IAT Hook

Posted 半程烟沙

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了IAT Hook相关的知识,希望对你有一定的参考价值。

  • IAT Hook 工作原理

    IAT Hook是通过修改IAT中保存的API地址来钩取某个API函数。

     

    在进程中调用某个API函数,是在目标进程中的导入表中查找函数地址来进行调用,不同于GetProcAddress函数。此函数是在模块的导出表中进行查找函数地址的。

     

    所以我们可以注入动态库到目标进程,来实现对目标API的钩取。关于动态库的注入可以参考其他博文。

  • 代码实现
      1 // include
      2 #include "stdio.h"
      3 #include "wchar.h"
      4 #include "windows.h"
      5 
      6 
      7 // typedef
      8 typedef BOOL (WINAPI *PFSETWINDOWTEXTW)(HWND hWnd, LPWSTR lpString);
      9 
     10 
     11 
     12 FARPROC OldFunction = NULL;
     13 
     14 
     15 // 修改后再显示
     16 BOOL WINAPI MySetWindowTextW(HWND hWnd, LPWSTR lpString)
     17 {
     18     wchar_t* pNum = L"康老捞伙荤坷腊磨迫备"; 
     19     wchar_t temp[2] = {0,};
     20     int i = 0, nLen = 0, nIndex = 0;
     21 
     22     nLen = wcslen(lpString);
     23     for(i = 0; i < nLen; i++)
     24     {
     25         
     26         if( L0 <= lpString[i] && lpString[i] <= L9 )
     27         {
     28             temp[0] = lpString[i];
     29             nIndex = _wtoi(temp);
     30             lpString[i] = pNum[nIndex];
     31         }
     32     }
     33 
     34    
     35     return ((PFSETWINDOWTEXTW)OldFunction)(hWnd, lpString);
     36 }
     37 
     38 
     39 // hook_iat
     40 //   泅犁 橇肺技胶狼 IAT 甫 八祸秦辑
     41 //   pfnOrg 蔼阑 pfnNew 蔼栏肺 函版矫糯
     42 BOOL HOOKIAT(LPCSTR szDllName, PROC OldFunction, PROC NewFunction)
     43 {
     44     HMODULE ModuleHandle;
     45     LPCSTR szLibName;
     46     PIMAGE_IMPORT_DESCRIPTOR pImportDesc; 
     47     PIMAGE_THUNK_DATA pThunk;
     48     DWORD dwOldProtect, dwRVA;
     49     PBYTE AddressOfImage;
     50 
     51     // DOSHeader
     52     ModuleHandle = GetModuleHandle(NULL);
     53     AddressOfImage = (PBYTE)ModuleHandle;
     54 
     55     // AddressOfImage = VA to PE signature (IMAGE_NT_HEADERS)
     56     AddressOfImage += *((DWORD*)&AddressOfImage[0x3C]);
     57 
     58     // dwRVA = RVA to IMAGE_IMPORT_DESCRIPTOR Table
     59     dwRVA = *((DWORD*)&AddressOfImage[0x80]);
     60 
     61     // pImportDesc = VA to IMAGE_IMPORT_DESCRIPTOR Table
     62     pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)ModuleHandle +dwRVA);
     63 
     64     for( ; pImportDesc->Name; pImportDesc++ )
     65     {
     66         // szLibName = VA to IMAGE_IMPORT_DESCRIPTOR.Name
     67         szLibName = (LPCSTR)((DWORD)ModuleHandle + pImportDesc->Name);
     68         if( !_stricmp(szLibName, szDllName) )
     69         {
     70             // pThunk = IMAGE_IMPORT_DESCRIPTOR.FirstThunk
     71             //        = VA to IAT(Import Address Table)
     72             pThunk = (PIMAGE_THUNK_DATA)((DWORD)ModuleHandle +
     73                                          pImportDesc->FirstThunk);
     74 
     75             // pThunk->u1.Function API函数的虚拟地址
     76             for( ; pThunk->u1.Function; pThunk++ )
     77             {
     78                 if( pThunk->u1.Function == (DWORD)OldFunction)
     79                 {
     80                     // 修改内存页为可读可写可执行
     81                     VirtualProtect((LPVOID)&pThunk->u1.Function, 
     82                                    4, 
     83                                    PAGE_EXECUTE_READWRITE, 
     84                                    &dwOldProtect);
     85 
     86                     // 修改函数地址
     87                     pThunk->u1.Function = (DWORD)NewFunction;
     88                 
     89                     VirtualProtect((LPVOID)&pThunk->u1.Function, 
     90                                    4, 
     91                                    dwOldProtect, 
     92                                    &dwOldProtect);                        
     93 
     94                     return TRUE;
     95                 }
     96             }
     97         }
     98     }
     99 
    100     return FALSE;
    101 }
    102 
    103 
    104 
    105 BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
    106 {
    107     switch( fdwReason )
    108     {
    109         case DLL_PROCESS_ATTACH : 
    110           
    111                OldFunction = GetProcAddress(GetModuleHandle(L"user32.dll"), 
    112                                         "SetWindowTextW");
    113 
    114             //HOOK
    115             HOOKIAT("user32.dll", OldFunction, (PROC)MySetWindowTextW);
    116             break;
    117 
    118         case DLL_PROCESS_DETACH :
    119             //UNHOOK
    120             HOOKIAT("user32.dll", (PROC)MySetWindowTextW, OldFunction);
    121             break;
    122     }
    123 
    124     return TRUE;
    125 }

    参考《逆向工程核心原理》

 

以上是关于IAT Hook的主要内容,如果未能解决你的问题,请参考以下文章

IAT HOOK 简单实现

IAT HOOK DEMO win32/win64

IAT HOOK DEMO win32/win64

PE基础6_远程线程注入-HOOK(消息-InLine-IAT)

rootkit检测之检测hook——iat hookinline hookeat hookidt hookirp hookssdt

Inline Hook