我想HOOK CreateToolhelp32Snapshot 这个API
可是在kernel32.dll里面找不到,而其它像CreateProcess等就可以找到...很不明白..期待高手~
下面是代码:extern "C" BOOL SetCreateToolhelp32SnapshotHook(HMODULE hMod)
{
IMAGE_DOS_HEADER* pDosHeader=(IMAGE_DOS_HEADER*)hMod;
IMAGE_OPTIONAL_HEADER * pOptHeader=(IMAGE_OPTIONAL_HEADER *)((BYTE*)hMod+pDosHeader->e_lfanew+24);
IMAGE_IMPORT_DESCRIPTOR* pImportDesc=(IMAGE_IMPORT_DESCRIPTOR*)((BYTE*)hMod+pOptHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); //在导入表中查找kernel32.dll模块,
while(pImportDesc->FirstThunk)
{
char* pszDllName=(char*)((BYTE*)hMod+pImportDesc->Name);
if(lstrcmpiA(pszDllName,"kernel32.dll")==0)
{
break;
}
pImportDesc++;
}
if(pImportDesc->FirstThunk)
{
//一个IMAGE_THUNK_DATA 结构就是一个双字,它指定了一个导入函数
//调入地址表其实是IMAGE_THUNK_DATA结构的数组,也就是DWORD数组
IMAGE_THUNK_DATA* pThunk=(IMAGE_THUNK_DATA*)((BYTE*)hMod+pImportDesc->FirstThunk);
while(pThunk->u1.Function)
{
//lpAddr指向的内存保存了函数的地址
DWORD* lpAddr=(DWORD*)&(pThunk->u1.Function);
if(*lpAddr==(DWORD)((PROC)CreateToolhelp32Snapshot))//这里找不到..其它函数可以~
{
::MessageBox(NULL,"找到了!","00000",MB_OK);
return TRUE;
//修改IAT表项,使其指向我们自定义的函数
DWORD* lpNewProc=(DWORD*)MyProcs;//自定义的函数
//修改页保护属性
DWORD dwOldProtect;
MEMORY_BASIC_INFORMATION mbi;
VirtualQuery(lpAddr,&mbi,sizeof(mbi));
VirtualProtect(lpAddr,sizeof(DWORD),PAGE_READWRITE,&dwOldProtect);
//写内存
BOOL a =::WriteProcessMemory(GetCurrentProcess(),lpAddr,&lpNewProc,sizeof(DWORD),NULL);
//恢复页的保扩属性
VirtualProtect(lpAddr,sizeof(DWORD),dwOldProtect,0);
return TRUE;
}
pThunk++;
}
}
return FALSE;
}
可是在kernel32.dll里面找不到,而其它像CreateProcess等就可以找到...很不明白..期待高手~
下面是代码:extern "C" BOOL SetCreateToolhelp32SnapshotHook(HMODULE hMod)
{
IMAGE_DOS_HEADER* pDosHeader=(IMAGE_DOS_HEADER*)hMod;
IMAGE_OPTIONAL_HEADER * pOptHeader=(IMAGE_OPTIONAL_HEADER *)((BYTE*)hMod+pDosHeader->e_lfanew+24);
IMAGE_IMPORT_DESCRIPTOR* pImportDesc=(IMAGE_IMPORT_DESCRIPTOR*)((BYTE*)hMod+pOptHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); //在导入表中查找kernel32.dll模块,
while(pImportDesc->FirstThunk)
{
char* pszDllName=(char*)((BYTE*)hMod+pImportDesc->Name);
if(lstrcmpiA(pszDllName,"kernel32.dll")==0)
{
break;
}
pImportDesc++;
}
if(pImportDesc->FirstThunk)
{
//一个IMAGE_THUNK_DATA 结构就是一个双字,它指定了一个导入函数
//调入地址表其实是IMAGE_THUNK_DATA结构的数组,也就是DWORD数组
IMAGE_THUNK_DATA* pThunk=(IMAGE_THUNK_DATA*)((BYTE*)hMod+pImportDesc->FirstThunk);
while(pThunk->u1.Function)
{
//lpAddr指向的内存保存了函数的地址
DWORD* lpAddr=(DWORD*)&(pThunk->u1.Function);
if(*lpAddr==(DWORD)((PROC)CreateToolhelp32Snapshot))//这里找不到..其它函数可以~
{
::MessageBox(NULL,"找到了!","00000",MB_OK);
return TRUE;
//修改IAT表项,使其指向我们自定义的函数
DWORD* lpNewProc=(DWORD*)MyProcs;//自定义的函数
//修改页保护属性
DWORD dwOldProtect;
MEMORY_BASIC_INFORMATION mbi;
VirtualQuery(lpAddr,&mbi,sizeof(mbi));
VirtualProtect(lpAddr,sizeof(DWORD),PAGE_READWRITE,&dwOldProtect);
//写内存
BOOL a =::WriteProcessMemory(GetCurrentProcess(),lpAddr,&lpNewProc,sizeof(DWORD),NULL);
//恢复页的保扩属性
VirtualProtect(lpAddr,sizeof(DWORD),dwOldProtect,0);
return TRUE;
}
pThunk++;
}
}
return FALSE;
}
解决方案 »
免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货