-
-
[原创]垃圾代码垃圾代码
-
发表于:
2011-12-16 23:02
4446
-
#include <windows.h>
#include <shlwapi.h>
#include <wchar.h>
DWORD MyZwGetContextThread(HANDLE Thread,LPCONTEXT lpContext)
{
memset(lpContext,0,sizeof(CONTEXT));
return 0;
}
DWORD MyZwSetContextThread(HANDLE Thread,LPCONTEXT lpContext)
{
memset(lpContext,0,sizeof(CONTEXT));
return 0;
}
/**********************************************************
IAT Hook :挂钩目标输入表中的函数地址
参数:
char *szDLLName 函数所在的DLL
char *szName 函数名字
void *Addr 新函数地址
***********************************************************/
DWORD IATHook(char *szDLLName,char *szName,void *Addr)
{
DWORD Protect;
HMODULE hMod=LoadLibrary(szDLLName);
DWORD RealAddr=(DWORD)GetProcAddress(hMod,szName);
hMod=GetModuleHandle(NULL);
IMAGE_DOS_HEADER * DosHeader =(PIMAGE_DOS_HEADER)hMod;
IMAGE_OPTIONAL_HEADER * Opthdr =(PIMAGE_OPTIONAL_HEADER)((DWORD)hMod+DosHeader->e_lfanew+24);
IMAGE_IMPORT_DESCRIPTOR *pImport =(IMAGE_IMPORT_DESCRIPTOR*)((BYTE*)DosHeader+Opthdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
if(pImport==NULL)
{
return FALSE;
}
IMAGE_THUNK_DATA32 *Pthunk=(IMAGE_THUNK_DATA32*)((DWORD)hMod+pImport->FirstThunk);
while(Pthunk->u1.Function)
{
if(RealAddr==Pthunk->u1.Function)
{
VirtualProtect(&Pthunk->u1.Function,0x1000,PAGE_READWRITE,&Protect);
Pthunk->u1.Function=(DWORD)Addr;
break;
}
Pthunk++;
}
return TRUE;
}
/**********************************************************
EAT Hook :挂钩目标输出表中的函数地址
***********************************************************/
BOOL EATHook(char *szDLLName,char *szFunName,DWORD NewFun)
{
DWORD addr=0;
DWORD index=0;
HMODULE hMod=LoadLibrary(szDLLName);
DWORD Protect;
IMAGE_DOS_HEADER * DosHeader =(PIMAGE_DOS_HEADER)hMod;
IMAGE_OPTIONAL_HEADER * Opthdr =(PIMAGE_OPTIONAL_HEADER)((DWORD)hMod+DosHeader->e_lfanew+24);
PIMAGE_EXPORT_DIRECTORY Export =(PIMAGE_EXPORT_DIRECTORY)((BYTE*)DosHeader+ Opthdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
PULONG pAddressOfFunctions =(ULONG*)((BYTE*)hMod+Export->AddressOfFunctions);
PULONG pAddressOfNames =(ULONG*)((BYTE*)hMod+Export->AddressOfNames);
PUSHORT pAddressOfNameOrdinals=(USHORT*)((BYTE*)hMod+Export->AddressOfNameOrdinals);
for (int i=0;i <Export->NumberOfNames; i++)
{
index=pAddressOfNameOrdinals[i];
char *pFuncName = (char*)( (BYTE*)hMod + pAddressOfNames[i]);
if (_stricmp( (char*)pFuncName,szFunName) == 0)
{
addr=pAddressOfFunctions[index];
break;
}
}
VirtualProtect(&pAddressOfFunctions[index],0x1000,PAGE_READWRITE,&Protect);
pAddressOfFunctions[index] =(DWORD)NewFun - (DWORD)hMod;
return TRUE;
}
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, PVOID pvReserved)
{
if (dwReason == DLL_PROCESS_ATTACH)
{
DisableThreadLibraryCalls(hModule);
IATHook("kernel32.dll","ExitProcess",MyZwGetContextThread);
//GetProcAddress(LoadLibrary("ntdll.dll"),"NtSetInformationFile"); /** Test EAT HOOK **/
//ExitThread(0); /** Test IAT HOOK**/
}
return TRUE;
}
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
