(转)IAT Hook-白红宇

(转)IAT Hook

阅读量：5302 次

发布时间：2019-06-14

本文共 3557 字，大约阅读时间需要 11 分钟。

// IATHook02.cpp : Defines the entry point for the console application.//#include "stdafx.h"#include "IATHook02.h"#ifdef _DEBUG#define new DEBUG_NEW#endif// The one and only application objectCWinApp theApp;using namespace std;//HWND HookProc(void);BOOL IATHook(LPCSTR pDLLName, PDWORD pOldAddr, PDWORD pNewAddr);//int _tmain(int argc, TCHAR* argv[], TCHAR* envp[]){    int nRetCode = 0;    // initialize MFC and print and error on failure    if (!AfxWinInit(::GetModuleHandle(NULL), NULL, ::GetCommandLine(), 0))    {        // TODO: change error code to suit your needs        _tprintf(_T("Fatal Error: MFC initialization failed\n"));        nRetCode = 1;    }    else    {        // TODO: code your application's behavior here.    }    HMODULE    hmod = GetModuleHandle("USER32.dll");    FARPROC    hold = GetProcAddress(hmod, "GetForegroundWindow");    if (IATHook("USER32.dll", (PDWORD)hold, (PDWORD)HookProc))    {        GetForegroundWindow();    }    else        MessageBox(NULL, "Not Hook", "MesageBox", MB_OK);    return nRetCode;}//HWND HookProc(void){    MessageBox(NULL, "I have hooked by IAT", "IAT HOOK", MB_OK);    return NULL;}//BOOL IATHook(LPCSTR pDLLName, PDWORD pOldAddr, PDWORD pNewAddr){    HMODULE                hModule = NULL;    DWORD                OldProtect;    LPVOID                lpaddr;    LPSTR                pModuleLabel = NULL;    PIMAGE_THUNK_DATA    pThunkData = NULL;    PIMAGE_DOS_HEADER    pIMAGE_DOS_HEADER = NULL;    PIMAGE_NT_HEADERS    pNTHeader = NULL;    PIMAGE_OPTIONAL_HEADER32    pOptionalHeader = NULL;    PIMAGE_DATA_DIRECTORY        DataDirectory = NULL;    PIMAGE_IMPORT_DESCRIPTOR    pImportHeader = NULL;    PIMAGE_IMPORT_DESCRIPTOR    pDllModule = NULL;    hModule = GetModuleHandle(NULL);    pIMAGE_DOS_HEADER = (PIMAGE_DOS_HEADER)hModule;    if (pIMAGE_DOS_HEADER->e_magic == IMAGE_DOS_SIGNATURE)    {        pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pIMAGE_DOS_HEADER + (DWORD)pIMAGE_DOS_HEADER->e_lfanew);        if (pNTHeader->Signature == IMAGE_NT_SIGNATURE)        {            pOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)&(pNTHeader->OptionalHeader);            DataDirectory = pOptionalHeader->DataDirectory;            pImportHeader = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)hModule +                                 DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);        }        else            return FALSE;    }    else        return FALSE;    while (pImportHeader->Name != NULL)    {        pModuleLabel = (LPSTR)((DWORD)hModule + (DWORD)pImportHeader->Name);        if (*pModuleLabel == *pDLLName)        {            pDllModule = pImportHeader;            pThunkData = (PIMAGE_THUNK_DATA)((DWORD)hModule + (DWORD)pDllModule->FirstThunk);            while (pThunkData->u1.Function != NULL)            {                if (pOldAddr == (PVOID)pThunkData->u1.Function)                {                    MEMORY_BASIC_INFORMATION  mbi;                    lpaddr = &pThunkData->u1.Function;                    VirtualQuery(lpaddr, &mbi,sizeof(mbi));                    VirtualProtect(lpaddr, sizeof(PDWORD), PAGE_READWRITE, &OldProtect);                    WriteProcessMemory(GetCurrentProcess(), lpaddr, &pNewAddr, sizeof(PDWORD), NULL);                    VirtualProtect(&pThunkData->u1.Function, sizeof(PDWORD), OldProtect, &OldProtect);                    return TRUE;                }                else                    pThunkData++;            }        }        pImportHeader++;    }    return FALSE;}

转载于:https://www.cnblogs.com/himessage/archive/2012/12/20/2826084.html

你可能感兴趣的文章