' Win32 API declarations (all from kernel32.dll), constants and one structure.
' The visible routine RemoveFWHook uses most of them; OpenProcess,
' PROCESS_ALL_ACCESS, SECURITY_ATTRIBUTES and FILE_ATTRIBUTE_NORMAL are declared
' here but not referenced in the visible code.
'
' NOTE(review): parameters typed "ByRef ... As Any" receive the address of the
' argument variable the caller supplies, not the numeric value stored in it.
' Read every call site of VirtualProtect, CopyMemory and UnmapViewOfFile with
' that in mind.

' Changes the page protection of a memory region; the previous protection is
' written to lpflOldProtect.
Private Declare Function VirtualProtect _
                Lib "kernel32.dll" (ByRef lpAddress As Any, _
                                    ByVal dwSize As Long, _
                                    ByVal flNewProtect As Long, _
                                    ByRef lpflOldProtect As Long) As Long

' Maps a view of a file-mapping object into this process and returns its base
' address (0 on failure).
Private Declare Function MapViewOfFile _
                Lib "kernel32.dll" (ByVal hFileMappingObject As Long, _
                                    ByVal dwDesiredAccess As Long, _
                                    ByVal dwFileOffsetHigh As Long, _
                                    ByVal dwFileOffsetLow As Long, _
                                    ByVal dwNumberOfBytesToMap As Long) As Long

' Raw memory copy (alias of RtlMoveMemory). It performs no bounds checking.
Private Declare Sub CopyMemory _
                Lib "kernel32.dll" _
                Alias "RtlMoveMemory" (ByRef Destination As Any, _
                                       ByRef Source As Any, _
                                       ByVal Length As Long)

' Closes a kernel object handle.
Private Declare Function CloseHandle _
                Lib "kernel32.dll" (ByVal hObject As Long) As Long

' Unmaps a view previously returned by MapViewOfFile.
Private Declare Function UnmapViewOfFile _
                Lib "kernel32.dll" (ByRef lpBaseAddress As Any) As Long

' Returns the address of an exported function in a loaded module (0 if not found).
Private Declare Function GetProcAddress _
                Lib "kernel32.dll" (ByVal hModule As Long, _
                                    ByVal lpProcName As String) As Long

' Loads a module (ANSI variant) and returns its base address / module handle.
Private Declare Function LoadLibrary _
                Lib "kernel32.dll" _
                Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long

' Opens a file (ANSI variant); returns INVALID_HANDLE_VALUE on failure.
Private Declare Function CreateFile _
                Lib "kernel32.dll" _
                Alias "CreateFileA" (ByVal lpFileName As String, _
                                     ByVal dwDesiredAccess As Long, _
                                     ByVal dwShareMode As Long, _
                                     ByRef lpSecurityAttributes As Long, _
                                     ByVal dwCreationDisposition As Long, _
                                     ByVal dwFlagsAndAttributes As Long, _
                                     ByVal hTemplateFile As Long) As Long

' Creates a file-mapping object for an open file (ANSI variant); returns 0 on failure.
' The parameter name "lpFileMappigAttributes" is spelled as in the original listing.
Private Declare Function CreateFileMapping _
                Lib "kernel32.dll" _
                Alias "CreateFileMappingA" (ByVal hFile As Long, _
                                            ByRef lpFileMappigAttributes As Long, _
                                            ByVal flProtect As Long, _
                                            ByVal dwMaximumSizeHigh As Long, _
                                            ByVal dwMaximumSizeLow As Long, _
                                            ByVal lpName As String) As Long

' Returns the low 32 bits of the file size; the high 32 bits go to lpFileSizeHigh.
Private Declare Function GetFileSize _
                Lib "kernel32.dll" (ByVal hFile As Long, _
                                    ByRef lpFileSizeHigh As Long) As Long

' Layout of the Win32 SECURITY_ATTRIBUTES structure.
Private Type SECURITY_ATTRIBUTES
    nLength As Long
    lpSecurityDescriptor As Long
    bInheritHandle As Long
End Type

Private Const FILE_ATTRIBUTE_NORMAL  As Long = &H80
Private Const SECTION_MAP_READ       As Long = &H4
Private Const FILE_MAP_READ          As Long = SECTION_MAP_READ
Private Const FILE_SHARE_READ        As Long = &H1
Private Const GENERIC_READ           As Long = &H80000000
Private Const OPEN_EXISTING          As Long = 3
' Read + write + execute on the same pages.
Private Const PAGE_EXECUTE_READWRITE As Long = &H40
Private Const PAGE_READONLY          As Long = &H2
' Asks CreateFileMapping to map the file as a PE image (section layout) rather than as a flat file.
Private Const SEC_IMAGE              As Long = &H1000000
Private Const INVALID_HANDLE_VALUE   As Long = -1

' Opens a handle to another process by process id.
Private Declare Function OpenProcess _
                Lib "kernel32.dll" (ByVal dwDesiredAccess As Long, _
                                    ByVal bInheritHandle As Long, _
                                    ByVal dwProcessId As Long) As Long

' NOTE(review): &HFFF is not the Windows SDK value of PROCESS_ALL_ACCESS
' (&H1F0FFF on pre-Vista SDKs); confirm before relying on it.
Private Const PROCESS_ALL_ACCESS     As Long = (&HFFF)
' RemoveFWHook
'
' Purpose: replace the first 10 bytes of an exported function in the copy of a
' DLL loaded in this process with the bytes found at the same RVA in a fresh
' image mapping of the DLL file on disk. Judging by the name, the intent is to
' undo an inline (prologue) hook that another component placed on that function
' ("FW" presumably means firewall; not confirmed by the code).
'
' Parameters:
'   szDllPath  - full path of the DLL. It is used both for LoadLibrary and for
'                CreateFile, so it must be a complete path.
'   szFuncName - exported name passed to GetProcAddress.
'
' Returns: True if VirtualProtect reported success, False otherwise.
'
' Defender's view: this changes the protection of loaded-module code to
' PAGE_EXECUTE_READWRITE and then writes over it. Integrity checks that compare
' in-memory code with the on-disk image, and monitoring of protection changes on
' module code pages, are the usual places this shows up.
'
' NOTE(review): no Dim statements are visible for lpBase, lpFunc, dwRVA, hFile,
' dwSize, hMapFile, lpBaseMap, lpRealFunc, bRes or dwOldProtect. Unless they are
' declared elsewhere in the module, they are implicit Variants and the routine
' will not compile under Option Explicit.
Public Function RemoveFWHook(szDllPath As String, _
                             szFuncName As String) As Boolean
    ' szDllPath must be the full path of the DLL!
    ' Get a pointer to the function as currently loaded in this process.
    ' NOTE(review): the module reference taken by LoadLibrary is never released
    ' (FreeLibrary is not declared in the visible code).
    lpBase = LoadLibrary(szDllPath)
    lpFunc = GetProcAddress(lpBase, szFuncName)

    ' NOTE(review): this is a single-line If with no Exit Function, so when the
    ' export is not found, execution still continues with lpFunc = 0.
    If lpFunc = 0 Then RemoveFWHook = False

    ' Compute the function's RVA (offset from the module base).
    dwRVA = lpFunc - lpBase

    ' Map the file into memory: open the DLL file read-only.
    hFile = CreateFile(szDllPath, GENERIC_READ, FILE_SHARE_READ, ByVal 0&, _
                       OPEN_EXISTING, 0, 0)

    If hFile = INVALID_HANDLE_VALUE Then
        RemoveFWHook = False
        Exit Function
    End If

    ' Map the file as an image (SEC_IMAGE), so section offsets in the view
    ' correspond to RVAs.
    ' NOTE(review): neither hMapFile nor lpBaseMap is checked for 0 before use.
    dwSize = GetFileSize(hFile, 0)
    hMapFile = CreateFileMapping(hFile, 0, PAGE_READONLY Or SEC_IMAGE, 0, dwSize, _
                                 vbNullString)
    lpBaseMap = MapViewOfFile(hMapFile, FILE_MAP_READ, 0, 0, dwSize)

    ' Pointer to the same function inside the freshly mapped image.
    lpRealFunc = lpBaseMap + dwRVA

    ' Change the access protection and copy.
    bRes = True

    ' NOTE(review): VirtualProtect and CopyMemory declare these parameters
    ' "ByRef ... As Any". As written, the calls therefore receive the addresses
    ' of the variables lpFunc / lpRealFunc themselves, not the addresses stored
    ' in them. The copy would then touch this routine's own variable storage
    ' rather than the target function. Confirm against the declarations.
    ' NOTE(review): the 10-byte length is fixed, and the previous protection
    ' saved in dwOldProtect is never restored.
    If (VirtualProtect(lpFunc, 10, PAGE_EXECUTE_READWRITE, dwOldProtect)) Then
        CopyMemory lpFunc, lpRealFunc, 10
    Else
        bRes = False
    End If

    ' Release the view, the mapping object and the file handle.
    ' NOTE(review): the parentheses around the single argument make VB evaluate
    ' it as an expression, so the ByRef UnmapViewOfFile parameter receives a
    ' temporary. Verify that the view is really unmapped.
    UnmapViewOfFile (lpBaseMap)
    CloseHandle (hMapFile)
    CloseHandle (hFile)
    RemoveFWHook = bRes
End Function