A module's import section lists the set of DLLs it depends on, and also holds a symbol table naming the symbols the module imports from each of those DLLs.
When the module calls an imported function, the thread does not jump to the function directly: it first fetches the imported function's address from the module's import table and then jumps to that address.
All strings in the import section are stored in ANSI format, and some compilers emit more than one import section.
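As an added example (not code from this page or from Richter's book), the walk below follows the same descriptor/IAT traversal the hook code performs, but from the defender's side: it counts IAT slots imported from a given DLL that no longer point into that DLL's mapped range, which is exactly the footprint an IAT hook leaves. The PE image, the module name and the addresses are constructed in the block, and the structure definitions are minimal stand-ins for the Windows ones so it runs without <Windows.h>.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Minimal stand-ins for the PE structures the page's code uses (64-bit image). */
typedef struct {
    uint32_t OriginalFirstThunk;   /* RVA of the import name table (unused here) */
    uint32_t TimeDateStamp;
    uint32_t ForwarderChain;
    uint32_t Name;                 /* RVA of the imported DLL's name (ANSI) */
    uint32_t FirstThunk;           /* RVA of this DLL's IAT */
} ImportDescriptor;

typedef struct { uint64_t Function; } ThunkData;   /* IMAGE_THUNK_DATA64.u1.Function */

/* Layout of the constructed image: descriptors at 0x100, DLL name at 0x200, IAT at 0x300. */
enum { IMAGE_SIZE = 0x400, DESC_RVA = 0x100, NAME_RVA = 0x200, IAT_RVA = 0x300 };

/* Where the exporting module is mapped; base/size are hypothetical values. */
typedef struct { const char *name; uint64_t base; uint64_t size; } ModuleRange;

/* lstrcmpiA stand-in: case-insensitive equality for ASCII module names. */
static int name_equal_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Walk the import section exactly as ReplaceIATEntryInOneMod does, but instead of
 * patching, count IAT slots for `callee` whose target lies outside callee's mapped
 * range. Returns -1 when the image imports nothing from that DLL. Caveat: forwarded
 * exports legitimately resolve into another DLL, so a hit is a lead, not proof. */
int count_iat_entries_outside_module(const uint8_t *image, const ModuleRange *callee)
{
    const ImportDescriptor *desc = (const ImportDescriptor *)(image + DESC_RVA);
    for (; desc->Name != 0; desc++) {              /* zero Name ends the descriptor array */
        const char *modName = (const char *)(image + desc->Name);
        if (!name_equal_nocase(modName, callee->name)) continue;
        const ThunkData *thunk = (const ThunkData *)(image + desc->FirstThunk);
        int outside = 0;
        for (; thunk->Function != 0; thunk++) {     /* zero Function ends the IAT */
            uint64_t target = thunk->Function;
            if (target < callee->base || target >= callee->base + callee->size)
                outside++;
        }
        return outside;
    }
    return -1;
}

/* Build the constructed image: one descriptor for User32.dll and a two-slot IAT. */
void build_sample_image(uint8_t *image, uint64_t slot0, uint64_t slot1)
{
    memset(image, 0, IMAGE_SIZE);
    ImportDescriptor *desc = (ImportDescriptor *)(image + DESC_RVA);
    desc[0].Name = NAME_RVA;
    desc[0].FirstThunk = IAT_RVA;                  /* desc[1] stays zero: terminator */
    memcpy(image + NAME_RVA, "User32.dll", sizeof "User32.dll");
    ThunkData *iat = (ThunkData *)(image + IAT_RVA);
    iat[0].Function = slot0;
    iat[1].Function = slot1;                       /* iat[2] stays zero: end of IAT */
}

/* One scenario end to end: user32 assumed mapped at 0x7FF800000000, 1 MiB long. */
int scan_sample(uint64_t slot0, uint64_t slot1, const char *calleeName)
{
    static uint64_t storage[IMAGE_SIZE / 8];        /* 8-byte aligned backing store */
    uint8_t *image = (uint8_t *)storage;
    ModuleRange user32 = { calleeName, 0x7FF800000000ULL, 0x100000 };
    build_sample_image(image, slot0, slot1);
    return count_iat_entries_outside_module(image, &user32);
}
```

On a live process the same walk runs over the module base returned by the loader, with the callee range taken from the module list, and a slot pointing into an unrelated module is the signal the MessageBox hook on this page would produce.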

//hook dll
/******************************************************************************
Module:  APIHook.h
Notices: Copyright (c) 2008 Jeffrey Richter & Christophe Nasarre
******************************************************************************/

#pragma once

#include <Windows.h>

///////////////////////////////////////////////////////////////////////////////

class CAPIHook {
public:
    // Hook a function in all modules
    CAPIHook(PSTR pszCalleeModName, PSTR pszFuncName, PROC pfnHook);

    // Unhook a function from all modules
    ~CAPIHook();

    // Returns the original address of the hooked function
    operator PROC() { return(m_pfnOrig); }

    // Hook the module containing the CAPIHook implementation?
    // Static because it is needed in ReplaceIATEntryInAllMods
    static BOOL ExcludeAPIHookMod;

public:
    // Calls the real GetProcAddress
    static FARPROC WINAPI GetProcAddressRaw(HMODULE hmod, PCSTR pszProcName);

private:
    static PVOID sm_pvMaxAppAddr; // Maximum private memory address
    static CAPIHook* sm_pHead;    // Address of first object
    CAPIHook* m_pNext;            // Address of next object
    PCSTR m_pszCalleeModName;     // Module containing the function (ANSI)
    PCSTR m_pszFuncName;          // Function name in callee (ANSI)
    PROC  m_pfnOrig;              // Original function address in callee
    PROC  m_pfnHook;              // Hook function address

private:
    // Replaces a symbol's address in all modules' import sections
    static void WINAPI ReplaceIATEntryInAllMods(PCSTR pszCalleeModName,
        PROC pfnOrig, PROC pfnHook);

    // Replaces a symbol's address in one module's import section
    static void WINAPI ReplaceIATEntryInOneMod(PCSTR pszCalleeModName,
        PROC pfnOrig, PROC pfnHook, HMODULE hmodCaller);

    // Replaces a symbol's address in a module's export section
    static void ReplaceEATEntryInOneMod(HMODULE hmod, PCSTR pszFunctionName,
        PROC pfnNew);

private:
    // Used when a DLL is newly loaded after hooking a function
    static void    WINAPI FixupNewlyLoadedModule(HMODULE hmod, DWORD dwFlags);

    // Used to trap when DLLs are newly loaded
    static HMODULE WINAPI LoadLibraryA(PCSTR pszModulePath);
    static HMODULE WINAPI LoadLibraryW(PCWSTR pszModulePath);
    static HMODULE WINAPI LoadLibraryExA(PCSTR pszModulePath,
        HANDLE hFile, DWORD dwFlags);
    static HMODULE WINAPI LoadLibraryExW(PCWSTR pszModulePath,
        HANDLE hFile, DWORD dwFlags);

    // Returns address of replacement function if hooked function is requested
    static FARPROC WINAPI GetProcAddress(HMODULE hmod, PCSTR pszProcName);

private:
    // Instantiates hooks on these functions
    static CAPIHook sm_LoadLibraryA;
    static CAPIHook sm_LoadLibraryW;
    static CAPIHook sm_LoadLibraryExA;
    static CAPIHook sm_LoadLibraryExW;
    static CAPIHook sm_GetProcAddress;
};

//////////////////////////////// End of File //////////////////////////////////


/******************************************************************************
Module:  APIHook.cpp
Notices: Copyright (c) 2008 Jeffrey Richter & Christophe Nasarre
******************************************************************************/

#include <Windows.h>
#include <CommCtrl.h>
#include <process.h>
#include <ImageHlp.h>
#pragma comment(lib, "ImageHlp")
#include "APIHook.h"
#include <tlhelp32.h>
#include <tchar.h>
#include <StrSafe.h>

///////////////////////////////////////////////////////////////////////////////

// The head of the linked list of CAPIHook objects
CAPIHook* CAPIHook::sm_pHead = NULL;

// By default, the module containing the CAPIHook() is not hooked
BOOL CAPIHook::ExcludeAPIHookMod = TRUE;

///////////////////////////////////////////////////////////////////////////////

CAPIHook::CAPIHook(PSTR pszCalleeModName, PSTR pszFuncName, PROC pfnHook) {
    // Note: the function can be hooked only if the exporting module
    //       is already loaded. A solution could be to store the function
    //       name as a member; then, in the hooked LoadLibrary* handlers, parse
    //       the list of CAPIHook instances, check if pszCalleeModName
    //       is the name of the loaded module to hook its export table and
    //       re-hook the import tables of all loaded modules.
    m_pNext  = sm_pHead;    // The next node was at the head
    sm_pHead = this;        // This node is now at the head

    // Save information about this hooked function
    m_pszCalleeModName = pszCalleeModName;
    m_pszFuncName      = pszFuncName;
    m_pfnHook          = pfnHook;
    m_pfnOrig          =
        GetProcAddressRaw(GetModuleHandleA(pszCalleeModName), m_pszFuncName);

    // If the function does not exist, there is nothing to hook.
    // This happens when the module is not already loaded.
    if (m_pfnOrig == NULL) {
        wchar_t szPathname[MAX_PATH];
        GetModuleFileNameW(NULL, szPathname, _countof(szPathname));
        wchar_t sz[1024];
        StringCchPrintfW(sz, _countof(sz),
            L"[%4u - %s] impossible to find %S\r\n",
            GetCurrentProcessId(), szPathname, pszFuncName);
        OutputDebugStringW(sz);
        return;
    }

#ifdef _DEBUG
    // This section was used for debugging sessions when Explorer died as
    // a folder content was requested
    //
    //static BOOL s_bFirstTime = TRUE;
    //if (s_bFirstTime)
    //{
    //   s_bFirstTime = FALSE;
    //   wchar_t szPathname[MAX_PATH];
    //   GetModuleFileNameW(NULL, szPathname, _countof(szPathname));
    //   wchar_t* pszExeFile = wcsrchr(szPathname, L'\\') + 1;
    //   OutputDebugStringW(L"Injected in ");
    //   OutputDebugStringW(pszExeFile);
    //   if (_wcsicmp(pszExeFile, L"Explorer.EXE") == 0)
    //   {
    //      DebugBreak();
    //   }
    //   OutputDebugStringW(L"\n   --> ");
    //   StringCchPrintfW(szPathname, _countof(szPathname), L"%S", pszFuncName);
    //   OutputDebugStringW(szPathname);
    //   OutputDebugStringW(L"\n");
    //}
#endif

    // Hook this function in all currently loaded modules
    ReplaceIATEntryInAllMods(m_pszCalleeModName, m_pfnOrig, m_pfnHook);
}

///////////////////////////////////////////////////////////////////////////////

CAPIHook::~CAPIHook() {
    // Unhook this function from all modules
    ReplaceIATEntryInAllMods(m_pszCalleeModName, m_pfnHook, m_pfnOrig);

    // Remove this object from the linked list
    CAPIHook* p = sm_pHead;
    if (p == this) {     // Removing the head node
        sm_pHead = p->m_pNext;
    } else {
        BOOL bFound = FALSE;

        // Walk list from head and fix pointers
        for (; !bFound && (p->m_pNext != NULL); p = p->m_pNext) {
            if (p->m_pNext == this) {
                // Make the node that points to us point to our next node
                p->m_pNext = p->m_pNext->m_pNext;
                bFound = TRUE;
            }
        }
    }
}

///////////////////////////////////////////////////////////////////////////////

// NOTE: This function must NOT be inlined
FARPROC CAPIHook::GetProcAddressRaw(HMODULE hmod, PCSTR pszProcName) {
    return(::GetProcAddress(hmod, pszProcName));
}

///////////////////////////////////////////////////////////////////////////////

// Returns the HMODULE that contains the specified memory address
static HMODULE ModuleFromAddress(PVOID pv) {
    MEMORY_BASIC_INFORMATION mbi;
    return((VirtualQuery(pv, &mbi, sizeof(mbi)) != 0)
        ? (HMODULE) mbi.AllocationBase : NULL);
}

///////////////////////////////////////////////////////////////////////////////

void CAPIHook::ReplaceIATEntryInAllMods(PCSTR pszCalleeModName,
    PROC pfnCurrent, PROC pfnNew) {

    HMODULE hmodThisMod = ExcludeAPIHookMod
        ? ModuleFromAddress(ReplaceIATEntryInAllMods) : NULL;

    // Get the list of modules in this process
    //CToolhelp th(TH32CS_SNAPMODULE, GetCurrentProcessId());
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,
        GetCurrentProcessId());
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return;  // No module list, so nothing can be patched

    MODULEENTRY32 me = { sizeof(me) };
    for (BOOL bOk = Module32First(hSnapshot, &me); bOk;
         bOk = Module32Next(hSnapshot, &me)) {
        // NOTE: We don't hook functions in our own module
        if (me.hModule != hmodThisMod) {
            // Hook this function in this module
            ReplaceIATEntryInOneMod(pszCalleeModName, pfnCurrent, pfnNew,
                me.hModule);
        }
    }
    CloseHandle(hSnapshot);
}

///////////////////////////////////////////////////////////////////////////////

// Handle unexpected exceptions if the module is unloaded
LONG WINAPI InvalidReadExceptionFilter(PEXCEPTION_POINTERS pep) {
    // Handle all unexpected exceptions because we simply don't patch
    // any module in that case
    LONG lDisposition = EXCEPTION_EXECUTE_HANDLER;

    // Note: pep->ExceptionRecord->ExceptionCode has 0xc0000005 as a value

    return(lDisposition);
}

void CAPIHook::ReplaceIATEntryInOneMod(PCSTR pszCalleeModName,
    PROC pfnCurrent, PROC pfnNew, HMODULE hmodCaller) {

    // Get the address of the module's import section
    ULONG ulSize;

    // An exception was triggered by Explorer (when browsing the content of
    // a folder) into imagehlp.dll. It looks like one module was unloaded...
    // Maybe some threading problem: the list of modules from Toolhelp might
    // not be accurate if FreeLibrary is called during the enumeration.
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc = NULL;
    __try {
        pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR) ImageDirectoryEntryToData(
            hmodCaller, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize);
    }
    __except (InvalidReadExceptionFilter(GetExceptionInformation())) {
        // Nothing to do in here, thread continues to run normally
        // with NULL for pImportDesc
    }

    if (pImportDesc == NULL)
        return;  // This module has no import section or is no longer loaded

    // Find the import descriptor containing references to callee's functions
    for (; pImportDesc->Name; pImportDesc++) {
        PSTR pszModName = (PSTR) ((PBYTE) hmodCaller + pImportDesc->Name);
        if (lstrcmpiA(pszModName, pszCalleeModName) == 0) {

            // Get caller's import address table (IAT) for the callee's functions
            PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)
                ((PBYTE) hmodCaller + pImportDesc->FirstThunk);

            // Replace current function address with new function address
            for (; pThunk->u1.Function; pThunk++) {

                // Get the address of the function address
                PROC* ppfn = (PROC*) &pThunk->u1.Function;

                // Is this the function we're looking for?
                BOOL bFound = (*ppfn == pfnCurrent);
                if (bFound) {
                    if (!WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew,
                        sizeof(pfnNew), NULL) && (ERROR_NOACCESS == GetLastError())) {
                        // The IAT page is read-only: make it copy-on-write,
                        // patch, then restore the old protection
                        DWORD dwOldProtect;
                        if (VirtualProtect(ppfn, sizeof(pfnNew), PAGE_WRITECOPY,
                            &dwOldProtect)) {
                            WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew,
                                sizeof(pfnNew), NULL);
                            VirtualProtect(ppfn, sizeof(pfnNew), dwOldProtect,
                                &dwOldProtect);
                        }
                    }
                    return;  // We did it, get out
                }
            }
        }  // Each import section is parsed until the right entry is found and patched
    }
}

///////////////////////////////////////////////////////////////////////////////

void CAPIHook::ReplaceEATEntryInOneMod(HMODULE hmod, PCSTR pszFunctionName,
    PROC pfnNew) {

    // Get the address of the module's export section
    ULONG ulSize;

    PIMAGE_EXPORT_DIRECTORY pExportDir = NULL;
    __try {
        pExportDir = (PIMAGE_EXPORT_DIRECTORY) ImageDirectoryEntryToData(
            hmod, TRUE, IMAGE_DIRECTORY_ENTRY_EXPORT, &ulSize);
    }
    __except (InvalidReadExceptionFilter(GetExceptionInformation())) {
        // Nothing to do in here, thread continues to run normally
        // with NULL for pExportDir
    }

    if (pExportDir == NULL)
        return;  // This module has no export section or is unloaded

    PDWORD pdwNamesRvas = (PDWORD) ((PBYTE) hmod + pExportDir->AddressOfNames);
    PWORD pdwNameOrdinals = (PWORD)
        ((PBYTE) hmod + pExportDir->AddressOfNameOrdinals);
    PDWORD pdwFunctionAddresses = (PDWORD)
        ((PBYTE) hmod + pExportDir->AddressOfFunctions);

    // Walk the array of this module's function names
    for (DWORD n = 0; n < pExportDir->NumberOfNames; n++) {
        // Get the function name
        PSTR pszFuncName = (PSTR) ((PBYTE) hmod + pdwNamesRvas[n]);

        // If not the specified function, try the next function
        if (lstrcmpiA(pszFuncName, pszFunctionName) != 0) continue;

        // We found the specified function
        // --> Get this function's ordinal value
        WORD ordinal = pdwNameOrdinals[n];

        // Get the address of this function's address
        PROC* ppfn = (PROC*) &pdwFunctionAddresses[ordinal];

        // Turn the new address into an RVA
        pfnNew = (PROC) ((PBYTE) pfnNew - (PBYTE) hmod);

        // Replace current function address with new function address
        if (!WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew,
            sizeof(pfnNew), NULL) && (ERROR_NOACCESS == GetLastError())) {
            DWORD dwOldProtect;
            if (VirtualProtect(ppfn, sizeof(pfnNew), PAGE_WRITECOPY,
                &dwOldProtect)) {
                WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew,
                    sizeof(pfnNew), NULL);
                VirtualProtect(ppfn, sizeof(pfnNew), dwOldProtect,
                    &dwOldProtect);
            }
        }
        break;  // We did it, get out
    }
}

///////////////////////////////////////////////////////////////////////////////

// Hook LoadLibrary functions and GetProcAddress so that hooked functions
// are handled correctly if these functions are called.
CAPIHook CAPIHook::sm_LoadLibraryA  ("Kernel32.dll", "LoadLibraryA",
    (PROC) CAPIHook::LoadLibraryA);
CAPIHook CAPIHook::sm_LoadLibraryW  ("Kernel32.dll", "LoadLibraryW",
    (PROC) CAPIHook::LoadLibraryW);
CAPIHook CAPIHook::sm_LoadLibraryExA("Kernel32.dll", "LoadLibraryExA",
    (PROC) CAPIHook::LoadLibraryExA);
CAPIHook CAPIHook::sm_LoadLibraryExW("Kernel32.dll", "LoadLibraryExW",
    (PROC) CAPIHook::LoadLibraryExW);
CAPIHook CAPIHook::sm_GetProcAddress("Kernel32.dll", "GetProcAddress",
    (PROC) CAPIHook::GetProcAddress);

///////////////////////////////////////////////////////////////////////////////

void CAPIHook::FixupNewlyLoadedModule(HMODULE hmod, DWORD dwFlags) {
    // If a new module is loaded, hook the hooked functions
    if ((hmod != NULL) &&   // Do not hook our own module
        (hmod != ModuleFromAddress(FixupNewlyLoadedModule)) &&
        ((dwFlags & LOAD_LIBRARY_AS_DATAFILE) == 0) &&
        ((dwFlags & LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE) == 0) &&
        ((dwFlags & LOAD_LIBRARY_AS_IMAGE_RESOURCE) == 0)) {

        for (CAPIHook* p = sm_pHead; p != NULL; p = p->m_pNext) {
            if (p->m_pfnOrig != NULL) {
                ReplaceIATEntryInAllMods(p->m_pszCalleeModName,
                    p->m_pfnOrig, p->m_pfnHook);
            } else {
#ifdef _DEBUG
                // We should never end up here
                wchar_t szPathname[MAX_PATH];
                GetModuleFileNameW(NULL, szPathname, _countof(szPathname));
                wchar_t sz[1024];
                StringCchPrintfW(sz, _countof(sz),
                    L"[%4u - %s] impossible to find %S\r\n",
                    GetCurrentProcessId(), szPathname, p->m_pszCalleeModName);
                OutputDebugStringW(sz);
#endif
            }
        }
    }
}

///////////////////////////////////////////////////////////////////////////////

HMODULE WINAPI CAPIHook::LoadLibraryA(PCSTR pszModulePath) {
    HMODULE hmod = ::LoadLibraryA(pszModulePath);
    FixupNewlyLoadedModule(hmod, 0);
    return(hmod);
}

HMODULE WINAPI CAPIHook::LoadLibraryW(PCWSTR pszModulePath) {
    HMODULE hmod = ::LoadLibraryW(pszModulePath);
    FixupNewlyLoadedModule(hmod, 0);
    return(hmod);
}

HMODULE WINAPI CAPIHook::LoadLibraryExA(PCSTR pszModulePath, HANDLE hFile,
    DWORD dwFlags) {
    HMODULE hmod = ::LoadLibraryExA(pszModulePath, hFile, dwFlags);
    FixupNewlyLoadedModule(hmod, dwFlags);
    return(hmod);
}

HMODULE WINAPI CAPIHook::LoadLibraryExW(PCWSTR pszModulePath, HANDLE hFile,
    DWORD dwFlags) {
    HMODULE hmod = ::LoadLibraryExW(pszModulePath, hFile, dwFlags);
    FixupNewlyLoadedModule(hmod, dwFlags);
    return(hmod);
}

///////////////////////////////////////////////////////////////////////////////

FARPROC WINAPI CAPIHook::GetProcAddress(HMODULE hmod, PCSTR pszProcName) {
    // Get the true address of the function
    FARPROC pfn = GetProcAddressRaw(hmod, pszProcName);

    // Is it one of the functions that we want hooked?
    CAPIHook* p = sm_pHead;
    for (; (pfn != NULL) && (p != NULL); p = p->m_pNext) {
        if (pfn == p->m_pfnOrig) {
            // The address to return matches an address we want to hook
            // Return the hook function address instead
            pfn = p->m_pfnHook;
            break;
        }
    }
    return(pfn);
}

//////////////////////////////// End of File //////////////////////////////////


// MessageBox hooks, compiled into the hook DLL together with APIHook.cpp
#include <Windows.h>
#include <StrSafe.h>
#include "APIHook.h"

// Prototypes for the hooked functions
typedef int (WINAPI *PFNMESSAGEBOXA)(HWND hWnd, PCSTR pszText,
    PCSTR pszCaption, UINT uType);
typedef int (WINAPI *PFNMESSAGEBOXW)(HWND hWnd, PCWSTR pszText,
    PCWSTR pszCaption, UINT uType);

// We need to reference these variables before we create them.
extern CAPIHook g_MessageBoxA;
extern CAPIHook g_MessageBoxW;

///////////////////////////////////////////////////////////////////////////////

// This function reports the MessageBox info (originally sent to a main
// dialog box; here written to the debugger output instead)
void SendLastMsgBoxInfo(BOOL bUnicode, PVOID pvCaption, PVOID pvText,
    int nResult) {

    // Get the pathname of the process displaying the message box
    wchar_t szProcessPathname[MAX_PATH];
    GetModuleFileNameW(NULL, szProcessPathname, MAX_PATH);

    // Convert the return value into a human-readable string
    PCWSTR pszResult = L"(Unknown)";
    switch (nResult) {
    case IDOK:       pszResult = L"Ok";        break;
    case IDCANCEL:   pszResult = L"Cancel";    break;
    case IDABORT:    pszResult = L"Abort";     break;
    case IDRETRY:    pszResult = L"Retry";     break;
    case IDIGNORE:   pszResult = L"Ignore";    break;
    case IDYES:      pszResult = L"Yes";       break;
    case IDNO:       pszResult = L"No";        break;
    case IDCLOSE:    pszResult = L"Close";     break;
    case IDHELP:     pszResult = L"Help";      break;
    case IDTRYAGAIN: pszResult = L"Try Again"; break;
    case IDCONTINUE: pszResult = L"Continue";  break;
    }

    // Construct the string to report
    wchar_t sz[2048];
    StringCchPrintfW(sz, _countof(sz), bUnicode
        ? L"Process: (%d) %s\r\nCaption: %s\r\nMessage: %s\r\nResult: %s"
        : L"Process: (%d) %s\r\nCaption: %S\r\nMessage: %S\r\nResult: %s",
        GetCurrentProcessId(), szProcessPathname,
        pvCaption, pvText, pszResult);

    // Send the string to the main dialog box
    //COPYDATASTRUCT cds = { 0, ((DWORD)wcslen(sz) + 1) * sizeof(wchar_t), sz };
    //FORWARD_WM_COPYDATA(FindWindow(NULL, TEXT("Last MessageBox Info")),
    //   NULL, &cds, SendMessage);
    ::OutputDebugStringW(sz);
}

///////////////////////////////////////////////////////////////////////////////

// This is the MessageBoxW replacement function
int WINAPI Hook_MessageBoxW(HWND hWnd, PCWSTR pszText, LPCWSTR pszCaption,
    UINT uType) {

    // Call the original MessageBoxW function
    int nResult = ((PFNMESSAGEBOXW)(PROC) g_MessageBoxW)
        (hWnd, pszText, pszCaption, uType);

    // Report the information
    SendLastMsgBoxInfo(TRUE, (PVOID) pszCaption, (PVOID) pszText, nResult);

    // Return the result back to the caller
    return(nResult);
}

///////////////////////////////////////////////////////////////////////////////

// This is the MessageBoxA replacement function
int WINAPI Hook_MessageBoxA(HWND hWnd, PCSTR pszText, PCSTR pszCaption,
    UINT uType) {

    // Call the original MessageBoxA function
    int nResult = ((PFNMESSAGEBOXA)(PROC) g_MessageBoxA)
        (hWnd, pszText, pszCaption, uType);

    // Report the information
    SendLastMsgBoxInfo(FALSE, (PVOID) pszCaption, (PVOID) pszText, nResult);

    // Return the result back to the caller
    return(nResult);
}

// Hook the MessageBoxA and MessageBoxW functions
CAPIHook g_MessageBoxA("User32.dll", "MessageBoxA", (PROC) Hook_MessageBoxA);
CAPIHook g_MessageBoxW("User32.dll", "MessageBoxW", (PROC) Hook_MessageBoxW);


//dllmain.cpp
#include <windows.h>

wchar_t log[1024] = { 0 };

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        wsprintfW(log, L"DLL_PROCESS_ATTACH tid:%d \n", GetCurrentThreadId());
        ::OutputDebugStringW(log);
        break;
    case DLL_THREAD_ATTACH:
        wsprintfW(log, L"DLL_THREAD_ATTACH tid:%d \n", GetCurrentThreadId());
        ::OutputDebugStringW(log);
        break;
    case DLL_THREAD_DETACH:
        wsprintfW(log, L"DLL_THREAD_DETACH tid:%d \n", GetCurrentThreadId());
        ::OutputDebugStringW(log);
        break;
    case DLL_PROCESS_DETACH:
        wsprintfW(log, L"DLL_PROCESS_DETACH tid:%d \n", GetCurrentThreadId());
        ::OutputDebugStringW(log);
        break;
    }
    return TRUE;
}

The hook DLL project builds injectdll.dll.

// inject exe project: injects the hook DLL into the test project's process.
#include <Windows.h>
#include <TlHelp32.h>
#include <tchar.h>
#include <stdio.h>

wchar_t log[1024] = { 0 };

BOOL WINAPI InjectLibW(DWORD dwProcessId, PCWSTR pszLibFile) {
    BOOL bOk = FALSE; // Assume that the function fails
    HANDLE hProcess = NULL, hThread = NULL;
    PWSTR pszLibFileRemote = NULL;

    __try {
        // Get a handle for the target process.
        hProcess = OpenProcess(
            PROCESS_QUERY_INFORMATION |   // Required by Alpha
            PROCESS_CREATE_THREAD     |   // For CreateRemoteThread
            PROCESS_VM_OPERATION      |   // For VirtualAllocEx/VirtualFreeEx
            PROCESS_VM_WRITE,             // For WriteProcessMemory
            FALSE, dwProcessId);
        if (hProcess == NULL) __leave;

        // Calculate the number of bytes needed for the DLL's pathname
        int cch = 1 + lstrlenW(pszLibFile);
        int cb  = cch * sizeof(wchar_t);

        // Allocate space in the remote process for the pathname
        pszLibFileRemote = (PWSTR) VirtualAllocEx(hProcess, NULL, cb,
            MEM_COMMIT, PAGE_READWRITE);
        if (pszLibFileRemote == NULL) __leave;

        // Copy the DLL's pathname to the remote process' address space
        if (!WriteProcessMemory(hProcess, pszLibFileRemote, (PVOID) pszLibFile,
            cb, NULL)) __leave;

        // Get the real address of LoadLibraryW in Kernel32.dll
        PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
            GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
        if (pfnThreadRtn == NULL) __leave;

        // Create a remote thread that calls LoadLibraryW(DLLPathname)
        DWORD remoteTID = 0;
        hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn,
            pszLibFileRemote, 0, &remoteTID);
        wsprintfW(log, L"CreateRemoteThread tid:%d for inject dll.\n", remoteTID);
        ::OutputDebugStringW(log);
        if (hThread == NULL) __leave;

        // Wait for the remote thread to terminate
        WaitForSingleObject(hThread, INFINITE);

        bOk = TRUE; // Everything executed successfully
    }
    __finally { // Now, we can clean everything up
        // Free the remote memory that contained the DLL's pathname
        if (pszLibFileRemote != NULL)
            VirtualFreeEx(hProcess, pszLibFileRemote, 0, MEM_RELEASE);
        if (hThread  != NULL) CloseHandle(hThread);
        if (hProcess != NULL) CloseHandle(hProcess);
    }
    return(bOk);
}

BOOL WINAPI EjectLibW(DWORD dwProcessId, PCWSTR pszLibFile) {
    BOOL bOk = FALSE; // Assume that the function fails
    HANDLE hthSnapshot = NULL;
    HANDLE hProcess = NULL, hThread = NULL;

    __try {
        // Grab a new snapshot of the process
        hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
        if (hthSnapshot == INVALID_HANDLE_VALUE) __leave;

        // Get the HMODULE of the desired library
        MODULEENTRY32W me = { sizeof(me) };
        BOOL bFound = FALSE;
        BOOL bMoreMods = Module32FirstW(hthSnapshot, &me);
        for (; bMoreMods; bMoreMods = Module32NextW(hthSnapshot, &me)) {
            bFound = (_wcsicmp(me.szModule,  pszLibFile) == 0) ||
                     (_wcsicmp(me.szExePath, pszLibFile) == 0);
            if (bFound) break;
        }
        if (!bFound) __leave;

        // Get a handle for the target process.
        hProcess = OpenProcess(
            PROCESS_QUERY_INFORMATION |
            PROCESS_CREATE_THREAD     |
            PROCESS_VM_OPERATION,  // For CreateRemoteThread
            FALSE, dwProcessId);
        if (hProcess == NULL) __leave;

        // Get the real address of FreeLibrary in Kernel32.dll
        PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
            GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "FreeLibrary");
        if (pfnThreadRtn == NULL) __leave;

        // Create a remote thread that calls FreeLibrary()
        //hThread = CreateRemoteThread(hProcess, NULL, 0,
        //   pfnThreadRtn, me.modBaseAddr, 0, NULL);
        DWORD remoteTID = 0;
        hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn,
            me.hModule, 0, &remoteTID);
        wsprintfW(log, L"CreateRemoteThread tid:%d for Eject dll.\n", remoteTID);
        ::OutputDebugStringW(log);
        if (hThread == NULL) __leave;

        // Wait for the remote thread to terminate
        WaitForSingleObject(hThread, INFINITE);

        bOk = TRUE; // Everything executed successfully
    }
    __finally { // Now we can clean everything up
        if (hthSnapshot != NULL && hthSnapshot != INVALID_HANDLE_VALUE)
            CloseHandle(hthSnapshot);
        if (hThread  != NULL) CloseHandle(hThread);
        if (hProcess != NULL) CloseHandle(hProcess);
    }
    return(bOk);
}

int main()
{
    // Build the full path of injectdll.dll next to this executable
    wchar_t szLibFile[MAX_PATH];
    GetModuleFileNameW(NULL, szLibFile, _countof(szLibFile));
    wchar_t *pFilename = wcsrchr(szLibFile, L'\\') + 1;
    wcscpy_s(pFilename, _countof(szLibFile) - (pFilename - szLibFile),
        L"injectdll.dll");

    DWORD pid = 0;
    wprintf_s(L"Please put in inject process ID:\n");
    wscanf_s(L"%d", &pid);

    InjectLibW(pid, szLibFile);
    getchar();   // Press Enter to eject the DLL again
    EjectLibW(pid, szLibFile);
    return 0;
}
// test project: the process that gets hooked
#include <Windows.h>
#include <stdio.h>

int main()
{
    OutputDebugStringW(L"this process will be injected with the hook dll.\n");
    while (true) {
        MessageBoxA(NULL, "MessageBoxA", "MessageBoxA TEST", MB_OKCANCEL);
        int ret = MessageBoxW(NULL, L"MessageBoxW", L"MessageBoxW TEST",
            MB_YESNOCANCEL);
        if (ret == IDNO) break;
    }
    getchar();
    return 0;
}

the test result:
