Hook浏览器控件WebBrowser对WININET.dll的调用

此文章的代码可以从此处下载：http://www.codeproject.com/KB/shell/RetrieveHttponlyCookies.aspx

开发中经常使用到WebBrowser。WebBrowser控件编程控制起来很方面,好处不用说了。

但日前遇到一个问题，如何获取HTTP服务器页面返回的HTTP HEADER(不是DOM的head)?

比如说ASP.Net页面返回的SessionID，尝试通过DOM的 IHTMLDocument2::get_cookie 获取不到

浏览器控件并没有提供此类接口。那就HOOK吧。

HOOK winsock? HTTP协议不想去分析啊

通过Depends.exe查看mshtml.dll， 发现HTTP的时候使用了 WinInet.dll，WinInet.dll的升级版WinHttp.dll早出来了，不知M$怎么还在用WinInet.dll. 不过没关系，只要能够HOOK到 mshtml.dll 对 WinInet.dll 的调用，什么问题都解决了。HOOK WinInet.dll 还不需要去处理HTTP协议底层，多简单啊。

进程内HOOK是很简单的，不用考虑内存空间问题。HOOK一般分2种：inline hook和dispatch hook.

inline hook具有普适性，但dispatch hook具有robust性, (呃，这个词常被翻译成鲁棒性，健壮性就健壮性吧)

可爱的 SSDT GDT IDT HOOK都属于此类。那还是用后者吧。

扯远了，扯远了。在这里是HOOK IAT，IAT是导入函数表(Import Address Table)的缩写，对它的HOOK例子网上一抄一大把，原理就不细说了,废话都被说完了，看代码吧。

首先导入一些头文件和库文件，后面的代码要用

#include <WinInet.h> #pragma comment( lib, "WinInet.lib") #include <Dbghelp.h> #include <DelayImp.h> #pragma comment( lib, "Dbghelp.lib") #include <Psapi.h> #pragma comment( lib, "Psapi.lib")

如果你有DDK/WDK最好了，没有的话需要加入一点点定义,后面需要用到

typedef struct _STRING { USHORT Length; USHORT MaximumLength; PCHAR Buffer; } ANSI_STRING, *PANSI_STRING; typedef struct _LSA_UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; }LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING; typedef LONG NTSTATUS; #define STATUS_SUCCESS ((NTSTATUS)0x00000000L)

呃，为什么我要使用到一些内核中的结构？

一般的HOOK方式是HOOK Kernel32.dll 中的 LoadLibrar(Ex) 和 GetProcAddress 来检测动态加载的DLL以及通过函数指针方式的调用。

不过这里是HOOK NTDLL.DLL中的 LdrLoadDll 和 LdrGetProcedureAddress 。这2个API更彻底，LoadLibrar(Ex) 和 GetProcAddress 最终都是通过它们实现。NTDLL.DLL是Win32 SubSystem调用 Ring3 通往 Ring0 的最后一道门户，HOOK它更加彻底和保险。

所以这里要用到一点点内核中的结构。

现在最主要的问题是HOOK WinInet的调用，函数定义直接查MSDN就可以了。这里只HOOK的一部分的函数，根据需要你可以增加更多的函数。

首先定义函数指针

typedef NTSTATUS (WINAPI* PFN_LdrGetProcedureAddress)(IN HMODULE ModuleHandle, IN PANSI_STRING FunctionName OPTIONAL, IN WORD Oridinal OPTIONAL, OUT PVOID *FunctionAddress ); typedef NTSTATUS (WINAPI* PFN_LdrLoadDll)(IN PWCHAR PathToFile OPTIONAL, IN ULONG Flags OPTIONAL, IN PUNICODE_STRING ModuleFileName, OUT PHANDLE ModuleHandle); typedef BOOL (WINAPI* PFN_HttpSendRequestA)(HINTERNET hRequest, LPCSTR lpszHeaders, DWORD dwHeadersLength, LPVOID lpOptional, DWORD dwOptionalLength ); typedef BOOL (WINAPI* PFN_HttpSendRequestW)(HINTERNET hRequest, LPCWSTR lpszHeaders, DWORD dwHeadersLength, LPVOID lpOptional, DWORD dwOptionalLength ); typedef BOOL (WINAPI* PFN_HttpSendRequestExA)( __in HINTERNET hRequest, __in_opt LPINTERNET_BUFFERSA lpBuffersIn, __out_opt LPINTERNET_BUFFERSA lpBuffersOut, __in DWORD dwFlags, __in_opt DWORD_PTR dwContext); typedef BOOL (WINAPI* PFN_HttpSendRequestExW)( __in HINTERNET hRequest, __in_opt LPINTERNET_BUFFERSW lpBuffersIn, __out_opt LPINTERNET_BUFFERSW lpBuffersOut, __in DWORD dwFlags, __in_opt DWORD_PTR dwContext); typedef BOOL (WINAPI* PFN_HttpEndRequestA)( __in HINTERNET hRequest, __out_opt LPINTERNET_BUFFERSA lpBuffersOut, __in DWORD dwFlags, __in_opt DWORD_PTR dwContext); typedef BOOL (WINAPI* PFN_HttpEndRequestW)( __in HINTERNET hRequest, __out_opt LPINTERNET_BUFFERSW lpBuffersOut, __in DWORD dwFlags, __in_opt DWORD_PTR dwContext); typedef HINTERNET (WINAPI* PFN_HttpOpenRequestA)(__in HINTERNET hConnect,__in_opt LPCSTR lpszVerb, __in_opt LPCSTR lpszObjectName, __in_opt LPCSTR lpszVersion, __in_opt LPCSTR lpszReferrer, __in_z_opt LPCSTR FAR * lplpszAcceptTypes, __in DWORD dwFlags, __in_opt DWORD_PTR dwContext); typedef HINTERNET (WINAPI* PFN_HttpOpenRequestW)(__in HINTERNET hConnect,__in_opt LPCWSTR lpszVerb,__in_opt LPCWSTR lpszObjectName,__in_opt LPCWSTR lpszVersion,__in_opt LPCWSTR lpszReferrer,__in_z_opt LPCWSTR FAR * lplpszAcceptTypes,__in DWORD dwFlags, __in_opt DWORD_PTR dwContext); typedef HINTERNET (WINAPI* PFN_InternetConnectA)(__in HINTERNET hInternet,__in LPCSTR lpszServerName,__in INTERNET_PORT nServerPort,__in_opt LPCSTR lpszUserName,__in_opt LPCSTR lpszPassword,__in DWORD dwService,__in DWORD dwFlags,__in_opt DWORD_PTR dwContext); typedef HINTERNET (WINAPI* PFN_InternetConnectW)(__in HINTERNET hInternet,__in LPCWSTR lpszServerName,__in INTERNET_PORT nServerPort,__in_opt LPCWSTR lpszUserName,__in_opt LPCWSTR lpszPassword,__in DWORD dwService,__in DWORD dwFlags,__in_opt DWORD_PTR dwContext); typedef BOOL (WINAPI* PFN_HttpAddRequestHeadersA)(__in HINTERNET hRequest,__in_ecount(dwHeadersLength) LPCSTR lpszHeaders,__in DWORD dwHeadersLength,__in DWORD dwModifiers); typedef BOOL (WINAPI* PFN_HttpAddRequestHeadersW)(__in HINTERNET hRequest,__in_ecount(dwHeadersLength) LPCWSTR lpszHeaders,__in DWORD dwHeadersLength,__in DWORD dwModifiers);

变量定义起来：

class CHookWinHttp { public: CHookWinHttp(void); ~CHookWinHttp(void); private: // 保存真实的函数地址 static PFN_LdrLoadDll s_pfnLdrLoadDll; static PFN_LdrGetProcedureAddress s_pfnLdrGetProcedureAddress; static PFN_HttpSendRequestA s_pfnHttpSendRequestA; static PFN_HttpSendRequestW s_pfnHttpSendRequestW; static PFN_HttpSendRequestExA s_pfnHttpSendRequestExA; static PFN_HttpSendRequestExW s_pfnHttpSendRequestExW; static PFN_HttpEndRequestA s_pfnHttpEndRequestA; static PFN_HttpEndRequestW s_pfnHttpEndRequestW; static PFN_HttpOpenRequestA s_pfnHttpOpenRequestA; static PFN_HttpOpenRequestW s_pfnHttpOpenRequestW; static PFN_InternetConnectA s_pfnInternetConnectA; static PFN_InternetConnectW s_pfnInternetConnectW; static PFN_HttpAddRequestHeadersA s_pfnHttpAddRequestHeadersA; static PFN_HttpAddRequestHeadersW s_pfnHttpAddRequestHeadersW; // 加入的替换函数 static NTSTATUS WINAPI _LdrLoadDll(IN PWCHAR PathToFile OPTIONAL, IN ULONG Flags OPTIONAL, IN PUNICODE_STRING ModuleFileName, OUT PHANDLE ModuleHandle); static NTSTATUS WINAPI _LdrGetProcedureAddress(IN HMODULE ModuleHandle, IN PANSI_STRING FunctionName OPTIONAL, IN WORD Oridinal OPTIONAL, OUT PVOID *FunctionAddress ); static BOOL WINAPI _HttpSendRequestA(HINTERNET hRequest, LPCSTR lpszHeaders, DWORD dwHeadersLength, LPVOID lpOptional, DWORD dwOptionalLength ); static BOOL WINAPI _HttpSendRequestW(HINTERNET hRequest, LPCWSTR lpszHeaders, DWORD dwHeadersLength, LPVOID lpOptional, DWORD dwOptionalLength ); static BOOL WINAPI _HttpSendRequestExA( __in HINTERNET hRequest, __in_opt LPINTERNET_BUFFERSA lpBuffersIn, __out_opt LPINTERNET_BUFFERSA lpBuffersOut, __in DWORD dwFlags, __in_opt DWORD_PTR dwContext); static BOOL WINAPI _HttpSendRequestExW( __in HINTERNET hRequest, __in_opt LPINTERNET_BUFFERSW lpBuffersIn, __out_opt LPINTERNET_BUFFERSW lpBuffersOut, __in DWORD dwFlags, __in_opt DWORD_PTR dwContext); static BOOL WINAPI _HttpEndRequestA( __in HINTERNET hRequest, __out_opt LPINTERNET_BUFFERSA lpBuffersOut, __in DWORD dwFlags, __in_opt DWORD_PTR dwContext); static BOOL WINAPI _HttpEndRequestW( __in HINTERNET hRequest, __out_opt LPINTERNET_BUFFERSW lpBuffersOut, __in DWORD dwFlags, __in_opt DWORD_PTR dwContext); static HINTERNET WINAPI _HttpOpenRequestA(__in HINTERNET hConnect,__in_opt LPCSTR lpszVerb, __in_opt LPCSTR lpszObjectName, __in_opt LPCSTR lpszVersion, __in_opt LPCSTR lpszReferrer, __in_z_opt LPCSTR FAR * lplpszAcceptTypes, __in DWORD dwFlags, __in_opt DWORD_PTR dwContext); static HINTERNET WINAPI _HttpOpenRequestW(__in HINTERNET hConnect,__in_opt LPCWSTR lpszVerb,__in_opt LPCWSTR lpszObjectName,__in_opt LPCWSTR lpszVersion,__in_opt LPCWSTR lpszReferrer,__in_z_opt LPCWSTR FAR * lplpszAcceptTypes,__in DWORD dwFlags, __in_opt DWORD_PTR dwContext); static HINTERNET WINAPI _InternetConnectA(__in HINTERNET hInternet,__in LPCSTR lpszServerName,__in INTERNET_PORT nServerPort,__in_opt LPCSTR lpszUserName,__in_opt LPCSTR lpszPassword,__in DWORD dwService,__in DWORD dwFlags,__in_opt DWORD_PTR dwContext); static HINTERNET WINAPI _InternetConnectW(__in HINTERNET hInternet,__in LPCWSTR lpszServerName,__in INTERNET_PORT nServerPort,__in_opt LPCWSTR lpszUserName,__in_opt LPCWSTR lpszPassword,__in DWORD dwService,__in DWORD dwFlags,__in_opt DWORD_PTR dwContext); static BOOL WINAPI _HttpAddRequestHeadersA(__in HINTERNET hRequest,__in_ecount(dwHeadersLength) LPCSTR lpszHeaders,__in DWORD dwHeadersLength,__in DWORD dwModifiers); static BOOL WINAPI _HttpAddRequestHeadersW(__in HINTERNET hRequest,__in_ecount(dwHeadersLength) LPCWSTR lpszHeaders,__in DWORD dwHeadersLength,__in DWORD dwModifiers); };

初始化以及转接函数如下：

#include "StdAfx.h" #include "HookWinHttp.h" // 静态变量初始化 PFN_LdrLoadDll CHookWinHttp::s_pfnLdrLoadDll = NULL; PFN_LdrGetProcedureAddress CHookWinHttp::s_pfnLdrGetProcedureAddress = NULL; // 保存函数真实地址 PFN_HttpSendRequestA CHookWinHttp::s_pfnHttpSendRequestA = HttpSendRequestA; PFN_HttpSendRequestW CHookWinHttp::s_pfnHttpSendRequestW = HttpSendRequestW; PFN_HttpAddRequestHeadersA CHookWinHttp::s_pfnHttpAddRequestHeadersA = HttpAddRequestHeadersA; PFN_HttpAddRequestHeadersW CHookWinHttp::s_pfnHttpAddRequestHeadersW = HttpAddRequestHeadersW; PFN_HttpSendRequestExA CHookWinHttp::s_pfnHttpSendRequestExA = HttpSendRequestExA; PFN_HttpSendRequestExW CHookWinHttp::s_pfnHttpSendRequestExW = HttpSendRequestExW; PFN_HttpEndRequestA CHookWinHttp::s_pfnHttpEndRequestA = HttpEndRequestA; PFN_HttpEndRequestW CHookWinHttp::s_pfnHttpEndRequestW = HttpEndRequestW; PFN_HttpOpenRequestA CHookWinHttp::s_pfnHttpOpenRequestA = HttpOpenRequestA; PFN_HttpOpenRequestW CHookWinHttp::s_pfnHttpOpenRequestW = HttpOpenRequestW; PFN_InternetConnectA CHookWinHttp::s_pfnInternetConnectA = InternetConnectA; PFN_InternetConnectW CHookWinHttp::s_pfnInternetConnectW = InternetConnectW; CHookWinHttp::CHookWinHttp(void) { s_pfnLdrLoadDll = (PFN_LdrLoadDll)::GetProcAddress( ::GetModuleHandle(_T("NTDLL.DLL")), "LdrLoadDll"); s_pfnLdrGetProcedureAddress = (PFN_LdrGetProcedureAddress)::GetProcAddress( ::GetModuleHandle(_T("NTDLL.DLL")), "LdrGetProcedureAddress"); if( !s_pfnLdrLoadDll || !s_pfnLdrGetProcedureAddress ) return; // ReplaceIATEntryForAll 的定义在后面 ReplaceIATEntryForAll( "NTDLL.DLL", s_pfnLdrLoadDll, &CHookWinHttp::_LdrLoadDll); ReplaceIATEntryForAll( "NTDLL.DLL", s_pfnLdrGetProcedureAddress, &CHookWinHttp::_LdrGetProcedureAddress); ReplaceIATEntryForAll( "WININET.DLL", s_pfnHttpSendRequestA, &CHookWinHttp::_HttpSendRequestA); ReplaceIATEntryForAll( "WININET.DLL", s_pfnHttpSendRequestW, &CHookWinHttp::_HttpSendRequestW); ReplaceIATEntryForAll( "WININET.DLL", s_pfnHttpAddRequestHeadersA, &CHookWinHttp::_HttpAddRequestHeadersA); ReplaceIATEntryForAll( "WININET.DLL", s_pfnHttpAddRequestHeadersW, &CHookWinHttp::_HttpAddRequestHeadersW); ReplaceIATEntryForAll( "WININET.DLL", s_pfnHttpSendRequestExA, &CHookWinHttp::_HttpSendRequestExA); ReplaceIATEntryForAll( "WININET.DLL", s_pfnHttpSendRequestExW, &CHookWinHttp::_HttpSendRequestExW); ReplaceIATEntryForAll( "WININET.DLL", s_pfnHttpEndRequestA, &CHookWinHttp::_HttpEndRequestA); ReplaceIATEntryForAll( "WININET.DLL", s_pfnHttpSendRequestExW, &CHookWinHttp::_HttpSendRequestExW); ReplaceIATEntryForAll( "WININET.DLL", s_pfnHttpEndRequestA, &CHookWinHttp::_HttpEndRequestA); ReplaceIATEntryForAll( "WININET.DLL", s_pfnHttpEndRequestW, &CHookWinHttp::_HttpEndRequestW); ReplaceIATEntryForAll( "WININET.DLL", s_pfnHttpOpenRequestA, &CHookWinHttp::_HttpOpenRequestA); ReplaceIATEntryForAll( "WININET.DLL", s_pfnHttpOpenRequestW, &CHookWinHttp::_HttpOpenRequestW); ReplaceIATEntryForAll( "WININET.DLL", s_pfnInternetConnectA, &CHookWinHttp::_InternetConnectA); ReplaceIATEntryForAll( "WININET.DLL", s_pfnInternetConnectW, &CHookWinHttp::_InternetConnectW); } CHookWinHttp::~CHookWinHttp(void) { } static CHookWinHttp g_oHook; // // 下面都是转接函数，这里什么都不做。 // BOOL WINAPI CHookWinHttp::_HttpSendRequestA(HINTERNET hRequest, LPCSTR lpszHeaders, DWORD dwHeadersLength, LPVOID lpOptional, DWORD dwOptionalLength ) { return s_pfnHttpSendRequestA( hRequest, lpszHeaders, dwHeadersLength, lpOptional, dwOptionalLength); } BOOL WINAPI CHookWinHttp::_HttpSendRequestW(HINTERNET hRequest, LPCWSTR lpszHeaders, DWORD dwHeadersLength, LPVOID lpOptional, DWORD dwOptionalLength ) { return s_pfnHttpSendRequestW( hRequest, lpszHeaders, dwHeadersLength, lpOptional, dwOptionalLength); } BOOL WINAPI CHookWinHttp::_HttpAddRequestHeadersA(__in HINTERNET hRequest,__in_ecount(dwHeadersLength) LPCSTR lpszHeaders,__in DWORD dwHeadersLength,__in DWORD dwModifiers) { return s_pfnHttpAddRequestHeadersA( hRequest, lpszHeaders, dwHeadersLength, dwModifiers); } BOOL WINAPI CHookWinHttp::_HttpAddRequestHeadersW(__in HINTERNET hRequest,__in_ecount(dwHeadersLength) LPCWSTR lpszHeaders,__in DWORD dwHeadersLength,__in DWORD dwModifiers) { return s_pfnHttpAddRequestHeadersW( hRequest, lpszHeaders, dwHeadersLength, dwModifiers); } BOOL WINAPI CHookWinHttp::_HttpSendRequestExA( __in HINTERNET hRequest, __in_opt LPINTERNET_BUFFERSA lpBuffersIn, __out_opt LPINTERNET_BUFFERSA lpBuffersOut, __in DWORD dwFlags, __in_opt DWORD_PTR dwContext) { return s_pfnHttpSendRequestExA( hRequest, lpBuffersIn, lpBuffersOut, dwFlags, dwContext); } BOOL WINAPI CHookWinHttp::_HttpSendRequestExW( __in HINTERNET hRequest, __in_opt LPINTERNET_BUFFERSW lpBuffersIn, __out_opt LPINTERNET_BUFFERSW lpBuffersOut, __in DWORD dwFlags, __in_opt DWORD_PTR dwContext) { return s_pfnHttpSendRequestExW( hRequest, lpBuffersIn, lpBuffersOut, dwFlags, dwContext); } BOOL WINAPI CHookWinHttp::_HttpEndRequestA( __in HINTERNET hRequest, __out_opt LPINTERNET_BUFFERSA lpBuffersOut, __in DWORD dwFlags, __in_opt DWORD_PTR dwContext) { return s_pfnHttpEndRequestA( hRequest, lpBuffersOut, dwFlags, dwContext); } BOOL WINAPI CHookWinHttp::_HttpEndRequestW( __in HINTERNET hRequest, __out_opt LPINTERNET_BUFFERSW lpBuffersOut, __in DWORD dwFlags, __in_opt DWORD_PTR dwContext) { return s_pfnHttpEndRequestW( hRequest, lpBuffersOut, dwFlags, dwContext); } HINTERNET WINAPI CHookWinHttp::_HttpOpenRequestA(__in HINTERNET hConnect,__in_opt LPCSTR lpszVerb, __in_opt LPCSTR lpszObjectName, __in_opt LPCSTR lpszVersion, __in_opt LPCSTR lpszReferrer, __in_z_opt LPCSTR FAR * lplpszAcceptTypes, __in DWORD dwFlags, __in_opt DWORD_PTR dwContext) { return s_pfnHttpOpenRequestA( hConnect, lpszVerb, lpszObjectName, lpszVersion, lpszReferrer, lplpszAcceptTypes, dwFlags, dwContext); } HINTERNET WINAPI CHookWinHttp::_HttpOpenRequestW(__in HINTERNET hConnect,__in_opt LPCWSTR lpszVerb,__in_opt LPCWSTR lpszObjectName,__in_opt LPCWSTR lpszVersion,__in_opt LPCWSTR lpszReferrer,__in_z_opt LPCWSTR FAR * lplpszAcceptTypes,__in DWORD dwFlags, __in_opt DWORD_PTR dwContext) { return s_pfnHttpOpenRequestW( hConnect, lpszVerb, lpszObjectName, lpszVersion, lpszReferrer, lplpszAcceptTypes, dwFlags, dwContext); } HINTERNET WINAPI CHookWinHttp::_InternetConnectA(__in HINTERNET hInternet,__in LPCSTR lpszServerName,__in INTERNET_PORT nServerPort,__in_opt LPCSTR lpszUserName,__in_opt LPCSTR lpszPassword,__in DWORD dwService,__in DWORD dwFlags,__in_opt DWORD_PTR dwContext) { return s_pfnInternetConnectA( hInternet, lpszServerName, nServerPort, lpszUserName, lpszPassword, dwService, dwFlags, dwContext); } HINTERNET WINAPI CHookWinHttp::_InternetConnectW(__in HINTERNET hInternet,__in LPCWSTR lpszServerName,__in INTERNET_PORT nServerPort,__in_opt LPCWSTR lpszUserName,__in_opt LPCWSTR lpszPassword,__in DWORD dwService,__in DWORD dwFlags,__in_opt DWORD_PTR dwContext) { return s_pfnInternetConnectW( hInternet, lpszServerName, nServerPort, lpszUserName, lpszPassword, dwService, dwFlags, dwContext); }

终于到了最核心的部分了。

// 遍历进程所有模块，并依次查找相应模块的函数 void CHookWinHttp::ReplaceIATEntryForAll(LPCSTR lpszDllName, LPVOID pfnCurrent, LPVOID pfnNew) { HMODULE hMods[1024] = {0}; DWORD cbNeeded; HANDLE hProcess = ::GetCurrentProcess(); if( ::EnumProcessModules( hProcess, hMods, sizeof(hMods), &cbNeeded)) { for ( UINT i = 0; i < (cbNeeded / sizeof(HMODULE)); i++ ) { /* TCHAR szModName[MAX_PATH] = {0}; GetModuleFileNameEx( hProcess , hMods[i] , szModName , sizeof(szModName)/sizeof(TCHAR)) );*/ ReplaceIATEntryInImageImportTable( hMods[i] , lpszDllName , pfnCurrent , pfnNew ); } } } // 查找 IMAGE_IMPORT_DESCRIPTOR 中需要挂接的函数然后挂件 BOOL CHookWinHttp::ReplaceIATEntryInImageImportTable( HANDLE hBaseAddress , LPCSTR lpszDllName , LPVOID pfnCurrent , LPVOID pfnNew ) { ASSERT(hBaseAddress && lpszDllName && pfnCurrent && pfnNew ); // 获取 IMAGE_IMPORT_DESCRIPTOR DWORD dwSize = 0; PIMAGE_SECTION_HEADER pFoundHeader = NULL; PIMAGE_IMPORT_DESCRIPTOR pImgImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToDataEx( hBaseAddress , TRUE , IMAGE_DIRECTORY_ENTRY_IMPORT , &dwSize , &pFoundHeader ); if( pImgImportDescriptor == NULL ){ return FALSE; } while (pImgImportDescriptor->Name) { if ( _strcmpi((CHAR*)((PBYTE)hBaseAddress+pImgImportDescriptor->Name), lpszDllName) == 0 ) { break; // 找到 } ++pImgImportDescriptor; } // 这里需要特别注意!!!! // 如果在IMAGE_DIRECTORY_ENTRY_IMPORT找不到，这尝试在IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT中找 // mshtml.dll就是使用了延迟加载的。如果不这样会挂钩不上。 if( !pImgImportDescriptor->Name ) return ReplaceIATEntryInDelayImageImportTable( hBaseAddress, lpszDllName, pfnCurrent, pfnNew); // 获取 IAT PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)(((LPBYTE)hBaseAddress) + pImgImportDescriptor->FirstThunk); // 循环IAT查找 while(pThunk->u1.Function) { PDWORD lpAddr = (PDWORD)&(pThunk->u1.Function); if(*lpAddr == (DWORD)pfnCurrent) { // 找到并修改地址为转接函数 ::WriteProcessMemory(::GetCurrentProcess() , lpAddr , &pfnNew , sizeof(DWORD) , NULL ); return TRUE; } pThunk++; } return FALSE; } // 此函数 在延迟加载DLL节中查找 目标 BOOL CHookWinHttp::ReplaceIATEntryInDelayImageImportTable( HANDLE hBaseAddress , LPCSTR lpszDllName , LPVOID pfnCurrent , LPVOID pfnNew ) { ASSERT(hBaseAddress && lpszDllName && pfnCurrent && pfnNew ); // 获取 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT DWORD dwSize = 0; PIMAGE_SECTION_HEADER pFoundHeader = NULL; PImgDelayDescr pImgDelayDescr = (PImgDelayDescr)ImageDirectoryEntryToDataEx( hBaseAddress , TRUE , IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT , &dwSize , &pFoundHeader ); if( pImgDelayDescr == NULL ){ return FALSE; } while (pImgDelayDescr->rvaDLLName) { if ( _strcmpi((CHAR*)((PBYTE)hBaseAddress+pImgDelayDescr->rvaDLLName), lpszDllName) == 0 ) { break; } ++pImgDelayDescr; } // 找不到此模块 if( !pImgDelayDescr->rvaDLLName ) return FALSE; // 获取 IAT PIMAGE_THUNK_DATA pThunk = NULL; if( (pImgDelayDescr->grAttrs & dlattrRva) == 0 ) return FALSE; pThunk = (PIMAGE_THUNK_DATA)(((LPBYTE)hBaseAddress) + pImgDelayDescr->rvaIAT); // 循环IAT查找 while(pThunk->u1.Function) { PDWORD lpAddr = (PDWORD)&(pThunk->u1.Function); if(*lpAddr == (DWORD)pfnCurrent) { // 替换 ::WriteProcessMemory(::GetCurrentProcess() , lpAddr , &pfnNew , sizeof(DWORD) , NULL ); return TRUE; } pThunk++; } return FALSE; } // 所有动态加载的DLL，都需要对IAT处理一次 NTSTATUS WINAPI CHookWinHttp::_LdrLoadDll(IN PWCHAR PathToFile OPTIONAL, IN ULONG Flags OPTIONAL, IN PUNICODE_STRING ModuleFileName, OUT PHANDLE ModuleHandle) { NTSTATUS ntStatus = s_pfnLdrLoadDll( PathToFile, Flags, ModuleFileName, ModuleHandle); if( ntStatus == STATUS_SUCCESS && (Flags & LOAD_LIBRARY_AS_DATAFILE) == 0 ) { HANDLE hDll = *ModuleHandle; ReplaceIATEntryInImageImportTable( hDll, "NTDLL.DLL", s_pfnLdrLoadDll, &CHookWinHttp::_LdrLoadDll); ReplaceIATEntryInImageImportTable( hDll, "NTDLL.DLL", s_pfnLdrGetProcedureAddress, &CHookWinHttp::_LdrGetProcedureAddress); ReplaceIATEntryInImageImportTable( hDll, "WININET.DLL", s_pfnHttpSendRequestA, &CHookWinHttp::_HttpSendRequestA); ReplaceIATEntryInImageImportTable( hDll, "WININET.DLL", s_pfnHttpSendRequestW, &CHookWinHttp::_HttpSendRequestW); ReplaceIATEntryInImageImportTable( hDll, "WININET.DLL", s_pfnHttpAddRequestHeadersA, &CHookWinHttp::_HttpAddRequestHeadersA); ReplaceIATEntryInImageImportTable( hDll, "WININET.DLL", s_pfnHttpAddRequestHeadersW, &CHookWinHttp::_HttpAddRequestHeadersW); ReplaceIATEntryInImageImportTable( hDll, "WININET.DLL", s_pfnHttpSendRequestExA, &CHookWinHttp::_HttpSendRequestExA); ReplaceIATEntryInImageImportTable( hDll, "WININET.DLL", s_pfnHttpSendRequestExW, &CHookWinHttp::_HttpSendRequestExW); ReplaceIATEntryInImageImportTable( hDll, "WININET.DLL", s_pfnHttpEndRequestA, &CHookWinHttp::_HttpEndRequestA); ReplaceIATEntryInImageImportTable( hDll, "WININET.DLL", s_pfnHttpSendRequestExW, &CHookWinHttp::_HttpSendRequestExW); ReplaceIATEntryInImageImportTable( hDll, "WININET.DLL", s_pfnHttpEndRequestA, &CHookWinHttp::_HttpEndRequestA); ReplaceIATEntryInImageImportTable( hDll, "WININET.DLL", s_pfnHttpEndRequestW, &CHookWinHttp::_HttpEndRequestW); ReplaceIATEntryInImageImportTable( hDll, "WININET.DLL", s_pfnHttpOpenRequestA, &CHookWinHttp::_HttpOpenRequestA); ReplaceIATEntryInImageImportTable( hDll, "WININET.DLL", s_pfnHttpOpenRequestW, &CHookWinHttp::_HttpOpenRequestW); ReplaceIATEntryInImageImportTable( hDll, "WININET.DLL", s_pfnInternetConnectA, &CHookWinHttp::_InternetConnectA); ReplaceIATEntryInImageImportTable( hDll, "WININET.DLL", s_pfnInternetConnectW, &CHookWinHttp::_InternetConnectW); } return ntStatus; } // 如果是动态获取地址，则返回转接函数地址 NTSTATUS WINAPI CHookWinHttp::_LdrGetProcedureAddress(IN HMODULE ModuleHandle, IN PANSI_STRING FunctionName OPTIONAL, IN WORD Oridinal OPTIONAL, OUT PVOID *FunctionAddress ) { NTSTATUS ntStatus = s_pfnLdrGetProcedureAddress( ModuleHandle, FunctionName, Oridinal, FunctionAddress); if( ntStatus == STATUS_SUCCESS ) { TCHAR tszPath[MAX_PATH] = {0}; if( GetModuleFileName( ModuleHandle, tszPath, MAX_PATH) ) { CString strFile(tszPath); int nFind = strFile.ReverseFind('\\'); if( nFind > 0 ) strFile = strFile.Mid(nFind+1); if( strFile.CompareNoCase(_T("WININET.dll")) == 0 ) { CHAR szFunName[1024] = {0}; memcpy( szFunName, FunctionName->Buffer, FunctionName->Length ); if( strcmp( szFunName, "HttpSendRequestA") == 0 ) { if( !s_pfnHttpSendRequestA ) { s_pfnHttpSendRequestA = (PFN_HttpSendRequestA)(*FunctionAddress); } *FunctionAddress = s_pfnHttpSendRequestA; } else if( strcmp( szFunName, "HttpSendRequestW") == 0 ) { if( !s_pfnHttpSendRequestW ) { s_pfnHttpSendRequestW = (PFN_HttpSendRequestW)(*FunctionAddress); } *FunctionAddress = s_pfnHttpSendRequestW; } else if( strcmp( szFunName, "HttpAddRequestHeadersA") == 0 ) { if( !s_pfnHttpAddRequestHeadersA ) { s_pfnHttpAddRequestHeadersA = (PFN_HttpAddRequestHeadersA)(*FunctionAddress); } *FunctionAddress = s_pfnHttpAddRequestHeadersA; } else if( strcmp( szFunName, "HttpAddRequestHeadersW") == 0 ) { if( !s_pfnHttpAddRequestHeadersW ) { s_pfnHttpAddRequestHeadersW = (PFN_HttpAddRequestHeadersW)(*FunctionAddress); } *FunctionAddress = s_pfnHttpAddRequestHeadersW; } else if // 后面的好长啊， 应该用点设计把这段简化下， 后面就省略吧， } } } return ntStatus; }

唯一需要注意的事：挂接IAT需要到 IMAGE_IMPORT_DESCRIPTOR 和 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 两个地方查找。

此代码可以扩展用来在浏览器底层去做到网络方面很细节的控制。