哪位大哥可以看一下问题出现在哪里吗?
这是一个dll,注入之后,可以把原本的MessageBox函数hook为自己的MyMessageBox函数。
但是试过之后没有成功。
代码如下
// IAT_DLL.cpp : Defines the entry point for the DLL application.
//
#include "stdafx.h"
DWORD g_dwIATHookFlag = 0; // hook state: 1 = hooked, 0 = not hooked
DWORD g_dwOldAddr; // address of the original function (the value the IAT slot held before patching)
DWORD g_dwNewAddr; // address of the hook function (the value written into the IAT slot)
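// Redirects the host module's IAT slot that currently holds dwOldAddr to dwNewAddr.
//
// Walks the import directory of the process's main module (GetModuleHandle(NULL))
// and patches the first IAT slot whose value equals dwOldAddr. On success the
// globals g_dwIATHookFlag / g_dwOldAddr / g_dwNewAddr record the hook so that
// UnIATHooK() can undo it.
//
// dwOldAddr  address currently stored in the IAT (the resolved import).
// dwNewAddr  address to store in its place.
// Returns TRUE if a slot was found and patched, FALSE otherwise.
//
// NOTE: DWORD-sized addresses make this 32-bit only; on x64 IAT slots are 64 bits
// wide and the DWORD casts would truncate.
BOOL SetIATHook(DWORD dwOldAddr, DWORD dwNewAddr)
{
    BOOL bFlag = FALSE;
    DWORD dwOldProtect = 0;

    // Base of the host executable; RVAs in the headers are relative to it.
    const DWORD dwImageBase = (DWORD)::GetModuleHandle(NULL);
    const PIMAGE_NT_HEADERS pNtHeader =
        (PIMAGE_NT_HEADERS)(dwImageBase + ((PIMAGE_DOS_HEADER)dwImageBase)->e_lfanew);
    const DWORD dwImportRva =
        pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    // A module with no import directory has nothing to patch.
    if (dwImportRva == 0)
    {
        return FALSE;
    }
    PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor =
        (PIMAGE_IMPORT_DESCRIPTOR)(dwImageBase + dwImportRva);

    // One descriptor per imported DLL; FirstThunk points at that DLL's IAT slice,
    // which is a zero-terminated array of function addresses.
    while (pImportDescriptor->FirstThunk != 0 && bFlag == FALSE)
    {
        PDWORD pFuncAddr = (PDWORD)(dwImageBase + pImportDescriptor->FirstThunk);
        while (*pFuncAddr)
        {
            if (dwOldAddr == *pFuncAddr)
            {
                // The IAT page is normally read-only once the loader is done:
                // make the slot writable, patch it, then restore the old protection.
                if (!VirtualProtect(pFuncAddr, sizeof(DWORD), PAGE_READWRITE, &dwOldProtect))
                {
                    return FALSE;
                }
                *pFuncAddr = dwNewAddr;
                // lpflOldProtect must be a valid pointer. The original passed 0, which
                // makes this call fail and leaves the page writable.
                DWORD dwIgnored = 0;
                VirtualProtect(pFuncAddr, sizeof(DWORD), dwOldProtect, &dwIgnored);
                bFlag = TRUE;
                break;
            }
            pFuncAddr++;
        }
        // Step to the next descriptor. The original advanced by
        // sizeof(PIMAGE_IMPORT_DESCRIPTOR) -- the size of a pointer, not of the
        // 20-byte descriptor -- so every descriptor after the first was read
        // misaligned; that is the most likely reason the hook never matched.
        pImportDescriptor++;
    }

    // Record the hook only when a slot was actually patched, so UnIATHooK() is
    // not asked to undo a hook that was never installed.
    if (bFlag)
    {
        g_dwIATHookFlag = 1;
        g_dwOldAddr = dwOldAddr;
        g_dwNewAddr = dwNewAddr;
    }
    return bFlag;
}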
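// Undoes the hook installed by SetIATHook(): finds the IAT slot of the host
// module that now holds g_dwNewAddr and writes g_dwOldAddr back into it.
//
// Returns TRUE if a slot was found and restored. Returns FALSE (and logs via
// OutputDebugString) when no hook is recorded, or when no slot holds
// g_dwNewAddr. The recorded hook state is cleared in either case once a
// hook was recorded, since the IAT then no longer points at our function.
BOOL UnIATHooK()
{
    BOOL bFlag = FALSE;
    DWORD dwOldProtect = 0;

    // Nothing to undo unless SetIATHook() recorded a hook.
    if (!g_dwIATHookFlag)
    {
        OutputDebugString("UnIATHook失败 尚未进行");
        return bFlag;
    }

    // Base of the host executable; RVAs in the headers are relative to it.
    const DWORD dwImageBase = (DWORD)::GetModuleHandle(NULL);
    const PIMAGE_NT_HEADERS pNtHeader =
        (PIMAGE_NT_HEADERS)(dwImageBase + ((PIMAGE_DOS_HEADER)dwImageBase)->e_lfanew);
    const DWORD dwImportRva =
        pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (dwImportRva == 0)
    {
        return FALSE;
    }
    PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor =
        (PIMAGE_IMPORT_DESCRIPTOR)(dwImageBase + dwImportRva);

    // Same walk as SetIATHook(), looking for the slot that holds our hook address.
    while (pImportDescriptor->FirstThunk != 0 && bFlag == FALSE)
    {
        PDWORD pFuncAddr = (PDWORD)(dwImageBase + pImportDescriptor->FirstThunk);
        while (*pFuncAddr)
        {
            if (g_dwNewAddr == *pFuncAddr)
            {
                if (!VirtualProtect(pFuncAddr, sizeof(DWORD), PAGE_READWRITE, &dwOldProtect))
                {
                    return FALSE;
                }
                *pFuncAddr = g_dwOldAddr;
                // lpflOldProtect must be a valid pointer (the original passed 0,
                // which makes the restore fail and leaves the page writable).
                DWORD dwIgnored = 0;
                VirtualProtect(pFuncAddr, sizeof(DWORD), dwOldProtect, &dwIgnored);
                bFlag = TRUE;
                break;
            }
            pFuncAddr++;
        }
        // Advance by one whole IMAGE_IMPORT_DESCRIPTOR; the original stepped by
        // sizeof(PIMAGE_IMPORT_DESCRIPTOR) (a pointer), misreading later descriptors.
        pImportDescriptor++;
    }

    g_dwIATHookFlag = 0;
    g_dwOldAddr = 0;
    g_dwNewAddr = 0;
    return bFlag;
}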
// Replacement for MessageBoxA installed by SetIATHook(). Forwards to the
// original function, whose address SetIATHook() saved in g_dwOldAddr, with the
// message text swapped for a fixed marker string; hWnd, caption and flags pass
// through unchanged and the caller's lpText is deliberately ignored.
int WINAPI MyMessageBox(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
    // Same signature as MessageBoxA so the saved address can be called directly.
    typedef int (WINAPI *PFNMESSAGEBOX)(HWND, LPCSTR, LPCSTR, UINT);
    const PFNMESSAGEBOX pfnOriginal = (PFNMESSAGEBOX)g_dwOldAddr;
    static const char szMarker[] = "*******已hook***********";
    return pfnOriginal(hWnd, szMarker, lpCaption, uType);
}
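// Worker started from DllMain: toggles the MessageBoxA IAT hook on the host
// module (installs it when g_dwIATHookFlag is 0, removes it otherwise).
//
// lpParameter  unused.
// Returns 0.
//
// NOTE(review): the walk in SetIATHook() only matches if the host imports
// MessageBoxA by that name and its IAT slot still holds the address returned by
// GetProcAddress; a host that calls MessageBoxW, or whose slot already holds a
// different address, yields no match -- confirm against the target module.
DWORD WINAPI ThreadProc(LPVOID lpParameter)
{
    (void)lpParameter;

    // Resolve the real MessageBoxA; this is the value the IAT slot is expected to hold.
    const HMODULE hUser32 = LoadLibrary("user32.dll");
    if (hUser32 == NULL)
    {
        return 0;
    }
    const DWORD pOLdFuncAddr = (DWORD)GetProcAddress(hUser32, "MessageBoxA");
    // The original hooked even when the lookup failed, searching the IAT for 0;
    // bail out instead so no stale hook state is recorded.
    if (pOLdFuncAddr == 0)
    {
        return 0;
    }

    if (!g_dwIATHookFlag)
    {
        SetIATHook(pOLdFuncAddr, (DWORD)MyMessageBox);
    }
    else
    {
        UnIATHooK();
    }
    return 0;
}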
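// DLL entry point.
//
// On DLL_PROCESS_ATTACH a worker thread (ThreadProc) toggles the hook so the IAT
// patching does not run inside DllMain. On DLL_PROCESS_DETACH any hook still
// recorded is removed, because an IAT slot left pointing into this DLL would
// reference unmapped code once the DLL is gone. Thread notifications are ignored.
// Always returns TRUE.
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;

    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        // Nothing waits on the worker, so release the handle at once; the
        // original leaked it. ThreadProc already has the right signature, so no cast.
        const HANDLE hThread = CreateThread(NULL, 0, ThreadProc, NULL, 0, NULL);
        if (hThread != NULL)
        {
            CloseHandle(hThread);
        }
        break;
    }
    case DLL_PROCESS_DETACH:
        if (g_dwIATHookFlag)
        {
            UnIATHooK();
        }
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    }
    return TRUE;
}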