<![CDATA[Heck's Blog]]> https://www.heckjj.com/index.php zh-cn https://www.heckjj.com/intercept-and-capture-sys-function-html/ <![CDATA[截获系统函数]]> Heck <@hecks.tk> Wed, 27 Oct 2010 02:54:34 +0000 https://www.heckjj.com/intercept-and-capture-sys-function-html/ 系统函数重定位的例子,从<<计算机世界日报>>上Copy出来的.

    //源程序 relocate.c
    #include <WINDOWS.H>
    #include <dos.h>
    BOOL WINAPI MyExtTextOut(HDC hDC, int x, int y, UINT nIn
t1, const RECTFAR*p Rect,LPCSTR lpStr, UINT nInt2, int FAR*
lpInt);
    WORD FAR PASCAL AllocCStoDSAlias(WORD code_sel);
    typedef struct tagFUNC
    {
    FARPROC lpFarProcReplace;  //替代函数地址
    FARPROC lpFarProcWindows;  //Windows函数地址
    BYTE    bOld;        //保存原函数第一字节
    LONG    lOld;        //保存原函数接后的四字节长值
    }FUNC;
    FUNC  Func={MyExtTextOut,ExtTextOut};
    //Windows主函数
    int PASCAL WinMain(HINSTANCE hInstance,HINSTANCE hPrevIn
stance,LPSTR lpCmdi ne,int nCmdShow){
    HANDLE hMemCode;  //代码段句柄
    WORD hMemData;    //相同基址的可写数据段别名
    WORD   wOffset;   //函数偏移
    LPSTR  lpStr;
    LPLONG lpLong;
    char   lpNotice[96];
    hMemCode=HIWORD((LONG) Func.lpFarProcWindows );
    wOffset=LOWORD((LONG) Func.lpFarProcWindows );
    wsprintf(lpNotice,"函数所在模块句柄 0x%4xH,偏移 0x%4xH",
hMemCode,wOffset);
     MessageBox(NULL,lpNotice,"提示",MB_OK);
     //取与代码段有相同基址的可写数据段别名
     hMemData=AllocCStoDSAlias(hMemCode);
     lpStr=GlobalLock(hMemData);
     lpLong=(lpStr+wOffset+1 );
     //保存原函数要替换的头几个字节
    Func.bOld=*(lpStr+wOffset);
    Func.lOld=*lpLong;
    *(lpStr+wOffset)=0xEA;
    *lpLong=Func.lpFarProcReplace;
    GlobalUnlock(hMemData);
    MessageBox(NULL,"改为自己的函数","提示",MB_OK);
    //将保留的内容改回来
    hMemData=AllocCStoDSAlias(hMemCode);
    lpStr=GlobalLock(hMemData);
    lpLong=(lpStr+wOffset+1 );
    *(lpStr+wOffset)=Func.bOld;
    *lpLong=Func.lOld;
    GlobalUnlock(hMemData);
    MessageBox(NULL,"改回原Windows函数","提示",MB_OK);
    return 1;
    }
    //自己的替代函数
    BOOL WINAPI MyExtTextOut(HDC hDC, int x, int y, UINT nIn
t1, const RECT FAR lpRect, LPCSTR lpStr, UINT nInt2, int FAR
* lpInt){
    BYTE NameDot[96]={
    0x09, 0x00, 0xfd, 0x08, 0x09, 0x08, 0x09, 0x10, 0x09, 0x
20,
    0x79, 0x40, 0x41, 0x04, 0x47, 0xfe, 0x41, 0x40, 0x79, 0x
40,
    0x09, 0x20, 0x09, 0x20, 0x09, 0x10, 0x09, 0x4e, 0x51, 0x
84,
    0x21, 0x00, 0x02, 0x00, 0x01, 0x04, 0xff, 0xfe, 0x00, 0x
00,
    0x1f, 0xf0, 0x10, 0x10, 0x10, 0x10, 0x1f, 0xf0, 0x00, 0x
00,
    0x7f, 0xfc, 0x40, 0x04, 0x4f, 0xe4, 0x48, 0x24, 0x48, 0x
24,
    0x4f, 0xe4, 0x40, 0x0c, 0x10, 0x80, 0x10, 0xfc, 0x10, 0x
88,
    0x11, 0x50, 0x56, 0x20, 0x54, 0xd8, 0x57, 0x06, 0x54, 0x
20,
    0x55, 0xfc, 0x54, 0x20, 0x55, 0xfc, 0x5c, 0x20, 0x67, 0x
fe,
    0x00, 0x20, 0x00, 0x20, 0x00, 0x20
    };
    HBITMAP hBitmap,hOldBitmap;
    HDC     hMemDC;
    BYTE far *lpDot;
    int     i;
    for ( i=0;i<3;i++ )
    {
    lpDot=(LPSTR)NameDot+i*32;
    hMemDC=CreateCompatibleDC(hDC);
    hBitmap=CreateBitmap(16,16,1,1,lpDot);
    SetBitmapBits(hBitmap,32L,lpDot);
    hOldBitmap=SelectObject(hMemDC,hBitmap);
    BitBlt(hDC,x+i*16,y,16,16,hMemDC,0,0,SRCCOPY);
    DeleteDC(hMemDC);
    DeleteObject(hBitmap);
    }
    return TRUE;
    }
    //模块定义文件  relocate.def
    NAME    RELOCATE
    EXETYPE   WINDOWS
    CODE      PRELOAD MOVEABLE DISCARDABLE
    DATA      PRELOAD MOVEABLE MULTIPLE
    HEAPSIZE  1024
    EXPORTS
Tags - , ]]> https://www.heckjj.com/intercept-and-capture-sys-function-html/#blogcomment <![CDATA[[评论] 截获系统函数]]> <user@domain.com> Thu, 01 Jan 1970 00:00:00 +0000 https://www.heckjj.com/intercept-and-capture-sys-function-html/#blogcomment