(转)修改IAT实现本进程API HOOK

http://www.cppblog.com/gezidan/archive/2011/08/08/152757.html

// IATHook.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include "IATHook.h"
#include <windows.h>  
#include <imagehlp.h>
#pragma comment(lib, "imagehlp.lib")  

#ifdef _DEBUG
#define new DEBUG_NEW
#endif


// The one and only application object

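CWinApp theApp;

using namespace std;

//////////////////////////////////////////////////////////////////////////////////////
// Hook state shared between _tmain (which patches this process's IAT) and
// MYhook (whose inline asm reads szHacked and dwHookApiAddr by name).
// Everything here is x86-only: code and data addresses are stored in DWORDs,
// which would truncate pointers on x64, and MYhook itself is 32-bit inline asm.
//
// szHacked now binds the literal to a const pointer: a string literal is not
// writable, and binding it to a plain char* is ill-formed in C++11 and later.
// The globals are zero-initialized anyway; the explicit initializers just make
// the "not yet resolved" state visible to a reader.
const char *szModName = NULL;                 // DLL name of the import descriptor being examined (points into the mapped image)
const char *szHacked = "不好意思hook到了!";    // replacement lpText that MYhook stores over the caller's argument
DWORD dwHookFun = 0;                          // address of MYhook, written into the MessageBoxA IAT slot
DWORD dwHookApiAddr = 0;                      // real address of USER32!MessageBoxA; MYhook tail-jumps here
ULONG uSize = 0;                              // size of the import directory, as reported by ImageDirectoryEntryToData
PIMAGE_IMPORT_DESCRIPTOR pImportDesc = NULL;  // cursor over the import descriptor table (ends at an all-zero entry)
PIMAGE_THUNK_DATA32 pThunk = NULL;            // cursor over a descriptor's FirstThunk array, i.e. the live IAT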

//////////////////////////////////////////////////////////////////////////////////////
// Replacement target for the MessageBoxA IAT slot. Once _tmain has patched the
// thunk, every `call dword ptr [IAT slot]` in this module lands here with the
// caller's stdcall frame (return address + four MessageBoxA arguments) on the
// stack. The asm rewrites the second argument (lpText) to szHacked and then
// tail-jumps to the real MessageBoxA, so the caller sees a normal return.
//
// NOTE(review): the offsets below assume the compiler emitted the usual
// `push ebp / mov ebp,esp` prologue for this function and nothing else that
// must be undone before the jump; with frame-pointer omission or a different
// prologue the stack picture is wrong. Confirm against the disassembly of the
// build actually used. [ebp+12] is also specific to MessageBoxA's argument
// order -- a hook for any other import needs its own offsets.
void MYhook()  
{  
    __asm  
    {  
        mov  esp,ebp             ; discard any locals/saved registers pushed after the prologue; ebp still frames the caller's arguments
        push szHacked            ; value of the global pointer szHacked...
        pop  DWORD PTR [ebp+12]  ; ...stored over the caller's lpText (ebp+4 = return address, +8 = hWnd, +12 = lpText)
        pop  ebp                 ; restore the caller's ebp; the return address is now on top, as after a direct call
        jmp  dwHookApiAddr       ; transfer to the address held in dwHookApiAddr (real MessageBoxA), which returns straight to the caller
    }  
} 

//////////////////////////////////////////////////////////////////////////////////////
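// Returns the import descriptor of hModule whose DLL name matches szDll, or
// NULL when the image has no import directory or does not import that DLL.
// The name compare is case-insensitive because import libraries differ in how
// they case the DLL name ("USER32.dll" vs "user32.dll").
static PIMAGE_IMPORT_DESCRIPTOR FindImportDescriptor(HMODULE hModule, const char *szDll)
{
    // ImageDirectoryEntryToData returns NULL for an image without the requested
    // directory; the original code dereferenced the result unconditionally.
    PIMAGE_IMPORT_DESCRIPTOR pDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(
        hModule, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &uSize);
    if (pDesc == NULL)
        return NULL;

    // The table ends with an all-zero descriptor; stop there instead of
    // treating the terminator as a real entry when the DLL is not found.
    for (; pDesc->Name != 0; pDesc++)
    {
        szModName = (char *)((PBYTE)hModule + pDesc->Name);
        if (_stricmp(szModName, szDll) == 0)
            return pDesc;
    }
    return NULL;
}

// Replaces the one entry of the IAT array starting at pFirstThunk that holds
// dwTarget with dwReplacement. The slot is made writable only for the write and
// its previous protection is put back afterwards. Returns TRUE if a slot was
// patched, FALSE if none matched or VirtualProtect failed.
static BOOL PatchImportThunk(PIMAGE_THUNK_DATA32 pFirstThunk, DWORD dwTarget, DWORD dwReplacement)
{
    for (pThunk = pFirstThunk; pThunk->u1.Function != 0; pThunk++)
    {
        if (pThunk->u1.Function != dwTarget)
            continue;

        // The IAT may be read-only once the loader has bound it, and
        // VirtualProtect fails when lpflOldProtect is NULL (the original passed
        // 0), so the old value has to be captured for the call to take effect at
        // all -- and to be able to restore it. Only the slot itself needs to be
        // covered; the page-sized 4096 was an overestimate.
        DWORD dwOldProtect = 0;
        if (!VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function), PAGE_READWRITE, &dwOldProtect))
            return FALSE;
        pThunk->u1.Function = dwReplacement;
        VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function), dwOldProtect, &dwOldProtect);
        return TRUE;
    }
    return FALSE;
}

// Console entry point: patches this process's own IAT so the thunk for
// USER32!MessageBoxA points at MYhook, then calls MessageBoxA to show the hook
// taking effect. x86-only (see MYhook and the DWORD address globals).
//
// After the patch the thunk no longer points inside USER32's image -- exactly
// the discrepancy an IAT-integrity check (thunk value vs. GetProcAddress of the
// named export) reports, so this program doubles as a self-test for one.
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
    // initialize MFC and print an error on failure
    if (!AfxWinInit(::GetModuleHandle(NULL), NULL, ::GetCommandLine(), 0))
    {
        _tprintf(_T("Fatal Error: MFC initialization failed\n"));
        return 1;
    }

    HMODULE hInstance = GetModuleHandle(NULL);
    dwHookFun = (DWORD)MYhook;

    // USER32 is already mapped because this image imports it; LoadLibraryA only
    // adds a reference (released below). LoadLibraryA is spelled out so the
    // narrow literal compiles regardless of the _UNICODE setting.
    HMODULE hUser32 = LoadLibraryA("USER32.dll");
    dwHookApiAddr = hUser32 ? (DWORD)GetProcAddress(hUser32, "MessageBoxA") : 0;

    PIMAGE_IMPORT_DESCRIPTOR pUser32Imports = FindImportDescriptor(hInstance, "USER32.dll");
    if (dwHookApiAddr == 0 || pUser32Imports == NULL)
    {
        _tprintf(_T("MessageBoxA import not found; calling it unhooked\n"));
    }
    else
    {
        pImportDesc = pUser32Imports;
        // FirstThunk is the RVA of this DLL's live IAT array. The loader resolved
        // each entry to an export address, so the slot for MessageBoxA is the one
        // equal to what GetProcAddress returned (a forwarded export would not
        // match this way).
        PIMAGE_THUNK_DATA32 pFirstThunk = (PIMAGE_THUNK_DATA32)((PBYTE)hInstance + pUser32Imports->FirstThunk);
        if (!PatchImportThunk(pFirstThunk, dwHookApiAddr, dwHookFun))
            _tprintf(_T("MessageBoxA thunk not patched\n"));
    }

    // Goes through the (possibly patched) import thunk.
    MessageBoxA(0, "这是正常的!", "xicao", 0);

    if (hUser32)
        FreeLibrary(hUser32);
    return 0;
}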

 
