Remote Hook API - HookRemoteApi
Function overview
Installs a remote hook at the specified address in the target process; when the target process executes that address, the callback you supplied is invoked inside the current process. Supports both x86 and x64 target processes. (Advanced edition feature; not available in the standard edition.)
Callback functions and context structures
64-bit callback (used when the target process is x64)
Context structure HookContext64 (register layout):
| Member | Type | Offset | Notes |
|---|---|---|---|
| rax | uint64_t | +0 | |
| rbx | uint64_t | +8 | |
| rcx | uint64_t | +16 | |
| rdx | uint64_t | +24 | |
| rsi | uint64_t | +32 | |
| rdi | uint64_t | +40 | |
| rbp | uint64_t | +48 | |
| rsp | uint64_t | +56 | |
| r8 | uint64_t | +64 | |
| r9 | uint64_t | +72 | |
| r10 | uint64_t | +80 | |
| r11 | uint64_t | +88 | |
| r12 | uint64_t | +96 | |
| r13 | uint64_t | +104 | |
| r14 | uint64_t | +112 | |
| r15 | uint64_t | +120 | |
| rflags | uint64_t | +128 | |
Callback type: int (*HookCallback64)(HookContext64& ctx, DWORD pid, DWORD threadId)
- Return value: 1 = registers were modified and are written back to the target process; 0 = intercept only, registers left unchanged.
32-bit callback (used when the target process is x86)
Context structure HookContext32 (register layout):
| Member | Type | Offset | Notes |
|---|---|---|---|
| eax | uint32_t | +0 | |
| ebx | uint32_t | +4 | |
| ecx | uint32_t | +8 | |
| edx | uint32_t | +12 | |
| esi | uint32_t | +16 | |
| edi | uint32_t | +20 | |
| ebp | uint32_t | +24 | |
| esp | uint32_t | +28 | |
| eflags | uint32_t | +32 | |
Callback type: int (*HookCallback32)(HookContext32& ctx, DWORD pid, DWORD threadId)
- Return value: 1 = registers modified and written back; 0 = intercept only, no modification.
Interface name
HookRemoteApi
DLL call
```cpp
int HookRemoteApi(long instance, long hwnd, long targetAddr, long size, long hook_proc);
```
Parameters
| Parameter | Type | Description |
|---|---|---|
| instance | long integer | Pointer to the OLAPlug object, created by the CreateCOLAPlugInterFace interface. |
| hwnd | long integer | Window handle or process ID |
| targetAddr | long integer | Address in the target process to hook |
| size | long integer | Number of bytes occupied by the hook (depends on instruction length: the bytes replaced must cover at least one complete instruction, i.e. end on an instruction boundary) |
| hook_proc | long integer | Address of the callback function in the current process (passed as an integer for cross-language convenience). Use HookCallback64 when the target is x64 and HookCallback32 when it is x86 |
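The following is an added example, not OLAPlug's own code. It spells out the two context structures from the tables above, checks their offsets at compile time (a practitioner's sanity check that the struct the callback reads matches the documented layout), shows one callback per bitness with the 0/1 return contract, and passes the callback address as a pointer-sized integer for hook_proc. The dispatcher functions `SimulateDispatch64`/`SimulateDispatch32` are an assumption about how the plugin calls the callback (copy the target's registers in, call, write back only when the callback returns 1) and exist only so the contract can be exercised without a target process; the pid/tid values are constructed.

```cpp
// Added example (not OLAPlug's own code); see lead-in for assumptions.
#include <cstdint>
#include <cstddef>
#include <cstdio>

#ifdef _WIN32
#include <windows.h>
#else
typedef uint32_t DWORD;   // stand-in so the example also compiles off Windows
#endif

// Register layout exactly as documented (offsets +0 .. +128).
struct HookContext64 {
    uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp, rsp;
    uint64_t r8, r9, r10, r11, r12, r13, r14, r15;
    uint64_t rflags;
};

// Register layout exactly as documented (offsets +0 .. +32).
struct HookContext32 {
    uint32_t eax, ebx, ecx, edx, esi, edi, ebp, esp;
    uint32_t eflags;
};

// If any of these fail, the struct no longer matches the table and the
// callback would read or write the wrong register.
static_assert(offsetof(HookContext64, rcx) == 16, "rcx must be at +16");
static_assert(offsetof(HookContext64, r8) == 64, "r8 must be at +64");
static_assert(offsetof(HookContext64, rflags) == 128, "rflags must be at +128");
static_assert(sizeof(HookContext64) == 136, "HookContext64 is 17 x 8 bytes");
static_assert(offsetof(HookContext32, esp) == 28, "esp must be at +28");
static_assert(offsetof(HookContext32, eflags) == 32, "eflags must be at +32");
static_assert(sizeof(HookContext32) == 36, "HookContext32 is 9 x 4 bytes");

typedef int (*HookCallback64)(HookContext64& ctx, DWORD pid, DWORD threadId);
typedef int (*HookCallback32)(HookContext32& ctx, DWORD pid, DWORD threadId);

// 64-bit callback: log the hit; if rcx is zero, set it to 1 and return 1 so the
// plugin writes the modified registers back. Otherwise return 0 (observe only).
int OnHit64(HookContext64& ctx, DWORD pid, DWORD threadId) {
    std::printf("[hook64] pid=%u tid=%u rcx=0x%llx\n",
                (unsigned)pid, (unsigned)threadId, (unsigned long long)ctx.rcx);
    if (ctx.rcx == 0) {
        ctx.rcx = 1;
        return 1;
    }
    return 0;
}

// 32-bit callback: observe only, never touches registers.
int OnHit32(HookContext32& ctx, DWORD pid, DWORD threadId) {
    std::printf("[hook32] pid=%u tid=%u eax=0x%x esp=0x%x\n",
                (unsigned)pid, (unsigned)threadId, ctx.eax, ctx.esp);
    return 0;
}

// Stand-in dispatcher (assumption). Returns the rcx value the target
// process would continue with after the hook.
uint64_t SimulateDispatch64(HookCallback64 cb, uint64_t target_rcx) {
    HookContext64 live{};           // registers as captured from the target
    live.rcx = target_rcx;
    HookContext64 ctx = live;       // copy handed to the callback
    if (cb(ctx, 1234, 5678) == 1)   // constructed pid/tid sample values
        live = ctx;                 // write back only when the callback asked
    return live.rcx;
}

uint32_t SimulateDispatch32(HookCallback32 cb, uint32_t target_eax) {
    HookContext32 live{};
    live.eax = target_eax;
    HookContext32 ctx = live;
    if (cb(ctx, 1234, 5678) == 1)
        live = ctx;
    return live.eax;
}

// hook_proc is documented as an integer. Use a pointer-sized integer so a
// 64-bit host process does not truncate the address (MSVC's `long` is 32 bits).
uintptr_t HookProcAsInteger(HookCallback64 cb) {
    return reinterpret_cast<uintptr_t>(cb);
}

int main() {
    std::printf("rcx 0 -> %llu\n", (unsigned long long)SimulateDispatch64(OnHit64, 0));
    std::printf("rcx 7 -> %llu\n", (unsigned long long)SimulateDispatch64(OnHit64, 7));
    std::printf("eax 5 -> %u\n", SimulateDispatch32(OnHit32, 5));
    // In a real call, HookProcAsInteger(OnHit64) is the value passed as hook_proc.
    std::printf("hook_proc = 0x%llx\n", (unsigned long long)HookProcAsInteger(OnHit64));
    return 0;
}
```

Returning 1 from the callback is what makes the register change visible to the target; a callback that edits ctx but returns 0 leaves the target untouched, which is an easy mistake to miss when the hook otherwise fires correctly.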
Examples
SDK calls
```cpp
#include "OLAPlugServer.h"
OLAPlugServer ola;
// hwnd: window handle or PID of the target; the three zeros are placeholders for targetAddr, size and hook_proc
int ret = ola.HookRemoteApi(hwnd, 0, 0, 0);
```
```csharp
using OLAPlug;
var ola = new OLAPlugServer();
int ret = ola.HookRemoteApi(hwnd, 0, 0, 0);
```
```python
from OLAPlugServer import OLAPlugServer
ola = OLAPlugServer()
ret = ola.HookRemoteApi(hwnd, 0, 0, 0)
```
```java
import com.olaplug.OLAPlugServer;
OLAPlugServer ola = new OLAPlugServer();
int ret = ola.HookRemoteApi(hwnd, 0, 0, 0);
```
```
var ola = com("OlaPlug.OlaSoft")
var ret = ola.HookRemoteApi(hwnd, 0, 0, 0)
```
```vbscript
Set ola = CreateObject("OlaPlug.OlaSoft")
ret = ola.HookRemoteApi(hwnd, 0, 0, 0)
```
```text
.局部变量 ola, OLAPlug
ola.创建 ()
ret = ola.HookRemoteApi(hwnd, 0, 0, 0)
```
```aardio
import OLAPlugServer;
var ola = OLAPlugServer();
var ret = ola.HookRemoteApi(hwnd, 0, 0, 0);
```
```text
变量 ola <类型 = OLAPlugServer>
ola = 新建 OLAPlugServer
整数 ret = ola.HookRemoteApi(hwnd, 0, 0, 0)
```
```cpp
#include "OLAPlugServer.h"
OLAPlugServer ola;
int32_t ret = ola.HookRemoteApi(hwnd, 0, 0, 0);
```
Native DLL calls
```cpp
long instance = CreateCOLAPlugInterFace();
HookRemoteApi(instance, hwnd, 0, 0, 0);
```
```csharp
using System.Runtime.InteropServices;
using System.Text;
[DllImport("OLAPlug_x64.dll", CallingConvention = CallingConvention.StdCall)]
static extern long CreateCOLAPlugInterFace();
[DllImport("OLAPlug_x64.dll", CallingConvention = CallingConvention.StdCall)]
static extern int HookRemoteApi(long ola, long hwnd, long targetAddr, long size, long hook_proc);
long instance = CreateCOLAPlugInterFace();
HookRemoteApi(instance, hwnd, 0, 0, 0);
```
```python
from ctypes import CDLL, c_int, c_int64
ola = CDLL("OLAPlug_x64.dll")
ola.CreateCOLAPlugInterFace.restype = c_int64
# Declare 64-bit argument types (matching the C# declaration above) so the
# instance pointer and callback address are not truncated to a C int,
# which is what ctypes does with plain Python ints by default
ola.HookRemoteApi.argtypes = [c_int64, c_int64, c_int64, c_int64, c_int64]
ola.HookRemoteApi.restype = c_int
instance = ola.CreateCOLAPlugInterFace()
ola.HookRemoteApi(instance, hwnd, 0, 0, 0)
```
Return value
1 on success, 0 on failure.
Notes
- The callback runs inside the current process. In C# and similar languages, use Marshal.GetFunctionPointerForDelegate to obtain the address of a delegate to pass as hook_proc, and keep a reference to the delegate so it is not reclaimed by the GC.
