(转)IAT Hook

http://www.52pojie.cn/thread-95426-1-1.html

// IATHook02.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include "IATHook02.h"

#ifdef _DEBUG
#define new DEBUG_NEW
#endif


// The one and only application object

// MFC requires exactly one CWinApp instance in the process; AfxWinInit in
// _tmain attaches to it.
CWinApp theApp;

// File-scope using-directive in a .cpp (acceptable here; never do this in a header).
using namespace std;

//////////////////////////////////////////////////////////////////////////////////////
// Forward declarations, defined below.
// HookProc: replacement installed in place of USER32!GetForegroundWindow.
// IATHook:  patches one import-address-table slot of the current executable.
HWND HookProc(void);
BOOL IATHook(LPCSTR pDLLName, PDWORD pOldAddr, PDWORD pNewAddr);

//////////////////////////////////////////////////////////////////////////////////////
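int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
    // Entry point of the demo: redirects this process's own import of
    // USER32!GetForegroundWindow to HookProc by patching the IAT, then calls
    // the function once so the redirected call is observable.
    // Returns 0 on normal completion, 1 when MFC initialization fails.
    int nRetCode = 0;

    // Initialize MFC and print an error on failure.
    if (!AfxWinInit(::GetModuleHandle(NULL), NULL, ::GetCommandLine(), 0))
    {
        _tprintf(_T("Fatal Error: MFC initialization failed\n"));
        // A fatal initialization error ends the run here rather than
        // continuing on to patch the import table.
        return 1;
    }

    // Resolve the address currently stored in the IAT for the import we want
    // to redirect. Either lookup can fail (module not mapped, export missing);
    // in that case there is nothing to hook and we fall through to the
    // "Not Hook" report instead of handing a NULL address to IATHook.
    HMODULE hmod = GetModuleHandle("USER32.dll");
    FARPROC hold = (hmod != NULL) ? GetProcAddress(hmod, "GetForegroundWindow") : NULL;

    // NOTE(review): the FARPROC / function-pointer -> PDWORD casts, together
    // with IATHook's DWORD-based pointer arithmetic, assume a 32-bit image.
    if (hold != NULL && IATHook("USER32.dll", (PDWORD)hold, (PDWORD)HookProc))
    {
        // Goes through the patched IAT slot, so HookProc runs instead.
        GetForegroundWindow();
    }
    else
    {
        MessageBox(NULL, "Not Hook", "MesageBox", MB_OK);
    }

    return nRetCode;
}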

//////////////////////////////////////////////////////////////////////////////////////
HWND HookProc(void)
{
    // Replacement for GetForegroundWindow installed by IATHook. It shows a
    // message box so the redirected call is visible, then reports "no window"
    // by returning NULL. Like the function it replaces it takes no arguments.
    // NOTE(review): the prototype lacks the WINAPI calling-convention
    // specifier of the real export; with zero parameters there is nothing
    // for the caller/callee to clean up, so this is presumably harmless —
    // confirm against the target's prototype.
    const int boxResult = MessageBox(NULL, "I have hooked by IAT", "IAT HOOK", MB_OK);
    (void)boxResult;   // the button pressed is irrelevant to the demo

    return NULL;
}

//////////////////////////////////////////////////////////////////////////////////////
// Redirects one entry of the current executable's import address table (IAT).
//
// Walks the PE headers of the main module (GetModuleHandle(NULL)), locates the
// import descriptor for pDLLName, and overwrites the IAT slot whose current
// value equals pOldAddr with pNewAddr. Only the calling process is modified.
//
// @param pDLLName  Name of the imported DLL as it appears in the import table.
// @param pOldAddr  Address currently stored in the IAT slot to be patched.
// @param pNewAddr  Address to store in that slot instead.
// @return TRUE when a slot was patched; FALSE when the headers are not a valid
//         PE image or no import of pDLLName currently holds pOldAddr.
//
// NOTE(review): every pointer computation goes through DWORD and the optional
// header is read as IMAGE_OPTIONAL_HEADER32, so this only works for a 32-bit
// image. Return values of VirtualProtect/WriteProcessMemory are not checked.
BOOL IATHook(LPCSTR pDLLName, PDWORD pOldAddr, PDWORD pNewAddr)
{
    HMODULE                hModule = NULL;
    DWORD                OldProtect;
    LPVOID                lpaddr;
    LPSTR                pModuleLabel = NULL;
    PIMAGE_THUNK_DATA    pThunkData = NULL;
    PIMAGE_DOS_HEADER    pIMAGE_DOS_HEADER = NULL;
    PIMAGE_NT_HEADERS    pNTHeader = NULL;

    PIMAGE_OPTIONAL_HEADER32    pOptionalHeader = NULL;
    PIMAGE_DATA_DIRECTORY        DataDirectory = NULL;
    PIMAGE_IMPORT_DESCRIPTOR    pImportHeader = NULL;
    PIMAGE_IMPORT_DESCRIPTOR    pDllModule = NULL;


    // Base address of the executable itself, which is also where the DOS header starts.
    hModule = GetModuleHandle(NULL);
    pIMAGE_DOS_HEADER = (PIMAGE_DOS_HEADER)hModule;

    // Check the "MZ" and "PE\0\0" signatures before trusting e_lfanew and the
    // data directory; bail out with FALSE if either is missing.
    if (pIMAGE_DOS_HEADER->e_magic == IMAGE_DOS_SIGNATURE)
    {
        pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pIMAGE_DOS_HEADER + (DWORD)pIMAGE_DOS_HEADER->e_lfanew);
        if (pNTHeader->Signature == IMAGE_NT_SIGNATURE)
        {
            pOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)&(pNTHeader->OptionalHeader);
            DataDirectory = pOptionalHeader->DataDirectory;
            // Import directory RVA -> first IMAGE_IMPORT_DESCRIPTOR of the executable.
            pImportHeader = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)hModule + 
                                DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
        }
        else
            return FALSE;
    }
    else
        return FALSE;

    // The import descriptor array is terminated by an all-zero entry (Name == 0).
    while (pImportHeader->Name != NULL)
    {
        pModuleLabel = (LPSTR)((DWORD)hModule + (DWORD)pImportHeader->Name);
        // NOTE(review): defect — this compares only the FIRST character of the
        // imported module's name with the first character of pDLLName, so any
        // import descriptor whose name begins with the same letter is selected
        // first. A full (case-insensitive) comparison of the two names is what
        // is intended here.
        if (*pModuleLabel == *pDLLName)
        {
            pDllModule = pImportHeader;
            // FirstThunk is the RVA of this DLL's IAT; at run time each entry
            // holds a resolved function address, and the array is zero-terminated.
            pThunkData = (PIMAGE_THUNK_DATA)((DWORD)hModule + (DWORD)pDllModule->FirstThunk);
            while (pThunkData->u1.Function != NULL)
            {
                if (pOldAddr == (PVOID)pThunkData->u1.Function)
                {
                    // mbi is filled but never read; the VirtualQuery call has no effect on the outcome.
                    MEMORY_BASIC_INFORMATION  mbi;
                    lpaddr = &pThunkData->u1.Function;
                    VirtualQuery(lpaddr, &mbi,sizeof(mbi));
                    // sizeof(PDWORD) is the pointer size, i.e. exactly one IAT slot.
                    // The return value is unchecked; if the protection change
                    // fails the write below may fault instead of being reported.
                    VirtualProtect(lpaddr, sizeof(PDWORD), PAGE_READWRITE, &OldProtect);
                    // Writes into this process's own memory (GetCurrentProcess), so
                    // once the page is writable this is equivalent to a plain store
                    // of pNewAddr; its return value is not checked either.
                    WriteProcessMemory(GetCurrentProcess(), lpaddr, &pNewAddr, sizeof(PDWORD), NULL);
                    // Restore the original protection; the PAGE_READWRITE value
                    // written back into OldProtect is discarded.
                    // Detection note: after this store the slot points into the
                    // executable itself rather than into the exporting DLL, which
                    // is the condition IAT-integrity checks look for.
                    VirtualProtect(&pThunkData->u1.Function, sizeof(PDWORD), OldProtect, &OldProtect);
                    return TRUE;
                }
                else
                    pThunkData++;
            }
        }

        pImportHeader++;
    }

    // Valid PE, but no import of pDLLName currently holds pOldAddr.
    return FALSE;
}

 
