(转)IAT Hook
http://www.52pojie.cn/thread-95426-1-1.html
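// IATHook02.cpp : Defines the entry point for the console application.
//
// Demonstrates import-address-table (IAT) redirection inside the calling
// process only: the IAT slot this executable uses for
// USER32!GetForegroundWindow is overwritten with the address of HookProc.
//
// Scope notes for readers and reviewers:
//   * Only calls that go through THIS module's import table are affected.
//     Other loaded modules and addresses obtained via GetProcAddress are not.
//   * After patching, the slot no longer points into USER32.dll. An IAT entry
//     that resolves outside the address range of the DLL it is imported from
//     is the usual signal that import-table integrity checks look for.
//

#include "stdafx.h"
#include "IATHook02.h"

#ifdef _DEBUG
#define new DEBUG_NEW
#endif

// The one and only application object
CWinApp theApp;

using namespace std;

//////////////////////////////////////////////////////////////////////////////////////
HWND HookProc(void);
BOOL IATHook(LPCSTR pDLLName, PDWORD pOldAddr, PDWORD pNewAddr);

//////////////////////////////////////////////////////////////////////////////////////
// Entry point: initialises MFC, redirects GetForegroundWindow in this module's
// import table, then calls it once so the replacement runs.
// Returns 0 normally, 1 if MFC initialisation failed.
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
    int nRetCode = 0;

    // initialize MFC and print an error on failure
    if (!AfxWinInit(::GetModuleHandle(NULL), NULL, ::GetCommandLine(), 0))
    {
        // TODO: change error code to suit your needs
        _tprintf(_T("Fatal Error: MFC initialization failed\n"));
        nRetCode = 1;
    }
    else
    {
        // TODO: code your application's behavior here.
    }

    // The literals below are narrow strings, so the ANSI entry points are
    // named explicitly; the generic macros would not compile under UNICODE.
    HMODULE hmod = GetModuleHandleA("USER32.dll");
    FARPROC hold = (hmod != NULL) ? GetProcAddress(hmod, "GetForegroundWindow") : NULL;

    // hold is the address the loader is expected to have written into the IAT
    // slot; IATHook locates the slot by comparing against it.
    if (hold != NULL && IATHook("USER32.dll", (PDWORD)hold, (PDWORD)HookProc))
    {
        // Expected to be dispatched through the patched import slot, i.e. to
        // HookProc rather than to USER32.
        GetForegroundWindow();
    }
    else
    {
        MessageBoxA(NULL, "Not Hook", "MesageBox", MB_OK);
    }

    return nRetCode;
}

//////////////////////////////////////////////////////////////////////////////////////
// Replacement installed in place of GetForegroundWindow. Shows a message box
// and returns NULL instead of a window handle.
//
// NOTE(review): GetForegroundWindow is declared WINAPI while this function uses
// the compiler's default calling convention. With zero parameters there is no
// argument stack to clean up, so the mismatch is harmless here; a replacement
// for any function that takes arguments must match the original's calling
// convention and signature exactly.
HWND HookProc(void)
{
    MessageBoxA(NULL, "I have hooked by IAT", "IAT HOOK", MB_OK);
    return NULL;
}

//////////////////////////////////////////////////////////////////////////////////////
// Overwrites one import-address-table slot of the current executable.
//
//   pDLLName  - name of the imported DLL whose thunk array is searched
//               (compared case-insensitively against the import descriptor).
//   pOldAddr  - address currently stored in the slot (the resolved import).
//   pNewAddr  - address to store in its place.
//
// Returns TRUE when the slot was found and rewritten, FALSE when the image
// headers are not recognised, the DLL or address is not present in the import
// table, or the page protection change / write failed.
//
// Changes from the original listing:
//   * The DLL name was matched on its first character only; the whole name is
//     now compared, ignoring case.
//   * Pointer arithmetic went through (DWORD) casts and PIMAGE_OPTIONAL_HEADER32,
//     which truncates addresses in a 64-bit build; byte-pointer arithmetic and
//     the build's own IMAGE_NT_HEADERS layout are used instead.
//   * VirtualProtect / WriteProcessMemory results were ignored, so TRUE could be
//     returned without the slot having been written.
//   * The unused VirtualQuery call was dropped.
BOOL IATHook(LPCSTR pDLLName, PDWORD pOldAddr, PDWORD pNewAddr)
{
    if (pDLLName == NULL || pOldAddr == NULL || pNewAddr == NULL)
        return FALSE;

    // The module handle of a loaded image is its base address.
    HMODULE hModule = GetModuleHandle(NULL);
    if (hModule == NULL)
        return FALSE;
    PBYTE pBase = (PBYTE)hModule;

    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pBase;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return FALSE;

    PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)(pBase + pDosHeader->e_lfanew);
    if (pNTHeader->Signature != IMAGE_NT_SIGNATURE)
        return FALSE;

    const IMAGE_DATA_DIRECTORY* pImportDir =
        &pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (pImportDir->VirtualAddress == 0)
        return FALSE;   // image has no import directory

    PIMAGE_IMPORT_DESCRIPTOR pImportHeader =
        (PIMAGE_IMPORT_DESCRIPTOR)(pBase + pImportDir->VirtualAddress);

    // The descriptor array is terminated by an all-zero entry.
    for (; pImportHeader->Name != 0; ++pImportHeader)
    {
        LPCSTR pModuleLabel = (LPCSTR)(pBase + pImportHeader->Name);
        if (lstrcmpiA(pModuleLabel, pDLLName) != 0)
            continue;

        // FirstThunk is the array the loader filled with resolved addresses.
        PIMAGE_THUNK_DATA pThunkData = (PIMAGE_THUNK_DATA)(pBase + pImportHeader->FirstThunk);
        for (; pThunkData->u1.Function != 0; ++pThunkData)
        {
            if ((ULONG_PTR)pThunkData->u1.Function != (ULONG_PTR)pOldAddr)
                continue;

            LPVOID lpaddr = &pThunkData->u1.Function;
            const SIZE_T slotSize = sizeof(pThunkData->u1.Function);
            DWORD OldProtect = 0;

            // The import table is normally mapped read-only.
            if (!VirtualProtect(lpaddr, slotSize, PAGE_READWRITE, &OldProtect))
                return FALSE;

            BOOL bWritten = WriteProcessMemory(GetCurrentProcess(), lpaddr,
                                               &pNewAddr, slotSize, NULL);

            // Put the original protection back whether or not the write worked.
            DWORD Ignored = 0;
            VirtualProtect(lpaddr, slotSize, OldProtect, &Ignored);

            return bWritten ? TRUE : FALSE;
        }
    }

    return FALSE;
}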