I have been stuck on this for a long time. I stared at it every day, asked around, and forced myself to get a reasonable understanding of the PE format and of disassembly along the way, which was a good thing in itself :) In the end I still could not solve it on my own; a helpful person on vchelp did. Thank you!!! At that point my notion of what a "module" is was still unclear. Looking back at the programs in Liang Xinshu's book and in Windows Core Programming: the Windows Core Programming version first calls CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, 0) to enumerate every module in the process, then uses the hook code to find the MessageBoxA thunk in each module's import address table (IAT) and rewrite it to point at MyMessageBox, which lives in a DLL injected into the target process (how the injection works I still have to learn). So when any other module in that process calls MessageBoxA, control goes to MyMessageBox in the injected DLL — but the hook does not patch its own module, so its own calls to MessageBoxA are unaffected. Liang's book, as far as I recall (I may have the details wrong), does essentially the same thing: it hooks the MessageBoxA entry of every other module and not its own. So I expected that calling MessageBoxA from my own program would go to MyMessageBox, which was my misunderstanding: no DLL is injected into my own program, the original address has to be saved first with PROC lpAdder = MessageBoxA;, and if my own module's IAT is never patched, the MessageBoxA entry it uses never changes. That is what had me stuck.
Because I saw WriteProcessMemory rewriting the thunk's content to the address of MyMessageBox, and I did not realize that the module being patched was not mine. You can tell from the addresses: my own module's IAT lies around 0x00400000, while the slot being written is at 0x77******, and since those other modules have base addresses of 0x77******, the slot being rewritten is clearly not in this program's IAT. So my own program's IAT is untouched while the other modules' IATs really are changed — that is where I went wrong, and once I understood it the program behaved as I expected :) Both programs are complete. This is what the IAT entry for MessageBoxA looks like in the disassembly window:
__imp__MessageBoxA@16:
00425324 05 10 40 00 32    add  eax, 32004010h
00425329 12 E1             adc  ah, cl
0042532B 77 00             ja   USER32_NULL_THUNK_DATA+1 (0042532d)
0042532D 00 00             add  byte ptr [eax], al
Don't mistake that for real assembly — it is not executable code. What matters are the raw hex bytes (the IAT slot holds a function address); the instruction column is just VC's disassembler translating that data as if it were code, which is misleading. I still do not really understand how compilation and loading work, but roughly the whole program is mapped into the process's virtual address space. My C is also weak — a few pointers make me dizzy — and this part has to be mastered!
#include "stdio.h" #include "windows.h" #include "imagehlp.h" #include "tlhelp32.h"
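#pragma comment(lib, "imagehlp.lib")
#pragma comment(lib, "kernel32.lib")

/*
 * IAT hooking demo, variant 1: patch the import address table of one module
 * (here, this .exe itself) so that its calls to MessageBoxA land in
 * MyMessageBoxA instead.
 *
 * Scope of the technique, for anyone reusing it: only calls that go through
 * the patched module's IAT are redirected. Calls from other modules, calls
 * through a pointer obtained with GetProcAddress, and calls made through a
 * function pointer saved before the hook (lpAdder below) are not affected.
 * Everything here happens inside the current process with its own privileges.
 */

/*
 * One hook request: which import of which module to redirect, and to where.
 * pfnOriginApiAddress is the value expected in the IAT slot and
 * pfnDummyFuncAddress is the value written over it; UnHookWindowsAPIHook
 * swaps the two and runs the same search again.
 */
typedef struct _APIHOOK32_ENTRY {
    LPCSTR  pszAPIName;           /* exported name; informational only, matching is by address */
    LPCSTR  pszCallerModuleName;  /* DLL name as written in the import table, e.g. "USER32.dll" */
    PROC    pfnOriginApiAddress;  /* address to look for in the IAT */
    PROC    pfnDummyFuncAddress;  /* address to write in its place */
    HMODULE hModCallerModule;     /* module whose IAT is patched */
} APIHOOK32_ENTRY, *PAPIHOOK32_ENTRY;

/* Signature of MessageBoxA, used to call the saved original. */
typedef int (WINAPI *PFNMSGA)(HWND, LPCSTR, LPCSTR, UINT);

/*
 * Overwrite one IAT slot in the current process, tolerating a read-only page.
 *
 * WriteProcessMemory normally copes with the IAT's page protection by itself;
 * if it fails with ERROR_NOACCESS the page is made writable just long enough
 * for the write and then restored. The original code ignored the return value,
 * so a failed write looked like a successful hook. Returns TRUE only if the
 * slot was actually written.
 */
static BOOL WriteIatSlot(PROC *ppfn, PROC pfnNew)
{
    DWORD dwOldProtect;
    BOOL  bWritten = FALSE;

    if (WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew, sizeof(pfnNew), NULL)) {
        return TRUE;
    }
    if (GetLastError() != ERROR_NOACCESS) {
        return FALSE;
    }
    if (VirtualProtect(ppfn, sizeof(pfnNew), PAGE_WRITECOPY, &dwOldProtect)) {
        bWritten = WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew, sizeof(pfnNew), NULL);
        VirtualProtect(ppfn, sizeof(pfnNew), dwOldProtect, &dwOldProtect);
    }
    return bWritten;
}

/*
 * Patch one module's IAT.
 *
 * Finds the import descriptor for phk->pszCallerModuleName, dumps the names in
 * its import name table (INT), then scans its IAT for the slot that currently
 * holds phk->pfnOriginApiAddress and replaces it with phk->pfnDummyFuncAddress.
 *
 * Returns TRUE if a slot was rewritten. Returns FALSE if the module has no
 * import table, does not import that DLL, the address is not present (not
 * imported, already hooked, or resolved differently), or the write failed.
 * The original returned TRUE on "not found", which hid that case from callers.
 */
BOOL _SetApiHookUp(PAPIHOOK32_ENTRY phk)
{
    ULONG size;
    PBYTE pBase = (PBYTE)phk->hModCallerModule;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
    PIMAGE_THUNK_DATA pThunk;   /* IAT: rewritten by the loader, holds addresses */
    PIMAGE_THUNK_DATA pThunk1;  /* INT: untouched, holds name/ordinal references */

    pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(
        phk->hModCallerModule, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &size);
    if (pImportDesc == NULL) {
        return FALSE;   /* no import table (or not a mapped PE image) */
    }

    /* First level: one import descriptor per imported DLL. */
    for (; pImportDesc->Name; pImportDesc++) {
        PSTR pszDllName = (PSTR)(pBase + pImportDesc->Name);
        /* Case-insensitive: linkers write "USER32.dll", "user32.dll", ... */
        if (lstrcmpiA(pszDllName, phk->pszCallerModuleName) == 0) {
            break;  /* found */
        }
    }
    if (pImportDesc->Name == 0) {
        return FALSE;   /* this module does not import that DLL */
    }

    printf("*****************************************************\n");

    pThunk = (PIMAGE_THUNK_DATA)(pBase + pImportDesc->FirstThunk);
    /* Some old linkers leave OriginalFirstThunk at 0; then there is no INT to read. */
    pThunk1 = pImportDesc->OriginalFirstThunk
                  ? (PIMAGE_THUNK_DATA)(pBase + pImportDesc->OriginalFirstThunk)
                  : NULL;

    /*
     * Dump the INT. An entry imported by ordinal has no IMAGE_IMPORT_BY_NAME
     * behind it, so it must be skipped rather than dereferenced as a string
     * (the original read every entry as a name).
     */
    for (; pThunk1 != NULL && pThunk1->u1.Function; pThunk1++) {
        if (IMAGE_SNAP_BY_ORDINAL(pThunk1->u1.Ordinal)) {
            printf("ordinal %u\n", (unsigned)IMAGE_ORDINAL(pThunk1->u1.Ordinal));
        } else {
            /* Name follows the WORD hint; this is the "+2" of the original. */
            PIMAGE_IMPORT_BY_NAME pByName =
                (PIMAGE_IMPORT_BY_NAME)(pBase + pThunk1->u1.AddressOfData);
            printf("%s\n", (const char *)pByName->Name);
        }
    }

    /* Second level: walk the IAT and rewrite the slot holding the original address. */
    for (; pThunk->u1.Function; pThunk++) {
        PROC *ppfn = (PROC *)&pThunk->u1.Function;
        printf("%p\n", (void *)*ppfn);
        printf("%p\n", (void *)phk->hModCallerModule);
        if (*ppfn == phk->pfnOriginApiAddress) {
            return WriteIatSlot(ppfn, phk->pfnDummyFuncAddress);
        }
    }

    printf("\n\n");
    return FALSE;   /* address not present in this module's IAT */
}

/*
 * Validate the request and patch the module named by phk->hModCallerModule.
 *
 * This variant does not enumerate modules: hModCallerModule must be set.
 * The original discarded _SetApiHookUp's result and always returned FALSE;
 * the result is now propagated.
 */
BOOL SetWindowsAPIHook(PAPIHOOK32_ENTRY phk)
{
    if (phk == NULL || phk->pszAPIName == NULL || phk->pszCallerModuleName == NULL
        || phk->pfnOriginApiAddress == NULL || phk->hModCallerModule == NULL) {
        return FALSE;
    }
    return _SetApiHookUp(phk);
}

/*
 * Undo a hook installed with SetWindowsAPIHook.
 *
 * Unhooking is the same IAT search with the two addresses exchanged: look for
 * the dummy, write the original back. The entry is restored afterwards so it
 * still describes the hook and can be passed to SetWindowsAPIHook again.
 */
BOOL UnHookWindowsAPIHook(PAPIHOOK32_ENTRY lpHk)
{
    BOOL bOk;
    PROC temp = lpHk->pfnOriginApiAddress;

    lpHk->pfnOriginApiAddress = lpHk->pfnDummyFuncAddress;
    lpHk->pfnDummyFuncAddress = temp;
    bOk = SetWindowsAPIHook(lpHk);
    lpHk->pfnDummyFuncAddress = lpHk->pfnOriginApiAddress;
    lpHk->pfnOriginApiAddress = temp;
    return bOk;
}

/* Original MessageBoxA, saved before the IAT slot is rewritten. */
PROC lpAdder;

/*
 * Replacement for MessageBoxA. Ignores its arguments and shows "new" through
 * the saved original; calling the original via lpAdder rather than by name
 * is what keeps this from recursing through the patched slot.
 */
int WINAPI MyMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
    (void)hWnd;
    (void)lpText;
    (void)lpCaption;
    (void)uType;
    return ((PFNMSGA)lpAdder)(NULL, "new", "new", MB_OK);
}

/*
 * Demo: hook this .exe's own import of USER32!MessageBoxA, show a box (expected
 * to read "new"), unhook, show another (expected to read "OLD").
 */
int main(void)
{
    APIHOOK32_ENTRY pe;

    /* MessageBoxA is declared dllimport, so this expression reads the IAT slot:
       the same value _SetApiHookUp will look for. Must be taken before hooking. */
    lpAdder = (PROC)MessageBoxA;

    pe.pszAPIName          = "MessageBoxA";
    pe.pszCallerModuleName = "USER32.dll";   /* compared case-insensitively */
    pe.pfnOriginApiAddress = lpAdder;
    pe.pfnDummyFuncAddress = (PROC)MyMessageBoxA;
    pe.hModCallerModule    = GetModuleHandle(NULL);   /* this .exe */

    SetWindowsAPIHook(&pe);
    MessageBoxA(NULL, "OLD", "OLD", MB_OK);   /* routed through the patched slot */
    UnHookWindowsAPIHook(&pe);
    MessageBoxA(NULL, "OLD", "OLD", MB_OK);   /* original again */
    return 0;
}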
The version above is my modified one: it hooks its own module, so you can play with it yourself :) Its SetWindowsAPIHook is almost empty, because there is no need to enumerate modules when you only hook your own program's imports.
#include "stdio.h" #include "windows.h" #include "imagehlp.h" #include "tlhelp32.h"
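#pragma comment(lib, "imagehlp.lib")
#pragma comment(lib, "kernel32.lib")

/*
 * IAT hooking demo, variant 2: the module-enumerating version. With
 * hModCallerModule == NULL, SetWindowsAPIHook snapshots every module in the
 * process and patches each one's IAT (except the module containing this code);
 * _SetApiHookUp searches every imported DLL rather than a single named one.
 *
 * Same scope caveat as the other variant: only calls routed through a patched
 * IAT are redirected. Modules loaded after the snapshot, GetProcAddress'd
 * pointers and pointers saved before the hook are not affected.
 */

/* Original MessageBoxW, saved before any IAT slot is rewritten. */
PROC lpAdder;

/* Signature of MessageBoxW, used to call the saved original. */
typedef int (WINAPI *PFNMSGW)(HWND, LPCWSTR, LPCWSTR, UINT);

/*
 * One hook request. pfnOriginApiAddress is the value expected in the IAT slot
 * and pfnDummyFuncAddress the value written over it; UnHookWindowsAPIHook swaps
 * the two and runs the same search again.
 */
typedef struct _APIHOOK32_ENTRY {
    LPCSTR  pszAPIName;           /* exported name; informational only, matching is by address */
    LPCSTR  pszCallerModuleName;  /* kept for the caller's record; this variant searches all DLLs */
    PROC    pfnOriginApiAddress;  /* address to look for in the IAT */
    PROC    pfnDummyFuncAddress;  /* address to write in its place */
    HMODULE hModCallerModule;     /* module to patch, or NULL for every module */
} APIHOOK32_ENTRY, *PAPIHOOK32_ENTRY;

/*
 * Overwrite one IAT slot in the current process, tolerating a read-only page.
 *
 * WriteProcessMemory normally copes with the IAT's page protection by itself;
 * on ERROR_NOACCESS the page is made writable only for the write and then
 * restored. The original ignored the return value, so a failed write looked
 * like a successful hook. Returns TRUE only if the slot was written.
 */
static BOOL WriteIatSlot(PROC *ppfn, PROC pfnNew)
{
    DWORD dwOldProtect;
    BOOL  bWritten = FALSE;

    if (WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew, sizeof(pfnNew), NULL)) {
        return TRUE;
    }
    if (GetLastError() != ERROR_NOACCESS) {
        return FALSE;
    }
    if (VirtualProtect(ppfn, sizeof(pfnNew), PAGE_WRITECOPY, &dwOldProtect)) {
        bWritten = WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew, sizeof(pfnNew), NULL);
        VirtualProtect(ppfn, sizeof(pfnNew), dwOldProtect, &dwOldProtect);
    }
    return bWritten;
}

/*
 * Patch one module's IAT, searching every DLL it imports.
 *
 * For each import descriptor, walk the IAT and its parallel INT, print the
 * imported name (or ordinal) and the DLL it comes from, and when a slot holds
 * phk->pfnOriginApiAddress replace it with phk->pfnDummyFuncAddress.
 *
 * NOTE(review): in the listing the DLL-name test and the closing brace of the
 * descriptor loop are commented out, which is what makes the thunk walk run for
 * every DLL; the brace structure after that is garbled, and this reconstruction
 * keeps searching until a slot is rewritten or the descriptors run out.
 *
 * Returns TRUE if a slot was rewritten, FALSE if there is no import table, the
 * address is not present in any IAT, or the write failed.
 */
BOOL _SetApiHookUp(PAPIHOOK32_ENTRY phk)
{
    ULONG size;
    PBYTE pBase = (PBYTE)phk->hModCallerModule;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc;

    pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(
        phk->hModCallerModule, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &size);
    if (pImportDesc == NULL) {
        return FALSE;   /* no import table (or not a mapped PE image) */
    }

    printf("*****************************************************\n");

    /* First level: one import descriptor per imported DLL. */
    for (; pImportDesc->Name; pImportDesc++) {
        PSTR pszDllName = (PSTR)(pBase + pImportDesc->Name);
        PIMAGE_THUNK_DATA pThunk  = (PIMAGE_THUNK_DATA)(pBase + pImportDesc->FirstThunk);
        /* Some old linkers leave OriginalFirstThunk at 0; then there is no INT to read. */
        PIMAGE_THUNK_DATA pThunk1 = pImportDesc->OriginalFirstThunk
                  ? (PIMAGE_THUNK_DATA)(pBase + pImportDesc->OriginalFirstThunk)
                  : NULL;

        /* Second level: IAT and INT are parallel arrays, so they advance together. */
        for (; pThunk->u1.Function; pThunk++) {
            PROC *ppfn = (PROC *)&pThunk->u1.Function;

            if (pThunk1 != NULL) {
                /* An ordinal import has no IMAGE_IMPORT_BY_NAME behind it; the
                   original dereferenced every INT entry as a name. */
                if (IMAGE_SNAP_BY_ORDINAL(pThunk1->u1.Ordinal)) {
                    printf("ordinal %u\n", (unsigned)IMAGE_ORDINAL(pThunk1->u1.Ordinal));
                } else {
                    /* Name follows the WORD hint; this is the "+2" of the original. */
                    PIMAGE_IMPORT_BY_NAME pByName =
                        (PIMAGE_IMPORT_BY_NAME)(pBase + pThunk1->u1.AddressOfData);
                    printf("%s\n", (const char *)pByName->Name);
                }
                pThunk1++;
            }
            printf("%s\n", pszDllName);
            printf("%p\n", (void *)phk->hModCallerModule);

            if (*ppfn == phk->pfnOriginApiAddress) {
                return WriteIatSlot(ppfn, phk->pfnDummyFuncAddress);
            }
        }
    }

    printf("\n\n");
    return FALSE;   /* address not present in any of this module's IATs */
}

/*
 * Install a hook in one module, or in every module of the process.
 *
 * With hModCallerModule set, patches just that module. With it NULL, snapshots
 * all modules of the current process and patches each one except the module
 * that contains this code (found with VirtualQuery on _SetApiHookUp), so the
 * hook code's own call to the original is never redirected. The entry's
 * hModCallerModule is reset to NULL afterwards.
 *
 * Fixes over the listing: the snapshot handle is closed, a failed snapshot is
 * reported, and the enumerating path returns whether any module was patched
 * instead of always FALSE. Modules loaded after the snapshot are not hooked.
 */
BOOL SetWindowsAPIHook(PAPIHOOK32_ENTRY phk)
{
    MEMORY_BASIC_INFORMATION mInfo;
    HMODULE hModHookDll;
    HANDLE  hSnapshot;
    BOOL    bOk;
    BOOL    bAny = FALSE;
    MODULEENTRY32 me = { sizeof(MODULEENTRY32) };

    if (phk == NULL || phk->pszAPIName == NULL || phk->pszCallerModuleName == NULL
        || phk->pfnOriginApiAddress == NULL) {
        return FALSE;
    }
    if (phk->hModCallerModule != NULL) {
        return _SetApiHookUp(phk);
    }

    /* Which module holds this code? Its allocation base is its HMODULE. */
    if (VirtualQuery((LPCVOID)_SetApiHookUp, &mInfo, sizeof(mInfo)) == 0) {
        return FALSE;
    }
    hModHookDll = (HMODULE)mInfo.AllocationBase;

    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, 0);   /* 0 = current process */
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        return FALSE;
    }
    for (bOk = Module32First(hSnapshot, &me); bOk; bOk = Module32Next(hSnapshot, &me)) {
        if (me.hModule != hModHookDll) {
            phk->hModCallerModule = me.hModule;
            if (_SetApiHookUp(phk)) {
                bAny = TRUE;
            }
        }
    }
    CloseHandle(hSnapshot);

    phk->hModCallerModule = NULL;
    return bAny;
}

/*
 * Undo a hook installed with SetWindowsAPIHook.
 *
 * In the listing the address swap is commented out, so this "unhook" searched
 * for the original address again and could never restore it. The swap is back:
 * look for the dummy, write the original. The entry is restored afterwards so
 * it still describes the hook.
 */
BOOL UnHookWindowsAPIHook(PAPIHOOK32_ENTRY lpHk)
{
    BOOL bOk;
    PROC temp = lpHk->pfnOriginApiAddress;

    lpHk->pfnOriginApiAddress = lpHk->pfnDummyFuncAddress;
    lpHk->pfnDummyFuncAddress = temp;
    bOk = SetWindowsAPIHook(lpHk);
    lpHk->pfnDummyFuncAddress = lpHk->pfnOriginApiAddress;
    lpHk->pfnOriginApiAddress = temp;
    return bOk;
}

/*
 * Replacement installed over MessageBoxW. Ignores its arguments and shows "new"
 * through the saved original. The original is MessageBoxW, so it must be given
 * wide strings: the listing passed narrow "new", which MessageBoxW would read
 * as UTF-16 and run past the end of.
 */
int WINAPI MyMessageBoxA(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType)
{
    (void)hWnd;
    (void)lpText;
    (void)lpCaption;
    (void)uType;
    return ((PFNMSGW)lpAdder)(NULL, L"new", L"new", MB_OK);
}

/*
 * Demo: hook this .exe's import of USER32!MessageBoxW, then unhook it.
 *
 * NOTE(review): the hook is installed on MessageBoxW but both demo calls below
 * use MessageBoxA, which has its own IAT slot, so as listed neither call is
 * redirected; either the A/W was garbled in the listing or the demo should call
 * MessageBoxW. Passing NULL as hModCallerModule instead of GetModuleHandle(NULL)
 * exercises the all-modules path.
 */
int main(void)
{
    APIHOOK32_ENTRY pe;

    /* dllimport: this expression reads the IAT slot, the value to search for.
       Must be taken before hooking. */
    lpAdder = (PROC)MessageBoxW;

    pe.pszAPIName          = "MessageBoxW";
    pe.pszCallerModuleName = "USER32.DLL";
    pe.pfnOriginApiAddress = lpAdder;
    pe.pfnDummyFuncAddress = (PROC)MyMessageBoxA;
    pe.hModCallerModule    = GetModuleHandle(NULL);   /* this .exe, base 0x00400000 */

    SetWindowsAPIHook(&pe);
    MessageBoxA(NULL, "OLD", "OLD", MB_OK);
    UnHookWindowsAPIHook(&pe);
    MessageBoxA(NULL, "OLD", "OLD", MB_OK);
    return 0;
}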
The version above is the original one; with a small change (pass NULL as hModCallerModule) it hooks every module in the process :)