在你的程序中做一个函数func(...)
调用 func1 = ApiSpy(NULL,"GDI32.DLL","TextOutA",(PROC)func)
那么你的程序没次调用TextOut时,就会调用func 为了不破坏原有功能
请在func中调用func1。如果想截获整个系统的api,你需要做一个全局HOOK
在HOOK的DLL里的初始化时调用本函数。主要代码如下:
PROC WINAPI
ApiSpy(PSTR pDllUse,PSTR pDllName,PSTR pApiName,PROC pNewPorc)
{
PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_NT_HEADERS pNTHeader;
PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
PIMAGE_THUNK_DATA pThunk;
PROC pOldProc;
DWORD oldpr;
static int Layer = 0;
if ( pDllUse == NULL )
Layer = 0;
pOldProc = GetProcAddress( GetModuleHandle(pDllName),pApiName );
if ( pOldProc == NULL )
return NULL;
pDosHeader = (PIMAGE_DOS_HEADER)GetModuleHandle(pDllUse);
if ( IsBadReadPtr(pDosHeader, sizeof(IMAGE_DOS_HEADER)) )
return NULL;
if ( pDosHeader->e_magic != IMAGE_DOS_SIGNATURE )
return NULL;
pNTHeader = MakePtr(PIMAGE_NT_HEADERS, pDosHeader, pDosHeader->e_lfanew);
if ( IsBadReadPtr(pNTHeader, sizeof(IMAGE_NT_HEADERS)) )
return NULL;
if ( pNTHeader->Signature != IMAGE_NT_SIGNATURE )
return NULL;
pImportDesc = MakePtr(PIMAGE_IMPORT_DESCRIPTOR, pDosHeader,
pNTHeader->OptionalHeader.
DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].
VirtualAddress);
if ( pImportDesc == (PIMAGE_IMPORT_DESCRIPTOR)pNTHeader )
return NULL;
__try{
while ( pImportDesc->Name ){
PSTR pszModName = MakePtr(PSTR, pDosHeader, pImportDesc->Name);
REM("[%s]",pszModName);
if ( stricmp(pszModName, pDllName) == 0 ){
pThunk = MakePtr(PIMAGE_THUNK_DATA, pDosHeader, pImportDesc->FirstThunk);
while ( pThunk->u1.Function ){
REM("[%s:%s] ? %s %8x ==> %8x",pDllName,pApiName,pszModName,
// (DWORD)pOldProc,(DWORD)pThunk->u1.Function);
if ( pThunk->u1.Function == (PDWORD)pOldProc ){
if (!VirtualProtect(pThunk, 16, PAGE_READWRITE,&oldpr)){
REM("VirtualProtect False");
}
REM("ApiSpy [%s:%s] OK !",pDllName,pApiName);
pThunk->u1.Function=(PDWORD)pNewPorc;
return pOldProc;
}
pThunk++;
}
return NULL;
}
else{
if ( Layer < __Layer ){
Layer ++;
ApiSpy(pszModName,pDllName,pApiName,pNewPorc);
}
}
pImportDesc++;
}
}
__except(TRUE){
return NULL;
}
return NULL;
} |
