• EAT/IAT Hook


    标 题: EAT/IAT Hook

    作 者: Y4ng

    时 间: 2013-08-21

    链 接: http://www.cnblogs.com/Y4ng/p/EAT_IAT_HOOK.html 

    #include <windows.h>
    #include <shlwapi.h>
    #include <wchar.h>
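    /*
     * Replacement for ntdll!ZwGetContextThread (NtGetContextThread).
     *
     * Instead of reporting the thread's real register state it zeroes the
     * caller's entire CONTEXT (ContextFlags included) and reports success
     * (NTSTATUS 0). Every caller in the process that reaches the hooked entry
     * sees the zeroed context, not only a debugger; the page does not state
     * the intended use beyond demonstrating the hook.
     *
     * Declared NTAPI (stdcall on x86) so the calling convention matches the
     * function it replaces; a hook with the wrong convention unbalances the
     * stack on the first call through it.
     *
     * Thread     ignored.
     * lpContext  caller's CONTEXT buffer. NULL is rejected with
     *            STATUS_ACCESS_VIOLATION instead of faulting inside the hook.
     * Returns    0 (STATUS_SUCCESS) after zeroing, or STATUS_ACCESS_VIOLATION.
     */
    DWORD NTAPI MyZwGetContextThread(HANDLE Thread, LPCONTEXT lpContext)
    {
        (void)Thread;
        if (lpContext == NULL) {
            return STATUS_ACCESS_VIOLATION;
        }
        ZeroMemory(lpContext, sizeof(*lpContext));
        return 0;
    }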
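    /*
     * Replacement for ntdll!ZwSetContextThread (NtSetContextThread).
     *
     * Discards the requested context: the target thread's state is never
     * changed, the caller's own CONTEXT buffer is zeroed (behaviour kept from
     * the original), and success (NTSTATUS 0) is reported. Any caller that
     * relies on the context actually being applied will silently misbehave.
     *
     * Declared NTAPI (stdcall on x86) so the calling convention matches the
     * function it replaces; a hook with the wrong convention unbalances the
     * stack on the first call through it.
     *
     * Thread     ignored.
     * lpContext  caller's CONTEXT buffer. NULL is rejected with
     *            STATUS_ACCESS_VIOLATION instead of faulting inside the hook.
     * Returns    0 (STATUS_SUCCESS), or STATUS_ACCESS_VIOLATION for NULL.
     */
    DWORD NTAPI MyZwSetContextThread(HANDLE Thread, LPCONTEXT lpContext)
    {
        (void)Thread;
        if (lpContext == NULL) {
            return STATUS_ACCESS_VIOLATION;
        }
        ZeroMemory(lpContext, sizeof(*lpContext));
        return 0;
    }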
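    /**********************************************************
    IAT Hook: redirect one slot of the host executable's import address
    table (IAT) to a replacement function.

    Parameters:
      char *szDLLName  DLL that exports the function, e.g. "kernel32.dll"
      char *szName     exported function name
      void *Addr       replacement; it MUST have the same prototype and
                       calling convention as the original, otherwise the
                       first call through the hook reads bogus arguments
                       and, on x86, unbalances the stack

    Returns TRUE when a slot holding the function's current address was
    found and rewritten, FALSE otherwise: module or export not found, host
    has no import directory, no IAT slot references the function, or
    VirtualProtect fails. (The original returned TRUE even when nothing
    was patched, and scanned only the first imported DLL.)

    Scope: only GetModuleHandle(NULL) -- the main executable -- is patched.
    Other DLLs that import the same function, and calls made through
    GetProcAddress, are unaffected. Matching is by address, so the slot is
    found under whichever import descriptor (DLL name) it appears.
    ***********************************************************/
    DWORD IATHook(char *szDLLName, char *szName, void *Addr)
    {
        HMODULE                  hLib;
        HMODULE                  hHost;
        ULONG_PTR                targetAddr;
        PIMAGE_DOS_HEADER        dosHdr;
        PIMAGE_NT_HEADERS        ntHdr;
        PIMAGE_DATA_DIRECTORY    impDir;
        PIMAGE_IMPORT_DESCRIPTOR impDesc;

        if (szDLLName == NULL || szName == NULL || Addr == NULL) {
            return FALSE;
        }

        /* LoadLibraryA: the parameters are narrow strings, so the TCHAR
           macro used originally would not compile in a UNICODE build. */
        hLib = LoadLibraryA(szDLLName);
        if (hLib == NULL) {
            return FALSE;
        }
        targetAddr = (ULONG_PTR)GetProcAddress(hLib, szName);
        if (targetAddr == 0) {
            return FALSE;
        }

        hHost  = GetModuleHandle(NULL);
        dosHdr = (PIMAGE_DOS_HEADER)hHost;
        if (hHost == NULL || dosHdr->e_magic != IMAGE_DOS_SIGNATURE) {
            return FALSE;
        }
        ntHdr = (PIMAGE_NT_HEADERS)((BYTE *)hHost + dosHdr->e_lfanew);
        if (ntHdr->Signature != IMAGE_NT_SIGNATURE) {
            return FALSE;
        }

        /* A zero RVA means "no import directory". The original compared the
           computed pointer (base + RVA) with NULL, which can never be true. */
        impDir = &ntHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
        if (impDir->VirtualAddress == 0 || impDir->Size == 0) {
            return FALSE;
        }
        impDesc = (PIMAGE_IMPORT_DESCRIPTOR)((BYTE *)hHost + impDir->VirtualAddress);

        /* Walk every import descriptor; the array is terminated by an
           all-zero entry. PIMAGE_THUNK_DATA / ULONG_PTR pick the 32- or
           64-bit layout for the build, instead of hard-coding DATA32. */
        for (; impDesc->Name != 0; impDesc++) {
            PIMAGE_THUNK_DATA thunk;

            if (impDesc->FirstThunk == 0) {
                continue;
            }
            thunk = (PIMAGE_THUNK_DATA)((BYTE *)hHost + impDesc->FirstThunk);
            for (; thunk->u1.Function != 0; thunk++) {
                DWORD oldProt;

                if ((ULONG_PTR)thunk->u1.Function != targetAddr) {
                    continue;
                }
                /* Make just this slot writable, patch it, then put the
                   previous protection back so the IAT page is not left
                   writable for the rest of the process lifetime. */
                if (!VirtualProtect(&thunk->u1.Function, sizeof(thunk->u1.Function),
                                    PAGE_READWRITE, &oldProt)) {
                    return FALSE;
                }
                thunk->u1.Function = (ULONG_PTR)Addr;
                VirtualProtect(&thunk->u1.Function, sizeof(thunk->u1.Function),
                               oldProt, &oldProt);
                return TRUE;
            }
        }
        return FALSE;
    }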
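    /**********************************************************
    EAT Hook: rewrite one entry of a DLL's export address table so that
    name lookups resolve to a replacement function.

    Parameters:
      char *szDLLName    DLL whose export table is patched
      char *szFunName    exported function name (matched case-insensitively,
                         as in the original; real export names are
                         case-sensitive, so an exact-case name is safest)
      ULONG_PTR NewFun   address of the replacement. The EAT stores 32-bit
                         RVAs relative to the module base, so on x64 the
                         replacement must lie above the base and within
                         4 GiB of it; otherwise the call fails. (The
                         original took a DWORD, which already truncates
                         64-bit addresses; ULONG_PTR accepts every value a
                         DWORD did.)

    Returns TRUE on success, FALSE if the module cannot be loaded, is not a
    valid PE image, has no export directory, does not export szFunName by
    name, the address cannot be expressed as an RVA, or VirtualProtect
    fails. The original patched a stale/zero ordinal slot when the name was
    not found; that path now fails instead.

    Scope: only lookups performed AFTER the hook (GetProcAddress, import
    resolution of modules loaded later) see the new address. Callers whose
    imports were already bound keep calling the original function.
    ***********************************************************/
    BOOL EATHook(char *szDLLName, char *szFunName, ULONG_PTR NewFun)
    {
        HMODULE                 hMod;
        PIMAGE_DOS_HEADER       dosHdr;
        PIMAGE_NT_HEADERS       ntHdr;
        PIMAGE_DATA_DIRECTORY   expDir;
        PIMAGE_EXPORT_DIRECTORY exportDir;
        PDWORD                  funcRvas;
        PDWORD                  nameRvas;
        PWORD                   nameOrdinals;
        DWORD                   i;
        DWORD                   slot = 0;
        BOOL                    found = FALSE;
        ULONG_PTR               rva;
        DWORD                   oldProt;

        if (szDLLName == NULL || szFunName == NULL || NewFun == 0) {
            return FALSE;
        }

        /* LoadLibraryA: narrow-string parameters, independent of UNICODE. */
        hMod = LoadLibraryA(szDLLName);
        if (hMod == NULL) {
            return FALSE;
        }
        dosHdr = (PIMAGE_DOS_HEADER)hMod;
        if (dosHdr->e_magic != IMAGE_DOS_SIGNATURE) {
            return FALSE;
        }
        ntHdr = (PIMAGE_NT_HEADERS)((BYTE *)hMod + dosHdr->e_lfanew);
        if (ntHdr->Signature != IMAGE_NT_SIGNATURE) {
            return FALSE;
        }

        /* A zero RVA means the module exports nothing. */
        expDir = &ntHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
        if (expDir->VirtualAddress == 0 || expDir->Size == 0) {
            return FALSE;
        }
        exportDir    = (PIMAGE_EXPORT_DIRECTORY)((BYTE *)hMod + expDir->VirtualAddress);
        funcRvas     = (PDWORD)((BYTE *)hMod + exportDir->AddressOfFunctions);
        nameRvas     = (PDWORD)((BYTE *)hMod + exportDir->AddressOfNames);
        nameOrdinals = (PWORD)((BYTE *)hMod + exportDir->AddressOfNameOrdinals);

        /* Name table -> ordinal table -> function table, the standard EAT
           indirection. */
        for (i = 0; i < exportDir->NumberOfNames; i++) {
            const char *name = (const char *)((BYTE *)hMod + nameRvas[i]);

            if (_stricmp(name, szFunName) == 0) {
                slot  = nameOrdinals[i];
                found = TRUE;
                break;
            }
        }
        if (!found || slot >= exportDir->NumberOfFunctions) {
            return FALSE;
        }

        /* The entry is a 32-bit RVA. On x86 the subtraction wraps and any
           address works; on x64 a replacement that is below the base or more
           than 4 GiB above it cannot be represented, and a silently
           truncated RVA would send callers into unmapped memory. */
        rva = NewFun - (ULONG_PTR)hMod;
        if ((ULONG_PTR)(DWORD)rva != rva) {
            return FALSE;
        }

        /* Make just this slot writable, patch it, and restore the previous
           protection so the export table is not left writable. */
        if (!VirtualProtect(&funcRvas[slot], sizeof(funcRvas[slot]),
                            PAGE_READWRITE, &oldProt)) {
            return FALSE;
        }
        funcRvas[slot] = (DWORD)rva;
        VirtualProtect(&funcRvas[slot], sizeof(funcRvas[slot]), oldProt, &oldProt);
        return TRUE;
    }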
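    /*
     * Prototype-compatible replacement for kernel32!ExitProcess
     * (VOID WINAPI ExitProcess(UINT)).
     *
     * The original demo installed MyZwGetContextThread (two parameters, no
     * calling-convention specifier) over ExitProcess (one parameter,
     * stdcall): the first ExitProcess call through the hook would treat
     * whatever sat above the exit code on the stack as a CONTEXT pointer and
     * memset it. This stand-in has the right prototype, reports the
     * interception to an attached debugger, and then ends the process with
     * the requested exit code so the caller's expectation that ExitProcess
     * never returns still holds.
     *
     * NOTE(review): TerminateProcess skips DLL_PROCESS_DETACH notifications,
     * unlike the real ExitProcess. IATHook does not hand back the original
     * address, so there is nothing to forward to.
     */
    static VOID WINAPI HookedExitProcess(UINT uExitCode)
    {
        OutputDebugStringA("IATHook: ExitProcess intercepted\n");
        TerminateProcess(GetCurrentProcess(), uExitCode);
    }

    /*
     * DLL entry point. On process attach, hook the host executable's
     * ExitProcess import. Returning FALSE makes the load fail when the hook
     * could not be installed, rather than loading a DLL that did nothing;
     * the original ignored IATHook's result.
     *
     * Manual test notes carried over from the original:
     *   EAT hook: after EATHook("ntdll.dll", "NtSetInformationFile", ...),
     *             GetProcAddress(LoadLibraryA("ntdll.dll"),
     *             "NtSetInformationFile") should return the replacement.
     *   IAT hook: let the host call ExitProcess and observe the debugger
     *             output from HookedExitProcess.
     */
    BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, PVOID pvReserved)
    {
        (void)pvReserved;
        if (dwReason == DLL_PROCESS_ATTACH)
        {
            DisableThreadLibraryCalls(hModule);
            if (!IATHook("kernel32.dll", "ExitProcess", (void *)HookedExitProcess)) {
                return FALSE;
            }
        }
        return TRUE;
    }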

    转自邓韬
