djj 发表于 2017-5-3 15:03:01

IAThook失败

将dll注入到release版exe中,用xuetr发现MessageBoxA已经被挂钩但是hook失败,注入到debug版中hook成功,为啥呢?
@小甲鱼 @人造人
dll代码:
#include <windows.h>
#include <imagehlp.h>
#include <stdio.h>
#include "process.h"
#pragma comment(lib,"IMAGEHLP.lib")


/*

pDllName - 要HOOK的API所在的DLL

pApiName - 要HOOK的API的名称

iNewApi       - 新的API入口地址

pOldApi           - 用于输出原API入口地址

*/

int ReplaceIAT(const char *pDllName, const char *pApiName, INT_PTR iNewApi, INT_PTR *pOldApi)

{
        // Rewrites one entry of the calling process's import address table (IAT):
        // the slot through which the main executable imports pApiName from pDllName
        // is pointed at iNewApi, and the value that slot held before is stored in
        // *pOldApi.
        //
        // Returns 0 on success, 1 if the import directory cannot be located, and
        // 2 if no import descriptor matches pDllName. When pDllName is found but
        // pApiName is not, the thunk loop below simply runs to its end and the
        // function still returns 0 with *pOldApi untouched -- callers cannot tell
        // that case from success.
        //
        // Both names are compared case-insensitively (strcmpi). Only imports by
        // name are considered; an API imported by ordinal is never patched.

        // Base address of the main executable. The value is really an HMODULE;
        // it is only used here as the base for the RVA arithmetic below.
        HANDLE hProcess = ::GetModuleHandle (NULL);

        DWORD dwSize = 0;

        // Import directory of the already-mapped image (MappedAsImage = TRUE), so
        // the RVAs in it can be added directly to the module base.
        PIMAGE_IMPORT_DESCRIPTOR pImageImport = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(hProcess,TRUE,

                IMAGE_DIRECTORY_ENTRY_IMPORT,&dwSize);

        if (NULL == pImageImport)

                return 1;

        PIMAGE_IMPORT_BY_NAME pImageImportByName = NULL;

        PIMAGE_THUNK_DATA   pImageThunkOriginal = NULL;

        PIMAGE_THUNK_DATA   pImageThunkReal= NULL;

        // Walk the descriptor array (terminated by an entry with Name == 0) until
        // the descriptor whose DLL name equals pDllName.
        while (pImageImport->Name)

        {

                // NOTE(review): pName is computed but never used; the comparison
                // below recomputes the same pointer.
                char *pName = (char*)(PBYTE)hProcess+pImageImport->Name;

                if (0 == strcmpi((char*)((PBYTE)hProcess+pImageImport->Name),pDllName))

                {

                        break;

                }

                ++pImageImport;

        }

        // Reached the terminating descriptor: pDllName is not imported at all.
        if (!pImageImport->Name) return 2;

        // OriginalFirstThunk -> the import name table (still holds names/ordinals
        // after loading); FirstThunk -> the IAT proper, which the loader filled
        // with resolved addresses. The two arrays run in parallel, one entry per
        // imported symbol.
        pImageThunkOriginal = (PIMAGE_THUNK_DATA)((PBYTE)hProcess+pImageImport->OriginalFirstThunk);

        pImageThunkReal = (PIMAGE_THUNK_DATA)((PBYTE)hProcess+pImageImport->FirstThunk);

        // u1.Function, u1.Ordinal and u1.AddressOfData alias the same field; the
        // loop ends at the zero terminator of the name table.
        while (pImageThunkOriginal->u1.Function)

        {

                // Skip imports by ordinal; only named imports carry an IMAGE_IMPORT_BY_NAME.
                if ((pImageThunkOriginal->u1.Ordinal & IMAGE_ORDINAL_FLAG) != IMAGE_ORDINAL_FLAG)

                {

                        pImageImportByName = (PIMAGE_IMPORT_BY_NAME)((PBYTE)hProcess+pImageThunkOriginal->u1.AddressOfData);

                        if (0 == strcmpi(pApiName,(char*)pImageImportByName->Name))

                        {

                                // The IAT typically sits in a read-only section, so
                                // the whole region containing the slot is made
                                // writable, the slot is rewritten, and the previous
                                // protection is put back.
                                MEMORY_BASIC_INFORMATION mbi_thunk;

                                VirtualQuery(pImageThunkReal, &mbi_thunk, sizeof(MEMORY_BASIC_INFORMATION));

                                // mbi_thunk.Protect receives the protection that was in
                                // effect before this call; the restore below reuses it.
                                // NOTE(review): neither VirtualQuery nor either
                                // VirtualProtect result is checked -- if this call fails
                                // the write below faults on a read-only page.
                                VirtualProtect(mbi_thunk.BaseAddress,mbi_thunk.RegionSize, PAGE_READWRITE, &mbi_thunk.Protect);



                                *pOldApi =(INT_PTR) pImageThunkReal->u1.Function;

                                // NOTE(review): the (DWORD) cast truncates iNewApi to 32
                                // bits. In a 64-bit build INT_PTR and u1.Function are both
                                // 64-bit, so the upper half of the address is dropped;
                                // (ULONG_PTR) is the cast that fits both architectures.
                                pImageThunkReal->u1.Function = (DWORD)iNewApi;



                                DWORD dwOldProtect;

                                VirtualProtect(mbi_thunk.BaseAddress, mbi_thunk.RegionSize, mbi_thunk.Protect, &dwOldProtect);

                                break;

                        }

                }

                ++pImageThunkOriginal;

                ++pImageThunkReal;

        }

        return 0;

}



//自己想hook的函数写在这里
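// Signature of MessageBoxA. MessageBoxA takes ANSI strings (LPCSTR); the
// previous typedef declared LPCWSTR parameters, so the detour below handed a
// wide-character literal to an ANSI API and the replaced text could never be
// displayed correctly.
typedef int (WINAPI *MESSAGEBOXA)(HWND, LPCSTR, LPCSTR, UINT);

// Pointer for calling the original MessageBoxA; filled in by ReplaceIAT with
// the IAT entry it replaced. NULL until the hook has been installed.
MESSAGEBOXA fpMessageBoxA = NULL;

// Detour function which overrides MessageBoxA. Same calling convention and
// parameter types as the original; it substitutes lpText and forwards hWnd,
// lpCaption and uType unchanged. Returns whatever the original returns.
int WINAPI DetourMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
        (void)lpText;   // intentionally replaced below
        // Narrow literal, matching the ANSI entry point being called.
        return fpMessageBoxA(hWnd, "Hookedbybybyby!", lpCaption, uType);
}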

void ThreadProc(void *param)
{
        // Worker started from DllMain: installs the MessageBoxA hook in this
        // process by redirecting the executable's user32.dll import to
        // DetourMessageBoxA. ReplaceIAT stores the original entry in
        // fpMessageBoxA. The thread argument is unused.
        (void)param;

        const int hookResult = ReplaceIAT("user32.dll", "MessageBoxA",
                                          (INT_PTR)DetourMessageBoxA,
                                          (INT_PTR*)&fpMessageBoxA);
        // NOTE(review): the result code (0 ok, 1/2 failure) is discarded, so a
        // hook that did not install is indistinguishable from one that did.
        (void)hookResult;
}



BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpvReserved)
{
        // DLL entry point. On process attach it runs "notepad" via WinExec
        // (presumably as a visible sign that the DLL was loaded -- confirm) and
        // starts ThreadProc, which installs the MessageBoxA hook. Always reports
        // success to the loader; the other notifications are no-ops.
        //
        // NOTE(review): both calls execute while the loader lock is held.
        // Creating processes or threads from DllMain is documented as unsafe, and
        // the new thread cannot get past its own DLL_THREAD_ATTACH notification
        // until this DllMain returns, so the hook is installed some time after
        // attach rather than before the first MessageBoxA call. The _beginthread
        // return value is not checked, so a thread-creation failure goes unnoticed.
        switch (fdwReason)
        {
        case DLL_PROCESS_ATTACH:
                WinExec("notepad",SW_NORMAL);
               _beginthread(ThreadProc,0,NULL);      // create a thread that runs ThreadProc
                //SetHook();
                //ReplaceIAT("user32.dll","MessageBoxA", (INT_PTR)DetourMessageBoxA, (INT_PTR*)&fpMessageBoxA);
                break;

        case DLL_PROCESS_DETACH:
                // Code to run when the DLL is freed
                break;

        case DLL_THREAD_ATTACH:
                // Code to run when a thread is created during the DLL's lifetime
                break;

        case DLL_THREAD_DETACH:
                // Code to run when a thread ends normally.
                break;
        }
        return TRUE;
}

exe代码:
#include "stdafx.h"
#include "stdio.h"
#include "windows.h"

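int _tmain(int argc, _TCHAR* argv[])
{
        // Test driver for the hook: after every keypress (Enter) it calls
        // MessageBoxA so the effect of an injected detour can be observed.
        // Command-line arguments are not used.
        (void)argc;
        (void)argv;

        // The original literal was "test---/n" (forward slash), which is not an
        // escape sequence and printed no newline.
        printf("test---\n");

        // Stop at end of input instead of spinning forever once stdin is closed
        // (getchar() returns EOF immediately from then on).
        while (getchar() != EOF)
        {
                MessageBoxA(NULL, "原函数", "09HookDemo", 0);
        }
        return 0;
}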

人造人 发表于 2017-5-3 17:49:36

Windows SDK 我还没有学