#include
<
stdio.h
>
#include
<
windows.h
>
#include
<
Dbghelp.h
>
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
#pragma comment(lib,
"
Dbghelp.lib
"
)
#pragma comment(lib,
"
User32.lib
"
)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
typedef
int
(__stdcall
*
OLD_MessageBox)( HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption,UINT uType );
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
OLD_MessageBox g_procOldMessageBox
=
NULL;
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
int
__stdcall HOOK_MessageBox( HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption,UINT uType)
{
printf("%s\t%d\r\n",__FUNCTION__,__LINE__);
if (NULL != g_procOldMessageBox)
return g_procOldMessageBox(hWnd,lpText,TEXT("不好意思,hook到了!"),uType);
else
return MessageBox(hWnd,lpText,lpCaption,uType); ;
}
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
int
replace_IAT(
const
char
*
pDllName,
const
char
*
pApiName,
void
**
OldApiAddr,
void
*
NewApiAddr,
bool
bReplace)
{
HANDLE hProcess = ::GetModuleHandle (NULL);
DWORD dwSize = 0;
PIMAGE_IMPORT_DESCRIPTOR pImageImport = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(hProcess,TRUE,
IMAGE_DIRECTORY_ENTRY_IMPORT,&dwSize);
if (NULL == pImageImport)
return 1;
PIMAGE_IMPORT_BY_NAME pImageImportByName = NULL;
PIMAGE_THUNK_DATA pImageThunkOriginal = NULL;
PIMAGE_THUNK_DATA pImageThunkReal = NULL;
while (pImageImport->Name)
{
if (0 == lstrcmpiA((char*)((PBYTE)hProcess+pImageImport->Name),pDllName))
{
break;
}
++pImageImport;
}
if (! pImageImport->Name)
return 2;
pImageThunkOriginal = (PIMAGE_THUNK_DATA)((PBYTE)hProcess+pImageImport->OriginalFirstThunk );
pImageThunkReal = (PIMAGE_THUNK_DATA)((PBYTE)hProcess+pImageImport->FirstThunk );
while (pImageThunkOriginal->u1.Function)
{
if ((pImageThunkOriginal->u1.Ordinal & IMAGE_ORDINAL_FLAG) != IMAGE_ORDINAL_FLAG)
{
pImageImportByName = (PIMAGE_IMPORT_BY_NAME)((PBYTE)hProcess+pImageThunkOriginal->u1.AddressOfData );
if (0 == lstrcmpiA(pApiName,(char*)pImageImportByName->Name))
{
MEMORY_BASIC_INFORMATION mbi_thunk;
VirtualQuery(pImageThunkReal, &mbi_thunk, sizeof(MEMORY_BASIC_INFORMATION));
VirtualProtect(mbi_thunk.BaseAddress,mbi_thunk.RegionSize, PAGE_READWRITE, &mbi_thunk.Protect);
if (true == bReplace)
{
*OldApiAddr = (void*)pImageThunkReal->u1.Function;
pImageThunkReal->u1.Function = (DWORD)(NewApiAddr);
}
else
{
pImageThunkReal->u1.Function = (DWORD)(*OldApiAddr);
*OldApiAddr = NULL;
}
DWORD dwOldProtect;
VirtualProtect(mbi_thunk.BaseAddress, mbi_thunk.RegionSize, mbi_thunk.Protect, &dwOldProtect);
break;
}
}
++pImageThunkOriginal;
++pImageThunkReal;
}
return 0;
}
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
int
_tmain(
int
argc, _TCHAR
*
argv[])
{
replace_IAT("User32.dll","MessageBoxW",(void**)&g_procOldMessageBox,HOOK_MessageBox,true);
MessageBox(NULL,TEXT("EnumIAT User32.dll MessageBoxW true;"),TEXT(""),MB_OK);
replace_IAT("User32.dll","MessageBoxW",(void**)&g_procOldMessageBox,HOOK_MessageBox,false);
MessageBox(NULL,TEXT("EnumIAT User32.dll MessageBoxW false;"),TEXT("UnHook!"),MB_OK);
return getchar();
![](https://www.cnblogs.com/Images/OutliningIndicators/InBlock.gif)
return 0;
}
转载于:https://www.cnblogs.com/vcerror/p/4289244.html