// 03 IATHook remote-thread injector.cpp : defines the entry point for the console application.
//
#include "stdafx.h"
#include <windows.h>

/*
 * Console entry point. Loads IATHook.dll into one other process through the
 * OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread(LoadLibraryA)
 * sequence, which is also the API pattern endpoint monitoring commonly flags.
 *
 * argc/argv are unused: the target PID (3812) and the DLL path are compile-time
 * constants, so the program must be rebuilt for a different target.
 * No return value of any Win32 call is checked, and neither the process handle nor
 * the remote thread handle is ever closed. Always returns 0.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    //1 Get a handle to the process that will be injected into.
    // NOTE(review): hProcess is not checked for NULL; if OpenProcess fails (PID gone,
    // access denied) every call below fails silently.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 3812);
    //2 Write the path of the DLL to inject into the target's address space.
    //2.1 First allocate a block there.
    // NOTE(review): 50 bytes is a fixed size unrelated to the length of the string
    // written below; pMem is not checked for NULL either.
    LPVOID pMem = VirtualAllocEx(hProcess, NULL, 50, MEM_COMMIT, PAGE_READWRITE);
    //2.2 Copy the path string, including its terminating NUL (hence strlen(...) + 1).
    // NOTE(review): the literal contains single backslashes ("\P", "\W", "\D", "\I"),
    // which are not valid escape sequences; they were presumably "\\" in the original
    // file and lost a character in formatting -- confirm against the source file.
    SIZE_T Num = 0;
    WriteProcessMemory(hProcess, pMem, "D:\Project\Win原理第八天\Debug\IATHook.dll", strlen("D:\Project\Win原理第八天\Debug\IATHook.dll") + 1, &Num);
    // Resolve LoadLibraryA in this process. The address is handed to the remote thread
    // unchanged, so the code relies on kernel32 being mapped at the same base there.
    LPVOID pLoadLibrary = GetProcAddress(GetModuleHandle(L"Kernel32.dll"), "LoadLibraryA");
    // Run LoadLibraryA(pMem) on a new thread inside the target. The returned thread
    // handle is dropped, and NULL is passed for the DWORD stack-size and
    // creation-flags arguments (equivalent to 0).
    CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)pLoadLibrary, pMem, NULL, NULL);
    return 0;
}
// dllmain.cpp : defines the entry point for the DLL application.
#include "stdafx.h"
#include "stdio.h"

// Original IAT value for MessageBoxA, filled in by HookIAT and used by MyMessageBoxA
// to call through. Stays 0 until the hook is installed. A DWORD, so 32-bit only.
DWORD g_oldAddress = 0;

// Function-pointer type with MessageBoxA's signature; g_oldAddress is cast to it.
typedef int (WINAPI*MYMESSAGE)(
    _In_opt_ HWND hWnd,
    _In_opt_ LPCSTR lpText,
    _In_opt_ LPCSTR lpCaption,
    _In_ UINT uType);

/*
 * Replacement for MessageBoxA installed in the host's IAT.
 * Ignores the caller's lpText, substitutes the fixed string "hehe", and forwards
 * the remaining arguments to the original function via g_oldAddress, returning
 * its result.
 *
 * NOTE(review): the 10-byte buffer allocated with new[] is never freed, so every
 * call leaks it.
 * NOTE(review): if this runs before HookIAT has stored the original address
 * (g_oldAddress still 0) the call goes through a null function pointer.
 */
int WINAPI MyMessageBoxA(
    _In_opt_ HWND hWnd,
    _In_opt_ LPCSTR lpText,
    _In_opt_ LPCSTR lpCaption,
    _In_ UINT uType)
{
    // Intercept the MessageBox text: replace the caller's text with "hehe".
    lpText = new char[10];
    memset((void*)lpText, 0, 10);
    sprintf_s((char*)lpText, 10, "hehe");
    int Result = MYMESSAGE(g_oldAddress)(hWnd, lpText, lpCaption, uType);
    return Result;
}

/*
 * Walk the import table of module szModule (NULL = the process's main executable,
 * per GetModuleHandleA) and overwrite the IAT slot that imports szFunName with
 * dwNewFunSize, handing back the slot's previous value in OldFunSize.
 *
 * Parameters:
 *   szModule     - module name for GetModuleHandleA, or NULL for the main image.
 *   szDllName    - NOT USED: the code never compares it with an import descriptor's
 *                  Name, so every imported DLL is searched for szFunName.
 *   szFunName    - import name to match (strcmp against IMAGE_IMPORT_BY_NAME::Name).
 *   dwNewFunSize - despite the name, the address written into the IAT slot.
 *   OldFunSize   - out: the value the slot held before it was overwritten.
 *
 * NOTE(review): all arithmetic is on DWORD values and 4-byte slots, so this assumes
 * a 32-bit image. GetModuleHandleA and VirtualProtect results are not checked.
 */
void HookIAT(char* szModule,char* szDllName, char* szFunName, DWORD dwNewFunSize, DWORD& OldFunSize)
{
    //1 Get the module's load base.
    PBYTE pBuf= (PBYTE)GetModuleHandleA(szModule);
    //2 Locate the module's import table.
    //2.1 DOS header.
    PIMAGE_DOS_HEADER pDos = PIMAGE_DOS_HEADER(pBuf);
    //2.2 NT headers.
    PIMAGE_NT_HEADERS pNt = PIMAGE_NT_HEADERS(pBuf + pDos->e_lfanew);
    //2.3 Optional header.
    PIMAGE_OPTIONAL_HEADER pOption = &(pNt->OptionalHeader);
    //2.4 Data directory table.
    PIMAGE_DATA_DIRECTORY pDataDirectory = pOption->DataDirectory;
    //2.5 Data directory of the import table (index 1 = IMAGE_DIRECTORY_ENTRY_IMPORT;
    //    the variable is named "Export" but it is the import directory).
    PIMAGE_DATA_DIRECTORY pExportDirectory = (pDataDirectory + 1);
    //2.6 Resolve its RVA to the first import descriptor.
    PIMAGE_IMPORT_DESCRIPTOR pImport = (PIMAGE_IMPORT_DESCRIPTOR)(pExportDirectory->VirtualAddress + pBuf);
    //3 Iterate over import descriptors until the terminating entry or a match.
    //  (szDllName is never consulted here.)
    BOOL bFind = FALSE;
    while (pImport->OriginalFirstThunk != 0 && bFind== FALSE)
    {
        // IAT (FirstThunk) of this DLL: the slots the loader patched with addresses.
        PIMAGE_THUNK_DATA pIat = (PIMAGE_THUNK_DATA)(pImport->FirstThunk + pBuf);
        // INT (OriginalFirstThunk) of this DLL: names/ordinals, walked in parallel.
        PIMAGE_THUNK_DATA pInt = (PIMAGE_THUNK_DATA)(pImport->OriginalFirstThunk+ pBuf);
        //4 Search the import name table for szFunName.
        // NOTE(review): this loop has no end-of-table check (a zero thunk); its only
        // exit is the break on a match, so when szFunName is not imported by this DLL
        // it runs past the end of the thunk arrays.
        while (true)
        {
            // Intended to skip ordinal imports (high bit set). NOTE(review): 80000000 is
            // the decimal constant, not 0x80000000 (IMAGE_ORDINAL_FLAG32), so the shifted
            // result is always 0 and the condition holds for every entry; ordinal entries
            // are then treated as if they held a name RVA.
            if ((pInt->u1.Ordinal & 80000000) >> 31 != 1)
            {
                // Name record for this import.
                PIMAGE_IMPORT_BY_NAME pNameAndOrder = (PIMAGE_IMPORT_BY_NAME) (pInt->u1.AddressOfData + pBuf);
                // Compare with the wanted name; on a match, patch the corresponding IAT slot.
                if (strcmp(pNameAndOrder->Name, szFunName) == 0)
                {
                    // Save the old value, make the 4-byte slot writable, write the new
                    // address, then restore the previous protection.
                    OldFunSize = pIat->u1.Function;
                    DWORD old = 0;
                    VirtualProtect(&(pIat->u1.Function), 4, PAGE_EXECUTE_READWRITE, &old);
                    pIat->u1.Function = dwNewFunSize;
                    VirtualProtect(&(pIat->u1.Function), 4, old, &old);
                    bFind = TRUE;
                    break;
                }
            }
            pIat++;
            pInt++;
        }
        pImport++;
    }
}

/*
 * DLL entry point. On DLL_PROCESS_ATTACH it redirects the host executable's import
 * of USER32!MessageBoxA to MyMessageBoxA and saves the original in g_oldAddress.
 * hModule and lpReserved are unused. Always returns TRUE.
 *
 * NOTE(review): the hook is never removed -- DLL_PROCESS_DETACH does nothing, so if
 * this DLL is unloaded the host's IAT still points into unmapped memory.
 * NOTE(review): HookIAT runs inside DllMain, i.e. under the loader lock.
 */
BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        HookIAT(NULL, "USER32.dll", "MessageBoxA", (DWORD)MyMessageBoxA, g_oldAddress);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}