修改函数头5个字节Hook,不明白
把函数头5个字节修改为 jmp XXXX（机器码 E9 加 4 字节相对偏移，共 5 字节），其中 XXXX 的值是这样计算出来的
DWORD dwNew = (DWORD)MyHookAPI - (DWORD)m_AddrAPI - 5;
不明白上面是根据什么原理计算出来的,请了解的朋友帮解释下,谢谢!
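// hook5bytes_.cpp : defines the entry point for the DLL application.
//#include "stdafx.h"
#include <Windows.h>
#include <stdio.h>
#include <string.h>

#define HookModName "user32.dll"
#define HookApiName "MessageBoxW"

// Bytes written over the API entry: E9 <rel32>, i.e. "jmp rel32".
// Bytes 1..4 (the displacement) are filled in by DllMain. Note this is a
// relative jump, not "jmp eax" as the original comment claimed.
BYTE g_btNew5Bytes[5] = { 0xE9, 0x0, 0x0, 0x0, 0x0 };
// Copy of the original first 5 bytes of the API, restored before calling through.
BYTE g_dwOld5Bytes[5] = { 0x0, 0x0, 0x0, 0x0, 0x0 };
// Address of the hooked API entry point (MessageBoxW in user32.dll).
void *m_AddrAPI;

// Replacement function: same calling convention and parameter list as the
// original so the patched "jmp" lands on a compatible frame.
int WINAPI MyHookAPI(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType);

// Overwrite `len` bytes at m_AddrAPI in our own process.
// The original relied on WriteProcessMemory(INVALID_HANDLE_VALUE, ...), which
// only works because INVALID_HANDLE_VALUE and the GetCurrentProcess()
// pseudo-handle are both (HANDLE)-1. Here the page is made writable
// explicitly, the bytes are copied, the old protection is restored and the
// instruction cache is flushed so stale decoded bytes are not executed.
// Returns FALSE if the protection change fails.
static BOOL PatchEntry(const BYTE *bytes, SIZE_T len)
{
    DWORD oldProtect = 0;
    if (!VirtualProtect(m_AddrAPI, len, PAGE_EXECUTE_READWRITE, &oldProtect))
        return FALSE;
    memcpy(m_AddrAPI, bytes, len);
    VirtualProtect(m_AddrAPI, len, oldProtect, &oldProtect);
    FlushInstructionCache(GetCurrentProcess(), m_AddrAPI, len);
    return TRUE;
}

// Installs the 5-byte hook on process attach.
// Returns FALSE (failing the DLL load) instead of silently leaving the API
// unhooked when the target module/export cannot be resolved or the patch
// cannot be written.
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;

    if (ul_reason_for_call != DLL_PROCESS_ATTACH)
        return TRUE;

    // Prefer GetModuleHandle: calling LoadLibrary inside DllMain runs under the
    // loader lock. user32.dll is normally already mapped, so fall back to
    // LoadLibrary only when it is not.
    HMODULE hTarget = GetModuleHandleA(HookModName);
    if (hTarget == NULL)
        hTarget = LoadLibraryA(HookModName);
    if (hTarget == NULL)
        return FALSE;

    m_AddrAPI = (void *)GetProcAddress(hTarget, HookApiName);
    if (m_AddrAPI == NULL)
        return FALSE;

    // Save the original entry bytes so MyHookAPI can restore them before
    // calling through to the real function. Our own address space is
    // readable directly; no ReadProcessMemory needed.
    memcpy(g_dwOld5Bytes, m_AddrAPI, sizeof g_dwOld5Bytes);

    // jmp rel32 encodes a displacement relative to the address of the NEXT
    // instruction, which is entry + 5 (the length of the patch itself):
    //   target = (entry + 5) + rel32   =>   rel32 = target - entry - 5
    // The result is truncated to 32 bits, which is only valid when the hook
    // function lies within +/-2 GiB of the target (always true on x86; this
    // code is x86-only, as the DWORD arithmetic indicates).
    DWORD dwNew = (DWORD)((DWORD_PTR)MyHookAPI - ((DWORD_PTR)m_AddrAPI + sizeof g_btNew5Bytes));
    memcpy(&g_btNew5Bytes[1], &dwNew, sizeof dwNew);

    return PatchEntry(g_btNew5Bytes, sizeof g_btNew5Bytes);
}

// Hook body: temporarily remove the patch, call the real MessageBoxW with the
// caption replaced, then re-install the patch. Returns the real function's
// result (the original discarded it and returned 0, which callers interpret
// as MessageBox failure).
// NOTE(review): this unhook/call/rehook scheme is not thread-safe: another
// thread calling MessageBoxW while the patch is removed bypasses the hook,
// and the 5-byte writes are not atomic with respect to threads executing
// the entry. A trampoline-based hook avoids both problems.
int WINAPI MyHookAPI(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType)
{
    (void)lpCaption;

    if (!PatchEntry(g_dwOld5Bytes, sizeof g_dwOld5Bytes))
        return 0;

    int result = ::MessageBoxW(hWnd, lpText, L"HOOK", uType);

    // Best-effort re-hook; if this fails the API simply stays unhooked.
    PatchEntry(g_btNew5Bytes, sizeof g_btNew5Bytes);
    return result;
}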