阿杰 发表于 2010-1-27 20:47:25

HOOK 本进程的API

通过修改本模块 IAT 表中的函数地址来达到 API 劫持的目的，现在仅仅是劫持本进程（且只对经 IAT 调用）的 API。
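// Translates a relative virtual address (RVA) of a PE image into the matching
// raw *file* offset by walking the section table.
//
// pImage - start of the PE image (the IMAGE_DOS_HEADER). No size is passed, so
//          e_lfanew and NumberOfSections cannot be bounds-checked against the
//          buffer; do not hand this untrusted files without validating them
//          first.
// dwRVA  - the RVA to translate.
//
// Returns the file offset, or 0 on failure (bad DOS/NT signature, or an RVA
// not covered by any section). Failure is also reported through a MessageBox,
// as before. 0 doubles as the failure sentinel, so an RVA that legitimately
// maps to raw offset 0 is indistinguishable from an error.
//
// NOTE: this is a file-offset translation. For a module that is already mapped
// into the process (GetModuleHandle), data lives at base + RVA, not
// base + file offset; the two coincide only when the linker happens to align
// sections identically in file and memory.
DWORD GetFileOffset(char *pImage, DWORD dwRVA)
{
    BYTE *pBase = reinterpret_cast<BYTE *>(pImage);
    PIMAGE_DOS_HEADER pDos = reinterpret_cast<PIMAGE_DOS_HEADER>(pBase);
    DWORD dwOffset = 0;

    // Reject anything that is not a PE image before trusting e_lfanew
    // (a negative e_lfanew would point before the buffer).
    if (pDos->e_magic == IMAGE_DOS_SIGNATURE && pDos->e_lfanew >= 0)
    {
        // BYTE* arithmetic instead of casting the pointer to DWORD, which
        // truncates on 64-bit builds.
        PIMAGE_NT_HEADERS pNt = reinterpret_cast<PIMAGE_NT_HEADERS>(pBase + pDos->e_lfanew);
        if (pNt->Signature == IMAGE_NT_SIGNATURE)
        {
            // IMAGE_FIRST_SECTION == NT headers + 4 (Signature)
            // + sizeof(IMAGE_FILE_HEADER) + SizeOfOptionalHeader, i.e. what the
            // original computed by hand.
            PIMAGE_SECTION_HEADER pSec = IMAGE_FIRST_SECTION(pNt);
            const WORD wSections = pNt->FileHeader.NumberOfSections;
            for (WORD i = 0; i < wSections; ++i, ++pSec)
            {
                const DWORD dwStart = pSec->VirtualAddress;
                const DWORD dwSize = pSec->Misc.VirtualSize;
                // "dwRVA - dwStart < dwSize" cannot wrap, unlike
                // "dwRVA < dwStart + dwSize" on a crafted section header.
                if (dwRVA >= dwStart && dwRVA - dwStart < dwSize)
                {
                    dwOffset = pSec->PointerToRawData + (dwRVA - dwStart);
                    break;
                }
            }
        }
    }

    if (dwOffset == 0)
    {
        ::MessageBox(NULL, "PE file is a error file", NULL, NULL);
        return 0;
    }
    return dwOffset;
}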
// Signature of MessageBoxA as the hook sees it: (window, text, caption, style).
typedef int (WINAPI * FUNC)(HWND h, PSTR pText, PSTR pTittle, UINT uiStyle);

// Saved pointer to the real MessageBoxA so the hook can forward to it. The cast
// is required because FUNC takes PSTR where MessageBoxA takes LPCSTR.
FUNC g_OirMessageBox = reinterpret_cast<FUNC>(&MessageBoxA);
// Replacement for MessageBoxA that OnOK() installs into the IAT. The caller's
// text and caption are discarded and fixed strings shown instead; the window
// handle and style are forwarded to the saved original (g_OirMessageBox).
// Returns whatever the original MessageBoxA returns.
int WINAPI MyMessageBox(HWND h, PSTR pText, PSTR pTittle, UINT uiStyle)
{
    (void)pText;    // deliberately ignored: the demo overrides the message
    (void)pTittle;  // deliberately ignored: the demo overrides the caption
    return g_OirMessageBox(h, "被Hook咯!", "哈哈", uiStyle);
}
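// Finds the import descriptor for pszDll in a module that is already mapped
// into this process. pBase is the module base (what GetModuleHandle returns);
// because the module is mapped, every RVA resolves as pBase + RVA.
// Returns NULL when the headers are not a PE image, the module has no import
// table, or it does not import pszDll (compared case-insensitively).
static IMAGE_IMPORT_DESCRIPTOR *FindImportDescriptor(BYTE *pBase, const char *pszDll)
{
    IMAGE_DOS_HEADER *pDos = reinterpret_cast<IMAGE_DOS_HEADER *>(pBase);
    if (pDos->e_magic != IMAGE_DOS_SIGNATURE)
        return NULL;
    IMAGE_NT_HEADERS *pNt = reinterpret_cast<IMAGE_NT_HEADERS *>(pBase + pDos->e_lfanew);
    if (pNt->Signature != IMAGE_NT_SIGNATURE)
        return NULL;

    // DataDirectory is an array; the import table is entry
    // IMAGE_DIRECTORY_ENTRY_IMPORT (the index was lost in the original listing).
    const IMAGE_DATA_DIRECTORY &dir = pNt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (dir.VirtualAddress == 0 || dir.Size == 0)
        return NULL;

    IMAGE_IMPORT_DESCRIPTOR *pDesc = reinterpret_cast<IMAGE_IMPORT_DESCRIPTOR *>(pBase + dir.VirtualAddress);
    for (; pDesc->Name != 0; ++pDesc)   // table is terminated by an all-zero descriptor
    {
        const char *pszName = reinterpret_cast<const char *>(pBase + pDesc->Name);
        if (stricmp(pszDll, pszName) == 0)
            return pDesc;
    }
    return NULL;
}

// Overwrites the IAT slot through which pszFunc is imported from pDesc's DLL
// with pfnHook. The import name table (OriginalFirstThunk) is walked to find
// the entry by name; the parallel slot in the IAT (FirstThunk), which the
// loader filled with the resolved address, is what gets patched.
// Returns TRUE if a slot was patched, FALSE if the name was not found, the
// module has no name table, or the page could not be made writable.
static BOOL HookImportByName(BYTE *pBase, IMAGE_IMPORT_DESCRIPTOR *pDesc,
                             const char *pszFunc, FARPROC pfnHook)
{
    // Without OriginalFirstThunk there are no names left to match: FirstThunk
    // already holds addresses once the module is loaded.
    if (pDesc->OriginalFirstThunk == 0)
        return FALSE;

    IMAGE_THUNK_DATA *pName = reinterpret_cast<IMAGE_THUNK_DATA *>(pBase + pDesc->OriginalFirstThunk);
    IMAGE_THUNK_DATA *pIat = reinterpret_cast<IMAGE_THUNK_DATA *>(pBase + pDesc->FirstThunk);

    for (; pName->u1.AddressOfData != 0; ++pName, ++pIat)
    {
        if (pName->u1.AddressOfData & IMAGE_ORDINAL_FLAG)
            continue;   // imported by ordinal: there is no name to compare
        IMAGE_IMPORT_BY_NAME *pByName = reinterpret_cast<IMAGE_IMPORT_BY_NAME *>(pBase + pName->u1.AddressOfData);
        if (stricmp(pszFunc, reinterpret_cast<const char *>(pByName->Name)) != 0)
            continue;

        // The slot only needs to be writable for one store; the original asked
        // for PAGE_EXECUTE_READWRITE, which needlessly makes the page
        // executable. Assumes the IAT sits in a data section (the standard
        // layout); check the return value instead of writing blindly.
        DWORD dwOldProtect = 0;
        if (!VirtualProtect(pIat, sizeof(*pIat), PAGE_READWRITE, &dwOldProtect))
            return FALSE;
        pIat->u1.Function = reinterpret_cast<DWORD_PTR>(pfnHook);
        DWORD dwTemp = 0;
        VirtualProtect(pIat, sizeof(*pIat), dwOldProtect, &dwTemp);   // restore protection
        return TRUE;
    }
    return FALSE;
}

// Button handler: hooks MessageBoxA for this process by patching the main
// module's IAT, then calls MessageBoxA to demonstrate the hook.
//
// The original resolved header data through GetFileOffset() (RVA -> raw file
// offset) plus the module base. A module returned by GetModuleHandle is
// already mapped, so its RVAs resolve as base + RVA; file offsets equal RVAs
// only when the linker happens to align sections identically, so those lookups
// were fragile. Everything here uses base + RVA, as the IAT write itself
// already did. If user32.dll is not imported the original walked past the end
// of the descriptor table; this version simply returns.
//
// Scope caveat: only calls that go through THIS module's IAT are redirected.
// Calls resolved via GetProcAddress, and calls made from other modules, are
// not affected.
void CGetImportTableDlg::OnOK()
{
    BYTE *pBase = reinterpret_cast<BYTE *>(GetModuleHandle(NULL));
    g_pBuffer = pBase;   // kept: presumably read elsewhere in the dialog

    IMAGE_IMPORT_DESCRIPTOR *pUser32 = FindImportDescriptor(pBase, "user32.dll");
    if (pUser32 == NULL)
        return;

    // A failed patch is not fatal to the demo: the call below then just shows
    // the unhooked MessageBoxA.
    HookImportByName(pBase, pUser32, "MessageBoxA", reinterpret_cast<FARPROC>(&MyMessageBox));

    // Demo: this import now resolves to MyMessageBox.
    ::MessageBoxA(NULL, NULL, NULL, NULL);
}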

a2010xxb 发表于 2010-9-23 15:42:44

对于动态加载（LoadLibrary/GetProcAddress 取得地址后）的调用，完全无视 IAT 了。。
对于本进程最好的方法也是动态加载,再HOOK,jmp xxxx 就好了。。
简洁方便,几句代码的事情