首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 付费问答
    3. 发新帖
[旧帖] [求助]求助一下在HOOK那个API时遇到的困惑 0.00雪花
发表于: 2011-3-20 12:51 1395

[旧帖] [求助]求助一下在HOOK那个API时遇到的困惑 0.00雪花

Justzhl 活跃值
2011-3-20 12:51
1395

#include "windows.h"
#include "stdio.h"
BOOL bMessage = 0;
typedef int (WINAPI *PFNMESSAGEBOX)(HWND,LPCSTR,LPCSTR,UINT);
PROC g_orgAddr = (PROC)MessageBoxA;
int MyMessageBox(HWND hWnd,LPCSTR lpContent,LPCSTR lpTitle,UINT uType);


int main()
{
	HMODULE hMod = GetModuleHandle(NULL);
	IMAGE_DOS_HEADER* pDosHeader = (IMAGE_DOS_HEADER*)(BYTE*)hMod;
	IMAGE_OPTIONAL_HEADER* pOptHeader = (IMAGE_OPTIONAL_HEADER*)(pDosHeader->e_lfanew + 24 + (BYTE*)hMod);
	IMAGE_IMPORT_DESCRIPTOR* pImportDesc = (IMAGE_IMPORT_DESCRIPTOR*)((BYTE*)hMod + pOptHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); 
	while(pImportDesc->FirstThunk)
	{
		char* pszDllName = (char*)(pImportDesc->Name + (BYTE*)hMod);
		printf("Dll Name : %-10s \n",pszDllName);
		IMAGE_THUNK_DATA* pThunk = (IMAGE_THUNK_DATA*)((BYTE*)hMod + pImportDesc->OriginalFirstThunk);
		while(pThunk->u1.Function)
		{
			char* pszFuncName = (char*)((DWORD)pThunk->u1.AddressOfData + (BYTE*)hMod + 2);
			DWORD* pszFuncAddr = (DWORD*)(pThunk->u1.Function + (BYTE*)hMod);
			printf("\t函数名称:%-30s",pszFuncName);
			printf("函数地址:%-8x\n",pszFuncAddr);
			char* fnName = pszFuncName;
			if(strcmp(fnName,"MessageBoxA")==0)
			{
				bMessage = 1;
				DWORD* lpNewAddr = (DWORD*)MyMessageBox;
				printf("\t%-39s写新地址:%x \n","",lpNewAddr);
				VirtualProtect(pszFuncAddr,sizeof(DWORD),PAGE_READWRITE,NULL);
				BOOL bRet = ::WriteProcessMemory(GetCurrentProcess(),pszFuncAddr,lpNewAddr,sizeof(DWORD),NULL);
				DWORD* gpNewAddr = NULL;
				::ReadProcessMemory(GetCurrentProcess(),pszFuncAddr,gpNewAddr,sizeof(DWORD),NULL); 
				if(bRet)
					puts("\tWriteProcessMemory successfully");
				printf("\t函数名称:%-30s",fnName);
				printf("函数地址:%x\n",gpNewAddr);
			}
			pThunk++;
		}
		pImportDesc++;
	}
	if(bMessage)
		MessageBox(NULL,"当你看到这个,说明没有HOOK成功啊!","失败了!",0);
	getchar();
	return 0;
}




int WINAPI MyMessageBox(HWND hWnd,LPCSTR lpContent,LPCSTR lpTitle,UINT uType)
{
	return ((PFNMESSAGEBOX)g_orgAddr)(hWnd,"原函数退休了,我接管了!",lpTitle,uType);
}


这个代码编译通过了,运行结果有问题:我HOOK掉了MessageBoxA函数,这个结果说WriteProcessMemory是成功了的,但是最后弹出来的还是原来的没有被HOOk的函数!!我用ReadProcessMemory去验证到底写成功了没,结果是没有读出数据,不知道这是怎么回事!!!
请大家帮我看看,小弟先谢谢大家哦

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

收藏
免费 0
支持
分享
最新回复 (1)
Justzhl
雪    币: 35
活跃值: (12)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
2 
 
#include "windows.h"
#include "stdio.h"
PROC g_orgFunc = (PROC)MessageBoxA;
BOOL bMessage = 0;
typedef int (WINAPI *PFNMESSAGEBOX)(HWND,LPCSTR,LPCSTR,UINT);
int WINAPI MyMessageBox(HWND hWnd,LPCSTR lpContent,LPCSTR lpTitle,UINT uType);
int main()
{
 HMODULE hMod = GetModuleHandle(NULL);
 IMAGE_DOS_HEADER* pDosHeader = (IMAGE_DOS_HEADER*)(BYTE*)hMod;
 IMAGE_OPTIONAL_HEADER* pOptHeader = (IMAGE_OPTIONAL_HEADER*)((BYTE*)hMod + pDosHeader->e_lfanew + 24);
 IMAGE_IMPORT_DESCRIPTOR* pImportDesc = (IMAGE_IMPORT_DESCRIPTOR*)((BYTE*)hMod + pOptHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
 while(pImportDesc->FirstThunk)
 {
  char* pDllName = (char*)(pImportDesc->Name + (BYTE*)hMod);
  if(strcmp(strupr(pDllName),"USER32.DLL") == 0)
  {
   puts("user32.dll find success");
   break;
  }
  pImportDesc++;
 }
 IMAGE_THUNK_DATA* pThunk = (IMAGE_THUNK_DATA*)(pImportDesc->FirstThunk + (BYTE*)hMod);
 while(pThunk->u1.Function)
 {
  DWORD* lpAddr = (DWORD*)&pThunk->u1.Function;
  if(*lpAddr == (DWORD)g_orgFunc)
  {
   bMessage = 1;
   DWORD* lpNewAddr = (DWORD*)MyMessageBox;
   BOOL bRet = ::WriteProcessMemory(GetCurrentProcess(),lpAddr,&lpNewAddr,sizeof(DWORD),NULL);
   if(bRet)
    puts("WriteProcessMemory success");
  }
  pThunk++;
 }
 if(bMessage) 
  MessageBoxA(NULL,"这是老函数!","提示!",0);
 getchar();
}

int WINAPI MyMessageBox(HWND hWnd,LPCSTR lpContent,LPCSTR lpTitle,UINT uType)
{
 return ((PFNMESSAGEBOX)g_orgFunc)(hWnd,"老函数退休了,今天我值班!",lpTitle,uType);
}
2011-3-20 16:48
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//