使用API-HOOK修改IAT的地址

#include <windows.h>
#include <imagehlp.h>
#include <stdio.h>

#pragma comment(lib, "imagehlp.lib")


/* Referenced by name from MyHook's inline assembly, so they must stay at file scope. */
DWORD dwHookFun = 0;                 /* address of MyHook; main writes it into the IAT slot */
DWORD dwHookApiAddr = 0;             /* address of the real MessageBoxA; MyHook jumps here */
char *szHacked = "my MessageBoxA!";  /* text MyHook injects into the intercepted call */

/* Import-table walking state used by main. */
char *szModName = NULL;              /* name of the DLL currently being examined */
PIMAGE_IMPORT_DESCRIPTOR pImportDesc = NULL;
PIMAGE_THUNK_DATA32 pThunk = NULL;   /* IAT entry being examined / patched */
ULONG uSize = 0;                     /* size of the import directory (out-param) */


/*
 * Hook body that main installs in this module's IAT slot for MessageBoxA.
 * It overwrites one stack argument of the intercepted call with szHacked and
 * then tail-jumps to the real MessageBoxA (dwHookApiAddr); the callee returns
 * straight to the original caller, so MyHook itself never executes ret.
 *
 * 32-bit MSVC inline assembly only. The [esp+12] offset assumes the compiler
 * emitted the usual "push ebp / mov ebp, esp" prologue for MyHook, which makes
 * [ebp+8] the first and [ebp+12] the second argument (lpText) of the hooked
 * call; with frame-pointer omission or a different prologue the offset is
 * wrong and the stack is corrupted -- confirm against the generated code.
 */
void MyHook()
{
__asm
{
mov esp, ebp ; drop MyHook's own frame: esp now points at the saved ebp
push szHacked ; push the pointer value stored in szHacked
pop DWORD PTR[esp + 12];// store it into [esp+12]; pop computes the address after esp is incremented, i.e. [ebp+12]
pop ebp ; restore the caller's frame pointer
jmp dwHookApiAddr ; continue in the real MessageBoxA, which returns to the original caller
}
}


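/*
 * Demonstrates IAT patching inside the current process: the import slot this
 * module uses to reach MessageBoxA is redirected to MyHook, one call is made
 * through it, and the slot is restored before exiting.
 *
 * Returns 0 on success and 1 when USER32.dll cannot be loaded, MessageBoxA
 * cannot be resolved, the import directory or the USER32.dll descriptor is
 * missing, or the IAT entry cannot be made writable. Failures are reported
 * on stderr instead of dereferencing a NULL descriptor.
 */
int main(void)
{
    HMODULE hInstance = GetModuleHandle(NULL);
    HMODULE hUser32 = LoadLibrary(TEXT("USER32.dll"));
    DWORD dwOldProtect = 0;
    DWORD dwOriginal = 0;     /* saved IAT entry, used to undo the patch */
    BOOL bPatched = FALSE;

    if (hUser32 == NULL) {
        fprintf(stderr, "LoadLibrary(USER32.dll) failed: %lu\n", GetLastError());
        return 1;
    }
    dwHookFun = (DWORD)MyHook;
    dwHookApiAddr = (DWORD)GetProcAddress(hUser32, "MessageBoxA");
    if (dwHookApiAddr == 0) {
        fprintf(stderr, "GetProcAddress(MessageBoxA) failed: %lu\n", GetLastError());
        return 1;
    }

    /* Locate the import directory; NULL means there is none (or the headers are bad). */
    pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(hInstance, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &uSize);
    if (pImportDesc == NULL) {
        fprintf(stderr, "ImageDirectoryEntryToData failed: %lu\n", GetLastError());
        return 1;
    }

    /* Find the descriptor for USER32.dll. The name stored in the import table
     * keeps whatever case the linker wrote, so compare case-insensitively. */
    for (; pImportDesc->Name; pImportDesc++) {
        szModName = (char *)((PBYTE)hInstance + pImportDesc->Name);
        if (lstrcmpiA(szModName, "USER32.dll") == 0) {
            break;
        }
    }
    if (pImportDesc->Name == 0) {
        /* The original code fell through here and read FirstThunk from the
         * zero terminator descriptor. */
        fprintf(stderr, "USER32.dll not found in the import table\n");
        return 1;
    }

    /* Walk that DLL's IAT; once the loader has run, each entry holds the
     * resolved function address, so match on the address of MessageBoxA. */
    pThunk = (PIMAGE_THUNK_DATA32)((PBYTE)hInstance + pImportDesc->FirstThunk);
    for (; pThunk->u1.Function; pThunk++) {
        if ((DWORD)pThunk->u1.Function != dwHookApiAddr) {
            continue;
        }
        /* The IAT is typically read-only after loading. Make just this slot
         * writable (VirtualProtect rounds to whole pages), patch it, and put
         * the old protection back instead of leaving the page writable. */
        if (!VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function), PAGE_READWRITE, &dwOldProtect)) {
            fprintf(stderr, "VirtualProtect failed: %lu\n", GetLastError());
            return 1;
        }
        dwOriginal = (DWORD)pThunk->u1.Function;
        pThunk->u1.Function = (PDWORD)dwHookFun;
        VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function), dwOldProtect, &dwOldProtect);
        bPatched = TRUE;
        break;
    }
    if (!bPatched) {
        fprintf(stderr, "MessageBoxA entry not found in the IAT\n");
        return 1;
    }

    /* This call goes through the patched slot, i.e. through MyHook. */
    MessageBoxA(0, "original MessageBoxA", "test", 0);

    /* Undo the patch so nothing else in the process keeps calling the hook. */
    if (VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function), PAGE_READWRITE, &dwOldProtect)) {
        pThunk->u1.Function = (PDWORD)dwOriginal;
        VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function), dwOldProtect, &dwOldProtect);
    } else {
        fprintf(stderr, "VirtualProtect (restore) failed: %lu\n", GetLastError());
    }
    return 0;
}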


结果如下:

