#include<Windows.h>
#include<cstdio>
// Snapshot of the eight x86 general-purpose registers as captured by HookProc.
// Field order mirrors the PUSHAD order (eax, ecx, edx, ebx, esp, ebp, esi, edi),
// though HookProc fills each member by name, so the layout is not relied on.
typedef struct _Register{
DWORD eax;
DWORD ecx;
DWORD edx;
DWORD ebx;
DWORD esp;   // value of ESP at capture time, i.e. after PUSHAD/PUSHFD in HookProc
DWORD ebp;
DWORD esi;
DWORD edi;
}Register;
// Register snapshot written by HookProc's inline asm. A single global, so the
// dump is not meaningful if the hooked function is entered recursively or from
// several threads at once.
_Register reg = { 0 };
// Entry address of the hooked function; assigned in main from a hard-coded value.
DWORD dwPlusFunctionAddr;
// Address HookProc jumps to after replaying the prologue bytes it displaced.
DWORD dwPlusFunctionHookAfterAddr;
// Copy of the original bytes overwritten by InstallInlineHook (heap-allocated there).
PBYTE pEditedAddr;
// Trampoline reached by the JMP that InstallInlineHook writes at the entry of
// the target: dumps the register state, replays the prologue instructions the
// JMP overwrote, then resumes in the original function. Declared naked so the
// compiler emits no prologue/epilogue of its own; when the asm below runs the
// stack is exactly as the hooked function's caller left it.
extern "C" _declspec(naked)void HookProc(){
// Preserve all general-purpose registers and EFLAGS before any C code runs.
__asm{
pushad;
pushfd;
}
// Copy the register values (still intact apart from ESP) into the global snapshot.
// reg.esp is read after PUSHAD/PUSHFD, so it is 36 bytes below the caller's ESP.
__asm{
mov reg.eax, eax;
mov reg.ecx, ecx;
mov reg.edx, edx;
mov reg.ebx, ebx;
mov reg.esp, esp;
mov reg.ebp, ebp;
mov reg.esi, esi;
mov reg.edi, edi;
}
// NOTE(review): calling into the CRT from a naked hook assumes printf is safe
// to enter at this point and that it leaves ESP balanced (cdecl); the format
// string has no trailing newline, so the output may stay buffered.
printf("%x %x %x %x %x %x %x %x", reg.eax, reg.ecx, reg.edx, reg.ebx, reg.esp, reg.ebp, reg.esi, reg.edi);
// Restore EFLAGS and registers so the replayed prologue sees the original state.
__asm{
popfd;
popad;
}
// Replay the bytes displaced by the hook: this is the 6-byte debug-build
// prologue of plus() (push ebp = 1, mov ebp,esp = 2, sub esp,40h = 3). It must
// match the dwHookLength passed to InstallInlineHook (6 in main).
__asm{
push ebp;
mov ebp, esp;
sub esp, 40h;
}
// Continue at the first instruction after the overwritten span. In MSVC
// inline asm a data symbol here is presumably taken as a memory operand,
// i.e. an indirect jump through the global — confirm in the disassembly.
__asm{
jmp dwPlusFunctionHookAfterAddr;
}
}
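// Overwrites the first dwHookLength bytes at dwPlusFunctionAddr with a 5-byte
// relative JMP (E9 rel32) to HookProc and NOPs any remainder.
//
// dwPlusFunctionAddr: entry address of the function to hook (the parameter
//   shadows the global of the same name, which main sets to the same value).
// dwHookLength: number of bytes to displace. Must be >= 5 for the JMP and must
//   equal the instruction bytes HookProc replays (6 for plus() here), otherwise
//   execution resumes in the middle of an instruction.
//
// On success the original bytes are kept in the global pEditedAddr so they can
// be restored later. Prints a message and returns without patching on failure.
void InstallInlineHook(DWORD dwPlusFunctionAddr, DWORD dwHookLength){
    // A relative JMP is 5 bytes; a shorter span would make the write below
    // run past the bytes the caller agreed to displace.
    if (dwHookLength < 5){
        printf("Hook length %lu is too short for a 5-byte JMP\n", dwHookLength);
        return;
    }
    // Save the original dwHookLength bytes. Note: new BYTE(dwHookLength) would
    // allocate a SINGLE byte initialised to dwHookLength, and the memcpy would
    // then overflow the heap block; an array allocation is required.
    pEditedAddr = new BYTE[dwHookLength];
    memcpy(pEditedAddr, (LPVOID)dwPlusFunctionAddr, dwHookLength);
    DWORD dwOldProtect;
    BOOL ret = VirtualProtect((LPVOID)dwPlusFunctionAddr, dwHookLength, PAGE_EXECUTE_READWRITE, &dwOldProtect);
    if (!ret){
        printf("VirtualProtect Failed, the error is %d", GetLastError());
        // Nothing was patched, so the saved copy has no owner; release it.
        delete[] pEditedAddr;
        pEditedAddr = NULL;
        return;
    }
    // Address of the hook routine.
    DWORD dwHookProc = (DWORD)HookProc;
    // rel32 displacement: target minus the address of the instruction after the JMP.
    DWORD dwJmpAddr = dwHookProc - (dwPlusFunctionAddr + 5);
    // Fill the whole span with NOP (0x90) first so the bytes after the JMP are
    // harmless if ever reached.
    memset((PBYTE)dwPlusFunctionAddr, 0x90, dwHookLength);
    // Write the JMP opcode and its displacement.
    *(PBYTE)dwPlusFunctionAddr = 0xE9;
    *(PDWORD)((PBYTE)dwPlusFunctionAddr + 1) = dwJmpAddr;
    // Put the page protection back so the code page is not left writable;
    // failure here is reported but the hook is already in place.
    DWORD dwTmpProtect;
    if (!VirtualProtect((LPVOID)dwPlusFunctionAddr, dwHookLength, dwOldProtect, &dwTmpProtect)){
        printf("VirtualProtect (restore) Failed, the error is %d", GetLastError());
    }
    // Make sure the CPU does not execute stale pre-patch bytes from its cache.
    FlushInstructionCache(GetCurrentProcess(), (LPVOID)dwPlusFunctionAddr, dwHookLength);
}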
// Stub: intended to write the bytes saved in pEditedAddr back over the JMP and
// release the buffer. As written it does neither, so the hook stays installed
// for the lifetime of the process and pEditedAddr is never freed.
void UninstallInlineHook(){
}
// Target of the demo hook: returns the sum of its two arguments.
// Kept trivial so its debug-build prologue is the fixed 6-byte sequence
// that HookProc replays.
int plus(int x, int y)
{
    int sum = x;
    sum += y;
    return sum;
}
// Demo driver: installs the hook on plus() and calls it once so HookProc fires.
// Command-line arguments are not used.
int main(int argc, char* argv[]){
    (void)argc;
    (void)argv;
    // Address of plus() as observed in the author's debug build. It is not
    // derived from the symbol, so it has to be re-read from the disassembly
    // whenever the binary is rebuilt, otherwise the wrong bytes are patched.
    const DWORD targetAddr = (DWORD)0x0411510;
    dwPlusFunctionAddr = targetAddr;
    // HookProc replays the 6-byte prologue and resumes right after it.
    dwPlusFunctionHookAfterAddr = targetAddr + 6;
    InstallInlineHook(targetAddr, 6);
    // Result is deliberately discarded; the call exists only to trigger the hook.
    (void)plus(2,3);
    return 0;
}
原文:https://www.cnblogs.com/zpchcbd/p/13382773.html