IAT Hook示例
2017-03-01 08:38
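#include "stdafx.h"
// IAT hook sample, implemented inside a DLL that gets loaded into the target.
//
// OnIATHook() rewrites one slot of the host EXE's import address table so
// that szDllName!szFunName resolves to a replacement; MyMessageBox() is that
// replacement for user32!MessageBoxW, and DllMain() installs/removes it.
//
// Limitations a reader should understand before relying on this technique:
//  * Only the main EXE module's IAT is patched (GetModuleHandle(NULL)).
//    Other loaded DLLs that import the same function are untouched.
//  * Calls resolved through GetProcAddress, delay-load imports, or any
//    hand-built function table never go through the IAT and are not hooked.
//  * Import descriptors without an OriginalFirstThunk ("single bridge"
//    tables) are rejected, because the function names cannot be located.
//  * Addresses travel in DWORD, so this sample is 32-bit (x86) only.

typedef int (WINAPI *MESSAGEBOXW)(
    _In_opt_ HWND hWnd,
    _In_opt_ LPCWSTR lpText,
    _In_opt_ LPCWSTR lpCaption,
    _In_ UINT uType);

// Original MessageBoxW target saved by OnIATHook; stays NULL until the hook
// has landed, so the replacement must check it before forwarding.
MESSAGEBOXW g_MessageBox = NULL;

// Replacement for MessageBoxW: overrides text and caption, forces uType to 0
// (plain OK box) and forwards to the saved original so a dialog still shows.
int WINAPI MyMessageBox(
    _In_opt_ HWND hWnd,
    _In_opt_ LPCWSTR lpText,
    _In_opt_ LPCWSTR lpCaption,
    _In_ UINT uType)
{
    (void)uType; // deliberately discarded by the demo
    lpText = L"IATHook成功";
    lpCaption = L"哈哈";

    // The original sample never stored the old target, so this pointer was
    // NULL and the call below would have faulted. Fail closed instead.
    if (g_MessageBox == NULL) {
        return 0;
    }
    return g_MessageBox(hWnd, lpText, lpCaption, 0);
}

//************************************
// Function:      OnIATHook
// Purpose:       Patch the host EXE's IAT so that szDllName!szFunName
//                resolves to NewFunAddress. Only the EXE's table is touched.
// szDllName:     DLL name as written in the import descriptor (compared
//                case-insensitively).
// szFunName:     function name as imported by name (case-insensitive);
//                ordinal-only imports cannot be matched.
// NewFunAddress: value written into the IAT slot.
// OldFunAddress: if non-NULL, receives the previous slot contents (the real
//                target) so the hook can forward to it.
// Returns:       true when the slot was found and rewritten; false when the
//                image headers look wrong, the DLL or function is not
//                imported by name, the descriptor has no name table, or
//                VirtualProtect refuses to make the slot writable.
//************************************
bool OnIATHook(const char *szDllName, const char *szFunName,
               DWORD NewFunAddress, DWORD *OldFunAddress)
{
    OutputDebugStringA("开始进行IAThook");

    if (szDllName == NULL || szFunName == NULL) {
        return false;
    }

    // 1. Base address of the EXE, the module whose IAT we patch.
    PBYTE pBuf = (PBYTE)GetModuleHandle(NULL);
    if (pBuf == NULL) {
        return false;
    }

    // 2. DOS header -> NT headers -> import directory. Validate the two
    //    signatures before trusting any RVA taken from the headers.
    PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)pBuf;
    if (pDos->e_magic != IMAGE_DOS_SIGNATURE) {
        return false;
    }
    PIMAGE_NT_HEADERS pNt = (PIMAGE_NT_HEADERS)(pBuf + pDos->e_lfanew);
    if (pNt->Signature != IMAGE_NT_SIGNATURE) {
        return false;
    }
    PIMAGE_DATA_DIRECTORY pImportDir =
        &pNt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (pImportDir->VirtualAddress == 0 || pImportDir->Size == 0) {
        // Nothing is imported; without this check pBuf + 0 (the DOS header)
        // would be walked as if it were an import descriptor array.
        return false;
    }
    PIMAGE_IMPORT_DESCRIPTOR pImport =
        (PIMAGE_IMPORT_DESCRIPTOR)(pBuf + pImportDir->VirtualAddress);

    // 3. Locate the descriptor for the requested DLL.
    for (; pImport->Name != 0; pImport++) {
        const char *szImportDllName = (const char *)(pBuf + pImport->Name);
        OutputDebugStringA(szImportDllName);
        if (_stricmp(szImportDllName, szDllName) != 0) {
            continue;
        }
        OutputDebugStringA("开始寻找函数名");

        // 4. Names are in the import name table (OriginalFirstThunk) and the
        //    resolved addresses in the IAT (FirstThunk); both arrays share
        //    the same index. Without a name table the lookup is impossible.
        if (pImport->OriginalFirstThunk == 0) {
            return false;
        }
        PIMAGE_THUNK_DATA pInt =
            (PIMAGE_THUNK_DATA)(pBuf + pImport->OriginalFirstThunk);
        PDWORD pIat = (PDWORD)(pBuf + pImport->FirstThunk);

        for (size_t nLoc = 0; pInt[nLoc].u1.AddressOfData != 0; nLoc++) {
            // Ordinal imports carry no name. The original test
            // `(Ordinal & 0x80000000) != 1` was always true, so an ordinal
            // would have been dereferenced as an RVA.
            if (IMAGE_SNAP_BY_ORDINAL(pInt[nLoc].u1.Ordinal)) {
                continue;
            }
            PIMAGE_IMPORT_BY_NAME pName =
                (PIMAGE_IMPORT_BY_NAME)(pBuf + pInt[nLoc].u1.AddressOfData);
            OutputDebugStringA(pName->Name);
            if (_stricmp(pName->Name, szFunName) != 0) {
                continue;
            }

            // 5. Rewrite the slot. Save the old target first (the forwarding
            //    stub depends on it), then temporarily make the page writable.
            OutputDebugStringA("开始修改");
            if (OldFunAddress != NULL) {
                *OldFunAddress = pIat[nLoc];
            }
            DWORD OldProtect = 0;
            if (!VirtualProtect(&pIat[nLoc], sizeof(pIat[nLoc]),
                                PAGE_READWRITE, &OldProtect)) {
                return false;
            }
            pIat[nLoc] = NewFunAddress;
            // Best-effort restore of the previous protection; a failure
            // here leaves the slot patched and is not actionable.
            VirtualProtect(&pIat[nLoc], sizeof(pIat[nLoc]),
                           OldProtect, &OldProtect);
            OutputDebugStringA("修改完毕");
            return true;
        }
        return false; // DLL is imported, but not this function by name
    }
    return false;
}

// DLL entry point. On attach it hooks the host EXE's MessageBoxW; on a
// FreeLibrary-driven detach it restores the original slot, because an IAT
// entry still pointing into an unmapped DLL crashes the host on the next
// MessageBoxW call. Work here runs under the loader lock, so keep it short.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        if (OnIATHook("user32.dll", "MessageBoxW",
                      (DWORD)MyMessageBox, (DWORD *)&g_MessageBox)) {
            OutputDebugStringA("Hook成功");
        } else {
            OutputDebugStringA("Hook失败");
        }
        break;
    case DLL_PROCESS_DETACH:
        // lpReserved is NULL for FreeLibrary and non-NULL at process exit;
        // only the former leaves a live process that needs the slot restored.
        if (lpReserved == NULL && g_MessageBox != NULL) {
            OnIATHook("user32.dll", "MessageBoxW", (DWORD)g_MessageBox, NULL);
            g_MessageBox = NULL;
        }
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    default:
        break;
    }
    return TRUE;
}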