Created
September 28, 2015 02:54
-
-
Save kumatti1/f9ec1a011987dd3f2753 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Option Explicit | |
| Private Const PAGE_EXECUTE_READWRITE = &H40 | |
| Private Declare Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" _ | |
| (Destination As Long, Source As Long, ByVal Length As Long) | |
| Private Declare Function VirtualProtect Lib "kernel32" (lpAddress As Long, _ | |
| ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long | |
| Private Declare Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As Long | |
| Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, _ | |
| ByVal lpProcName As String) As Long | |
| Private Declare Function DialogBoxParam Lib "user32" Alias "DialogBoxParamA" (ByVal hInstance As Long, _ | |
| ByVal pTemplateName As Long, ByVal hWndParent As Long, _ | |
| ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As Integer | |
| Private Declare PtrSafe Function MessageBox Lib "user32" Alias "MessageBoxW" (ByVal hwnd As LongPtr, ByVal lpText As LongPtr, ByVal lpCaption As LongPtr, ByVal wType As Long) As Long | |
| Dim HookBytes(0 To 5) As Byte | |
| Dim OriginBytes(0 To 5) As Byte | |
| Dim pFunc As Long | |
| Dim Flag As Boolean | |
| Public Sub RecoverBytes() | |
| MoveMemory ByVal pFunc, ByVal VarPtr(OriginBytes(0)), 6 | |
| End Sub | |
| Public Function Hook() As Boolean | |
| Dim TmpBytes(0 To 5) As Byte | |
| Dim p As Long | |
| Dim OriginProtect As Long | |
| Hook = False | |
| Dim hdll& | |
| hdll = GetModuleHandleA("vbe7.dll") | |
| pFunc = GetProcAddress(hdll, "rtcMsgBox") | |
| If VirtualProtect(ByVal pFunc, 6, PAGE_EXECUTE_READWRITE, OriginProtect) <> 0 Then | |
| MoveMemory ByVal VarPtr(TmpBytes(0)), ByVal pFunc, 6 | |
| If TmpBytes(0) <> &H68 Then | |
| MoveMemory ByVal VarPtr(OriginBytes(0)), ByVal pFunc, 6 | |
| p = VBA.CLng(AddressOf Hookd) | |
| HookBytes(0) = &H68 | |
| MoveMemory ByVal VarPtr(HookBytes(1)), ByVal VarPtr(p), 4 | |
| HookBytes(5) = &HC3 | |
| MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0)), 6 | |
| Flag = True | |
| Hook = True | |
| End If | |
| End If | |
| End Function | |
| Private Function Hookd(a, ByVal b&, c, d, e) As Long | |
| Hookd = MessageBox(Application.hwnd, StrPtr(a), StrPtr(""), b) | |
| End Function | |
| Sub Main() | |
| Hook | |
| MsgBox ChrW(&H2113) | |
| RecoverBytes | |
| End Sub |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment