APIHOOK

#include  < stdio.h >
#include  < windows.h >
#include  < Dbghelp.h >

#pragma comment(lib, " Dbghelp.lib " )
#pragma comment(lib, " User32.lib " )

typedef  int  (__stdcall  * OLD_MessageBox)( HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption,UINT uType );

OLD_MessageBox g_procOldMessageBox  =  NULL;

int  __stdcall HOOK_MessageBox( HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption,UINT uType)
{
    printf("%s\t%d\r\n",__FUNCTION__,__LINE__);
    if (NULL != g_procOldMessageBox)
        return g_procOldMessageBox(hWnd,lpText,TEXT("不好意思,hook到了!"),uType); 
    else
    return MessageBox(hWnd,lpText,lpCaption,uType); ;
}

int  replace_IAT( const   char   * pDllName, const   char   * pApiName, void   **  OldApiAddr, void   *  NewApiAddr, bool  bReplace)
{
    HANDLE hProcess = ::GetModuleHandle (NULL);
    DWORD dwSize = 0;
    PIMAGE_IMPORT_DESCRIPTOR pImageImport = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(hProcess,TRUE,
        IMAGE_DIRECTORY_ENTRY_IMPORT,&dwSize);
    if (NULL == pImageImport)
        return 1;
    PIMAGE_IMPORT_BY_NAME pImageImportByName = NULL;
    PIMAGE_THUNK_DATA pImageThunkOriginal = NULL;
    PIMAGE_THUNK_DATA pImageThunkReal = NULL;
    while (pImageImport->Name)
    {
        if (0 == lstrcmpiA((char*)((PBYTE)hProcess+pImageImport->Name),pDllName))
        {
            break;
        }
        ++pImageImport;
    }
    if (! pImageImport->Name)
        return 2;
    pImageThunkOriginal = (PIMAGE_THUNK_DATA)((PBYTE)hProcess+pImageImport->OriginalFirstThunk );
    pImageThunkReal = (PIMAGE_THUNK_DATA)((PBYTE)hProcess+pImageImport->FirstThunk );
    while (pImageThunkOriginal->u1.Function)
    {
        if ((pImageThunkOriginal->u1.Ordinal & IMAGE_ORDINAL_FLAG) != IMAGE_ORDINAL_FLAG)
        {
            pImageImportByName = (PIMAGE_IMPORT_BY_NAME)((PBYTE)hProcess+pImageThunkOriginal->u1.AddressOfData );
            if (0 == lstrcmpiA(pApiName,(char*)pImageImportByName->Name))
            {
                MEMORY_BASIC_INFORMATION mbi_thunk;
                VirtualQuery(pImageThunkReal, &mbi_thunk, sizeof(MEMORY_BASIC_INFORMATION)); 
                VirtualProtect(mbi_thunk.BaseAddress,mbi_thunk.RegionSize, PAGE_READWRITE, &mbi_thunk.Protect); 
                if (true == bReplace)
                {
                    *OldApiAddr = (void*)pImageThunkReal->u1.Function; 
                    pImageThunkReal->u1.Function = (DWORD)(NewApiAddr);
                }
                else
                   {
                    pImageThunkReal->u1.Function = (DWORD)(*OldApiAddr);
                        *OldApiAddr  = NULL;
                    }
                DWORD dwOldProtect; 
                VirtualProtect(mbi_thunk.BaseAddress, mbi_thunk.RegionSize, mbi_thunk.Protect, &dwOldProtect); 
                break;
            }
        }
        ++pImageThunkOriginal;
        ++pImageThunkReal;
    }
    return 0;
}

int  _tmain( int  argc, _TCHAR *  argv[])
{
    
    replace_IAT("User32.dll","MessageBoxW",(void**)&g_procOldMessageBox,HOOK_MessageBox,true);
    MessageBox(NULL,TEXT("EnumIAT User32.dll MessageBoxW true;"),TEXT(""),MB_OK);
    replace_IAT("User32.dll","MessageBoxW",(void**)&g_procOldMessageBox,HOOK_MessageBox,false);
    MessageBox(NULL,TEXT("EnumIAT User32.dll MessageBoxW false;"),TEXT("UnHook!"),MB_OK);
    return getchar();

    return 0;
}

转载于:https://www.cnblogs.com/vcerror/p/4289244.html