 3 #include <Windows.h>
 4 
 5 class APIHook64
 6 {
 7 private:
 8     unsigned char code[12];
 9     unsigned char oldcode[12];
10     FARPROC addr;
11 
12 public:
13     APIHook64();
14     BOOL Hook(char *dllName,char *apiName,long long callfunc,BOOL bHook=TRUE);
15 };
16 
17 #endif

 

APIHook64Class.cpp

 1 #include "APIHook64Class.h"
 2 
 3 APIHook64::APIHook64()
 4 {
 5     /*
 6         mov eax,0x12345678
 7         push eax
 8         ret
 9     */
10     unsigned char c[12] = { 0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0xC3 };
11     RtlMoveMemory(APIHook64::code, c, 12);
12     memset(APIHook64::oldcode, 0, 12);
13     addr = NULL;
14 }
15 
16 BOOL APIHook64::Hook(char *dllName, char *apiName, long long callfunc, BOOL bHook)
17 {
18     BOOL bOk = FALSE;
19     DWORD dwOldProtect = 0;
20     long long api = callfunc;
21     HANDLE hPro = GetCurrentProcess();
22 
23     if (!APIHook64::oldcode[0])
24     {
25         addr = GetProcAddress(LoadLibrary(dllName), apiName);
26         RtlMoveMemory(APIHook64::code+2, &api, 8);
27         if (VirtualProtectEx(hPro, addr, 12, PAGE_EXECUTE_READWRITE, &dwOldProtect))
28         {
29             RtlMoveMemory(APIHook64::oldcode, addr, 12);
30         }
31     }
32     if (bHook)
33     {
34         bOk = WriteProcessMemory(hPro, addr, APIHook64::code, 12, NULL);
35     }
36     else {
37         bOk = WriteProcessMemory(hPro, addr, APIHook64::oldcode, 12, NULL);
38     }
39     VirtualProtectEx(hPro, addr, 12, dwOldProtect, &dwOldProtect);
40     CloseHandle(hPro);
41     return bOk;
42 }