EAT/IAT Hook-白红宇

EAT/IAT Hook

阅读量：5126 次

发布时间：2019-06-13

本文共 3286 字，大约阅读时间需要 10 分钟。

标题: EAT/IAT Hook

作者: Y4ng

时间: 2013-08-21

链接:

#include 
     
      #include 
      
       #include 
       
        DWORD MyZwGetContextThread(HANDLE Thread,LPCONTEXT lpContext){  memset(lpContext,0,sizeof(CONTEXT));  return 0;}DWORD MyZwSetContextThread(HANDLE Thread,LPCONTEXT lpContext){  memset(lpContext,0,sizeof(CONTEXT));  return 0;}/**********************************************************IAT Hook :挂钩目标输入表中的函数地址参数:char *szDLLName 函数所在的DLLchar *szName    函数名字void *Addr      新函数地址***********************************************************/DWORD IATHook(char *szDLLName,char *szName,void *Addr){  DWORD Protect;  HMODULE hMod=LoadLibrary(szDLLName);  DWORD RealAddr=(DWORD)GetProcAddress(hMod,szName);  hMod=GetModuleHandle(NULL);    IMAGE_DOS_HEADER * DosHeader   =(PIMAGE_DOS_HEADER)hMod;    IMAGE_OPTIONAL_HEADER * Opthdr =(PIMAGE_OPTIONAL_HEADER)((DWORD)hMod+DosHeader->e_lfanew+24);    IMAGE_IMPORT_DESCRIPTOR *pImport =(IMAGE_IMPORT_DESCRIPTOR*)((BYTE*)DosHeader+Opthdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);                                               if(pImport==NULL)    {        return FALSE;    }     IMAGE_THUNK_DATA32 *Pthunk=(IMAGE_THUNK_DATA32*)((DWORD)hMod+pImport->FirstThunk);  while(Pthunk->u1.Function)  {    if(RealAddr==Pthunk->u1.Function)    {      VirtualProtect(&Pthunk->u1.Function,0x1000,PAGE_READWRITE,&Protect);      Pthunk->u1.Function=(DWORD)Addr;      break;    }    Pthunk++;  }  return TRUE;}/**********************************************************EAT Hook :挂钩目标输出表中的函数地址***********************************************************/BOOL EATHook(char *szDLLName,char *szFunName,DWORD NewFun){  DWORD addr=0;  DWORD index=0;  HMODULE hMod=LoadLibrary(szDLLName);    DWORD Protect;    IMAGE_DOS_HEADER * DosHeader   =(PIMAGE_DOS_HEADER)hMod;    IMAGE_OPTIONAL_HEADER * Opthdr =(PIMAGE_OPTIONAL_HEADER)((DWORD)hMod+DosHeader->e_lfanew+24);    PIMAGE_EXPORT_DIRECTORY Export =(PIMAGE_EXPORT_DIRECTORY)((BYTE*)DosHeader+ Opthdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);    PULONG pAddressOfFunctions     =(ULONG*)((BYTE*)hMod+Export->AddressOfFunctions);     PULONG pAddressOfNames         =(ULONG*)((BYTE*)hMod+Export->AddressOfNames);     PUSHORT  pAddressOfNameOrdinals=(USHORT*)((BYTE*)hMod+Export->AddressOfNameOrdinals);     for (int i=0;i 
        
         NumberOfNames; i++)     {        index=pAddressOfNameOrdinals[i];        char *pFuncName = (char*)( (BYTE*)hMod + pAddressOfNames[i]);        if (_stricmp( (char*)pFuncName,szFunName) == 0)        {            addr=pAddressOfFunctions[index];            break;        }    }  VirtualProtect(&pAddressOfFunctions[index],0x1000,PAGE_READWRITE,&Protect);    pAddressOfFunctions[index] =(DWORD)NewFun - (DWORD)hMod;  return TRUE;}BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, PVOID pvReserved){  if (dwReason == DLL_PROCESS_ATTACH)  {    DisableThreadLibraryCalls(hModule);    IATHook("kernel32.dll","ExitProcess",MyZwGetContextThread);    //GetProcAddress(LoadLibrary("ntdll.dll"),"NtSetInformationFile");         /** Test EAT HOOK **/    //ExitThread(0);                                                           /** Test IAT HOOK**/  }  return TRUE;}