VEH HOOK API


VEH HOOK API



; #NTDDI_VERSION                                  = $05010000
; #WINVER                                         = $0501
; #WIN32_WINNT                                    = $0501
; #WIN32_IE                                       = $0600
; #UNICODE                                        = 1       
; 

BY: 知易 CLLROOT


Global  ghInstance.i       ; ' handle of DLL instance (not referenced anywhere in this listing)
Global  gfInitialized.i    ; ' set to #True by MemoryHook_Add once AddVectoredExceptionHandler has been called
Global  ghHookList.i        ;' Tail of linked-list of HookStructs; walk backwards through hPrev, #Null when empty
#HEAP_ZERO_MEMORY = 8      ; HeapAlloc_ flag: return zero-filled memory (used for every HookStruct)

; One installed hook.  Nodes are heap-allocated by MemoryHook_Add, linked into
; a doubly-linked list whose tail is ghHookList, and freed by MemoryHook_Remove.
Structure HookStruct
 hPrev.i                   ;' previous node (towards the head), #Null for the first node
 hNext.i                   ;' next node (towards the tail), #Null for the tail
 lpfnHook.i               ;' address that was patched with int3 ($CC) - the hooked function
 lpfnHookCallback.i        ;' procedure BreakpointHandler calls with the CONTEXT pointer when the int3 fires
 bOriginalCodeByte.B       ;' byte that lived at lpfnHook before the patch; written back by RemoveBreakpoint
 dwOriginalProtection.i   ;' original page protection - never written in this listing (SetBreakpoint keeps it local)
EndStructure


Import "kernel32.lib"
  ; Imported by hand (presumably not in PureBasic's built-in API list).
  ; The "_Name@8" decoration is the 32-bit stdcall symbol (two 4-byte
  ; arguments: First, Handler); on x64 the export is undecorated, so this
  ; import, like the inline asm in BreakpointHandler, is x86-only.
  ; Returns a handle usable with RemoveVectoredExceptionHandler, or 0 on failure.
  AddVectoredExceptionHandler(a.i, b.i) As "_AddVectoredExceptionHandler@8"
  
EndImport

Procedure.i MemoryHook_IsDuplicate(lpfnHook.i)
  ; Reports whether a HookStruct for lpfnHook is already on the list.
  ; The list is walked from its tail (ghHookList) towards the head via hPrev.
  ; Returns #True on a match, #False otherwise (including an empty list).
  Protected *node.HookStruct = ghHookList

  While *node
    If *node\lpfnHook = lpfnHook
      ProcedureReturn #True
    EndIf
    *node = *node\hPrev
  Wend

  ProcedureReturn #False
EndProcedure




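Procedure MemoryHook_Remove(lpfnHook.i)
  ; Uninstalls the hook for lpfnHook: puts the original byte back, unlinks the
  ; node from the list and frees it.  No-op when lpfnHook is not hooked.
  ; Fixes vs. the original: the node was freed while the $CC patch stayed in
  ; the target, so the next call of lpfnHook raised a breakpoint no handler
  ; claimed; the node was also freed before its neighbours were relinked.
  Protected *node.HookStruct = ghHookList
  Protected *neighbour.HookStruct
  Protected hPrev.i, hNext.i
  Protected dwOldProtection.i, dwTemp.i

  While *node
    If *node\lpfnHook = lpfnHook
      ; Restore the patched byte first; the node is the only place it is kept.
      ; Same protect/write/restore sequence as SetBreakpoint, one byte only.
      If VirtualProtect_(lpfnHook, 1, #PAGE_EXECUTE_READWRITE, @dwOldProtection)
        PokeB(lpfnHook, *node\bOriginalCodeByte)
        VirtualProtect_(lpfnHook, 1, dwOldProtection, @dwTemp)
      EndIf

      hPrev = *node\hPrev
      hNext = *node\hNext
      If hPrev
        *neighbour = hPrev
        *neighbour\hNext = hNext
      EndIf
      If hNext
        *neighbour = hNext
        *neighbour\hPrev = hPrev
      EndIf
      If *node = ghHookList   ; removing the tail: the previous node becomes the tail
        ghHookList = hPrev
      EndIf

      HeapFree_(GetProcessHeap_(), 0, *node)
      Break
    EndIf
    *node = *node\hPrev
  Wend
EndProcedure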











  


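Procedure.i MemoryHook_getValueFromStack(*ctx.Context, dwOffset.i)
  ; Returns the ADDRESS of the stack slot dwOffset bytes above the stack
  ; pointer captured in *ctx - not the slot's value.  Callers dereference it
  ; with \i (see MemoryHook_setArg / MemoryHook_setValueToStack).
  ; The rest of this file is 32-bit only (EnableASM block uses ebx/esi/edi,
  ; the kernel32 import uses an @8 stdcall name), so instead of the original
  ; commented-out x64 branch (which read Esp from a CONTEXT that only has Rsp)
  ; the build now fails loudly on any other processor.
  CompilerIf #PB_Compiler_Processor = #PB_Processor_x86
    ProcedureReturn *ctx\Esp + dwOffset
  CompilerElse
    CompilerError "MemoryHook_getValueFromStack: this VEH hook library is written for 32-bit x86 only"
  CompilerEndIf
EndProcedure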


Procedure.i MemoryHook_getArg(*ctx.Context, num.l)
  ; Address of the stack slot holding argument num (0-based) of the hooked
  ; call.  Slot 0 above the stack pointer is the return address (see
  ; MemoryHook_getReturnAddress), so argument num lives num+1 slots up.
  Protected slotIndex.i = num + 1
  ProcedureReturn MemoryHook_getValueFromStack(*ctx, slotIndex * SizeOf(Integer))
EndProcedure

Procedure MemoryHook_setArg(*ctx.Context,num.l,dwValue.i)
  ; Overwrites argument num (0-based) in the captured stack frame with dwValue.
  ; The hooked function then sees dwValue when it resumes.
  Protected *slot.Integer = MemoryHook_getArg(*ctx, num)
  *slot\i = dwValue
EndProcedure



Procedure.i MemoryHook_getReturnAddress(*ctx.Context)
  ; Address of the slot at offset 0 from the captured stack pointer, i.e.
  ; where the return address of the hooked call is stored.
  Protected *slot.Integer = MemoryHook_getValueFromStack(*ctx, 0)
  ProcedureReturn *slot
EndProcedure
  
  
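  Procedure MemoryHook_setReturnAddress(*ctx.Context,dwValue.i)
    ; Replaces the return address of the hooked call with dwValue.
    ; Fix vs. the original: it assigned the result to the plain variable
    ; pdwAddress and then wrote through the separate, never-set pointer
    ; *pdwAddress (PureBasic treats `pdwAddress` and `*pdwAddress` as two
    ; different variables), i.e. a write through a null pointer.
    Protected *slot.Integer = MemoryHook_getReturnAddress(*ctx)
    *slot\i = dwValue
  EndProcedure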


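Procedure MemoryHook_setValueToStack(*ctx.CONTEXT,dwOffset.i,dwValue.i)
  ; Writes dwValue into the stack slot dwOffset bytes above the captured
  ; stack pointer (the counterpart of MemoryHook_getValueFromStack).
  ; Fix vs. the original: the address was stored in the plain variable
  ; pdwAddress while the write went through the unrelated, null pointer
  ; *pdwAddress - the same bug as in MemoryHook_setReturnAddress.
  Protected *slot.Integer = MemoryHook_getValueFromStack(*ctx, dwOffset)
  *slot\i = dwValue
EndProcedure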

;Rem Set breakpoint (patch one byte with int3)
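Procedure.b SetBreakpoint(pAddr.i)
  ; Overwrites the first byte at pAddr with int3 ($CC) and returns the byte it
  ; replaced so RemoveBreakpoint can put it back.  Returns 0 and patches
  ; nothing if the page cannot be made writable (a 0 opcode at a function
  ; entry is unlikely, but callers cannot tell the two apart).
  ; Fixes vs. the original: it returned the undeclared `bOriginalOpcodef`
  ; (always 0), so MemoryHook_Add stored 0 and later "restored" that; it also
  ; ignored the VirtualProtect result and carried unused locals.
  Protected bOriginalOpcode.b
  Protected dwOldProtection.i, dwTemp.i

  If VirtualProtect_(pAddr, 1, #PAGE_EXECUTE_READWRITE, @dwOldProtection) = 0
    ProcedureReturn 0
  EndIf

  bOriginalOpcode = PeekB(pAddr)
  PokeB(pAddr, $CC)

  ; Write access is only needed for the one-byte patch; give the page its
  ; previous protection back straight away.
  VirtualProtect_(pAddr, 1, dwOldProtection, @dwTemp)

  ProcedureReturn bOriginalOpcode
EndProcedure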

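; BreakpointHandler is defined further down the file but its address is
; taken here; PureBasic needs the forward declaration.
Declare.l BreakpointHandler(*exc.EXCEPTION_POINTERS)

Procedure MemoryHook_Add(lpfnHook.i,lpfnHookCallback.i)
  ; Installs a breakpoint hook on lpfnHook: on first use registers
  ; BreakpointHandler as a vectored exception handler, then appends a
  ; HookStruct at the tail of the list (ghHookList) and patches lpfnHook
  ; with int3.  Silently does nothing for a duplicate address, a failed
  ; handler registration or a failed allocation.
  ; Fixes vs. the original: `*ghHookList = hItem` wrote through an undeclared
  ; pointer instead of updating the global tail; `@BreakpointHandler` without
  ; () is the address of a variable, not of the procedure; the return value
  ; of AddVectoredExceptionHandler was only printed, never checked.
  Protected *node.HookStruct
  Protected *tail.HookStruct

  If gfInitialized = #False
    ; First=#True puts the handler ahead of other vectored handlers.  This
    ; registration and the int3 patch below are the two observable side
    ; effects of the library (both show up in a process's VEH list / code
    ; page integrity checks), so they stay confined to this procedure.
    If AddVectoredExceptionHandler(#True, @BreakpointHandler()) = #Null
      Debug "MemoryHook_Add: AddVectoredExceptionHandler failed"
      ProcedureReturn
    EndIf
    gfInitialized = #True
  EndIf

  If MemoryHook_IsDuplicate(lpfnHook)
    ProcedureReturn
  EndIf

  *node = HeapAlloc_(GetProcessHeap_(), #HEAP_ZERO_MEMORY, SizeOf(HookStruct))
  If *node = #Null
    ProcedureReturn
  EndIf

  *node\lpfnHook         = lpfnHook
  *node\lpfnHookCallback = lpfnHookCallback
  *node\hPrev            = ghHookList
  *node\hNext            = #Null
  If ghHookList
    *tail = ghHookList
    *tail\hNext = *node
  EndIf
  ghHookList = *node

  ; Patch last, so the handler never finds a node that is not fully linked.
  *node\bOriginalCodeByte = SetBreakpoint(lpfnHook)
EndProcedure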


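Procedure.i RemoveBreakpoint(pAddr.i,bOriginalOpcode.b)
  ; Writes bOriginalOpcode back over the int3 that SetBreakpoint placed at
  ; pAddr.  Returns #True on success and #False when the page could not be
  ; made writable - the int3 then stays in place, which the caller should
  ; know about.  (The original ignored the VirtualProtect result and
  ; declared an unused nBytes; the added return value is ignorable.)
  Protected dwOldProtection.i, dwTemp.i

  If VirtualProtect_(pAddr, 1, #PAGE_EXECUTE_READWRITE, @dwOldProtection) = 0
    ProcedureReturn #False
  EndIf

  PokeB(pAddr, bOriginalOpcode)
  VirtualProtect_(pAddr, 1, dwOldProtection, @dwTemp)

  ProcedureReturn #True
EndProcedure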

;Rem Exception handling (the VEH callback)

Procedure.l  BreakpointHandler(*exc.EXCEPTION_POINTERS)
  ; Vectored exception handler shared by every hook installed with
  ; MemoryHook_Add.  Each hit is handled in two phases (32-bit x86 only, see
  ; the EnableASM block):
  ;   1. #STATUS_BREAKPOINT at a hooked address: restore the original byte,
  ;      call the hook's callback with the CONTEXT pointer, set the trap flag
  ;      (EFlags bit 8, $100) and resume at the same address.
  ;   2. The following #STATUS_SINGLE_STEP: re-arm the int3 and clear the
  ;      trap flag.
  ; Returns #EXCEPTION_CONTINUE_EXECUTION for exceptions it owns and
  ; #EXCEPTION_CONTINUE_SEARCH for everything else.
  ; NOTE(review): between phase 1 and phase 2 the target is unpatched, so a
  ; call from another thread in that window presumably bypasses the hook.
  ; NOTE(review): MemoryHook_Add takes @BreakpointHandler before this
  ; definition; PureBasic needs a Declare for that.


  Define.HookStruct pths
  
  *pths.HookStruct=*pths
  
  hItem.i
  ; hActiveHook is a fresh local (zero-initialised), so #Null means "no match".
  hActiveHook.i
  exceptionCode.i
  exceptionAddress.i
  dwContext.i
  lpfnCallback.i
  


  exceptionCode = *exc\ExceptionRecord\ExceptionCode
  exceptionAddress = *exc\ExceptionRecord\ExceptionAddress

    If exceptionCode = #STATUS_BREAKPOINT
     ; '// Check whether this is one of our breakpoints: walk the list from
     ; '// the tail (ghHookList) back through hPrev.
      hItem = ghHookList

      While hItem
        *pths = hItem
        If *pths\lpfnHook = exceptionAddress 
          hActiveHook = hItem
          Break
        EndIf
        hItem = *pths\hPrev
      Wend

      If hActiveHook = #Null
        
        ProcedureReturn  #EXCEPTION_CONTINUE_SEARCH

      EndIf

      ;Rem Temporarily remove the breakpoint (put the original byte back)

      *pths = hActiveHook
      RemoveBreakpoint(*pths\lpfnHook, *pths\bOriginalCodeByte)

      ;Rem Call our callback with the thread's CONTEXT pointer as its only
      ;Rem argument.  ebx/esi/edi are preserved around the call; nothing
      ;Rem pops the pushed argument afterwards, so this relies on the callee
      ;Rem cleaning the stack (stdcall) - TODO confirm for the callback ABI.
            dwContext     = *exc\ContextRecord
            lpfnCallback  = *pths\lpfnHookCallback
EnableASM  
PUSH  ebx
PUSH  esi
PUSH  edi
PUSH  dwContext
CALL  lpfnCallback
POP   edi
POP   esi
POP   ebx  
DisableASM 

      ; Rem Set the trap flag in EFlags so the CPU raises STATUS_SINGLE_STEP
      ; Rem right after the restored original instruction executes.
        *exc\ContextRecord\EFlags = *exc\ContextRecord\EFlags | $00000100

        ;'// Restart the instruction
        ProcedureReturn #EXCEPTION_CONTINUE_EXECUTION
       
    ElseIf exceptionCode =#STATUS_SINGLE_STEP
      ;Rem If it is not one of ours, pass it on to the next handler.
      hItem = ghHookList

      While hItem
        *pths = hItem
        ; NOTE(review): matches only when the single-step lands exactly 2
        ; bytes past the hook, i.e. assumes the patched instruction is 2
        ; bytes long - confirm for each hooked target.
        If (*pths\lpfnHook + 2) = exceptionAddress 
          hActiveHook = hItem
          Break
        EndIf
        hItem = *pths\hPrev
      Wend

      If hActiveHook = #Null 
        ProcedureReturn  #EXCEPTION_CONTINUE_SEARCH
      
      EndIf

      ;Rem The original instruction has run: re-arm the int3.
      *pths = hActiveHook
      SetBreakpoint(*pths\lpfnHook)

      ; Rem Clear the trap flag.
      ; NOTE(review): the intent (see the author's trailing comment) is to
      ; clear bit 8 with EFlags & ~$100; as written the flag is only cleared
      ; when EFlags is exactly $100, otherwise TF stays set and the next
      ; instruction traps again.
      If *exc\ContextRecord\EFlags = $00000100
      *exc\ContextRecord\EFlags=0
      Else
      *exc\ContextRecord\EFlags = *exc\ContextRecord\EFlags ;And Not &H00000100 ; author's note: possible bug here
      EndIf
      ;' Continue execution
      ProcedureReturn  #EXCEPTION_CONTINUE_EXECUTION
    
    ;Rem Neither a breakpoint nor a single step - definitely not ours!
    Else
      ProcedureReturn #EXCEPTION_CONTINUE_SEARCH
    EndIf

EndProcedure
; Demo hook callback.  BreakpointHandler calls it with the faulting thread's
; CONTEXT pointer before the original instruction at the hooked address runs;
; arguments of the intercepted call could be read/changed through
; MemoryHook_getArg / MemoryHook_setArg, this demo only logs.
; NOTE(review): named after MessageBoxW, but the script below hooks MessageBoxA.
Procedure  MessageBoxWHook(*ctx.Context)
              
       Debug "sss"
              
EndProcedure

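   ; --- Demo: hook MessageBoxA in this process, show a box, then unhook ---
   ; Fixes vs. the original: handles/pointers are .i (PureBasic's pointer-sized
   ; type) instead of .l; `Debug LibraryFunction$` referenced an undefined
   ; variable; `@MessageBoxWHook` without () is the address of a variable, not
   ; of the procedure; the hook was never removed and the library never closed.
   ; NOTE(review): with #UNICODE = 1 (header) MessageRequester may go through
   ; MessageBoxW rather than MessageBoxA, in which case this hook never fires -
   ; confirm which export is hit before relying on the demo.
   DLLHandle.i = OpenLibrary(0, "User32.dll")
   lpfn.i = 0

   If DLLHandle
     lpfn = GetFunction(0, "MessageBoxA")
   EndIf
   Debug lpfn

   ; Baseline call before the hook is installed.
   MessageRequester("sss","ddd",0)

   If lpfn
     Debug "back     "+Str(@MessageBoxWHook())
     MemoryHook_Add(lpfn, @MessageBoxWHook())

     MessageRequester("sss","22222222222222",1)

     ; Leave the target unpatched before exit.
     MemoryHook_Remove(lpfn)
   EndIf

   If DLLHandle
     CloseLibrary(0)
   EndIf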


I still have some questions.

If you can fix the errors, please upload the corrected version.

It is too late and I need to rest; I have no patience left to debug this.

If you repair it successfully, please upload it.