//修改IAT实现本进程API HOOK
//coded by robinh00d*inh4ss*<p0prxx@gmail.com>
//QQ:530222815
//MSN:Robinh00d@263.net
// 参考了《Hooking Windows API》By Holy_Father From 29A#7
#include <stdio.h>
#include <windows.h>
#include <Dbghelp.h>
#pragma comment(lib,"Dbghelp.lib")
/************************************************************/
char *szHookModName = "USER32.dll" ;   // import descriptor name searched for in this image's import directory
char *szHookFunName = "MessageBoxA" ;  // export whose IAT slot is redirected to Hooked()
char *szModName = NULL ;               // scratch: name of the import descriptor currently being examined
char *szHacked = "MessageBoxA() has been hooked!" ;  // text that Hooked() substitutes for the lpText argument
DWORD dwHookFun ;                      // address of Hooked(), the value written into the IAT slot
DWORD dwHookApiAddr ;                  // real address of MessageBoxA: matched against IAT slots, jumped to by Hooked()
DWORD *dwCurAddr ;                     // IAT slot currently examined / patched (32-bit slots only)
DWORD dwOldProtect ;                   // receives the previous page protection from the restoring VirtualProtect
PIMAGE_IMPORT_DESCRIPTOR pImportDesc ; // cursor over the import descriptor array
PIMAGE_THUNK_DATA32 pImageThunkData ;  // cursor over the module's FirstThunk (IAT) array; x86-32 layout
MEMORY_BASIC_INFORMATION mbi ;         // region info for the IAT page, filled by VirtualQuery
ULONG uSize ;                          // size of the import directory, reported by ImageDirectoryEntryToData
/************************************************************/
// Replacement installed in this image's IAT slot for MessageBoxA.
//
// The patched call site does `call [IAT slot]`, so on entry the stack is what
// MessageBoxA itself would see: [esp] = caller's return address, followed by
// hWnd, lpText, lpCaption, uType. The asm relies on the compiler emitting only
// the standard `push ebp / mov ebp,esp` prologue (MSVC, x86-32; no frame-pointer
// omission or stack checks) -- TODO confirm the build settings.
void Hooked()
{
__asm
{
mov esp,ebp             // drop whatever the prologue reserved below ebp
push szHacked           // pointer value of szHacked
pop DWORD PTR [ebp+12]  // overwrite the 2nd argument (lpText); [ebp+8] is hWnd, [ebp+4] the caller's return address
pop ebp                 // restore the caller's ebp; esp now points at the original return address
jmp dwHookApiAddr       // tail-jump to the real MessageBoxA, which returns directly to the original caller
}
}
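// Entry point: redirects this image's IAT slot for USER32!MessageBoxA to
// Hooked(), then calls MessageBoxA once so the substituted text is visible.
//
// hInstance doubles as the image base used to resolve RVAs. Only x86-32 images
// are handled (IMAGE_THUNK_DATA32 / DWORD slots, and Hooked() is x86 inline asm).
// Returns 0 on success, -1 if USER32.dll, MessageBoxA, the import directory or
// the IAT slot cannot be resolved or patched. Diagnostics go to stdout, which is
// only visible when a console is attached.
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
    PBYTE pImageBase = (PBYTE)hInstance ;
    DWORD dwRestored = 0 ;  // scratch output for the restoring VirtualProtect
    (void)hPrevInstance ;
    (void)lpCmdLine ;
    (void)nShowCmd ;

    HMODULE hUser32 = LoadLibrary(szHookModName) ;
    if (hUser32 == NULL)
    {
        printf("Load User32.dll failed!\n") ;
        return -1 ;
    }
    dwHookFun = (DWORD)Hooked ;
    dwHookApiAddr = (DWORD)GetProcAddress(hUser32,szHookFunName) ;
    if (dwHookApiAddr == 0)
    {
        printf("GetProcAddress(%s) failed!\n", szHookFunName) ;
        return -1 ;
    }

    pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(hInstance,
                                                                      TRUE,
                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT,
                                                                      &uSize) ;
    if (pImportDesc == NULL)
    {
        printf("No import directory in this image!\n") ;
        return -1 ;
    }

    // Find the import descriptor of the module that exports the target
    // function. The array ends with an all-zero descriptor (Name == 0).
    // Module names are compared case-insensitively, as the loader does.
    while(pImportDesc->Name)
    {
        szModName = (char *)(pImageBase+pImportDesc->Name) ;
        if (lstrcmpiA(szModName,szHookModName)==0)
        {
            break ;
        }
        pImportDesc++ ;
    }
    if (pImportDesc->Name == 0)
    {
        // Without this check the terminator descriptor's FirstThunk (0) would be
        // used as an IAT and the DOS header would be walked as thunk data.
        printf("%s is not imported by this image!\n", szHookModName) ;
        return -1 ;
    }

    // Walk that module's IAT (FirstThunk array). After the loader has run, each
    // slot holds the resolved function address, so match by address.
    pImageThunkData = (PIMAGE_THUNK_DATA32)(pImageBase+pImportDesc->FirstThunk) ;
    while(pImageThunkData->u1.Function)
    {
        dwCurAddr = &pImageThunkData->u1.Function ;
        if (*dwCurAddr == dwHookApiAddr)
        {
            // Make only the slot writable (VirtualProtect rounds up to the
            // containing page), patch it, then put the old protection back.
            if (!VirtualProtect(dwCurAddr,sizeof(*dwCurAddr),PAGE_READWRITE,&dwOldProtect))
            {
                printf("VirtualProtect failed: %lu\n", GetLastError()) ;
                return -1 ;
            }
            *dwCurAddr = dwHookFun ;
            if (!VirtualProtect(dwCurAddr,sizeof(*dwCurAddr),dwOldProtect,&dwRestored))
            {
                printf("Restoring page protection failed: %lu\n", GetLastError()) ;
            }
            break ;
        }
        pImageThunkData++ ;
    }
    if (pImageThunkData->u1.Function == 0)
    {
        printf("%s not found in the IAT of %s!\n", szHookFunName, szHookModName) ;
        return -1 ;
    }

    // Call through the (now patched) IAT slot; Hooked() replaces the text.
    MessageBoxA(0,"NOT HOOKED!","robinh00d/[Inh4ss]",0) ;
    return 0 ;
}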