VC进程相关的学习(五)(API截获完美版)

通过IE测试发现,(四)中的方法只能获取用Depends看到的、在启动时加载的DLL,而后来加载的,以及由DLL再加载的DLL都是无法获得的。
这里补充一个可以截取所有DLL包括LoadLibrary的方法:

// MyHook: import-address-table (IAT) patching helpers for the current process.
// As pasted, every hook is matched by address (pHookApi->pOldFunc), not by
// import name: hookAPIForAll resolves pOldFunc first and then walks every
// module returned by EnumProcessModules, which is what lets it reach modules
// that were loaded after process start.
// NOTE(review): all pointer arithmetic below goes through DWORD and the patched
// slot is written with sizeof(DWORD); that only matches the IAT layout of a
// 32-bit process — confirm before building this for x64.
// Detection note: a patched slot no longer points into the exporting module,
// so integrity checks that compare each IAT entry against the exporting
// module's export table will flag entries rewritten this way.

// Copies nLength bytes from pSrc to pDec inside this process after temporarily
// making the page region that contains pDec writable.
// The region's current protection is captured through mbi_thunk.Protect (it is
// reused as the old-protection out-parameter of the first VirtualProtect) and
// restored afterwards; dwOldProtect only satisfies the second call's signature.
// NOTE(review): neither VirtualQuery nor VirtualProtect is checked; if the
// protection change fails, memcpy still runs and may fault on a read-only page.
void MyHook::_writeProcessMemorySystem(LPVOID pDec, LPVOID pSrc, UINT nLength) {
    MEMORY_BASIC_INFORMATION mbi_thunk;
    VirtualQuery(pDec, &mbi_thunk, sizeof(MEMORY_BASIC_INFORMATION)); // query the page region containing pDec
    VirtualProtect(mbi_thunk.BaseAddress, mbi_thunk.RegionSize, PAGE_READWRITE, &mbi_thunk.Protect); // make the region read/write; previous protection lands in mbi_thunk.Protect
    memcpy(pDec, pSrc, nLength);
    DWORD dwOldProtect;
    VirtualProtect(mbi_thunk.BaseAddress, mbi_thunk.RegionSize, mbi_thunk.Protect, &dwOldProtect); // restore the original protection
}

// Patches, in the module mapped at hBaseAddress, the import-table slot of
// strImportMod whose current value equals pHookApi->pOldFunc, replacing it
// with pHookApi->pNewFunc and recording the hook in Funs.
// Falls back to _hookAPIInDelayImportTable when strImportMod is not listed in
// the regular import directory.
// Returns TRUE when a slot was patched; FALSE when the address was not found.
// The early exits return NULL — same value as FALSE, but the wrong spelling
// for a BOOL result.
// NOTE(review): hBaseAddress must be the base of a module mapped in this
// process; the PE headers are read with no bounds checking beyond the two
// signature tests.
BOOL MyHook::_hookAPIInImageImportTable(HANDLE hBaseAddress, string strImportMod, HOOKAPI* pHookApi) {
    PIMAGE_DOS_HEADER pDosHeader = static_cast<PIMAGE_DOS_HEADER>(hBaseAddress);
    if(pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        return NULL;
    }
    // check that this is an NT (PE) image
    PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pDosHeader + (DWORD)(pDosHeader->e_lfanew));
    if(pNTHeader->Signature != IMAGE_NT_SIGNATURE) {
        return NULL;
    }
    // check that the image has an import directory at all
    if(pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress == 0) {
        return NULL;
    }
    // locate the first import descriptor
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)pDosHeader + (DWORD)(pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress));
    while(pImportDesc->Name) {
        // resolve the descriptor's module name and compare it case-insensitively
        PSTR szCurrMod = (PSTR)((DWORD)pDosHeader + (DWORD)(pImportDesc->Name));
        if(stricmp(szCurrMod, strImportMod.c_str()) == 0) {
            // found the requested module; stop here
            break;
        }
        pImportDesc++;
    }
    // not in the regular import table: try the delay-load import table instead
    if(pImportDesc->Name == NULL) {
        return _hookAPIInDelayImportTable(hBaseAddress, strImportMod, pHookApi);
    }
    // Earlier name-based variant, left disabled by the author. It walked
    // OriginalFirstThunk/FirstThunk in parallel and matched on the import name
    // instead of the address. The '/0' literal is reproduced as pasted; the
    // check presumably intended '\0'.
    /*
    PIMAGE_THUNK_DATA pOrigThunk = (PIMAGE_THUNK_DATA)((DWORD)hBaseAddress + (DWORD)(pImportDesc->OriginalFirstThunk)); // first thunk of OriginalFirstThunk
    PIMAGE_THUNK_DATA pRealThunk = (PIMAGE_THUNK_DATA)((DWORD)hBaseAddress + (DWORD)(pImportDesc->FirstThunk)); // first thunk of the IAT
    // walk the IAT and replace the function
    while(pOrigThunk->u1.Function) {
        // only entries imported by name carry a name to compare
        if((pOrigThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) != IMAGE_ORDINAL_FLAG) {
            // fetch the imported function's name
            PIMAGE_IMPORT_BY_NAME pByName = (PIMAGE_IMPORT_BY_NAME)((DWORD)hBaseAddress + (DWORD)(pOrigThunk->u1.AddressOfData));
            if(pByName->Name[0] == '/0') {
                return FALSE;
            }
            // is this the function we are looking for?
            if(stricmp(pHookApi->strFunctionName.c_str(), (char*)pByName->Name) == 0) {
                pHookApi->pOldFunc = (PROC)pRealThunk->u1.Function;
                _writeProcessMemorySystem((LPVOID)&(pRealThunk->u1.Function), (LPVOID)&(pHookApi->pNewFunc), sizeof(DWORD));
                Funs[pHookApi->strFunctionName] = *pHookApi;
            }
        }
        pOrigThunk++;
        pRealThunk++;
    }
    SetLastError(ERROR_SUCCESS);
    return TRUE;
    */
    PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)(((LPBYTE)hBaseAddress) + pImportDesc->FirstThunk);
    // walk the IAT looking for the slot that currently holds pOldFunc
    while(pThunk->u1.Function) {
        PDWORD lpAddr = (PDWORD)&(pThunk->u1.Function);
        if(*lpAddr == (DWORD)pHookApi->pOldFunc) {
            // found it: overwrite the slot with the replacement function and record the hook
            _writeProcessMemorySystem((LPVOID)&(pThunk->u1.Function), (LPVOID)&(pHookApi->pNewFunc), sizeof(DWORD));
            Funs[pHookApi->strFunctionName] = *pHookApi;
            return TRUE;
        }
        pThunk++;
    }
    return FALSE;
}

// Delay-load counterpart of _hookAPIInImageImportTable: locates the delay
// import descriptor for strImportMod via ImageDirectoryEntryToDataEx, then
// scans that descriptor's IAT for pHookApi->pOldFunc and patches it the same
// way. Returns FALSE when the image has no delay-import directory, the module
// is not listed, the descriptor does not use RVAs (dlattrRva clear), or the
// address is not present.
// NOTE(review): a delay-load slot is only populated once the import has been
// resolved; entries not yet called will not match pOldFunc — confirm this is
// the intended coverage.
BOOL MyHook::_hookAPIInDelayImportTable(HANDLE hBaseAddress, std::string strImportMod, MyHook::HOOKAPI *pHookApi) {
    DWORD dwSize = 0;
    PIMAGE_SECTION_HEADER pFoundHeader = NULL;
    PImgDelayDescr pImgDelayDescr = (PImgDelayDescr)ImageDirectoryEntryToDataEx(hBaseAddress , TRUE , IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT , &dwSize , &pFoundHeader );
    if(pImgDelayDescr == NULL) {
        return FALSE;
    }
    // find the descriptor whose DLL name matches strImportMod (case-insensitive)
    while (pImgDelayDescr->rvaDLLName) {
        if (_strcmpi((CHAR*)((PBYTE)hBaseAddress+pImgDelayDescr->rvaDLLName), strImportMod.c_str())== 0) {
            break;
        }
        ++pImgDelayDescr;
    }
    // module not delay-imported by this image
    if(!pImgDelayDescr->rvaDLLName) return FALSE;
    // obtain the delay-load IAT; only the RVA-based descriptor format is handled
    PIMAGE_THUNK_DATA pThunk = NULL;
    if( (pImgDelayDescr->grAttrs & dlattrRva) == 0 ) return FALSE;
    pThunk = (PIMAGE_THUNK_DATA)(((LPBYTE)hBaseAddress) + pImgDelayDescr->rvaIAT);
    // walk the IAT looking for the slot that currently holds pOldFunc
    while(pThunk->u1.Function) {
        PDWORD lpAddr = (PDWORD)&(pThunk->u1.Function);
        if(*lpAddr == (DWORD)pHookApi->pOldFunc) {
            // replace the slot and record the hook
            _writeProcessMemorySystem((LPVOID)&(pThunk->u1.Function), (LPVOID)&(pHookApi->pNewFunc), sizeof(DWORD));
            Funs[pHookApi->strFunctionName] = *pHookApi;
            return TRUE;
        }
        pThunk++;
    }
    return FALSE;
}

// Entry point: resolves the current address of strFunctionName exported by
// strImportMod into pHookApi->pOldFunc, then tries to patch the import tables
// of every module presently loaded in this process (EnumProcessModules on the
// current-process pseudo handle). Always returns TRUE.
// NOTE(review): GetModuleHandleA/GetProcAddress are not checked — if the module
// is not loaded or the export is missing, pOldFunc is unusable, no slot will
// match, and TRUE is still reported. Each _hookAPIInImageImportTable result is
// discarded as well.
// NOTE(review): the loop bound is cbNeeded, not min(cbNeeded, sizeof(hMods));
// when EnumProcessModules reports more than 1024 modules the loop reads past
// the end of hMods.
BOOL MyHook::hookAPIForAll(string strImportMod, HOOKAPI* pHookApi) {
    HMODULE hMods[1024] = {0};
    DWORD cbNeeded;
    pHookApi->pOldFunc = (PROC)(::GetProcAddress(::GetModuleHandleA(strImportMod.c_str()), pHookApi->strFunctionName.c_str()));
    HANDLE h = GetCurrentProcess(); // pseudo handle for the current process; no CloseHandle needed
    if( ::EnumProcessModules(h, hMods, sizeof(hMods), &cbNeeded)) {
        for ( UINT i = 0; i < (cbNeeded / sizeof(HMODULE)); i++ ) {
            _hookAPIInImageImportTable(hMods[i], strImportMod, pHookApi);
        }
    }
    return TRUE;
}
