IAT HOOK及遍历IAT

// ConsoleApplication2.cpp : 定义控制台应用程序的入口点。
//

#include "stdafx.h"
#include <Windows.h>
#include <stdlib.h>

// Function-pointer type with the same signature as MessageBoxA.
typedef int (WINAPI *PFNMESSAGEBOX)(HWND, LPCSTR, LPCSTR, UINT uType);

// Stand-in that runs in place of MessageBoxA once the import table entry
// has been redirected. It shows no dialog: it prints a notice to the
// console and returns 0.
int WINAPI MessageBoxProxy(IN HWND hWnd, IN LPCSTR lpText, IN LPCSTR lpCaption, IN UINT uType)
{
    // The arguments are deliberately ignored; nothing is forwarded to the
    // real MessageBoxA.
    (void)hWnd;
    (void)lpText;
    (void)lpCaption;
    (void)uType;

    printf("MessageBox已经被hook了\n");
    return 0;
}

// Address of the real MessageBoxA; used in _tmain to recognise its slot in
// the import address table.
int *addr = (int *)MessageBoxA;

// Address of the replacement routine that is written into that slot.
int *myaddr = (int *)MessageBoxProxy;

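int _tmain(int argc, _TCHAR* argv[])
{
    // Walks the import directory of the current executable, prints every
    // imported module and function, and redirects this image's own import
    // address table (IAT) slot for MessageBoxA to MessageBoxProxy.
    //
    // Changes relative to the original listing:
    //  - pointer-sized thunk types replace DWORD/int casts, so the walk is
    //    also correct in a 64-bit build;
    //  - imports by ordinal are recognised instead of being read as names;
    //  - a missing import directory or a zero OriginalFirstThunk is handled;
    //  - VirtualProtect results are checked, and the restoring call passes a
    //    valid old-protection pointer. The original passed 0, which makes
    //    VirtualProtect fail and leaves the page writable;
    //  - the unused VirtualQuery call is dropped.
    //
    // Defensive note: an IAT slot that resolves outside the module that
    // exports the function is exactly what integrity checkers and EDR
    // products look for, so this change is visible to such tooling.
    BYTE *pBase = (BYTE *)GetModuleHandle(NULL);
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pBase;
    PIMAGE_NT_HEADERS pNTHeaders = (PIMAGE_NT_HEADERS)(pBase + pDosHeader->e_lfanew);
    PIMAGE_DATA_DIRECTORY pImportDir =
        &pNTHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];

    // An image without imports has a zero RVA here; there is nothing to walk.
    if (pImportDir->VirtualAddress != 0)
    {
        PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor =
            (PIMAGE_IMPORT_DESCRIPTOR)(pBase + pImportDir->VirtualAddress);

        // The descriptor array ends with an all-zero entry.
        for (; pImportDescriptor->FirstThunk; pImportDescriptor++)
        {
            printf("Module Name : %s\n", (char *)(pBase + pImportDescriptor->Name));

            // pIat:   slots the loader filled with resolved addresses.
            // pNames: parallel import name table. It is absent when
            //         OriginalFirstThunk is zero, in which case names cannot
            //         be recovered and only the addresses are inspected.
            PIMAGE_THUNK_DATA pIat =
                (PIMAGE_THUNK_DATA)(pBase + pImportDescriptor->FirstThunk);
            PIMAGE_THUNK_DATA pNames = NULL;
            if (pImportDescriptor->OriginalFirstThunk != 0)
            {
                pNames = (PIMAGE_THUNK_DATA)(pBase + pImportDescriptor->OriginalFirstThunk);
            }

            for (; pIat->u1.Function; pIat++)
            {
                if (pNames != NULL)
                {
                    if (pNames->u1.AddressOfData == 0)
                    {
                        break;  // name table ended before the IAT did
                    }
                    if (IMAGE_SNAP_BY_ORDINAL(pNames->u1.Ordinal))
                    {
                        // Ordinal imports carry no name string to print.
                        printf("Ordinal %u\n", (unsigned)IMAGE_ORDINAL(pNames->u1.Ordinal));
                    }
                    else
                    {
                        PIMAGE_IMPORT_BY_NAME pByName =
                            (PIMAGE_IMPORT_BY_NAME)(pBase + pNames->u1.AddressOfData);
                        printf("%s\n", (char *)pByName->Name);
                    }
                    pNames++;
                }

                if (pIat->u1.Function != (ULONG_PTR)addr)
                {
                    continue;
                }

                // The IAT normally lives in read-only memory: make the slot
                // writable, swap the pointer, then put the protection back.
                DWORD dwOld = 0;
                if (!VirtualProtect(&pIat->u1.Function, sizeof(pIat->u1.Function),
                                    PAGE_READWRITE, &dwOld))
                {
                    printf("VirtualProtect failed: %lu\n", GetLastError());
                    continue;
                }

                pIat->u1.Function = (ULONG_PTR)myaddr;

                // lpflOldProtect must point to a valid DWORD or the call fails.
                DWORD dwUnused = 0;
                if (!VirtualProtect(&pIat->u1.Function, sizeof(pIat->u1.Function),
                                    dwOld, &dwUnused))
                {
                    printf("VirtualProtect restore failed: %lu\n", GetLastError());
                }
            }
        }
    }

    // This call now goes through the patched slot and reaches MessageBoxProxy.
    MessageBoxA(NULL, "messagebox test", "tip", 0);
    system("pause");
    return 0;
}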
