EasyHook vc++ 使用

使用esyhook去hook系统api，可以抓取一些想要的信息

先创建一个dll工程

#include "easyhook.h"

#if _WIN64
#pragma comment(lib, "EasyHook64.lib")
#else
#pragma comment(lib, "EasyHook32.lib")
#endif

// MyHookDll.cpp : 定义 DLL 应用程序的导出函数。
//

#include "stdafx.h"
#include <tchar.h>
#include <string>
using namespace std;

DWORD gFreqOffset = 0;
BOOL WINAPI myBeepHook(DWORD dwFreq, DWORD dwDuration)
{
    OutputDebugStringA("BeepHook: ****All your beeps belong to us!
");
    return Beep(dwFreq + gFreqOffset, dwDuration);
}

BOOL WINAPI myCreateProcessA(LPCSTR                lpApplicationName,
    LPSTR                 lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL                  bInheritHandles,
    DWORD                 dwCreationFlags,
    LPVOID                lpEnvironment,
    LPCSTR                lpCurrentDirectory,
    LPSTARTUPINFOA        lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation)
{
    OutputDebugStringA("myCreateProcessA");
    OutputDebugStringA(lpApplicationName);
    OutputDebugStringA(lpCommandLine);
    return CreateProcessA(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, 
        bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
}

BOOL WINAPI myCreateProcessW(LPCWSTR               lpApplicationName,
    LPWSTR                lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL                  bInheritHandles,
    DWORD                 dwCreationFlags,
    LPVOID                lpEnvironment,
    LPCWSTR               lpCurrentDirectory,
    LPSTARTUPINFOW        lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation)
{
    OutputDebugStringA("myCreateProcessW");
    OutputDebugStringW(lpApplicationName);
    OutputDebugStringW(lpCommandLine);
    return CreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes,
        bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
}

wstring GetModulePath() 
{
    TCHAR path[MAX_PATH];
    memset(path, 0, MAX_PATH);
    GetModuleFileName(NULL, path, MAX_PATH);
    (_tcsrchr(path, '\'))[1] = 0;

    wstring str(path);
    return str;
}


void wirteLog(LPCWSTR log)
{
    wstring path = GetModulePath();
    path += _T("\hook.log");
    FILE* file;
    OutputDebugStringW(path.c_str());
    _tfopen_s(&file, path.c_str(), _T("a+"));
    fwrite(log, _tcslen(log), 1, file);
    fclose(file);
}

void wirteLog(LPCSTR log)
{
    wstring path = GetModulePath();
    path += _T("\hook.log");
    FILE* file;
    OutputDebugStringW(path.c_str());
    _tfopen_s(&file, path.c_str(), _T("a+"));
    fwrite(log, strlen(log), 1, file);
    fclose(file);
}

void myOutputDebugStringW(
    LPCWSTR lpOutputString
)
{
    wirteLog(lpOutputString);
    OutputDebugStringW(lpOutputString);
}

void myOutputDebugStringA(
    LPCSTR lpOutputString
)
{
    //wirteLog(lpOutputString);
    OutputDebugStringA("myHook");
    OutputDebugStringA(lpOutputString);
}

extern "C" void __declspec(dllexport) __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* inRemoteInfo);

char szTemp[256] = { 0 };
void __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* inRemoteInfo)
{
    OutputDebugStringA("

NativeInjectionEntryPointt(REMOTE_ENTRY_INFO* inRemoteInfo)

"); 

    wsprintfA(szTemp, "Injected by process Id: %d", inRemoteInfo->HostPID);
    OutputDebugStringA(szTemp);
    
    wsprintfA(szTemp, "Passed in data size: %d", inRemoteInfo->UserDataSize);
    OutputDebugStringA(szTemp);
    if (inRemoteInfo->UserDataSize == sizeof(DWORD))
    {
        gFreqOffset = *reinterpret_cast<DWORD *>(inRemoteInfo->UserData);
        
        wsprintfA(szTemp, "Adjusting Beep frequency by: %d", gFreqOffset);
        OutputDebugStringA(szTemp);
    }

    // Perform hooking
    HOOK_TRACE_INFO hHook = { NULL }; // keep track of our hook

    wsprintfA(szTemp, "Win32 Beep found at address:: %p", GetProcAddress(GetModuleHandle(TEXT("kernel32")), "Beep"));
    OutputDebugStringA(szTemp);

    // Install the hook
    /*NTSTATUS result = LhInstallHook(
        GetProcAddress(GetModuleHandle(TEXT("kernel32")), "Beep"),
        myBeepHook,
        NULL,
        &hHook);*/
    NTSTATUS result = LhInstallHook(
        GetProcAddress(GetModuleHandle(TEXT("kernel32")), "OutputDebugStringA"),
        myOutputDebugStringA,
        NULL,
        &hHook);
    if (FAILED(result))
    {
        OutputDebugStringW(RtlGetLastErrorString());
        OutputDebugStringA("Failed to install hook: ");
    }
    else
    {
        OutputDebugStringA("Hook 'myBeepHook installed successfully.");
    }

    // If the threadId in the ACL is set to 0,
    // then internally EasyHook uses GetCurrentThreadId()
    ULONG ACLEntries[1] = { 0 };

    // Disable the hook for the provided threadIds, enable for all others
    LhSetExclusiveACL(ACLEntries, 1, &hHook);

    return;
}

然后再建立一个exe工程

同样包含头文件和导入库接口

#include "easyhook.h"

#if _WIN64
#pragma comment(lib, "EasyHook64.lib")
#else
#pragma comment(lib, "EasyHook32.lib")
#endif

            CEditUI *pEdit = static_cast<CEditUI*>(m_PaintManager.FindControl(_T("processid")));
            if (pEdit && !pEdit->GetText().IsEmpty())
            {
                CDuiString pid = pEdit->GetText();
                DWORD processId = _wtol(pid.GetData());
                WCHAR* dllToInject = L"..\Debug\MyHookDll.dll";
                DWORD freqOffset = 2000;
                NTSTATUS nt = RhInjectLibrary(
                    processId,   // The process to inject into
                    0,           // ThreadId to wake up upon injection
                    EASYHOOK_INJECT_DEFAULT,
                    dllToInject, // 32-bit
                    NULL,         // 64-bit not provided
                    &freqOffset, // data to send to injected DLL entry point
                    sizeof(DWORD)// size of data to send
                );
                if (nt != 0)
                {
                    OutputDebugStringA("RhInjectLibrary failed with error code
");
                    PWCHAR err = RtlGetLastErrorString();
                    OutputDebugStringW(err);
                }
                else
                {
                    OutputDebugStringW(L"Library injected successfully.
");
                }
            }

上面是在UI中输入进程id，再将生成的dll作为参数去调用，就可以成功hook api了

还有可以在exe中直接hook本身exe调用的api

BOOL WINAPI myBeepHook(DWORD dwFreq, DWORD dwDuration);

BOOL WINAPI myBeepHook(DWORD dwFreq, DWORD dwDuration)
{
    OutputDebugString(_T("
****All your beeps belong to us!

"));
    return Beep(dwFreq + 800, dwDuration);
}

HOOK_TRACE_INFO hHook = { NULL }; // keep track of our hook
int hook()
{
    GetProcAddress(GetModuleHandle(TEXT("kernel32")), "Beep");

    NTSTATUS result = LhInstallHook(
        GetProcAddress(GetModuleHandle(TEXT("kernel32")), "Beep"),
        myBeepHook,
        NULL,
        &hHook);
    if (FAILED(result))
    {
        return -1;
    }

    OutputDebugString(_T("Beep after hook installed but not enabled.
"));
    Beep(500, 500);

    OutputDebugString(_T("Activating hook for current thread only.
"));
    // If the threadId in the ACL is set to 0, 
    // then internally EasyHook uses GetCurrentThreadId()
    ULONG ACLEntries[1] = { 0 };
    LhSetInclusiveACL(ACLEntries, 1, &hHook);

    OutputDebugString(_T("Beep after hook enabled.
"));
    Beep(500, 500);
}

int unhook()
{
    OutputDebugString(_T("Uninstall hook
"));
    LhUninstallHook(&hHook);

    OutputDebugString(_T("Beep after hook uninstalled
"));
    Beep(500, 500);

    OutputDebugString(_T("

Restore ALL entry points of pending removals issued by LhUninstallHook()
"));
    LhWaitForPendingRemovals();

    return 0;
}

初始时调用hook()，退出前调用unhook()即可

附上easyhook的dll，也可以自己去github下载源码进行编译

 https://files.cnblogs.com/files/george-cw/easyhooklib.zip