如何挂钩延迟导入(delay-load import)

时间:2018-06-21 16:07:22

标签: c++ winapi hook

我想在不使用 Microsoft Detours 的情况下进行挂钩,所以我选择了 IAT 挂钩,因为它是最简单的方法。但我发现我要挂钩的某些函数位于延迟导入表(delay import table)中。我试着像挂钩 IAT 表那样去挂钩它:

/*
 * Attempt to hook the delay-load import "func" from "mydll.dll" in the
 * current module.
 *
 * Walks IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT of the main module, looks for the
 * descriptor whose DllNameRVA names "mydll.dll", scans its import name table
 * for "func" and overwrites u1.Function of the matching thunk with
 * hControlService (defined elsewhere).
 *
 * Defect this listing demonstrates: firstthunk is derived from
 * ImportNameTableRVA, i.e. the name table used for lookup, not the address
 * table (ImportAddressTableRVA) whose slot the delayed call goes through.
 * Writing hControlService into it corrupts a name-table entry and leaves the
 * slot that is actually called untouched, which is the most likely cause of
 * the crash described in the question.
 *
 * Also unchecked here: whether the delay-import directory exists at all (a
 * VirtualAddress of 0 would make dload alias the DOS header), and the return
 * values of both VirtualProtect calls.
 */
HMODULE lib = GetModuleHandleA(0);
PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)lib;
PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)((uintptr_t)lib + dos->e_lfanew);
/* Descriptor fields are treated as RVAs throughout; the RvaBased attribute is not consulted. */
PIMAGE_DELAYLOAD_DESCRIPTOR dload = (PIMAGE_DELAYLOAD_DESCRIPTOR)((uintptr_t)lib +
    nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].VirtualAddress); 
while (dload->DllNameRVA)
{
    char *dll = (char*)((uintptr_t)lib + dload->DllNameRVA);
    if (!strcmp(dll,"mydll.dll")) {
        MessageBoxA(0,"found mydll","info",0);
        /* BUG: this is the import NAME table; the slot to patch lives at ImportAddressTableRVA. */
        PIMAGE_THUNK_DATA firstthunk = (PIMAGE_THUNK_DATA)((uintptr_t)lib + dload->ImportNameTableRVA);
        while (firstthunk->u1.AddressOfData)
        {
        /* Imports by ordinal carry no name, so nothing to compare. */
        if (firstthunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) {}
        else {
            PIMAGE_IMPORT_BY_NAME byName = (PIMAGE_IMPORT_BY_NAME)((uintptr_t)lib + firstthunk->u1.AddressOfData);
            if (!strcmp((char*)byName->Name,"func")) {
                MessageBoxA(0,"found func","info",0);
                DWORD oldProtect;
                DWORD tmp;
                /* Return value ignored: if this fails the write below faults. */
                VirtualProtect(&firstthunk->u1.Function, sizeof(uintptr_t), PAGE_EXECUTE_READWRITE, &oldProtect);
                /* Overwrites the name-table entry, not the address slot the call uses. */
                firstthunk->u1.Function = (uintptr_t)hControlService;
                VirtualProtect(&firstthunk->u1.Function, sizeof(uintptr_t), oldProtect, &tmp);
                MessageBoxA(0, "hooked func", "info", 0);
            }
        }
        firstthunk++;
        }
    }
    dload++;
}

但是程序在调用 func 时崩溃。我该如何正确地钩住它?

1 个答案:

答案 0 :(得分:0)

根据 RbMm 的评论修改后的可用代码:

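 /*
  * Hook the delay-load import "func" from "mydll.dll" in the current module.
  *
  * A delay-load descriptor carries two parallel tables: the import name
  * table (ImportNameTableRVA), used here only for lookup, and the import
  * address table (ImportAddressTableRVA), whose slot the delayed call goes
  * through. Only the IAT slot is written. hControlService is defined
  * elsewhere; presumably it matches func's signature and calling convention.
  *
  * Changes against the original listing: the delay-import directory is
  * checked before it is dereferenced, the DLL name is compared
  * case-insensitively, and a failed VirtualProtect no longer leads to a
  * write into a protected page.
  *
  * NOTE(review): descriptor fields are treated as RVAs; the
  * Attributes.RvaBased bit is not checked — confirm the image uses
  * RVA-based descriptors before relying on this for older binaries.
  */
 HMODULE lib = GetModuleHandleA(0);
 PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)lib;
 PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)((uintptr_t)lib + dos->e_lfanew);
 IMAGE_DATA_DIRECTORY delayDir = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT];
 PIMAGE_DELAYLOAD_DESCRIPTOR dload = (PIMAGE_DELAYLOAD_DESCRIPTOR)((uintptr_t)lib + delayDir.VirtualAddress);
 /* An image without delay-load imports has an empty directory; without this
  * guard dload would alias the DOS header and be parsed as a descriptor. */
 if (delayDir.VirtualAddress == 0 || delayDir.Size == 0) {
     dload = NULL;
 }
 for (; dload != NULL && dload->DllNameRVA; dload++) {
     const char *dll = (const char *)((uintptr_t)lib + dload->DllNameRVA);
     /* Module names are case-insensitive on Windows; match them that way. */
     if (_stricmp(dll, "mydll.dll") != 0) {
         continue;
     }
     MessageBoxA(0,"found mydll","info",0);
     PIMAGE_THUNK_DATA nameThunk = (PIMAGE_THUNK_DATA)((uintptr_t)lib + dload->ImportNameTableRVA);
     PIMAGE_THUNK_DATA addrThunk = (PIMAGE_THUNK_DATA)((uintptr_t)lib + dload->ImportAddressTableRVA);
     /* The two tables are parallel: entry i of each describes the same import. */
     for (; nameThunk->u1.AddressOfData; nameThunk++, addrThunk++) {
         if (nameThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) {
             continue;   /* imported by ordinal: there is no name to compare */
         }
         PIMAGE_IMPORT_BY_NAME byName = (PIMAGE_IMPORT_BY_NAME)((uintptr_t)lib + nameThunk->u1.AddressOfData);
         if (strcmp((const char *)byName->Name, "func") != 0) {
             continue;
         }
         MessageBoxA(0,"found func","info",0);
         DWORD oldProtect = 0;
         DWORD tmp = 0;
         /* Unprotect only the slot itself. If this fails, the write below
          * would fault, so skip the entry instead of proceeding. */
         if (!VirtualProtect(&addrThunk->u1.Function, sizeof(addrThunk->u1.Function), PAGE_EXECUTE_READWRITE, &oldProtect)) {
             MessageBoxA(0, "VirtualProtect failed", "error", 0);
             continue;
         }
         addrThunk->u1.Function = (uintptr_t)hControlService;
         /* Restore the original protection immediately so the page is not
          * left writable any longer than the single store requires. */
         VirtualProtect(&addrThunk->u1.Function, sizeof(addrThunk->u1.Function), oldProtect, &tmp);
         MessageBoxA(0, "hooked func", "info", 0);
     }
 }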