Visual leak Detact 模块导出函数替代

最新推荐文章于 2022-07-22 01:10:36 发布

KHacker_001

最新推荐文章于 2022-07-22 01:10:36 发布

阅读量735

点赞数

分类专栏： Windows核心编程 Memory leak

本文链接：https://blog.csdn.net/yinhaijing123/article/details/8914352

版权

Windows核心编程同时被 2 个专栏收录

24 篇文章 0 订阅

订阅专栏

Memory leak

6 篇文章 0 订阅

订阅专栏

1、将模块当中制定的函数通过自己定义的函数替代，主要学习如果通过IAT表查找系统函数，并将其替换为自己的函数。
BOOL PatchImport (HMODULE importmodule, moduleentry_t *module)

{

//参数1 - 模块的句柄，HMODULE kernel32 = GetModuleHandleW(L"kernel32.dll");

// 参数2 替代函数信息 moduleentry_t ntdllPatch [] = {
// "ntdll.dll", NULL, ldrLoadDllPatch,
// };

HMODULE exportmodule = (HMODULE)module->moduleBase;
if (exportmodule == NULL)

return FALSE;

IMAGE_IMPORT_DESCRIPTOR *idte;
IMAGE_SECTION_HEADER *section;
ULONG size;
// 为导入模块找到导出模块的IDT表，导入模块可能含有多个iat表，每个iat表含有对于的api地址再里面，遍历所有的iat表格，找到我们关心的函数，替换成我们想要hook的函数。
g_imageLock.Enter();
__try

{

// typedef struct _IMAGE_IMPORT_DESCRIPTOR {
// union {
// DWORD Characteristics; // 0 for terminating null import descriptor
// DWORD OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
// } DUMMYUNIONNAME;
// DWORD TimeDateStamp; // 0 if not bound,
// -1 if bound, and real date\time stamp
// in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
// O.W. date/time stamp of DLL bound to (Old BIND)
//DWORD ForwarderChain; // -1 if no forwarders
// DWORD Name;
// DWORD FirstThunk; // RVA to IAT (if bound this IAT has actual addresses)
//} IMAGE_IMPORT_DESCRIPTOR;
typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED *PIMAGE_IMPORT_DESCRIPTOR;

idte = (IMAGE_IMPORT_DESCRIPTOR*)ImageDirectoryEntryToDataEx((PVOID)importmodule, TRUE,
IMAGE_DIRECTORY_ENTRY_IMPORT, &size, &section);
}
__except(FilterFunction(GetExceptionCode()))
{
idte = NULL;
}
g_imageLock.Leave();
if (idte == NULL) {
// This module has no IDT (i.e. it imports nothing).
return FALSE;
}
int result = 0;
while (idte->FirstThunk != 0x0) {
PCHAR name = (PCHAR)R2VA(importmodule, idte->Name);
UNREFERENCED_PARAMETER(name);
//替换表当中包含我们所有想要替换的函数
patchentry_t *entry = module->patchTable;
int i = 0;
while(entry->importName)

{

//导入函数

LPCSTR importname = entry->importName;

// hook函数名

LPCVOID replacement = entry->replacement;
// Get the *real* address of the import. If we find this address in the IAT,
// then we've found the entry that needs to be patched.
FARPROC import2 = VisualLeakDetector::_RGetProcAddress(exportmodule, importname);
FARPROC import = GetProcAddress(exportmodule, importname);
if ( import2 )
import = import2;
// Perhaps the named export module does not actually export the named import?
if (import == NULL)
{
entry++; i++;
continue;
}
// Locate the import's IAT entry.
IMAGE_THUNK_DATA *iate = (IMAGE_THUNK_DATA*)R2VA(importmodule, idte->FirstThunk);
while (iate->u1.Function != 0x0)
{
if (iate->u1.Function != (DWORD_PTR)import)
{
iate++;
continue;
}
// Found the IAT entry. Overwrite the address stored in the IAT
// entry with the address of the replacement. Note that the IAT
// entry may be write-protected, so we must first ensure that it is
// writable.
if ( import != replacement )
{
if (entry->original != NULL)
*entry->original = (LPVOID)iate->u1.Function;
//亮点，这边hook我们想要的函数。
DWORD protect;
VirtualProtect(&iate->u1.Function, sizeof(iate->u1.Function), PAGE_EXECUTE_READWRITE, &protect);
iate->u1.Function = (DWORD_PTR)replacement;
VirtualProtect(&iate->u1.Function, sizeof(iate->u1.Function), protect, &protect);
}
// The patch has been installed in the import module.
result++;
iate++;
}
entry++; i++;
}
idte++;
}
// The import's IAT entry was not found. The importing module does not
// import the specified import.
return result > 0;
}

KHacker_001

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
Visual leak Detact 模块导出函数替代

1、将模块当中制定的函数通过自己定义的函数替代，主要学习如果通过IAT表查找系统函数，并将其替换为自己的函数。BOOL PatchImport (HMODULE importmodule, moduleentry_t *module){//参数1 - 模块的句柄，HMODULE kernel32 = GetModuleHandleW(L"kernel32.dll");// 参数
复制链接

扫一扫