Hook API的实现(pe)
2009-06-26 11:18
为了截获API调用,只要用自定义函数的地址覆盖掉主模块导入表(IAT)中真实的API函数地址即可
导入表属于PE的知识
下面是挂钩MessageBoxA的例子,这个例子用自定义的函数MyMessageBoxA取代导入表中的MessageBoxA地址,使得主模块对MessageBoxA的调用变成对自定义函数MyMessageBoxA的调用!
下面是代码:
导入表属于PE的知识
下面是挂钩MessageBoxA的例子,这个例子用自定义的函数MyMessageBoxA取代导入表中的MessageBoxA地址,使得主模块对MessageBoxA的调用变成对自定义函数MyMessageBoxA的调用!
下面是代码:
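CWinApp theApp;

bool SetHook(HMODULE hMod);

// Signature of MessageBoxA; used to call the saved original through g_orgProc.
typedef int (WINAPI *PFNMESSAGEBOX)(HWND, LPCSTR, LPCSTR, UINT uType);

// Address of the real MessageBoxA, resolved once during static initialization.
// SetHook compares each IAT slot of user32.dll against this value.
PROC g_orgProc = (PROC)GetProcAddress(LoadLibrary("user32.dll"), "MessageBoxA");

using namespace std;

int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
    int nRetCode = 0;

    // initialize MFC and print and error on failure
    if (!AfxWinInit(::GetModuleHandle(NULL), NULL, ::GetCommandLine(), 0))
    {
        // TODO: change error code to suit your needs
        cerr << _T("Fatal Error: MFC initialization failed") << endl;
        nRetCode = 1;
    }
    else
    {
        // TODO: code your application's behavior here.
        CString strHello;
        strHello.LoadString(IDS_HELLO);
        cout << (LPCTSTR)strHello << endl;
    }

    // The first call reaches the real MessageBoxA. After SetHook has replaced
    // the main module's IAT slot, the identical call lands in MyMessageBoxA.
    ::MessageBox(NULL, "原函数", "09HookDemo", 0);
    if (!SetHook(::GetModuleHandle(NULL)))
    {
        // Previously the result was ignored and the second box silently showed the original text.
        cerr << _T("SetHook failed: MessageBoxA slot not found or not writable") << endl;
    }
    ::MessageBox(NULL, "原函数", "09HookDemo", 0);

    return nRetCode;
}

// Replacement for MessageBoxA. Ignores the caller's text/caption and forwards a
// fixed message to the real function saved in g_orgProc.
int WINAPI MyMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
    return ((PFNMESSAGEBOX)g_orgProc)(hWnd, "新函数", "09HookDemo", 0);
}

// Redirects the MessageBoxA import of module hMod to MyMessageBoxA by patching
// the IAT entry that currently holds g_orgProc.
//
// hMod    base address of the module whose import table is patched (NULL is rejected).
// returns true when the slot was found and overwritten, false otherwise
//         (bad headers, no import table, user32.dll not imported, slot not
//         present, or the page could not be made writable).
//
// NOTE: this demo assumes a 32-bit image, where u1.Function is a DWORD-sized slot.
bool SetHook(HMODULE hMod)
{
    if (hMod == NULL)
    {
        return false;
    }

    IMAGE_DOS_HEADER *pDosHeader = (IMAGE_DOS_HEADER *)hMod;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    {
        return false;
    }

    // IMAGE_NT_HEADERS starts at e_lfanew; using the struct replaces the former
    // literal "+ 24" (Signature + IMAGE_FILE_HEADER) for the optional header.
    IMAGE_NT_HEADERS *pNtHeaders = (IMAGE_NT_HEADERS *)((BYTE *)hMod + pDosHeader->e_lfanew);
    if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
    {
        return false;
    }

    IMAGE_DATA_DIRECTORY *pImportDir = &pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (pImportDir->VirtualAddress == 0)
    {
        return false;   // module has no import table
    }

    IMAGE_IMPORT_DESCRIPTOR *pImportDesc = (IMAGE_IMPORT_DESCRIPTOR *)((BYTE *)hMod + pImportDir->VirtualAddress);

    // Find the descriptor for user32.dll; the array ends with an all-zero entry.
    bool bFound = false;
    for (; pImportDesc->FirstThunk; pImportDesc++)
    {
        char *pszDllName = (char *)((BYTE *)hMod + pImportDesc->Name);
        if (_stricmp(pszDllName, "user32.dll") == 0)
        {
            bFound = true;
            break;
        }
    }
    if (!bFound)
    {
        return false;
    }

    // Walk the IAT (FirstThunk) of user32.dll for the slot holding the real MessageBoxA.
    IMAGE_THUNK_DATA *pThunk = (IMAGE_THUNK_DATA *)((BYTE *)hMod + pImportDesc->FirstThunk);
    for (; pThunk->u1.Function; pThunk++)
    {
        DWORD *lpAddr = (DWORD *)&pThunk->u1.Function;
        if (*lpAddr != (DWORD)g_orgProc)
        {
            continue;
        }

        DWORD dwNewProc = (DWORD)MyMessageBoxA;
        DWORD dwOldProtect = 0;

        // The IAT page is read-only once the loader is done; make it writable first
        // and give up (without writing) if that is refused.
        if (!::VirtualProtect(lpAddr, sizeof(DWORD), PAGE_READWRITE, &dwOldProtect))
        {
            return false;
        }

        BOOL bWritten = ::WriteProcessMemory(GetCurrentProcess(), lpAddr, &dwNewProc, sizeof(dwNewProc), NULL);
        //*lpAddr = dwNewProc;

        // Restore the original protection. The last argument must be a valid
        // pointer: with NULL, VirtualProtect fails and the page stays writable.
        DWORD dwDummy = 0;
        ::VirtualProtect(lpAddr, sizeof(DWORD), dwOldProtect, &dwDummy);

        return bWritten != FALSE;
    }

    return false;
}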