IATHOOK

Not much here to study. The cause of the problem discussed in class: the IAT holds the addresses of the functions a module imports within the process's 4 GB virtual address space, and MessageBox is one of them, so if the hook function calls MessageBox through the IAT it reaches itself again, an infinite recursion that hangs the thread.

#include <windows.h>
#include <stdio.h>

//Real prototype of MessageBoxA; the hook must match it (stdcall, four arguments).
typedef int (WINAPI *OldFunction)(HWND, LPCSTR, LPCSTR, UINT);

//IATHOOK test function: installed in place of MessageBoxA. It must not call
//MessageBoxA through this module's import table (that slot now points here,
//so the call would recurse until the thread hangs); it resolves the real
//address out of user32.dll with GetProcAddress instead.
int WINAPI NewFunction(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType) {
	HMODULE hModule = GetModuleHandleA("user32.dll");
	if (!hModule) {
		hModule = LoadLibraryA("user32.dll");
		if (!hModule) {
			printf("LoadLibraryA failed: %lu\n", GetLastError());
			return 0;
		}
	}
	OldFunction pOldFunction = (OldFunction)GetProcAddress(hModule, "MessageBoxA");
	if (!pOldFunction) {
		printf("GetProcAddress failed: %lu\n", GetLastError());
		return 0;
	}
	pOldFunction(hWnd, lpText, lpCaption, uType);
	printf("LOVELY BASTARDS\n");
	return 0;
}
//IAT hook: walk this module's import directory and overwrite the IAT slot
//holding pFunAddr (the resolved MessageBoxA) with the address of NewFunction.
VOID IATHook(PVOID pFunAddr) {
	HMODULE hModule = GetModuleHandle(0);
	PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hModule;
	PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)((PBYTE)hModule + pDosHeader->e_lfanew);
	PIMAGE_OPTIONAL_HEADER pOpHeader = &pNTHeader->OptionalHeader;
	DWORD dwImportRva = pOpHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
	if (!dwImportRva) return; //module imports nothing
	PIMAGE_IMPORT_DESCRIPTOR pImport = (PIMAGE_IMPORT_DESCRIPTOR)((PBYTE)hModule + dwImportRva);
	while (pImport->FirstThunk) {
		//after loading, FirstThunk (the IAT) holds the resolved function addresses
		PIMAGE_THUNK_DATA pIAT = (PIMAGE_THUNK_DATA)((PBYTE)hModule + pImport->FirstThunk);
		while (pIAT->u1.Function) {
			if ((PVOID)pIAT->u1.Function == pFunAddr) {
				DWORD dwOld;
				ULONG_PTR pNew = (ULONG_PTR)NewFunction;
				//the IAT page is read-only once loaded; the protection must be changed before writing
				if (!VirtualProtect(pIAT, sizeof(*pIAT), PAGE_READWRITE, &dwOld)) {
					printf("VirtualProtect failed: %lu\n", GetLastError());
					return;
				}
				pIAT->u1.Function = pNew;
				VirtualProtect(pIAT, sizeof(*pIAT), dwOld, &dwOld); //put the old protection back
				//WriteProcessMemory(GetCurrentProcess(), pIAT, &pNew, sizeof(pNew), NULL)
				//is the alternative way of writing the slot
				return;
			}
			pIAT++;
		}
		pImport++;
	}
}

//usage for the test: hook MessageBoxA, then call it through the IAT
int main(void) {
	PVOID pMessageBoxA = (PVOID)GetProcAddress(GetModuleHandleA("user32.dll"), "MessageBoxA");
	IATHook(pMessageBoxA);
	MessageBoxA(NULL, "hooked?", "IATHOOK", MB_OK);
	return 0;
}
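Why the hook above resolves MessageBoxA with GetProcAddress instead of simply calling it, shown as an added example that is not from the original post: a constructed, portable C model of an IAT (an array of named function-pointer slots, no Windows API) in which one hook calls the import by name again and the other calls the address saved before the slot was patched. The names g_iat, call_import, iat_hook and run_hook_experiment are invented for this illustration.

```c
#include <string.h>
/* Constructed stand-in for an IAT: one slot per import, holding the address
 * the loader resolved (a real slot is an IMAGE_THUNK_DATA in FirstThunk). */
typedef int (*import_fn)(const char *text);
struct iat_slot { const char *name; import_fn fn; };
static int real_message_box(const char *text) { (void)text; return 1; }
static int real_beep(const char *text) { (void)text; return 2; }
static struct iat_slot g_iat[] = {
	{ "MessageBoxA", real_message_box }, { "MessageBeep", real_beep },
	{ NULL, NULL }  /* zero terminator, like the last thunk */
};

/* How the program calls an import: an indirect call through its slot. */
static int call_import(const char *name, const char *text) {
	for (struct iat_slot *s = g_iat; s->name; s++)
		if (strcmp(s->name, name) == 0) return s->fn(text);
	return -1;
}
static import_fn g_saved_original; /* resolved before patching, like GetProcAddress */
static int g_depth;                /* times a hook body was entered */

/* Wrong hook: calls MessageBoxA the normal way, which goes through the patched
 * slot and re-enters this function. The cap stands in for the hung thread. */
static int recursive_hook(const char *text) {
	if (++g_depth >= 8) return -2;
	return call_import("MessageBoxA", text);
}

/* Correct hook: calls the address saved before the slot was overwritten. */
static int safe_hook(const char *text) {
	++g_depth;
	return g_saved_original(text);
}

/* Overwrites one slot and returns what it held (NULL if not imported). */
static import_fn iat_hook(const char *name, import_fn replacement) {
	for (struct iat_slot *s = g_iat; s->name; s++)
		if (strcmp(s->name, name) == 0) { import_fn old = s->fn; s->fn = replacement; return old; }
	return NULL;
}

/* Installs hook, makes one call, restores the slot; returns the depth reached. */
static int run_hook_experiment(import_fn hook) {
	g_depth = 0;
	g_saved_original = iat_hook("MessageBoxA", hook);
	call_import("MessageBoxA", "hello");
	iat_hook("MessageBoxA", g_saved_original); /* restore the slot */
	return g_depth;
}
```

The recursive variant runs until the depth cap (8 entries here); the safe variant enters the hook exactly once and the real function returns normally.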