Ring3 EAT Hook
// (c) Code By Extreme
// Description:Ring3 Api hook engine(by EAT)
// Last update:2010-4-16
#include <stdio.h>
#include <conio.h>
#include <windows.h>
#include <tlhelp32.h>
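// Replacement that GetEAT installs in place of the OpenProcess export.
// It has the real OpenProcess signature so the export-table slot stays
// call-compatible; the parameters are not used here.
// The original fell off the end of a non-void function, which is undefined
// behaviour; it now returns NULL, i.e. the caller sees "OpenProcess failed".
HANDLE WINAPI MyOpenProcess( DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
{
	(void)dwDesiredAccess;
	(void)bInheritHandle;
	(void)dwProcessId;
	MessageBox(NULL, "Call!", "wonderful!", 0);
	return NULL;
}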
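// Returns the load address of the module named DllName in the current
// process, or 0 when the module is not found or the snapshot cannot be taken.
// Fixes against the original: ModEntry.dwSize is set (Module32First requires
// it and fails otherwise), the first module of the snapshot is inspected too,
// the snapshot handle is closed on every path (the old CloseHandle stood
// after a return and was unreachable), and the name compare is
// case-insensitive, since the loader reports names such as "KERNEL32.DLL".
// The DWORD return keeps the file's 32-bit-process assumption; it would
// truncate a 64-bit base address.
DWORD GetDllBaseAddr(char *DllName)
{
	DWORD base = 0;
	MODULEENTRY32 ModEntry;
	HANDLE hToolHelp = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId());
	if (hToolHelp == INVALID_HANDLE_VALUE) {
		return 0;
	}
	ModEntry.dwSize = sizeof(ModEntry);
	if (Module32First(hToolHelp, &ModEntry)) {
		do {
			if (lstrcmpi(ModEntry.szModule, DllName) == 0) {
				base = (DWORD)(DWORD_PTR)ModEntry.modBaseAddr;
				break;
			}
		} while (Module32Next(hToolHelp, &ModEntry));
	}
	// Closed exactly once, whether or not the module was found.
	CloseHandle(hToolHelp);
	return base;
}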
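// Overwrites the export-address-table entry of ExpName in the already-loaded
// module DllName with the RVA of MyOpenProcess (hook address minus module
// base). Returns the address of the patched table slot on success and 0
// when the module, its export directory or the name cannot be found, the
// ordinal is out of range, or the page cannot be made writable.
// Only lookups performed after the patch (GetProcAddress, modules loaded
// later) observe the new entry; imports already bound through a caller's IAT
// are untouched. The engine assumes a 32-bit process: base and hook address
// are DWORDs and the table slot is 32 bits wide.
PVOID GetEAT(char *DllName, char *ExpName)
{
	DWORD DllBaseAddr = GetDllBaseAddr(DllName);
	if (DllBaseAddr == 0) {
		return 0;
	}
	// IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS, with signature checks so a bogus
	// base is rejected rather than dereferenced (the original tested the
	// computed pointers against 0, which can never be true after adding the base).
	PIMAGE_DOS_HEADER DosHdr = (PIMAGE_DOS_HEADER)DllBaseAddr;
	if (DosHdr->e_magic != IMAGE_DOS_SIGNATURE) {
		return 0;
	}
	PIMAGE_NT_HEADERS NtHdr = (PIMAGE_NT_HEADERS)(DllBaseAddr + (DWORD)DosHdr->e_lfanew);
	if (NtHdr->Signature != IMAGE_NT_SIGNATURE) {
		return 0;
	}
	// IMAGE_EXPORT_DIRECTORY; a zero RVA means the module exports nothing.
	DWORD ExpRva = NtHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
	if (ExpRva == 0) {
		return 0;
	}
	PIMAGE_EXPORT_DIRECTORY ExpDir = (PIMAGE_EXPORT_DIRECTORY)(DllBaseAddr + ExpRva);
	PDWORD AddrOfNames = (PDWORD)(DllBaseAddr + ExpDir->AddressOfNames);
	PDWORD AddrOfFuncs = (PDWORD)(DllBaseAddr + ExpDir->AddressOfFunctions);
	PWORD AddrOfOrdinals = (PWORD)(DllBaseAddr + ExpDir->AddressOfNameOrdinals);
	for (DWORD Cnt = 0; Cnt < ExpDir->NumberOfNames; ++Cnt) {
		if (strcmp((const char *)(DllBaseAddr + AddrOfNames[Cnt]), ExpName) != 0) {
			continue;
		}
		// The name-ordinal table indexes AddressOfFunctions; bound it so a
		// corrupt export directory cannot send the write out of the table.
		WORD Ordinal = AddrOfOrdinals[Cnt];
		if (Ordinal >= ExpDir->NumberOfFunctions) {
			return 0;
		}
		PDWORD AddrToWrite = &AddrOfFuncs[Ordinal];
		DWORD NewRva = (DWORD)MyOpenProcess - DllBaseAddr;
		// The table is data, so PAGE_READWRITE is sufficient (the original
		// requested PAGE_EXECUTE_READWRITE). The previous protection gets its
		// own variable -- the original reused dwTmp for the bytes-written
		// count and so lost it -- and is restored after the store.
		DWORD OldProtect = 0;
		if (!VirtualProtect(AddrToWrite, sizeof(DWORD), PAGE_READWRITE, &OldProtect)) {
			return 0;
		}
		*AddrToWrite = NewRva;
		VirtualProtect(AddrToWrite, sizeof(DWORD), OldProtect, &OldProtect);
		return AddrToWrite;
	}
	return 0;
}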
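// Demo driver: patches kernel32's OpenProcess export and prints the
// addresses needed to judge the result. The original stored (DWORD)OpenProcess
// into a PVOID and never looked at either value.
int main(void)
{
	PVOID Result = GetEAT("kernel32.dll", "OpenProcess");
	printf("GetEAT returned          : %p\n", Result);
	// OpenProcess below was resolved through this EXE's import table when the
	// process was loaded, so it keeps pointing at the original function
	// whatever GetEAT wrote to the export table; that is the behaviour the
	// post asks about. A lookup made after the patch goes through the export
	// table and is the one that can differ.
	printf("imported OpenProcess     : %p\n", (PVOID)OpenProcess);
	printf("GetProcAddress lookup    : %p\n", (PVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "OpenProcess"));
	printf("MyOpenProcess            : %p\n", (PVOID)MyOpenProcess);
	return 0;
}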
Hook 后内存写入成功,但获得的地址不变。看了《Windows 核心编程》中关于IAT Hook 的章节,自己按原方法改为Hook EAT,但为什么不起作用?