HOOK IAT
2014-05-04 17:09
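// Turns an offset relative to the module base into a typed pointer.
// Despite the name, the input is the relative offset and the result is the
// absolute address inside the mapped image. No bounds check is performed, so
// the offset must come from headers that were already validated.
template <class T>
__forceinline T* VA2RVA(PVOID Base, ULONG_PTR Va)
{
    return (T*)((PCHAR)Base + Va);
}

// Returns the first import descriptor of a mapped image, or NULL when the
// image has no import directory. The DOS/NT signatures are not checked here;
// call IsVaildImage() first.
PIMAGE_IMPORT_DESCRIPTOR GetImageImportDescriptor(HMODULE hModule)
{
    IMAGE_DOS_HEADER *lpDosHeader = (IMAGE_DOS_HEADER*)hModule;
    IMAGE_NT_HEADERS *lpNtHeader = VA2RVA<IMAGE_NT_HEADERS>(hModule, lpDosHeader->e_lfanew);

    // Directory slots at or beyond NumberOfRvaAndSizes are not defined by the
    // image, so the import slot must not be read from a truncated directory.
    if (lpNtHeader->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_IMPORT)
    {
        return NULL;
    }

    DWORD dwImportRva = lpNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (dwImportRva == 0)
    {
        return NULL;
    }
    return VA2RVA<IMAGE_IMPORT_DESCRIPTOR>(hModule, dwImportRva);
}

// Checks that hModule points at a mapped PE image: non-NULL base, "MZ" DOS
// signature, and "PE\0\0" NT signature at e_lfanew.
BOOL IsVaildImage(HMODULE hModule)
{
    IMAGE_DOS_HEADER *lpDosHeader = (IMAGE_DOS_HEADER*)hModule;
    if (lpDosHeader == NULL || lpDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    {
        return FALSE;
    }

    // e_lfanew is a signed LONG; a zero or negative value would place the NT
    // headers at or before the image base.
    if (lpDosHeader->e_lfanew <= 0)
    {
        return FALSE;
    }

    IMAGE_NT_HEADERS *lpNtHeader = VA2RVA<IMAGE_NT_HEADERS>(hModule, lpDosHeader->e_lfanew);
    return (lpNtHeader->Signature == IMAGE_NT_SIGNATURE) ? TRUE : FALSE;
}

// Picks the writable page protection that leaves the execute bit of the
// current protection unchanged, so a data page is never made executable.
static DWORD IatWritableProtection(DWORD dwCurrent)
{
    const DWORD dwExecuteBits = PAGE_EXECUTE | PAGE_EXECUTE_READ |
                                PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY;
    return (dwCurrent & dwExecuteBits) ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE;
}

// Replaces the import address table slot of lpApiName (imported by name from
// lpModuleName) inside hModule with lpNewApiAddress.
//
//   hModule         - base of the mapped image whose import table is patched
//   lpModuleName    - imported DLL name, compared case-insensitively
//   lpApiName       - imported function name, compared case-sensitively;
//                     imports by ordinal are skipped
//   lpNewApiAddress - value written into the matching slot
//
// Returns the previous slot value of the last entry patched, or NULL when
// nothing was patched (bad arguments, invalid image, no match, or the page
// could not be made writable). Passing the returned value back as
// lpNewApiAddress restores the entry.
PVOID HookIAT(HMODULE hModule, LPCSTR lpModuleName, LPCSTR lpApiName, PVOID lpNewApiAddress)
{
    PVOID lpPrevAddress = NULL;

    // A NULL replacement would leave a slot that faults on the next call.
    if (lpModuleName == NULL || lpApiName == NULL || lpNewApiAddress == NULL)
    {
        return NULL;
    }
    if (!IsVaildImage(hModule))
    {
        return NULL;
    }

    PIMAGE_IMPORT_DESCRIPTOR lpImportDescriptor = GetImageImportDescriptor(hModule);
    if (lpImportDescriptor == NULL)
    {
        return NULL;
    }

    // The walk ends at the first descriptor whose Characteristics field
    // (a union with OriginalFirstThunk) is zero.
    for (; lpImportDescriptor->Characteristics; lpImportDescriptor++)
    {
        LPCSTR lpLibName = VA2RVA<CONST CHAR>(hModule, lpImportDescriptor->Name);
        if (lstrcmpiA(lpModuleName, lpLibName) != 0)
        {
            continue;
        }

        // OriginalFirstThunk holds the names, FirstThunk the bound addresses;
        // both arrays are indexed in parallel.
        PIMAGE_THUNK_DATA lpThunk = VA2RVA<IMAGE_THUNK_DATA>(hModule, lpImportDescriptor->OriginalFirstThunk);
        PVOID *lppProcTable = VA2RVA<PVOID>(hModule, lpImportDescriptor->FirstThunk);

        for (UINT i = 0; lpThunk[i].u1.Ordinal; i++)
        {
            if (lpThunk[i].u1.Ordinal & IMAGE_ORDINAL_FLAG)
            {
                continue;
            }

            PIMAGE_IMPORT_BY_NAME lpImportByName = VA2RVA<IMAGE_IMPORT_BY_NAME>(hModule, lpThunk[i].u1.AddressOfData);
            if (lstrcmpA((CHAR*)lpImportByName->Name, lpApiName) != 0)
            {
                continue;
            }

            PVOID *lpSlot = &lppProcTable[i];

            // Ask only for the access that is needed: keep the page's current
            // execute state instead of forcing PAGE_EXECUTE_READWRITE.
            MEMORY_BASIC_INFORMATION mbi;
            if (VirtualQuery(lpSlot, &mbi, sizeof(mbi)) == 0)
            {
                continue;
            }

            DWORD dwOldProtect = 0;
            if (!VirtualProtect(lpSlot, sizeof(PVOID), IatWritableProtection(mbi.Protect), &dwOldProtect))
            {
                // Writing to a page that stayed read-only would fault.
                continue;
            }

            // Atomic pointer swap, so a concurrent call through the slot never
            // observes a partially written address.
            lpPrevAddress = InterlockedExchangePointer(lpSlot, lpNewApiAddress);

            // Put the original protection back so the table does not stay
            // writable after the patch. The swap has already happened, so a
            // failure here is not reported to the caller.
            DWORD dwUnused = 0;
            VirtualProtect(lpSlot, sizeof(PVOID), dwOldProtect, &dwUnused);
        }
    }

    return lpPrevAddress;
}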