IAT Hook示例

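#include "stdafx.h"

// IAT hook demo, implemented entirely in this file.
// Only the import address table (IAT) of the main executable is patched;
// imports resolved by other loaded modules are left untouched.
//
// NOTE(review): a patched slot is straightforward to detect - an IAT entry
// that points outside the address range of the DLL named by its import
// descriptor is what import-table integrity checks compare against.

#ifdef _WIN64
// Addresses are carried in DWORDs throughout (OnIATHook's signature included),
// which would silently truncate pointers in a 64-bit build.
#error "This IAT hook sample stores addresses in DWORDs and is 32-bit only."
#endif

typedef int (WINAPI *MESSAGEBOXW)(
	_In_opt_ HWND hWnd,
	_In_opt_ LPCWSTR lpText,
	_In_opt_ LPCWSTR lpCaption,
	_In_ UINT uType);

// Original MessageBoxW pointer taken from the IAT slot. OnIATHook stores it
// here (via OldFunAddress) before the slot is overwritten.
MESSAGEBOXW g_MessageBox;

// Replacement installed into the MessageBoxW IAT slot.
// Ignores the caller's text, caption and uType, substitutes fixed strings and
// forwards to the saved original with uType 0.
int WINAPI MyMessageBox(
	_In_opt_ HWND hWnd,
	_In_opt_ LPCWSTR lpText,
	_In_opt_ LPCWSTR lpCaption,
	_In_ UINT uType)
{
	lpText = L"IATHook成功";
	lpCaption = L"哈哈";

	// Without a saved original there is nothing to forward to; calling through
	// a NULL pointer would crash the host. 0 is MessageBoxW's failure value.
	if (g_MessageBox == NULL)
	{
		return 0;
	}
	return g_MessageBox(hWnd, lpText, lpCaption, 0);
}

//************************************
// Function: OnIATHook
// Purpose : Replace one by-name import in the main executable's IAT.
//           Only the exe module's import table is searched.
// Param 1 : szDllName     - imported DLL name (compared case-insensitively)
// Param 2 : szFunName     - imported function name (compared case-insensitively)
// Param 3 : NewFunAddress - address written into the IAT slot
// Param 4 : OldFunAddress - receives the slot's previous value; may be NULL
// Returns : true if the slot was found and rewritten, false otherwise
//************************************
bool OnIATHook(char *szDllName, char *szFunName, DWORD NewFunAddress, DWORD *OldFunAddress)
{
	OutputDebugStringA("开始进行IAThook");

	if (szDllName == NULL || szFunName == NULL)
	{
		return false;
	}

	// 1. Load base of the main executable.
	PBYTE pBuf = (PBYTE)GetModuleHandle(NULL);
	if (pBuf == NULL)
	{
		return false;
	}

	// 2. Locate the import directory, checking the header signatures first so
	//    that offsets are never taken from something that is not a PE image.
	PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)pBuf;
	if (pDos->e_magic != IMAGE_DOS_SIGNATURE)
	{
		return false;
	}
	PIMAGE_NT_HEADERS pNt = (PIMAGE_NT_HEADERS)(pBuf + pDos->e_lfanew);
	if (pNt->Signature != IMAGE_NT_SIGNATURE)
	{
		return false;
	}
	PIMAGE_DATA_DIRECTORY pImportDir =
		&pNt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
	if (pImportDir->VirtualAddress == 0)
	{
		// No import table; an RVA of 0 would make the walk below read the
		// DOS header as if it were import descriptors.
		return false;
	}
	PIMAGE_IMPORT_DESCRIPTOR pImport =
		(PIMAGE_IMPORT_DESCRIPTOR)(pBuf + pImportDir->VirtualAddress);

	// 3. Walk the import descriptors until the requested DLL is found.
	for (; pImport->Name != 0; pImport++)
	{
		char *szImportDllName = (char *)(pBuf + pImport->Name);
		OutputDebugStringA(szImportDllName);
		if (_stricmp(szImportDllName, szDllName) != 0)
		{
			continue;
		}

		OutputDebugStringA("开始寻找函数名");

		// 4. Find the function's index in the import name table (INT).
		//    A descriptor without an INT (OriginalFirstThunk == 0) keeps no
		//    names once the loader has bound the IAT, so it cannot be searched.
		if (pImport->OriginalFirstThunk == 0)
		{
			return false;
		}
		PIMAGE_THUNK_DATA pInt = (PIMAGE_THUNK_DATA)(pBuf + pImport->OriginalFirstThunk);
		PDWORD pIat = (PDWORD)(pBuf + pImport->FirstThunk);

		for (int nLoc = 0; pInt->u1.AddressOfData != 0; nLoc++, pInt++)
		{
			// Imports by ordinal carry no IMAGE_IMPORT_BY_NAME record; the low
			// bits are an ordinal, not an RVA, and must not be dereferenced.
			if (IMAGE_SNAP_BY_ORDINAL(pInt->u1.Ordinal))
			{
				continue;
			}

			OutputDebugStringA("hehe");
			PIMAGE_IMPORT_BY_NAME pName =
				(PIMAGE_IMPORT_BY_NAME)(pBuf + pInt->u1.AddressOfData);
			OutputDebugStringA("输出名称之前");
			OutputDebugStringA((const char *)pName->Name);
			if (_stricmp((const char *)pName->Name, szFunName) != 0)
			{
				continue;
			}

			// 5. Rewrite the matching IAT slot.
			DWORD OldProtect = 0;
			DWORD Ignored = 0;

			// Save the original first: the replacement forwards to it, so it
			// has to be valid before the slot can be reached through the hook.
			if (OldFunAddress != NULL)
			{
				*OldFunAddress = pIat[nLoc];
			}

			OutputDebugStringA("开始修改");
			if (!VirtualProtect(&pIat[nLoc], sizeof(pIat[nLoc]), PAGE_READWRITE, &OldProtect))
			{
				// The page is still read-only; writing would fault.
				return false;
			}
			pIat[nLoc] = NewFunAddress;
			VirtualProtect(&pIat[nLoc], sizeof(pIat[nLoc]), OldProtect, &Ignored);
			OutputDebugStringA("修改完毕");
			return true;
		}

		// DLL matched but the function is not imported by name from it.
		break;
	}
	return false;
}

// DLL entry point: installs the MessageBoxW hook on load and puts the original
// pointer back when the DLL is unloaded with FreeLibrary.
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD  ul_reason_for_call,
                      LPVOID lpReserved)
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		// Report the outcome rather than announcing success before trying.
		if (OnIATHook("user32.dll", "MessageBoxW", (DWORD)MyMessageBox, (DWORD *)&g_MessageBox))
		{
			OutputDebugStringA("Hook成功");
		}
		else
		{
			OutputDebugStringA("Hook失败");
		}
		break;
	case DLL_PROCESS_DETACH:
		// lpReserved == NULL means a dynamic unload: MyMessageBox is about to
		// disappear, so the slot must not keep pointing at it.
		if (lpReserved == NULL && g_MessageBox != NULL)
		{
			OnIATHook("user32.dll", "MessageBoxW", (DWORD)g_MessageBox, NULL);
		}
		break;
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
		break;
	}
	return TRUE;
}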
