mhook v2.4


Mhook是个免费的hook库,与微软的Detours差不多,不过免费的Detours仅支持x86,而mhook支持x86和x64,而且使用更简单,看示例代码:

//=========================================================================
#include "stdafx.h"
#include "mhook.h"

//=========================================================================
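// Define _NtOpenProcess so we can dynamically bind to the function.
// The native call reports an NTSTATUS; this sample declares the return type
// as ULONG, which has the same width.
//
typedef ULONG (WINAPI* _NtOpenProcess)(OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK AccessMask, IN PVOID ObjectAttributes,
    IN PCLIENT_ID ClientId );

//=========================================================================
// Get the current (original) address to the function to be hooked.
// GetProcAddress returns NULL when the export cannot be resolved, so this
// pointer must be checked before it is hooked or called through.
// GetModuleHandleW is named explicitly because the module name is a wide
// string literal; the generic GetModuleHandle macro only accepts it in
// UNICODE builds.
//
_NtOpenProcess TrueNtOpenProcess = (_NtOpenProcess)
    GetProcAddress(GetModuleHandleW(L"ntdll"), "NtOpenProcess");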

//=========================================================================
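// This is the function that will replace NtOpenProcess once the hook
// is in place. Its signature and calling convention must match the
// _NtOpenProcess typedef exactly, because callers of the hooked export
// arrive here with the original argument layout.
//
// The hook only observes calls that go through the ntdll export inside this
// process; it is an instrumentation point, not a security boundary.
//
ULONG WINAPI MyNtOpenProcess(OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK AccessMask,
    IN PVOID ObjectAttributes,
    IN PCLIENT_ID ClientId )
{
    // do any processing here if needed
    // ...
    // Anything added here can run on whichever thread opens a process, so
    // keep it reentrant, and use TrueNtOpenProcess (not OpenProcess) if the
    // handler itself needs a process handle, otherwise it re-enters itself.

    // punt the call to the OS in the end
    return TrueNtOpenProcess(ProcessHandle, AccessMask,
        ObjectAttributes, ClientId);
}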

//=========================================================================
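// This is how you go about putting the hook in place. When you're done,
// any calls to NtOpenProcess will be redirected to MyNtOpenProcess.
//
// If you need to access the original, unmodified API, call
// TrueNtOpenProcess from your code, just like the hook function above does.
//
// Returns FALSE if NtOpenProcess could not be resolved or the hook could not
// be installed; otherwise returns the result of Mhook_Unhook.
//
BOOL WINAPI SetHooksAndDoWork () {

    // GetProcAddress yields NULL when the export is missing; never hand a
    // NULL target to the hooking engine or call through it later.
    if (TrueNtOpenProcess == NULL) return FALSE;

    // Mhook_SetHook receives the address of TrueNtOpenProcess so that the
    // pointer stays usable for reaching the unhooked function afterwards.
    // NOTE(review): installing the hook changes code of a loaded module in
    // this process; integrity checks and endpoint security tooling may
    // report that, so use it only in processes you own.
    BOOL bHook = Mhook_SetHook((PVOID*)&TrueNtOpenProcess,
        (PVOID)MyNtOpenProcess);

    // Minimalist error handling
    if (!bHook) return FALSE;

    // ... any calls to NtOpenProcess within this process are now
    // rerouted to MyNtOpenProcess.

    // For example, this call will end up in our hook function since
    // kernel32!OpenProcess just calls ntdll!NtOpenProcess internally.
    // PROCESS_ALL_ACCESS is used only to trigger the hook; real code should
    // request the narrowest access rights it needs.
    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE,
        GetCurrentProcessId());

    // Release the demo handle before hProc is reused below, otherwise the
    // first handle leaks.
    if (hProc != NULL) {
        CloseHandle(hProc);
        hProc = NULL;
    }

    // ...

    // This call will bypass the hook:
    // (parameter initialization omitted for brevity; accessMask is an
    // ACCESS_MASK passed by value, objAttrs and clientId are passed by
    // address, matching the _NtOpenProcess typedef)
    TrueNtOpenProcess(&hProc, accessMask, &objAttrs, &clientId);

    // ...

    if (hProc != NULL) CloseHandle(hProc);

    // Remove the hook when we're done.
    return Mhook_Unhook((PVOID*)&TrueNtOpenProcess);
}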

//=========================================================================

下载地址:https://AllRes.ctfile.com/dir/4028457-28708812-c396ba/
