Title
Implementing a Generic Framework for Windows API Hooking
Abstract
The main purpose of Windows API interception is to intercept an API before another application's call reaches it: the interceptor first processes the parameter data that was passed, then decides whether to call the original API. The principle of API interception is simple, but implementing reliable interception takes considerable work. First, the code that replaces the intercepted API must be injected into the target process; this code usually takes the form of a dynamic link library (DLL). Then the target process's executable code must be modified so that it calls our replacement code before calling the intercepted API.
This paper describes the key techniques and methods of Windows API interception, focusing on methods for injecting the interception DLL and for intercepting APIs. Through analysis and design, the system implements three functional modules: a DLL file loading module, a HOOK API module, and a process monitoring module. The DLL file loading module is responsible for loading the hook functions and importing them into the target process to hook the API; the HOOK API module hooks the API by locating the import table in the PE file and overwriting the address of the original API function in the import table with the address of the custom function; the process monitoring module creates a target process to monitor the application, and when a specific message is sent, the target process intercepts that message and handles it accordingly. The paper completes an example of detecting Win32 API calls in user mode: on the Windows platform, an already hooked API function is called and the result is examined.
Keywords: interception, dynamic link library, hook, process monitoring
ABSTRACT
The main purpose of Windows API interception is to intercept an API before other applications call it: the interceptor first processes the parameter data that was passed, then decides whether to call the original API. The principle of API interception is very simple, but achieving reliable interception requires a lot of work. First, the code that replaces the intercepted API must be injected into the target process; this code is generally in the form of a dynamic link library (DLL). Then the target process's executable code must be modified so that our replacement code is called before the intercepted API.
The article describes the key techniques and methods of Windows API interception, focusing on interception DLL injection methods and API interception methods. Through system analysis and design, three functional modules are realized: a DLL file loading module, a HOOK API module, and a process monitoring module. The DLL file loading module is responsible for loading the hook function and bringing it into the target process to hook the API; the HOOK API module locates the import table in the PE file and overwrites the original API function's address in the import table with the address of the custom function to achieve the API hook; the process monitoring module creates a target process to monitor the application, and when a specific message is issued, the target process an
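The import-table overwrite described in both abstracts leaves a detectable trace: a hooked slot no longer points into the DLL that exports the function. The following added example (not code from the paper) shows that check over a constructed, simplified mirror of the PE import structures; the struct layouts, module names and addresses are assumptions made for illustration, not the real `<winnt.h>` definitions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed, simplified mirror of one IAT slot: the imported function's
 * name and the address currently stored in the import address table. */
typedef struct { const char *func; uintptr_t addr; } IatSlot;

/* Simplified IMAGE_IMPORT_DESCRIPTOR equivalent: exporting DLL and its slots. */
typedef struct { const char *dll; IatSlot *slots; size_t n; } ImportDesc;

/* Loaded-module range, as a loader's module list would report it. */
typedef struct { const char *name; uintptr_t base; size_t size; } ModuleRange;

/* Return the range of the named module, or NULL if it is not loaded. */
static const ModuleRange *find_module(const ModuleRange *mods, size_t n,
                                      const char *dll) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(mods[i].name, dll) == 0) return &mods[i];
    return NULL;
}

/* Count IAT slots whose address lies outside the DLL that should export the
 * function. A slot overwritten with a hook DLL's address, as the HOOK API
 * module does, fails this check; an unresolvable module is also counted. */
size_t iat_slots_outside_module(const ImportDesc *descs, size_t nd,
                                const ModuleRange *mods, size_t nm) {
    size_t bad = 0;
    for (size_t d = 0; d < nd; d++) {
        const ModuleRange *m = find_module(mods, nm, descs[d].dll);
        for (size_t s = 0; s < descs[d].n; s++) {
            uintptr_t a = descs[d].slots[s].addr;
            if (m == NULL || a < m->base || a >= m->base + m->size) bad++;
        }
    }
    return bad;
}

/* Constructed sample: two kernel32.dll imports resolved into kernel32's range
 * (assumed 1 MiB at 0x7ff000000000); a hook DLL is loaded elsewhere. */
static IatSlot k32_slots[] = { { "CreateFileW", 0x7ff000001000ULL },
                               { "WriteFile",   0x7ff000002000ULL } };
static ImportDesc sample_descs[] = { { "kernel32.dll", k32_slots, 2 } };
static ModuleRange sample_mods[] = { { "kernel32.dll", 0x7ff000000000ULL, 0x100000 },
                                     { "hook.dll",     0x7ff100000000ULL, 0x10000 } };

/* Untouched table: nothing flagged. */
size_t demo_clean(void) { return iat_slots_outside_module(sample_descs, 1, sample_mods, 2); }

/* Simulate the paper's overwrite of one slot with the hook DLL's address. */
size_t demo_after_overwrite(void) {
    k32_slots[1].addr = 0x7ff100001234ULL;
    return iat_slots_outside_module(sample_descs, 1, sample_mods, 2);
}
```

On a real process the module ranges would come from the loader's module list and the descriptors from the PE import directory; the range check itself is unchanged.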