#include <stdio.h>
#include <windows.h>
typedef VOID (WINAPI *proc_ExitProcess)(IN UINT uExitCode);
proc_ExitProcess g_ExitProcess;
VOID WINAPI Hook_ExitProcess(IN UINT uExitCode)
{
MessageBox(0, "Hook_ExitProcess", "hello hook", 0);
g_ExitProcess(uExitCode);
}
int main(int argc, char* argv[])
{
PIMAGE_DOS_HEADER imgDosHdr = (PIMAGE_DOS_HEADER)GetModuleHandle(NULL);
PIMAGE_NT_HEADERS imgNtHdr = (PIMAGE_NT_HEADERS)((PBYTE)imgDosHdr + imgDosHdr->e_lfanew);
PIMAGE_IMPORT_DESCRIPTOR importDes = (PIMAGE_IMPORT_DESCRIPTOR)((PBYTE)imgDosHdr + imgNtHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
//对导入表进行检索
printf("import table %8x %d\n", importDes, imgNtHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size);
for (; importDes->Name; importDes++)
{
//加载模块列表
PCHAR modName = (PCHAR)imgDosHdr + importDes->Name;
printf("%s %08x\n", modName, (PCHAR)imgDosHdr + importDes->OriginalFirstThunk);
if (strnicmp(modName, "kernel32", 8) == 0)
{
//指向一个IMAGE_THUNK_DATA的数据表
PIMAGE_THUNK_DATA orgTHunkData = (PIMAGE_THUNK_DATA)((PCHAR)imgDosHdr + importDes->OriginalFirstThunk);
PIMAGE_THUNK_DATA imgThunkData = (PIMAGE_THUNK_DATA)((PCHAR)imgDosHdr + importDes->FirstThunk);
for (; imgThunkData->u1.Function; imgThunkData++, orgTHunkData++)
{
//注意是imgThunkData是一个DWORD的联合数据结构
PIMAGE_IMPORT_BY_NAME impName = (PIMAGE_IMPORT_BY_NAME)((PCHAR)imgDosHdr + orgTHunkData->u1.AddressOfData);
if (strnicmp((PCHAR)impName->Name, "ExitProcess", 11) == 0)
{
printf("%08x %d %s\n", imgThunkData->u1.Function, impName->Hint, impName->Name);
g_ExitProcess = (proc_ExitProcess)imgThunkData->u1.Function;
*(PULONG)(&imgThunkData->u1.Function) = (ULONG)Hook_ExitProcess;
}
}
}
}
ExitProcess(0); //测试HOOK_API
return 0;
}
[课程]Android-CTF解题方法汇总!
