
Hook API的实现(pe)

2009-06-26 11:18 387 查看
为了截获API调用,只要用自定义函数的地址覆盖掉调用模块导入地址表(IAT)中真实的API函数地址即可

导入表是PE文件格式的一部分

下面是挂钩MessageBoxA的例子,这个例子用自定义的函数MyMessageBoxA取代API函数中的MessageBoxA,使得主模块对MessageBoxA的调用变成对自定义函数MyMessageBoxA的调用!

下面是代码:

CWinApp theApp;                     // MFC application object required by AfxWinInit below
bool SetHook(HMODULE hMod);         // installs the IAT hook; defined at the end of the file
// Signature of MessageBoxA; used to call the saved original through g_orgProc.
typedef int (WINAPI *PFNMESSAGEBOX)(HWND, LPCSTR, LPCSTR, UINT uType);
// Address of the real MessageBoxA, captured before any hook is installed.
// SetHook compares IAT entries against this value and MyMessageBoxA forwards to it.
// NOTE(review): neither LoadLibrary nor GetProcAddress is checked here; if either
// fails g_orgProc is NULL and SetHook's comparison can never match.
PROC g_orgProc = (PROC)GetProcAddress(LoadLibrary("user32.dll"), "MessageBoxA");
using namespace std;

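// Program entry point (MFC console application).
// Initializes MFC, shows MessageBoxA once through the untouched import, installs
// the IAT hook for this module and shows it again so that the second call is
// routed to MyMessageBoxA.
// Returns 0 on success, 1 when MFC initialization fails.
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
    int nRetCode = 0;

    // initialize MFC and print an error on failure
    if (!AfxWinInit(::GetModuleHandle(NULL), NULL, ::GetCommandLine(), 0))
    {
        // TODO: change error code to suit your needs
        // NOTE(review): in a Unicode build _T() yields a wchar_t*, which cerr prints as a pointer.
        cerr << _T("Fatal Error: MFC initialization failed") << endl;
        nRetCode = 1;
    }
    else
    {
        // TODO: code your application's behavior here.
        CString strHello;
        strHello.LoadString(IDS_HELLO);
        cout << (LPCTSTR)strHello << endl;
    }

    // First call goes through the original IAT entry.
    ::MessageBox(NULL, "原函数", "09HookDemo", 0);

    // Do not drop SetHook's result: a module that does not import
    // user32!MessageBoxA, or a failed VirtualProtect, would otherwise be
    // indistinguishable from a hook that took effect.
    if (!SetHook(::GetModuleHandle(NULL)))
    {
        cerr << _T("SetHook failed: MessageBoxA import was not patched") << endl;
    }

    // Second call reaches MyMessageBoxA only if the IAT slot was rewritten.
    ::MessageBox(NULL, "原函数", "09HookDemo", 0);
    return nRetCode;
}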
// Replacement for MessageBoxA that SetHook installs in this module's IAT.
// Forwards to the original MessageBoxA saved in g_orgProc, keeping the
// caller's hWnd but substituting its own text, caption and style; the demo
// deliberately ignores lpText, lpCaption and uType so the redirection is visible.
int WINAPI MyMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
    (void)lpText;
    (void)lpCaption;
    (void)uType;

    PFNMESSAGEBOX pfnOriginal = (PFNMESSAGEBOX)g_orgProc;
    return pfnOriginal(hWnd, "新函数", "09HookDemo", 0);
}
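// Locates the import descriptor for pszDllName in the import directory of the
// image mapped at hMod. Returns NULL when the headers do not look like a PE
// image, the image has no import directory, or it does not import that DLL.
// Assumes hMod is the base of an image already mapped by the loader, so an
// RVA becomes a pointer by adding it to hMod.
static IMAGE_IMPORT_DESCRIPTOR *FindImportDescriptor(HMODULE hMod, const char *pszDllName)
{
    BYTE *pBase = (BYTE *)hMod;

    IMAGE_DOS_HEADER *pDosHeader = (IMAGE_DOS_HEADER *)pBase;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return NULL;

    // e_lfanew is the offset of the NT headers. Going through IMAGE_NT_HEADERS
    // replaces the hand-computed "+24" (4-byte signature + 20-byte file header)
    // with a named member access.
    IMAGE_NT_HEADERS *pNtHeaders = (IMAGE_NT_HEADERS *)(pBase + pDosHeader->e_lfanew);
    if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
        return NULL;

    const IMAGE_DATA_DIRECTORY &importDir =
        pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (importDir.VirtualAddress == 0)
        return NULL;    // no import directory: walking from pBase would read the DOS header as descriptors

    IMAGE_IMPORT_DESCRIPTOR *pImportDesc = (IMAGE_IMPORT_DESCRIPTOR *)(pBase + importDir.VirtualAddress);
    // The descriptor array is terminated by an all-zero entry.
    for (; pImportDesc->FirstThunk != 0; ++pImportDesc)
    {
        const char *pszName = (const char *)(pBase + pImportDesc->Name);
        if (_stricmp(pszName, pszDllName) == 0)
            return pImportDesc;
    }
    return NULL;
}

// Overwrites one IAT slot with newProc, making the containing page writable
// for the duration of the store and restoring the previous protection after.
// Returns false if either VirtualProtect call fails; when only the restore
// fails the slot has already been rewritten but the page is left writable.
static bool PatchImportSlot(ULONG_PTR *lpSlot, ULONG_PTR newProc)
{
    DWORD dwOldProtect = 0;
    if (!::VirtualProtect(lpSlot, sizeof(*lpSlot), PAGE_READWRITE, &dwOldProtect))
        return false;

    *lpSlot = newProc;

    // VirtualProtect requires a valid lpflOldProtect; passing NULL makes the
    // restore fail and would leave the IAT page writable.
    DWORD dwIgnored = 0;
    return ::VirtualProtect(lpSlot, sizeof(*lpSlot), dwOldProtect, &dwIgnored) != FALSE;
}

// Redirects the module at hMod from user32!MessageBoxA (the address saved in
// g_orgProc) to MyMessageBoxA by rewriting the matching slot of that module's
// import address table.
//
// Returns true when the slot was found and patched. Returns false when the
// image headers are not recognised, the module does not import user32.dll,
// no IAT entry equals g_orgProc (for example if g_orgProc is NULL or the entry
// already holds another address), or the page-protection calls fail.
//
// Scope: only this one module's IAT in the current process changes. Calls
// made through GetProcAddress or from other modules are unaffected, and the
// patched slot no longer equals the address exported by user32.dll, which is
// what an IAT integrity check compares against.
bool SetHook(HMODULE hMod)
{
    IMAGE_IMPORT_DESCRIPTOR *pImportDesc = FindImportDescriptor(hMod, "user32.dll");
    if (pImportDesc == NULL)
        return false;

    // FirstThunk points at the IAT; after loading, each entry holds the
    // resolved function address. ULONG_PTR keeps the slot width correct on
    // both Win32 and x64, where IMAGE_THUNK_DATA::u1.Function is 64 bits.
    IMAGE_THUNK_DATA *pThunk = (IMAGE_THUNK_DATA *)((BYTE *)hMod + pImportDesc->FirstThunk);
    for (; pThunk->u1.Function != 0; ++pThunk)
    {
        ULONG_PTR *lpSlot = (ULONG_PTR *)&pThunk->u1.Function;
        if (*lpSlot == (ULONG_PTR)g_orgProc)
            return PatchImportSlot(lpSlot, (ULONG_PTR)MyMessageBoxA);
    }
    return false;
}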