没什么好研究的。课上讲的问题，原因是：IAT 管理着 4GB 虚拟地址空间内导入函数的地址，MessageBox 也在其中；Hook 之后再经由 IAT 调用 MessageBox 就会无限循环递归，造成线程卡死。
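/*
 * IAT hook test function: installed in place of MessageBoxA by IATHook().
 *
 * Receives MessageBoxA's four arguments (hWnd, lpText, lpCaption, uType,
 * all carried as DWORD, so this build is 32-bit only), forwards them to the
 * real MessageBoxA and returns its result, so the hooked caller still gets
 * the original behaviour plus the printf() below.
 *
 * The real function is resolved with GetProcAddress instead of being called
 * by name: a direct call would go through this module's (now patched) IAT
 * slot and re-enter NewFunction forever, hanging the thread.
 *
 * Returns MessageBoxA's return value, or 0 when user32.dll or MessageBoxA
 * cannot be resolved (the failing API is reported with printf()).
 */
DWORD __stdcall NewFunction(DWORD par1, DWORD par2, DWORD par3, DWORD par4) {
    typedef DWORD (__stdcall *OldFunction)(DWORD, DWORD, DWORD, DWORD);

    HMODULE hModule = GetModuleHandleA("user32.dll");
    if (!hModule) {
        /* user32 not yet mapped into this process: load it ourselves. */
        hModule = LoadLibraryA("user32.dll");
        if (!hModule) {
            printf("LoadLibraryA\n");
            return 0;
        }
    }

    /* Resolve the export directly; this bypasses the patched IAT slot. */
    OldFunction pOldFunction = (OldFunction)GetProcAddress(hModule, "MessageBoxA");
    if (!pOldFunction) {
        /* Previously unchecked: a NULL here was called and crashed. */
        printf("GetProcAddress\n");
        return 0;
    }

    DWORD ret = pOldFunction(par1, par2, par3, par4);
    printf("LOVELY BASTARDS\n");
    return ret;
}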
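/*
 * IAT hook: redirect this executable's import of pFunAddr to NewFunction.
 *
 * Walks the main image's import directory (GetModuleHandle(NULL) is the
 * executable itself), looks for the IAT slot that currently holds pFunAddr
 * (the address of the real imported function) and overwrites it with the
 * address of NewFunction. Only the first matching slot is patched, as in the
 * original lesson code; later imports of the same function are untouched.
 *
 * Compared with the earlier version: the DOS/NT headers and the import
 * directory are validated before being dereferenced, thunks are walked via
 * IMAGE_THUNK_DATA so the code is correct on both x86 and x64, the IAT page
 * protection is restored after the write instead of being left writable,
 * and every pointer/integer conversion is explicit.
 *
 * Defender's note: this is the artefact IAT-integrity checks look for — an
 * import slot whose value lies outside the image range of the module that
 * exports the symbol.
 *
 * pFunAddr: address of the imported function to replace (e.g. the value
 *           returned by GetProcAddress for it). NULL is ignored.
 */
VOID IATHook(PBYTE pFunAddr) {
    HMODULE hModule = GetModuleHandle(NULL);
    if (!hModule || !pFunAddr) {
        return;
    }
    DWORD_PTR base = (DWORD_PTR)hModule;

    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hModule;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        printf("bad DOS signature\n");
        return;
    }
    PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)(base + pDosHeader->e_lfanew);
    if (pNTHeader->Signature != IMAGE_NT_SIGNATURE) {
        printf("bad NT signature\n");
        return;
    }

    PIMAGE_DATA_DIRECTORY pDir = &pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (pDir->VirtualAddress == 0 || pDir->Size == 0) {
        /* No import directory: without this check pImport would alias the module base. */
        return;
    }
    PIMAGE_IMPORT_DESCRIPTOR pImport = (PIMAGE_IMPORT_DESCRIPTOR)(base + pDir->VirtualAddress);

    for (; pImport->FirstThunk; pImport++) {
        /* Some linkers leave OriginalFirstThunk zero; the IAT itself then
         * serves as the name table and still ends with a zero entry. */
        DWORD rvaINT = pImport->OriginalFirstThunk ? pImport->OriginalFirstThunk : pImport->FirstThunk;
        PIMAGE_THUNK_DATA pINT = (PIMAGE_THUNK_DATA)(base + rvaINT);
        PIMAGE_THUNK_DATA pIAT = (PIMAGE_THUNK_DATA)(base + pImport->FirstThunk);

        for (; pINT->u1.AddressOfData; pINT++, pIAT++) {
            if (pIAT->u1.Function != (DWORD_PTR)pFunAddr) {
                continue;
            }

            /* The IAT normally lives in a read-only section; the slot must be
             * made writable before it can be patched. */
            DWORD dwOld = 0;
            if (!VirtualProtect(&pIAT->u1.Function, sizeof(pIAT->u1.Function), PAGE_READWRITE, &dwOld)) {
                printf("VirtualProtect\n");
                return;
            }
            pIAT->u1.Function = (DWORD_PTR)NewFunction;
            /* Restore the original protection so the page is not left writable. */
            if (!VirtualProtect(&pIAT->u1.Function, sizeof(pIAT->u1.Function), dwOld, &dwOld)) {
                printf("VirtualProtect (restore)\n");
            }
            return;
        }
    }
}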