/**
 * Look up a hook object in the user32 shared handle table and return one of
 * its fields.
 *
 * The function resolves four ntdll routines by name, loads user32 through
 * LdrLoadDll, and scans the start of User32InitializeImmEntryTable for the
 * byte pair 0x50 0x68 (x86 "push eax" / "push imm32"). The 32-bit value that
 * follows is taken as the SHAREDINFO pointer. It then reads a value from the
 * TEB at hard-coded offsets into UserDelta and walks the handle table looking
 * for an entry whose offPfn equals hHook.
 *
 * @param hHook      value compared against HookInfo->offPfn
 * @param info_type  0 returns HookInfo->flags; 1 returns HookInfo->ptiHooked
 *                   cast to ULONG; any other value falls through
 * @return 0 if one of the ntdll exports cannot be resolved, the selected
 *         field on a match, otherwise -1 converted to ULONG.
 *
 * NOTE(review): 0 doubles as an error code and as a possible flags value, so
 * a caller cannot tell the two apart; the -1 path uses a second sentinel.
 * NOTE(review): the code is 32-bit x86 only (inline asm, pointers cast to
 * ULONG) and depends on undocumented user32 layout and TEB offsets that are
 * not stable across Windows builds. Treat every offset as an assumption to
 * re-verify per build.
 * NOTE(review): two lines of the listing are damaged on this page (the
 * HandleEntries assignment and the for statement); see the notes at those
 * lines. The block does not compile as shown.
 */
extern __declspec(dllexport) ULONG __stdcall GetHookInfo(HANDLE hHook, int info_type)
{
NTSTATUS NtStatus = STATUS_UNSUCCESSFUL;
PVOID ImageBase;
PVOID User32InitializeImmEntryTable = NULL;
UNICODE_STRING DllName;
ANSI_STRING ProcedureName;
ULONG i;
ULONG UserDelta = 0;
ULONG HandleEntries = 0;
SHAREDINFO *SharedInfo = NULL;
HANDLEENTRY *UserHandleTable = NULL;
HOOK *HookInfo = NULL;

// NOTE(review): the LoadLibrary result is not checked before the
// GetProcAddress calls below, and no FreeLibrary is visible on any return
// path, so each call leaves one extra reference on ntdll.
HMODULE module = LoadLibrary(L"ntdll.dll");

// Resolve the native loader and string helpers by name; a missing export
// ends the call with 0.
fp_LdrLoadDll LdrLoadDll = NULL;
LdrLoadDll = (fp_LdrLoadDll)GetProcAddress(module,"LdrLoadDll");
if(LdrLoadDll == NULL)
return 0;

fp_LdrGetProcedureAddress LdrGetProcedureAddress = NULL;
LdrGetProcedureAddress = (fp_LdrGetProcedureAddress)GetProcAddress(module,"LdrGetProcedureAddress");
if(LdrGetProcedureAddress == NULL)
return 0;

fp_RtlInitAnsiString RtlInitAnsiString = NULL;
RtlInitAnsiString = (fp_RtlInitAnsiString)GetProcAddress(module,"RtlInitAnsiString");
if(RtlInitAnsiString == NULL)
return 0;

fp_RtlInitUnicodeString RtlInitUnicodeString = NULL;
RtlInitUnicodeString = (fp_RtlInitUnicodeString )GetProcAddress(module,"RtlInitUnicodeString");
if(RtlInitUnicodeString == NULL)
return 0;

RtlInitUnicodeString(&DllName, L"user32");

// Load (or reference) user32 by its bare name; ImageBase receives the handle.
NtStatus = LdrLoadDll(0,0,&DllName, // DllName
&ImageBase); // DllHandle
if(NtStatus == STATUS_SUCCESS)
{
RtlInitAnsiString(&ProcedureName,"User32InitializeImmEntryTable");
NtStatus = LdrGetProcedureAddress(
ImageBase, // DllHandle
&ProcedureName, // ProcedureName
0, // ProcedureNumber OPTIONAL
(PVOID*)&User32InitializeImmEntryTable); // ProcedureAddress
if(NtStatus == STATUS_SUCCESS)
{
__asm
{
// esi walks the code bytes of the export; a null address skips the scan.
mov esi, User32InitializeImmEntryTable
test esi, esi
jz __exit2
// ecx bounds the scan: it starts at 0x80 and is decremented before each
// first-byte read.
mov ecx, 0x80
__loop:
dec ecx
test ecx, ecx
jz __exit1
// Look for byte 0x50 immediately followed by byte 0x68.
// NOTE(review): when the second byte is not 0x68 it is consumed without
// being re-tested as a possible 0x50, and the second read is not counted
// against ecx.
lodsb
cmp al, 0x50
jnz __loop
lodsb
cmp al, 0x68
jnz __loop
// The dword after the pair is stored as the SHAREDINFO address.
// NOTE(review): nothing validates that this value is a readable address.
lodsd
mov SharedInfo, eax
jmp __exit2
__exit1:
// Scan exhausted: ecx is 0 here, so SharedInfo becomes NULL.
mov SharedInfo, ecx
__exit2:
// fs:[0x18] is the x86 TEB self pointer; the value at TEB+0x6CC+0x1C is
// stored in UserDelta.
// NOTE(review): presumably the client/kernel mapping delta for user
// objects - the offsets are hard-coded, confirm for the target build.
sub eax, eax
mov eax, fs:[eax+0x18]
lea eax, [eax+0x06CC]
mov eax, [eax+0x001C]
mov UserDelta, eax
}
// NOTE(review): this line is damaged on the page. "**1" reads as a
// dereference followed by footnote marker 1, and the "*1:" fragment after
// the function holds the displaced text, so the original was presumably
// "*((ULONG *)((ULONG)SharedInfo->psi + 8))" - confirm against the
// upstream file.
// NOTE(review): SharedInfo is NULL here when the byte scan above fails, and
// no NULL check or __try is visible around this line or the next one.
HandleEntries = **1;
UserHandleTable = (HANDLEENTRY *)SharedInfo->aheList;
// NOTE(review): this line is damaged as well: everything between "i" and
// "offPfn" is missing (the loop condition and increment, and whatever
// assigned HookInfo). The closing braces and the __except below suggest
// that a loop body, one further block and a __try opened here. Restore the
// text from the upstream file rather than guessing it.
for(i=0; ioffPfn == hHook)
{
// info_type selects which field of the matched entry is returned.
if(info_type == 0)
return HookInfo->flags;
// NOTE(review): ptiHooked is returned as a raw pointer value truncated to
// ULONG; presumably a kernel-side address - confirm before exposing it to
// callers.
if(info_type==1)
return (ULONG)HookInfo->ptiHooked;
}
}
// Any exception raised in the guarded region is swallowed and the walk
// continues or ends without reporting it.
__except(EXCEPTION_EXECUTE_HANDLER) {}
}
}
}
}
// Reached on every path that did not return above; -1 converts to
// 0xFFFFFFFF in the ULONG return type.
return -1;
}

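/* Footnote *1 - text displaced from the "HandleEntries = **1;" line above by the page's footnote markup: ((ULONG *)((ULONG)SharedInfo->psi + 8)) */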