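/*
 * Import Address Table (IAT)
 *
 * An imported function is one that the program calls but whose code is not
 * part of the program itself; that code lives in one or more DLLs. When the
 * PE file is loaded into memory, the Windows loader loads those DLLs and
 * binds the instructions that call imported functions to the addresses where
 * the functions actually reside. The import table is what makes this binding
 * possible, and the import address table is the part of it that holds the
 * functions' actual addresses.
 */

// Function-pointer type matching the PeekMessageA prototype.
typedef BOOL (WINAPI* PEEKMESSAGE)
(
    LPMSG lpMsg,
    HWND  hWnd,
    UINT  wMsgFilterMin,
    UINT  wMsgFilterMax,
    UINT  wRemoveMsg
);

// Despite the name, this holds the address of the genuine PeekMessageA,
// captured before any IAT slot is rewritten, so the replacement below can
// still forward to the real implementation.
PEEKMESSAGE FakePeekMessage = (PEEKMESSAGE)PeekMessageA;

// Replacement with the same prototype as PeekMessageA: announces the call,
// then forwards every argument unchanged to the saved original.
// NOTE(review): the message box is modal and is shown on every call; this is
// demonstration behaviour only.
BOOL WINAPI MinePeekMessage
(
    LPMSG lpMsg,
    HWND  hWnd,
    UINT  wMsgFilterMin,
    UINT  wMsgFilterMax,
    UINT  wRemoveMsg
)
{
    AfxMessageBox(_T("你TM是不是调用我啦?"));
    return FakePeekMessage(lpMsg, hWnd, wMsgFilterMin, wMsgFilterMax, wRemoveMsg);
}

// Redirects one IAT slot of an already-loaded module in the current process.
//
// ModuleAddress  - base address of the module whose import table is edited.
// Library        - name of the imported DLL as it appears in the import
//                  descriptor (compared case-insensitively).
// TargetAddress  - address currently stored in the slot (the function to
//                  replace).
// ReplaceAddress - address to store in the slot instead.
//
// Returns TRUE when a matching slot was found and rewritten, FALSE otherwise.
// A message box is shown when the import table cannot be located or the slot
// cannot be modified.
//
// After a successful call the slot holds an address outside the DLL named by
// its descriptor; comparing IAT entries with the owning module's address
// range is how integrity checks typically notice such a redirection.
BOOL ImportAddressTableHook
(
    HMODULE ModuleAddress,
    LPCTSTR Library,
    LPCVOID TargetAddress,
    LPCVOID ReplaceAddress
)
{
    if (ModuleAddress == NULL || Library == NULL)
    {
        AfxMessageBox(_T("获取导入地址表失败!"));
        return FALSE;
    }

    // Byte-wise arithmetic on the image base keeps every RVA computation
    // pointer-sized; casting the base to DWORD would truncate it on 64-bit.
    BYTE* const ImageBase = reinterpret_cast<BYTE*>(ModuleAddress);

    // Validate both signatures before trusting any offset read from the headers.
    const IMAGE_DOS_HEADER* DosHeader =
        reinterpret_cast<const IMAGE_DOS_HEADER*>(ImageBase);
    if (DosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    {
        AfxMessageBox(_T("获取导入地址表失败!"));
        return FALSE;
    }

    // Go through IMAGE_NT_HEADERS instead of a hard-coded "+24" so the
    // optional header is located by the structure definition itself.
    const IMAGE_NT_HEADERS* NtHeaders =
        reinterpret_cast<const IMAGE_NT_HEADERS*>(ImageBase + DosHeader->e_lfanew);
    if (NtHeaders->Signature != IMAGE_NT_SIGNATURE)
    {
        AfxMessageBox(_T("获取导入地址表失败!"));
        return FALSE;
    }

    const IMAGE_DATA_DIRECTORY& ImportDirectory =
        NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (ImportDirectory.VirtualAddress == 0)
    {
        // No import directory: an RVA of 0 would otherwise make the walk
        // below interpret the DOS header as import descriptors.
        AfxMessageBox(_T("获取导入地址表失败!"));
        return FALSE;
    }

    // Find the descriptor of the requested DLL; the array ends with a
    // zeroed entry.
    IMAGE_THUNK_DATA* Thunk = NULL;
    for (const IMAGE_IMPORT_DESCRIPTOR* Descriptor =
             reinterpret_cast<const IMAGE_IMPORT_DESCRIPTOR*>(
                 ImageBase + ImportDirectory.VirtualAddress);
         Descriptor->FirstThunk != 0;
         ++Descriptor)
    {
        // Names in the import table are always ANSI; construct the CString
        // from LPCSTR so UNICODE builds convert it rather than reinterpret
        // the bytes as wide characters. DLL names are not case-sensitive.
        const CString ImportedName(
            reinterpret_cast<LPCSTR>(ImageBase + Descriptor->Name));
        if (ImportedName.CompareNoCase(Library) == 0)
        {
            Thunk = reinterpret_cast<IMAGE_THUNK_DATA*>(
                ImageBase + Descriptor->FirstThunk);
            break;
        }
    }

    if (Thunk == NULL)
    {
        AfxMessageBox(_T("获取导入地址表失败!"));
        return FALSE;
    }

    // Scan the bound addresses of that DLL for the one to replace.
    for (; Thunk->u1.Function != 0; ++Thunk)
    {
        if (Thunk->u1.Function != reinterpret_cast<ULONG_PTR>(TargetAddress))
        {
            continue;
        }

        LPVOID Slot = &Thunk->u1.Function;

        // Open the slot for writing and remember the previous protection.
        DWORD BeforeProtect = 0;
        if (!VirtualProtect(Slot, sizeof(ReplaceAddress), PAGE_READWRITE, &BeforeProtect))
        {
            AfxMessageBox(_T("修改导入地址表失败!"));
            return FALSE;
        }

        // Write a full pointer, not a fixed 4 bytes, so 64-bit slots are
        // replaced completely.
        const BOOL Written = WriteProcessMemory(
            GetCurrentProcess(), Slot, &ReplaceAddress, sizeof(ReplaceAddress), NULL);

        // Restore the original protection on success and on failure alike.
        // VirtualProtect fails when the old-protection pointer is NULL, so a
        // scratch variable is required for the restore to take effect;
        // without it the IAT page would stay writable.
        DWORD Scratch = 0;
        VirtualProtect(Slot, sizeof(ReplaceAddress), BeforeProtect, &Scratch);

        if (!Written)
        {
            AfxMessageBox(_T("修改导入地址表失败!"));
            return FALSE;
        }
        return TRUE;
    }

    // The DLL is imported, but no slot currently holds TargetAddress.
    return FALSE;
}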