1 #include <stdio.h>
2 #include "MainConsole.h"
3 #include "PEData.h"
4
5
6 int g_iIndexOfMessageBoxWInIAT = -1;
7 DWORD g_dwOldFunAddr{};
8
9 void main()
10 {
11 MessageBoxW(0, L"", L"", 0);
12
13 DWORD dw1 = (DWORD)MyMessageBoxW;
14 int iRes = HookIAT_MessageBoxW("USER32.dll", "MessageBoxW", g_dwOldFunAddr, dw1);
15 if (iRes)
16 {
17 char strErrorText[MAX_PATH] = "HookIAT_MessageBoxW!";
18 sprintf_s(strErrorText, MAX_PATH, "%s %s%x", strErrorText, "ErrorCode:", iRes);
19 MessageBoxA(GetConsoleWindow(), strErrorText, "Error:", MB_ICONERROR);
20 }
21
22 MessageBoxW(0, L"", L"", 0);
23
24 return;
25 }
26
27
28 //****************************************************
29 // Name: HookIAT_MessageBoxW
30 // Func: hook指定函数(修改IAT中的地址)
31 // Args: char * strDllName DLL名
32 // Args: char * strFunNameOrOdinal 函数名
33 // Args: _Out_ DWORD & dwOldFunAddr 被HOOK的函数地址,调用函数后返回
34 // Args: DWORD & dwNewFunAddr HOOK后的地址
35 // RetV: int
36 // return 0; 成功
37 // return 1; 没有找到同名DLL
38 // return 2; 找到的(IAT & INT)RVA无效
39 // return 3; VirtualProtect faild
40 //****************************************************
41 int HookIAT_MessageBoxW(char * strDllName, char * strFunNameOrOdinal, _Out_ DWORD & dwOldFunAddr, DWORD & dwNewFunAddr)
42 {
43 // 1.填充PE ************************************************************
44 DWORD dwMod = (DWORD)GetModuleHandle(NULL);
45 CPEData o((IMAGE_DOS_HEADER*)dwMod);
46
47 // 2.IAT INT ************************************************************
48 IMAGE_IMPORT_DESCRIPTOR* pID = (IMAGE_IMPORT_DESCRIPTOR*)(o.m_pDDT[1].VirtualAddress + dwMod);
49 //如果是找到相同dll
50 BOOL bDllFound{};
51 while (pID->Name)
52 {
53 char* strName = (char*)(pID->Name + dwMod);
54 if (0 == strcmp(strDllName, strName))
55 {
56 bDllFound = TRUE;
57 break;
58 }
59
60 pID++;
61 }
62
63 // return 1; 没有找到同名DLL
64 if (!bDllFound) { return 1; }
65
66 // return 2; 找到的(IAT & INT)RVA无效
67 if (!pID->FirstThunk || !pID->OriginalFirstThunk) { return 2; }
68
69 IMAGE_THUNK_DATA* pIAT = (IMAGE_THUNK_DATA*)(pID->FirstThunk + dwMod);
70 IMAGE_THUNK_DATA* pINT = (IMAGE_THUNK_DATA*)(pID->OriginalFirstThunk + dwMod);
71
72 // 3.找到函数地址 ************************************************************
73 BOOL bIsFunAddrFound{};
74 g_iIndexOfMessageBoxWInIAT = 0;
75 // 如果为0,循环退出,因为IAT结束了
76 while ((pIAT+ g_iIndexOfMessageBoxWInIAT)->u1.Function)
77 {
78 // 最高位为0时,以名称导入
79 if (0 == ((pIAT + g_iIndexOfMessageBoxWInIAT)->u1.Ordinal >> 0x1f))
80 {
81 IMAGE_IMPORT_BY_NAME* pIBN = (IMAGE_IMPORT_BY_NAME*)((pINT + g_iIndexOfMessageBoxWInIAT)->u1.AddressOfData + dwMod);
82 if (0 == strcmp(strFunNameOrOdinal, pIBN->Name)) // 找到函数名
83 {
84 bIsFunAddrFound = TRUE;
85 break;
86 }
87 }
88
89 g_iIndexOfMessageBoxWInIAT++;
90 }
91
92 // 4.保存要修改的函数地址 ************************************************************
93 dwOldFunAddr = (DWORD)(pIAT[g_iIndexOfMessageBoxWInIAT].u1.Function);
94
95 // 4.修改对应函数地址 ************************************************************
96 DWORD dwOldProtect{};
97 if (!VirtualProtect(&pIAT[g_iIndexOfMessageBoxWInIAT].u1.Function, 4, PAGE_READWRITE, &dwOldProtect))
98 { return 3;} // return 3; VirtualProtect faild
99 pIAT[g_iIndexOfMessageBoxWInIAT].u1.Function = dwNewFunAddr;
100 if (!VirtualProtect(&pIAT[g_iIndexOfMessageBoxWInIAT].u1.Function, 4, dwOldProtect, &dwOldProtect))
101 { return 3;} // return 3; VirtualProtect faild
102
103 // 收尾 **********************************************************************
104 return 0;
105 }
106
107 int WINAPI MyMessageBoxW(HWND hWnd, LPCWSTR wcsText, LPCWSTR wcsCaption, UINT uType)
108 {
109 // ::MessageBoxA(hWnd, "", "", uType);
110
111 _asm
112 {
113 push eax;
114
115 {
116 mov eax, [ebp + 0x14];
117 push eax;
118 mov eax, [ebp + 0x10];
119 push eax;
120 mov eax, [ebp + 0x0c];
121 push eax;
122 mov eax, [ebp + 0x8];
123 push eax;
124 call g_dwOldFunAddr; // WINAPI --> __stdcall
125 // add esp, 0x10;
126 }
127
128 pop eax;
129 }
130
131 return 0;
132 }
633
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
