在你的程序中做一个函数func(...)
调用 func1 = ApiSpy(NULL,"GDI32.DLL","TextOutA",(PROC)func)
那么你的程序没次调用TextOut时,就会调用func 为了不破坏原有功能
请在func中调用func1。如果想截获整个系统的api,你需要做一个全局HOOK
在HOOK的DLL里的初始化时调用本函数。主要代码如下:
PROC WINAPI
ApiSpy(PSTR pDllUse,PSTR pDllName,PSTR pApiName,PROC pNewPorc){ PIMAGE_DOS_HEADER pDosHeader; PIMAGE_NT_HEADERS pNTHeader; PIMAGE_IMPORT_DESCRIPTOR pImportDesc; PIMAGE_THUNK_DATA pThunk; PROC pOldProc; DWORD oldpr; static int Layer = 0; if ( pDllUse == NULL ) Layer = 0; pOldProc = GetProcAddress( GetModuleHandle(pDllName),pApiName ); if ( pOldProc == NULL ) return NULL; pDosHeader = (PIMAGE_DOS_HEADER)GetModuleHandle(pDllUse); if ( IsBadReadPtr(pDosHeader, sizeof(IMAGE_DOS_HEADER)) ) return NULL; if ( pDosHeader->e_magic != IMAGE_DOS_SIGNATURE ) return NULL; pNTHeader = MakePtr(PIMAGE_NT_HEADERS, pDosHeader, pDosHeader->e_lfanew); if ( IsBadReadPtr(pNTHeader, sizeof(IMAGE_NT_HEADERS)) ) return NULL; if ( pNTHeader->Signature != IMAGE_NT_SIGNATURE ) return NULL; pImportDesc = MakePtr(PIMAGE_IMPORT_DESCRIPTOR, pDosHeader, pNTHeader->OptionalHeader. DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]. VirtualAddress); if ( pImportDesc == (PIMAGE_IMPORT_DESCRIPTOR)pNTHeader ) return NULL; __try{ while ( pImportDesc->Name ){ PSTR pszModName = MakePtr(PSTR, pDosHeader, pImportDesc->Name); REM("[%s]",pszModName); if ( stricmp(pszModName, pDllName) == 0 ){ pThunk = MakePtr(PIMAGE_THUNK_DATA, pDosHeader, pImportDesc->FirstThunk); while ( pThunk->u1.Function ){ REM("[%s:%s] ? %s %8x ==> %8x",pDllName,pApiName,pszModName, // (DWORD)pOldProc,(DWORD)pThunk->u1.Function); if ( pThunk->u1.Function == (PDWORD)pOldProc ){ if (!VirtualProtect(pThunk, 16, PAGE_READWRITE,&oldpr)){ REM("VirtualProtect False"); } REM("ApiSpy [%s:%s] OK !",pDllName,pApiName); pThunk->u1.Function=(PDWORD)pNewPorc; return pOldProc; } pThunk++; } return NULL; } else{ if ( Layer < __Layer ){ Layer ++; ApiSpy(pszModName,pDllName,pApiName,pNewPorc); } } pImportDesc++; } } __except(TRUE){ return NULL; } return NULL; }
