S.l.e!ep.¢%

像打了激速一样,以四倍的速度运转,开心的工作
简单、开放、平等的公司文化;尊重个性、自由与个人价值;
posts - 1098, comments - 335, trackbacks - 0, articles - 1
  C++博客 :: 首页 :: 新随笔 :: 联系 :: 聚合  :: 管理

修改IAT实现API HOOK

Posted on 2010-07-01 14:57 S.l.e!ep.¢% 阅读(671) 评论(0)  编辑 收藏 引用 所属分类: RootKit
Robinh00d @ 2006-05-10 16:35

//修改IAT实现本进程API HOOK
//coded by robinh00d*inh4ss*<p0prxx@gmail.com>
//QQ:530222815
//MSN:Robinh00d@263.net
// 参考了《Hooking Windows API》By Holy_Father From 29A#7
#include <stdio.h>
#include <windows.h>
#include <Dbghelp.h>

#pragma comment(lib,"Dbghelp.lib")

/************************************************************/
char *szHookModName = "USER32.dll" ;
char *szHookFunName = "MessageBoxA" ;
char *szModName = NULL ;
char *szHacked = "MessageBoxA() has been hooked!" ;
DWORD dwHookFun ;
DWORD dwHookApiAddr ;
DWORD *dwCurAddr ;
DWORD dwOldProtect ;
PIMAGE_IMPORT_DESCRIPTOR pImportDesc ;
PIMAGE_THUNK_DATA32 pImageThunkData ;
MEMORY_BASIC_INFORMATION mbi ;
ULONG uSize ;
/************************************************************/

void Hooked()
{
 __asm
 {
  mov  esp,ebp
  push szHacked
  pop  DWORD PTR [ebp+12]
  pop  ebp
  jmp dwHookApiAddr
 }
}

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
 HMODULE hUser32 = LoadLibrary(szHookModName) ;
 
 if (hUser32 == NULL)
 {
  printf("Load User32.dll failed!\n") ;
  return -1 ;
 }
 dwHookFun = (DWORD)Hooked ;

 dwHookApiAddr = (DWORD)GetProcAddress(hUser32,szHookFunName) ;

 pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(hInstance,
                 TRUE,
                 IMAGE_DIRECTORY_ENTRY_IMPORT,
                 &uSize) ;
 //找到要HOOK的函数所在的模块
 while(pImportDesc->Name)
 {
  szModName = (char *)((PBYTE)hInstance+pImportDesc->Name) ;
  if (strcmp(szModName,szHookModName)==0)
  {
   break ; 
  }
  pImportDesc++ ;
 }
 pImageThunkData = (PIMAGE_THUNK_DATA32)((PBYTE)hInstance+pImportDesc->FirstThunk) ;
 
 while(pImageThunkData->u1.Function)
 {
  dwCurAddr = &pImageThunkData->u1.Function ;
  if (*dwCurAddr == dwHookApiAddr)
  {
   VirtualQuery(dwCurAddr,&mbi,sizeof(MEMORY_BASIC_INFORMATION)) ;
   VirtualProtect(mbi.BaseAddress,mbi.RegionSize,PAGE_READWRITE,&mbi.Protect) ;
   
   *dwCurAddr = dwHookFun ;
   VirtualProtect(mbi.BaseAddress,mbi.RegionSize,mbi.Protect,&dwOldProtect) ;
   break ;
  }
  pImageThunkData++ ;
 }
 //要hook这个API
 MessageBoxA(0,"NOT HOOKED!","robinh00d/[Inh4ss]",0) ;

 return 0 ;
}


只有注册用户登录后才能发表评论。
网站导航: 博客园   IT新闻   BlogJava   博问   Chat2DB   管理