#pragma once
#include <windows.h>
#include <tchar.h>

/**
 * Rewrite one entry of the calling process's own Import Address Table (the
 * main module's, obtained via GetModuleHandle(NULL)) so that the import of
 * strFunNameOrOdinal from strDllName resolves to dwNewFunAddr.
 *
 * NOTE(review): the implementation works with 32-bit DWORD addresses and x86
 * inline asm, so this is an x86-only helper.
 *
 * @param strDllName          DLL name as spelled in the import table (e.g. "USER32.dll").
 * @param strFunNameOrOdinal  Imported function name; only name imports are matched.
 * @param dwOldFunAddr        Receives the address the IAT entry held before patching.
 * @param dwNewFunAddr        Address written into the IAT entry.
 * @return 0 on success; non-zero on failure:
 *         1 = no import descriptor with that DLL name,
 *         2 = the descriptor's IAT/INT RVA is zero,
 *         3 = VirtualProtect failed.
 */
int HookIAT_MessageBoxW(char* strDllName, char* strFunNameOrOdinal, _Out_ DWORD& dwOldFunAddr, DWORD& dwNewFunAddr);

/**
 * Replacement installed in place of MessageBoxW by HookIAT_MessageBoxW.
 * Forwards the four arguments to the original function address saved in
 * g_dwOldFunAddr (stdcall, same signature as MessageBoxW).
 */
int WINAPI MyMessageBoxW(HWND hWnd, LPCWSTR wcsText, LPCWSTR wcsCaption, UINT uType);
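#include <stdio.h>
#include <string.h>
#include "MainConsole.h"
#include "PEData.h"

// Every address below is squeezed into a 32-bit DWORD (the IAT slot type on
// x86). Refuse to build where a pointer is wider instead of silently truncating.
static_assert(sizeof(void*) == sizeof(DWORD), "HookIAT_MessageBoxW is x86 (32-bit) only");

// Index of the patched entry inside the target DLL's IAT; -1 until a hook succeeds.
int g_iIndexOfMessageBoxWInIAT = -1;
// Address the IAT entry held before patching; MyMessageBoxW forwards to it.
DWORD g_dwOldFunAddr{};

// Signature of MessageBoxW: WINAPI == __stdcall on x86.
typedef int (WINAPI *PFN_MessageBoxW)(HWND, LPCWSTR, LPCWSTR, UINT);

int main()
{
    MessageBoxW(0, L"", L"", 0);    // before the hook: resolves to the real MessageBoxW

    DWORD dw1 = (DWORD)MyMessageBoxW;
    int iRes = HookIAT_MessageBoxW("USER32.dll", "MessageBoxW", g_dwOldFunAddr, dw1);
    if (iRes)
    {
        // Format in a single call. The previous version passed strErrorText both as
        // the destination and as a "%s" source of the same sprintf_s, which is
        // undefined behavior (overlapping buffers).
        char strErrorText[MAX_PATH]{};
        sprintf_s(strErrorText, sizeof strErrorText, "HookIAT_MessageBoxW! ErrorCode:%x", iRes);
        MessageBoxA(GetConsoleWindow(), strErrorText, "Error:", MB_ICONERROR);
    }

    MessageBoxW(0, L"", L"", 0);    // after the hook: dispatched through MyMessageBoxW

    return 0;
}


// Walk the import descriptor array starting at pFirstID and return the
// descriptor whose DLL name equals strDllName, or NULL when none matches.
// The loader treats module names case-insensitively, so the comparison does too.
static IMAGE_IMPORT_DESCRIPTOR* FindImportDescriptor(IMAGE_IMPORT_DESCRIPTOR* pFirstID, DWORD dwMod, const char* strDllName)
{
    for (IMAGE_IMPORT_DESCRIPTOR* pID = pFirstID; pID->Name; ++pID)
    {
        const char* strName = (const char*)(pID->Name + dwMod);
        if (0 == _stricmp(strDllName, strName)) { return pID; }
    }
    return NULL;
}

// Return the index of the entry in the Import Name Table (INT) that imports
// strFunName by name, or -1 when it is absent or imported by ordinal only.
// The INT is consulted rather than the IAT: once the image is mapped, the
// loader overwrites IAT slots with function addresses, so neither their zero
// terminator nor the "ordinal" high bit can be trusted on the IAT side.
static int FindImportIndexByName(IMAGE_THUNK_DATA* pINT, DWORD dwMod, const char* strFunName)
{
    for (int i = 0; pINT[i].u1.AddressOfData; ++i)
    {
        if (IMAGE_SNAP_BY_ORDINAL(pINT[i].u1.Ordinal)) { continue; }  // no name to compare
        IMAGE_IMPORT_BY_NAME* pIBN = (IMAGE_IMPORT_BY_NAME*)(pINT[i].u1.AddressOfData + dwMod);
        if (0 == strcmp(strFunName, (const char*)pIBN->Name)) { return i; }
    }
    return -1;
}

//****************************************************
// Name: HookIAT_MessageBoxW
// Func: Hook one imported function by rewriting its IAT slot in this process's main module.
// Args: char * strDllName          DLL name as stored in the import table
// Args: char * strFunNameOrOdinal  imported function name (name imports only)
// Args: _Out_ DWORD & dwOldFunAddr receives the address the slot held before the patch
// Args: DWORD & dwNewFunAddr       address written into the slot
// RetV: int
//   return 0; success
//   return 1; no import descriptor with that DLL name
//   return 2; the descriptor's IAT or INT RVA is zero
//   return 3; VirtualProtect failed (on the restore call the slot is already patched)
//   return 4; function not found among that DLL's name imports
//****************************************************
int HookIAT_MessageBoxW(char * strDllName, char * strFunNameOrOdinal, _Out_ DWORD & dwOldFunAddr, DWORD & dwNewFunAddr)
{
    // 1. Parse the PE headers of this process's own main module.
    DWORD dwMod = (DWORD)GetModuleHandle(NULL);
    CPEData o((IMAGE_DOS_HEADER*)dwMod);

    // 2. Locate the import descriptor for the requested DLL.
    IMAGE_IMPORT_DESCRIPTOR* pFirstID = (IMAGE_IMPORT_DESCRIPTOR*)(o.m_pDDT[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + dwMod);
    IMAGE_IMPORT_DESCRIPTOR* pID = FindImportDescriptor(pFirstID, dwMod, strDllName);
    if (!pID) { return 1; }
    if (!pID->FirstThunk || !pID->OriginalFirstThunk) { return 2; }

    IMAGE_THUNK_DATA* pIAT = (IMAGE_THUNK_DATA*)(pID->FirstThunk + dwMod);
    IMAGE_THUNK_DATA* pINT = (IMAGE_THUNK_DATA*)(pID->OriginalFirstThunk + dwMod);

    // 3. Locate the function within that DLL's import list. The previous version
    //    fell through on a miss and patched whatever slot the loop stopped on.
    int iIndex = FindImportIndexByName(pINT, dwMod, strFunNameOrOdinal);
    if (iIndex < 0) { return 4; }
    g_iIndexOfMessageBoxWInIAT = iIndex;

    // 4. Save the current target, then swap in the replacement under a writable mapping.
    DWORD* pSlot = &pIAT[iIndex].u1.Function;
    dwOldFunAddr = *pSlot;

    DWORD dwOldProtect{};
    if (!VirtualProtect(pSlot, sizeof *pSlot, PAGE_READWRITE, &dwOldProtect)) { return 3; }
    *pSlot = dwNewFunAddr;
    if (!VirtualProtect(pSlot, sizeof *pSlot, dwOldProtect, &dwOldProtect)) { return 3; }

    return 0;
}

// Replacement for MessageBoxW: forwards to the saved original and returns its
// result. The earlier inline-asm version read the arguments from [ebp+8..0x14]
// (correct only with a standard frame-pointer prologue) and then restored eax
// and returned 0, discarding MessageBoxW's actual return value.
int WINAPI MyMessageBoxW(HWND hWnd, LPCWSTR wcsText, LPCWSTR wcsCaption, UINT uType)
{
    if (!g_dwOldFunAddr) { return 0; }  // hook not installed: nothing to forward to
    return ((PFN_MessageBoxW)g_dwOldFunAddr)(hWnd, wcsText, wcsCaption, uType);
}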