應用aspose.word 第三方的插件完成導出word。本站提示廣大學習愛好者:(應用aspose.word 第三方的插件完成導出word)文章只能為提供參考,不一定能成為您想要的結果。以下是應用aspose.word 第三方的插件完成導出word正文
本文實例講述了C++基於hook iat轉變Messagebox的辦法,分享給年夜家供年夜家參考。詳細辦法以下:
步調:
1. 界說原始函數類型的寫法
//界說函數原型
typedef int (WINAPI *PFNMESSAGEBOX)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
//保留原始的MessageBox地址,留意這裡
PROC g_orgProc = (PROC)MessageBox;
2. 先找到dll,找到後設置標記
if (stricmp(pszDllName, "user32.dll") == 0)//假如是user32.dll
{
bFindDll = TRUE;
break;
}
3. 找到dll後,查找函數稱號
//在這裡是比擬的函數稱號
if (stricmp(pszFuncName, "MessageBoxA") == 0)
{
//獲得函數地址
PDWORD lpAddr = (DWORD*)((BYTE*)hModule + pImportDesc->FirstThunk) + n; //從第一個函數的地址,今後每次+4字節
//在這裡是比擬的函數地址
printf("addrss:%X\n", lpAddr);
DWORD* lpNewProc = (DWORD*)MyMessageBox;
::WriteProcessMemory(GetCurrentProcess(), lpAddr, &lpNewProc, sizeof(DWORD), NULL);
return;
}
固然 在3.中,也能夠依據函數地址比擬
#include <windows.h>
#include <stdio.h>
//界說函數原型
typedef int (WINAPI *PFNMESSAGEBOX)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
//保留原始的MessageBox地址,留意這裡
PROC g_orgProc = (PROC)MessageBox;
int MyMessageBox(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType)
{
return ((PFNMESSAGEBOX)g_orgProc)(hWnd, "mymessagebox", lpCaption, uType);
}
void SetHook()
{
HMODULE hModule = ::GetModuleHandleA(NULL);
IMAGE_DOS_HEADER* pDosHeader = (IMAGE_DOS_HEADER*)hModule;
IMAGE_OPTIONAL_HEADER* pOpNtHeader = (IMAGE_OPTIONAL_HEADER*)((BYTE*)hModule + pDosHeader->e_lfanew + 24); //這裡加24
IMAGE_IMPORT_DESCRIPTOR* pImportDesc = (IMAGE_IMPORT_DESCRIPTOR*)((BYTE*)hModule + pOpNtHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
BOOL bFindDll = FALSE;
while (pImportDesc->FirstThunk)
{
char* pszDllName = (char*)((BYTE*)hModule + pImportDesc->Name);
printf("模塊稱號:%s\n", pszDllName);
if (stricmp(pszDllName, "user32.dll") == 0)//假如是user32.dll
{
bFindDll = TRUE;
break;
}
pImportDesc++;
}
if (bFindDll)
{
DWORD n = 0;
//一個IMAGE_THUNK_DATA就是一個導入函數
IMAGE_THUNK_DATA* pThunk = (IMAGE_THUNK_DATA*)((BYTE*)hModule + pImportDesc->OriginalFirstThunk);
while (pThunk->u1.Function)
{
//獲得函數稱號
char* pszFuncName = (char*)((BYTE*)hModule+pThunk->u1.AddressOfData+2); //函數名後面有兩個..
printf("function name:%-25s, ", pszFuncName);
//在這裡是比擬的函數稱號
if (stricmp(pszFuncName, "MessageBoxA") == 0)
{
//獲得函數地址
PDWORD lpAddr = (DWORD*)((BYTE*)hModule + pImportDesc->FirstThunk) + n; //從第一個函數的地址,今後每次+4字節
//在這裡是比擬的函數地址
printf("addrss:%X\n", lpAddr);
DWORD* lpNewProc = (DWORD*)MyMessageBox;
::WriteProcessMemory(GetCurrentProcess(), lpAddr, &lpNewProc, sizeof(DWORD), NULL);
return;
}
n++; //每次增長一個DWORD
}
printf("\n");
}
}
int main(int argc, char* argv[])
{
::MessageBoxA(NULL, "before hook", "", MB_OK);
SetHook();
::MessageBoxA(NULL, "AFTERE hook", "", MB_OK);
return 0;
}
上面這個是比擬函數地址的版本
#include <windows.h>
#include <stdio.h>
//界說函數原型
typedef int (WINAPI *PFNMESSAGEBOX)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
//保留原始的MessageBox地址,留意這裡
PROC g_orgProc = (PROC)MessageBox;
int MyMessageBox(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType)
{
return ((PFNMESSAGEBOX)g_orgProc)(hWnd, "mymessagebox", lpCaption, uType);
}
void SetHook()
{
HMODULE hModule = ::GetModuleHandleA(NULL);
IMAGE_DOS_HEADER* pDosHeader = (IMAGE_DOS_HEADER*)hModule;
IMAGE_OPTIONAL_HEADER* pOpNtHeader = (IMAGE_OPTIONAL_HEADER*)((BYTE*)hModule + pDosHeader->e_lfanew + 24); //這裡加24
IMAGE_IMPORT_DESCRIPTOR* pImportDesc = (IMAGE_IMPORT_DESCRIPTOR*)((BYTE*)hModule + pOpNtHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
BOOL bFindDll = FALSE;
while (pImportDesc->FirstThunk)
{
char* pszDllName = (char*)((BYTE*)hModule + pImportDesc->Name);
printf("模塊稱號:%s\n", pszDllName);
if (stricmp(pszDllName, "user32.dll") == 0)//假如是user32.dll
{
bFindDll = TRUE;
break;
}
pImportDesc++;
}
if (bFindDll)
{
DWORD n = 0;
//一個IMAGE_THUNK_DATA就是一個導入函數
IMAGE_THUNK_DATA* pThunk = (IMAGE_THUNK_DATA*)((BYTE*)hModule + pImportDesc->OriginalFirstThunk);
while (pThunk->u1.Function)
{
//獲得函數稱號
char* pszFuncName = (char*)((BYTE*)hModule+pThunk->u1.AddressOfData+2); //函數名後面有兩個..
printf("function name:%-25s, ", pszFuncName);
//獲得函數地址
PDWORD lpAddr = (DWORD*)((BYTE*)hModule + pImportDesc->FirstThunk) + n; //從第一個函數的地址,今後每次+4字節
printf("addrss:%X\n", lpAddr);
//在這裡是比擬的函數地址
if (*lpAddr == (DWORD)g_orgProc)
{
DWORD* lpNewProc = (DWORD*)MyMessageBox;
::WriteProcessMemory(GetCurrentProcess(), lpAddr, &lpNewProc, sizeof(DWORD), NULL);
return;
}
n++; //每次增長一個DWORD
}
printf("\n");
}
}
int main(int argc, char* argv[])
{
::MessageBoxA(NULL, "before hook", "", MB_OK);
SetHook();
::MessageBoxA(NULL, "AFTERE hook", "", MB_OK);
return 0;
}
附上修正內存頁掩護屬性的代碼:
//修正內存頁的掩護屬性
::VirtualQuery(lpAddr, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
::VirtualProtect(lpAddr, sizeof(DWORD), PAGE_READWRITE, &dwOldProtect);
::WriteProcessMemory(GetCurrentProcess(), lpAddr, &lpNewProc, sizeof(DWORD), NULL);
::VirtualProtect(lpAddr, sizeof(DWORD), dwOldProtect, NULL);
願望本文所述對年夜家的C++法式設計有所贊助。
