HOOK是一種WINDOWS下存在很久的技術(shù)了。?
HOOK一般分兩種1。HOOK?MESSAGE??2。HOOK?API?本問(wèn)討論的是HOOK?API。（如果你是HOOK高手就不要看了）?
在最初學(xué)HOOK-API的時(shí)候通常都是通過(guò)覆蓋地址和修改IAT的方法。
通過(guò)這兩種技術(shù)，我們基本都可以實(shí)現(xiàn)對(duì)本進(jìn)程的API函數(shù)進(jìn)行HOOK了。但是在高興之余會(huì)有點(diǎn)遺憾，
怎么才能HOOK其他進(jìn)程的API函數(shù)呢？怎么才能對(duì)一個(gè)API函數(shù)進(jìn)行全局的HOOK呢？
下面是我的一個(gè)簡(jiǎn)單的“HOOK其他進(jìn)程API函數(shù)”的實(shí)現(xiàn)。（對(duì)另一進(jìn)程的MessageBoxA這個(gè)函數(shù)進(jìn)行HOOK）?

其實(shí)里面的應(yīng)用了兩個(gè)技術(shù)
1。遠(yuǎn)程線程注入?
2。修改IAT，HOOK-API

好了貼出代碼如下：
一共是3個(gè)文件
install.c??注入程序?
fundll.cpp??DLL程序?
test.cpp??測(cè)試程序??

CODE:

//-------------------------install.c--------------------------
//
//install.c

#include?"windows.h"
#include?"tlhelp32.h"

#pragma?comment(lib,"th32.lib")

const?char?*pkill="fundll.dll";????????????????//DLL文件的路徑

//這個(gè)路徑很有意思，這個(gè)路徑是相對(duì)于目標(biāo)進(jìn)程的，而不是自身進(jìn)程。
//所以要嘛寫(xiě)成絕對(duì)路徑，要嘛寫(xiě)成相對(duì)于目標(biāo)進(jìn)程的相對(duì)路徑。
//如果寫(xiě)成相對(duì)于自身的路徑就要麻煩了，本程序就找不到DLL文件了。?

char?*prosess="test.exe";???//要注入的進(jìn)程名(目標(biāo)進(jìn)程名)

int?main()
{
????????HANDLE?hSnap;
????????HANDLE?hkernel32;????????//被注入進(jìn)程的句柄
????????PROCESSENTRY32?pe;?
????????BOOL?bNext;
????????HANDLE?hToken;
????????TOKEN_PRIVILEGES?tp;
????????LUID?Luid;
????????LPVOID?p;
????????FARPROC?pfn;

????????if?(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
????????{
????????????????return?1;
????????}

????????if?(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&Luid))
????????{
????????????????return?1;
????????}

????????tp.PrivilegeCount?=?1;
????????tp.Privileges[0].Attributes?=?SE_PRIVILEGE_ENABLED;
????????tp.Privileges[0].Luid?=?Luid;

????????if?(!AdjustTokenPrivileges(hToken,0,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL))
????????{
????????????????return?1;
????????}

????????pe.dwSize?=?sizeof(pe);
????????hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,?0);
????????bNext=Process32First(hSnap,?&pe);?
????????while(bNext)?
????????{
????????????????if(!stricmp(pe.szExeFile,prosess))????????????????//--->>
????????????????{
????????????????????????hkernel32=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_WRITE|PROCESS_VM_OPERATION,1,pe.th32ProcessID);
????????????????????????break;
????????????????}
????????????????bNext=Process32Next(hSnap,?&pe);?
????????}

????????CloseHandle(hSnap);



????????p=VirtualAllocEx(hkernel32,NULL,strlen(pkill),MEM_COMMIT,PAGE_READWRITE);
????????WriteProcessMemory(hkernel32,p,pkill,strlen(pkill),NULL);
????????pfn=GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
????????CreateRemoteThread(hkernel32,NULL,0,pfn,p,NULL,0);?

????????return?0;
}


//----------------------fundll.cpp-----------------------------
//
//fundll.cpp

#include?"windows.h"
#include?"process.h"
#include?"tlhelp32.h"
#include?"stdio.h"

#pragma?comment(lib,"th32.lib")

PIMAGE_DOS_HEADER??pDosHeader;
PIMAGE_NT_HEADERS??pNTHeaders;
PIMAGE_OPTIONAL_HEADER???pOptHeader;
PIMAGE_IMPORT_DESCRIPTOR??pImportDescriptor;
PIMAGE_THUNK_DATA?????????pThunkData;
PIMAGE_IMPORT_BY_NAME?????pImportByName;
HMODULE?hMod;


//?定義MessageBoxA函數(shù)原型
typedef?int?(WINAPI?*PFNMESSAGEBOX)(HWND,?LPCSTR,?LPCSTR,?UINT?uType);
int?WINAPI?MessageBoxProxy(IN?HWND?hWnd,?IN?LPCSTR?lpText,?IN?LPCSTR?lpCaption,?IN?UINT?uType);

int?*?addr?=?(int?*)MessageBoxA;????????//保存函數(shù)的入口地址
int?*?myaddr?=?(int?*)MessageBoxProxy;


void?ThreadProc(void?*param);//線程函數(shù)

//-------------------------------------------------------主函數(shù)開(kāi)始

BOOL?WINAPI?DllMain(HINSTANCE?hinstDLL,DWORD?fdwReason,LPVOID?lpvReserved)
{
????????if(fdwReason==DLL_PROCESS_ATTACH)????????
????????????????_beginthread(ThreadProc,0,NULL);????????

????????return?TRUE;?
}


//結(jié)束進(jìn)程的函數(shù)

void?ThreadProc(void?*param)
{
????????//------------hook?api----------------
????????hMod?=?GetModuleHandle(NULL);

????????pDosHeader?=?(PIMAGE_DOS_HEADER)hMod;
????????pNTHeaders?=?(PIMAGE_NT_HEADERS)((BYTE?*)hMod?+?pDosHeader->e_lfanew);
????????pOptHeader?=?(PIMAGE_OPTIONAL_HEADER)&(pNTHeaders->OptionalHeader);

????????pImportDescriptor?=?(PIMAGE_IMPORT_DESCRIPTOR)((BYTE?*)hMod?+?pOptHeader->DataDirectory[1].VirtualAddress);

????????while(pImportDescriptor->FirstThunk)
????????{
????????????????char?*?dllname?=?(char?*)((BYTE?*)hMod?+?pImportDescriptor->Name);

????????????????pThunkData?=?(PIMAGE_THUNK_DATA)((BYTE?*)hMod?+?pImportDescriptor->OriginalFirstThunk);

????????????????int?no?=?1;
????????????????while(pThunkData->u1.Function)
????????????????{
????????????????????????char?*?funname?=?(char?*)((BYTE?*)hMod?+?(DWORD)pThunkData->u1.AddressOfData?+?2);
????????????????????????PDWORD?lpAddr?=?(DWORD?*)((BYTE?*)hMod?+?(DWORD)pImportDescriptor->FirstThunk)?+(no-1);
????????????????
????????????????????????//修改內(nèi)存的部分
????????????????????????if((*lpAddr)?==?(int)addr)
????????????????????????{
????????????????????????????????//修改內(nèi)存頁(yè)的屬性
????????????????????????????????DWORD?dwOLD;
????????????????????????????????MEMORY_BASIC_INFORMATION??mbi;
????????????????????????????????VirtualQuery(lpAddr,&mbi,sizeof(mbi));
????????????????????????????????VirtualProtect(lpAddr,sizeof(DWORD),PAGE_READWRITE,&dwOLD);
????????????????????????????????
????????????????????????????????WriteProcessMemory(GetCurrentProcess(),?
????????????????????????????????????????????????lpAddr,?&myaddr,?sizeof(DWORD),?NULL);
????????????????????????????????//恢復(fù)內(nèi)存頁(yè)的屬性
????????????????????????????????VirtualProtect(lpAddr,sizeof(DWORD),dwOLD,0);
????????????????????????}
????????????//---------
????????????????????????no++;
????????????????????????pThunkData++;
????????????????}

????????????????pImportDescriptor++;
????????}
????????//-------------------HOOK?END-----------------
}

//new?messagebox?function
int?WINAPI?MessageBoxProxy(IN?HWND?hWnd,?IN?LPCSTR?lpText,?IN?LPCSTR?lpCaption,?IN?UINT?uType)
{
????????return?????????((PFNMESSAGEBOX)addr)(NULL,?"gxter_test",?"gxter_title",?0);
????????//這個(gè)地方可以寫(xiě)出對(duì)這個(gè)API函數(shù)的處理代碼
}


//----------------------------test.cpp------------------------------------
//test.cpp

#include?"stdio.h"
#include?"windows.h"

int?main()
{
????????printf("test---\n");
????????while(1)
????????{
????????????????getchar();
????????????????MessageBoxA(NULL,?"原函數(shù)",?"09HookDemo",?0);
????????}
????????return?0;
}



測(cè)試過(guò)程：先運(yùn)行TEST不要關(guān)閉（建立目標(biāo)），再運(yùn)行install（進(jìn)行注入）。但要注意FUNDLL和TEST文件位置。?

上面的代碼進(jìn)本上就實(shí)現(xiàn)了對(duì)其他進(jìn)程的API進(jìn)行HOOK了。
但還有一個(gè)問(wèn)題就是對(duì)“API函數(shù)進(jìn)行全局的HOOK”。我的想法就是注入所有進(jìn)程就可以實(shí)現(xiàn)了。
只要簡(jiǎn)單的改一下上面的代碼就可以實(shí)現(xiàn)了。?這好象有點(diǎn)像SetWindowsHookEx這個(gè)函數(shù)的的實(shí)現(xiàn)過(guò)程。
以上就是我想法了，如果在什么地方有錯(cuò)誤還請(qǐng)糾正。?


參考資料：
《WINDOWS?程序設(shè)計(jì)》
《WINDOWS?核心編程》