防IAT检测方法:IAT在指定目标文件的PE结构里面指定了的,我们把自己内存里面做了修改,没有修改目标文件,只要不让目标文件被其他文件映射,读取PE结构和我们内存中修改过的比较,保证能反一切IAT检测。
用法:
Code:
/* Usage sample from the post. The MyXxx replacement routines are not shown on
 * this page; each call below depends on the HookImage / HookImport / RemoveImage
 * definitions that follow. Order matters: the name string is blanked only after
 * the corresponding address slot has already been redirected. */

/* Redirect three ntdll exports in kernel32's in-memory import table. */
HookImage("ZwSetInformationFile", (DWORD)MyZwSetInformationFile);
HookImage("NtTerminateProcess", (DWORD)MyNtTerminateProcess);
HookImage("NtTerminateThread", (DWORD)MyNtTerminateThread);

/* Redirect the main module's own import of KERNEL32!ExitProcess. */
HookImport("KERNEL32.DLL", "ExitProcess", (DWORD)MyNtTerminateProcess);

/* Zero the "NtTerminateProcess" name string in kernel32's import-name table.
 * NOTE(review): this is an in-process modification of a loader-owned structure;
 * a comparison of the mapped kernel32 image against its on-disk copy (the very
 * check the preamble describes) would see the altered name table. */
RemoveImage("NtTerminateProcess");
Code:
/********************************************
 * Hook a function that the target's kernel32.dll imports from ntdll.dll.
 *
 * szName  : export name in ntdll whose address is currently stored in
 *           kernel32's bound import table (FirstThunk array).
 * Newfunc : address written over that slot.
 *
 * Returns FALSE only when kernel32 has no import directory; returns TRUE
 * whether or not a matching slot was found (no "not found" signal).
 *
 * NOTE(review): only the FIRST import descriptor of kernel32 is walked;
 * pImport->Name is never compared, so the code assumes that descriptor is
 * the ntdll.dll one. Return values of VirtualQuery/VirtualProtect are not
 * checked. The redirected slot now points outside ntdll's image range,
 * which is what a per-slot IAT integrity check (resolve each entry against
 * the owning module's exports) keys on — the disk-vs-memory comparison the
 * preamble mentions is not the only way this is observed.
 ********************************************/
DWORD HookImage(char *szName, DWORD Newfunc)
{
    /* Resolve the genuine address so it can be matched in the thunk array. */
    HMODULE hMod = LoadLibrary("NTDLL");
    DWORD RealAddr = (DWORD)GetProcAddress(hMod, szName);
    UINT Size = 0;
    /* hMod is re-used for the module whose IAT is patched (kernel32). */
    hMod = LoadLibrary("kernel32.dll");
    PIMAGE_IMPORT_DESCRIPTOR pImport = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(hMod, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &Size);
    if (pImport == NULL)
    {
        return FALSE;
    }
    /* First descriptor only — see NOTE above. */
    IMAGE_THUNK_DATA32 *Pthunk = (IMAGE_THUNK_DATA32 *)((DWORD)hMod + pImport->FirstThunk);
    MEMORY_BASIC_INFORMATION mbi;
    VirtualQuery(Pthunk, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
    /* Whole region made writable; the previous protection is parked in mbi.Protect. */
    VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_READWRITE, &mbi.Protect);
    /* Linear scan of the bound IAT until the zero terminator. */
    while (Pthunk->u1.Function)
    {
        if (RealAddr == Pthunk->u1.Function)
        {
            Pthunk->u1.Function = Newfunc;
            break;
        }
        Pthunk++;
    }
    DWORD protect;
    /* Restore the protection captured before the scan. */
    VirtualProtect(mbi.BaseAddress, mbi.RegionSize, mbi.Protect, &protect);
    return TRUE;
}

/********************************************
 * Hook a function in the target program's own import table.
 *
 * szDLL   : import descriptor to select, compared case-insensitively
 *           against each descriptor's Name string.
 * szName  : export of szDLL whose current address is searched for.
 * Newfunc : address written over the matching slot.
 *
 * Returns TRUE in every path actually reachable (see NOTE); FALSE is only
 * returned by a NULL check that cannot fire after the loop.
 *
 * NOTE(review): if szDLL is not present, the while loop stops at the
 * all-zero terminator descriptor. pImport is still non-NULL there, so the
 * check below does not catch it; in the PE format that terminator's
 * FirstThunk is 0, which makes Pthunk alias the module base (DOS header)
 * and the "hook" scan reads it as a thunk array. The first
 * VirtualProtect pair only brackets a read-only _stricmp comparison —
 * nothing is written to the descriptors there. The original comments
 * (translated inline) describe intent, not what the code enforces.
 ********************************************/
DWORD HookImport(char *szDLL, char *szName, DWORD Newfunc)
{
    DWORD protect;
    UINT Size = 0;
    /* NULL = the process's main executable image. */
    HMODULE hMod = GetModuleHandle(NULL);
    MEMORY_BASIC_INFORMATION mbi;
    PIMAGE_IMPORT_DESCRIPTOR pImport = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(hMod, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &Size);
    /* Original: "change memory protection so case conversion can be done" —
     * but _stricmp below does not modify the name, so this is not needed for
     * the comparison. */
    VirtualQuery(pImport, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
    VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_READWRITE, &mbi.Protect);
    /* Find the descriptor whose module name matches szDLL. */
    while (pImport->Name)
    {
        char *pszModName = (char *)((PBYTE)hMod + pImport->Name);
        if (_stricmp(pszModName, szDLL) == 0)
        {
            break;
        }
        pImport++;
    }
    /* Original: "protection change done, restore the previous protection". */
    VirtualProtect(mbi.BaseAddress, mbi.RegionSize, mbi.Protect, &protect);
    /* LoadLibrary result is not checked before GetProcAddress. */
    DWORD RealAddr = (DWORD)GetProcAddress(LoadLibrary(szDLL), szName);
    /* Cannot fire: pImport was already dereferenced above and the loop never
     * sets it to NULL — see NOTE in the header. */
    if (pImport == NULL)
    {
        return FALSE;
    }
    IMAGE_THUNK_DATA32 *Pthunk = (IMAGE_THUNK_DATA32 *)((DWORD)hMod + pImport->FirstThunk);
    /* Original: "change memory protection so the function address can be written". */
    VirtualQuery(Pthunk, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
    VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_READWRITE, &mbi.Protect);
    /* Same slot scan as HookImage: first entry equal to RealAddr is replaced. */
    while (Pthunk->u1.Function)
    {
        if (RealAddr == Pthunk->u1.Function)
        {
            Pthunk->u1.Function = Newfunc;
            break;
        }
        Pthunk++;
    }
    VirtualProtect(mbi.BaseAddress, mbi.RegionSize, mbi.Protect, &protect);
    /* Original: "restore the previous protection". */
    return TRUE;
}

/********************************************
 * Blank the name string of an ntdll function in kernel32's import-name table.
 *
 * szName : exact (case-sensitive, strcmp) import name to zero out.
 *
 * Always returns TRUE.
 *
 * NOTE(review), observed defects in this routine:
 *  - `while (pName)` tests the pointer, which is never NULL after
 *    increment; the loop ends only through `break`, so a name that is not
 *    in the (first descriptor's) table walks past the end of the thunk
 *    array — out-of-bounds reads on loader data.
 *  - `*pName + 2` skips the 2-byte Hint of IMAGE_IMPORT_BY_NAME; there is
 *    no check for the ordinal-import flag, so an ordinal entry would be
 *    treated as an RVA.
 *  - After memset the string is empty, so the restoring VirtualProtect is
 *    called with length 0, and its last argument is `pName` — the thunk
 *    slot itself — so the previous-protection value overwrites the
 *    OriginalFirstThunk entry that was just matched.
 *  - As in HookImage, only the first import descriptor is considered.
 * From a detection standpoint the result is a kernel32 image in this
 * process whose import-name table differs from every other process and
 * from the file on disk.
 ********************************************/
BOOL RemoveImage(char *szName)
{
    HMODULE hMod = LoadLibrary("kernel32.dll");
    UINT Size = 0;
    /* Return value is not NULL-checked before pImport->OriginalFirstThunk. */
    PIMAGE_IMPORT_DESCRIPTOR pImport = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(hMod, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &Size);
    /* Walk the unbound name table (OriginalFirstThunk) of the first descriptor. */
    DWORD *pName = (DWORD *)((DWORD)hMod + pImport->OriginalFirstThunk);
    while (pName)
    {
        /* RVA of IMAGE_IMPORT_BY_NAME, +2 to step over the Hint field. */
        char *pAddr = (char *)(*pName + (DWORD)hMod + 2);
        if (!(strcmp(pAddr, szName)))
        {
            DWORD Protect;
            VirtualProtect(pAddr, strlen(pAddr), PAGE_READWRITE, &Protect);
            memset(pAddr, 0, strlen(pAddr));
            /* strlen(pAddr) is now 0 and pName receives the old protection — see NOTE. */
            VirtualProtect(pAddr, strlen(pAddr), Protect, pName);
            break;
        }
        pName++;
    }
    return TRUE;
}