我创建了一个MFC Dialog工程,在初始化函数中做如下操作HMODULE hModule = ::GetModuleHandle(NULL);
LPVOID pModuleAddr = (LPVOID)hModule ;IMAGE_DOS_HEADER* pImageDOSHeader = (IMAGE_DOS_HEADER*)pModuleAddr;
IMAGE_NT_HEADERS* pImageNTHeader = (IMAGE_NT_HEADERS *)((DWORD)pModuleAddr + pImageDOSHeader->e_lfanew);IMAGE_IMPORT_DESCRIPTOR* pImageImportDescriptor = (IMAGE_IMPORT_DESCRIPTOR*)((DWORD)pModuleAddr +
pImageNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);IMAGE_EXPORT_DIRECTORY* pImageExportDirctory = (IMAGE_EXPORT_DIRECTORY*)((DWORD)pModuleAddr +
pImageNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);do{ LPSTR pModuleName = (LPSTR)((DWORD)pModuleAddr + pImageImportDescriptor->Name) ;
OutputDebugStringA("-------DLL:");
OutputDebugStringA(pModuleName);
OutputDebugStringA("-------\n");
if(strcmp("USER32.dll",pModuleName)==0)
{
IMAGE_THUNK_DATA* pImageThunkData = (IMAGE_THUNK_DATA *)((DWORD)pModuleAddr + pImageImportDescriptor->OriginalFirstThunk);
IMAGE_THUNK_DATA* pImageThunkData2 = (IMAGE_THUNK_DATA *)((DWORD)pModuleAddr + pImageImportDescriptor->FirstThunk);
do {
IMAGE_IMPORT_BY_NAME* piibn = (IMAGE_IMPORT_BY_NAME *)((DWORD)pModuleAddr + pImageThunkData->u1.AddressOfData); OutputDebugStringA((char *)piibn->Name);
OutputDebugStringA("\n"); if(strcmp("MessageBoxA",(char *)piibn->Name)==0)
{
DWORD addr = (DWORD)MyMessageBoxA;
DWORD written = 0;
DWORD oldAccess;
VirtualProtect(&pImageThunkData2->u1.Function,sizeof(DWORD),PAGE_WRITECOPY,&oldAccess);
DWORD APIAddress = (DWORD)&pImageThunkData2->u1.Function;
if(!WriteProcessMemory(GetCurrentProcess(),&pImageThunkData2->u1.Function, &addr,sizeof(DWORD), &written))
{
::MessageBoxW(NULL,L"WriteProcessMemory",L"ERROR",MB_OK | MB_ICONINFORMATION);
} } pImageThunkData++; }
while(pImageThunkData->u1.Function) ;
}
pImageImportDescriptor++ ;
}
while(pImageImportDescriptor->FirstThunk + pImageImportDescriptor->OriginalFirstThunk);
//然后我调用MessageBoxA,并没有进入我的MyMessageBoxA函数,还是执行的系统的API
::MessageBoxA(NULL,"MessageBoxA","MessageBoxA",MB_OK | MB_ICONINFORMATION);
我跟过代码,代码是正确执行的,并且我确信新的函数地址是写入到了导入表里的。还是重定向失败了。这是为什么呢?
LPVOID pModuleAddr = (LPVOID)hModule ;IMAGE_DOS_HEADER* pImageDOSHeader = (IMAGE_DOS_HEADER*)pModuleAddr;
IMAGE_NT_HEADERS* pImageNTHeader = (IMAGE_NT_HEADERS *)((DWORD)pModuleAddr + pImageDOSHeader->e_lfanew);IMAGE_IMPORT_DESCRIPTOR* pImageImportDescriptor = (IMAGE_IMPORT_DESCRIPTOR*)((DWORD)pModuleAddr +
pImageNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);IMAGE_EXPORT_DIRECTORY* pImageExportDirctory = (IMAGE_EXPORT_DIRECTORY*)((DWORD)pModuleAddr +
pImageNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);do{ LPSTR pModuleName = (LPSTR)((DWORD)pModuleAddr + pImageImportDescriptor->Name) ;
OutputDebugStringA("-------DLL:");
OutputDebugStringA(pModuleName);
OutputDebugStringA("-------\n");
if(strcmp("USER32.dll",pModuleName)==0)
{
IMAGE_THUNK_DATA* pImageThunkData = (IMAGE_THUNK_DATA *)((DWORD)pModuleAddr + pImageImportDescriptor->OriginalFirstThunk);
IMAGE_THUNK_DATA* pImageThunkData2 = (IMAGE_THUNK_DATA *)((DWORD)pModuleAddr + pImageImportDescriptor->FirstThunk);
do {
IMAGE_IMPORT_BY_NAME* piibn = (IMAGE_IMPORT_BY_NAME *)((DWORD)pModuleAddr + pImageThunkData->u1.AddressOfData); OutputDebugStringA((char *)piibn->Name);
OutputDebugStringA("\n"); if(strcmp("MessageBoxA",(char *)piibn->Name)==0)
{
DWORD addr = (DWORD)MyMessageBoxA;
DWORD written = 0;
DWORD oldAccess;
VirtualProtect(&pImageThunkData2->u1.Function,sizeof(DWORD),PAGE_WRITECOPY,&oldAccess);
DWORD APIAddress = (DWORD)&pImageThunkData2->u1.Function;
if(!WriteProcessMemory(GetCurrentProcess(),&pImageThunkData2->u1.Function, &addr,sizeof(DWORD), &written))
{
::MessageBoxW(NULL,L"WriteProcessMemory",L"ERROR",MB_OK | MB_ICONINFORMATION);
} } pImageThunkData++; }
while(pImageThunkData->u1.Function) ;
}
pImageImportDescriptor++ ;
}
while(pImageImportDescriptor->FirstThunk + pImageImportDescriptor->OriginalFirstThunk);
//然后我调用MessageBoxA,并没有进入我的MyMessageBoxA函数,还是执行的系统的API
::MessageBoxA(NULL,"MessageBoxA","MessageBoxA",MB_OK | MB_ICONINFORMATION);
我跟过代码,代码是正确执行的,并且我确信新的函数地址是写入到了导入表里的。还是重定向失败了。这是为什么呢?
问题已经得到解决啦。
Debug下失败,换成Release就行了。不知道为什么!
pImageThunkData2++; //加这句