APIHOOK
#include <stdio.h>
#include <windows.h>
#include <Dbghelp.h>
#pragma comment(lib,"Dbghelp.lib")
#pragma comment(lib,"User32.lib")
typedef int (__stdcall *OLD_MessageBox)( HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption,UINT uType );
OLD_MessageBox g_procOldMessageBox = NULL;
int __stdcall HOOK_MessageBox( HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption,UINT uType)
{
printf("%s\t%d\r\n",__FUNCTION__,__LINE__);
if (NULL != g_procOldMessageBox)
return g_procOldMessageBox(hWnd,lpText,TEXT("不好意思,hook到了!"),uType);
else
return MessageBox(hWnd,lpText,lpCaption,uType); ;
}
int replace_IAT(const char *pDllName,const char *pApiName,void ** OldApiAddr,void * NewApiAddr,bool bReplace)
{
HANDLE hProcess = ::GetModuleHandle (NULL);
DWORD dwSize = 0;
PIMAGE_IMPORT_DESCRIPTOR pImageImport = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(hProcess,TRUE,
IMAGE_DIRECTORY_ENTRY_IMPORT,&dwSize);
if (NULL == pImageImport)
return 1;
PIMAGE_IMPORT_BY_NAME pImageImportByName = NULL;
PIMAGE_THUNK_DATA pImageThunkOriginal = NULL;
PIMAGE_THUNK_DATA pImageThunkReal = NULL;
while (pImageImport->Name)
{
if (0 == lstrcmpiA((char*)((PBYTE)hProcess+pImageImport->Name),pDllName))
{
break;
}
++pImageImport;
}
if (! pImageImport->Name)
return 2;
pImageThunkOriginal = (PIMAGE_THUNK_DATA)((PBYTE)hProcess+pImageImport->OriginalFirstThunk );
pImageThunkReal = (PIMAGE_THUNK_DATA)((PBYTE)hProcess+pImageImport->FirstThunk );
while (pImageThunkOriginal->u1.Function)
{
if ((pImageThunkOriginal->u1.Ordinal & IMAGE_ORDINAL_FLAG) != IMAGE_ORDINAL_FLAG)
{
pImageImportByName = (PIMAGE_IMPORT_BY_NAME)((PBYTE)hProcess+pImageThunkOriginal->u1.AddressOfData );
if (0 == lstrcmpiA(pApiName,(char*)pImageImportByName->Name))
{
MEMORY_BASIC_INFORMATION mbi_thunk;
VirtualQuery(pImageThunkReal, &mbi_thunk, sizeof(MEMORY_BASIC_INFORMATION));
VirtualProtect(mbi_thunk.BaseAddress,mbi_thunk.RegionSize, PAGE_READWRITE, &mbi_thunk.Protect);
if (true == bReplace)
{
*OldApiAddr = (void*)pImageThunkReal->u1.Function;
pImageThunkReal->u1.Function = (DWORD)(NewApiAddr);
}
else
{
pImageThunkReal->u1.Function = (DWORD)(*OldApiAddr);
*OldApiAddr = NULL;
}
DWORD dwOldProtect;
VirtualProtect(mbi_thunk.BaseAddress, mbi_thunk.RegionSize, mbi_thunk.Protect, &dwOldProtect);
break;
}
}
++pImageThunkOriginal;
++pImageThunkReal;
}
return 0;
}
int _tmain(int argc, _TCHAR* argv[])
{
replace_IAT("User32.dll","MessageBoxW",(void**)&g_procOldMessageBox,HOOK_MessageBox,true);
MessageBox(NULL,TEXT("EnumIAT User32.dll MessageBoxW true;"),TEXT(""),MB_OK);
replace_IAT("User32.dll","MessageBoxW",(void**)&g_procOldMessageBox,HOOK_MessageBox,false);
MessageBox(NULL,TEXT("EnumIAT User32.dll MessageBoxW false;"),TEXT("UnHook!"),MB_OK);
return getchar();
return 0;
}
最新文章
- asp.net 事件加载顺序
- Web Components是不是Web的未来
- quanpailie quanbianli
- SAP 物料基本单位与BOM单位
- Shell脚本编程——了解你的Linux系统必须掌握的20个命令
- 基于visual Studio2013解决算法导论之050强连通分支
- C 函数 strstr 的高效实现
- 实体处理模块IEntityModule
- springmvc初始化失败问题跟踪
- 常识判断-科技-day123
- step_by_step_CSRF/ XSRF_问题描述
- hdu-2087(kmp)
- P2279 [HNOI2003]消防局的设立
- CCNA
- RF
- Android学习之基础知识四-Activity活动1讲
- lesson2-cnn-fastai
- python 标准日志模块loging 及日志系统实例
- ruby lib文件夹作用
- omitTermFreqAndPositions设置,词频FQ在打分中默认为1