标题:谁写过HOOK IAT,请赐教!谢谢!
只看楼主
ioriliao
Rank: 7Rank: 7Rank: 7
来 自:广东
等 级:贵宾
威 望:32
帖 子:2829
专家分:647
注 册:2006-11-30
结帖率:78.95%
已结贴  问题点数:89 回复次数:17 
谁写过HOOK IAT,请赐教!谢谢!
我自己用Delphi写了个,可惜没hook成功,也不知道是哪出了问题,请各位帮忙看看咯。谢谢!
API HOOK.rar (344.51 KB)

程序代码:
unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls,TLHelp32,ImageHlp, ExtCtrls, ComCtrls,JwaWinNT;

type
  TForm1 = class(TForm)
    Panel1: TPanel;
    Button1: TButton;
    procedure Button1Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;


type
    pFunction=function(hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;
var
  Form1: TForm1;
  pThunk:PIMAGE_THUNK_DATA;
  function MessageBoxB(hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;
  procedure HookFunction(hFormModule:HMODULE; pStrFunctionModule,
                         pStrFunctionName:pchar;pNewFunction:Pointer);
implementation

{$R *.dfm}

procedure HookFunction(hFormModule:HMODULE; pStrFunctionModule,
                       pStrFunctionName:pchar;pNewFunction:Pointer);
var
    pid:PIMAGE_IMPORT_DESCRIPTOR;
    //pThunk:PIMAGE_THUNK_DATA;
    uSize:ULONG;
    dllName:String;
    originalProc,pFunc:FARPROC;
    memoryInfo:MEMORY_BASIC_INFORMATION;
    lpflOldProtect:DWord;
    error:DWORD;
    lpNumberOfBytesWritten,Protect: DWORD;
    msgbox:pFunction;
begin
    pid:=PIMAGE_IMPORT_DESCRIPTOR(ImageDirectoryEntryToData(Pointer(hFormModule),
                                  True,IMAGE_DIRECTORY_ENTRY_IMPORT,uSize));
    if pid=nil then exit;
    while pid<>nil do begin
          dllName:=PChar(hFormModule+pid^.Name);
          if dllName=pStrFunctionModule then break;
          inc(pid);
    end;
    if pid^.Name=0 then exit;
    pThunk:=PIMAGE_THUNK_DATA(hFormModule+pid^.FirstThunk);
    originalProc:=GetProcAddress(GetModuleHandle(pStrFunctionModule),'MessageBoxA');
    while pThunk^.Function_<>0 do begin
          if pThunk^.Function_=DWORD(originalProc) then break;
          inc(pThunk^.Function_);
    end;
    VirtualQuery(@pThunk^.Function_,memoryInfo,SizeOf(memoryInfo));
    if not VirtualProtect(memoryInfo.BaseAddress,memoryInfo.RegionSize,
                          PAGE_READWRITE,Pointer(@memoryInfo.Protect)) then begin
      exit;
    end;
    pThunk^.Function_:=DWORD(pNewFunction);
    //WriteProcessMemory(GetCurrentProcess,@pThunk^.Function_,@pNewFunction,4,lpNumberOfBytesWritten);
    //if not WriteProcessMemory(GetCurrentProcess,@pThunk^.Function_,
                              //@pNewFunction,4,lpNumberOfBytesWritten) then begin
        //exit;
    //end;
    if not VirtualProtect(memoryInfo.BaseAddress,memoryInfo.RegionSize,
           PAGE_READONLY,@Protect) then begin
        exit;
    end;
end;

function MessageBoxB(hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;
begin
     exit;
end;

procedure TForm1.Button1Click(Sender: TObject);
begin
     HookFunction(hInstance,'user32.dll','MessageBoxA',@MessageBoxB);
     MessageBoxA(0,'xx','xx',mb_ok);
end;

end.


















(*function HookAPIFunction(hFromModule: HMODULE;pszFunctionModule: PAnsiChar;
  pszFunctionName: PAnsiChar;pfnNewProc: Pointer): Pointer;
var
  pfnOriginalProc: Pointer;
  pDosHeader: PImageDosHeader;
  pNTHeader: PImageNtHeaders;
  pImportDesc: PImage_Import_Descriptor;
  pThunk: PImageThunkData;
  dwProtectionFlags,dwScratch: DWORD;
  pszModName: PAnsiChar;
  memInfo:TMemoryBasicInformation;
  xxx:array[0..1024] of char;
  func:Pointer;
begin
  Result := nil;
  pfnOriginalProc := GetProcAddress(GetModuleHandle(pszFunctionModule),pszFunctionName);
  pDosHeader := PImageDosHeader(hFromModule);
  pNTHeader := PImageNTHeaders(DWORD(pDosHeader)+DWORD(pDosHeader^.e_lfanew));
  pImportDesc := PImage_Import_Descriptor(DWORD(pDosHeader)+
                                        DWORD(pNTHeader^.OptionalHeader.
                                        DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].
                                        VirtualAddress));
  while pImportDesc^.Name <> 0 do
  begin
    pszModName := PAnsiChar(Pointer(DWORD(pDosHeader) + DWORD(pImportDesc^.Name)));
    if LowerCase(pszModName) = LowerCase(pszFunctionModule) then Break;
    Inc(pImportDesc);
  end;
  if pImportDesc^.Name = 0 then Exit;
  pThunk := PImageThunkData(DWORD(pDosHeader) + DWORD(pImportDesc^.FirstThunk));
  while pThunk^.Function_ <> 0 do
  begin
    if (pThunk^.Function_ = DWORD(pfnOriginalProc)) then

    begin
      VirtualQuery(@pThunk^.Function_,memInfo,SizeOf(memInfo));
      if true then begin
      dwProtectionFlags := PAGE_READWRITE;
      if VirtualProtect(@pThunk^.Function_,4,PAGE_EXECUTE_READWRITE,@dwScratch) then
      pThunk^.Function_ := DWORD(pfnNewProc);
      //func:=@MessageBoxB;
      //WriteProcessMemory(GetCurrentProcess(), @pThunk^.Function_, @pfnNewProc, 4, dwScratch);
      Result := pfnOriginalProc ;
      Break;
      end;
    end;
    Inc(pThunk);
  end;
end;*)
搜索更多相关主题的帖子: IAT HOOK 
2010-10-17 16:43
ioriliao
Rank: 7Rank: 7Rank: 7
来 自:广东
等 级:贵宾
威 望:32
帖 子:2829
专家分:647
注 册:2006-11-30
得分:0 
进来,哼一声也好吧。。。

/images/2011/147787/2011051411021524.jpg" border="0" />
2010-10-17 18:47
火龙果
Rank: 2
等 级:论坛游民
帖 子:42
专家分:79
注 册:2010-6-26
得分:0 
竟然不是C语言,
2010-10-17 19:56
az9841682
Rank: 7Rank: 7Rank: 7
等 级:黑侠
威 望:5
帖 子:312
专家分:596
注 册:2009-9-11
得分:5 
说实话 WIN汇编里的函数个数 看的我蛋疼
我哼了声了哦
2010-10-17 20:12
ioriliao
Rank: 7Rank: 7Rank: 7
来 自:广东
等 级:贵宾
威 望:32
帖 子:2829
专家分:647
注 册:2006-11-30
得分:0 
用ollydbg调试了,调试过程如下
首先断在还没有hook之前的MessageBox,对应程序中的代码即是红色那句
procedure TForm1.Button1Click(Sender: TObject);
begin
     MessageBoxA(0,'original','original',mb_ok);
     HookFunction(hInstance,'user32.dll','MessageBoxA',@MessageBoxB);
     MessageBoxA(0,'xx','xx',mb_ok);
end;
反汇编代码是:

在call那里按F7进入到

双击黄色标示那句jmp代码,然后弹出一个窗口,很明显这句代码是jmp到地址4534CC处。
如果没理解错的话这个地方应该就是pThunk^.Function_的地址。   
接着当我获取pThunk^.Function_地址时却发现不是这个地址,而是004531B8这个地址,很明显这是跳到
user32.GetKeyt...的地址。难道我程序获取错了thunk function address。观察中。。。。


/images/2011/147787/2011051411021524.jpg" border="0" />
2010-10-17 21:18
flyue
Rank: 10Rank: 10Rank: 10
来 自:江南西道
等 级:贵宾
威 望:19
帖 子:3465
专家分:1563
注 册:2006-6-20
得分:10 
我写过,不过是WIN32 C的,而且只能钩住本程序的函数。
当然稍微修改下可以钩别的进程。
你需要?

天之道,损有余而补不足.人之道则不然,损不足以奉有余.孰能有余以奉天下,唯有道者.
2010-10-18 08:28
flyue
Rank: 10Rank: 10Rank: 10
来 自:江南西道
等 级:贵宾
威 望:19
帖 子:3465
专家分:1563
注 册:2006-6-20
得分:0 
微软有个官方开源库,是专门用来钩API的,你可以搜索看看

天之道,损有余而补不足.人之道则不然,损不足以奉有余.孰能有余以奉天下,唯有道者.
2010-10-18 08:30
ioriliao
Rank: 7Rank: 7Rank: 7
来 自:广东
等 级:贵宾
威 望:32
帖 子:2829
专家分:647
注 册:2006-11-30
得分:0 
回复 6楼 flyue
请flyue兄借来参考下,谢谢!呵呵。。。

/images/2011/147787/2011051411021524.jpg" border="0" />
2010-10-18 08:42
longlong89
Rank: 11Rank: 11Rank: 11Rank: 11
来 自:广州
等 级:小飞侠
威 望:6
帖 子:1043
专家分:2754
注 册:2009-8-18
得分:5 
Windows核心编程

想象力征服世界
2010-10-18 13:20
djxh77710
Rank: 2
来 自:中国
等 级:论坛游民
帖 子:71
专家分:88
注 册:2008-10-20
得分:69 
程序代码:
#include <windows.h>


typedef int (__stdcall* MYMESSAGEBOX)(
                       HWND hWnd,          // handle to owner window
                       LPCTSTR lpText,     // text in message box
                       LPCTSTR lpCaption,  // message box title
                       UINT uType          // message box style
                       );

PROC dwRealAddr = NULL;
MYMESSAGEBOX my = NULL;
int Fuck_MessageBox(  HWND hWnd,          // handle to owner window
                     LPCTSTR lpText,     // text in message box
                     LPCTSTR lpCaption,  // message box title
                     UINT uType  )
{
    my = (MYMESSAGEBOX)dwRealAddr;
    return  my( NULL, L"Fuck", L"fuck you", 1 );
}

BOOL HookIat( char* pModule,char* pName )
{
    BOOL bRetCode = FALSE;
    PIMAGE_DOS_HEADER pDosHeader = NULL;
    PIMAGE_NT_HEADERS pNtHeaders = NULL;
    PIMAGE_IMPORT_DESCRIPTOR  pImport = NULL;
    PIMAGE_THUNK_DATA          pThunk = NULL;
    PIMAGE_IMPORT_BY_NAME     pByName = NULL;

    HMODULE hMod = GetModuleHandle(0);//LoadLibraryExA( pModule, NULL, DONT_RESOLVE_DLL_REFERENCES );
    dwRealAddr = GetProcAddress( LoadLibraryA("user32.dll"), "MessageBoxA" );

    if ( hMod == NULL )
    {
        OutputDebugStringA( "加载失败!" );
        goto Exit0;
    }

    pDosHeader = (PIMAGE_DOS_HEADER)hMod;
    pNtHeaders = (PIMAGE_NT_HEADERS)(pDosHeader->e_lfanew + (DWORD)hMod);
    pImport = (PIMAGE_IMPORT_DESCRIPTOR)(pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (DWORD)hMod);

    do
    {
        if (pImport->FirstThunk)
        {
            pThunk = (PIMAGE_THUNK_DATA)(pImport->FirstThunk+(DWORD)hMod);
           
        }
        else
        {
            pThunk = (PIMAGE_THUNK_DATA)(pImport->OriginalFirstThunk+(DWORD)hMod);
        }
       
        printf("Dll Name: %s: \n",pImport->Name + (DWORD)hMod);

        do
        {
            pByName = (PIMAGE_IMPORT_BY_NAME)(pThunk->u1.AddressOfData);
            printf( "pThunk->u1.Function = 0x%x",pThunk->u1.Function);
            if ( dwRealAddr == (PROC)(pThunk->u1.Function))
            {
                printf( "相等\n" );
                MEMORY_BASIC_INFORMATION mbi = {0};
                VirtualQuery( pThunk,&mbi, sizeof(MEMORY_BASIC_INFORMATION) );
                VirtualProtect( mbi.BaseAddress, mbi.RegionSize, PAGE_READWRITE, &mbi.Protect);
                (pThunk->u1.Function) = (DWORD)Fuck_MessageBox;
                break;
            }
            printf("Api Name: %S \n Api Addr: 0x%08x",pByName->Name, pThunk->u1.Function);
            pThunk++;
        } while ( pThunk->u1.ForwarderString );
   
        pImport++;
    } while (pImport->Characteristics );

Exit0:

    return bRetCode;
}

int _tmain(int argc, _TCHAR* argv[])
{
    MessageBoxA( NULL, NULL, NULL,NULL);
    HookIat( "user32.dll","MessageBoxA" );
    MessageBoxA( NULL, NULL, NULL,NULL);
    system("pause");
    return 0;
}
上班无聊的时候写的

No Pains ,No Gains....
2010-10-18 13:44



参与讨论请移步原网站贴子:https://bbs.bccn.net/thread-323167-1-1.html




关于我们 | 广告合作 | 编程中国 | 清除Cookies | TOP | 手机版

编程中国 版权所有,并保留所有权利。
Powered by Discuz, Processed in 0.644467 second(s), 8 queries.
Copyright©2004-2024, BCCN.NET, All Rights Reserved