kumatti1 · September 28, 2015 02:54
diff --git a/Module1.bas b/Module1.bas
 Option Explicit
 Private Const PAGE_EXECUTE_READWRITE = &H40
 Private Declare Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" _
        (Destination As Long, Source As Long, ByVal Length As Long)
 Private Declare Function VirtualProtect Lib "kernel32" (lpAddress As Long, _
        ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
 Private Declare Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As Long
 Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, _
        ByVal lpProcName As String) As Long
 Private Declare Function DialogBoxParam Lib "user32" Alias "DialogBoxParamA" (ByVal hInstance As Long, _
        ByVal pTemplateName As Long, ByVal hWndParent As Long, _
        ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As Integer
 Private Declare PtrSafe Function MessageBox Lib "user32" Alias "MessageBoxW" (ByVal hwnd As LongPtr, ByVal lpText As LongPtr, ByVal lpCaption As LongPtr, ByVal wType As Long) As Long
 Dim HookBytes(0 To 5) As Byte
 Dim OriginBytes(0 To 5) As Byte
 Dim pFunc As Long
 Dim Flag As Boolean
 Public Sub RecoverBytes()
    MoveMemory ByVal pFunc, ByVal VarPtr(OriginBytes(0)), 6
 End Sub
 Public Function Hook() As Boolean
    Dim TmpBytes(0 To 5) As Byte
    Dim p As Long
    Dim OriginProtect As Long
    Hook = False
    Dim hdll&
    hdll = GetModuleHandleA("vbe7.dll")
    pFunc = GetProcAddress(hdll, "rtcMsgBox")
    If VirtualProtect(ByVal pFunc, 6, PAGE_EXECUTE_READWRITE, OriginProtect) <> 0 Then
        MoveMemory ByVal VarPtr(TmpBytes(0)), ByVal pFunc, 6
        If TmpBytes(0) <> &H68 Then
            MoveMemory ByVal VarPtr(OriginBytes(0)), ByVal pFunc, 6
            p = VBA.CLng(AddressOf Hookd)
            HookBytes(0) = &H68
            MoveMemory ByVal VarPtr(HookBytes(1)), ByVal VarPtr(p), 4
            HookBytes(5) = &HC3
            MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0)), 6
            Flag = True
            Hook = True
        End If
    End If
 End Function
 Private Function Hookd(a, ByVal b&, c, d, e) As Long
    Hookd = MessageBox(Application.hwnd, StrPtr(a), StrPtr(""), b)
 End Function
 Sub Main()
    Hook
    MsgBox ChrW(&H2113)
    RecoverBytes
 End Sub
	Option Explicit
	Private Const PAGE_EXECUTE_READWRITE = &H40
	Private Declare Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" _
	(Destination As Long, Source As Long, ByVal Length As Long)
	Private Declare Function VirtualProtect Lib "kernel32" (lpAddress As Long, _
	ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
	Private Declare Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As Long
	Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, _
	ByVal lpProcName As String) As Long
	Private Declare Function DialogBoxParam Lib "user32" Alias "DialogBoxParamA" (ByVal hInstance As Long, _
	ByVal pTemplateName As Long, ByVal hWndParent As Long, _
	ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As Integer
	Private Declare PtrSafe Function MessageBox Lib "user32" Alias "MessageBoxW" (ByVal hwnd As LongPtr, ByVal lpText As LongPtr, ByVal lpCaption As LongPtr, ByVal wType As Long) As Long
	Dim HookBytes(0 To 5) As Byte
	Dim OriginBytes(0 To 5) As Byte
	Dim pFunc As Long
	Dim Flag As Boolean
	Public Sub RecoverBytes()
	MoveMemory ByVal pFunc, ByVal VarPtr(OriginBytes(0)), 6
	End Sub
	Public Function Hook() As Boolean
	Dim TmpBytes(0 To 5) As Byte
	Dim p As Long
	Dim OriginProtect As Long
	Hook = False
	Dim hdll&
	hdll = GetModuleHandleA("vbe7.dll")
	pFunc = GetProcAddress(hdll, "rtcMsgBox")
	If VirtualProtect(ByVal pFunc, 6, PAGE_EXECUTE_READWRITE, OriginProtect) <> 0 Then
	MoveMemory ByVal VarPtr(TmpBytes(0)), ByVal pFunc, 6
	If TmpBytes(0) <> &H68 Then
	MoveMemory ByVal VarPtr(OriginBytes(0)), ByVal pFunc, 6
	p = VBA.CLng(AddressOf Hookd)
	HookBytes(0) = &H68
	MoveMemory ByVal VarPtr(HookBytes(1)), ByVal VarPtr(p), 4
	HookBytes(5) = &HC3
	MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0)), 6
	Flag = True
	Hook = True
	End If
	End If
	End Function
	Private Function Hookd(a, ByVal b&, c, d, e) As Long
	Hookd = MessageBox(Application.hwnd, StrPtr(a), StrPtr(""), b)
	End Function
	Sub Main()
	Hook
	MsgBox ChrW(&H2113)
	RecoverBytes
	End Sub