- 实现 HookFuncA，并在其函数体末尾填充 n 个 nop，为后面要拷贝进来的 FuncA 原始指令和回跳指令预留空间。
- 找到要 hook 的函数 FuncA 的绝对地址，把其开头 5 个字节改写为 jmp hookFuncA（这里假定开头 5 个字节恰好是 n 条完整指令；这个假设必须逐个目标函数核实，否则第 3 步拷贝出去的将是被截断的指令，执行到那里就会崩溃）。
- 把 FuncA 原来的前 5 个字节拷贝到 hookFuncA 末尾预留的位置，再加上一条 jmp FuncA+5，跳回被覆盖部分之后的原始代码继续执行。
----Code of HookDLL.dll，可以通过 CreateRemoteThread 的方法把这个 hook dll 注入到一个普通的应用程序中（注入方需要对目标进程持有足够权限的句柄）。
// HookDLL.cpp : Defines the entry point for the DLL application.
//
#include "stdafx.h"
#include "HookDLL.h"
#include "Log.h"
// Forward declarations; both functions are defined later in this file.
// InstallTextoutHook(): installs the hook. DllMain (below) treats a nonzero
// return value as success and zero as failure, so the LRESULT is used as a bool.
LRESULT WINAPI InstallTextoutHook();
// UninstallTextoutHook(): presumably undoes what InstallTextoutHook did; its
// body is not visible here — NOTE(review): confirm it restores the original bytes.
LRESULT WINAPI UninstallTextoutHook();
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
if (InstallTextoutHook())
{
WriteLog("Install hook success.\n");
}else
{
WriteLog("Intall hook failed.\n");
}
break;