first commit

Author: l-iberty

APIHookDemo/v1.0/APIHookDemo/.vs/APIHookDemo/v14/.suo

@@ -0,0 +1,38 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 14
+VisualStudioVersion = 14.0.23107.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "APIHookDemo", "APIHookDemo\APIHookDemo.vcxproj", "{F971A6B0-A734-402F-9E09-DF980A11273A}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "spy", "spy\spy.vcxproj", "{9126C561-B734-4D0B-98CA-F400A63D44D7}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{F971A6B0-A734-402F-9E09-DF980A11273A}.Debug|x64.ActiveCfg = Debug|x64
+		{F971A6B0-A734-402F-9E09-DF980A11273A}.Debug|x64.Build.0 = Debug|x64
+		{F971A6B0-A734-402F-9E09-DF980A11273A}.Debug|x86.ActiveCfg = Debug|Win32
+		{F971A6B0-A734-402F-9E09-DF980A11273A}.Debug|x86.Build.0 = Debug|Win32
+		{F971A6B0-A734-402F-9E09-DF980A11273A}.Release|x64.ActiveCfg = Release|x64
+		{F971A6B0-A734-402F-9E09-DF980A11273A}.Release|x64.Build.0 = Release|x64
+		{F971A6B0-A734-402F-9E09-DF980A11273A}.Release|x86.ActiveCfg = Release|Win32
+		{F971A6B0-A734-402F-9E09-DF980A11273A}.Release|x86.Build.0 = Release|Win32
+		{9126C561-B734-4D0B-98CA-F400A63D44D7}.Debug|x64.ActiveCfg = Debug|x64
+		{9126C561-B734-4D0B-98CA-F400A63D44D7}.Debug|x64.Build.0 = Debug|x64
+		{9126C561-B734-4D0B-98CA-F400A63D44D7}.Debug|x86.ActiveCfg = Debug|Win32
+		{9126C561-B734-4D0B-98CA-F400A63D44D7}.Debug|x86.Build.0 = Debug|Win32
+		{9126C561-B734-4D0B-98CA-F400A63D44D7}.Release|x64.ActiveCfg = Release|x64
+		{9126C561-B734-4D0B-98CA-F400A63D44D7}.Release|x64.Build.0 = Release|x64
+		{9126C561-B734-4D0B-98CA-F400A63D44D7}.Release|x86.ActiveCfg = Release|Win32
+		{9126C561-B734-4D0B-98CA-F400A63D44D7}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

APIHookDemo/v1.0/APIHookDemo/APIHookDemo.sln

@@ -0,0 +1,72 @@
+#define _CRT_SECURE_NO_WARNINS
+
+#include <Windows.h>
+#include <stdio.h>
+#include <ImageHlp.h>
+#pragma comment(lib,"ImageHlp")
+
+void ReplaceIATEntryInOneMod(PCSTR pszCalleeModName, PROC pfnOrig, PROC pfnNew, HMODULE hModCaller) {
+	ULONG ulSize;
+	PIMAGE_IMPORT_DESCRIPTOR pImportDesc = NULL;
+
+	pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(
+		hModCaller, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize);
+
+	if (pImportDesc == NULL)
+		return;  // This module has no import section or is no longer loaded
+
+				 // Find the import descriptor containing references to callee's functions
+	for (; pImportDesc->Name; pImportDesc++) {
+		PSTR pszModName = (PSTR)((PBYTE)hModCaller + pImportDesc->Name);
+		if (lstrcmpiA(pszModName, pszCalleeModName) == 0) {
+
+			// Get caller's import address table (IAT) for the callee's functions
+			PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)
+				((PBYTE)hModCaller + pImportDesc->FirstThunk);
+
+			// Replace original function address with new function address
+			for (; pThunk->u1.Function; pThunk++) {
+
+				// Is this the function we're looking for?
+				BOOL bFound = ((PROC)pThunk->u1.Function == pfnOrig);
+				if (bFound) {
+					// Get the address of the function address
+					PROC* ppfn = (PROC*)&pThunk->u1.Function;
+
+					DWORD dwOldProtect;
+					if (VirtualProtect(ppfn, sizeof(pfnNew), PAGE_EXECUTE_READWRITE, &dwOldProtect)) {
+						WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew, sizeof(pfnNew), NULL);
+					}
+					return;  // We did it, get out
+				}
+			}
+		}  // Each import section is parsed until the right entry is found and patched
+	}
+}
+
+int main() {
+	PROC pfnOrig, pfnNew;
+	HMODULE hModCaller, hInstLib;
+
+	pfnOrig = GetProcAddress(GetModuleHandle(TEXT("user32.dll")), "MessageBoxW");
+
+	hModCaller = GetModuleHandle(TEXT("APIHookDemo.exe")); // self-hook
+
+	hInstLib = LoadLibrary(TEXT("spy.dll"));
+	if (hInstLib == NULL) {
+		printf("LoadLibraryA Error: %d\n", GetLastError());
+		return EXIT_FAILURE;
+	}
+
+	pfnNew = (PROC)GetProcAddress(hInstLib, "SpyApiCalling");
+	if (pfnNew == NULL) {
+		printf("GetProcAddress Error: %d\n", GetLastError());
+		return EXIT_FAILURE;
+	}
+
+	ReplaceIATEntryInOneMod("user32.dll", pfnOrig, pfnNew, hModCaller);
+
+	MessageBoxW(0, TEXT("hello"), TEXT("test"), MB_OK);
+
+	return EXIT_SUCCESS;
+}

APIHookDemo/v1.0/APIHookDemo/APIHookDemo/APIHookDemo.cpp

@@ -0,0 +1,154 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{F971A6B0-A734-402F-9E09-DF980A11273A}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>APIHookDemo</RootNamespace>
+    <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="APIHookDemo.cpp" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

APIHookDemo/v1.0/APIHookDemo/APIHookDemo/APIHookDemo.vcxproj

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="源文件">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="头文件">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="资源文件">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="APIHookDemo.cpp">
+      <Filter>源文件</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>

APIHookDemo/v1.0/APIHookDemo/APIHookDemo/APIHookDemo.vcxproj.filters

@@ -0,0 +1,4 @@
+LIBRARY
+
+EXPORTS
+	SpyApiCalling

APIHookDemo/v1.0/APIHookDemo/Debug/APIHookDemo.exe

@@ -0,0 +1,12 @@
+#include <Windows.h>
+
+int WINAPI SpyApiCalling(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType) {
+	DWORD dwProcessId;
+	CHAR szMessage[128];
+
+	dwProcessId = GetCurrentProcessId();
+	wsprintfA(szMessage, "Process %d is calling MessageBoxW.", dwProcessId);
+	MessageBoxA(0, szMessage, "API Hook", MB_OK);
+
+	return 0;
+}