秀纳

  博客园 :: 首页 :: 新随笔 :: 联系 :: 订阅 :: 管理 ::
Hook Api (IAT法)

 

//---------------------------------------------------------------------------
#include <windows.h>
#include <imagehlp.h>
#pragma argsused
//---------------------------------------------------------------------------
typedef void WINAPI (*SLEEPFUCTION)(DWORD dwMilliseconds);
SLEEPFUCTION P_Sleep;
void WINAPI MySleep(DWORD dwMilliseconds)
{
    if(dwMilliseconds<20)
        P_Sleep(1);
    else
        P_Sleep(dwMilliseconds/20);
}
//---------------------------------------------------------------------------
void WINAPI HookOneAPI(LPCTSTR ModuleName,LPCTSTR ApiName,PROC NewFuction,PROC &OldFuction)
{
    DWORD size;
    HMODULE hInstance = GetModuleHandle(NULL);
    PROC HookAPIAddr = GetProcAddress(GetModuleHandle(ModuleName),ApiName);
    OldFuction = HookAPIAddr;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(hInstance,TRUE,IMAGE_DIRECTORY_ENTRY_IMPORT,&size);
    if(pImportDesc == NULL)
        return;
    for (;pImportDesc->Name;pImportDesc++)
    {
        LPSTR pszDllName = (LPSTR)((PBYTE)hInstance + pImportDesc->Name);
        if(lstrcmpiA(pszDllName,ModuleName) == 0)
            break;
    }
    if(pImportDesc->Name == NULL)
        return;
    PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)((PBYTE)hInstance + pImportDesc->FirstThunk);//IAT
    for(;pThunk->u1.Function;pThunk++)
    {
        PROC * ppfn= (PROC *)&pThunk->u1.Function;
        if (*ppfn == HookAPIAddr)
        {
            MEMORY_BASIC_INFORMATION mbi;
            ZeroMemory(&mbi, sizeof(MEMORY_BASIC_INFORMATION));
            VirtualQuery(ppfn,&mbi,sizeof(MEMORY_BASIC_INFORMATION));
            VirtualProtect(mbi.BaseAddress,mbi.RegionSize,PAGE_READWRITE,&mbi.Protect);
            *ppfn = *NewFuction;
            DWORD dwOldProtect;
            VirtualProtect(mbi.BaseAddress,mbi.RegionSize,mbi.Protect,&dwOldProtect);
            return;
        }
    }
}
//---------------------------------------------------------------------------
int WINAPI DllEntryPoint(HINSTANCE hinst, unsigned long reason, void* lpReserved)
{
    if(reason == DLL_PROCESS_ATTACH)
    {
        PROC SleepAddress = NULL;
        HookOneAPI("kernel32.dll","Sleep",(PROC)MySleep,(PROC)SleepAddress);
        P_Sleep = (SLEEPFUCTION)SleepAddress;
    }
    else if(reason == DLL_PROCESS_DETACH)
    {
    }
    return true;
}
posted on 2007-08-10 09:48  秀纳  阅读(705)  评论(0)    收藏  举报