
IATHook



IATHookClass.h

 

 1 #pragma once
 2 
 3 #include <Windows.h>
 4 
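/// Installs and removes a single import-address-table (IAT) hook in the
/// main executable image of the current process.
///
/// Only one hook is tracked at a time: Hook() saves the original IAT value
/// and the replacement address, UnHook() writes the original back. Both
/// slots are DWORD-sized, so the class assumes a 32-bit (PE32) image, where
/// IMAGE_THUNK_DATA::u1.Function is a DWORD. No synchronization is done; the
/// caller must make sure no other thread patches the same IAT entry.
class IATHookClass
{
private:
    DWORD oldAddr;   // original IAT entry saved by Hook(); 0 while no hook is active
    DWORD newAddr;   // replacement address written by Hook(); 0 while no hook is active

public:
    /// Start with both slots empty so UnHook() on a fresh object is a no-op
    /// instead of comparing the IAT against uninitialized memory.
    IATHookClass() : oldAddr(0), newAddr(0) {}

    /// Replace the IAT entry of the named import with callfunc.
    /// @param apiName  ANSI name of the imported function, compared case-insensitively
    /// @param callfunc address to store in the IAT slot; must be non-zero
    /// @return TRUE when the entry was found and rewritten, FALSE otherwise
    BOOL Hook(char *apiName, DWORD callfunc);

    /// Restore the IAT entry that Hook() replaced and clear both slots.
    /// @return TRUE when the original address was written back, FALSE otherwise
    BOOL UnHook(void);
};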

 

 

 

IATHookClass.cpp

 

 1 #include "IATHookClass.h"
 2 
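/// Rewrite the main image's IAT entry for apiName so it points to callfunc,
/// saving the original value for UnHook().
///
/// Walks IMAGE_DIRECTORY_ENTRY_IMPORT of GetModuleHandle(NULL); the IATs of
/// other loaded modules are not touched. Only name imports are compared —
/// imports by ordinal carry no name and are skipped. Assumes a 32-bit (PE32)
/// image, where u1.Function is a DWORD.
///
/// @param apiName  ANSI name of the imported function, compared case-insensitively
/// @param callfunc address to store in the IAT slot; 0 is rejected so the slot
///                 is never overwritten with a null pointer
/// @return TRUE when the slot was found and rewritten; FALSE on bad arguments,
///         malformed headers, a missing import directory, a name that is not
///         imported, or a VirtualQuery/VirtualProtect failure
BOOL IATHookClass::Hook(char *apiName, DWORD callfunc)
{
    if (apiName == NULL || callfunc == 0)
        return FALSE;

    // GetModuleHandle returns a module base, not a kernel object handle:
    // it must not be passed to CloseHandle.
    HMODULE hMod = GetModuleHandle(NULL);
    if (hMod == NULL)
        return FALSE;
    BYTE *base = (BYTE *)hMod;

    // Validate both signatures before trusting any offset read from the headers.
    IMAGE_DOS_HEADER *pDosHeader = (IMAGE_DOS_HEADER *)base;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return FALSE;
    IMAGE_NT_HEADERS *pNtHeaders = (IMAGE_NT_HEADERS *)(base + pDosHeader->e_lfanew);
    if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
        return FALSE;

    const IMAGE_DATA_DIRECTORY &importDir =
        pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (importDir.VirtualAddress == 0 || importDir.Size == 0)
        return FALSE;   // image has no import table

    IMAGE_IMPORT_DESCRIPTOR *pImportDesc =
        (IMAGE_IMPORT_DESCRIPTOR *)(base + importDir.VirtualAddress);

    for (; pImportDesc->FirstThunk != 0; ++pImportDesc)
    {
        // OriginalFirstThunk (the import name table) is optional. Without it
        // there are no names to compare against, so the descriptor is skipped
        // rather than dereferencing RVA 0.
        if (pImportDesc->OriginalFirstThunk == 0)
            continue;

        IMAGE_THUNK_DATA *pThunk = (IMAGE_THUNK_DATA *)(base + pImportDesc->FirstThunk);             // IAT: the slot that gets patched
        IMAGE_THUNK_DATA *pNameThunk = (IMAGE_THUNK_DATA *)(base + pImportDesc->OriginalFirstThunk); // INT: carries the names

        for (; pNameThunk->u1.AddressOfData != 0; ++pThunk, ++pNameThunk)
        {
            // For an ordinal import AddressOfData is not an RVA, so it must not
            // be turned into a pointer.
            if (IMAGE_SNAP_BY_ORDINAL(pNameThunk->u1.Ordinal))
                continue;

            IMAGE_IMPORT_BY_NAME *pImport = (IMAGE_IMPORT_BY_NAME *)(base + pNameThunk->u1.AddressOfData);
            if (lstrcmpiA(apiName, (const char *)pImport->Name) != 0)
                continue;

            // Request only the access the patch needs: write access, plus execute
            // only if the page already has it (some linkers merge the IAT into an
            // executable section). This avoids creating a fresh RWX mapping.
            MEMORY_BASIC_INFORMATION mbi = {0};
            if (VirtualQuery(&pThunk->u1.Function, &mbi, sizeof(mbi)) == 0)
                return FALSE;
            const DWORD execMask = PAGE_EXECUTE | PAGE_EXECUTE_READ |
                                   PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY;
            const DWORD wantProtect = (mbi.Protect & execMask) ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE;

            DWORD dwOldProtect = 0;
            if (!VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function), wantProtect, &dwOldProtect))
                return FALSE;

            oldAddr = pThunk->u1.Function;
            newAddr = callfunc;
            pThunk->u1.Function = callfunc;

            // Put the previous protection back; if this fails the hook is still
            // installed, the page merely stays writable.
            VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function), dwOldProtect, &dwOldProtect);
            return TRUE;
        }
    }

    // No import with that name; nothing was changed.
    return FALSE;
}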
39 
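/// Restore the IAT entry that Hook() replaced.
///
/// Scans the IAT of GetModuleHandle(NULL) for the slot currently holding
/// newAddr and writes oldAddr back into it. Both slots are cleared on
/// success so a second UnHook() is a no-op. Assumes a 32-bit (PE32) image.
///
/// @return TRUE when the original address was written back; FALSE when no
///         hook is recorded, the headers are malformed, the image has no
///         import table, the hooked slot is no longer found, or
///         VirtualQuery/VirtualProtect fails
BOOL IATHookClass::UnHook(void)
{
    // Nothing recorded by Hook() — nothing to restore.
    if (newAddr == 0 || oldAddr == 0)
        return FALSE;

    // Module base, not a kernel handle: never passed to CloseHandle.
    HMODULE hMod = GetModuleHandle(NULL);
    if (hMod == NULL)
        return FALSE;
    BYTE *base = (BYTE *)hMod;

    IMAGE_DOS_HEADER *pDosHeader = (IMAGE_DOS_HEADER *)base;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return FALSE;
    IMAGE_NT_HEADERS *pNtHeaders = (IMAGE_NT_HEADERS *)(base + pDosHeader->e_lfanew);
    if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
        return FALSE;

    const IMAGE_DATA_DIRECTORY &importDir =
        pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (importDir.VirtualAddress == 0 || importDir.Size == 0)
        return FALSE;   // image has no import table

    IMAGE_IMPORT_DESCRIPTOR *pImportDesc =
        (IMAGE_IMPORT_DESCRIPTOR *)(base + importDir.VirtualAddress);

    for (; pImportDesc->FirstThunk != 0; ++pImportDesc)
    {
        IMAGE_THUNK_DATA *pThunk = (IMAGE_THUNK_DATA *)(base + pImportDesc->FirstThunk);

        // Both loops advance on every iteration; a scan that never moved its
        // pointer would spin forever on the first slot that does not match.
        for (; pThunk->u1.Function != 0; ++pThunk)
        {
            if (pThunk->u1.Function != newAddr)
                continue;

            // Same least-privilege rule as Hook(): keep execute only if the page
            // already has it, otherwise ask for plain read/write.
            MEMORY_BASIC_INFORMATION mbi = {0};
            if (VirtualQuery(&pThunk->u1.Function, &mbi, sizeof(mbi)) == 0)
                return FALSE;
            const DWORD execMask = PAGE_EXECUTE | PAGE_EXECUTE_READ |
                                   PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY;
            const DWORD wantProtect = (mbi.Protect & execMask) ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE;

            DWORD dwOldProtect = 0;
            if (!VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function), wantProtect, &dwOldProtect))
                return FALSE;

            pThunk->u1.Function = oldAddr;

            VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function), dwOldProtect, &dwOldProtect);

            // The slot is back to its original value; forget the hook.
            newAddr = 0;
            oldAddr = 0;
            return TRUE;
        }
    }

    // The patched slot was not found (e.g. something else rewrote it); the
    // recorded addresses are kept so a later call can still try.
    return FALSE;
}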

 

IATHook


原文地址:https://www.cnblogs.com/biaoge140/p/8734239.html
