#include <Windows.h>
#include <string.h>
// File name of the original DLL that Load() loads from the EXE's directory.
// The macro name is spelled "HIJCAK" in this file; it is kept because other code refers to it.
#define HIJCAKDLLNAME "hijack.dll"
HMODULE g_hModule = NULL; // Handle of the original module (NULL until Load() stores one)
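// Get the directory that contains the current process's EXE.
//
// pExePath must point to a buffer of at least MAX_PATH chars. On return it
// holds the EXE's directory without a trailing backslash. If the module path
// cannot be obtained, is truncated, or contains no backslash, the buffer is
// set to an empty string so the caller never sees a partial path.
void GetExePath(char *pExePath)
{
    DWORD len;
    char *lastSep;

    if (pExePath == NULL)
        return;

    // Use the ANSI entry point explicitly: the buffer is char-based, so the
    // TCHAR macro would mismatch in a UNICODE build.
    len = GetModuleFileNameA(NULL, pExePath, MAX_PATH);

    // 0 means failure; a return equal to the buffer size means the path was
    // truncated (and may not be NUL-terminated on older systems).
    if (len == 0 || len >= MAX_PATH) {
        pExePath[0] = '\0';
        return;
    }

    // Cut at the last backslash. The original scanned backwards without a
    // lower bound, reading before the buffer when no backslash was present.
    lastSep = strrchr(pExePath, '\\');
    if (lastSep == NULL) {
        pExePath[0] = '\0';
        return;
    }
    *lastSep = '\0';
}
// Load the original module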
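// Load the original module from the EXE's directory and keep its handle in
// g_hModule. The module is addressed by a full path built from GetExePath(),
// so the loader does not apply its DLL search order to HIJCAKDLLNAME.
// Does nothing if the module is already loaded or the path cannot be built.
// Not synchronized: concurrent first calls may both reach LoadLibraryA.
void Load(void)
{
    CHAR tmpPath[MAX_PATH] = {0};
    const size_t nameLen = sizeof(HIJCAKDLLNAME) - 1;
    size_t dirLen;

    // Load once only. The original called LoadLibrary on every lookup, which
    // raised the module's reference count without a matching FreeLibrary.
    if (g_hModule != NULL)
        return;

    GetExePath(tmpPath);
    dirLen = strlen(tmpPath);

    // An empty directory would turn the path into "\hijack.dll" (drive root),
    // and directory + '\\' + name + NUL must fit in MAX_PATH. The original
    // used unbounded strcat here.
    if (dirLen == 0 || dirLen + 1 + nameLen >= MAX_PATH)
        return;

    tmpPath[dirLen] = '\\';
    memcpy(tmpPath + dirLen + 1, HIJCAKDLLNAME, nameLen + 1); // copies the NUL too

    g_hModule = LoadLibraryA(tmpPath);
}

// Release the original module and clear the cached handle so that a later
// Load() or GetAddress() cannot use a stale HMODULE.
void Free(void)
{
    if (g_hModule != NULL) {
        FreeLibrary(g_hModule);
        g_hModule = NULL;
    }
}

// Get the address of a function exported by the original module.
// Returns NULL if the module could not be loaded or the export is not found.
FARPROC GetAddress(PCSTR pszProcName)
{
    Load();
    if (g_hModule == NULL)
        return NULL;

    return GetProcAddress(g_hModule, pszProcName);
}

// DLL entry point. Shows a message box on process attach and detach; thread
// notifications are ignored (their message boxes were disabled in the original).
//
// NOTE(review): DllMain runs under the loader lock. Microsoft's DllMain
// guidance advises against calling User32 functions such as MessageBox here,
// and against calling FreeLibrary, because either can deadlock or touch DLLs
// that are not yet initialized. The calls are kept because they are this
// sample's only visible output.
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;

    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        MessageBoxA(NULL, "DLL_PROCESS_ATTACH", "RemoteThread inject", MB_OK);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        // Free() is deliberately not called here (it was commented out in the
        // original as well); see the loader-lock note above.
        MessageBoxA(NULL, "DLL_PROCESS_DETACH", "RemoteThread inject", MB_OK);
        break;
    default:
        break;
    }
    return TRUE;
}
// Exported functions: forwarding form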
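//#pragma comment(linker, "/EXPORT:add=hijack.add,@1")
// With the forwarding form the linker records the export as a forwarder string
// ("hijack.add") in this DLL's export table, where an export dump will show it.
//
// Direct-call form:
// #pragma comment(linker, "/EXPORT:add=_myadd,@1")
// typedef int (__cdecl *lpFun)(int, int);
// int __cdecl myadd(int x, int y)
// {
//     // Look up the address of the original function
//     lpFun myFun = (lpFun)GetAddress("add");
//     // NOTE(review): myFun is not checked for NULL before the call.
//     return myFun(x,y);
// }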