IAT Hook\u65e9\u4e86\u89e3\u8fc7\u4e86\u4e00\u76f4\u6ca1\u6709\u81ea\u5df1\u52a8\u624b\u5b9e\u73b0\u8fc7\uff0c\u5199\u4e86\u4e2ademo\u5374\u4e5f\u82b1\u4e86\u4e0d\u5c11\u65f6\u95f4\uff0c\u8bb0\u4e0b\u6765\u5907\u7528\u3002<\/p>\n
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hModule; PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)(pDosHeader->e_lfanew + (DWORD_PTR)hModule); \/\/ \u4ece\u5bfc\u5165\u8868\u4e2d\u627e\u5230lpImageName\u7684IMAGE_THUNK_DATA \/\/ \u4eceIMAGE_THUNK_DATA\u627e\u5230\u9700\u8981\u66ff\u6362\u7684\u5177\u4f53\u51fd\u6570 \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ int _tmain(int argc, TCHAR* argv[]) IAT Hook\u65e9\u4e86\u89e3\u8fc7\u4e86\u4e00\u76f4\u6ca1\u6709\u81ea\u5df1\u52a8\u624b\u5b9e\u73b0\u8fc7\uff0c\u5199\u4e86\u4e2ademo\u5374\u4e5f\u82b1\u4e86\u4e0d\u5c11\u65f6\u95f4\uff0c\u8bb0\u4e0b\u6765\u5907\u7528\u3002 #includ … <\/p>\n#include <Windows.h>
\n#include <tchar.h><\/code><\/p>\n
\n\/\/ \u7528lpNewFunction\u66ff\u6362hModule\u4e2d\u5bfc\u5165\u7684lpImageName\u7684lpOldFunction
\nBOOL IATHook(HMODULE hModule, char* lpImageName, void* lpOldFunction, void* lpNewFunction)
\n{
\nBOOL bRet = FALSE;
\ndo
\n{
\nif(NULL == hModule || NULL == lpImageName || NULL == lpOldFunction || NULL == lpNewFunction)
\n{
\nbreak;
\n}<\/p>\n
\nif(pDosHeader->e_magic != IMAGE_DOS_SIGNATURE || pDosHeader->e_lfanew <= 0)
\n{
\nbreak;
\n}<\/p>\n
\nif(pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
\n{
\nbreak;
\n}<\/p>\n
\nPIMAGE_IMPORT_DESCRIPTOR pDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)(pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (DWORD_PTR)hModule);
\nPIMAGE_THUNK_DATA pIATThunk = NULL;
\nwhile(pDescriptor->Characteristics != 0)
\n{
\nchar* lpszName = (char*)(pDescriptor->Name + (DWORD_PTR)hModule);
\nif(0 == _stricmp(lpszName, lpImageName))
\n{
\npIATThunk = (PIMAGE_THUNK_DATA)(pDescriptor->FirstThunk + (DWORD_PTR)hModule);
\nbreak;
\n}
\n++pDescriptor;
\n}<\/p>\n
\nif(NULL == pIATThunk)
\n{
\nbreak;
\n}
\nwhile(pIATThunk->u1.Function != 0)
\n{
\nif(pIATThunk->u1.Function == (DWORD_PTR)lpOldFunction)
\n{
\nDWORD dwProtect = 0;
\nif(VirtualProtect(&(pIATThunk->u1.Function), sizeof(DWORD), PAGE_READWRITE, &dwProtect))
\n{
\nbRet = WriteProcessMemory((HANDLE)-1, &(pIATThunk->u1.Function), &lpNewFunction, sizeof(DWORD), NULL);
\nVirtualProtect(&(pIATThunk->u1.Function), sizeof(DWORD), dwProtect, &dwProtect);
\n}
\nbreak;
\n}
\n++pIATThunk;
\n}
\n} while (0);
\nreturn bRet;
\n}<\/p>\n
\n\/\/ \u7528MyMessageBox\u66ff\u6362MessageBoxW
\ntypedef int (WINAPI *MESSAGE_BOX)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
\nMESSAGE_BOX RealMessageBox = NULL;
\nint WINAPI MyMessageBox(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType)
\n{
\nint nRet = 0;
\nif(RealMessageBox != NULL)
\n{
\nRealMessageBox(NULL, _T(“In MyMessageBox”), _T(“IATHook”), MB_OK);
\nnRet = RealMessageBox(hWnd, lpText, lpCaption, uType);
\n}
\nreturn nRet;
\n}<\/p>\n
\n{
\nHMODULE hLib = LoadLibrary(_T(“user32.dll”));
\nif(hLib != NULL)
\n{
\nRealMessageBox = (MESSAGE_BOX)GetProcAddress(hLib, “MessageBoxW”);\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\/\/ \u9700\u8981IAT Hook\u7684\u51fd\u6570\u5730\u5740, \u7528\u4e8e\u5728IAT\u4e2d\u67e5\u627e\u5e76\u66ff\u6362
\nIATHook(GetModuleHandle(NULL), “user32.dll”, RealMessageBox, MyMessageBox);\u00a0\u00a0 \u00a0\/\/ IAT Hook\u672cexe\u6a21\u5757\u4e2d\u7684MessageBoxW
\nMessageBox(NULL, _T(“Real MessageBox”), _T(“IATHook”), MB_OK);
\nFreeLibrary(hLib);
\n}
\nreturn 0;
\n}<\/p>\n","protected":false},"excerpt":{"rendered":"