标题:谁写过HOOK IAT,请赐教!谢谢!
只看楼主
ioriliao
Rank: 7Rank: 7Rank: 7
来 自:广东
等 级:贵宾
威 望:32
帖 子:2829
专家分:647
注 册:2006-11-30
得分:0 
源码:
API HOOK.rar (344.63 KB)

终于解决问题了,原来是我对输入表结构不太熟悉的原因,搞错了个判断。
程序代码:
while pThunk^.Function_<>0 do begin
          if pThunk^.Function_=DWORD(originalProc) then break;
          inc(pThunk^.Function_);
end;
上面这代码改为下面这样
while pThunk<>nil do begin
          if pThunk^.Function_=DWORD(originalProc) then break;
          inc(DWORD(pThunk), SizeOf(IMAGE_THUNK_DATA));
    end;

完整的修改:
程序代码:
unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls,TLHelp32,ImageHlp, ExtCtrls, ComCtrls,JwaWinNT;

type
  TForm1 = class(TForm)
    Panel1: TPanel;
    Button1: TButton;
    Button2: TButton;
    procedure Button1Click(Sender: TObject);
    procedure Button2Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;


type
    pFunction=function(hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;
var
  Form1: TForm1;
  pThunk:PIMAGE_THUNK_DATA;
  function MessageBoxB(hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;
  procedure HookFunction(hFormModule:HMODULE; pStrFunctionModule,
                         pStrFunctionName:pchar;pNewFunction:Pointer);
implementation

{$R *.dfm}

procedure HookFunction(hFormModule:HMODULE; pStrFunctionModule,
                       pStrFunctionName:pchar;pNewFunction:Pointer);
type
    pDword=^DWORD;
var
    pid:PIMAGE_IMPORT_DESCRIPTOR;
    //pThunk:PIMAGE_THUNK_DATA;
    uSize:ULONG;
    dllName:String;
    originalProc,pFunc:FARPROC;
    memoryInfo:MEMORY_BASIC_INFORMATION;
    lpflOldProtect:DWord;
    error:DWORD;
    lpNumberOfBytesWritten,Protect: DWORD;
    msgbox:pFunction;
begin
    pid:=PIMAGE_IMPORT_DESCRIPTOR(ImageDirectoryEntryToData(Pointer(hFormModule),
                                  True,IMAGE_DIRECTORY_ENTRY_IMPORT,uSize));
    if pid=nil then exit;
    while pid<>nil do begin
          dllName:=PChar(hFormModule+pid^.Name);
          //if dllName=pStrFunctionModule then break;
          if StrIComp(PCHAR(dllName),pStrFunctionModule)=0 then break;
          inc(DWORD(pid), SizeOf(IMAGE_IMPORT_DESCRIPTOR));
    end;
    if pid^.Name=0 then exit;
    pThunk:=PIMAGE_THUNK_DATA(hFormModule+pid^.FirstThunk);
    originalProc:=GetProcAddress(GetModuleHandle(pStrFunctionModule),'MessageBoxW');
    while pThunk<>nil do begin
          if pThunk^.Function_=DWORD(originalProc) then break;
          inc(DWORD(pThunk), SizeOf(IMAGE_THUNK_DATA));
    end;
    VirtualQuery(@pThunk^.Function_,memoryInfo,SizeOf(memoryInfo));
    if not VirtualProtect(memoryInfo.BaseAddress,memoryInfo.RegionSize,
                          PAGE_READWRITE,Pointer(@memoryInfo.Protect)) then begin
      exit;
    end;
    pThunk^.Function_:=DWORD(pNewFunction);
    if not VirtualProtect(memoryInfo.BaseAddress,memoryInfo.RegionSize,
           PAGE_READONLY,@Protect) then begin
        exit;
    end;
end;

function MessageBoxB(hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;
begin
     Form1.Caption:='hook ok';
end;

procedure TForm1.Button1Click(Sender: TObject);
begin
     MessageBoxW(0,'original','original',mb_ok);
     HookFunction(hInstance,'user32.dll','MessageBoxW',@MessageBoxB);
     //MessageBoxW(0,'xx','xx',mb_ok);
end;

procedure TForm1.Button2Click(Sender: TObject);
begin
     MessageBoxW(0,'xx','xx',mb_ok);
end;

end.


















(*function HookAPIFunction(hFromModule: HMODULE;pszFunctionModule: PAnsiChar;
  pszFunctionName: PAnsiChar;pfnNewProc: Pointer): Pointer;
var
  pfnOriginalProc: Pointer;
  pDosHeader: PImageDosHeader;
  pNTHeader: PImageNtHeaders;
  pImportDesc: PImage_Import_Descriptor;
  pThunk: PImageThunkData;
  dwProtectionFlags,dwScratch: DWORD;
  pszModName: PAnsiChar;
  memInfo:TMemoryBasicInformation;
  xxx:array[0..1024] of char;
  func:Pointer;
begin
  Result := nil;
  pfnOriginalProc := GetProcAddress(GetModuleHandle(pszFunctionModule),pszFunctionName);
  pDosHeader := PImageDosHeader(hFromModule);
  pNTHeader := PImageNTHeaders(DWORD(pDosHeader)+DWORD(pDosHeader^.e_lfanew));
  pImportDesc := PImage_Import_Descriptor(DWORD(pDosHeader)+
                                        DWORD(pNTHeader^.OptionalHeader.
                                        DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].
                                        VirtualAddress));
  while pImportDesc^.Name <> 0 do
  begin
    pszModName := PAnsiChar(Pointer(DWORD(pDosHeader) + DWORD(pImportDesc^.Name)));
    if LowerCase(pszModName) = LowerCase(pszFunctionModule) then Break;
    Inc(pImportDesc);
  end;
  if pImportDesc^.Name = 0 then Exit;
  pThunk := PImageThunkData(DWORD(pDosHeader) + DWORD(pImportDesc^.FirstThunk));
  while pThunk^.Function_ <> 0 do
  begin
    if (pThunk^.Function_ = DWORD(pfnOriginalProc)) then

    begin
      VirtualQuery(@pThunk^.Function_,memInfo,SizeOf(memInfo));
      if true then begin
      dwProtectionFlags := PAGE_READWRITE;
      if VirtualProtect(@pThunk^.Function_,4,PAGE_EXECUTE_READWRITE,@dwScratch) then
      pThunk^.Function_ := DWORD(pfnNewProc);
      //func:=@MessageBoxB;
      //WriteProcessMemory(GetCurrentProcess(), @pThunk^.Function_, @pfnNewProc, 4, dwScratch);
      Result := pfnOriginalProc ;
      Break;
      end;
    end;
    Inc(pThunk);
  end;
end;*)


/images/2011/147787/2011051411021524.jpg" border="0" />
2010-10-18 14:44
ioriliao
Rank: 7Rank: 7Rank: 7
来 自:广东
等 级:贵宾
威 望:32
帖 子:2829
专家分:647
注 册:2006-11-30
得分:0 
以下是引用djxh77710在2010-10-18 13:44:11的发言:

#include  
 
 
typedef int (__stdcall* MYMESSAGEBOX)(
                       HWND hWnd,          // handle to owner window
                       LPCTSTR lpText,     // text in message box
                       LPCTSTR lpCaption,  // message box title
                       UINT uType          // message box style
                       );
 
PROC dwRealAddr = NULL;
MYMESSAGEBOX my = NULL;
int Fuck_MessageBox(  HWND hWnd,          // handle to owner window
                     LPCTSTR lpText,     // text in message box
                     LPCTSTR lpCaption,  // message box title
                     UINT uType  )
{
    my = (MYMESSAGEBOX)dwRealAddr;
    return  my( NULL, L"Fuck", L"fuck you", 1 );
}
 
BOOL HookIat( char* pModule,char* pName )
{
    BOOL bRetCode = FALSE;
    PIMAGE_DOS_HEADER pDosHeader = NULL;
    PIMAGE_NT_HEADERS pNtHeaders = NULL;
    PIMAGE_IMPORT_DESCRIPTOR  pImport = NULL;
    PIMAGE_THUNK_DATA          pThunk = NULL;
    PIMAGE_IMPORT_BY_NAME     pByName = NULL;
 
    HMODULE hMod = GetModuleHandle(0);//LoadLibraryExA( pModule, NULL, DONT_RESOLVE_DLL_REFERENCES );
    dwRealAddr = GetProcAddress( LoadLibraryA("user32.dll"), "MessageBoxA" );
 
    if ( hMod == NULL )
    {
        OutputDebugStringA( "加载失败!" );
        goto Exit0;
    }
 
    pDosHeader = (PIMAGE_DOS_HEADER)hMod;
    pNtHeaders = (PIMAGE_NT_HEADERS)(pDosHeader->e_lfanew + (DWORD)hMod);
    pImport = (PIMAGE_IMPORT_DESCRIPTOR)(pNtHeaders->OptionalHeader.DataDirectory.VirtualAddress + (DWORD)hMod);
 
    do
    {
        if (pImport->FirstThunk)
        {
            pThunk = (PIMAGE_THUNK_DATA)(pImport->FirstThunk+(DWORD)hMod);
            
        }
        else
        {
            pThunk = (PIMAGE_THUNK_DATA)(pImport->OriginalFirstThunk+(DWORD)hMod);
        }
        
        printf("Dll Name: %s: \n",pImport->Name + (DWORD)hMod);
 
        do
        {
            pByName = (PIMAGE_IMPORT_BY_NAME)(pThunk->u1.AddressOfData);
            printf( "pThunk->u1.Function = 0x%x",pThunk->u1.Function);
            if ( dwRealAddr == (PROC)(pThunk->u1.Function))
            {
                printf( "相等\n" );
                MEMORY_BASIC_INFORMATION mbi = {0};
                VirtualQuery( pThunk,&mbi, sizeof(MEMORY_BASIC_INFORMATION) );
                VirtualProtect( mbi.BaseAddress, mbi.RegionSize, PAGE_READWRITE, &mbi.Protect);
                (pThunk->u1.Function) = (DWORD)Fuck_MessageBox;
                break;
            }
            printf("Api Name: %S \n Api Addr: 0x%08x",pByName->Name, pThunk->u1.Function);
            pThunk++;
        } while ( pThunk->u1.ForwarderString );
   
        pImport++;
    } while (pImport->Characteristics );
 
Exit0:
 
    return bRetCode;
}
 
int _tmain(int argc, _TCHAR* argv[])
{
    MessageBoxA( NULL, NULL, NULL,NULL);
    HookIat( "user32.dll","MessageBoxA" );
    MessageBoxA( NULL, NULL, NULL,NULL);
    system("pause");
    return 0;
}上班无聊的时候写的
学习了。

/images/2011/147787/2011051411021524.jpg" border="0" />
2010-10-18 14:45
hahayezhe
Rank: 15Rank: 15Rank: 15Rank: 15Rank: 15
来 自:湖南张家界
等 级:贵宾
威 望:24
帖 子:1386
专家分:6999
注 册:2010-3-8
得分:0 
Microsoft Research.rar (360.2 KB)

给你个微软的库
2010-10-18 16:38
ioriliao
Rank: 7Rank: 7Rank: 7
来 自:广东
等 级:贵宾
威 望:32
帖 子:2829
专家分:647
注 册:2006-11-30
得分:0 
以下是引用hahayezhe在2010-10-18 16:38:20的发言:


给你个微软的库
谢谢hahayezhe兄,请多多指教哦。

/images/2011/147787/2011051411021524.jpg" border="0" />
2010-10-18 17:13
hahayezhe
Rank: 15Rank: 15Rank: 15Rank: 15Rank: 15
来 自:湖南张家界
等 级:贵宾
威 望:24
帖 子:1386
专家分:6999
注 册:2010-3-8
得分:0 
呵呵 这个库 可以动态截获API哦!

函数注入代码 或者 任意的函数哦!

很强大的库!
2010-10-18 17:15
ioriliao
Rank: 7Rank: 7Rank: 7
来 自:广东
等 级:贵宾
威 望:32
帖 子:2829
专家分:647
注 册:2006-11-30
得分:0 
回复 15楼 hahayezhe
我更感兴趣的是这个库的实现,呵呵。。。

/images/2011/147787/2011051411021524.jpg" border="0" />
2010-10-18 18:27
你们都要疼我哦
Rank: 11Rank: 11Rank: 11Rank: 11
来 自:火星
等 级:贵宾
威 望:49
帖 子:1296
专家分:2746
注 册:2008-7-13
得分:0 
Detour

小妹,哥哥看你骨骼清奇,绝非凡人,将来必成大业,不如这样,你先把裤裤脱了,待哥哥为你开启灵窍,然后我们一起努力钻研如何
2010-10-21 23:10
你们都要疼我哦
Rank: 11Rank: 11Rank: 11Rank: 11
来 自:火星
等 级:贵宾
威 望:49
帖 子:1296
专家分:2746
注 册:2008-7-13
得分:0 
才看到13楼发的就是。

小妹,哥哥看你骨骼清奇,绝非凡人,将来必成大业,不如这样,你先把裤裤脱了,待哥哥为你开启灵窍,然后我们一起努力钻研如何
2010-10-21 23:29



参与讨论请移步原网站贴子:https://bbs.bccn.net/thread-323167-1-1.html




关于我们 | 广告合作 | 编程中国 | 清除Cookies | TOP | 手机版

编程中国 版权所有,并保留所有权利。
Powered by Discuz, Processed in 0.186975 second(s), 8 queries.
Copyright©2004-2024, BCCN.NET, All Rights Reserved