dohvis/SimpleHoocking.c

## SimpleHoocking.c
#include <stdio.h>
#include <Windows.h>
#include <tlhelp32.h>

DWORD GetPIDByName(LPCTSTR szProcessName)
{
	DWORD PID = 0xFFFFFFFF;
	HANDLE hSnapShot = INVALID_HANDLE_VALUE;
	PROCESSENTRY32 pe;
	char proc_name[260];

	pe.dwSize = sizeof(PROCESSENTRY32);
	hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, NULL);
	Process32First(hSnapShot, &pe);
	do
	{
		strncpy(proc_name, pe.szExeFile, strlen(pe.szExeFile));
		if (!_strnicmp(szProcessName, proc_name, strlen(szProcessName)))
		{
			PID = pe.th32ProcessID;
			break;
		}
	} while (Process32Next(hSnapShot, &pe));
	CloseHandle(hSnapShot);
	return PID;
}

DWORD GetModuleBaseAddrByPID(int pid)
{
	HANDLE hSnapshot;
	MODULEENTRY32 me32;
	DWORD dwAddress = 0xFFFFFFFF;

	hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);

	if (!hSnapshot)
		return FALSE;

	me32.dwSize = sizeof(MODULEENTRY32);

	if (!Module32First(hSnapshot, &me32))
		return FALSE;

	do {
		if (me32.th32ProcessID == pid)
		{
			dwAddress = me32.modBaseAddr;
			break;
		}
	} while (Module32Next(hSnapshot, &me32));
	return dwAddress;
}

void main()
{
	DWORD old, BaseAddr, Read, TargetAddr, MulAddr;
	BYTE ReadBytes[20];
	int pid = GetPIDByName("target");
	printf(" PID : %d\n", pid);
	HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
	BaseAddr = GetModuleBaseAddrByPID(pid);

	if (!hProcess)
	{
		printf("Error : %d", GetLastError());
		exit(0);
	}
	TargetAddr = BaseAddr + 0x110FA;
	// MulAddr = BaseAddr + ;
	ReadProcessMemory(hProcess, TargetAddr, &ReadBytes, 5 ,&Read);
	printf("OPCODE : %x \n", ReadBytes[1]); // E9
	// target addr + 5(jmp opcode) + 쓰여질 주소 == 점프할 주소
	// 쓰여질 주소 = 점프할 주소(overwrite 될 함수주소) - TargetAddr - 4(E9 제외)
	VirtualProtectEx(hProcess, (LPVOID)TargetAddr, 1, PAGE_EXECUTE_READWRITE, &old);
	WriteProcessMemory(hProcess, (LPVOID)(TargetAddr+1), MulAddr-TargetAddr-4, 4, &old);

}
	#include <stdio.h>
	#include <Windows.h>
	#include <tlhelp32.h>

	DWORD GetPIDByName(LPCTSTR szProcessName)
	{
	DWORD PID = 0xFFFFFFFF;
	HANDLE hSnapShot = INVALID_HANDLE_VALUE;
	PROCESSENTRY32 pe;
	char proc_name[260];

	pe.dwSize = sizeof(PROCESSENTRY32);
	hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, NULL);
	Process32First(hSnapShot, &pe);
	do
	{
	strncpy(proc_name, pe.szExeFile, strlen(pe.szExeFile));
	if (!_strnicmp(szProcessName, proc_name, strlen(szProcessName)))
	{
	PID = pe.th32ProcessID;
	break;
	}
	} while (Process32Next(hSnapShot, &pe));
	CloseHandle(hSnapShot);
	return PID;
	}

	DWORD GetModuleBaseAddrByPID(int pid)
	{
	HANDLE hSnapshot;
	MODULEENTRY32 me32;
	DWORD dwAddress = 0xFFFFFFFF;

	hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);

	if (!hSnapshot)
	return FALSE;

	me32.dwSize = sizeof(MODULEENTRY32);

	if (!Module32First(hSnapshot, &me32))
	return FALSE;

	do {
	if (me32.th32ProcessID == pid)
	{
	dwAddress = me32.modBaseAddr;
	break;
	}
	} while (Module32Next(hSnapshot, &me32));
	return dwAddress;
	}

	void main()
	{
	DWORD old, BaseAddr, Read, TargetAddr, MulAddr;
	BYTE ReadBytes[20];
	int pid = GetPIDByName("target");
	printf(" PID : %d\n", pid);
	HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
	BaseAddr = GetModuleBaseAddrByPID(pid);

	if (!hProcess)
	{
	printf("Error : %d", GetLastError());
	exit(0);
	}
	TargetAddr = BaseAddr + 0x110FA;
	// MulAddr = BaseAddr + ;
	ReadProcessMemory(hProcess, TargetAddr, &ReadBytes, 5 ,&Read);
	printf("OPCODE : %x \n", ReadBytes[1]); // E9
	// target addr + 5(jmp opcode) + 쓰여질 주소 == 점프할 주소
	// 쓰여질 주소 = 점프할 주소(overwrite 될 함수주소) - TargetAddr - 4(E9 제외)
	VirtualProtectEx(hProcess, (LPVOID)TargetAddr, 1, PAGE_EXECUTE_READWRITE, &old);
	WriteProcessMemory(hProcess, (LPVOID)(TargetAddr+1), MulAddr-TargetAddr-4, 4, &old);

	}