VEH HOOK API
; #NTDDI_VERSION = $05010000
; #WINVER = $0501
; #WIN32_WINNT = $0501
; #WIN32_IE = $0600
; #UNICODE = 1
;
BY: 知易 CLLROOT
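Global ghInstance.i    ; handle of the DLL instance (declared here, not used by the code in this file)
Global gfInitialized.i ; #True once the vectored exception handler has been registered
Global ghHookList.i    ; tail of the doubly-linked list of HookStruct nodes; walk hPrev to reach older entries
#HEAP_ZERO_MEMORY = 8  ; HeapAlloc_() flag: zero the block so every HookStruct field starts at 0

; Forward declaration: PureBasic resolves procedure names top-down and
; BreakpointHandler is first referenced (@BreakpointHandler in MemoryHook_Add)
; before its definition further down this file.
Declare.l BreakpointHandler(*exc.EXCEPTION_POINTERS)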
Structure HookStruct
hPrev.i ;' previous node in the hook list (towards the head)
hNext.i ;' next node in the hook list (towards the tail, ghHookList)
lpfnHook.i ;' address of the hooked function, where the int3 breakpoint is placed
lpfnHookCallback.i ;' procedure invoked from the exception handler with the thread CONTEXT
bOriginalCodeByte.B ;' original first byte of the hooked function, overwritten by $CC (int3)
dwOriginalProtection.i ;' original page protection (declared but never written by the code in this file)
EndStructure
; kernel32 export not covered by PureBasic's built-in API set. The decorated symbol
; "_AddVectoredExceptionHandler@8" is the 32-bit stdcall name (8 bytes of arguments);
; a 64-bit build would need the undecorated name, so this import is x86-specific.
Import "kernel32.lib"
AddVectoredExceptionHandler(a.i, b.i) As "_AddVectoredExceptionHandler@8" ; a = FirstHandler (non-zero: called before other handlers), b = handler address; returns 0 on failure
EndImport
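; Returns #True when a hook for lpfnHook is already registered, #False otherwise.
; Walks the list from the tail (ghHookList) towards the head via hPrev.
; The unused `Define.HookStruct pths` structure of the posted version is dropped.
Procedure.i MemoryHook_IsDuplicate(lpfnHook.i)
  Protected *node.HookStruct
  Protected hItem.i = ghHookList

  While hItem
    *node = hItem
    If *node\lpfnHook = lpfnHook
      ProcedureReturn #True
    EndIf
    hItem = *node\hPrev
  Wend

  ProcedureReturn #False
EndProcedure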
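; Unlinks the hook for lpfnHook from the list, restores the original first byte at
; the hooked address and frees the node. Does nothing when no such hook exists.
; Fixes relative to the posted version: `Local.i` declared a variable named "Local"
; instead of hPrev; the node was freed before its neighbours were re-linked; and the
; int3 was left in place, so the next call of the function would have raised an
; unrecognised breakpoint. The byte restore is inlined rather than calling
; RemoveBreakpoint(), which is defined further down and would need a Declare here.
Procedure MemoryHook_Remove(lpfnHook.i)
  Protected *node.HookStruct, *link.HookStruct
  Protected hItem.i = ghHookList
  Protected hPrev.i, hNext.i
  Protected dwOldProtection.i, dwTemp.i
  Protected *pbAddr.Byte

  While hItem
    *node = hItem
    If *node\lpfnHook = lpfnHook
      hPrev = *node\hPrev
      hNext = *node\hNext

      ; Put the original byte back while the node (which holds it) is still alive.
      If VirtualProtect_(*node\lpfnHook, 1, #PAGE_EXECUTE_READWRITE, @dwOldProtection)
        *pbAddr = *node\lpfnHook
        *pbAddr\b = *node\bOriginalCodeByte
        VirtualProtect_(*node\lpfnHook, 1, dwOldProtection, @dwTemp)
        FlushInstructionCache_(GetCurrentProcess_(), *node\lpfnHook, 1)
      EndIf

      ; Unlink first, then free, so no neighbour ever points at freed memory.
      If hPrev
        *link = hPrev
        *link\hNext = hNext
      EndIf
      If hNext
        *link = hNext
        *link\hPrev = hPrev
      EndIf
      If hItem = ghHookList
        ghHookList = hPrev
      EndIf
      HeapFree_(GetProcessHeap_(), 0, hItem)
      Break
    EndIf
    hItem = *node\hPrev
  Wend
EndProcedure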
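; Returns the ADDRESS of the stack slot dwOffset bytes above the faulting thread's
; stack pointer (not the slot's contents); callers read or write through it
; (see MemoryHook_setValueToStack). 32-bit only: it reads CONTEXT\Esp, and the
; kernel32 import above uses the x86 stdcall-decorated symbol. The commented-out
; x64 branch of the posted version is replaced by a clear compile-time error.
Procedure.i MemoryHook_getValueFromStack(*ctx.Context, dwOffset.i)
  CompilerIf #PB_Compiler_Processor <> #PB_Processor_x86
    CompilerError "MemoryHook_getValueFromStack: this hook API is 32-bit (x86) only"
  CompilerEndIf
  ProcedureReturn *ctx\Esp + dwOffset
EndProcedure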
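; Returns the ADDRESS of stack argument num (0-based) of the hooked function.
; At the hooked entry point [esp] holds the return address, so argument n is at
; esp + SizeOf(Integer) * (n + 1). SizeOf(Integer) replaces the posted version's
; SizeOf() of a dummy pointer variable; the value is the same.
Procedure.i MemoryHook_getArg(*ctx.Context, num.l)
  ProcedureReturn MemoryHook_getValueFromStack(*ctx, SizeOf(Integer) * (num + 1))
EndProcedure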
; Overwrites stack argument num (0-based) of the hooked function with dwValue.
; MemoryHook_getArg() yields the slot's address; the write goes through it.
Procedure MemoryHook_setArg(*ctx.Context, num.l, dwValue.i)
  Protected *slot.Integer = MemoryHook_getArg(*ctx, num)
  *slot\i = dwValue
EndProcedure
; Returns the ADDRESS of the return-address slot (the top-of-stack slot at the
; hooked entry point), not the return address itself; dereference it to read that.
Procedure.i MemoryHook_getReturnAddress(*ctx.Context)
  Protected dwTopOfStack.i = 0 ; offset 0 from Esp is the return-address slot
  ProcedureReturn MemoryHook_getValueFromStack(*ctx, dwTopOfStack)
EndProcedure
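; Replaces the address the hooked function will return to with dwValue.
; Fix: the posted version assigned the slot address to a plain variable `pdwAddress`
; instead of the pointer `*pdwAddress`, so the write went through a null pointer.
Procedure MemoryHook_setReturnAddress(*ctx.Context, dwValue.i)
  Protected *pdwAddress.Integer = MemoryHook_getReturnAddress(*ctx)
  If *pdwAddress
    *pdwAddress\i = dwValue
  EndIf
EndProcedure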
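; Writes dwValue into the stack slot dwOffset bytes above the thread's stack pointer.
; Fix: the posted version assigned the slot address to a plain variable `pdwAddress`
; instead of the pointer `*pdwAddress`, so the write went through a null pointer.
Procedure MemoryHook_setValueToStack(*ctx.CONTEXT, dwOffset.i, dwValue.i)
  Protected *pdwAddress.Integer = MemoryHook_getValueFromStack(*ctx, dwOffset)
  If *pdwAddress
    *pdwAddress\i = dwValue
  EndIf
EndProcedure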
; Set a breakpoint (int3) at an address
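; Writes an int3 ($CC) over the first byte at pAddr and returns the byte that was
; there, so RemoveBreakpoint() can restore it later. The byte type is signed, but
; only the bit pattern matters. A return of 0 is also what a failed VirtualProtect
; yields, so the caller cannot distinguish that from a genuine $00 opcode.
; Fixes relative to the posted version: it returned the undeclared `bOriginalOpcodef`
; (always 0), so the later restore would have written $00 instead of the real byte;
; a bare `SizeOf(bOriginalOpcode)` statement and the unused locals are dropped; the
; instruction cache is flushed after the write.
Procedure.b SetBreakpoint(pAddr.i)
  Protected bOriginalOpcode.b
  Protected dwOldProtection.i, dwTemp.i
  Protected *pbAddr.Byte = pAddr

  ; Code pages are not normally writable; open them for the one-byte patch.
  If VirtualProtect_(pAddr, 1, #PAGE_EXECUTE_READWRITE, @dwOldProtection) = 0
    Debug "SetBreakpoint: VirtualProtect failed for " + Str(pAddr)
    ProcedureReturn 0
  EndIf
  bOriginalOpcode = *pbAddr\b
  *pbAddr\b = $CC
  VirtualProtect_(pAddr, 1, dwOldProtection, @dwTemp)
  ; Make sure the CPU fetches the new byte rather than a stale cached one.
  FlushInstructionCache_(GetCurrentProcess_(), pAddr, 1)

  ProcedureReturn bOriginalOpcode
EndProcedure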
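; Installs a breakpoint hook: registers the vectored exception handler on first
; use, then (unless lpfnHook is already hooked) appends a HookStruct node to the
; list and overwrites the first byte of lpfnHook with int3. lpfnHookCallback is
; later invoked by BreakpointHandler with a pointer to the faulting thread's CONTEXT.
; Fixes relative to the posted version: the new node was stored in a stray pointer
; variable `*ghHookList` instead of the global `ghHookList`, so the list tail never
; advanced and the handler could not recognise its own breakpoints; the results of
; AddVectoredExceptionHandler and HeapAlloc_ are now checked.
Procedure MemoryHook_Add(lpfnHook.i, lpfnHookCallback.i)
  Protected *node.HookStruct, *tail.HookStruct
  Protected hItem.i

  If gfInitialized = 0
    ; First handler (#True) so our int3 is seen before any other VEH handler.
    ; NOTE(review): BreakpointHandler is defined after this procedure; PureBasic
    ; needs a `Declare` for it above this point for @BreakpointHandler to resolve.
    If AddVectoredExceptionHandler(#True, @BreakpointHandler) = 0
      Debug "MemoryHook_Add: AddVectoredExceptionHandler failed"
      ProcedureReturn
    EndIf
    gfInitialized = #True
  EndIf

  If MemoryHook_IsDuplicate(lpfnHook)
    ProcedureReturn
  EndIf

  hItem = HeapAlloc_(GetProcessHeap_(), #HEAP_ZERO_MEMORY, SizeOf(HookStruct))
  If hItem = 0
    Debug "MemoryHook_Add: HeapAlloc failed"
    ProcedureReturn
  EndIf

  ; Link the node in at the tail before arming the breakpoint, so the handler can
  ; already find it when the first int3 fires.
  If ghHookList
    *tail = ghHookList
    *tail\hNext = hItem
  EndIf
  *node = hItem
  *node\hPrev = ghHookList
  *node\hNext = #Null
  *node\lpfnHook = lpfnHook
  *node\lpfnHookCallback = lpfnHookCallback
  ghHookList = hItem

  *node\bOriginalCodeByte = SetBreakpoint(lpfnHook)
EndProcedure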
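; Restores bOriginalOpcode (as returned by SetBreakpoint) over the int3 at pAddr.
; Skips the write when the page cannot be made writable; flushes the instruction
; cache afterwards. The unused `nBytes` local of the posted version is dropped.
Procedure RemoveBreakpoint(pAddr.i, bOriginalOpcode.b)
  Protected dwOldProtection.i, dwTemp.i
  Protected *pbAddr.Byte = pAddr

  If VirtualProtect_(pAddr, 1, #PAGE_EXECUTE_READWRITE, @dwOldProtection) = 0
    Debug "RemoveBreakpoint: VirtualProtect failed for " + Str(pAddr)
    ProcedureReturn
  EndIf
  *pbAddr\b = bOriginalOpcode
  VirtualProtect_(pAddr, 1, dwOldProtection, @dwTemp)
  FlushInstructionCache_(GetCurrentProcess_(), pAddr, 1)
EndProcedure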
; The vectored exception handler that services the hooks
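; Vectored exception handler shared by every hook. Two-phase protocol:
;  1. STATUS_BREAKPOINT at a hooked address: restore the original byte, call the
;     hook's callback with the thread CONTEXT, set the trap flag (TF, bit 8 of
;     EFlags) and resume so the original first instruction runs single-stepped.
;  2. STATUS_SINGLE_STEP right after that instruction: re-arm the int3, clear TF.
; Returns #EXCEPTION_CONTINUE_EXECUTION for exceptions it handled and
; #EXCEPTION_CONTINUE_SEARCH for everything else.
; Fixes relative to the posted version:
;  - the hook being re-armed is remembered in a Static between the two phases
;    instead of assuming the first instruction is exactly 2 bytes (lpfnHook + 2);
;  - TF is cleared with `& ~$100` instead of only when EFlags was exactly $100;
;  - the callback is invoked with CallFunctionFast() instead of inline asm.
; Not thread-safe: two threads hitting hooks concurrently would share the Static
; and the lifted-int3 window.
Procedure.l BreakpointHandler(*exc.EXCEPTION_POINTERS)
  Static hPendingHook.i ; node whose int3 is currently lifted, 0 when none
  Protected *node.HookStruct
  Protected hItem.i
  Protected exceptionCode.i = *exc\ExceptionRecord\ExceptionCode
  Protected exceptionAddress.i = *exc\ExceptionRecord\ExceptionAddress

  Select exceptionCode
    Case #STATUS_BREAKPOINT
      ; Is this one of our int3s? Walk from the tail via hPrev.
      hItem = ghHookList
      While hItem
        *node = hItem
        If *node\lpfnHook = exceptionAddress
          Break
        EndIf
        hItem = *node\hPrev
      Wend
      If hItem = 0
        ProcedureReturn #EXCEPTION_CONTINUE_SEARCH ; not ours
      EndIf

      ; Temporarily lift the breakpoint so the original instruction can execute.
      RemoveBreakpoint(*node\lpfnHook, *node\bOriginalCodeByte)
      hPendingHook = hItem

      ; Hand the CONTEXT to the hook; it may inspect or rewrite arguments, the
      ; return address or Eip through the MemoryHook_* helpers.
      CallFunctionFast(*node\lpfnHookCallback, *exc\ContextRecord)

      ; Trap flag: the CPU raises STATUS_SINGLE_STEP after the next instruction.
      *exc\ContextRecord\EFlags = *exc\ContextRecord\EFlags | $00000100
      ProcedureReturn #EXCEPTION_CONTINUE_EXECUTION ; restart at the now-original instruction

    Case #STATUS_SINGLE_STEP
      If hPendingHook = 0
        ProcedureReturn #EXCEPTION_CONTINUE_SEARCH ; a single-step we did not request
      EndIf
      *node = hPendingHook
      hPendingHook = 0

      ; Re-arm the int3 (the original byte is still held in the node) and stop stepping.
      SetBreakpoint(*node\lpfnHook)
      *exc\ContextRecord\EFlags = *exc\ContextRecord\EFlags & ~$00000100
      ProcedureReturn #EXCEPTION_CONTINUE_EXECUTION

    Default
      ProcedureReturn #EXCEPTION_CONTINUE_SEARCH ; neither a breakpoint nor a single-step
  EndSelect
EndProcedure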
; Sample hook callback: runs inside the exception handler whenever the hooked
; MessageBox entry point is hit. *ctx points at the faulting thread's CONTEXT.
Procedure MessageBoxWHook(*ctx.Context)
  Protected marker.s = "sss"
  Debug marker
EndProcedure
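; Demo: hook the MessageBox entry point and show a requester before and after the
; hook is installed.
; Fixes relative to the posted version: the resolved export now matches the W variant
; the callback is named for (and that the Unicode build noted at the top, #UNICODE = 1,
; is expected to use); `Debug LibraryFunction$` printed an undeclared, empty string and
; is dropped; the OpenLibrary result is checked; the hook is unregistered and the
; library closed before the script ends.
hLib.i = OpenLibrary(0, "User32.dll") ; PureBasic's own loader rather than LoadLibrary_()
lpfn.i = 0

If hLib = 0
  Debug "OpenLibrary(User32.dll) failed"
Else
  lpfn = GetFunction(0, "MessageBoxW")
  Debug "MessageBoxW at " + Str(lpfn)

  MessageRequester("sss", "ddd", 0) ; before the hook: the callback must not fire

  If lpfn
    Debug "callback at " + Str(@MessageBoxWHook)
    MemoryHook_Add(lpfn, @MessageBoxWHook)
    MessageRequester("sss", "22222222222222", 1) ; with the hook: "sss" should appear in the debug output
    MemoryHook_Remove(lpfn) ; unregister the hook before the script exits
  EndIf

  CloseLibrary(0)
EndIf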
I still have some questions. Anyone who can fix the errors, please upload the corrected version. It is too late to keep going and I do not have the patience to debug it now. If you repair it successfully, please upload it.