IAT Hook

• IAT Hook 工作原理

  IAT Hook是通过修改IAT中保存的API地址来钩取某个API函数。

  在进程中调用某个API函数，是在目标进程中的导入表中查找函数地址来进行调用，不同于GetProcAddress函数。此函数是在模块的导出表中进行查找函数地址的。

  所以我们可以注入动态库到目标进程，来实现对目标API的钩取。关于动态库的注入可以参考其他博文。

• 代码实现

  // include
  #include "stdio.h"
  #include "wchar.h"
  #include "windows.h"
  
  
  // typedef
  typedef BOOL (WINAPI *PFSETWINDOWTEXTW)(HWND hWnd, LPWSTR lpString);
  
  
  
  FARPROC OldFunction = NULL;
  
  
  // 修改后再显示
  BOOL WINAPI MySetWindowTextW(HWND hWnd, LPWSTR lpString)
  {
      wchar_t* pNum = L"康老捞伙荤坷腊磨迫备"; 
      wchar_t temp[2] = {0,};
      int i = 0, nLen = 0, nIndex = 0;
  
      nLen = wcslen(lpString);
      for(i = 0; i < nLen; i++)
      {
          
          if( L'0' <= lpString[i] && lpString[i] <= L'9' )
          {
              temp[0] = lpString[i];
              nIndex = _wtoi(temp);
              lpString[i] = pNum[nIndex];
          }
      }
  
     
      return ((PFSETWINDOWTEXTW)OldFunction)(hWnd, lpString);
  }
  
  
  // hook_iat
  //   泅犁 橇肺技胶狼 IAT 甫 八祸秦辑
  //   pfnOrg 蔼阑 pfnNew 蔼栏肺 函版矫糯
  BOOL HOOKIAT(LPCSTR szDllName, PROC OldFunction, PROC NewFunction)
  {
      HMODULE ModuleHandle;
      LPCSTR szLibName;
      PIMAGE_IMPORT_DESCRIPTOR pImportDesc; 
      PIMAGE_THUNK_DATA pThunk;
      DWORD dwOldProtect, dwRVA;
      PBYTE AddressOfImage;
  
      // DOSHeader
      ModuleHandle = GetModuleHandle(NULL);
      AddressOfImage = (PBYTE)ModuleHandle;
  
      // AddressOfImage = VA to PE signature (IMAGE_NT_HEADERS)
      AddressOfImage += *((DWORD*)&AddressOfImage[0x3C]);
  
      // dwRVA = RVA to IMAGE_IMPORT_DESCRIPTOR Table
      dwRVA = *((DWORD*)&AddressOfImage[0x80]);
  
      // pImportDesc = VA to IMAGE_IMPORT_DESCRIPTOR Table
      pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)ModuleHandle +dwRVA);
  
      for( ; pImportDesc->Name; pImportDesc++ )
      {
          // szLibName = VA to IMAGE_IMPORT_DESCRIPTOR.Name
          szLibName = (LPCSTR)((DWORD)ModuleHandle + pImportDesc->Name);
          if( !_stricmp(szLibName, szDllName) )
          {
              // pThunk = IMAGE_IMPORT_DESCRIPTOR.FirstThunk
              //        = VA to IAT(Import Address Table)
              pThunk = (PIMAGE_THUNK_DATA)((DWORD)ModuleHandle +
                                           pImportDesc->FirstThunk);
  
              // pThunk->u1.Function API函数的虚拟地址
              for( ; pThunk->u1.Function; pThunk++ )
              {
                  if( pThunk->u1.Function == (DWORD)OldFunction)
                  {
                      // 修改内存页为可读可写可执行
                      VirtualProtect((LPVOID)&pThunk->u1.Function, 
                                     4, 
                                     PAGE_EXECUTE_READWRITE, 
                                     &dwOldProtect);
  
                      // 修改函数地址
                      pThunk->u1.Function = (DWORD)NewFunction;
                  
                      VirtualProtect((LPVOID)&pThunk->u1.Function, 
                                     4, 
                                     dwOldProtect, 
                                     &dwOldProtect);                        
  
                      return TRUE;
                  }
              }
          }
      }
  
      return FALSE;
  }
  
  
  
  BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
  {
      switch( fdwReason )
      {
          case DLL_PROCESS_ATTACH : 
            
                 OldFunction = GetProcAddress(GetModuleHandle(L"user32.dll"), 
                                          "SetWindowTextW");
  
              //HOOK
              HOOKIAT("user32.dll", OldFunction, (PROC)MySetWindowTextW);
              break;
  
          case DLL_PROCESS_DETACH :
              //UNHOOK
              HOOKIAT("user32.dll", (PROC)MySetWindowTextW, OldFunction);
              break;
      }
  
      return TRUE;
  }

  参考《逆向工程核心原理》