65,186
社区成员
发帖
与我相关
我的任务
分享关于HOOK gethostbyname的问题
大家好,我最近在研究怎样HOOK到gethostbyname被进程调用的情况,现在初步是想做到当该函数被调用时,记录调用的时间。
使用的方法是通过修改IAT表,并用远程线程注入的办法。
注入程序很简单,没有问题;现在不知道HOOK那一块儿出了什么问题。把代码贴出来,恳请高手指点!!!
使用的方法是通过修改IAT表,并用远程线程注入的办法。
注入程序很简单,没有问题;现在不知道HOOK那一块儿出了什么问题。把代码贴出来,恳请高手指点!!!
HookIAT.cpp:使用IAT法挂钩.
//
#include "stdafx.h"
#include <afxdllx.h>
#include "HookApi_IAT.h"
#include <windows.h>
#include <time.h>
#include <winsock2.h>
#include<iostream>
#include<fstream>
using namespace std;
void WINAPI ExampleIAT();
void WINAPI ExampleIAT_OFF();
static AFX_EXTENSION_MODULE HookIATDLL = { NULL, NULL };
//extern "C" int APIENTRY
extern "C" __declspec(dllexport) struct hostent* FAR IATgethostbyname(const char* name );
int DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
// Remove this if you use lpReserved
UNREFERENCED_PARAMETER(lpReserved);
if (dwReason == DLL_PROCESS_ATTACH)
{
ExampleIAT();
}
else if (dwReason == DLL_PROCESS_DETACH)
{
ExampleIAT_OFF();
TRACE0("HOOKIAT.DLL Terminating!\n");
// Terminate the library before destructors are called
AfxTermExtensionModule(HookIATDLL);
}
return 1;
}
//---------------------------------------------------------------------------
CHookApi_IAT myIAT;
struct hostent* FAR IATgethostbyname( const char* name ) {
struct hostent* tmp = NULL;
CStdioFile file;
__time32_t nNow = 0;
tm stNow = {0};
_time32(&nNow);
_localtime32_s(&stNow,&nNow);
char buff[255] = {0};
_snprintf(buff,sizeof(buff)-1,"%d.%d.%d.%d.%d.%d",
stNow.tm_year + 1900,
stNow.tm_mon + 1,
stNow.tm_mday,
stNow.tm_hour,
stNow.tm_min,
stNow.tm_sec);
ofstream outfile("gethostbyname.txt",ios::app); //写入文件
for(int i=0;i<255;i++)
outfile<<buff[i];
tmp = gethostbyname(name);
return tmp;
}
//---------------------------------------------------------------------------
// 通过IAT挂钩API
void WINAPI ExampleIAT()
{
PROC HookAPIAddr =(FARPROC)
GetProcAddress(GetModuleHandle("wsock32.dll"), "gethostbyname");
HMODULE hModule= GetModuleHandle(NULL);
// 挂钩所有模块,备用调用.
// myIAT.HookAllAPI("user32.dll",HookAPIAddr,(PROC)IATMessageBoxA);
// 挂钩单个模块.
myIAT.HookOneAPI("wsock32.dll",HookAPIAddr,(PROC)IATgethostbyname,hModule);
}
//---------------------------------------------------------------------------
// 卸载IAT挂钩API
void WINAPI ExampleIAT_OFF()
{
HMODULE hModule= GetModuleHandle(NULL);
myIAT.HookOneAPI_OFF("wsock32.dll",hModule);
}
// HookApi_IAT.cpp:实现CHookApi_IAT类.
//
#include "stdafx.h"
#include "HookApi_IAT.h"
#include <tlhelp32.h>
#include <imagehlp.h>
#pragma comment (lib,"imagehlp.lib")
//---------------------------------------------------------------------------
CHookApi_IAT::CHookApi_IAT()
{
}
//---------------------------------------------------------------------------
CHookApi_IAT::~CHookApi_IAT()
{
}
//---------------------------------------------------------------------------
BOOL CHookApi_IAT::HookAllAPI(LPCTSTR ModuleName, PROC HookAPIAddr, PROC lpNewFunc)
{
if (ModuleName == NULL||HookAPIAddr == NULL)
return FALSE;
HANDLE hSnapshot;
MODULEENTRY32 hMod = {sizeof(hMod)};
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,NULL);
// 取得所有模块列表中的指定的模块.
BOOL bMoreMods = Module32First(hSnapshot, &hMod);
if (bMoreMods == FALSE) return FALSE;
// 循环取得想要的模块.
for (;bMoreMods; bMoreMods = Module32Next(hSnapshot, &hMod))
{
MEMORY_BASIC_INFORMATION mbi;
// 获取本模块信息.
VirtualQuery(this,&mbi,sizeof(mbi));
// 不在自己的模块中挂钩函数.
if (hMod.hModule != (HMODULE)mbi.AllocationBase)
{
//hMod.hModule:指向当前被挂钩进程的每一个模块.
HookOneAPI( ModuleName,HookAPIAddr,
lpNewFunc,hMod.hModule);
}
}
return TRUE;
}
//---------------------------------------------------------------------------
BOOL CHookApi_IAT::HookOneAPI(PCSTR ModuleName, PROC HookAPIAddr,
PROC lpNewFunc, HMODULE hmodCaller)
{
DWORD size;
PIMAGE_IMPORT_DESCRIPTOR pImportDesc =
(PIMAGE_IMPORT_DESCRIPTOR) ImageDirectoryEntryToData(
hmodCaller,TRUE,IMAGE_DIRECTORY_ENTRY_IMPORT,&size);
if(pImportDesc == NULL) return FALSE;
for (;pImportDesc->Name;pImportDesc++)
{
LPSTR pszDllName = (LPSTR)((PBYTE)hmodCaller + pImportDesc->Name);
if(lstrcmpiA(pszDllName,ModuleName) == 0) break;
}
if(pImportDesc->Name == NULL) return FALSE;
PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)
((PBYTE)hmodCaller + pImportDesc->FirstThunk);//IAT
for(;pThunk->u1.Function;pThunk++)
{
PROC * ppfn= (PROC *)&pThunk->u1.Function;
m_lpOldFunc = (PROC)pThunk->u1.Function;
m_lpNewFunc =lpNewFunc;
if (*ppfn == HookAPIAddr)
{
MEMORY_BASIC_INFORMATION mbi;
ZeroMemory(&mbi, sizeof(MEMORY_BASIC_INFORMATION));
VirtualQuery(ppfn,&mbi,sizeof(MEMORY_BASIC_INFORMATION));
VirtualProtect(mbi.BaseAddress,mbi.RegionSize,
PAGE_READWRITE,&mbi.Protect);
*ppfn = *lpNewFunc;
DWORD dwOldProtect;
VirtualProtect(mbi.BaseAddress,mbi.RegionSize,
mbi.Protect,&dwOldProtect);
return TRUE;
}
}
return FALSE;
}
//---------------------------------------------------------------------------
BOOL CHookApi_IAT::HookOneAPI_OFF(PCSTR ModuleName, HMODULE hmodCaller)
{
return HookOneAPI(ModuleName, m_lpNewFunc,m_lpOldFunc,hmodCaller);
}
...全文
请发表友善的回复…
发表回复
tushu 2012-10-24
- 打赏
- 举报
这个代码是我根据《Windows核心编程》随书源码改的,本来是HOOK MessageBox的,当时也调试成功了。现在改成gethostbyname,结果不尽人意,急!!!!求帮助!!!!
赵4老师 2012-10-24
- 打赏
- 举报
换非IE浏览器试试。
tushu 2012-10-24
- 打赏
- 举报
这会儿居然无法访问http://www.codeproject.com,天啊,这是什么情况啊
tushu 2012-10-24
- 打赏
- 举报
[Quote=引用 1 楼 的回复:]
在http://www.codeproject.com搜Hook
[/Quote]
高手帮忙看看吧,小弟是新手,还请多多指教!
在http://www.codeproject.com搜Hook
[/Quote]
高手帮忙看看吧,小弟是新手,还请多多指教!
赵4老师 2012-10-24
- 打赏
- 举报
