#include <windows.h>
#include <imagehlp.h>
#pragma comment(lib, "imagehlp.lib")
/* State shared between main() and the MyHook trampoline. */
DWORD dwHookApiAddr = 0;            /* address of the real MessageBoxA; MyHook jumps here */
DWORD dwHookFun = 0;                /* address of MyHook, written into the IAT slot        */
char *szHacked = "my MessageBoxA!"; /* text MyHook substitutes for the lpText argument     */

/* Scratch used while main() walks this module's import table. */
PIMAGE_IMPORT_DESCRIPTOR pImportDesc = NULL;
PIMAGE_THUNK_DATA32 pThunk = NULL;
char *szModName = NULL;             /* name of the import descriptor currently examined    */
ULONG uSize = 0;                    /* size reported by ImageDirectoryEntryToData()        */
/*
 * IAT hook trampoline for MessageBoxA (x86-32, MSVC inline assembly).
 *
 * main() writes this function's address into the IAT slot of MessageBoxA, so a
 * call made through the import table lands here first.  The body replaces the
 * caller's second argument (lpText) with szHacked and then jumps to the real
 * MessageBoxA at dwHookApiAddr, whose RET returns straight to the original
 * caller.
 *
 * NOTE(review): the stack offsets assume the compiler emitted the usual
 * "push ebp / mov ebp, esp" prologue with no locals or stack checks -- confirm
 * against the generated code (e.g. an unoptimised build).  32-bit only: the
 * DWORD address casts in main() and PIMAGE_THUNK_DATA32 do not apply to x64.
 */
void MyHook()
{
__asm
{
// Undo the prologue so esp points at the saved ebp again.
mov esp, ebp
// Push the pointer held in szHacked, then pop it 12 bytes above esp.  POP with
// an esp-relative operand computes the address after esp is incremented, so
// the target is [ebp+12]: [ebp+4] return address, [ebp+8] hWnd, [ebp+12] lpText.
push szHacked
pop DWORD PTR[esp + 12]; // store the value of szHacked into [esp+12] (lpText)
// Restore the caller's ebp and tail-jump through dwHookApiAddr to the real
// MessageBoxA with the replaced text argument already in place.
pop ebp
jmp dwHookApiAddr
}
}
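/*
 * Demonstration entry point: hooks MessageBoxA in this process's own import
 * address table (IAT), then calls MessageBoxA once to show the effect.
 *
 * Steps: resolve the real MessageBoxA, locate this module's import directory,
 * find the descriptor for USER32.dll, find the IAT entry holding MessageBoxA's
 * address, make that slot writable, replace it with MyHook and restore the old
 * protection.  The change is confined to this process image; afterwards the
 * IAT slot points into this module instead of user32, which is exactly the
 * artifact an IAT integrity check reports.
 *
 * Returns 0 on success and 1 when any lookup fails.  The original listing
 * used dwOldProtect without declaring it, had a mismatched brace that left the
 * MessageBoxA call outside main(), dereferenced the unchecked results of
 * GetProcAddress() / ImageDirectoryEntryToData(), and used the terminating
 * (all-zero) descriptor when USER32.dll was not found.  x86-32 only, see MyHook().
 */
int main(void)
{
    HMODULE hInstance = GetModuleHandle(NULL);
    HMODULE hUser32 = NULL;

    dwHookFun = (DWORD)MyHook;

    /* Real MessageBoxA: MyHook jumps here after patching the argument. */
    hUser32 = LoadLibrary(TEXT("USER32.dll"));
    if (hUser32 == NULL)
    {
        return 1;
    }
    dwHookApiAddr = (DWORD)GetProcAddress(hUser32, "MessageBoxA");
    if (dwHookApiAddr == 0)
    {
        return 1;
    }

    /* Import directory of this module via ImageDirectoryEntryToData(). */
    pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(hInstance, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &uSize);
    if (pImportDesc == NULL)
    {
        return 1;
    }

    /* Find the descriptor of the DLL that exports the function to hook.
     * The descriptor array ends with an all-zero entry (Name == 0). */
    while (pImportDesc->Name)
    {
        szModName = (char *)((PBYTE)hInstance + pImportDesc->Name);
        if (strcmp(szModName, "USER32.dll") == 0)
        {
            break;
        }
        pImportDesc++;
    }
    if (pImportDesc->Name == 0)
    {
        /* Not imported under that exact name: nothing to patch. */
        return 1;
    }

    /* FirstThunk is the RVA of this DLL's IAT: one resolved address per
     * entry, terminated by a zero entry. */
    pThunk = (PIMAGE_THUNK_DATA32)((PBYTE)hInstance + pImportDesc->FirstThunk);
    for (; pThunk->u1.Function; pThunk++)
    {
        if (pThunk->u1.Function == dwHookApiAddr)
        {
            /* The loader leaves the IAT read-only, so the slot must be made
             * writable first.  lpflOldProtect must be a valid pointer or
             * VirtualProtect() fails. */
            DWORD dwOldProtect = 0;
            if (!VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function), PAGE_READWRITE, &dwOldProtect))
            {
                return 1;
            }
            pThunk->u1.Function = dwHookFun;
            /* Best effort: put the original protection back so the page is
             * not left writable. */
            VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function), dwOldProtect, &dwOldProtect);
            break;
        }
    }

    /* Resolved through the patched IAT slot, so this call reaches MyHook. */
    MessageBoxA(0, "original MessageBoxA", "test", 0);
    return 0;
}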
#include <imagehlp.h>
#pragma comment(lib, "imagehlp.lib")
/* State shared between main() and the MyHook trampoline. */
DWORD dwHookApiAddr = 0;            /* address of the real MessageBoxA; MyHook jumps here */
DWORD dwHookFun = 0;                /* address of MyHook, written into the IAT slot        */
char *szHacked = "my MessageBoxA!"; /* text MyHook substitutes for the lpText argument     */

/* Scratch used while main() walks this module's import table. */
PIMAGE_IMPORT_DESCRIPTOR pImportDesc = NULL;
PIMAGE_THUNK_DATA32 pThunk = NULL;
char *szModName = NULL;             /* name of the import descriptor currently examined    */
ULONG uSize = 0;                    /* size reported by ImageDirectoryEntryToData()        */
/*
 * IAT hook trampoline for MessageBoxA (x86-32, MSVC inline assembly).
 *
 * main() writes this function's address into the IAT slot of MessageBoxA, so a
 * call made through the import table lands here first.  The body replaces the
 * caller's second argument (lpText) with szHacked and then jumps to the real
 * MessageBoxA at dwHookApiAddr, whose RET returns straight to the original
 * caller.
 *
 * NOTE(review): the stack offsets assume the compiler emitted the usual
 * "push ebp / mov ebp, esp" prologue with no locals or stack checks -- confirm
 * against the generated code (e.g. an unoptimised build).  32-bit only: the
 * DWORD address casts in main() and PIMAGE_THUNK_DATA32 do not apply to x64.
 */
void MyHook()
{
__asm
{
// Undo the prologue so esp points at the saved ebp again.
mov esp, ebp
// Push the pointer held in szHacked, then pop it 12 bytes above esp.  POP with
// an esp-relative operand computes the address after esp is incremented, so
// the target is [ebp+12]: [ebp+4] return address, [ebp+8] hWnd, [ebp+12] lpText.
push szHacked
pop DWORD PTR[esp + 12]; // store the value of szHacked into [esp+12] (lpText)
// Restore the caller's ebp and tail-jump through dwHookApiAddr to the real
// MessageBoxA with the replaced text argument already in place.
pop ebp
jmp dwHookApiAddr
}
}
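/*
 * Demonstration entry point: hooks MessageBoxA in this process's own import
 * address table (IAT), then calls MessageBoxA once to show the effect.
 *
 * Steps: resolve the real MessageBoxA, locate this module's import directory,
 * find the descriptor for USER32.dll, find the IAT entry holding MessageBoxA's
 * address, make that slot writable, replace it with MyHook and restore the old
 * protection.  The change is confined to this process image; afterwards the
 * IAT slot points into this module instead of user32, which is exactly the
 * artifact an IAT integrity check reports.
 *
 * Returns 0 on success and 1 when any lookup fails.  The original listing
 * dereferenced the unchecked results of GetProcAddress() and
 * ImageDirectoryEntryToData(), used the terminating (all-zero) descriptor
 * when USER32.dll was not found, and left the IAT page writable.
 * x86-32 only, see MyHook().
 */
int main(void)
{
    HMODULE hInstance = GetModuleHandle(NULL);
    HMODULE hUser32 = NULL;

    dwHookFun = (DWORD)MyHook;

    /* Real MessageBoxA: MyHook jumps here after patching the argument. */
    hUser32 = LoadLibrary(TEXT("USER32.dll"));
    if (hUser32 == NULL)
    {
        return 1;
    }
    dwHookApiAddr = (DWORD)GetProcAddress(hUser32, "MessageBoxA");
    if (dwHookApiAddr == 0)
    {
        return 1;
    }

    /* Import directory of this module via ImageDirectoryEntryToData(). */
    pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(hInstance, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &uSize);
    if (pImportDesc == NULL)
    {
        return 1;
    }

    /* Find the descriptor of the DLL that exports the function to hook.
     * The descriptor array ends with an all-zero entry (Name == 0). */
    while (pImportDesc->Name)
    {
        szModName = (char *)((PBYTE)hInstance + pImportDesc->Name);
        if (strcmp(szModName, "USER32.dll") == 0)
        {
            break;
        }
        pImportDesc++;
    }
    if (pImportDesc->Name == 0)
    {
        /* Not imported under that exact name: nothing to patch. */
        return 1;
    }

    /* FirstThunk is the RVA of this DLL's IAT: one resolved address per
     * entry, terminated by a zero entry. */
    pThunk = (PIMAGE_THUNK_DATA32)((PBYTE)hInstance + pImportDesc->FirstThunk);
    for (; pThunk->u1.Function; pThunk++)
    {
        if (pThunk->u1.Function == dwHookApiAddr)
        {
            /* The loader leaves the IAT read-only, so the slot must be made
             * writable first.  lpflOldProtect must be a valid pointer or
             * VirtualProtect() fails. */
            DWORD dwOldProtect = 0;
            if (!VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function), PAGE_READWRITE, &dwOldProtect))
            {
                return 1;
            }
            pThunk->u1.Function = dwHookFun;
            /* Best effort: put the original protection back so the page is
             * not left writable. */
            VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function), dwOldProtect, &dwOldProtect);
            break;
        }
    }

    /* Resolved through the patched IAT slot, so this call reaches MyHook. */
    MessageBoxA(0, "original MessageBoxA", "test", 0);
    return 0;
}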
结果如下: