例如:explore.exe正在加载一个名为BrowseUI.dll的DLL,它使用了使用Shell32.dll的ShDocVW.dll
所以我的问题是如何导入Shell32.dll的表地址(IAT)(在explorer.exe中)?
我已经知道如何获取正在运行的进程(explorer.exe)的IAT问题是我看不到shell32.dll函数..:|
编辑: 我的挂钩代码
/* =========================================================
* IATHooking Function *
* *
* Replacing windows API functions with my own functions *
* Return Value: True on success, False on failure. *
* ======================================================== */
bool CIAT_Hook::IAThooking(HMODULE hInstance,list<Hook_Data>& hookList)
{
bool flag=false;
PIMAGE_IMPORT_DESCRIPTOR importedModule;
PIMAGE_THUNK_DATA pFirstThunk,pOriginalFirstThunk;
PIMAGE_IMPORT_BY_NAME pFuncData;
importedModule=getImportTable(hInstance);
while(*(WORD*)importedModule!=0) //over on the modules (DLLs)
{
printf("\n%s - %x:\n---------\n",(char*)((PBYTE)hInstance+importedModule->Name));//printing Module Name
pFirstThunk=(PIMAGE_THUNK_DATA)((PBYTE)hInstance+ importedModule->FirstThunk);//pointing to its IAT
pOriginalFirstThunk=(PIMAGE_THUNK_DATA)((PBYTE)hInstance+ importedModule->OriginalFirstThunk);//pointing to OriginalThunk
pFuncData=(PIMAGE_IMPORT_BY_NAME)((PBYTE)hInstance+ pOriginalFirstThunk->u1.AddressOfData);// and to IMAGE_IMPORT_BY_NAME
while(*(WORD*)pFirstThunk!=0 && *(WORD*)pOriginalFirstThunk!=0) //moving over IAT and over names' table
{
printf("%X %s\n",pFirstThunk->u1.Function,pFuncData->Name);//printing function's name and addr
for (list<Hook_Data>::iterator it=hookList.begin(); it!=hookList.end(); ++it)
{
if(strcmp(it->getTargetFunction(),(char*)pFuncData->Name)==0)//checks if we are in the Target Function
{
printf("Hooking... \n");
if(rewriteThunk(pFirstThunk, &(*it)))
{
printf("Hooked %s successfully :)\n",it->getTargetFunction());
break;
}
}
}
pOriginalFirstThunk++; // next node (function) in the array
pFuncData=(PIMAGE_IMPORT_BY_NAME)((PBYTE)hInstance+ pOriginalFirstThunk->u1.AddressOfData);
pFirstThunk++;// next node (function) in the array
}
importedModule++; //next module (DLL)
}
return false;
}
PIMAGE_IMPORT_DESCRIPTOR CIAT_Hook::getImportTable(HMODULE hInstance)
{
PIMAGE_DOS_HEADER dosHeader;
IMAGE_OPTIONAL_HEADER optionalHeader;
PIMAGE_NT_HEADERS ntHeader;
IMAGE_DATA_DIRECTORY dataDirectory;
dosHeader=(PIMAGE_DOS_HEADER)hInstance;//cast hInstance to (IMAGE_DOS_HEADER *) - the MZ Header
ntHeader=(PIMAGE_NT_HEADERS)((PBYTE)dosHeader+dosHeader->e_lfanew);//The PE Header begin after the MZ Header (which has size of e_lfanew)
optionalHeader=(IMAGE_OPTIONAL_HEADER)(ntHeader->OptionalHeader); //Getting OptionalHeader
dataDirectory=(IMAGE_DATA_DIRECTORY)(optionalHeader.DataDirectory[IMPORT_TABLE_OFFSET]);//Getting the import table of DataDirectory
return (PIMAGE_IMPORT_DESCRIPTOR)((PBYTE)hInstance + dataDirectory.VirtualAddress);//ImageBase+RVA to import table
}
bool CIAT_Hook::rewriteThunk(PIMAGE_THUNK_DATA pThunk, Hook_Data* hd)
{
DWORD CurrentProtect;
DWORD junk;
VirtualProtect(pThunk,4096, PAGE_READWRITE, &CurrentProtect);//allow write to the page
hd->setSourceAddr(pThunk->u1.Function);
pThunk->u1.Function=(DWORD) hd->getNewFunc(); // rewrite the IAT to new function
VirtualProtect(pThunk,4096, CurrentProtect,&junk);//return previous premissions
return true;
}
修改
我调试了IATHooking函数,看起来崩溃了 当它到达 SHLWAPI.dll第3个函数......看起来像pFuncData变量是空的..为什么它很开心呢?
CMD.EXE中的ITS ONLY HAPPANS EXPLORER.EXE 它运行正常!
这是IATHooking输出: http://pastebin.com/LkK4QhYQ 或者这里:
ADVAPI32.dll - f4f8f817:
---------
7688BED4 RegCloseKey
76881CC0 RegCreateKeyW
768818CB RegGetValueW
7688BEC4 RegOpenKeyExW
773DA4CA GetTraceEnableFlags
773DA494 GetTraceEnableLevel
773DA42B GetTraceLoggerHandle
773D9627 RegisterTraceGuidsW
773E17AD UnregisterTraceGuids
7688B946 RegCreateKeyExW
7688BCD5 RegQueryValueExW
77415A12 EventRegister
77413614 EventUnregister
773CF5AB EventWrite
773DDD62 EventEnabled
7688B80C GetLengthSid
7688B7B4 GetTokenInformation
7688B7C4 OpenProcessToken
76881C82 RegSetValueExW
773E18F3 TraceMessage
76883129 RegOpenKeyW
7687D521 RegDeleteValueW
7688BB72 RegEnumValueW
7688BB42 RegQueryInfoKeyW
76892C32 ConvertStringSidToSidW
76889A61 CloseServiceHandle
7687D20D OpenServiceW
7687D1F5 OpenSCManagerW
76883A84 QueryServiceStatus
7688BB65 RegEnumKeyExW
7688BD6B CreateWellKnownSid
76878A9B StartServiceW
7687E5C2 CryptAcquireContextW
7687E552 CryptCreateHash
7687E53A CryptHashData
7687E582 CryptGetHashParam
7687E56A CryptDestroyHash
7687E74C CryptReleaseContext
7687F486 StartTraceW
76881338 EnableTraceEx
768814F8 StopTraceW
7689EEFB LsaLookupSids
76888CB9 IsValidSid
768818B3 GetSidSubAuthorityCount
768818E3 GetSidSubAuthority
76898D41 LsaOpenPolicy
76898CB2 LsaFreeMemory
76898E79 LsaClose
7688B79C OpenThreadToken
7688B83C ConvertSidToStringSidW
76882B9B ConvertStringSecurityDescriptorToSecurityDescriptorW
7687E4F4 CheckTokenMembership
KERNEL32.dll - f4f8f817:
---------
766ABC8B LoadLibraryExA
766801A4 DelayLoadFailureHook
766B0B5D CreateFileW
766A5D47 GetFileSize
766ADAA9 ReadFile
766AB69A RaiseException
766A6578 FlushInstructionCache
766AF17D SetLastError
766B0D8F OpenThread
766AFE44 GetSystemTimeAsFileTime
766B354A GetLocaleInfoW
766AE1A1 GetTimeFormatW
766AE49F GetDateFormatW
766ADB98 GetLocalTime
766AF23C InterlockedCompareExchange
65241285 FindFirstFileW
Hooking...
Hooked FindFirstFileW successfully :)
766ADB75 lstrcmpiW
65241082 FindNextFileW
Hooking...
Hooked FindNextFileW successfully :)
766B351A FindClose
766B13CE GetFileAttributesW
766B1844 GetSystemTime
766B2997 SystemTimeToFileTime
766AB606 ExpandEnvironmentStringsW
766AF188 InterlockedIncrement
766AF15B InterlockedDecrement
766AF176 GetLastError
766978A6 SetInformationJobObject
76697832 CreateJobObjectW
766923E7 GetPriorityClass
766A254D SetPriorityClass
766A73E4 OpenProcess
766AA7A8 SearchPathW
7669A2A8 GetSystemDefaultUILanguage
766B125E UnmapViewOfFile
766AC0D4 MapViewOfFile
7669E588 GetTimeZoneInformation
76693438 GetDynamicTimeZoneInformation
766C78F4 GetBinaryTypeW
766A5AAD QueryPerformanceFrequency
7669E0CB GetTickCount64
766AECC0 MulDiv
766B41D9 GetLongPathNameW
766AC68F GetThreadPriority
766B0E69 MultiByteToWideChar
766A2372 GlobalGetAtomNameW
766AFE5F GetCurrentThread
766A7407 SetThreadPriority
766A7394 QueueUserWorkItem
766AB6BF LoadLibraryExW
7669E269 GetProductInfo
766B2DE5 TerminateThread
7669E011 CreateIoCompletionPort
76696C94 GetQueuedCompletionStatus
766A656B DeleteFileW
766A9268 GetWindowsDirectoryW
7669BAF2 GetProcessId
766ACD40 CompareStringW
766A8BF0 QueryFullProcessImageNameW
766AF4B6 CompareFileTime
766A3A51 CreateFileMappingW
766AF224 ResetEvent
766B0F86 WideCharToMultiByte
766AD35C GlobalAlloc
766AD275 GlobalLock
766AD1BD GlobalUnlock
766AD374 GlobalFree
766B0636 DuplicateHandle
766B356F GetCurrentDirectoryW
766AF286 WaitForMultipleObjects
766A3D8A GetComputerNameW
766A911E DeactivateActCtx
766A90ED ActivateActCtx
766A91BD ReleaseActCtx
766A75A3 CreateActCtxW
766AA7EF FindResourceExW
766AD3B0 LoadResource
766A345C LockResource
766B05B7 CloseHandle
766B057C LocalFree
766B0594 LocalAlloc
766F6D0D QueryInformationJobObject
766AEF66 Sleep
766A3F14 ResumeThread
76697AD3 AssignProcessToJobObject
766B27FD CreateThread
7666202D CreateProcessW
766AEFA0 WaitForSingleObject
766B19E9 FreeLibrary
766B1837 GetProcAddress
766B28B2 LoadLibraryW
766A3CED GetUserDefaultUILanguage
766B0613 CreateEventW
766AFE37 lstrlenW
766AF198 HeapFree
7740209D HeapAlloc
766AF24C GetProcessHeap
766B060C GetCurrentProcess
766BC41A HeapSetInformation
766ACA61 GetVersionExW
77407B5B DeleteCriticalSection
7740F8BE InitializeCriticalSection
766A3E65 HeapDestroy
7669B5E0 GetPrivateProfileStringW
766B29F4 GetModuleFileNameW
766BECAB GetCommandLineW
766B1C98 GetSystemDirectoryW
766B2ACF ExitProcess
76695995 RegisterApplicationRestart
766AA89E SetProcessShutdownParameters
766B7CB5 GetStartupInfoW
766AEF88 ReleaseMutex
766A5F40 CreateMutexW
766B1297 SetErrorMode
766985A7 SetProcessDEPPolicy
766C86DA GetUserDefaultLangID
766AF26E SetEvent
773F6B40 LeaveCriticalSection
773F6B7E EnterCriticalSection
766AEF76 GetTickCount
766AB613 OpenEventW
766EFB87 SetTermsrvAppInstallMode
766B0D23 GetCurrentProcessId
766B19A1 GetModuleHandleW
766AF212 GetCurrentThreadId
766A509B TerminateProcess
766C2B35 UnhandledExceptionFilter
766A91A5 CompareStringOrdinal
766AF2A7 QueryPerformanceCounter
766B28D7 GetModuleHandleA
766B3142 SetUnhandledExceptionFilter
766AF25E InterlockedExchange
766B05F4 VirtualAlloc
766B0D35 VirtualFree
766B2864 LoadLibraryA
GDI32.dll - f4f8f817:
---------
75225DDB GetStockObject
75228336 SetWindowOrgEx
7522F418 StretchBlt
7522798F GetTextMetricsW
752282A5 LPtoDP
75230415 Polyline
7522C968 CreatePen
752290C6 GetTextColor
7522C575 ExtCreateRegion
75228D5B GetRegionData
7522A23F SetLayout
75227050 GetLayout
7522B535 GetTextExtentPoint32W
75228E01 CombineRgn
75225FC5 GetRgnBox
7522F234 OffsetViewportOrgEx
75225F33 GdiFlush
75228C20 OffsetRgn
75228053 ExtTextOutW
75229D1D SetDIBits
75226F63 CreateRectRgn
75227C93 GetClipRgn
75227CCA IntersectClipRect
752283CF GetViewportOrgEx
7522814F SetViewportOrgEx
75226D84 SelectClipRgn
75229115 GetBkColor
752266CD SetBkMode
75226803 CreateBitmap
75226055 PatBlt
75227322 CreateCompatibleBitmap
7522726D OffsetWindowOrgEx
75226758 SetBkColor
75226622 SetTextColor
7522AF7E GetTextExtentPointW
752281F2 GetClipBox
752285F0 CreateDIBSection
752274BF GetObjectW
75228DE0 CreateRectRgnIndirect
752268B4 DeleteObject
75226522 CreateCompatibleDC
752261D0 SelectObject
75227180 BitBlt
75226E03 GetDeviceCaps
7522A3FD CreateFontIndirectW
75226A2C DeleteDC
75228213 GdiAlphaBlend
USER32.dll - f4f8f817:
---------
758F4493 PtInRect
758F7450 GetWindowRect
758F3C3E GetWindow
758F764C SendMessageW
758F5261 EnumChildWindows
758F83A9 GetWindowLongW
758EDEED CharPrevW
758EF9CA CharNextW
758F0E51 CreateWindowExW
7591564A DialogBoxParamW
758F2E8A GetClassInfoW
758F2D26 GetClassInfoExW
758ED02A GetMenuItemInfoW
758ECF62 GetMenuItemCount
758F319D GetClassNameW
758F61DD GetKeyboardLayout
758E817D ActivateKeyboardLayout
758ECD2F IsChild
758E88E3 InsertMenuW
7591680C GetMenuStringW
758F2767 SetMenuItemInfoW
758ECA50 InsertMenuItemW
7591584A IsWinEventHookInstalled
758F3919 IsProcessDPIAware
75931621 GetNextDlgGroupItem
75916514 GetNextDlgTabItem
758ED9BD GetDlgCtrlID
758EA8C4 MoveWindow
758F7511 IsRectEmpty
758F5813 UnionRect
759112AC ChildWindowFromPointEx
758F394E GetGUIThreadInfo
758E65C9 SetClassLongW
758F5A28 GetClassLongW
758F42E4 WindowFromDC
75900C72 CharUpperW
758EE5D5 UnregisterClassW
75912603 FrameRect
758F68EA GetWindowDC
758F4DFC SendMessageCallbackW
758EC01F UpdateLayeredWindow
758F096C GetUserObjectInformationW
758FFB00 GetThreadDesktop
758F095A GetProcessWindowStation
758F4FA4 GetIconInfo
75944F4F ShowWindowAsync
759145A1 FlashWindowEx
7592FD8E EndTask
758EDB52 SetThreadDesktop
7591698E GetMenuState
758F6632 SetScrollInfo
758F5151 GetScrollInfo
75911BD0 SetScrollPos
75911B1D BringWindowToTop
75905AE5 DeregisterShellHookWindow
758F6BCA IsZoomed
758EDA87 CloseDesktop
758E5B5A OpenInputDesktop
758E4C1A RegisterShellHookWindow
758F68FE InternalGetWindowText
758F6A82 GetWindowInfo
75944F9F GetLayeredWindowAttributes
758EC382 SetLayeredWindowAttributes
758EFE12 GetCaretBlinkTime
758ECC7B UnhookWindowsHookEx
758ECC8F CallNextHookEx
758F210A SetWindowsHookExW
758EC265 GetUpdateRect
758F8409 GetSystemMetrics
758EEEE1 SystemParametersInfoW
758ECF04 FindWindowW
758F7055 ReleaseDC
758F7041 GetDC
758F8E8D DispatchMessageW
758F910F TranslateMessage
758F8F97 GetMessageW
758E8A8A DestroyMenu
758E8959 GetMenuDefaultItem
758E88D6 CreatePopupMenu
758F6225 PostMessageW
758EEC79 MsgWaitForMultipleObjectsEx
758F91B5 PeekMessageW
758F6614 SetWindowLongW
759307ED ShutdownBlockReasonCreate
758F5533 LoadStringW
758ED5EF DestroyWindow
758ED6D7 PostQuitMessage
758F3581 SetWindowPos
758F93BF KillTimer
758F77D5 SetTimer
758F7A64 SetPropW
758F147A ShowWindow
758F7915 MapWindowPoints
758F281B RegisterClassW
758EF283 LoadCursorW
758F53F9 SetActiveWindow
758EB5FA UpdateLayeredWindowIndirect
758F6D54 GetLastInputInfo
75914CFE SendDlgItemMessageW
7591555C EndDialog
758EE7A9 GetDesktopWindow
758F3508 GetShellWindow
758EC6AA DestroyIcon
758F55CD GetMonitorInfoW
758F69DC CopyRect
75915D86 ModifyMenuW
758E612E CheckMenuItem
758EC251 GhostWindowFromHungWindow
758E89EF EnableMenuItem
758E861C DeleteMenu
758EC49E ReleaseCapture
758EC198 GetCursorPos
758F724B DefWindowProcW
758F4C0C TrackMouseEvent
758ECF30 GetDoubleClickTime
758F7BC9 InvalidateRect
75900FAD LockWorkStation
7593BC38 TileWindows
758F2BD9 UpdateWindow
7593B994 CascadeWindows
758ED9F6 GetWindowTextW
75914B3B TrackPopupMenu
758F23CB ClientToScreen
75916D0C WindowFromPoint
758F272A AppendMenuW
758F7B73 EndPaint
758F452A DrawEdge
758F8308 FillRect
75916BE4 LockSetForegroundWindow
758F7080 InflateRect
758F6939 IsWindowVisible
758F565D GetForegroundWindow
758F7AB3 GetParent
758F93E7 WaitMessage
758EEDFD RegisterWindowMessageW
75915F72 TrackPopupMenuEx
758F74B1 GetClientRect
758EED89 MonitorFromRect
758F689A EqualRect
758E7FE7 SubtractRect
758F52A2 RedrawWindow
758F57FF EnumDisplayMonitors
758F8267 SetWindowTextW
758FF006 IntersectRect
75916BD0 GetWindowPlacement
758EEB65 SendNotifyMessageW
758F7A0E RemovePropW
758EC9CE SetWindowCompositionAttribute
759080F8 HungWindowFromGhostWindow
758ECBA9 SetFocus
758F313E SendMessageTimeoutW
758F5789 EnumWindows
758EC90D UnregisterHotKey
758EC8F9 RegisterHotKey
758F590A MonitorFromWindow
758F7756 IsWindow
758F52EA SetCursor
758EC09A GetAsyncKeyState
758ED3AE SetForegroundWindow
7592B6D2 ChildWindowFromPoint
7592C1D8 SetCursorPos
75916785 GetMessagePos
758F66E3 IsIconic
758F1431 LoadIconW
758EC338 DeferWindowPos
758FEFDD OffsetRect
758F2FE3 GetWindowThreadProcessId
758EC1F2 ScreenToClient
758F3D0F GetAncestor
758EB0D1 MonitorFromPoint
758F6A10 SetRectEmpty
758F524D ChangeWindowMessageFilterEx
758EAC45 LoadAcceleratorsW
758F9442 TranslateAcceleratorW
758F4FDA GetKeyState
758EB29A SetWindowRgn
758F406C GetWindowRgnBox
758F2323 LoadImageW
758F5A1B GetFocus
75915452 GetActiveWindow
759144F7 MessageBeep
758F7B87 BeginPaint
75916C16 SwitchToThisWindow
75916A4C GetLastActivePopup
758EC2EA EndDeferWindowPos
758EC316 BeginDeferWindowPos
758E8169 SetWindowPlacement
759170D3 IsHungAppWindow
758EEDFD RegisterClipboardFormatW
758F6A30 SetRect
758F2949 GetSysColorBrush
758F7829 GetPropW
758E7B61 AllowSetForegroundWindow
758F148E LoadMenuW
758EB71C GetSubMenu
758E8931 RemoveMenu
758E8945 SetMenuDefaultItem
758EBBB3 GetCapture
758F4C5D DrawIconEx
758ED9E2 GetMessageExtraInfo
758E469F SetGestureConfig
75908FFB AdjustWindowRect
75901034 CalculatePopupWindowPosition
758F8220 DrawTextW
75916B2A SetCapture
758F43DA CallWindowProcW
75910A67 CheckDlgButton
75909041 IsDlgButtonChecked
758EC921 IsWindowEnabled
75910B31 GetDlgItemInt
75914DB1 SetDlgItemInt
758E8510 GetDlgItem
758EA72E EnableWindow
758F507E SetWinEventHook
758F59DF MsgWaitForMultipleObjects
758F212B RegisterClassExW
75915A25 CopyIcon
758F64F8 AdjustWindowRectEx
758FFA99 GetSysColor
75914700 DrawFocusRect
758FF299 NotifyWinEvent
759306EF ExitWindowsEx
758F1702 GetSystemMenu
msvcrt.dll - f4f8f817:
---------
7583E1E1 _controlfp
758861CF ?terminate@@YAXXZ
7584112D _onexit
7583A449 _lock
7583F509 __dllonexit
7583A42D _unlock
75853E27 _except_handler4_common
75842804 __set_app_type
75839910 memcpy
75839E5A memmove
758559E4 _CIsin
75839BA1 _ftol2
7583EF16 _CIcos
7583C823 _wtoi
7583B05E wcsncmp
7583AAE3 _wcsnicmp
7583A9E9 _wcsicmp
7583B34A bsearch
758427CE __p__fmode
758427C3 __p__commode
758C77AD __setusermatherr
7589B2EF _amsg_exit
7583C151 _initterm
758D04DC _wcmdln
758436AA exit
7585DC75 _XcptFilter
7589B2C0 _exit
758437D4 _cexit
75844E7C __wgetmainargs
75839E3A _ftol2_sse
75839CEE malloc
7583EEC0 _CIsqrt
75840D74 ceil
7583B10D realloc
7583AA61 wcschr
7583C136 iswalpha
7583BF71 wcsstr
75839894 free
7583BBCE _vsnwprintf
75839790 memset
ntdll.dll - f4f8f817:
---------
773B86F5 WinSqmSetString
773F5490 NtQueryInformationProcess
773F5AC0 NtSetInformationProcess
774121D3 WinSqmIsOptedIn
773B9622 WinSqmAddToStreamEx
773F5260 NtOpenThreadToken
773F51E0 NtOpenProcessToken
773F5BD0 NtSetSystemInformation
773CADD5 WinSqmAddToStream
773D14BC WinSqmEventEnabled
773CF5AB EtwEventWrite
773DDD62 EtwEventEnabled
773CFF3C RtlGetProductInfo
773F4910 NtClose
773F54C0 NtQueryInformationToken
773CAEF4 WinSqmSetDWORD
SHLWAPI.dll - f4f8f817:
---------
7662E2EA SHStrDupA
76615AA1 StrCmpW
7660E230
答案 0 :(得分:0)
您可以调用LoadLibrary或GetModuleHandle(如果已经安装了Shell32.dll)。此函数将为您提供在进程中加载库的虚拟地址,以便您可以分析内存中的PE文件,以便在找到Shell32.dll的导出导入表之后。