本文實例講述了C++基于hook iat改變Messagebox的方法,分享給大家供大家參考���。具體方法如下:
步驟:
1. 定義原始函數類型的寫法
//定義函數原型
typedef int (WINAPI *PFNMESSAGEBOX)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
//保存原始的MessageBox地址,注意這里
PROC g_orgProc = (PROC)MessageBox;
2. 先找到dll���,找到后設置標志
if (stricmp(pszDllName, "user32.dll") == 0)//如果是user32.dll
{
bFindDll = TRUE;
break;
}
3. 找到dll后�,查找函數名稱
//在這里是比較的函數名稱
if (stricmp(pszFuncName, "MessageBoxA") == 0)
{
//取得函數地址
PDWORD lpAddr = (DWORD*)((BYTE*)hModule + pImportDesc->FirstThunk) + n; //從第一個函數的地址���,以后每次+4字節
//在這里是比較的函數地址
printf("addrss:%X/n", lpAddr);
DWORD* lpNewProc = (DWORD*)MyMessageBox;
::WriteProcessMemory(GetCurrentProcess(), lpAddr, &lpNewProc, sizeof(DWORD), NULL);
return;
}
當然 在3.中�����,也可以根據函數地址比較
#include <windows.h>
#include <stdio.h>
//定義函數原型
typedef int (WINAPI *PFNMESSAGEBOX)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
//保存原始的MessageBox地址,注意這里
PROC g_orgProc = (PROC)MessageBox;
int MyMessageBox(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType)
{
return ((PFNMESSAGEBOX)g_orgProc)(hWnd, "mymessagebox", lpCaption, uType);
}
void SetHook()
{
HMODULE hModule = ::GetModuleHandleA(NULL);
IMAGE_DOS_HEADER* pDosHeader = (IMAGE_DOS_HEADER*)hModule;
IMAGE_OPTIONAL_HEADER* pOpNtHeader = (IMAGE_OPTIONAL_HEADER*)((BYTE*)hModule + pDosHeader->e_lfanew + 24); //這里加24
IMAGE_IMPORT_DESCRIPTOR* pImportDesc = (IMAGE_IMPORT_DESCRIPTOR*)((BYTE*)hModule + pOpNtHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
BOOL bFindDll = FALSE;
while (pImportDesc->FirstThunk)
{
char* pszDllName = (char*)((BYTE*)hModule + pImportDesc->Name);
printf("模塊名稱:%s/n", pszDllName);
if (stricmp(pszDllName, "user32.dll") == 0)//如果是user32.dll
{
bFindDll = TRUE;
break;
}
pImportDesc++;
}
if (bFindDll)
{
DWORD n = 0;
//一個IMAGE_THUNK_DATA就是一個導入函數
IMAGE_THUNK_DATA* pThunk = (IMAGE_THUNK_DATA*)((BYTE*)hModule + pImportDesc->OriginalFirstThunk);
while (pThunk->u1.Function)
{
//取得函數名稱
char* pszFuncName = (char*)((BYTE*)hModule+pThunk->u1.AddressOfData+2); //函數名前面有兩個..
printf("function name:%-25s, ", pszFuncName);
//在這里是比較的函數名稱
if (stricmp(pszFuncName, "MessageBoxA") == 0)
{
//取得函數地址
PDWORD lpAddr = (DWORD*)((BYTE*)hModule + pImportDesc->FirstThunk) + n; //從第一個函數的地址�,以后每次+4字節
//在這里是比較的函數地址
printf("addrss:%X/n", lpAddr);
DWORD* lpNewProc = (DWORD*)MyMessageBox;
::WriteProcessMemory(GetCurrentProcess(), lpAddr, &lpNewProc, sizeof(DWORD), NULL);
return;
}
n++; //每次增加一個DWORD
}
printf("/n");
}
}
int main(int argc, char* argv[])
{
::MessageBoxA(NULL, "before hook", "", MB_OK);
SetHook();
::MessageBoxA(NULL, "AFTERE hook", "", MB_OK);
return 0;
}
下面這個是比較函數地址的版本
#include <windows.h>
#include <stdio.h>
//定義函數原型
typedef int (WINAPI *PFNMESSAGEBOX)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
//保存原始的MessageBox地址,注意這里
PROC g_orgProc = (PROC)MessageBox;
int MyMessageBox(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType)
{
return ((PFNMESSAGEBOX)g_orgProc)(hWnd, "mymessagebox", lpCaption, uType);
}
void SetHook()
{
HMODULE hModule = ::GetModuleHandleA(NULL);
IMAGE_DOS_HEADER* pDosHeader = (IMAGE_DOS_HEADER*)hModule;
IMAGE_OPTIONAL_HEADER* pOpNtHeader = (IMAGE_OPTIONAL_HEADER*)((BYTE*)hModule + pDosHeader->e_lfanew + 24); //這里加24
IMAGE_IMPORT_DESCRIPTOR* pImportDesc = (IMAGE_IMPORT_DESCRIPTOR*)((BYTE*)hModule + pOpNtHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
BOOL bFindDll = FALSE;
while (pImportDesc->FirstThunk)
{
char* pszDllName = (char*)((BYTE*)hModule + pImportDesc->Name);
printf("模塊名稱:%s/n", pszDllName);
if (stricmp(pszDllName, "user32.dll") == 0)//如果是user32.dll
{
bFindDll = TRUE;
break;
}
pImportDesc++;
}
if (bFindDll)
{
DWORD n = 0;
//一個IMAGE_THUNK_DATA就是一個導入函數
IMAGE_THUNK_DATA* pThunk = (IMAGE_THUNK_DATA*)((BYTE*)hModule + pImportDesc->OriginalFirstThunk);
while (pThunk->u1.Function)
{
//取得函數名稱
char* pszFuncName = (char*)((BYTE*)hModule+pThunk->u1.AddressOfData+2); //函數名前面有兩個..
printf("function name:%-25s, ", pszFuncName);
//取得函數地址
PDWORD lpAddr = (DWORD*)((BYTE*)hModule + pImportDesc->FirstThunk) + n; //從第一個函數的地址�����,以后每次+4字節
printf("addrss:%X/n", lpAddr);
//在這里是比較的函數地址
if (*lpAddr == (DWORD)g_orgProc)
{
DWORD* lpNewProc = (DWORD*)MyMessageBox;
::WriteProcessMemory(GetCurrentProcess(), lpAddr, &lpNewProc, sizeof(DWORD), NULL);
return;
}
n++; //每次增加一個DWORD
}
printf("/n");
}
}
int main(int argc, char* argv[])
{
::MessageBoxA(NULL, "before hook", "", MB_OK);
SetHook();
::MessageBoxA(NULL, "AFTERE hook", "", MB_OK);
return 0;
}
附上修改內存頁保護屬性的代碼:
//修改內存頁的保護屬性
::VirtualQuery(lpAddr, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
::VirtualProtect(lpAddr, sizeof(DWORD), PAGE_READWRITE, &dwOldProtect);
::WriteProcessMemory(GetCurrentProcess(), lpAddr, &lpNewProc, sizeof(DWORD), NULL);
::VirtualProtect(lpAddr, sizeof(DWORD), dwOldProtect, NULL);
希望本文所述對大家的C++程序設計有所幫助�。
