求个IAT HOOK的源码. 网上找了好多HOOK IAT的源码,基本参数都是(DLL名,源地址,目标地址)类型的IAT HOOK想找个用函数名HOOK的源码.
解决方案 »
// h
//本地版本,指定模块基地址和IAT表函数的地址,修改IAT的函数地址为dwHookedProc,返回原来函数名字
/*
 * Local (in-process) version: given a module base address and the address of
 * an imported function, replace that function's address in the module's IAT
 * with dwHookingProc and return the function's name.
 * If dwHookingProc is 0 the call only queries and changes nothing.
 * dwProcLoadAddress is the address the function is loaded at in memory, as
 * obtained from GetProcAddress.
 * Addresses are passed as DWORD, so this interface assumes a 32-bit process.
 */
const char* __stdcall IATHook_ByProcAddress(__in HMODULE hModule,__in DWORD dwProcLoadAddress,__in DWORD dwHookingProc,__out_opt LPDWORD lpdwOrigianlIATAddress);
/*
 * Local (in-process) version: given a module base address and the name of an
 * imported function, replace that function's address in the module's IAT
 * with dwHookingProc and return the address that was there before.
 * If dwHookingProc is 0 the call only queries and changes nothing.
 */
DWORD __stdcall IATHook_ByProcName(__in HMODULE hModule,__in const char* pszProcName,__in DWORD dwHookingProc);
//////////////////////////////////////////////////////////
// cpp
// Local (in-process) version: given a module base address and the address of an
// imported function, replace that function's IAT address with dwHookingProc and
// return the function's name.
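/**
 * Find the import-address-table (IAT) slot of hModule that currently holds
 * dwProcLoadAddress and, optionally, overwrite it with dwHookingProc.
 *
 * Works only inside the calling process and only in a 32-bit build, because
 * every address travels through the interface as a DWORD. All import
 * descriptors of the module are searched; the first matching slot wins.
 *
 * Query mode (dwHookingProc == 0) changes nothing, so it can also be used to
 * check what a given import slot of the module currently points at.
 *
 * @param hModule                 Base address of a module loaded in this process.
 * @param dwProcLoadAddress       Address to look for in the IAT, e.g. the value
 *                                returned by GetProcAddress.
 * @param dwHookingProc           Replacement address, or 0 to query only.
 * @param lpdwOrigianlIATAddress  Optional; receives the slot value found,
 *                                written before any modification is attempted.
 * @return The import's name as stored in the module's import name table;
 *         "" when the slot matched but has no name (imported by ordinal, or
 *         the descriptor has no name table); NULL when no slot matched, the
 *         PE headers look invalid, the module has no import directory, or the
 *         slot could not be made writable (in which case nothing is changed).
 */
const char* __stdcall IATHook_ByProcAddress(__in HMODULE hModule,__in DWORD dwProcLoadAddress,__in DWORD dwHookingProc,__out_opt LPDWORD lpdwOrigianlIATAddress)
{
    BYTE *pBase = (BYTE *)hModule;
    PIMAGE_DOS_HEADER pDosHdr = (PIMAGE_DOS_HEADER)hModule;
    PIMAGE_NT_HEADERS pNtHdr = NULL;
    PIMAGE_IMPORT_DESCRIPTOR pImpDtp = NULL;
    PIMAGE_THUNK_DATA pThunkOgnData = NULL;
    PIMAGE_THUNK_DATA pThunkData = NULL;
    PIMAGE_IMPORT_BY_NAME pImpName = NULL;
    DWORD dwImportRva = 0;
    DWORD dwOldPtc = 0;

    if (!hModule) return NULL;

    /* Locate the import directory through the PE headers instead of the
       hard-coded 0x3c / 0x80 offsets, and refuse anything that is not a PE
       image or that has no imports (RVA 0 would alias the module header). */
    if (pDosHdr->e_magic != IMAGE_DOS_SIGNATURE) return NULL;
    pNtHdr = (PIMAGE_NT_HEADERS)(pBase + pDosHdr->e_lfanew);
    if (pNtHdr->Signature != IMAGE_NT_SIGNATURE) return NULL;
    if (pNtHdr->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_IMPORT) return NULL;
    dwImportRva = pNtHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (!dwImportRva) return NULL;
    pImpDtp = (PIMAGE_IMPORT_DESCRIPTOR)(pBase + dwImportRva);

    for (; pImpDtp->FirstThunk; pImpDtp++) {
        pThunkData = (PIMAGE_THUNK_DATA)(pBase + pImpDtp->FirstThunk);
        /* OriginalFirstThunk may be 0; then there is no name table to read
           and the descriptor can only be matched by address. */
        pThunkOgnData = pImpDtp->OriginalFirstThunk
            ? (PIMAGE_THUNK_DATA)(pBase + pImpDtp->OriginalFirstThunk)
            : NULL;

        /* The IAT and the name table are parallel, zero-terminated arrays. */
        for (; pThunkData->u1.Function; pThunkData++) {
            if (pThunkData->u1.Function == dwProcLoadAddress) {
                if (lpdwOrigianlIATAddress) *lpdwOrigianlIATAddress = pThunkData->u1.Function;

                if (dwHookingProc) {
                    /* Unprotect the IAT slot itself. The original code queried an
                       uninitialised MEMORY_BASIC_INFORMATION and then changed the
                       protection of the target function's code page, which never
                       made the slot writable and stripped execute rights from
                       that code page. */
                    if (!VirtualProtect(&pThunkData->u1.Function, sizeof(pThunkData->u1.Function), PAGE_READWRITE, &dwOldPtc))
                        return NULL;
                    pThunkData->u1.Function = dwHookingProc;
                    /* Put the previous protection back so the IAT does not stay writable. */
                    VirtualProtect(&pThunkData->u1.Function, sizeof(pThunkData->u1.Function), dwOldPtc, &dwOldPtc);
                }

                /* An ordinal import stores an ordinal, not an RVA to a name. */
                if (!pThunkOgnData || IMAGE_SNAP_BY_ORDINAL(pThunkOgnData->u1.Ordinal))
                    return "";
                pImpName = (PIMAGE_IMPORT_BY_NAME)(pBase + pThunkOgnData->u1.AddressOfData);
                return (const char *)pImpName->Name;
            }
            if (pThunkOgnData) pThunkOgnData++;
        }
    }
    return NULL;
}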
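/**
 * Find the import-address-table (IAT) slot of hModule whose import name is
 * pszProcName and, optionally, overwrite it with dwHookingProc.
 *
 * Works only inside the calling process and only in a 32-bit build, because
 * addresses travel through the interface as DWORD. All import descriptors are
 * searched regardless of DLL name and the first name match wins. The name is
 * compared with lstrcmpiA, i.e. case-insensitively, as in the original code.
 * Imports by ordinal and descriptors without a name table are skipped because
 * they carry no name to compare.
 *
 * Query mode (dwHookingProc == 0) changes nothing, so it can also be used to
 * check what a given import slot of the module currently points at.
 *
 * @param hModule        Base address of a module loaded in this process.
 * @param pszProcName    Import name to look for.
 * @param dwHookingProc  Replacement address, or 0 to query only.
 * @return The address the slot held before the call; 0 when the name was not
 *         found, an argument is NULL, the PE headers look invalid, the module
 *         has no import directory, or the slot could not be made writable (in
 *         which case nothing is changed).
 */
DWORD __stdcall IATHook_ByProcName(__in HMODULE hModule,__in const char* pszProcName,__in DWORD dwHookingProc)
{
    BYTE *pBase = (BYTE *)hModule;
    PIMAGE_DOS_HEADER pDosHdr = (PIMAGE_DOS_HEADER)hModule;
    PIMAGE_NT_HEADERS pNtHdr = NULL;
    PIMAGE_IMPORT_DESCRIPTOR pImpDtp = NULL;
    PIMAGE_THUNK_DATA pThunkOgnData = NULL;
    PIMAGE_THUNK_DATA pThunkData = NULL;
    PIMAGE_IMPORT_BY_NAME pImpName = NULL;
    DWORD dwImportRva = 0;
    DWORD dwFindProc = 0;
    DWORD dwOldPtc = 0;

    if (!hModule || !pszProcName) return 0;

    /* Locate the import directory through the PE headers instead of the
       hard-coded 0x3c / 0x80 offsets, and refuse anything that is not a PE
       image or that has no imports (RVA 0 would alias the module header). */
    if (pDosHdr->e_magic != IMAGE_DOS_SIGNATURE) return 0;
    pNtHdr = (PIMAGE_NT_HEADERS)(pBase + pDosHdr->e_lfanew);
    if (pNtHdr->Signature != IMAGE_NT_SIGNATURE) return 0;
    if (pNtHdr->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_IMPORT) return 0;
    dwImportRva = pNtHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (!dwImportRva) return 0;
    pImpDtp = (PIMAGE_IMPORT_DESCRIPTOR)(pBase + dwImportRva);

    for (; pImpDtp->FirstThunk; pImpDtp++) {
        /* Without a name table there is nothing to compare against. */
        if (!pImpDtp->OriginalFirstThunk) continue;
        pThunkOgnData = (PIMAGE_THUNK_DATA)(pBase + pImpDtp->OriginalFirstThunk);
        pThunkData = (PIMAGE_THUNK_DATA)(pBase + pImpDtp->FirstThunk);

        for (; pThunkOgnData->u1.AddressOfData; pThunkOgnData++, pThunkData++) {
            /* An ordinal import stores an ordinal, not an RVA to a name. */
            if (IMAGE_SNAP_BY_ORDINAL(pThunkOgnData->u1.Ordinal)) continue;

            pImpName = (PIMAGE_IMPORT_BY_NAME)(pBase + pThunkOgnData->u1.AddressOfData);
            if (lstrcmpiA((const char *)pImpName->Name, pszProcName) != 0) continue;

            dwFindProc = pThunkData->u1.Function;
            if (dwHookingProc) {
                /* Unprotect the IAT slot itself. The original code changed the
                   protection of the allocation that contains the imported
                   function, which never made the slot writable. */
                if (!VirtualProtect(&pThunkData->u1.Function, sizeof(pThunkData->u1.Function), PAGE_READWRITE, &dwOldPtc))
                    return 0;
                pThunkData->u1.Function = dwHookingProc;
                /* Put the previous protection back so the IAT does not stay writable. */
                VirtualProtect(&pThunkData->u1.Function, sizeof(pThunkData->u1.Function), dwOldPtc, &dwOldPtc);
            }
            return dwFindProc;
        }
    }
    return 0;
}
///////////////////////////////////////////////////////////////////////////
/* Hooking function addresses in a process module's import table (IAT) is not
   very practical: it rewrites addresses in that module's import table, so it
   only affects calls that go through the table. If the code resolves the
   function with LoadLibrary + GetProcAddress, the IAT hook has no effect. */
/* Usage
   Note: the replacement below is named Fake_OpenProcess but is installed in
   place of LoadLibraryA. It never calls the original, so after the "modify"
   step a LoadLibraryA call made through this module's IAT shows the message
   box and returns NULL. Passing the saved dwfun back as dwHookingProc puts
   the original address back.

HMODULE __stdcall Fake_OpenProcess(LPSTR lpName){
MessageBoxA(0,lpName,0,0);
return NULL;
}
//byname
query
DWORD dwfun= IATHook_ByProcName(GetModuleHandle(NULL),"LoadLibraryA",(DWORD)0);
LoadLibraryA("kernel32");
modify
dwfun=IATHook_ByProcName(GetModuleHandle(NULL),"LoadLibraryA",(DWORD)Fake_OpenProcess);
LoadLibraryA("kernel32");
//byaddress
   (the slot must still hold the real LoadLibraryA address for dwp to match,
   i.e. run this without the by-name modification above, or restore it first)
query
DWORD dwOgn=0;
DWORD dwp=(DWORD)GetProcAddress(GetModuleHandleA("kernel32"),"LoadLibraryA");
char* pname=(char*) IATHook_ByProcAddress(GetModuleHandle(NULL),dwp,(DWORD)0,&dwOgn);
LoadLibraryA("kernel32");
modify
pname=(char*)IATHook_ByProcAddress(GetModuleHandle(NULL),dwp,(DWORD)Fake_OpenProcess,&dwOgn);
LoadLibraryA("kernel32");
*/修改字节的API hook 实用些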