IATHook

Posted BiaoGe



IATHookClass.h

 

 1 #pragma once
 2 
 3 #include <Windows.h>
 4 
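// Single-slot IAT hook for the current process's main module.
//
// Hook() rewrites one entry of the executable's import address table so that
// calls the executable makes through that import land in the replacement
// function; UnHook() puts the saved entry back. Addresses are held as DWORD,
// so this class is only usable in a 32-bit process. One object tracks exactly
// one hook.
class IATHookClass
{
private:
    // IAT value saved by Hook() before it was overwritten; restored by UnHook().
    DWORD oldAddr;
    // Address written into the IAT by Hook(); 0 means no hook is installed.
    DWORD newAddr;

public:
    // Start with no hook recorded so that UnHook() can never mistake
    // uninitialised memory for an installed hook address.
    IATHookClass() : oldAddr(0), newAddr(0) {}

    // Redirect the main module's import `apiName` to `callfunc`.
    // Returns TRUE when an IAT entry was replaced, FALSE otherwise.
    BOOL Hook(char *apiName, DWORD callfunc);

    // Restore the entry replaced by Hook(). Returns TRUE when the original
    // value was written back, FALSE otherwise.
    BOOL UnHook(void);
};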

 

 

 

IATHookClass.cpp

 

 1 #include "IATHookClass.h"
 2 
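// Both methods walk the import table of GetModuleHandle(NULL), i.e. the main
// executable. Only calls that the executable makes through its own IAT are
// redirected; calls made by other DLLs, or resolved at run time through
// GetProcAddress, are not affected. The class keeps addresses as DWORD, so it
// is intended for 32-bit processes only.
namespace {

// Return the first IMAGE_IMPORT_DESCRIPTOR of a loaded module, or NULL when the
// image does not carry MZ/PE signatures or has no import directory.
IMAGE_IMPORT_DESCRIPTOR *FirstImportDescriptor(HMODULE hMod)
{
    if (hMod == NULL)
        return NULL;

    BYTE *base = (BYTE *)hMod;
    IMAGE_DOS_HEADER *pDosHeader = (IMAGE_DOS_HEADER *)base;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return NULL;

    // IMAGE_NT_HEADERS = Signature + IMAGE_FILE_HEADER + IMAGE_OPTIONAL_HEADER;
    // using the struct replaces the hand-computed "e_lfanew + 24" offset.
    IMAGE_NT_HEADERS *pNtHeaders = (IMAGE_NT_HEADERS *)(base + pDosHeader->e_lfanew);
    if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
        return NULL;

    const IMAGE_DATA_DIRECTORY &dir =
        pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (dir.VirtualAddress == 0)
        return NULL;

    return (IMAGE_IMPORT_DESCRIPTOR *)(base + dir.VirtualAddress);
}

// Overwrite one IAT slot. The page is made writable only for the store and its
// previous protection is restored afterwards. IAT entries are data, not code,
// so PAGE_READWRITE is sufficient — no RWX mapping is created. Returns FALSE
// (and writes nothing) if the protection change fails; writing through a page
// that could not be unprotected would fault.
BOOL WriteIatSlot(IMAGE_THUNK_DATA *pThunk, DWORD_PTR value)
{
    DWORD dwOldProtect = 0;
    if (!VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function),
                        PAGE_READWRITE, &dwOldProtect))
        return FALSE;

    pThunk->u1.Function = value;

    DWORD dwUnused = 0;
    VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function),
                   dwOldProtect, &dwUnused);
    return TRUE;
}

} // namespace

// Redirect this module's import of `apiName` to `callfunc`.
//   apiName  - export name as it appears in the import table; compared
//              case-insensitively (lstrcmpiA), as the original code did.
//   callfunc - address of the replacement; must be non-zero.
// Returns TRUE when an IAT entry was replaced. Returns FALSE, without touching
// the IAT, when the arguments are invalid, when this object already holds a
// hook (a second Hook() would overwrite oldAddr and make the first hook
// impossible to undo), when the import is not present by name, or when the
// IAT page could not be made writable. No locking is done here; callers must
// not install or remove hooks through one object from several threads at once.
BOOL IATHookClass::Hook(char *apiName, DWORD callfunc)
{
    if (apiName == NULL || callfunc == 0 || newAddr != 0)
        return FALSE;

    HMODULE hMod = GetModuleHandle(NULL);
    IMAGE_IMPORT_DESCRIPTOR *pImportDesc = FirstImportDescriptor(hMod);
    if (pImportDesc == NULL)
        return FALSE;

    BYTE *base = (BYTE *)hMod;
    for (; pImportDesc->Name != 0; ++pImportDesc)
    {
        // OriginalFirstThunk (the INT) still holds names/ordinals after load;
        // FirstThunk (the IAT) holds resolved addresses. Without an INT there
        // is nothing to match a name against, so skip such descriptors instead
        // of reading the DOS header as if it were a thunk array.
        if (pImportDesc->OriginalFirstThunk == 0 || pImportDesc->FirstThunk == 0)
            continue;

        IMAGE_THUNK_DATA *pThunk = (IMAGE_THUNK_DATA *)(base + pImportDesc->FirstThunk);
        IMAGE_THUNK_DATA *pNameThunk = (IMAGE_THUNK_DATA *)(base + pImportDesc->OriginalFirstThunk);

        for (; pNameThunk->u1.AddressOfData != 0; ++pThunk, ++pNameThunk)
        {
            // Ordinal imports carry no name; treating the ordinal as an RVA
            // and dereferencing it would fault.
            if (IMAGE_SNAP_BY_ORDINAL(pNameThunk->u1.Ordinal))
                continue;

            IMAGE_IMPORT_BY_NAME *pByName =
                (IMAGE_IMPORT_BY_NAME *)(base + pNameThunk->u1.AddressOfData);
            if (lstrcmpiA(apiName, pByName->Name) != 0)
                continue;

            // Save the original only once the write is known to have succeeded.
            DWORD previous = pThunk->u1.Function;
            if (!WriteIatSlot(pThunk, callfunc))
                return FALSE;
            oldAddr = previous;
            newAddr = callfunc;
            return TRUE;
        }
    }

    // hMod from GetModuleHandle() is a module base, not a kernel handle, so it
    // must not be passed to CloseHandle().
    return FALSE;
}

// Restore the IAT entry replaced by Hook(). The slot is located by its current
// value (newAddr), so this works without remembering the import name.
// Returns TRUE when the original address was written back and the object is
// reset to "no hook"; FALSE when no hook is installed, the slot can no longer
// be found, or the page could not be made writable.
BOOL IATHookClass::UnHook(void)
{
    if (newAddr == 0)
        return FALSE;

    HMODULE hMod = GetModuleHandle(NULL);
    IMAGE_IMPORT_DESCRIPTOR *pImportDesc = FirstImportDescriptor(hMod);
    if (pImportDesc == NULL)
        return FALSE;

    BYTE *base = (BYTE *)hMod;
    for (; pImportDesc->Name != 0; ++pImportDesc)
    {
        if (pImportDesc->FirstThunk == 0)
            continue;

        IMAGE_THUNK_DATA *pThunk = (IMAGE_THUNK_DATA *)(base + pImportDesc->FirstThunk);
        // Both loops advance their cursors; the original never did, which made
        // UnHook() spin forever whenever the first IAT entry was not the hook.
        for (; pThunk->u1.Function != 0; ++pThunk)
        {
            if (pThunk->u1.Function != newAddr)
                continue;

            if (!WriteIatSlot(pThunk, oldAddr))
                return FALSE;
            newAddr = 0;
            oldAddr = 0;
            return TRUE;
        }
    }

    return FALSE;
}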

 
