A、初识IAT
B、IAT表相关结构
C、读出IAT项
D、编写代码测试分析
E、HOOK IAT
F、测试分析
A、认识IAT表 导入函数表
B、IAT表相关结构
PIMAGE_DOS_HEADER
//->e_lfanew //PE文件头偏移值
PIMAGE_NT_HEADERS //->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress
PIMAGE_IMPORT_DESCRIPTOR
//.FirstThunk //IAT偏移
PIMAGE_THUNK_DATA
// u1.Function
//文件名 IAT.H
#include
/* Replacement that EnumAPI writes into the IAT slot for Sleep.
 * It keeps Sleep's __stdcall convention and DWORD parameter so the
 * caller's stack cleanup still matches; the delay itself is ignored
 * and a message box is shown instead (no sleeping takes place). */
VOID __stdcall mySleep(DWORD m)
{
(void)m; /* the requested duration is not honoured by the replacement */
MessageBoxA(NULL, "Hook 成功", "IAT hook", MB_OK);
}
/* Walks the import table of the running executable, prints every imported
 * module and the address of each IAT slot, and overwrites the slot that
 * currently holds the address of Sleep with the address of mySleep.
 *
 * Returns NULL unconditionally; the caller gets no indication of whether a
 * Sleep slot was found and patched.
 *
 * Platform notes: the pointer-to-DWORD cast and the __asm block are MSVC
 * 32-bit x86 only; on x64 the cast truncates the slot address.
 *
 * Detection angle: after this runs, the IAT entry for Sleep no longer points
 * into kernel32, which is exactly what IAT-integrity checks (comparing each
 * slot against the exporting module's address range) report. */
PVOID EnumAPI()
{
PBYTE ImageBase;
PIMAGE_THUNK_DATA r;
PIMAGE_NT_HEADERS pNtHeader;
PIMAGE_IMPORT_DESCRIPTOR pImport;
/* Base of the executable's own image (its DOS header). The 0x400000 in the
 * trailing comment is the classic default load address, not a guarantee —
 * the value returned here is what must be used. */
ImageBase=(PBYTE)GetModuleHandle(NULL);//0x400000
/* PE header = ImageBase + e_lfanew (the DWORD at offset 0x3c). */
pNtHeader = (PIMAGE_NT_HEADERS) (ImageBase + ((PIMAGE_DOS_HEADER) ImageBase)->e_lfanew);
/* IMAGE_DIRECTORY_ENTRY_IMPORT (index 1) locates the import table.
 * NOTE(review): the directory's VirtualAddress is not checked for zero; an
 * image with no import table would make pImport alias ImageBase and the
 * loop below would read the DOS header as descriptors — confirm inputs. */
pImport = (PIMAGE_IMPORT_DESCRIPTOR)
(ImageBase + pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
/* Walk every import descriptor; the array ends with a descriptor whose
 * Name RVA is 0. */
for (; pImport->Name; pImport++)
{
printf("导入模块:%s\n",ImageBase+pImport->Name);
/* FirstThunk is the RVA of this module's IAT; each entry's u1.Function is
 * the resolved import address, and the array ends with a 0 entry. */
for (r = (PIMAGE_THUNK_DATA) (ImageBase + pImport->FirstThunk); r->u1.Function; r++) //枚举函数地址
{ if (Sleep==(PVOID)r->u1.Function)
{ DWORD pSleep=(DWORD)(&r->u1.Function);
/* Presumably relies on Sleep being declared __declspec(dllimport) so the
 * expression above yields the imported kernel32 address rather than a
 * local call thunk — TODO confirm against the headers in use.
 * The asm below is the 32-bit equivalent of
 *   *(PVOID *)pSleep = (PVOID)mySleep;
 * i.e. it stores mySleep's address into the IAT slot. */
__asm
{
mov ebx,pSleep /* ebx = address of the IAT slot (the example shows 0x42A190) */
lea eax,mySleep
mov [ebx],eax
}
}
/* NOTE(review): %x with a pointer argument is a format/argument mismatch
 * (undefined behaviour per the C standard); %p is the matching specifier. */
printf("Function=%x \n", &(r->u1.Function));
}
}
return NULL;
}
/* Entry point: walk the import table (patching the Sleep slot if found),
 * then call Sleep so the effect of the patch can be observed. */
int main(int argc, char* argv[])
{
(void)argc;
(void)argv;
EnumAPI();
Sleep(111); /* this call goes through the IAT slot EnumAPI may have rewritten */
return 0;
}