15,471
社区成员
发帖
与我相关
我的任务
分享我想HOOK模块的IAT的函数,请问该怎么做?(不是EXE的,是DLL的)
我想HOOK模块的IAT的函数,请问该怎么做?(不是EXE的,是DLL的)
...全文
请发表友善的回复…
发表回复
猫已经找不回了 2009-04-22
- 打赏
- 举报
http://bbs.pediy.com/showthread.php?t=60778
rootkit hook 之[七]--- IAT Hook
rootkit hook 之[七]--- IAT Hook
stjay 2009-04-22
- 打赏
- 举报
去看雪混混保有收获
获取DLL的句柄后和EXE操的一样了
HMODULE hDll = GetModuleHandle(DllName);//LoadLibrary
if (!hDll)
return;
PIMAGE_DOS_HEADER pdh = PIMAGE_DOS_HEADER(hDll);
PIMAGE_NT_HEADERS pnh = PIMAGE_NT_HEADERS((LPSTR)hDll + pdh->e_lfanew);
PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)((LPSTR)hDll + pnh->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
if (!pImportDesc)
return;
for (; pImportDesc->Name; pImportDesc ++)
{
LPSTR pszName = (LPSTR)((LPSTR)hDll + pImportDesc->Name);
if (!lstrcmpi(pszName, FuncName))//比较函数名
break;
}
if (!pImportDesc->Name)
return;
PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)((LPSTR)hDll + pImportDesc->FirstThunk);
for (; pThunk->u1.Function; pThunk++)
{
DWORD *ppfn = (DWORD *)&pThunk->u1.Function;
DWORD oldProtect;
if (VirtualProtectEx(g_hCurProcess, ppfn, sizeof(dwNewProc), PAGE_EXECUTE_READWRITE, &oldProtect))
{
*ppfn = (DWORD)NewProc;//改成想要的地址
VirtualProtectEx(g_hCurProcess, ppfn, sizeof(dwNewProc), oldProtect, &oldProtect);
}
}
获取DLL的句柄后和EXE操的一样了
HMODULE hDll = GetModuleHandle(DllName);//LoadLibrary
if (!hDll)
return;
PIMAGE_DOS_HEADER pdh = PIMAGE_DOS_HEADER(hDll);
PIMAGE_NT_HEADERS pnh = PIMAGE_NT_HEADERS((LPSTR)hDll + pdh->e_lfanew);
PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)((LPSTR)hDll + pnh->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
if (!pImportDesc)
return;
for (; pImportDesc->Name; pImportDesc ++)
{
LPSTR pszName = (LPSTR)((LPSTR)hDll + pImportDesc->Name);
if (!lstrcmpi(pszName, FuncName))//比较函数名
break;
}
if (!pImportDesc->Name)
return;
PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)((LPSTR)hDll + pImportDesc->FirstThunk);
for (; pThunk->u1.Function; pThunk++)
{
DWORD *ppfn = (DWORD *)&pThunk->u1.Function;
DWORD oldProtect;
if (VirtualProtectEx(g_hCurProcess, ppfn, sizeof(dwNewProc), PAGE_EXECUTE_READWRITE, &oldProtect))
{
*ppfn = (DWORD)NewProc;//改成想要的地址
VirtualProtectEx(g_hCurProcess, ppfn, sizeof(dwNewProc), oldProtect, &oldProtect);
}
}
zyhfut 2009-04-22
- 打赏
- 举报
windows核心编程上有实例
cnzdgs 2009-04-22
- 打赏
- 举报
PE格式都是一样的,DLL句柄就是模块的开始地址。
