Ring3 IAT Hook例子
2011-12-14 22:28
776 查看
Ring3 IAT Hook例子
#include <windows.h> #include <stdio.h> #include <tchar.h> #define UNICODE #define _UNICODE PIMAGE_DOS_HEADER pDosHeader; PIMAGE_NT_HEADERS pNTHeaders; PIMAGE_OPTIONAL_HEADER pOptHeader; PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor; PIMAGE_THUNK_DATA pThunkData; PIMAGE_IMPORT_BY_NAME pImportByName; HMODULE hMod; int * addr = (int *)MessageBoxA; //保存函数的入口地址 // 定义MessageBoxA函数原型 typedef int (WINAPI *PFNMESSAGEBOX)(HWND, LPCSTR, LPCSTR, UINT uType); int WINAPI MessageBoxProxy(IN HWND hWnd, IN LPCSTR lpText, IN LPCSTR lpCaption, IN UINT uType); int * myaddr = (int *)MessageBoxProxy; int main() { //OutputDebugString(_T("start !")); //MessageBoxA(NULL, "原函数", "09HookDemo", 0); //-------------HOOK部分 hMod = GetModuleHandle(NULL); pDosHeader = (PIMAGE_DOS_HEADER)hMod; pNTHeaders = (PIMAGE_NT_HEADERS)((BYTE *)hMod + pDosHeader->e_lfanew); pOptHeader = (PIMAGE_OPTIONAL_HEADER)&(pNTHeaders->OptionalHeader); pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((BYTE *)hMod + pOptHeader->DataDirectory[1].VirtualAddress); while(pImportDescriptor->FirstThunk) { char * dllname = (char *)((BYTE *)hMod + pImportDescriptor->Name); printf("函数模块:%s\n",dllname); pThunkData = (PIMAGE_THUNK_DATA)((BYTE *)hMod + pImportDescriptor->OriginalFirstThunk); int no = 1; while(pThunkData->u1.Function) { char * funname = (char *)((BYTE *)hMod + (DWORD)pThunkData->u1.AddressOfData + 2); PDWORD lpAddr = (DWORD *)((BYTE *)hMod + (DWORD)pImportDescriptor->FirstThunk) +(no-1); //printf("%4d: ",no); //printf("%30s",funname); //printf("%8x\n",lpAddr); //printf("%8x\n",*lpAddr); //修改内存的部分 if((*lpAddr) == (int)addr) { //修改内存页的属性 DWORD dwOLD; MEMORY_BASIC_INFORMATION mbi; VirtualQuery(lpAddr,&mbi,sizeof(mbi)); VirtualProtect(lpAddr,sizeof(DWORD),PAGE_READWRITE,&dwOLD); //写内存 WriteProcessMemory(GetCurrentProcess(), lpAddr, &myaddr, sizeof(DWORD), NULL); //恢复内存页的属性 VirtualProtect(lpAddr,sizeof(DWORD),dwOLD,0); } //--------- no++; pThunkData++; } pImportDescriptor++; } //用于测试的API函数 MessageBoxA(NULL, "原函数", "09HookDemo", 0); getchar(); return 0; } int WINAPI MessageBoxProxy(IN HWND hWnd, IN LPCSTR lpText, IN LPCSTR lpCaption, IN UINT uType) { return ((PFNMESSAGEBOX)addr)(NULL, "Gxter", "Gxter", 0); //用地址调用一个API函数 }
相关文章推荐
- 修改导入表HOOK API(ring3_iat_exe_hook_Messagebox)
- ring3 inline hook例子
- HOOK IAT RING3
- 修改导入表HOOK API(ring3_iat_exe_hook_Messagebox)<转>
- IAT HOOK RING3
- 我的学习笔记之二——修改导入表HOOK API(ring3_iat_exe_hook_Messagebox)
- Windows平台Ring3下DLL注入(HOOK)方法整理汇总
- HOOK编程例子
- VC6.0 DLL调用与创建的例子(HOOK)
- IAT HOOK
- hook iat 简单示例
- HOOK IAT
- 抛砖引玉 - hook的小例子
- Ring3下Hook API实现分析
- API拦截——实现Ring3全局HOOK
- SSDT_Helper for Delphi v1(Ring3下查看SSDT HOOK的Delphi版)
- ring3 hook ZwWriteVirtualMemory
- hook iat改变Messagebox
- IAT随便HOOK+反检测方法
- hook钩子例子