  • IATHook

    IATHookClass.h

     1 #pragma once
     2 
     3 #include <Windows.h>
     4 
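// Patches one entry of the main executable's import address table (IAT) so that
// calls made through that slot land in a caller-supplied function, and restores it.
// Addresses are kept as DWORD, so the class is only correct in 32-bit (x86) builds.
class IATHookClass
{
private:
    DWORD oldAddr;   // address found in the IAT slot before Hook() patched it; 0 when nothing is hooked
    DWORD newAddr;   // replacement address written by Hook(); 0 when nothing is hooked

public:
    // Start with both slots cleared so that UnHook() on a never-hooked object has a
    // defined value to compare against instead of an indeterminate one.
    IATHookClass() : oldAddr(0), newAddr(0) {}

    // Redirect the main module's IAT entry for the import named apiName to callfunc.
    // apiName is compared case-insensitively against the import names in the import
    // name table, so only imports by name can be matched. Returns TRUE if a slot was patched.
    BOOL Hook(char *apiName, DWORD callfunc);

    // Put back the address saved by Hook(). Returns TRUE if the patched slot was found
    // and restored.
    BOOL UnHook(void);
};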

    IATHookClass.cpp

     1 #include "IATHookClass.h"
     2 
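// Walk the import table of the main executable (GetModuleHandle(NULL) — not of any
// loaded DLL) and redirect the named import's IAT slot to callfunc.
//
// apiName  : import name to match (case-insensitive, lstrcmpiA). Kept as char* to
//            match the declaration in the header.
// callfunc : address to install. Only x86 is correct because addresses are DWORD.
// Returns TRUE when a slot was patched; FALSE when the arguments are empty, the PE
// headers do not validate, the import is not present by name, or the IAT page could
// not be made writable.
//
// Scope caveat: only calls that go through this executable's IAT are redirected.
// Calls resolved via GetProcAddress, delay-load imports, and imports made by other
// modules in the process are unaffected.
BOOL IATHookClass::Hook(char *apiName, DWORD callfunc)
{
    // The original wrote callfunc even when it was 0 and then reported FALSE;
    // refuse up front so the IAT is never left pointing at NULL.
    if (apiName == NULL || callfunc == 0)
        return FALSE;

    BYTE *base = (BYTE *)GetModuleHandle(NULL);
    if (base == NULL)
        return FALSE;

    // Validate the headers before trusting any RVA read out of them.
    IMAGE_DOS_HEADER *pDosHeader = (IMAGE_DOS_HEADER *)base;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return FALSE;
    IMAGE_NT_HEADERS *pNtHeaders = (IMAGE_NT_HEADERS *)(base + pDosHeader->e_lfanew);
    if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
        return FALSE;

    // Same directory the original reached via the hard-coded "+24" and "[1]".
    IMAGE_DATA_DIRECTORY *pImportDir = &pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (pImportDir->VirtualAddress == 0 || pImportDir->Size == 0)
        return FALSE; // image imports nothing

    IMAGE_IMPORT_DESCRIPTOR *pImportDesc = (IMAGE_IMPORT_DESCRIPTOR *)(base + pImportDir->VirtualAddress);
    for (; pImportDesc->FirstThunk != 0; pImportDesc++)
    {
        // Without the unbound name table there is nothing to compare apiName against;
        // the original would have treated the module base as a thunk array here.
        if (pImportDesc->OriginalFirstThunk == 0)
            continue;

        IMAGE_THUNK_DATA *pThunk = (IMAGE_THUNK_DATA *)(base + pImportDesc->FirstThunk);             // live IAT (addresses)
        IMAGE_THUNK_DATA *pThunkDesc = (IMAGE_THUNK_DATA *)(base + pImportDesc->OriginalFirstThunk);  // import name table

        for (; pThunkDesc->u1.AddressOfData != 0; pThunk++, pThunkDesc++)
        {
            // Ordinal imports carry no name; the original dereferenced the ordinal as an RVA.
            if (IMAGE_SNAP_BY_ORDINAL(pThunkDesc->u1.Ordinal))
                continue;

            IMAGE_IMPORT_BY_NAME *pImport = (IMAGE_IMPORT_BY_NAME *)(base + pThunkDesc->u1.AddressOfData);
            if (lstrcmpiA(apiName, (char *)pImport->Name) != 0)
                continue;

            // The IAT is data: PAGE_READWRITE is sufficient. Do not create an RWX page.
            DWORD dwOldProtect = 0;
            if (!VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function), PAGE_READWRITE, &dwOldProtect))
                return FALSE; // would fault on the store below

            oldAddr = (DWORD)pThunk->u1.Function;
            newAddr = callfunc;
            pThunk->u1.Function = callfunc;

            VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function), dwOldProtect, &dwOldProtect);

            // GetModuleHandle does not return a kernel handle, so the original's
            // CloseHandle(hMod) was an invalid-handle call and is intentionally gone.
            return TRUE;
        }
    }
    return FALSE;
}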
    39 
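// Restore the IAT slot patched by Hook(). The slot is located by scanning the main
// executable's IAT for the entry that currently holds newAddr, so the hook must
// still be installed for this to succeed.
// Returns TRUE if the slot was found and the saved address written back; FALSE if
// nothing is hooked, the PE headers do not validate, the slot is not found, or the
// page could not be made writable.
BOOL IATHookClass::UnHook(void)
{
    // Nothing hooked (or Hook() failed). Also refuse to write a NULL back into the
    // IAT, which the original did before reporting FALSE.
    if (newAddr == 0 || oldAddr == 0)
        return FALSE;

    BYTE *base = (BYTE *)GetModuleHandle(NULL);
    if (base == NULL)
        return FALSE;

    IMAGE_DOS_HEADER *pDosHeader = (IMAGE_DOS_HEADER *)base;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return FALSE;
    IMAGE_NT_HEADERS *pNtHeaders = (IMAGE_NT_HEADERS *)(base + pDosHeader->e_lfanew);
    if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
        return FALSE;

    IMAGE_DATA_DIRECTORY *pImportDir = &pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (pImportDir->VirtualAddress == 0 || pImportDir->Size == 0)
        return FALSE;

    // The original never advanced pThunk or pImportDesc, so it looped forever unless
    // the very first IAT slot happened to be the hooked one.
    IMAGE_IMPORT_DESCRIPTOR *pImportDesc = (IMAGE_IMPORT_DESCRIPTOR *)(base + pImportDir->VirtualAddress);
    for (; pImportDesc->FirstThunk != 0; pImportDesc++)
    {
        IMAGE_THUNK_DATA *pThunk = (IMAGE_THUNK_DATA *)(base + pImportDesc->FirstThunk);
        for (; pThunk->u1.Function != 0; pThunk++)
        {
            if (pThunk->u1.Function != newAddr)
                continue;

            // The IAT is data: PAGE_READWRITE is sufficient, no RWX page needed.
            DWORD dwOldProtect = 0;
            if (!VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function), PAGE_READWRITE, &dwOldProtect))
                return FALSE;

            pThunk->u1.Function = oldAddr;

            VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function), dwOldProtect, &dwOldProtect);

            // HMODULE is not a kernel handle; the original's CloseHandle(hMod) is dropped.
            newAddr = 0;
            oldAddr = 0;
            return TRUE;
        }
    }
    return FALSE;
}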
  • 原文地址:https://www.cnblogs.com/biaoge140/p/8734239.html