HOOK -- IAT HOOK 本进程MessageBox
========================================================================================
結合網上資料、使用IAT HOOK截獲MessageBox函數、、、
步驟如下
1..寫一個自己的MessageBox函數注意調用約定為__stdcall、、
2..定義一MessageBox函數指針如下
    typedef int (__stdcall *pOldMBox)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption,UINT uType);
3..遍歷本進程的導入表尋找MessageBox的地址、、
4..修改MessageBox所在THUNK的地址為自己寫的函數地址、、代碼如下:
#include <windows.h>
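// The hook targets the running executable's own image, so every PE header
// below is read in place from the module base returned by GetModuleHandle(NULL).
HANDLE pBegin = GetModuleHandle(NULL);
PBYTE  pBegin2 = (PBYTE)pBegin;

// NOTE(review): e_magic / NT Signature are not validated before e_lfanew is
// followed; the headers are trusted because they belong to this process's own
// loaded image.
PIMAGE_DOS_HEADER DOS = (PIMAGE_DOS_HEADER)pBegin2;
PIMAGE_NT_HEADERS NT = (PIMAGE_NT_HEADERS)(pBegin2 + DOS->e_lfanew);
PIMAGE_OPTIONAL_HEADER OPTION = &(NT->OptionalHeader);
// Named directory index instead of the bare 1 the original used (entry 1 of
// DataDirectory is the import directory). The RVA would be 0 for an image with
// no imports; this demo imports MessageBoxA, so it is non-zero here.
PIMAGE_IMPORT_DESCRIPTOR IMPORT =
    (PIMAGE_IMPORT_DESCRIPTOR)(pBegin2 + OPTION->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);

// Prototype of the function whose IAT slot is patched. ReAPI looks the slot up
// by the name "MessageBoxA", so this must be built with LPCTSTR == LPCSTR
// (non-UNICODE build); the narrow string literals below assume the same.
typedef int (__stdcall *pOldMBox)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
// Original MessageBoxA address read out of the IAT before the slot is
// overwritten; stays NULL until ReAPI succeeds. HookMBox forwards through it.
pOldMBox pMBox = NULL;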
// Replacement for MessageBoxA that ReAPI writes into this process's IAT.
// Whatever the caller asked for, it shows a fixed "hooked" message through the
// saved original pointer; the caller's text, caption and flags are ignored on
// purpose (that is the demonstration).
//
// Returns whatever the underlying MessageBox call returns.
int __stdcall HookMBox(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType)
{
    // No saved original means ReAPI never patched the IAT (pMBox is assigned
    // before the slot is overwritten), so a plain MessageBox call is all that
    // can be done.
    if (pMBox == NULL) {
        return MessageBox(hWnd, lpText, lpCaption, uType);
    }

    // pMBox is the unhooked MessageBoxA captured from the IAT, so calling it
    // does not come back through this function.
    static const char* const kHookedText = "哈哈! IAT??HOOK到了";
    static const char* const kHookedCaption = "HOOK";
    return pMBox(NULL, kHookedText, kHookedCaption, MB_OK);
}
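// Redirect one import of this process to HookMBox by overwriting its IAT slot.
//
// DllName / FunName: import DLL name and function name, compared
//   case-insensitively against the import descriptor table (e.g. "User32.dll",
//   "MessageBoxA"). Imports by ordinal carry no name and are skipped.
//
// Returns 0 when the slot was patched (pMBox now holds the original address),
// -1 when the DLL or function is not imported or the page protection could
// not be changed. The original always returned 0, so callers that ignore the
// result are unaffected.
//
// Defects fixed relative to the original: the global IMPORT cursor was
// advanced in place, so a second call started mid-table; a missing DLL fell
// through the terminator descriptor and read thunks at RVA 0 (the DOS header);
// the thunk slot was treated as 4 bytes (wrong on x64) and the ordinal flag was
// tested on a truncated DWORD; both VirtualProtect results were ignored and the
// restore call passed a NULL lpflOldProtect, which makes it fail.
int ReAPI(const char* DllName, const char* FunName)
{
    // Walk a local copy of the descriptor cursor so IMPORT keeps pointing at
    // the start of the table.
    PIMAGE_IMPORT_DESCRIPTOR desc = IMPORT;
    while (desc->Name) {
        const char* importedDll = (const char*)(pBegin2 + desc->Name);
        if (0 == strcmpi(DllName, importedDll)) {
            break;
        }
        desc++;
    }
    // A zero Name is the table terminator: the DLL is not imported at all.
    if (0 == desc->Name) {
        return -1;
    }

    // OriginalFirstThunk (names/ordinals) and FirstThunk (resolved addresses,
    // the IAT proper) run in parallel, one entry per imported function.
    PIMAGE_THUNK_DATA pOriginalThunk = (PIMAGE_THUNK_DATA)(pBegin2 + desc->OriginalFirstThunk);
    PIMAGE_THUNK_DATA pFirstThunk = (PIMAGE_THUNK_DATA)(pBegin2 + desc->FirstThunk);

    for (; pOriginalThunk->u1.Function; pOriginalThunk++, pFirstThunk++) {
        // ULONG_PTR keeps the top bit on 64-bit builds; the original DWORD
        // truncated it, so the ordinal test below was wrong there.
        ULONG_PTR ordinal = (ULONG_PTR)pOriginalThunk->u1.Ordinal;
        if ((ordinal & IMAGE_ORDINAL_FLAG) == IMAGE_ORDINAL_FLAG) {
            continue; // imported by ordinal: there is no name to compare
        }
        PIMAGE_IMPORT_BY_NAME pImportByName =
            (PIMAGE_IMPORT_BY_NAME)(pBegin2 + (ULONG_PTR)pOriginalThunk->u1.AddressOfData);
        if (0 != strcmpi(FunName, (const char*)pImportByName->Name)) {
            continue;
        }

        // The IAT slot is exactly one pointer wide (4 bytes on x86, 8 on x64);
        // sizeof(*slot) replaces the hard-coded sizeof(DWORD).
        ULONG_PTR* slot = (ULONG_PTR*)&pFirstThunk->u1.Function;
        DWORD dwOld = 0;
        if (!VirtualProtect(slot, sizeof(*slot), PAGE_READWRITE, &dwOld)) {
            // The IAT page is still read-only; writing to it would fault.
            return -1;
        }
        // Save the genuine MessageBoxA address first so HookMBox can forward
        // to it, then redirect the slot. Only the protection needed for the
        // write is requested (PAGE_READWRITE, not execute), and the previous
        // protection is put back immediately afterwards.
        pMBox = (pOldMBox)*slot;
        *slot = (ULONG_PTR)HookMBox;
        // lpflOldProtect must point at a valid DWORD for the restore to succeed.
        DWORD dwIgnored = 0;
        VirtualProtect(slot, sizeof(*slot), dwOld, &dwIgnored);
        return 0;
    }

    // Every named import of the DLL was checked and none matched.
    return -1;
}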
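// Demo entry point: patch this process's own IAT entry for MessageBoxA, then
// call MessageBox. With the hook in place the call lands in HookMBox, which
// shows its own text instead of the one passed here; if ReAPI did not patch
// anything, the original text ("not hooked") is shown.
//
// Returns 0 when ReAPI reported success, 1 otherwise (the original had no
// explicit return and ignored ReAPI's result).
int main()
{
    int rc = ReAPI("User32.dll", "MessageBoxA");
    MessageBox(NULL, "沒有HOOK到", "HOOK", MB_OK);
    return rc == 0 ? 0 : 1;
}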