EAT Hook
2009-10-30 19:44
EAT Hook
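/*
 * EAT hook demo: the process replaces the MessageBoxA entry in the export
 * address table (EAT) of its own copy of user32.dll, then resolves the
 * export again through GetProcAddress and calls it.
 *
 * Only lookups made after the patch (GetProcAddress on this module) see the
 * replacement; the EAT of other processes and the file on disk are untouched.
 * A patched entry is recognisable because its RVA resolves to an address
 * outside the image range of the module that owns the table, which is what
 * an export-table integrity check compares against.
 */
typedef int (__stdcall *pfnMessageBoxA)(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);

/* Original MessageBoxA entry point, returned by HookEAT and stored by _tmain. */
pfnMessageBoxA OldMessageBoxA = NULL;

LPVOID HookEAT(HMODULE hMod, char *szApiName, LPVOID lpHookRoutine);
int __stdcall HookMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);

/*
 * Demo driver: patch the export entry, look the export up again and call it.
 * Always returns 0; failures are reported on stdout.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    /* Declared up front so that no goto jumps over an initialisation. */
    pfnMessageBoxA MsgBox = NULL;
    HMODULE hUser32 = LoadLibraryA("user32.dll");

    (void)argc;
    (void)argv;

    /* HookEAT reads the PE headers through this handle, so it must be valid. */
    if ( !hUser32 )
    {
        printf("Load user32.dll failed. ");
        goto done;
    }

    OldMessageBoxA = (pfnMessageBoxA)HookEAT(hUser32, "MessageBoxA", (LPVOID)HookMessageBoxA);
    if ( !OldMessageBoxA )
    {
        printf("Hook EAT failed. ");
        goto done;
    }

    /* This lookup walks the patched table, so it yields HookMessageBoxA. */
    MsgBox = (pfnMessageBoxA)GetProcAddress(hUser32, "MessageBoxA");
    if ( !MsgBox )
    {
        printf("Get MessageBoxA failed. ");
        goto done;
    }

    MsgBox(0, "Hello", "Hello", 0);

done:
    system("pause");
    return 0;
}

/*
 * Replace the export-address-table entry of a named export in a module that
 * is loaded in the current process.
 *
 * hMod          - base address of the loaded module (its HMODULE).
 * szApiName     - export name, compared case-insensitively.
 * lpHookRoutine - address the export entry should resolve to afterwards.
 *
 * Returns the address the export resolved to before the change, or NULL when
 * the headers are not a PE image, the module has no export directory, the
 * name is not found, the entry is a forwarder, the new RVA cannot be stored
 * in 32 bits, or the table page cannot be made writable.
 */
LPVOID HookEAT(HMODULE hMod, char *szApiName, LPVOID lpHookRoutine)
{
    BYTE *pBase = (BYTE *)hMod;
    PIMAGE_DOS_HEADER pDosHdr;
    PIMAGE_NT_HEADERS pNtHdr;
    PIMAGE_DATA_DIRECTORY pDataDir;
    PIMAGE_EXPORT_DIRECTORY pExpDir;
    WORD *pwOrds;
    DWORD *pdwRvas;
    DWORD *pdwNames;
    DWORD i;
    DWORD j;

    if ( !hMod || !szApiName || !lpHookRoutine )
        return NULL;

    /* Refuse to walk anything that does not carry the PE signatures. */
    pDosHdr = (PIMAGE_DOS_HEADER)pBase;
    if ( pDosHdr->e_magic != IMAGE_DOS_SIGNATURE )
        return NULL;

    pNtHdr = (PIMAGE_NT_HEADERS)(pBase + pDosHdr->e_lfanew);
    if ( pNtHdr->Signature != IMAGE_NT_SIGNATURE )
        return NULL;

    /* A module without exports has a zero export data directory. */
    pDataDir = &pNtHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if ( !pDataDir->VirtualAddress || !pDataDir->Size )
        return NULL;

    pExpDir  = (PIMAGE_EXPORT_DIRECTORY)(pBase + pDataDir->VirtualAddress);
    pwOrds   = (WORD *)(pBase + pExpDir->AddressOfNameOrdinals);
    pdwRvas  = (DWORD *)(pBase + pExpDir->AddressOfFunctions);
    pdwNames = (DWORD *)(pBase + pExpDir->AddressOfNames);

    for ( i = 0; i < pExpDir->NumberOfFunctions; i++ )
    {
        char *pszApiName = NULL;
        DWORD dwRva = pdwRvas[i];
        DWORD dwOldProtect = 0;
        DWORD dwIgnored = 0;
        ULONG_PTR ulDelta;
        LPVOID lpOldAddr;

        if ( !dwRva )
            continue;

        /* Map function index i back to its name through the ordinal table. */
        for ( j = 0; j < pExpDir->NumberOfNames; j++ )
        {
            if ( pwOrds[j] == i )
            {
                pszApiName = (char *)(pBase + pdwNames[j]);
                break;
            }
        }

        /* Ordinal-only exports have no name; never hand NULL to _stricmp. */
        if ( !pszApiName || _stricmp(szApiName, pszApiName) != 0 )
            continue;

        /* An RVA inside the export directory is a forwarder string, not code. */
        if ( dwRva >= pDataDir->VirtualAddress &&
             dwRva <  pDataDir->VirtualAddress + pDataDir->Size )
            return NULL;

        lpOldAddr = (LPVOID)(pBase + dwRva);
        printf("Hook EAT : %s.0x%p. ", pszApiName, lpOldAddr);

        /*
         * The table stores 32-bit RVAs relative to hMod. In a 32-bit process
         * the subtraction wraps and always fits; in a 64-bit process a target
         * that is not within 4 GB above the module base cannot be encoded.
         */
        ulDelta = (ULONG_PTR)lpHookRoutine - (ULONG_PTR)pBase;
        if ( (ULONG_PTR)(DWORD)ulDelta != ulDelta )
            return NULL;
        printf("Delta : 0x%08X. \n", (DWORD)ulDelta);

        /* The export table is read-only; do not write unless the change took. */
        if ( !VirtualProtectEx(GetCurrentProcess(), &pdwRvas[i], sizeof(DWORD),
                               PAGE_READWRITE, &dwOldProtect) )
            return NULL;

        pdwRvas[i] = (DWORD)ulDelta;

        /* Put the original page protection back once the entry is written. */
        VirtualProtectEx(GetCurrentProcess(), &pdwRvas[i], sizeof(DWORD),
                         dwOldProtect, &dwIgnored);

        return lpOldAddr;
    }

    return NULL;
}

/*
 * Replacement for MessageBoxA: forwards to the saved original entry point
 * with the caption replaced by a fixed string.
 */
int __stdcall HookMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
    (void)lpCaption;
    return OldMessageBoxA(hWnd, lpText, "EAT Hook Demo", uType);
}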