我一直试图弄清楚DirectInput8挂钩项目中一个参数的用途。我在这里生成opensource代码的一部分。为了简洁起见,我只发布了一些功能。
ULONG oldCreateDevice;
HRESULT WINAPI xCreateDevice(DWORD d1, DWORD d2, DWORD d3, DWORD d4)
{
HRESULT hr = ((HRESULT(WINAPI*)(DWORD,DWORD,DWORD,DWORD))oldCreateDevice)(d1,d2,d3,d4);
// hook only if keyboard requested
if(*(DWORD*)d2 != GUID_SysKeyboard)
return hr;
DWORD dwKeybTable = *(DWORD*)(*(DWORD*)d3);
DWORD oldprot;
VirtualProtect((LPVOID)dwKeybTable, 0x2C, PAGE_EXECUTE_READWRITE, &oldprot);
// already hooked?
if((DWORD)xGetDeviceState == *((DWORD*)(dwKeybTable+0x24))) goto ex1;
// hook it!
oldGetDeviceState = *((DWORD*)(dwKeybTable+0x24));
*((DWORD*)(dwKeybTable+0x24)) = (DWORD)xGetDeviceState;
ex1:
// already hooked?
if((DWORD)xGetDeviceData == *((DWORD*)(dwKeybTable+0x28))) goto ex2;
// hook it!
oldGetDeviceData = *((DWORD*)(dwKeybTable+0x28));
*((DWORD*)(dwKeybTable+0x28)) = (DWORD)xGetDeviceData;
ex2:
return hr;
}
ULONG oldDirectInput8Create;
HRESULT WINAPI xDirectInput8Create(HINSTANCE hinst, DWORD dwVersion, REFIID riidltf, VOID **ppvOut, LPUNKNOWN punkOuter)
{
HRESULT ret = ((HRESULT(WINAPI*)(HINSTANCE,DWORD,REFIID,VOID**,LPUNKNOWN))oldDirectInput8Create)(hinst,dwVersion,riidltf,ppvOut,punkOuter);
DWORD dwFuncTable = (DWORD)*((DWORD*)*ppvOut);
DWORD oldprot;
VirtualProtect((LPVOID)dwFuncTable, 0x10, PAGE_EXECUTE_READWRITE, &oldprot);
//already hooked?
if((DWORD)xCreateDevice == *((DWORD*)(dwFuncTable + 0x0C))) goto ex;
//hook it
oldCreateDevice = *((DWORD*)(dwFuncTable + 0x0C));
*((DWORD*)(dwFuncTable + 0x0C)) = (DWORD)xCreateDevice;
ex:
return ret;
}
DWORD WINAPI RemoteMain(LPVOID lpParam)
{
LoadLibrary("user32.dll");
LoadLibrary("advapi32.dll");
Splice_Init();
Splice((ULONG)GetProcAddress(LoadLibrary("dinput8.dll"),"DirectInput8Create"), xDirectInput8Create, &oldDirectInput8Create);
ThreadControl(FALSE); // resume all
return 0;
}
您可能会注意到代码正在用重定向(挂钩)替换函数。我的问题是xCreateDevice函数中的第一个参数 对于DirectInput8,CreateDevice函数根据我理解的文档占用3个参数。但我不确定为什么这里使用了4个参数。它是否指向原始" oldCreateDevice"?还是别的什么?
我希望有人可以指导我。感谢