IAT HOOK

已于 2022-01-26 09:06:33 修改
阅读量458 收藏 2
点赞数 2
分类专栏: win32 文章标签: windows
于 2022-01-25 15:49:00 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/azraelxuemo/article/details/122661892
版权

IAT Hook通过修改输入表的地址使应用调用函数的时候跳转到恶意代码区域
这里我们获取到了指定进程的指定dll中导入的指定函数的地址和该IAT的地址,只要把该IAT修改了就可以达到hook的目的

文章目录

远程进程IAT Hook

大概步骤

获取IMAGE_BASE

获取IAT

找到需要修改的IAT位置,保存原始的函数地址,修改为自己定义的函数位置

困难

上述过程看起来很简单,但有需要困难的地方,比如说我们想hook MessageBoxA,hwnd就设置为0,uType设置为数字,但对应的字符串我们需要再远程进程里面分配,这个就比较麻烦,我们不能说一遍下断点一边获取返回值

代码

#include<windows.h>
#include<iostream>
#include<TlHelp32.h>
using  namespace std;
DWORD GetProcessIdByName(WCHAR* FileName) {
	if (!FileName) {
		return 0;
	}
	HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
	if (INVALID_HANDLE_VALUE == hSnapShot) {
		return 0;
	}
	PROCESSENTRY32 p32;
	p32.dwSize = sizeof(p32);
	DWORD ProcessId = 0;
	Process32First(hSnapShot, &p32);
	do {
		if (!wcscmp(p32.szExeFile, FileName)) {
			ProcessId = p32.th32ProcessID;
			break;
		}
	} while (Process32Next(hSnapShot, &p32));
	CloseHandle(hSnapShot);
	return ProcessId;
}
HANDLE GetProcessHandleById(DWORD ProcessId) {
	if (!ProcessId) {
		return 0;
	}
	return OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
}
HANDLE GetProcessHandleByName(WCHAR* FileName) {
	return GetProcessHandleById(GetProcessIdByName(FileName));
}

WCHAR EXE_NAME[] = L"1.exe";
CHAR  WantToHookDllName[] = "USER32.dll";
CHAR WantToHookFunName[] = "MessageBoxA";
DWORD OriginalHookedFunAddress = 0;
LPVOID HookedIATAddress = 0;
HANDLE hProcess = NULL;
DWORD ImageBase = 0;
VOID GetImageBase() {
	BYTE SHELLCODE[] = "\x64\xA1\x30\x00\x00\x00\x8b\x40\x08\xc2\x04\x00";
	LPVOID base_address = VirtualAllocEx(hProcess, NULL, sizeof(SHELLCODE), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	if (!base_address) {
		cout << "分配失败";
		CloseHandle(hProcess);
	}
	if (!WriteProcessMemory(hProcess, base_address, SHELLCODE, sizeof(SHELLCODE), NULL)) {
		cout << "写入失败";
		CloseHandle(hProcess);
	}
	HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)base_address, NULL, 0, NULL);
	if (!hThread) {
		cout << "线程创建失败";
		CloseHandle(hProcess);
	}
	WaitForSingleObject(hThread, INFINITE);
	GetExitCodeThread(hThread, &ImageBase);
	CloseHandle(hThread);
}

DWORD GetImageImportDescriptorRVA() {
	GetImageBase();
	if (!ImageBase) {
		return 0;
	}
	char header[1000];
	if (!ReadProcessMemory(hProcess, (LPCVOID)ImageBase, header, sizeof(header), NULL)) {
		cout << "获取文件内容失败";
		CloseHandle(hProcess);
		return 0;
	}
	PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)header;
	if (pDosHeader->e_magic != 0x5a4d) {
		cout << "不符合Dos文件头";
		CloseHandle(hProcess);
		return 0;
	}
	PIMAGE_NT_HEADERS pPeHeader = (PIMAGE_NT_HEADERS)(header + pDosHeader->e_lfanew);
	if (pPeHeader->Signature != 0x4550) {
		cout << "不是PE文件";
		CloseHandle(hProcess);
		return 0;
	}
	IMAGE_OPTIONAL_HEADER ImageOptionalHeader = (IMAGE_OPTIONAL_HEADER)pPeHeader->OptionalHeader;
	IMAGE_DATA_DIRECTORY ImportTableDataDirectroy = ImageOptionalHeader.DataDirectory[1];
	//这个是RVA
	return ImportTableDataDirectroy.VirtualAddress;
}
int  GetOriginalFuncAddress() {
	DWORD IIDRVA = GetImageImportDescriptorRVA();
	if (!IIDRVA) {
		return 0;
	}
	IMAGE_IMPORT_DESCRIPTOR ImageImportDescriptor;
	int sum = 0;
	char DllName[100];
	while (true) {
		if (!ReadProcessMemory(hProcess, (LPVOID)(IIDRVA + ImageBase + sum * sizeof(ImageImportDescriptor)), &ImageImportDescriptor, sizeof(ImageImportDescriptor), NULL)) {
			cout << "读取IID失败";
			CloseHandle(hProcess);
			return 0;
		}
		if (ImageImportDescriptor.FirstThunk == NULL) {
			break;
		}
		sum++;
		if (!ReadProcessMemory(hProcess, (LPVOID)(ImageImportDescriptor.Name + ImageBase), DllName, sizeof(DllName), NULL)) {
			cout << "DllName读取失败";
			CloseHandle(hProcess);
			return 0;
		}
		if (!strcmp(DllName, WantToHookDllName)) {
			IMAGE_THUNK_DATA INT;
			int all = 0;
			while (true) {
				if (!ReadProcessMemory(hProcess, (LPVOID)(ImageImportDescriptor.OriginalFirstThunk + ImageBase + all * sizeof(INT)), &INT, sizeof(INT), NULL)) {
					cout << "INT读取失败";
					CloseHandle(hProcess);
					return 0;
				}
				if (INT.u1.AddressOfData == NULL) {
					break;
				}
				char INTContent[30];
				if (!ReadProcessMemory(hProcess, (LPVOID)(INT.u1.AddressOfData + ImageBase), &INTContent, sizeof(INTContent), NULL)) {
					cout << "funcName读取失败";
					CloseHandle(hProcess);
					return 0;
				}
				if (!strcmp(WantToHookFunName, INTContent + 2)) {
					IMAGE_THUNK_DATA IAT;
					if (!ReadProcessMemory(hProcess, (LPVOID)(ImageImportDescriptor.FirstThunk + ImageBase + all * sizeof(IAT)), &IAT, sizeof(IAT), NULL)) {
						cout << "IAT读取失败";
						CloseHandle(hProcess);
						return 0;
					}
					if (IAT.u1.Function != (DWORD)GetProcAddress(LoadLibraryA(WantToHookDllName), WantToHookFunName))
					{
						cout << "已经被修改啦";
						return 0;
					}
					OriginalHookedFunAddress = IAT.u1.Function;
					HookedIATAddress = (LPVOID)(ImageImportDescriptor.FirstThunk + ImageBase + all * sizeof(IAT));
				}
				all++;
			}
		}
	}
	return 1;
}
int main() {
	hProcess = GetProcessHandleByName(EXE_NAME);
	if (!hProcess) {
		cout << "没有该进程";
		return 0;
	}
	if (!GetOriginalFuncAddress()) {
		cout << "获取Func地址失败";
		return 0;
	}

	BYTE SHELLCODE2[] = "\x6a\x00\x6a\x00\x6a\x00\x6a\x00\xb8\x70\x36\x76\x76\xff\xd0\xc2\x10\x00";
	LPVOID start_address = VirtualAllocEx(hProcess, 0, sizeof(SHELLCODE2), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	if (!start_address) {
		cout << "分配失败";
		CloseHandle(hProcess);
		return 0;
	}
	if (!WriteProcessMemory(hProcess, start_address, SHELLCODE2, sizeof(SHELLCODE2), NULL)) {
		cout << "写入失败";
		CloseHandle(hProcess);
		return 0;
	}

	DWORD oldProtect;
	if (!VirtualProtectEx(hProcess, HookedIATAddress, 4, PAGE_EXECUTE_READWRITE, &oldProtect)) {
		cout << "IAT权限更改失败";
		CloseHandle(hProcess);
		return 0;
	}
	if (!WriteProcessMemory(hProcess, HookedIATAddress, &start_address, 4, NULL)) {
		cout << "写入失败";
		CloseHandle(hProcess);
		return 0;
	}
	cout << "Hook成功";
	CloseHandle(hProcess);
	return 0;
}

这里面比较关键的就是SHELLCODE2,这里我就push了4个0,然后硬写了原函数的地址,因为kernel32.dll,user32.dll,ntdll这三个的函数地址都是固定不变的,如果你启用了aslr(Address space layout randomization), 他们会在每次重新启动系统的时候随机化一次,但对于所有进程来说,运行时地址一样

DLL IAT HOOK

测试代码

#include<windows.h>
#include<iostream>
using namespace std;

typedef DWORD (WINAPI*lpInstallIATHook)(LPVOID lpParameter);
int main() {
	HMODULE hModule=LoadLibraryA("DllProject.dll");
	int i = 0;
	while (true) {
		i++;
		MessageBoxA(0, "ok", 0, 0);
		if (i == 10) {
			FreeLibrary(hModule);
		}
	}
	return 0;
}

现在大概优化了代码,首先是主代码

#include "Process.h"
int main() {
	hProcess = GetProcessHandleByName(EXE_NAME);
	if (!hProcess) {
		cout << "没有该进程";
		return 0;
	}
	if (!GetOriginalFuncAddress()) {
		return 0;
	}
	CHAR lpText[] = "hacked by bbs";
	LPVOID TextAddress = VirtualAllocEx(hProcess, 0, sizeof(lpText), MEM_COMMIT, PAGE_READWRITE);
	if (!TextAddress) {
		CloseHandle(hProcess);
		return 0;
	}
	if (!WriteProcessMemory(hProcess, TextAddress, lpText, sizeof(lpText), NULL)) {
		CloseHandle(hProcess);
		return 0;
	}
	CHAR lpTitle[] = "bbs nb";
	LPVOID TitleAddress = VirtualAllocEx(hProcess, 0, sizeof(lpTitle), MEM_COMMIT, PAGE_READWRITE);
	if (!TextAddress) {
		CloseHandle(hProcess);
		return 0;
	}
	if (!WriteProcessMemory(hProcess, TitleAddress, lpTitle, sizeof(lpTitle), NULL)) {
		CloseHandle(hProcess);
		return 0;
	}

	int i = 100;
	SHELLCODE shellcode(100);
	shellcode.push(MB_OKCANCEL);
	shellcode.push((DWORD)TitleAddress);
	shellcode.push((DWORD)TextAddress);
	shellcode.push(0);
	shellcode.moveax(OriginalHookedFunAddress);
	shellcode.calleax();
	shellcode.ret(0x10);
	LPVOID start_address = VirtualAllocEx(hProcess, 0, shellcode.now_point, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	if (!start_address) {
		CloseHandle(hProcess);
		return 0;
	}
	if (!WriteProcessMemory(hProcess, start_address, shellcode.shellcode, shellcode.now_point, NULL)) {
		CloseHandle(hProcess);
		return 0;
	}

	DWORD oldProtect;
	if (!VirtualProtectEx(hProcess, HookedIATAddress, 4, PAGE_EXECUTE_READWRITE, &oldProtect)) {
		CloseHandle(hProcess);
		return 0;
	}
	if (!WriteProcessMemory(hProcess, HookedIATAddress, &start_address, 4, NULL)) {
		CloseHandle(hProcess);
		return 0;
	}
	cout << "Hook成功";
	CloseHandle(hProcess);
	return 0;

}

Process.h

#pragma once
#ifndef __Process_HEADER
#define __Process_HEADER
#include<windows.h>
#include<iostream>
#include<TlHelp32.h>
using namespace std;
extern WCHAR EXE_NAME[];
extern CHAR  WantToHookDllName[];
extern CHAR WantToHookFunName[];
extern DWORD OriginalHookedFunAddress;
extern LPVOID HookedIATAddress;
extern HANDLE hProcess;
extern DWORD ImageBase;
DWORD GetProcessIdByName(WCHAR* FileName);
HANDLE GetProcessHandleById(DWORD ProcessId);
HANDLE GetProcessHandleByName(WCHAR* FileName);
BOOL  GetOriginalFuncAddress();
class SHELLCODE {
public:
	int size;
	int now_point;
	BYTE* shellcode;
	SHELLCODE(int size);
	void append(BYTE payload);
	void append(WORD payload);
	void append(DWORD payload);
	void push(LONG payload);
	void moveax(DWORD payload);
	void jmpeax();
	void jmp_eax_();
	void jmp_address_(DWORD payload);
	void calleax();
	void call_eax_();
	void call_address_(DWORD payload);
	void ret(BYTE payload);
};
#endif

Process.c

#include "Process.h"
WCHAR EXE_NAME[] = L"1.exe";
CHAR  WantToHookDllName[] = "USER32.dll";
CHAR WantToHookFunName[] = "MessageBoxA";
DWORD OriginalHookedFunAddress = 0;
LPVOID HookedIATAddress = 0;
HANDLE hProcess = NULL;
DWORD ImageBase = 0;
DWORD GetProcessIdByName(WCHAR* FileName) {
	if (!FileName) {
		return 0;
	}
	HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
	if (INVALID_HANDLE_VALUE == hSnapShot) {
		return 0;
	}
	PROCESSENTRY32 p32;
	p32.dwSize = sizeof(p32);
	DWORD ProcessId = 0;
	Process32First(hSnapShot, &p32);
	do {
		if (!wcscmp(p32.szExeFile, FileName)) {
			ProcessId = p32.th32ProcessID;
			break;
		}
	} while (Process32Next(hSnapShot, &p32));
	CloseHandle(hSnapShot);
	return ProcessId;
}
HANDLE GetProcessHandleById(DWORD ProcessId) {
	if (!ProcessId) {
		return 0;
	}
	return OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
}
HANDLE GetProcessHandleByName(WCHAR* FileName) {
	return GetProcessHandleById(GetProcessIdByName(FileName));
}
VOID GetImageBase() {
	BYTE SHELLCODE[] = "\x64\xA1\x30\x00\x00\x00\x8b\x40\x08\xc2\x04\x00";
	LPVOID base_address = VirtualAllocEx(hProcess, NULL, sizeof(SHELLCODE), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	if (!base_address) {
		cout << "分配失败";
		CloseHandle(hProcess);
	}
	if (!WriteProcessMemory(hProcess, base_address, SHELLCODE, sizeof(SHELLCODE), NULL)) {
		cout << "写入失败";
		CloseHandle(hProcess);
	}
	HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)base_address, NULL, 0, NULL);
	if (!hThread) {
		cout << "线程创建失败";
		CloseHandle(hProcess);
	}
	WaitForSingleObject(hThread, INFINITE);
	GetExitCodeThread(hThread, &ImageBase);
	CloseHandle(hThread);
}
DWORD GetImageImportDescriptorRVA() {
	GetImageBase();
	if (!ImageBase) {
		return 0;
	}
	char header[1000];
	if (!ReadProcessMemory(hProcess, (LPCVOID)ImageBase, header, sizeof(header), NULL)) {
		cout << "获取文件内容失败";
		CloseHandle(hProcess);
		return 0;
	}
	PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)header;
	if (pDosHeader->e_magic != 0x5a4d) {
		cout << "不符合Dos文件头";
		CloseHandle(hProcess);
		return 0;
	}
	PIMAGE_NT_HEADERS pPeHeader = (PIMAGE_NT_HEADERS)(header + pDosHeader->e_lfanew);
	if (pPeHeader->Signature != 0x4550) {
		cout << "不是PE文件";
		CloseHandle(hProcess);
		return 0;
	}
	IMAGE_OPTIONAL_HEADER ImageOptionalHeader = (IMAGE_OPTIONAL_HEADER)pPeHeader->OptionalHeader;
	IMAGE_DATA_DIRECTORY ImportTableDataDirectroy = ImageOptionalHeader.DataDirectory[1];
	//这个是RVA
	return  ImportTableDataDirectroy.VirtualAddress;
}
BOOL  GetOriginalFuncAddress() {
	BOOL flag = 0;
	DWORD IIDRVA=GetImageImportDescriptorRVA();
	if (!IIDRVA) {
		return 0;
	}
	IMAGE_IMPORT_DESCRIPTOR ImageImportDescriptor;
	int sum = 0;
	while (true) {
		if (!ReadProcessMemory(hProcess, (LPVOID)(IIDRVA + ImageBase + sum * sizeof(ImageImportDescriptor)), &ImageImportDescriptor, sizeof(ImageImportDescriptor), NULL)) {
			cout << "读取IID失败";
			CloseHandle(hProcess);
			return 0;
		}
		if (ImageImportDescriptor.FirstThunk == NULL) {
			break;
		}
		sum++;
		char DllName[100];
		if (!ReadProcessMemory(hProcess, (LPVOID)(ImageImportDescriptor.Name + ImageBase), DllName, sizeof(DllName), NULL)) {
			cout << "DllName读取失败";
			CloseHandle(hProcess);
			return 0;
		}
		if (!strcmp(DllName, WantToHookDllName)) {
			IMAGE_THUNK_DATA INT;
			int all = 0;
			while (true) {
				if (!ReadProcessMemory(hProcess, (LPVOID)(ImageImportDescriptor.OriginalFirstThunk + ImageBase + all * sizeof(INT)), &INT, sizeof(INT), NULL)) {
					cout << "INT读取失败";
					CloseHandle(hProcess);
					return 0;
				}
				if (INT.u1.AddressOfData == NULL) {
					break;
				}
				char INTContent[30];
				if (!ReadProcessMemory(hProcess, (LPVOID)(INT.u1.AddressOfData + ImageBase), &INTContent, sizeof(INTContent), NULL)) {
					cout << "funcName读取失败";
					CloseHandle(hProcess);
					return 0;
				}
				if (!strcmp(WantToHookFunName, INTContent + 2)) {
					IMAGE_THUNK_DATA IAT;
					if (!ReadProcessMemory(hProcess, (LPVOID)(ImageImportDescriptor.FirstThunk + ImageBase + all * sizeof(IAT)), &IAT, sizeof(IAT), NULL)) {
						cout << "IAT读取失败";
						CloseHandle(hProcess);
						return 0;
					}
					if (IAT.u1.Function != (DWORD)GetProcAddress(LoadLibraryA(WantToHookDllName), WantToHookFunName))
					{
						cout << "已经被修改啦";
						break;
					}
					flag = 1;
					OriginalHookedFunAddress = IAT.u1.Function;
					HookedIATAddress = (LPVOID)(ImageImportDescriptor.FirstThunk + ImageBase + all * sizeof(IAT));
					break;
				}
				all++;
			}
		}
		if (flag) {
			break;
		}
	}
	return flag;
}
SHELLCODE::SHELLCODE(int size) {
	this->size = size;
	this->now_point = 0;
	this->shellcode = (BYTE*)malloc(sizeof(BYTE)*size);
}
void SHELLCODE::append(BYTE payload) {
	this->shellcode[now_point] = payload;
	this->now_point++;
}
void SHELLCODE::append(WORD payload) {
	this->append(*((BYTE*)&payload));
	this->append(*((BYTE*)&payload + 1));
}
void SHELLCODE::append(DWORD payload) {
	this->append(*((WORD*)&payload));
	this->append(*((WORD*)&payload + 1));
}
void SHELLCODE::push(LONG payload) {
	if (payload >= -128 && payload <= 127) {
		this->append((BYTE)0x6a);
		this->append((BYTE)payload);
	}
	else {
		this->append((BYTE)0x68);
		this->append((DWORD)payload);
	};
}
void SHELLCODE::moveax(DWORD payload) {
	this->append((BYTE)0xb8);
	this->append(payload);
}
void SHELLCODE::jmpeax() {
	this->append((WORD)0xe0ff);
}
void SHELLCODE::jmp_eax_() {
	this->append((WORD)0x20ff);
}
void SHELLCODE::jmp_address_(DWORD payload) {
	this->append((WORD)0x25ff);
	this->append(payload);
}
void SHELLCODE::calleax() {
	this->append((WORD)0xd0ff);
}
void SHELLCODE::call_eax_() {
	this->append((WORD)0x10ff);
}
void SHELLCODE::call_address_(DWORD payload) {
	this->append((WORD)0x15ff);
	this->append(payload);
}
void SHELLCODE::ret(BYTE payload) {
	this->append((BYTE)0xc2);
	this->append(payload);
	this->append((BYTE)0x00);
}

hook之前

在这里插入图片描述

hook之后

在这里插入图片描述
运行环境
在这里插入图片描述

dll代码

dll生命周期 是LoadLibrary和FreeLibrary之间,一般就是下图的结构,一定要注意break break break vs2022默认没有break不知道为啥,不然你每个状态都会卸载,我当时看了半天不知道为啥
在这里插入图片描述

dllmain.h

#pragma once
#include<windows.h>
#include<iostream>
#include<TlHelp32.h>
using  namespace std;
WCHAR EXE_NAME[] = L"1.exe";
CHAR  WantToHookDllName[] = "USER32.dll";
CHAR WantToHookFunName[] = "MessageBoxA";
DWORD OriginalHookedFunAddress = 0;
LPVOID HookedIATAddress = 0;
HANDLE hProcess = NULL;
DWORD ImageBase = 0;
DWORD oldProtect = 0;
int WINAPI MyMessageBoxA(
    _In_opt_ HWND hWnd,
    _In_opt_ LPCSTR lpText,
    _In_opt_ LPCSTR lpCaption,
    _In_ UINT uType);
typedef int (WINAPI *lpMessageBoxA)(
    _In_opt_ HWND hWnd,
    _In_opt_ LPCSTR lpText,
    _In_opt_ LPCSTR lpCaption,
    _In_ UINT uType);
BOOL  GetOriginalFuncAddress(DWORD IIDRVA);
DWORD WINAPI InstallIATHook(LPVOID lpParameter);
DWORD WINAPI UnInstallIATHook(LPVOID lpParameter);

#include "pch.h"
#include <stdio.h>
#include "dllmain.h"
int WINAPI MyMessageBoxA(
    _In_opt_ HWND hWnd,
    _In_opt_ LPCSTR lpText,
    _In_opt_ LPCSTR lpCaption,
    _In_ UINT uType) {
    lpMessageBoxA OldmessageBox = (lpMessageBoxA )OriginalHookedFunAddress;
    OldmessageBox(0, "bbs真可爱", "哈哈", MB_OKCANCEL);
    return 0;
}
BOOL  GetOriginalFuncAddress(DWORD IIDRVA) {
    BOOL flag = 0;
    if (!IIDRVA) {
        return 0;
    }
    int sum = 0;
    while (true) {
        PIMAGE_IMPORT_DESCRIPTOR   pImageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)(IIDRVA + ImageBase + sum * sizeof(IMAGE_IMPORT_DESCRIPTOR));
        if (pImageImportDescriptor->FirstThunk == NULL || flag) {
            break;
        }
        sum++;
        char*  DllName = (char*)(pImageImportDescriptor->Name + ImageBase);
        if (!strcmp(DllName, WantToHookDllName)) {
            int all = 0;
            while (true) {
                PIMAGE_THUNK_DATA pINT =(PIMAGE_THUNK_DATA) (pImageImportDescriptor->OriginalFirstThunk + ImageBase + all * sizeof(IMAGE_THUNK_DATA));
                if (pINT->u1.AddressOfData == NULL) {
                    break;
                }
                char* INTContent = (char*)(pINT->u1.AddressOfData + ImageBase+2);
                if (!strcmp(WantToHookFunName, INTContent)) {
                    PIMAGE_THUNK_DATA pIAT = (PIMAGE_THUNK_DATA)(pImageImportDescriptor->FirstThunk + ImageBase + all * sizeof(IMAGE_THUNK_DATA));
                    if (pIAT->u1.Function != (DWORD)GetProcAddress(LoadLibraryA(WantToHookDllName), WantToHookFunName))
                    {
                        cout << "已经被修改啦";
                        break;
                    }
                    flag = 1;
                    OriginalHookedFunAddress = pIAT->u1.Function;
                    HookedIATAddress = (LPVOID)(pImageImportDescriptor->FirstThunk + ImageBase + all * sizeof(IMAGE_THUNK_DATA));
                    break;
                }
                all++;
            }
        }
    }
    return flag;
}

DWORD WINAPI InstallIATHook(LPVOID lpParameter){
    __asm {
        mov eax, fs: [0x30]
        mov eax, [eax + 0x8]
        mov ImageBase, eax
    }
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)ImageBase;
    if (pDosHeader->e_magic != 0x5a4d) {
        cout << "不符合Dos文件头";
        return 0;
    }
    PIMAGE_NT_HEADERS pPeHeader = (PIMAGE_NT_HEADERS)(ImageBase + pDosHeader->e_lfanew);
    if (pPeHeader->Signature != 0x4550) {
        cout << "不是PE文件";
        return 0;
    }
    PIMAGE_OPTIONAL_HEADER pImageOptionalHeader = &pPeHeader->OptionalHeader;
    PIMAGE_DATA_DIRECTORY pImportTableDataDirectroy =& pImageOptionalHeader->DataDirectory[1];
    if (!GetOriginalFuncAddress(pImportTableDataDirectroy->VirtualAddress)) {
        cout << "获取函数地址失败";
        return 0;
    }

    hProcess = GetCurrentProcess();
    if (!hProcess) {
        cout << "打开失败";
        return 0;
    }
 

    if (!VirtualProtect( HookedIATAddress, 4, PAGE_EXECUTE_READWRITE, &oldProtect)) {
        cout << "IAT权限更改失败";
        CloseHandle(hProcess);
        return 0;
    }
    DWORD tmp = (DWORD) & MyMessageBoxA;
    if (!WriteProcessMemory(hProcess, HookedIATAddress,&tmp, 4, NULL)) {
        cout << "IAT写入失败";
        CloseHandle(hProcess);
        return 0;
    }
    cout << "Hook成功";
    CloseHandle(hProcess);
    return 0;
}

DWORD WINAPI UnInstallIATHook(LPVOID lpParameter) {
    hProcess = GetCurrentProcess();
    if (!hProcess) {
        cout << "打开失败";
        return 0;
    }
    if (!WriteProcessMemory(hProcess, HookedIATAddress, &OriginalHookedFunAddress, 4, NULL)) {
        cout << "ok";
        cout << "IAT写入失败";
        CloseHandle(hProcess);
        return 0;
    }
    if (!VirtualProtectEx(hProcess, HookedIATAddress, 4, oldProtect, &oldProtect)) {
        cout << "IAT权限更改失败";
        CloseHandle(hProcess);
        return 0;
    }
    cout << "Hook结束";
    CloseHandle(hProcess);
    return 0;
}
BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        InstallIATHook(0);
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
     UnInstallIATHook(0);
        break;
    }
    return TRUE;
}

可以看出dll舒服很多不用担心进程之间内存问题,当然可以通过进程共享内存解决,这个我之后试试看

azraelxuemo
关注
  • 2
    点赞
  • 2
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
IAT Hook
Tandy12356_的博客
05-26 1803
本文介绍了如何使用IAT HOOK技术来实现反向支持giegie的目的。
API钩取技术研究(一)—— IAT Hook
m0_55220082的博客
07-12 652
通过修改IAT的方式实现对Notepad的WriteFile()函数钩取,使得保存的文件中所有小写字母变成大写字母。
4.3 IAT Hook 挂钩技术
最新发布
CSDN
09-15 1万+
IAT(Import Address Table)Hook是一种针对Windows操作系统的API Hooking 技术,用于修改应用程序对动态链接库(DLL)中导入函数的调用。IAT是一个数据结构,其中包含了应用程序在运行时使用的导入函数的地址。 IAT Hook的原理是通过修改IAT中的函数指针,将原本要调用的函数指向另一个自定义的函数。这样,在应用程序执行时,当调用被钩子的函数时,实际上会执行自定义的函数。通过IAT Hook,我们可以拦截和修改应用程序的函数调用,以实现一些自定义的行为,比如记录日
IAT HOOK教程.zip
09-25
IAT HOOK教程.zip
IAT hook与inline hook的区别
yshshx的博客
11-24 1782
IAT hook 导入表hook原理:修改导入表中某函数的地址到自己的补丁函数。IATHook 通过GetProcAddress获取目标函数地址 在程序内存中找到所在dll的导入表 查找目标函数地址保存的位置 把地址修改为自己补丁函数 问题:当该函数递归调用时,不会被hook 为解决这个问题,可以使用inline hook inline hook 需要一个代理函数ProxyFunction,调...
基于 IAT hook 的文件隐藏功能 完整代码+报告
01-12
通过 IAT Hook 的方法篡改它们的导入表,使这两个程序查看不到文件系统中指定名称的文件。 三 实验过程 1、主程序 (1)功能:将自己编写的包含有攻击代码的 dll 文件注入到目标进程(本实验选择注入到“cmd.exe”...
C++封装IATHOOK类实例
09-04
在C++编程中,IATHOOK(Import Address Table Hook)是一种技术,用于在运行时拦截和替换函数调用。这通常用于调试、性能分析、插件系统或恶意软件中,以便在程序执行过程中控制或修改特定函数的行为。下面将详细...
VC实现IAT hook例子
10-05
IAT hook是通过修改IAT来实现hook API的方法。本示例展示了完整的IAT hook例子
Hook IAT hookdll资源表
11-21
`IATHook.cpp`是实现部分,而`IATHook.h`是头文件,包含接口声明和必要的类型定义。 4. **API HOOK IAT方法**: 实现Hook IAT有多种方法,包括: - **原地替换法**:直接修改目标进程的IAT,用钩子函数的地址替换...
Native API 和一般 API 的 IAT Hook
09-03
标题中的“Native API 和一般 API 的 IAT Hook”是指在编程中使用钩子技术来拦截和修改系统调用或库函数的行为。IAT(Import Address Table)是Windows操作系统中的一个概念,它存储了程序在运行时如何访问导入的...
Hook进程IAT
u011569253的博客
05-10 633
这两天研究下IAT表的hook,看来很多帖子,也试过很多代码,但是都会遇到一些问题。下面我结合被人的东西还有一些自己修改,写了一个简单的hook IAT表。首先自己写一个IAThook,要先对PE有一定的了解,知道IAT做什么的,IAT在PE文件中的位置,当你有了这些知识之后就可以对IAThook了。这里我就不对IAT表做什么的和PE文件做介绍了。下面介绍一下hook原理,当你要hook一个函数...
系统本身的dll之间也有一大堆iat hook
爱杀之爪的矩阵
08-23 613
<br /><br /> <br />kernel32.dll里面好多的函数其实都是直接转向ntdll.dll里面的<br />这样导致假如一个程序里面使用HeapFree这个函数了,然后在IAT表中这个函数对应的地址并不是在kernel.32中,<br />而是在ntdll.dll 里面的RtlFreeHeap这个函数<br /> <br />没啥意思
检测IAT HOOK----进程内存中的IAT
草原Song
06-01 1244
检测IAT HOOK----进程内存中的IAT        昨天写的是磁盘的IAT.现在是内存的IAT.接着进行比较就可以得到IAT HOOK了用OpenProcess和ReadProcessMemory读取你想读的进程..然后按照PE文件格式来解释读到的数据,lpBase就是读
IAT随便HOOK+反检测方法
kingswb的博客
06-15 3968
IAT检测方法:IAT在指定目标文件的PE结构里面指定了的,我们把自己内存里面做了修改,没有修改目标文件,只要不让目标文件被其他文件映射,读取PE结构和我们内存中修改过的比较,保证能反一切IAT检测。 用法: Code:     HookImage("ZwSetInformationFile",(DWORD)MyZwSetInformationFile);     HookImage(
C# API-Hook / x86
10-15 765
API-Hook是拦截或改变API函数执行的结果技术,百度百 科上有不少注解 但却是IAT-Hook,与本文的Inline-Hook不是 太一至,但是本质作用是相同的 而两种Hook都有各自的优势 与劣势、那么下面我们开始了解什么是Inline-Hook它的原理又 是如何 当然你可以变通的试试(Mem-Hook)内存挂钩 当然我希 望观摩过本帖的开发人员 可以告别EasyHook   
运用Detours库hook API
Gary's Blog --- A C++ programmer
03-23 1298
本文来自CSDN博客:http://blog.csdn.net/vcPlayer/archive/2008/07/20/2681758.aspx  一、Detours库的来历及下载:        Detours库类似于WTL的来历,是由Galen Hunt and Doug Brubacher自己开发出来,于99年7月发表在一篇名为《Detours: Binary Intercept
detours介绍与使用
热门推荐
liujiayu2的专栏
12-23 1万+
Detours是微软开发的一个函数库,可用于捕获系统API。在用其进行程序开发之前,得做一些准备工作: 一.下载Detours      在http://research.microsoft.com/sn/detours 可免费下载Detours 二.安装Detours         一路NEXT 三.生成Detours库         在安装后的文件夹下找不到直接可以拿来用的
memcpy hook
08-27
其中,修改函数代码的方式可以通过Inline hook实现,而修改函数地址的方式可以通过IAT hook、SSDT hook、IRP hook、IDT hook等方法实现。引用中给出了一个使用memcpy函数进行hook的示例代码。在这个示例中,先定义了...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值