修改IAT实现API HOOK

修改IAT实现API HOOK
Robinh00d @ 2006-05-10 16:35

//修改IAT实现本进程API HOOK
//coded by robinh00d*inh4ss*<[email protected]>
//QQ:530222815
//MSN:[email protected]
// 参考了《Hooking Windows API》By Holy_Father From 29A#7
#include <stdio.h>
#include <windows.h>
#include <Dbghelp.h>

#pragma comment(lib,"Dbghelp.lib")

/************************************************************/
// Hook target: the module and the exported function whose IAT slot is replaced.
char *szHookModName = "USER32.dll";
char *szHookFunName = "MessageBoxA";

// Text that Hooked() substitutes for the caller's message argument.
char *szHacked = "MessageBoxA() has been hooked!";

// Code addresses are kept in DWORDs, which only hold a full pointer in a
// 32-bit build.
DWORD dwHookFun;      // address of Hooked(), the value written into the IAT slot
DWORD dwHookApiAddr;  // address returned by GetProcAddress; Hooked() jumps to it

// Cursors used while walking the import table of the executable.
PIMAGE_IMPORT_DESCRIPTOR pImportDesc;  // current import descriptor
PIMAGE_THUNK_DATA32 pImageThunkData;   // current thunk of the matched descriptor
char *szModName = NULL;                // module name of the current descriptor
DWORD *dwCurAddr;                      // points at the current thunk's Function field
ULONG uSize;                           // size output of ImageDirectoryEntryToData

// Scratch values for the page-protection change around the write.
MEMORY_BASIC_INFORMATION mbi;  // filled by VirtualQuery for the slot's memory region
DWORD dwOldProtect;            // receives a previous-protection value from VirtualProtect
/************************************************************/

// Replacement target that WinMain writes into the MessageBoxA IAT slot.
// It swaps the caller's text argument for szHacked and then jumps to the real
// API at dwHookApiAddr, so the API returns straight to the original caller.
//
// NOTE(review): the function is not declared naked, so the asm relies on the
// compiler having emitted the usual x86 frame prologue (push ebp / mov ebp,esp)
// before it - TODO confirm for the build settings in use. If that prologue
// also changes callee-saved registers, nothing here restores them.
// Inline __asm in this form is 32-bit x86 only.
void Hooked()
{
 __asm
 {
  // Drop anything the prologue placed below the frame pointer.
  mov  esp,ebp
  // Overwrite the second stack argument at [ebp+12] with the szHacked
  // pointer (for MessageBoxA that argument is the message text).
  push szHacked
  pop  DWORD PTR [ebp+12]
  // Restore the caller's ebp; esp now points at the caller's return address.
  pop  ebp
  // Continue in the real API with the caller's stack frame otherwise intact.
  jmp dwHookApiAddr
 }
}

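// Finds the import address table (IAT) slot that holds dwHookApiAddr in the
// image loaded at hInstance and overwrites it with dwHookFun.
//
// The caller must have set dwHookFun and dwHookApiAddr first. Only the import
// table of this one image is touched; other loaded modules keep calling the
// real API. Returns TRUE when the slot was patched and FALSE when the import
// directory, the module's descriptor or the slot could not be found, or when
// the page protection could not be changed.
//
// After a successful patch the slot points into this executable instead of
// into USER32.dll, which is the mismatch that import-table integrity checks
// look for.
static BOOL PatchImportSlot(HINSTANCE hInstance)
{
    DWORD dwIgnored = 0;

    pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(hInstance,
                                                                      TRUE,
                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT,
                                                                      &uSize);
    if (pImportDesc == NULL)
    {
        // ImageDirectoryEntryToData returns NULL when the image has no
        // import directory; dereferencing it would crash.
        printf("Import directory not found!\n");
        return FALSE;
    }

    // Find the import descriptor of the module that exports the target API.
    // Module names are case-insensitive on Windows, so compare accordingly.
    while (pImportDesc->Name)
    {
        szModName = (char *)((PBYTE)hInstance + pImportDesc->Name);
        if (lstrcmpiA(szModName, szHookModName) == 0)
        {
            break;
        }
        pImportDesc++;
    }
    if (pImportDesc->Name == 0)
    {
        // The terminating descriptor was reached: its FirstThunk is zero and
        // must not be walked as a thunk table.
        printf("%s is not in the import table!\n", szHookModName);
        return FALSE;
    }

    pImageThunkData = (PIMAGE_THUNK_DATA32)((PBYTE)hInstance + pImportDesc->FirstThunk);

    while (pImageThunkData->u1.Function)
    {
        dwCurAddr = &pImageThunkData->u1.Function;
        if (*dwCurAddr == dwHookApiAddr)
        {
            // The IAT is normally read-only once the loader has bound it, so
            // the region is made writable for the duration of the write only.
            if (VirtualQuery(dwCurAddr, &mbi, sizeof(MEMORY_BASIC_INFORMATION)) == 0 ||
                !VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_READWRITE, &dwOldProtect))
            {
                printf("Cannot make the IAT writable!\n");
                return FALSE;
            }

            *dwCurAddr = dwHookFun;

            // Put the original protection back; the hook itself is already
            // installed, so a failure here is reported but not fatal.
            if (!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, dwOldProtect, &dwIgnored))
            {
                printf("Cannot restore the IAT protection!\n");
            }
            return TRUE;
        }
        pImageThunkData++;
    }

    printf("%s is not imported from %s!\n", szHookFunName, szHookModName);
    return FALSE;
}

// Demo entry point: redirects this executable's own import of
// USER32!MessageBoxA to Hooked() and then calls MessageBoxA once.
//
// If the hook was installed, the box shows szHacked; if any step failed, the
// call reaches the real API unchanged and the box shows "NOT HOOKED!".
// hPrevInstance, lpCmdLine and nShowCmd are unused.
//
// Returns -1 when USER32.dll cannot be loaded, otherwise 0.
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
    // The names are char strings, so call the ANSI entry point explicitly
    // instead of relying on how the LoadLibrary macro expands.
    HMODULE hUser32 = LoadLibraryA(szHookModName);

    if (hUser32 == NULL)
    {
        printf("Load User32.dll failed!\n");
        return -1;
    }

    // Pointer-to-DWORD casts: valid for a 32-bit build only.
    dwHookFun = (DWORD)Hooked;
    dwHookApiAddr = (DWORD)GetProcAddress(hUser32, szHookFunName);

    if (dwHookApiAddr == 0)
    {
        // Without the real address there is nothing to match in the IAT and
        // nothing for Hooked() to jump to, so leave the import untouched.
        printf("GetProcAddress(%s) failed!\n", szHookFunName);
    }
    else
    {
        (void)PatchImportSlot(hInstance);
    }

    // The API that was to be hooked: the text shown tells whether the patch
    // took effect.
    MessageBoxA(0, "NOT HOOKED!", "robinh00d/[Inh4ss]", 0);

    return 0;
}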
