15,471
社区成员
发帖
与我相关
我的任务
分享HOOK API后,主线程LoadLibrary加载DLL,这时需要重新HOOKLoadLibrary加载的DLL,难道又复制一个函数。有没有什么简便的方法。
#include "afxwin.h"
typedef struct _HOOK_ITEM {
DWORD dwAddr; //IAT项所在地址
DWORD dwOldValue; //IAT项的原始函数地址
DWORD dwNewValue; //IAT项的新函数地址
}HOOK_ITEM, *PHOOK_ITEM;
BOOL WINAPI RedirectApi(HMODULE HaHmodule, PCHAR DaDLL, PCHAR DaFunction, DWORD DaNewFunction, PHOOK_ITEM DaHookItem ){
//检查参数是否合法
if ( DaDLL == NULL || DaFunction == NULL || !DaNewFunction || !DaHookItem ) return FALSE ;
//检测目标模块是否存在
char DaTemeDLL[256] = {0};
DWORD DaBaseImage = (DWORD)HaHmodule;
if ( DaBaseImage == 0 ) return FALSE ;
// 取得PE文件头信息指针
PIMAGE_DOS_HEADER HaDosHeader = (PIMAGE_DOS_HEADER)DaBaseImage ;
PIMAGE_NT_HEADERS HaNtHeader = (PIMAGE_NT_HEADERS)(DaBaseImage + (HaDosHeader->e_lfanew)) ;
PIMAGE_OPTIONAL_HEADER32 HaOptionalHeader = &(HaNtHeader->OptionalHeader) ;
PIMAGE_SECTION_HEADER HaSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)HaNtHeader + 0x18 + HaNtHeader->FileHeader.SizeOfOptionalHeader ) ;
//遍历导入表
PIMAGE_THUNK_DATA HaThunk, HaIat ;
PIMAGE_IMPORT_DESCRIPTOR HaIid = (PIMAGE_IMPORT_DESCRIPTOR)(DaBaseImage+HaOptionalHeader->DataDirectory[1].VirtualAddress ) ;
while ( HaIid->FirstThunk ){
//检测是否目标模块
if ( strcmp ( ((CString)(PCHAR)(DaBaseImage+HaIid->Name)).MakeUpper(), ((CString)DaDLL).MakeUpper() ) ){
HaIid++;
continue;
}
HaIat = (PIMAGE_THUNK_DATA)( DaBaseImage + HaIid->FirstThunk ) ;
if ( HaIid->OriginalFirstThunk )
HaThunk = (PIMAGE_THUNK_DATA)( DaBaseImage + HaIid->OriginalFirstThunk ) ;
else
HaThunk = HaIat ;
//遍历IAT
DWORD HaThunkValue = 0 ;
while ( ( HaThunkValue = *((DWORD*)HaThunk) ) != 0 ){
if ( ( HaThunkValue & IMAGE_ORDINAL_FLAG32 ) == 0 ){
//检测是否目标函数
if ( strcmp ( (PCHAR)(DaBaseImage+HaThunkValue+2), DaFunction ) == 0 ){
//填充函数重定向信息
DaHookItem->dwAddr = (DWORD)HaIat ;
DaHookItem->dwOldValue = *((DWORD*)HaIat) ;
DaHookItem->dwNewValue = DaNewFunction;
//修改IAT项
DWORD DaOldProtect = 0 ;
VirtualProtect ( HaIat, 4, PAGE_READWRITE, &DaOldProtect ) ;
*((DWORD*)HaIat) = DaNewFunction ;
VirtualProtect ( HaIat, 4, PAGE_READWRITE, &DaOldProtect ) ;
return TRUE ;
}
}
HaThunk ++ ;
HaIat ++ ;
}
HaIid ++ ;
}
return FALSE ;
}
BOOL WINAPI RedirectApi(PCHAR DaDLL, PCHAR DaFunction, DWORD DaNewFunction, PHOOK_ITEM DaHookItem ){
return RedirectApi(GetModuleHandle(NULL), DaDLL, DaFunction, DaNewFunction, DaHookItem);
}
HOOK_ITEM HookItem_LoadLibraryA = {0};
typedef HMODULE (WINAPI* PFN_LoadLibraryA)(LPCTSTR lpFileName);
HMODULE WINAPI NEW_LoadLibraryA(LPCTSTR lpFileName){
HMODULE Result = ((PFN_LoadLibraryA)HookItem_LoadLibraryA.dwOldValue)(lpFileName);
//这里需要重新HOOK API,但是NEW_LoadLibraryA和HookItem_LoadLibraryA指针是相同的,就会BUG
//KEEP_LoadLibraryA(Result);
return Result;
}
void WINAPI KEEP_LoadLibraryA(HMODULE BaHmodule){
RedirectApi(BaHmodule, "KERNEL32.dll", "LoadLibraryA", (DWORD)NEW_LoadLibraryA, &HookItem_LoadLibraryA);
}
BOOL APIENTRY DllMain(HANDLE hModule, DWORD reason, LPVOID lpReserved){
switch ( reason ) {
case DLL_PROCESS_ATTACH: {
KEEP_LoadLibraryA(GetModuleHandle(NULL));
}
default: {
return TRUE;
}
}
}
...全文
请发表友善的回复…
发表回复
mashang 2009-11-20
- 打赏
- 举报
不晓得,试试jmp法。
StarsunYzL 2009-11-20
- 打赏
- 举报
爱莫能助,接分
wllllll 2009-11-20
- 打赏
- 举报
求回复送分
wllllll 2009-11-19
- 打赏
- 举报
看来只能靠死拷了。。。。我可怜的娃
wllllll 2009-11-19
- 打赏
- 举报
- -
