#pragma once
#include <Windows.h>
#include "TSRuntime.h"
// Per-OS hook-site offsets for five NtUser* routines, one group per Windows
// build family. Nothing in this header consumes the macros; they are read by
// code elsewhere.
//
// The XP address comments are self-consistent: each address minus its offset
// gives 0x77D10000 (e.g. 0x77D184AE - 0x84AE), so the XP offsets are relative
// to an image loaded at that base -- presumably user32.dll; confirm against
// the code that applies them.
//
// NOTE(review): these are hard-coded, build-specific offsets, not addresses
// resolved from exports. A servicing update to the target module moves the
// routines, and a patch written at a stale offset lands in unrelated code.
// The consumer should confirm the module version (or the expected bytes at
// the site) before patching and refuse to hook on a mismatch -- verify that
// it does.
//
// NOTE(review): the "77D1xxxx/77D2xxxx" address comments in every non-XP group
// repeat the XP addresses verbatim and do not match the offsets next to them;
// treat them as routine-name labels only.

// Windows XP: hook-site offsets
//77D184AE __stdcall NtUserCallOneParam(x, x)
#define NtUserCallOneParam_XPOffset 0x84AE
//77D298A6 __stdcall NtUserGetThreadState(x)
#define NtUserGetThreadState_XPOffset 0x198A6
//77D29F5E __stdcall NtUserGetKeyState(x)
#define NtUserGetKeyState_XPOffset 0x19F5E
//77D2A822 __stdcall NtUserGetAsyncKeyState
#define NtUserGetAsyncKeyState_XPOffset 0x1A822
//77D2A93A __stdcall NtUserCallTwoParam(x, x, x)
#define NtUserCallTwoParam_XPOffset 0x1A93A
// Windows Server 2003: hook-site offsets (this group had no header comment;
// the OS is taken from the _Win2003Offset suffix)
//77D184AE __stdcall NtUserCallOneParam(x, x)
#define NtUserCallOneParam_Win2003Offset 0x1b626
//77D298A6 __stdcall NtUserGetThreadState(x)
#define NtUserGetThreadState_Win2003Offset 0x1cb3c
//77D29F5E __stdcall NtUserGetKeyState(x)
#define NtUserGetKeyState_Win2003Offset 0x16348
//77D2A822 __stdcall NtUserGetAsyncKeyState
#define NtUserGetAsyncKeyState_Win2003Offset 0xED3A
//77D2A93A __stdcall NtUserCallTwoParam(x, x, x)
#define NtUserCallTwoParam_Win2003Offset 0x755F
// Windows 7 x86: hook-site offsets
//77D184AE __stdcall NtUserCallOneParam(x, x)
#define NtUserCallOneParam_WIN7X86Offset 0x1D8F7
//77D298A6 __stdcall NtUserGetThreadState(x)
#define NtUserGetThreadState_WIN7X86Offset 0x13A20
//77D29F5E __stdcall NtUserGetKeyState(x)
#define NtUserGetKeyState_WIN7X86Offset 0x12D17
//77D2A822 __stdcall NtUserGetAsyncKeyState
#define NtUserGetAsyncKeyState_WIN7X86Offset 0xA2F4
//77D2A93A __stdcall NtUserCallTwoParam(x, x, x)
#define NtUserCallTwoParam_WIN7X86Offset 0xDBCC
// Windows 8 x86: hook-site offsets (note: CallTwoParam is listed second here)
//77D184AE __stdcall NtUserCallOneParam(x, x)
#define NtUserCallOneParam_WIN8X86Offset 0x7470
//77D2A93A __stdcall NtUserCallTwoParam(x, x, x)
#define NtUserCallTwoParam_WIN8X86Offset 0x8FA7
//77D298A6 __stdcall NtUserGetThreadState(x)
#define NtUserGetThreadState_WIN8X86Offset 0xb9d7
//77D29F5E __stdcall NtUserGetKeyState(x)
#define NtUserGetKeyState_WIN8X86Offset 0x24F08
//77D2A822 __stdcall NtUserGetAsyncKeyState
#define NtUserGetAsyncKeyState_WIN8X86Offset 0xC08D
// Windows 7 x64: hook-site offsets
// The NtUserCallOneParam offset is disabled below, so no CallOneParam offset
// is defined for this platform in this header.
//77D184AE __stdcall NtUserCallOneParam(x, x)
//#define NtUserCallOneParam_WIN7X64Offset 0x160cd
//77D298A6 __stdcall NtUserGetThreadState(x)
#define NtUserGetThreadState_WIN7X64Offset 0x20DCE
//77D29F5E __stdcall NtUserGetKeyState(x)
#define NtUserGetKeyState_WIN7X64Offset 0x229AE
//77D2A822 __stdcall NtUserGetAsyncKeyState
#define NtUserGetAsyncKeyState_WIN7X64Offset 0x3EC48
//77D2A93A __stdcall NtUserCallTwoParam(x, x, x)
#define NtUserCallTwoParam_WIN7X64Offset 0x17426
// Windows 8 x64: hook-site offsets
// The disabled define below still carries the WIN7X64 name and value (it looks
// copied from the Windows 7 x64 group); no CallOneParam offset is defined for
// this platform in this header either.
//77D184AE __stdcall NtUserCallOneParam(x, x)
//#define NtUserCallOneParam_WIN7X64Offset 0x160cd
//77D298A6 __stdcall NtUserGetThreadState(x)
#define NtUserGetThreadState_WIN8X64Offset 0x8040
//77D29F5E __stdcall NtUserGetKeyState(x)
#define NtUserGetKeyState_WIN8X64Offset 0x9c12
//77D2A822 __stdcall NtUserGetAsyncKeyState
#define NtUserGetAsyncKeyState_WIN8X64Offset 0x17ad5
//77D2A93A __stdcall NtUserCallTwoParam(x, x, x)
#define NtUserCallTwoParam_WIN8X64Offset 0x8012
// Shared state for the five naked stubs defined later in this header. Every
// value starts at 0 and is expected to be filled in by code outside this
// header before a stub is called.
//
// NOTE(review): these are non-static, non-extern definitions inside a header.
// `#pragma once` only guards against double inclusion within one translation
// unit; including this header from two .cpp files yields duplicate-symbol link
// errors. Moving the definitions to a single .cpp and leaving `extern`
// declarations here would fix that, but it needs a change outside this file.
//
// NOTE(review): the *Ret values hold code addresses in a DWORD (32 bits), and
// the stubs use MSVC `_asm`, so this header is only usable in a 32-bit build.
// The X64 offset groups are presumably meant for a 32-bit process running on
// 64-bit Windows -- confirm.

// Value each stub loads into EAX before transferring control. The disabled
// `mov eax,0x1143` in the NtUserCallOneParam stub suggests this is a
// system-service index -- confirm against the code that assigns it.
DWORD EAX_NtUserCallOneParam=0;
DWORD EAX_NtUserGetThreadState=0;
DWORD EAX_NtUserGetKeyState=0;
DWORD EAX_NtUserGetAsyncKeyState=0;
DWORD EAX_NtUserCallTwoParam=0;
// Address each stub jumps to after loading EAX. While a value is still 0,
// calling the matching stub transfers control to address 0.
DWORD NtUserCallOneParamRet=0;
DWORD NtUserGetThreadStateRet=0;
DWORD NtUserGetKeyStateRet=0;
DWORD NtUserGetAsyncKeyStateRet=0;
DWORD NtUserCallTwoParamRet=0;
// 5-byte buffers, one per routine; not used in this header. Judging by the
// name they hold the original bytes of each hook site so the patch can be
// reverted -- confirm against the hook/unhook code.
BYTE NtUserCallOneParamUnhookByte[5]={0};
BYTE NtUserGetThreadStateUnhookByte[5]={0};
BYTE NtUserGetKeyStateUnhookByte[5]={0};
BYTE NtUserGetAsyncKeyStateUnhookByte[5]={0};
BYTE NtUserCallTwoParamUnhookByte[5]={0};
// Declared here, defined elsewhere; takes one opaque pointer argument.
void VIPHookandUnhookAPI(void *para);
// Naked stub for NtUserCallOneParam (MSVC x86 inline asm; the compiler emits
// no prologue or epilogue, so the body below is the entire function).
// It loads EAX_NtUserCallOneParam into EAX and jumps to the address stored in
// NtUserCallOneParamRet. Param and Routine are never read here; the caller's
// return address and both stack arguments are left in place for the code at
// the jump target, which is also what returns to the caller.
// NOTE(review): there is no guard for NtUserCallOneParamRet == 0 (its initial
// value); the stub must not be reachable before that global is set.
__declspec(naked) ULONG __stdcall NtUserCallOneParam(DWORD Param, DWORD Routine)
{
_asm{
// eax = EAX_NtUserCallOneParam (runtime value replacing the disabled literal below)
mov eax,EAX_NtUserCallOneParam
//mov eax,0x1143
// indirect jump: the operand is a DWORD variable, so control goes to the address it holds
jmp NtUserCallOneParamRet
// never executed (follows an unconditional jmp); if it were reached, __stdcall
// with two DWORD arguments would require `ret 8`, not a bare `ret`
ret
}
}
// Naked stub for NtUserGetThreadState (MSVC x86 inline asm; no compiler
// prologue or epilogue).
// It loads EAX_NtUserGetThreadState into EAX and jumps to the address stored
// in NtUserGetThreadStateRet. Routine is never read here; the caller's return
// address and stack argument stay in place for the code at the jump target.
// NOTE(review): there is no guard for NtUserGetThreadStateRet == 0 (its
// initial value); the stub must not be reachable before that global is set.
__declspec(naked) ULONG_PTR __stdcall NtUserGetThreadState(DWORD Routine)
{
_asm{
// eax = EAX_NtUserGetThreadState
mov eax,EAX_NtUserGetThreadState
// indirect jump: control goes to the address held in the DWORD variable
jmp NtUserGetThreadStateRet
// never executed (follows an unconditional jmp); a reachable return for this
// one-argument __stdcall function would have to be `ret 4`
ret
}
}
// Naked stub for NtUserGetKeyState (MSVC x86 inline asm; no compiler prologue
// or epilogue).
// It loads EAX_NtUserGetKeyState into EAX and jumps to the address stored in
// NtUserGetKeyStateRet. nVirtKey is never read here; the caller's return
// address and stack argument stay in place for the code at the jump target.
// NOTE(review): there is no guard for NtUserGetKeyStateRet == 0 (its initial
// value); the stub must not be reachable before that global is set.
__declspec(naked) SHORT __stdcall NtUserGetKeyState(int nVirtKey)
{
_asm{
// eax = EAX_NtUserGetKeyState
mov eax,EAX_NtUserGetKeyState
// indirect jump: control goes to the address held in the DWORD variable
jmp NtUserGetKeyStateRet
// never executed (follows an unconditional jmp); a reachable return for this
// one-argument __stdcall function would have to be `ret 4`
ret
}
}
// Naked stub for NtUserGetAsyncKeyState (MSVC x86 inline asm; no compiler
// prologue or epilogue).
// It loads EAX_NtUserGetAsyncKeyState into EAX and jumps to the address stored
// in NtUserGetAsyncKeyStateRet. nVirtKey is never read here; the caller's
// return address and stack argument stay in place for the code at the jump
// target.
// NOTE(review): there is no guard for NtUserGetAsyncKeyStateRet == 0 (its
// initial value); the stub must not be reachable before that global is set.
__declspec(naked) SHORT __stdcall NtUserGetAsyncKeyState(int nVirtKey)
{
_asm{
// eax = EAX_NtUserGetAsyncKeyState
mov eax,EAX_NtUserGetAsyncKeyState
// indirect jump: control goes to the address held in the DWORD variable
jmp NtUserGetAsyncKeyStateRet
// never executed (follows an unconditional jmp); a reachable return for this
// one-argument __stdcall function would have to be `ret 4`
ret
}
}
// Naked stub for NtUserCallTwoParam (MSVC x86 inline asm; no compiler prologue
// or epilogue).
// It loads EAX_NtUserCallTwoParam into EAX and jumps to the address stored in
// NtUserCallTwoParamRet. Param1, Param2 and Routine are never read here; the
// caller's return address and all three stack arguments stay in place for the
// code at the jump target.
// NOTE(review): there is no guard for NtUserCallTwoParamRet == 0 (its initial
// value); the stub must not be reachable before that global is set.
__declspec(naked) ULONG __stdcall NtUserCallTwoParam( DWORD Param1,DWORD Param2,DWORD Routine)
{
_asm{
// eax = EAX_NtUserCallTwoParam
mov eax,EAX_NtUserCallTwoParam
// indirect jump: control goes to the address held in the DWORD variable
jmp NtUserCallTwoParamRet
// never executed (follows an unconditional jmp); a reachable return for this
// three-argument __stdcall function would have to be `ret 12`
ret
}
}