IATHook
IATHookClass.h
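#pragma once

#include <Windows.h>

// Redirects one imported API of the main executable by overwriting its
// import address table (IAT) slot, and restores the slot on request.
//
// Addresses are stored as DWORD, so the class is only meaningful in 32-bit
// builds. One instance tracks one hooked slot at a time.
//
// The patched slot no longer points into the exporting module, so an
// integrity check that compares IAT entries with the exporter's address
// range will see the change.
class IATHookClass
{
private:
    DWORD oldAddr; // IAT value saved by Hook(); 0 while nothing is hooked
    DWORD newAddr; // replacement written by Hook(); 0 while nothing is hooked

public:
    // Start with no hook recorded, so that UnHook() called before Hook()
    // compares against defined values instead of indeterminate memory.
    IATHookClass() : oldAddr(0), newAddr(0) {}

    // Points the IAT slot of the import named apiName (case-insensitive) at
    // callfunc. Returns TRUE when the slot was rewritten.
    BOOL Hook(char *apiName, DWORD callfunc);

    // Writes the saved original address back into the slot that currently
    // holds the replacement. Returns TRUE when the slot was restored.
    BOOL UnHook(void);
};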
IATHookClass.cpp
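#include "IATHookClass.h"

namespace
{
    // Returns the first import descriptor of the image mapped at pBase, or
    // NULL when the headers do not look like a PE image or the image has no
    // import directory.
    IMAGE_IMPORT_DESCRIPTOR *FirstImportDescriptor(BYTE *pBase)
    {
        if (pBase == NULL)
            return NULL;

        IMAGE_DOS_HEADER *pDosHeader = (IMAGE_DOS_HEADER *)pBase;
        if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
            return NULL;

        // IMAGE_NT_HEADERS = 4-byte signature + 20-byte file header +
        // optional header, i.e. the same offset as "e_lfanew + 24".
        IMAGE_NT_HEADERS *pNtHeaders = (IMAGE_NT_HEADERS *)(pBase + pDosHeader->e_lfanew);
        if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
            return NULL;

        if (pNtHeaders->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_IMPORT)
            return NULL;

        const IMAGE_DATA_DIRECTORY &importDir =
            pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
        if (importDir.VirtualAddress == 0)
            return NULL;

        return (IMAGE_IMPORT_DESCRIPTOR *)(pBase + importDir.VirtualAddress);
    }

    // Overwrites a single IAT slot with value and puts the page protection
    // back afterwards. Returns FALSE without writing if the page could not
    // be made writable.
    BOOL WriteThunk(IMAGE_THUNK_DATA *pSlot, DWORD value)
    {
        // The class keeps addresses in DWORDs; refuse to store a truncated
        // address into a wider slot (64-bit builds).
        if (sizeof(pSlot->u1.Function) != sizeof(DWORD))
            return FALSE;

        // NOTE(review): PAGE_EXECUTE_READWRITE leaves the page writable and
        // executable for the duration of the write. PAGE_READWRITE is enough
        // when the IAT sits in a non-executable section - confirm the section
        // layout of the target build before tightening this.
        DWORD dwOldProtect = 0;
        if (!VirtualProtect((LPVOID)&pSlot->u1.Function, sizeof(pSlot->u1.Function),
                            PAGE_EXECUTE_READWRITE, &dwOldProtect))
            return FALSE;

        pSlot->u1.Function = value;

        DWORD dwIgnored = 0;
        VirtualProtect((LPVOID)&pSlot->u1.Function, sizeof(pSlot->u1.Function),
                       dwOldProtect, &dwIgnored);
        return TRUE;
    }
}

// Finds the import named apiName (case-insensitive, any DLL, first match) in
// the main executable's import table and points its IAT slot at callfunc.
//
// apiName  - ANSI name of the imported function; must not be NULL.
// callfunc - address of the replacement; must not be 0.
//
// Returns TRUE when the slot was rewritten; oldAddr/newAddr are updated only
// in that case. Returns FALSE for bad arguments, a missing import, or a
// failed protection change. No locking is performed here.
BOOL IATHookClass::Hook(char *apiName, DWORD callfunc)
{
    if (apiName == NULL || callfunc == 0)
        return FALSE;

    // GetModuleHandle does not add a reference and the value is not a kernel
    // object handle, so it must not be passed to CloseHandle.
    BYTE *pBase = (BYTE *)GetModuleHandle(NULL);
    IMAGE_IMPORT_DESCRIPTOR *pImportDesc = FirstImportDescriptor(pBase);
    if (pImportDesc == NULL)
        return FALSE;

    for (; pImportDesc->FirstThunk; ++pImportDesc)
    {
        // Names live in the import name table; without one there is nothing
        // to compare against for this DLL.
        if (pImportDesc->OriginalFirstThunk == 0)
            continue;

        IMAGE_THUNK_DATA *pThunk = (IMAGE_THUNK_DATA *)(pBase + pImportDesc->FirstThunk);
        IMAGE_THUNK_DATA *pNameThunk = (IMAGE_THUNK_DATA *)(pBase + pImportDesc->OriginalFirstThunk);

        for (; pNameThunk->u1.AddressOfData; ++pNameThunk, ++pThunk)
        {
            // Ordinal imports carry no IMAGE_IMPORT_BY_NAME record; treating
            // the ordinal as an RVA would read unrelated memory.
            if (IMAGE_SNAP_BY_ORDINAL(pNameThunk->u1.Ordinal))
                continue;

            IMAGE_IMPORT_BY_NAME *pByName =
                (IMAGE_IMPORT_BY_NAME *)(pBase + pNameThunk->u1.AddressOfData);

            // Import names are always ANSI, independent of the UNICODE setting.
            if (lstrcmpiA(apiName, (LPCSTR)pByName->Name) != 0)
                continue;

            const DWORD previous = (DWORD)pThunk->u1.Function;
            if (!WriteThunk(pThunk, callfunc))
                return FALSE;

            IATHookClass::oldAddr = previous;
            IATHookClass::newAddr = callfunc;
            return TRUE;
        }
    }
    return FALSE;
}

// Scans the main executable's IAT for the slot that currently holds newAddr
// and writes oldAddr back into it.
//
// Returns TRUE when the slot was restored, and clears oldAddr/newAddr.
// Returns FALSE when no hook is recorded, the slot is not found, or the
// protection change fails.
BOOL IATHookClass::UnHook(void)
{
    // Never write a zero address into the IAT.
    if (IATHookClass::newAddr == 0 || IATHookClass::oldAddr == 0)
        return FALSE;

    BYTE *pBase = (BYTE *)GetModuleHandle(NULL);
    IMAGE_IMPORT_DESCRIPTOR *pImportDesc = FirstImportDescriptor(pBase);
    if (pImportDesc == NULL)
        return FALSE;

    // Both loops advance their cursor; the scan ends at the zero terminator
    // of each thunk array and of the descriptor array.
    for (; pImportDesc->FirstThunk; ++pImportDesc)
    {
        IMAGE_THUNK_DATA *pThunk = (IMAGE_THUNK_DATA *)(pBase + pImportDesc->FirstThunk);

        for (; pThunk->u1.Function; ++pThunk)
        {
            if (pThunk->u1.Function != IATHookClass::newAddr)
                continue;

            if (!WriteThunk(pThunk, IATHookClass::oldAddr))
                return FALSE;

            IATHookClass::newAddr = 0;
            IATHookClass::oldAddr = 0;
            return TRUE;
        }
    }
    return FALSE;
}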