📄 hookapi_iat.cpp

📁 《Windows应用程序捆绑核心编程》配套源码
💻 CPP
字号:
// HookApi_IAT.cpp:实现CHookApi_IAT类.
//
#include "stdafx.h"
#include "HookApi_IAT.h"
#include <tlhelp32.h>
#include <imagehlp.h>
#pragma comment (lib,"imagehlp.lib")

//---------------------------------------------------------------------------
CHookApi_IAT::CHookApi_IAT()
{
}

//---------------------------------------------------------------------------
CHookApi_IAT::~CHookApi_IAT()
{
}

//---------------------------------------------------------------------------
BOOL CHookApi_IAT::HookAllAPI(LPCTSTR ModuleName, PROC HookAPIAddr, PROC lpNewFunc)
{
	if (ModuleName == NULL||HookAPIAddr == NULL)
		return FALSE;

	HANDLE hSnapshot;
	MODULEENTRY32 hMod = {sizeof(hMod)}; 
	hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,NULL);
	
	// 取得所有模块列表中的指定的模块. 
	BOOL bMoreMods = Module32First(hSnapshot, &hMod); 
	if (bMoreMods == FALSE) return FALSE;
	
	// 循环取得想要的模块. 
	for (;bMoreMods; bMoreMods = Module32Next(hSnapshot, &hMod)) 
	{ 
		MEMORY_BASIC_INFORMATION mbi;
		// 获取本模块信息.
		VirtualQuery(this,&mbi,sizeof(mbi));
		// 不在自己的模块中挂钩函数.
		if (hMod.hModule != (HMODULE)mbi.AllocationBase)
		{
			//hMod.hModule:指向当前被挂钩进程的每一个模块. 
			HookOneAPI(	ModuleName,HookAPIAddr,
				lpNewFunc,hMod.hModule);
		}
	}
	
	return TRUE;  
}

//---------------------------------------------------------------------------
BOOL CHookApi_IAT::HookOneAPI(PCSTR   ModuleName, PROC HookAPIAddr, 
							  PROC    lpNewFunc, HMODULE hmodCaller) 
{
	DWORD size;
	
	PIMAGE_IMPORT_DESCRIPTOR pImportDesc = 
		(PIMAGE_IMPORT_DESCRIPTOR) ImageDirectoryEntryToData(
		hmodCaller,TRUE,IMAGE_DIRECTORY_ENTRY_IMPORT,&size);
	
    if(pImportDesc == NULL) return FALSE;
	
    for (;pImportDesc->Name;pImportDesc++)
    {
        LPSTR pszDllName = (LPSTR)((PBYTE)hmodCaller + pImportDesc->Name);
        if(lstrcmpiA(pszDllName,ModuleName) == 0) break;
    }
	
    if(pImportDesc->Name == NULL) return FALSE;
    PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)
		((PBYTE)hmodCaller + pImportDesc->FirstThunk);//IAT

    for(;pThunk->u1.Function;pThunk++)
    {
        PROC * ppfn= (PROC *)&pThunk->u1.Function;
		
		m_lpOldFunc = (PROC)pThunk->u1.Function;
		m_lpNewFunc =lpNewFunc;

        if (*ppfn == HookAPIAddr)
        {
	        MEMORY_BASIC_INFORMATION mbi;
			ZeroMemory(&mbi, sizeof(MEMORY_BASIC_INFORMATION));
			VirtualQuery(ppfn,&mbi,sizeof(MEMORY_BASIC_INFORMATION));
			VirtualProtect(mbi.BaseAddress,mbi.RegionSize,
				                       PAGE_READWRITE,&mbi.Protect);
			*ppfn = *lpNewFunc;
			DWORD dwOldProtect;
			VirtualProtect(mbi.BaseAddress,mbi.RegionSize,
				                mbi.Protect,&dwOldProtect);
            return TRUE;
        }
    }
	
	return FALSE;
}

//---------------------------------------------------------------------------
BOOL CHookApi_IAT::HookOneAPI_OFF(PCSTR ModuleName, HMODULE hmodCaller) 
{
    return  HookOneAPI(ModuleName, m_lpNewFunc,m_lpOldFunc,hmodCaller); 
}
⌨️ 快捷键说明

复制代码 Ctrl + C
搜索代码 Ctrl + F
全屏模式 F11
切换主题 Ctrl + Shift + D
显示快捷键 ?
增大字号 Ctrl + =
减小字号 Ctrl + -