EAT/IAT Hook
生活随笔
收集整理的這篇文章主要介紹了
EAT/IAT Hook
小編覺得挺不錯的,現(xiàn)在分享給大家,幫大家做個參考.
標(biāo) 題:?EAT/IAT Hook
作 者: Y4ng
時 間: 2013-08-21
鏈 接:?http://www.cnblogs.com/Y4ng/p/EAT_IAT_HOOK.html?
#include <windows.h> #include <shlwapi.h> #include <wchar.h> DWORD MyZwGetContextThread(HANDLE Thread,LPCONTEXT lpContext) {memset(lpContext,0,sizeof(CONTEXT));return 0; } DWORD MyZwSetContextThread(HANDLE Thread,LPCONTEXT lpContext) {memset(lpContext,0,sizeof(CONTEXT));return 0; } /********************************************************** IAT Hook :掛鉤目標(biāo)輸入表中的函數(shù)地址 參數(shù): char *szDLLName 函數(shù)所在的DLL char *szName 函數(shù)名字 void *Addr 新函數(shù)地址 ***********************************************************/ DWORD IATHook(char *szDLLName,char *szName,void *Addr) {DWORD Protect;HMODULE hMod=LoadLibrary(szDLLName);DWORD RealAddr=(DWORD)GetProcAddress(hMod,szName);hMod=GetModuleHandle(NULL);IMAGE_DOS_HEADER * DosHeader =(PIMAGE_DOS_HEADER)hMod;IMAGE_OPTIONAL_HEADER * Opthdr =(PIMAGE_OPTIONAL_HEADER)((DWORD)hMod+DosHeader->e_lfanew+24);IMAGE_IMPORT_DESCRIPTOR *pImport =(IMAGE_IMPORT_DESCRIPTOR*)((BYTE*)DosHeader+Opthdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); if(pImport==NULL){return FALSE;} IMAGE_THUNK_DATA32 *Pthunk=(IMAGE_THUNK_DATA32*)((DWORD)hMod+pImport->FirstThunk);while(Pthunk->u1.Function){if(RealAddr==Pthunk->u1.Function){VirtualProtect(&Pthunk->u1.Function,0x1000,PAGE_READWRITE,&Protect);Pthunk->u1.Function=(DWORD)Addr;break;}Pthunk++;}return TRUE; } /********************************************************** EAT Hook :掛鉤目標(biāo)輸出表中的函數(shù)地址 ***********************************************************/ BOOL EATHook(char *szDLLName,char *szFunName,DWORD NewFun) {DWORD addr=0;DWORD index=0;HMODULE hMod=LoadLibrary(szDLLName);DWORD Protect;IMAGE_DOS_HEADER * DosHeader =(PIMAGE_DOS_HEADER)hMod;IMAGE_OPTIONAL_HEADER * Opthdr =(PIMAGE_OPTIONAL_HEADER)((DWORD)hMod+DosHeader->e_lfanew+24);PIMAGE_EXPORT_DIRECTORY Export =(PIMAGE_EXPORT_DIRECTORY)((BYTE*)DosHeader+ Opthdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);PULONG pAddressOfFunctions =(ULONG*)((BYTE*)hMod+Export->AddressOfFunctions); PULONG pAddressOfNames =(ULONG*)((BYTE*)hMod+Export->AddressOfNames); PUSHORT pAddressOfNameOrdinals=(USHORT*)((BYTE*)hMod+Export->AddressOfNameOrdinals); for (int i=0;i <Export->NumberOfNames; i++) {index=pAddressOfNameOrdinals[i];char *pFuncName = (char*)( (BYTE*)hMod + pAddressOfNames[i]);if (_stricmp( (char*)pFuncName,szFunName) == 0){addr=pAddressOfFunctions[index];break;}}VirtualProtect(&pAddressOfFunctions[index],0x1000,PAGE_READWRITE,&Protect);pAddressOfFunctions[index] =(DWORD)NewFun - (DWORD)hMod;return TRUE; } BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, PVOID pvReserved) {if (dwReason == DLL_PROCESS_ATTACH){DisableThreadLibraryCalls(hModule);IATHook("kernel32.dll","ExitProcess",MyZwGetContextThread);//GetProcAddress(LoadLibrary("ntdll.dll"),"NtSetInformationFile"); /** Test EAT HOOK **///ExitThread(0); /** Test IAT HOOK**/ }return TRUE; }轉(zhuǎn)自鄧韜
轉(zhuǎn)載于:https://www.cnblogs.com/Y4ng/p/EAT_IAT_HOOK.html
總結(jié)
以上是生活随笔為你收集整理的EAT/IAT Hook的全部內(nèi)容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: EPSON ME office 700F
- 下一篇: 【课程总结】软件工程经济学简答题总结