(转)修改IAT实现本进程API HOOK

http://www.cppblog.com/gezidan/archive/2011/08/08/152757.html

// IATHook.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include "IATHook.h"
#include <windows.h>  
#include <imagehlp.h>
#pragma comment(lib, "imagehlp.lib")  

#ifdef _DEBUG
#define new DEBUG_NEW
#endif


// The one and only application object

CWinApp theApp;

using namespace std;

//
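// State shared between MYhook() and _tmain().
//
// Everything here is 32-bit x86 only: MYhook() is MSVC inline asm, and DWORD is
// used to carry code addresses and IAT slot values, which only fits a 32-bit
// process. Nothing is thread-safe; the demo installs the hook once from main().
char *                      szModName     = NULL;                 // name of the import descriptor currently being examined
const char *                szHacked      = "不好意思hook到了!";   // text MYhook() substitutes for the caller's lpText (string literal -> must be const)
DWORD                       dwHookFun     = 0;                    // address of MYhook(); this value is written into the IAT slot
DWORD                       dwHookApiAddr = 0;                    // address of the real MessageBoxA; MYhook() tail-jumps here
ULONG                       uSize         = 0;                    // size of the import directory, as reported by ImageDirectoryEntryToData
PIMAGE_IMPORT_DESCRIPTOR    pImportDesc   = NULL;                 // cursor over the import descriptor table (left on the matched module)
PIMAGE_THUNK_DATA32         pThunk        = NULL;                 // cursor over the IAT of the matched module (left on the patched slot)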

//
// IAT detour for MessageBoxA.
//
// _tmain() writes this function's address into the image's IAT slot for
// MessageBoxA, so every call through that slot lands here with the caller's
// stdcall frame already on the stack: [return address][hWnd][lpText][lpCaption][uType].
// The stub overwrites the caller's lpText argument with szHacked and then
// tail-jumps to the real MessageBoxA (dwHookApiAddr), which performs the
// stdcall cleanup and returns straight to the original caller. There is no
// C-level return path: the jmp makes the compiler-generated epilogue unreachable.
//
// NOTE(review): the [ebp+N] offsets assume MSVC emitted the plain x86 prologue
// (push ebp / mov ebp,esp) with no locals, no stack cookie and no frame-pointer
// omission (/Oy). Confirm with a disassembly of the build configuration actually
// shipped; a Release build can silently break this.
// NOTE(review): an IAT slot that points into the image's own code instead of
// into the imported DLL is exactly what IAT-integrity checks flag - expected for
// a demo, but worth knowing if this is used as a building block.
void MYhook()  
{  
    __asm  
    {  
        mov  esp,ebp                ; reset esp to the frame base (drops anything pushed after ebp)
        push szHacked               ; push the replacement text pointer ...
        pop  DWORD PTR [ebp+12]     ; ... into the caller's 2nd argument slot: [ebp+4]=ret, [ebp+8]=hWnd, [ebp+12]=lpText
        pop  ebp                    ; restore the caller's ebp; esp now points at the return address, as on entry
        jmp  dwHookApiAddr          ; tail-jump to the real MessageBoxA - presumably assembled as an indirect jmp through the DWORD variable (TODO confirm)
    }  
} 

//
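// Redirect, in hModule's import address table, the slot that currently holds
// originalAddr (a function imported from dllName) to hookAddr.
//
// Side effects: updates the file-scope cursors pImportDesc / pThunk / szModName
// and uSize the same way the original inline code did, so anything else that
// inspects them after the hook keeps working.
//
// Returns TRUE when exactly one IAT slot was patched; FALSE when the image has
// no import directory, does not import dllName, imports no function at
// originalAddr, or the IAT page could not be made writable.
static BOOL InstallIatHook(HMODULE hModule, const char *dllName, DWORD originalAddr, DWORD hookAddr)
{
    // ImageDirectoryEntryToData returns NULL when the mapped image has no
    // import directory; the original code dereferenced the result unchecked.
    pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(hModule,
        TRUE,
        IMAGE_DIRECTORY_ENTRY_IMPORT,
        &uSize);
    if (pImportDesc == NULL || originalAddr == 0 || hookAddr == 0)
        return FALSE;

    // Locate the import descriptor for dllName. DLL names stored in the import
    // table do not necessarily match the caller's case ("USER32.dll" vs
    // "user32.dll"), so compare case-insensitively.
    for (; pImportDesc->Name; pImportDesc++)
    {
        szModName = (char *)((PBYTE)hModule + pImportDesc->Name);
        if (lstrcmpiA(szModName, dllName) == 0)
            break;
    }
    if (pImportDesc->Name == 0)
        return FALSE;   // the image does not import dllName at all (FirstThunk would be garbage)

    // FirstThunk is the IAT proper: once the loader has run, each entry holds
    // the resolved address, so match on what GetProcAddress returned.
    pThunk = (PIMAGE_THUNK_DATA32)((PBYTE)hModule + pImportDesc->FirstThunk);
    for (; pThunk->u1.Function; pThunk++)
    {
        if (pThunk->u1.Function != originalAddr)
            continue;

        // The loader normally leaves the IAT read-only. Make just this slot's
        // page writable (data, not executable), patch it, then restore the old
        // protection so the process is not left with a permanently writable IAT.
        // VirtualProtect fails when lpflOldProtect is NULL - the original passed 0
        // and ignored the return value, so the write could fault.
        DWORD dwOldProtect = 0;
        if (!VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function),
                            PAGE_READWRITE, &dwOldProtect))
            return FALSE;
        pThunk->u1.Function = hookAddr;
        VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function),
                       dwOldProtect, &dwOldProtect);
        return TRUE;
    }
    return FALSE;   // dllName is imported, but not the function at originalAddr
}

// Demo: hook this process's own import of MessageBoxA, then call MessageBoxA.
// The detour (MYhook) replaces the lpText argument before forwarding to the real
// API. Only this executable's IAT is patched; other modules in the process that
// import MessageBoxA are unaffected.
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
    // initialize MFC and print and error on failure
    if (!AfxWinInit(::GetModuleHandle(NULL), NULL, ::GetCommandLine(), 0))
    {
        // TODO: change error code to suit your needs
        _tprintf(_T("Fatal Error: MFC initialization failed\n"));
        // The original fell through and ran the hook anyway; there is no reason
        // to continue with a half-initialised CWinApp.
        return 1;
    }

    HMODULE hInstance = GetModuleHandle(NULL);   // image base of this executable
    dwHookFun = (DWORD)MYhook;                    // 32-bit only: DWORD holds a code address

    // user32 is already mapped because this image imports MessageBoxA, so this
    // is just a handle lookup. Use the A variant explicitly: the name is narrow.
    HMODULE hUser32 = LoadLibraryA("USER32.dll");
    if (hUser32 == NULL)
    {
        _tprintf(_T("LoadLibraryA(USER32.dll) failed: %lu\n"), GetLastError());
        return 1;
    }
    dwHookApiAddr = (DWORD)GetProcAddress(hUser32, "MessageBoxA");
    if (dwHookApiAddr == 0)
    {
        _tprintf(_T("GetProcAddress(MessageBoxA) failed: %lu\n"), GetLastError());
        return 1;
    }

    // Patch this image's IAT slot for MessageBoxA. If that fails, say so and
    // still show the box: the unhooked text makes the failure visible.
    if (!InstallIatHook(hInstance, "USER32.dll", dwHookApiAddr, dwHookFun))
        _tprintf(_T("IAT hook not installed; MessageBoxA will behave normally\n"));

    // This call goes through the patched IAT slot, so MYhook() sees it.
    MessageBoxA(0, "这是正常的!", "xicao", 0);

    return 0;
}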

 

转载于:https://www.cnblogs.com/himessage/archive/2012/12/20/2826093.html
