S.l.e!ep.￠%

__declspec(naked) test()
{

  _asm
  {
    ret
    jmp oldaddr
  }
}

DWORD * KernelCallbackTable = NULL;
_asm
{
     push eax
     mov eax,dword ptr fs:[0x18]
     mov eax,dword ptr ds:[eax+0x30]
     mov eax,dword ptr ds:[eax+0x2C]
     mov KernelCallbackTable, eax
     pop eax
}
DWORD old = 0;
if(VirtualProtect(&KernelCallbackTable[40], sizeof(PVOID),PAGE_EXECUTE_READWRITE, &old))
{
  oldaddr = KernelCallbackTable[40];
  KernelCallbackTable[40] = (DWORD)test;
}

前几天研究windows的消息机制时偶尔发现。
通过修改KernelCallbackTable内供ring3回调用ring0的函数分派表实现

-0------
HideTool就是这么做的，不过人家是在驱动实现的，在ntdll领空内找一个ret

另外，你这个硬编码40是从哪来的，好像不对，各平台上是不一样的。

--------

跟这个不一样吧，防全局钩子拦ClientLoadLibrary,XP下是66,不知道你的40是哪来的。。
查了下XPSP2的40是fnHkINDWORD，不知道你拦截了什么。也能拦键盘钩子？离奇了吧 呵呵

XP SP2的callback函数对照表

01       fnCOPYDATA
02       fnCOPYGLOBALDATA
03       fnDWORD
04       fnNCDESTROY
05       fnDWORDOPTINLPMSG
06       fnINOUTDRAG
07       fnGETTEXTLENGTHS
08       fnINCNTOUTSTRING
09       fnPOUTLPINT
10       fnINLPCOMPAREITEMSTRUCT
11       fnINLPCREATESTRUCT
12       fnINLPDELETEITEMSTRUCT
13       fnINLPDRAWITEMSTRUCT
14       fnINLPHLPSTRUCT
15       fnINLPHLPSTRUCT
16       fnINLPMDICREATESTRUCT
17       fnINOUTLPMEASUREITEMSTRUCT
18       fnINLPWINDOWPOS
19       fnINOUTLPPOINT5
20       fnINOUTLPSCROLLINFO
21       fnINOUTLPRECT
22       fnINOUTNCCALCSIZE
23       fnINOUTLPSCROLLINFO
24       fnINPAINTCLIPBRD
25       fnINSIZECLIPBRD
26       fnINDESTROYCLIPBRD
27       fnINSTRINGNULL
28       fnINSTRINGNULL
29       fnINDEVICECHANGE
30       fnINOUTNEXTMENU
31       fnLOGONNOTIFY
32       fnOPTOUTLPDWORDOPTOUTLPDWORD
33       fnOPTOUTLPDWORDOPTOUTLPDWORD
34       fnOUTDWORDINDWORD
35       fnOUTLPRECT
36       fnPOUTLPINT
37       fnINLPHLPSTRUCT
38       fnPOUTLPINT
39       fnSENTDDEMSG
40       fnINOUTSTYLECHANGE
41       fnHkINDWORD
42       fnHkINLPCBTACTIVATESTRUCT
43       fnHkINLPCBTCREATESTRUCT
44       fnHkINLPDEBUGHOOKSTRUCT
45       fnHkINLPMOUSEHOOKSTRUCTEX
46       fnHkINLPKBDLLHOOKSTRUCT
47       fnHkINLPMSLLHOOKSTRUCT
48       fnHkINLPMSG
49       fnHkINLPRECT
50       fnHkOPTINLPEVENTMSG
51       ClientCopyDDEIn1
52       ClientCopyDDEIn2
53       ClientCopyDDEOut1
54       ClientCopyDDEOut2
55       ClientCopyImage
56       ClientEventCallback
57       ClientFindMnemChar
58       ClientFontSweep
59       ClientFreeDDEHandle
60       ClientFreeLibrary
61       ClientGetCharsetInfo
62       ClientGetDDEFlags
63       ClientGetDDEHookData
64       ClientGetListboxString
65       ClientGetMessageMPH
66       ClientLoadImage
67       ClientLoadLibrary
68       ClientLoadMenu
69       ClientLoadLocalT1Fonts
70       ClientLoadRemoteT1Fonts
71       ClientPSMTextOut
72       ClientLpkDrawTextEx
73       ClientExtTextOutW
74       ClientGetTextExtentPointW
75       ClientCharToWchar
76       ClientAddFontResourceW
77       ClientThreadSetup
78       ClientDeliverUserApc
79       ClientNoMemoryPopup
80       ClientMonitorEnumProc
81       ClientCallWinEventProc
82       ClientWaitMessageExMPH
83       ClientWOWGetProcModule
84       ClientWOWTask16SchedNotify
85       ClientImmLoadLayout
86       ClientImmProcessKey
87       fnIMECONTROL
88       fnINWPARAMDBCSCHAR
89       fnGETTEXTLENGTHS
90       fnINLPKDRAWSWITCHWND
91       ClientLoadStringW
92       ClientLoadOLE
93       ClientRegisterDragDrop
94       ClientRevokeDragDrop
95       fnINOUTMENUGETOBJECT
96       ClientPrinterThunk
97       fnOUTLPCOMBOBOXINFO
98       fnOUTLPSCROLLBARINFO