Ring3 IAT Hook例子
Ring3 IAT Hook例子
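/*
 * Ring3 (user-mode) IAT hook demo.
 *
 * Walks the import directory of the current executable, finds the Import
 * Address Table (IAT) slot that is bound to MessageBoxA and overwrites it
 * with the address of MessageBoxProxy. Calls to MessageBoxA made through
 * this module's IAT afterwards land in the proxy. Only the main module of
 * the current process is modified.
 */

/* These must precede <windows.h>; defined after it they have no effect. */
#define UNICODE
#define _UNICODE

#include <windows.h>
#include <stdio.h>
#include <tchar.h>

PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_NT_HEADERS pNTHeaders;
PIMAGE_OPTIONAL_HEADER pOptHeader;
PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor;
PIMAGE_THUNK_DATA pThunkData;
PIMAGE_IMPORT_BY_NAME pImportByName;
HMODULE hMod;

/*
 * Entry address of the real MessageBoxA, captured before any patching so
 * that the proxy can still reach the original function.
 * NOTE(review): if the toolchain resolves this initializer to a local import
 * thunk instead of the user32 export, the slot comparison in main() never
 * matches. Confirm on the target compiler.
 */
int * addr = (int *)MessageBoxA;

/* Function-pointer type matching the MessageBoxA prototype. */
typedef int (WINAPI *PFNMESSAGEBOX)(HWND, LPCSTR, LPCSTR, UINT uType);

int WINAPI MessageBoxProxy(IN HWND hWnd, IN LPCSTR lpText, IN LPCSTR lpCaption, IN UINT uType);

/* Address of the replacement that is written into the IAT slot. */
int * myaddr = (int *)MessageBoxProxy;

/*
 * Writes `value` into one IAT slot.
 *
 * The page is made writable only for the duration of the write and its
 * previous protection is put back afterwards. Returns TRUE only when the
 * write succeeded and the protection was restored.
 */
static BOOL PatchIatSlot(ULONG_PTR *slot, ULONG_PTR value)
{
    DWORD oldProtect;
    DWORD ignored;
    BOOL written;

    if (!VirtualProtect(slot, sizeof *slot, PAGE_READWRITE, &oldProtect)) {
        return FALSE;
    }

    written = WriteProcessMemory(GetCurrentProcess(), slot, &value, sizeof value, NULL);

    /*
     * lpflOldProtect must be a valid pointer: passing NULL makes the call
     * fail, which would leave the import table page writable.
     */
    if (!VirtualProtect(slot, sizeof *slot, oldProtect, &ignored)) {
        return FALSE;
    }

    return written;
}

/*
 * Installs the hook in the current module and then calls MessageBoxA once
 * as a test. Returns 0 on a normal run and 1 when the PE headers of the
 * module cannot be validated.
 */
int main()
{
    DWORD importRva;

    hMod = GetModuleHandle(NULL);
    if (hMod == NULL) {
        fprintf(stderr, "GetModuleHandle failed: %lu\n", GetLastError());
        return 1;
    }

    /* Validate the headers before trusting any offset read from them. */
    pDosHeader = (PIMAGE_DOS_HEADER)hMod;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        fprintf(stderr, "unexpected DOS signature\n");
        return 1;
    }

    pNTHeaders = (PIMAGE_NT_HEADERS)((BYTE *)hMod + pDosHeader->e_lfanew);
    if (pNTHeaders->Signature != IMAGE_NT_SIGNATURE) {
        fprintf(stderr, "unexpected NT signature\n");
        return 1;
    }

    pOptHeader = (PIMAGE_OPTIONAL_HEADER)&(pNTHeaders->OptionalHeader);
    importRva = pOptHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;

    /* An RVA of 0 means there is no import directory; do not walk from the image base. */
    if (importRva != 0) {
        for (pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((BYTE *)hMod + importRva);
             pImportDescriptor->FirstThunk != 0;
             pImportDescriptor++) {
            const char *dllname = (const char *)((BYTE *)hMod + pImportDescriptor->Name);
            printf("函数模块:%s\n", dllname);

            /*
             * Walk the bound IAT (FirstThunk) directly. It is zero-terminated
             * like the name table, and OriginalFirstThunk may be 0 in some
             * images, so it is not used to drive the loop.
             */
            for (pThunkData = (PIMAGE_THUNK_DATA)((BYTE *)hMod + pImportDescriptor->FirstThunk);
                 pThunkData->u1.Function != 0;
                 pThunkData++) {
                /* Pointer-sized slot: a DWORD/int compare would truncate on 64-bit builds. */
                ULONG_PTR *slot = (ULONG_PTR *)&pThunkData->u1.Function;

                if (*slot != (ULONG_PTR)addr) {
                    continue;
                }

                /*
                 * After this write the slot no longer points into the DLL
                 * named by the descriptor, which is the condition that
                 * import-table integrity checks look for.
                 */
                if (!PatchIatSlot(slot, (ULONG_PTR)myaddr)) {
                    fprintf(stderr, "patching IAT slot failed: %lu\n", GetLastError());
                }
            }
        }
    }

    /* Test call: it goes through the IAT and therefore reaches the proxy. */
    MessageBoxA(NULL, "原函数", "09HookDemo", 0);
    getchar();
    return 0;
}

/*
 * Replacement for MessageBoxA. Ignores the caller's arguments and calls the
 * real function through the saved address with fixed text, which makes the
 * redirection visible in the demo.
 */
int WINAPI MessageBoxProxy(IN HWND hWnd, IN LPCSTR lpText, IN LPCSTR lpCaption, IN UINT uType)
{
    (void)hWnd;
    (void)lpText;
    (void)lpCaption;
    (void)uType;

    /* Call by saved address; going through the IAT again would re-enter this proxy. */
    return ((PFNMESSAGEBOX)addr)(NULL, "Gxter", "Gxter", 0);
}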