HOOK IAT的代码与例子,备忘

#include <windows.h>

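/*
 * HookAPI - redirect one slot of a loaded module's Import Address Table (IAT).
 *
 * Walks the import descriptors of the PE image mapped at pbModule, finds the
 * descriptor whose DLL name matches pszName (case-insensitive), and replaces
 * the first IAT slot whose current value equals pvOrg with pvNew.
 *
 * Parameters:
 *   pbModule - base address of the mapped image whose IAT is patched.
 *   pszName  - name of the imported DLL, e.g. "Kernel32.dll".
 *   pvOrg    - address currently stored in the slot (the resolved import).
 *   pvNew    - address to store in its place.
 *
 * Returns pvOrg when a slot was rewritten, NULL when an argument is NULL,
 * the headers do not look like a PE image, no slot matched, or the write
 * failed.
 *
 * Scope: only the import table of this one module is changed. Calls made
 * through other modules' import tables, or through an address obtained some
 * other way, do not go through the patched slot. After a successful patch
 * the slot holds pvNew rather than an address exported by the DLL named in
 * the descriptor, which is the mismatch an import-table integrity check
 * looks for.
 */
PVOID HookAPI(PBYTE pbModule, PCSTR pszName, PVOID pvOrg, PVOID pvNew)
{
	PIMAGE_DOS_HEADER pDos;
	PIMAGE_NT_HEADERS pNt;
	PIMAGE_IMPORT_DESCRIPTOR pImp;
	PIMAGE_THUNK_DATA pThunk;
	DWORD dwImportRva;
	SIZE_T cbWritten;

	if (pbModule == NULL || pszName == NULL || pvOrg == NULL || pvNew == NULL)
		return NULL;

	/* Refuse to walk memory that does not start with a DOS/PE header pair. */
	pDos = (PIMAGE_DOS_HEADER) pbModule;
	if (pDos->e_magic != IMAGE_DOS_SIGNATURE || pDos->e_lfanew <= 0)
		return NULL;

	pNt = (PIMAGE_NT_HEADERS) (pbModule + pDos->e_lfanew);
	if (pNt->Signature != IMAGE_NT_SIGNATURE)
		return NULL;

	/*
	 * An image without an import directory has RVA 0 here; using it
	 * unchecked would make the descriptor walk start at the DOS header.
	 */
	if (pNt->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_IMPORT)
		return NULL;

	dwImportRva =
		pNt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
	if (dwImportRva == 0 || dwImportRva >= pNt->OptionalHeader.SizeOfImage)
		return NULL;

	/* The descriptor array ends at the entry whose Name RVA is zero. */
	for (pImp = (PIMAGE_IMPORT_DESCRIPTOR) (pbModule + dwImportRva); pImp->Name; pImp++)
	{
		if (lstrcmpiA(pszName, (PCSTR) (pbModule + pImp->Name)) != 0)
			continue;

		/* FirstThunk is the bound IAT; it ends at a zero slot. */
		for (pThunk = (PIMAGE_THUNK_DATA) (pbModule + pImp->FirstThunk);
			pThunk->u1.Function; pThunk++)
		{
			if ((ULONG_PTR) pThunk->u1.Function != (ULONG_PTR) pvOrg)
				continue;

			/*
			 * NOTE(review): the IAT is often in read-only memory once the
			 * image is loaded, so the write can fail. Report that instead
			 * of claiming the hook was installed.
			 */
			cbWritten = 0;
			if (!WriteProcessMemory(GetCurrentProcess(),
					&pThunk->u1.Function, &pvNew, sizeof(PVOID), &cbWritten)
				|| cbWritten != sizeof(PVOID))
			{
				return NULL;
			}
			return pvOrg;
		}
	}
	return NULL;
}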



/* Pointer type matching the signature used for Sleep in this file. */
typedef VOID (__stdcall *SleepType)(DWORD dwMilliseconds);

/*
 * Address NewSleep forwards to. It is NULL until main() assigns it, so
 * NewSleep must not run before that assignment.
 */
SleepType OldSleep = NULL;



/*
 * Replacement installed in place of Sleep: forwards to the saved original
 * with the requested duration divided by 100 (integer division, so any
 * request under 100 ms becomes 0).
 */
VOID __stdcall NewSleep(DWORD dwMilliseconds)
{
	DWORD dwScaled = dwMilliseconds / 100;

	OldSleep(dwScaled);
}


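/*
 * Demo: patch this executable's own import of Sleep from Kernel32.dll so
 * that it resolves to NewSleep, then call Sleep three times. With the hook
 * in place each 20000 ms request is forwarded as 200 ms.
 *
 * Returns 0 on success, 1 when the import slot could not be patched.
 */
int main(int argc, char* argv[])
{
	(void) argc;
	(void) argv;

	/*
	 * Save the real address before the slot is rewritten, so NewSleep never
	 * runs while OldSleep is still NULL.
	 */
	OldSleep = (SleepType) Sleep;

	/* GetModuleHandle(NULL) is the base of the running executable. */
	if (HookAPI((PBYTE) GetModuleHandle(NULL), "Kernel32.dll",
			(PVOID) Sleep, (PVOID) NewSleep) == NULL)
	{
		/* No matching slot was found: stop instead of running unhooked. */
		return 1;
	}

	Sleep(20000);
	Sleep(20000);
	Sleep(20000);
	return 0;
}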
