IAT Hook

IAT Hook早就了解过了，但一直没有自己动手实现过；写了个demo却也花了不少时间，记下来备用。

#include <Windows.h>
#include <tchar.h>

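//////////////////////////////////////////////////////////////////////////
// Rewrite one import-address-table slot of hModule: the entry imported
// from lpImageName that currently holds lpOldFunction is set to
// lpNewFunction.
//
// hModule        module whose IAT is patched (e.g. GetModuleHandle(NULL))
// lpImageName    DLL name as it appears in the import directory, compared
//                case-insensitively ("user32.dll")
// lpOldFunction  address the slot holds now (what GetProcAddress returns
//                for the import); used only to find the slot
// lpNewFunction  address stored into the slot
//
// Returns TRUE when a slot was found and rewritten, FALSE otherwise
// (bad arguments, no PE headers, no import directory, DLL or function
// not present in the table, or VirtualProtect failure).
//
// Only the first matching slot of this one module is touched; code that
// reaches the function some other way (a pointer from GetProcAddress, as
// MyMessageBox does) is unaffected. The caller keeps lpNewFunction valid
// for as long as the patch is in place. Nothing here is synchronized;
// presumably the slot is patched before other threads call through it —
// confirm for the caller's situation.
BOOL IATHook(HMODULE hModule, const char* lpImageName, void* lpOldFunction, void* lpNewFunction)
{
    BOOL bRet = FALSE;
    do
    {
        if(NULL == hModule || NULL == lpImageName || NULL == lpOldFunction || NULL == lpNewFunction)
        {
            break;
        }

        PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hModule;
        if(pDosHeader->e_magic != IMAGE_DOS_SIGNATURE || pDosHeader->e_lfanew <= 0)
        {
            break;
        }

        PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)((DWORD_PTR)hModule + pDosHeader->e_lfanew);
        if(pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
        {
            break;
        }

        // A module without imports has an empty directory entry; without
        // this check pDescriptor would point back at the DOS header.
        PIMAGE_DATA_DIRECTORY pImportDir = &pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
        if(pImportDir->VirtualAddress == 0 || pImportDir->Size == 0)
        {
            break;
        }

        // Find the descriptor for lpImageName. The table ends with an
        // all-zero descriptor; Name is set in every real entry, whereas
        // Characteristics/OriginalFirstThunk can be 0 in some images.
        PIMAGE_IMPORT_DESCRIPTOR pDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD_PTR)hModule + pImportDir->VirtualAddress);
        PIMAGE_THUNK_DATA pIATThunk = NULL;
        for(; pDescriptor->Name != 0; ++pDescriptor)
        {
            const char* lpszName = (const char*)((DWORD_PTR)hModule + pDescriptor->Name);
            if(0 == _stricmp(lpszName, lpImageName))
            {
                pIATThunk = (PIMAGE_THUNK_DATA)((DWORD_PTR)hModule + pDescriptor->FirstThunk);
                break;
            }
        }
        if(NULL == pIATThunk)
        {
            break;
        }

        // Walk the resolved IAT until the slot holding lpOldFunction appears.
        // sizeof(u1.Function) is pointer-sized on x86 and x64 alike; the
        // earlier sizeof(DWORD) only covered half of a 64-bit slot.
        for(; pIATThunk->u1.Function != 0; ++pIATThunk)
        {
            if(pIATThunk->u1.Function != (DWORD_PTR)lpOldFunction)
            {
                continue;
            }

            DWORD dwOldProtect = 0;
            if(VirtualProtect(&pIATThunk->u1.Function, sizeof(pIATThunk->u1.Function), PAGE_READWRITE, &dwOldProtect))
            {
                // The page is writable in our own process now, so a plain
                // store is enough; WriteProcessMemory on the pseudo-handle
                // added nothing but an extra failure path.
                pIATThunk->u1.Function = (DWORD_PTR)lpNewFunction;
                DWORD dwIgnored = 0;
                VirtualProtect(&pIATThunk->u1.Function, sizeof(pIATThunk->u1.Function), dwOldProtect, &dwIgnored);
                bRet = TRUE;
            }
            break;
        }
    } while (0);
    return bRet;
}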

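//////////////////////////////////////////////////////////////////////////
// Replacement for MessageBoxW. The signature is spelled with LPCWSTR
// rather than LPCTSTR so it matches the hooked export in every build
// configuration, not only when UNICODE is defined.
typedef int (WINAPI *MESSAGE_BOX)(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType);

// Address of the real MessageBoxW, filled in by _tmain via GetProcAddress.
// MyMessageBox calls through this pointer instead of through the IAT,
// which is why the hook never re-enters itself. Must be set before the
// hook is installed.
MESSAGE_BOX RealMessageBox = NULL;

// Shows a banner box first, then forwards the original call unchanged.
// Returns 0 if RealMessageBox has not been set, otherwise MessageBoxW's
// own result.
int WINAPI MyMessageBox(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType)
{
    if(RealMessageBox == NULL)
    {
        return 0;
    }
    RealMessageBox(NULL, L"In MyMessageBox", L"IATHook", MB_OK);
    return RealMessageBox(hWnd, lpText, lpCaption, uType);
}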

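// Demo entry point: hooks this exe's own MessageBoxW import, triggers it
// once, then restores the slot. Returns 0 in all cases.
int _tmain(int argc, TCHAR* argv[])
{
    (void)argc;
    (void)argv;

    // user32.dll is already mapped because this exe imports MessageBoxW;
    // LoadLibrary only raises its reference count and yields an HMODULE.
    HMODULE hLib = LoadLibrary(_T("user32.dll"));
    if(hLib != NULL)
    {
        // The address the IAT slot currently holds: it is both the value
        // IATHook searches for and the pointer MyMessageBox forwards to.
        RealMessageBox = (MESSAGE_BOX)GetProcAddress(hLib, "MessageBoxW");
        if(RealMessageBox != NULL &&
           IATHook(GetModuleHandle(NULL), "user32.dll", (void*)RealMessageBox, (void*)MyMessageBox))
        {
            // Call MessageBoxW explicitly: the patched slot is the
            // MessageBoxW import, and the MessageBox macro only resolves
            // to it in UNICODE builds.
            MessageBoxW(NULL, L"Real MessageBox", L"IATHook", MB_OK);

            // Put the original address back before releasing the library.
            IATHook(GetModuleHandle(NULL), "user32.dll", (void*)MyMessageBox, (void*)RealMessageBox);
        }
        FreeLibrary(hLib);
    }
    return 0;
}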
