Hook Specials 12 : Inline Hook MessageBox on ring3(demo)

Author:sding

The code is lead inline hook on ring,The part code refer to code of "wofeiwo",Thanks .

Two error is showed on original text

The code is used to vc++ 6.0，

Exe is builded in vc++ compiler, Functions proceed among jump to like API

as follows
0040100F $ /E9 CC020000 jmp MyFunc
00401014 $ |E9 37000000 jmp main
00401019 $ |E9 B2000000 jmp Hook


code:
#include "stdafx.h"
#include
#include
#include
//using namespace std;

DWORD head;//Save return address of API
int nRet;
BYTE orig_code[5] = {0x90, 0x90, 0x90, 0x90, 0x90};//Save original command
BYTE hook_code[5] = {0xe9, 0, 0, 0, 0};//Save to command of jump toMyMessageBoxA
BYTE jmp_org_code[5] = {0xe9, 0, 0, 0, 0};//Save five bytes command of original front address

int MyMessageBoxA(
HWND hWnd, // handle to owner window
LPCTSTR lpText, // text in message box
LPCTSTR lpCaption, // message box title
UINT uType // message box style
);
int MyMessageBoxAA(
HWND hWnd, // handle to owner window
LPCTSTR lpText, // text in message box
LPCTSTR lpCaption, // message box title
UINT uType // message box style
);
int MyFunc();
void Hook();
int jmp_back();

ULONG OldFuncAddr;
ULONG MyFuncAddr;
ULONG jmp_backAddr;

//在修改前几个字节时，注意：取出的指令为完整的

int main()
{
Hook();

int rt = MessageBoxA(NULL, "Hello World", "Title", MB_OK);
// cout << rt << endl;//查看返回值是否已修改成功

system("pause");

return 0;
}

void Hook()
{
DWORD dwOldProtect;
OldFuncAddr = (ULONG)MessageBoxA;

// MyFuncAddr ＝ MyMessageBoxA的实际地址
MyFuncAddr = *(ULONG *)((BYTE *)MyMessageBoxA+1) + (ULONG)MyMessageBoxA + 5;
// jmp_backAddr = jmp_back的实际地址
jmp_backAddr = *(ULONG *)((BYTE *)jmp_back+1) + (ULONG)jmp_back + 5;
//修改内存为PAGE_EXECUTE_READWRITE
VirtualProtect((LPVOID)jmp_backAddr, 10, PAGE_EXECUTE_READWRITE, &dwOldProtect);

VirtualProtect((LPVOID)OldFuncAddr, 5, PAGE_EXECUTE_READWRITE, &dwOldProtect);
//计算跳转地址
*((ULONG*)(hook_code+1)) = (ULONG)MyFuncAddr - (ULONG)OldFuncAddr - 5;

memcpy(orig_code,(BYTE *)OldFuncAddr, 5);

memcpy((BYTE*)OldFuncAddr, hook_code, 5);
//计算返回地址
*((ULONG*)(jmp_org_code+1)) = (ULONG)OldFuncAddr - (ULONG)jmp_backAddr - 5;

memcpy((BYTE *)jmp_backAddr, orig_code, 5);

memcpy((BYTE *)jmp_backAddr + 5, jmp_org_code, 5);
}

__declspec(naked) int jmp_back()
{
__asm
{
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
_emit 0x90
}
}

//MyMessageBoxA：在函数执行前进行自己的处理
__declspec(naked) int MyMessageBoxA(
HWND hWnd, // handle to owner window
LPCTSTR lpText, // text in message box
LPCTSTR lpCaption, // message box title
UINT uType // message box style
)
{
printf("MyMessageBoxA is called\r\n");
__asm
{
pop head
pop hWnd
pop lpText
pop lpCaption
pop uType
}
MyFunc();////可以加入函数过程
__asm
{
//压栈过程
push uType
push lpCaption
push lpText
push hWnd
push head
//跳回MessageBoxA入口点
jmp jmp_back;
ret;
}
}


//MyMessageBoxA：在函数执行后进行自己的处理
__declspec(naked) int MyMessageBoxAA(
HWND hWnd, // handle to owner window
LPCTSTR lpText, // text in message box
LPCTSTR lpCaption, // message box title
UINT uType // message box style
)
{
printf("MyMessageBoxAA is called\r\n");
__asm
{
pop head
push offset s1;//返回地址为S1:
//跳回MessageBoxA入口点
jmp jmp_back;
s1: nop
}

MyFunc();

__asm
{
;//将原返回地址压栈
mov eax, 0;////演示：将返回结果改为0，也可由MyFunc返回
push head
ret;
}
}

int MyFunc()
{
printf("Hello World\r\n");
return 1;
}