#include <windows.h>
#include <winuser.h>
#include <string.h>
// ==========================
// 1. Global function pointer
// ==========================
// Route back to the original CreateWindowExW once the hook is installed.
// DllMain passes &pCreateWindowExW to apihook(), which stores the trampoline
// address here; until that happens the pointer is NULL. HCreateWindowExW calls
// through it without a NULL check, so it must be set before the hook is live.
static HWND(WINAPI* pCreateWindowExW)(
DWORD dwExStyle,
LPCWSTR lpClassName,
LPCWSTR lpWindowName,
DWORD dwStyle,
int X,
int Y,
int nWidth,
int nHeight,
HWND hWndParent,
HMENU hMenu,
HINSTANCE hInstance,
LPVOID lpParam
) = NULL;
// ==========================
// 2. Ad-window interception hook
// ==========================
// Stand-in for CreateWindowExW with the same signature and calling convention.
// A window whose name begins with the 14 characters "BandiViewAdWnd" makes the
// hook call TerminateProcess on the current process (exit code 0); every call
// is otherwise forwarded, arguments untouched, through pCreateWindowExW.
static HWND WINAPI HCreateWindowExW(
    DWORD dwExStyle, LPCWSTR lpClassName, LPCWSTR lpWindowName, DWORD dwStyle,
    int X, int Y, int nWidth, int nHeight,
    HWND hWndParent, HMENU hMenu, HINSTANCE hInstance, LPVOID lpParam
) {
    // lpWindowName may be NULL, so test the pointer before comparing the prefix.
    const BOOL isAdWindow =
        lpWindowName != NULL &&
        wcsncmp(lpWindowName, L"BandiViewAdWnd", 14) == 0;

    // Targeted match on the Bandizip ad window only; all other windows pass through.
    if (isAdWindow) {
        TerminateProcess(GetCurrentProcess(), 0);
    }

    HWND created = pCreateWindowExW(
        dwExStyle, lpClassName, lpWindowName, dwStyle,
        X, Y, nWidth, nHeight,
        hWndParent, hMenu, hInstance, lpParam
    );
    return created;
}
// ==========================
// 3. Native API declarations (declared by hand to avoid header conflicts)
// ==========================
typedef LONG NTSTATUS;
// Pointer type for ntdll's NtProtectVirtualMemory; apihook() resolves the
// address at run time with GetProcAddress.
// NOTE(review): the native routine writes back through BaseAddress and
// RegionSize (they return rounded to the page range that was changed), so a
// caller should pass copies rather than the pointer it still needs.
typedef NTSTATUS(WINAPI* PNtProtectVirtualMemory)(
HANDLE ProcessHandle,
PVOID* BaseAddress,
PSIZE_T RegionSize,
ULONG NewProtect,
PULONG OldProtect
);
// Pointer type for ntdll's NtAllocateVirtualMemory, resolved the same way.
// NOTE(review): the documented prototype takes ZeroBits by value (ULONG_PTR),
// not as a pointer. With this declaration, a caller that passes the address of
// a variable hands the kernel that address as the ZeroBits value. Confirm and
// correct the declaration together with its call site.
typedef NTSTATUS(WINAPI* PNtAllocateVirtualMemory)(
HANDLE ProcessHandle,
PVOID* BaseAddress,
PULONG ZeroBits,
PSIZE_T RegionSize,
ULONG AllocationType,
ULONG Protect
);
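// ==========================
// 4. Inline hook core (x64 byte sequences)
// ==========================
// Redirect the function at `apiname` to `apiname3` and hand back, through
// `apiname2`, a trampoline that reaches the original code.
//
//   apiname   address of the function to patch
//   apiname2  receives the trampoline address (untouched on failure)
//   apiname3  replacement function; must share apiname's signature and
//             calling convention
//
// Returns nothing. On any failure the target is left unmodified and
// *apiname2 is not written.
//
// Review caveats that this routine does not solve:
//  - The first 12 bytes of the target are copied verbatim. Nothing checks that
//    byte 12 falls on an instruction boundary or that the copied instructions
//    are position-independent (RIP-relative operands and short branches break
//    when moved). Verify the prologue of the specific build being patched.
//  - The 12-byte overwrite is not atomic. A thread executing inside the
//    prologue while it is rewritten can crash.
//  - The trampoline allocation is never released; this file has no unhook path.
static void apihook(void* apiname, void** apiname2, void* apiname3) {
    enum {
        PATCH_LEN = 12,       // mov rax, imm64 (10 bytes) + jmp rax (2 bytes)
        PROTECT_LEN = 16,     // span whose protection is changed on the target
        TRAMPOLINE_LEN = 128  // size requested for the trampoline allocation
    };

    if (!apiname || !apiname2 || !apiname3) return;
    // The opcodes written below are x64 machine code with 8-byte immediates.
    if (sizeof(void*) != 8) return;

    HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
    if (!hNtdll) return;
    PNtProtectVirtualMemory NtProtectVirtualMemory = (PNtProtectVirtualMemory)
        GetProcAddress(hNtdll, "NtProtectVirtualMemory");
    PNtAllocateVirtualMemory NtAllocateVirtualMemory = (PNtAllocateVirtualMemory)
        GetProcAddress(hNtdll, "NtAllocateVirtualMemory");
    if (!NtProtectVirtualMemory || !NtAllocateVirtualMemory) return;

    PBYTE target = (PBYTE)apiname;
    NTSTATUS status;

    // Build the trampoline first, so a failure here leaves the target untouched.
    // It is allocated writable but not executable and sealed to read+execute
    // below, so no page stays writable and executable at once.
    // ZeroBits: the native routine takes this argument by value (0 = no
    // constraint). This file's typedef spells it as a pointer, so a null
    // pointer is what carries the value 0 across the call.
    PVOID trampBase = NULL;
    SIZE_T trampSize = TRAMPOLINE_LEN;
    status = NtAllocateVirtualMemory(
        (HANDLE)-1, &trampBase, NULL, &trampSize,
        MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE
    );
    if (status != 0 || !trampBase) return;
    PBYTE tramp = (PBYTE)trampBase;

    // Trampoline layout: the displaced prologue bytes, then
    // `jmp qword ptr [rip+0]` followed by the 8-byte absolute address of the
    // first instruction that was NOT overwritten. Jumping to the hook here
    // instead would make every "call the original" re-enter the hook forever.
    memcpy(tramp, target, PATCH_LEN);
    tramp[12] = 0xFF; tramp[13] = 0x25;
    tramp[14] = 0x00; tramp[15] = 0x00;
    tramp[16] = 0x00; tramp[17] = 0x00;
    ULONG_PTR resumeAt = (ULONG_PTR)(target + PATCH_LEN);
    memcpy(tramp + 18, &resumeAt, sizeof resumeAt);

    // NtProtectVirtualMemory rewrites its base/size arguments with the
    // page-rounded region, so it is always given scratch copies. Passing
    // `apiname` itself would move the patch to the start of the page.
    PVOID sealBase = trampBase;
    SIZE_T sealSize = trampSize;
    ULONG trampOldProtect = 0;
    status = NtProtectVirtualMemory((HANDLE)-1, &sealBase, &sealSize,
                                    PAGE_EXECUTE_READ, &trampOldProtect);
    if (status != 0) {
        VirtualFree(trampBase, 0, MEM_RELEASE);
        return;
    }

    // The target page is code that other threads may be executing, so it has
    // to remain executable while the patch is written.
    PVOID patchBase = target;
    SIZE_T patchSize = PROTECT_LEN;
    ULONG oldProtect = 0;
    status = NtProtectVirtualMemory((HANDLE)-1, &patchBase, &patchSize,
                                    PAGE_EXECUTE_READWRITE, &oldProtect);
    if (status != 0) {
        VirtualFree(trampBase, 0, MEM_RELEASE);
        return;
    }

    // Publish the trampoline before the redirect goes live: once the first
    // patch byte lands, the hook may run and call through *apiname2.
    *apiname2 = tramp;

    // mov rax, <apiname3> ; jmp rax
    target[0] = 0x48; target[1] = 0xB8;
    memcpy(target + 2, &apiname3, sizeof apiname3);
    target[10] = 0xFF; target[11] = 0xE0;

    // Restore the original protection on the same page-rounded region that was
    // opened above, then flush so stale instruction bytes are not executed.
    ULONG ignoredProtect = 0;
    NtProtectVirtualMemory((HANDLE)-1, &patchBase, &patchSize,
                           oldProtect, &ignoredProtect);
    FlushInstructionCache(GetCurrentProcess(), target, PATCH_LEN);
}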
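// ==========================
// 5. DLL entry point
// ==========================
// Installs the CreateWindowExW hook when the DLL is attached to a process.
// Always returns TRUE, including when the hook could not be installed.
//
// DllMain needs external linkage. Declared `static`, it is invisible to the
// C runtime's DLL startup code, which then links its own default DllMain and
// never calls this one.
//
// This runs under the loader lock, so the work is limited to looking up an
// already-loaded module and patching memory. GetModuleHandleA does not load
// user32.dll; if it is not mapped yet, the hook is silently skipped.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    (void)hModule;
    (void)lpReserved;

    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH: {
        // Braces scope hUser32 to this case, so no other label jumps past its
        // initialisation.
        HMODULE hUser32 = GetModuleHandleA("user32.dll");
        if (hUser32) {
            // apihook() rejects a NULL target, so a failed GetProcAddress is harmless.
            apihook(
                (void*)GetProcAddress(hUser32, "CreateWindowExW"),
                (void**)&pCreateWindowExW,
                (void*)HCreateWindowExW
            );
        }
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
    default:
        // Nothing to do: the hook is never removed and no per-thread state exists.
        break;
    }
    return TRUE;
}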