// IatApiHook.cpp : defines the entry point for the console application.
//
#include "stdafx.h"

#include <cstdio>

#include <windows.h>
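/// @brief Checks whether the import address table (IAT) of a loaded module
///        currently contains the given function address.
/// @param hModule          Module to inspect; an HMODULE is the image base of
///                         the module inside the current process.
/// @param FunctionAddress  Absolute address to search for in the IAT slots.
///                         Widened from ULONG to ULONG_PTR so that 64-bit
///                         addresses are not truncated; callers that still
///                         pass a ULONG keep compiling.
/// @return TRUE if some IAT slot of some imported DLL equals FunctionAddress;
///         FALSE otherwise, including a NULL module, a header whose
///         signatures do not match, or a module without an import directory.
BOOL TestFunctionInIAT(HMODULE hModule, ULONG_PTR FunctionAddress)
{
    if (hModule == NULL)
    {
        return FALSE;
    }

    unsigned char* pBaseAddr = reinterpret_cast<unsigned char*>(hModule);

    // The DOS header sits at the image base; e_lfanew is the offset of the NT headers.
    PIMAGE_DOS_HEADER pDosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(pBaseAddr);
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    {
        return FALSE;
    }

    // NOTE: e_lfanew is not range-checked here; this helper is only meant for
    // modules the loader has already mapped, whose headers are assumed intact.
    PIMAGE_NT_HEADERS pNtHeader = reinterpret_cast<PIMAGE_NT_HEADERS>(
        pBaseAddr + pDosHeader->e_lfanew);
    if (pNtHeader->Signature != IMAGE_NT_SIGNATURE)
    {
        return FALSE;
    }

    // Import directory entry of the optional header. A module that imports
    // nothing has both fields zero; walking from the image base in that case
    // would read unrelated memory as descriptors.
    const IMAGE_DATA_DIRECTORY& importDir =
        pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (importDir.VirtualAddress == 0 || importDir.Size == 0)
    {
        return FALSE;
    }

    // One IMAGE_IMPORT_DESCRIPTOR per imported DLL, laid out back to back and
    // terminated by an all-zero entry (Name == 0). Name is the RVA of the DLL name.
    PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor = reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(
        pBaseAddr + importDir.VirtualAddress);

    for (; pImportDescriptor->Name != 0; ++pImportDescriptor)
    {
        // FirstThunk is the RVA of this DLL's IAT; after the loader has run,
        // each u1.Function slot holds the resolved address of one import.
        PIMAGE_THUNK_DATA pThunkData = reinterpret_cast<PIMAGE_THUNK_DATA>(
            pBaseAddr + pImportDescriptor->FirstThunk);

        for (; pThunkData->u1.Function != 0; ++pThunkData)
        {
            // Compare the whole slot. The earlier (ULONG*) cast read only the
            // low 32 bits of a 64-bit slot and could match the wrong entry on x64.
            if (static_cast<ULONG_PTR>(pThunkData->u1.Function) == FunctionAddress)
            {
                return TRUE;
            }
        }
    }

    return FALSE;
}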
// Original CreateProcessW entry saved by Install_Api_Hook; MyCreateProcessW
// forwards every call to it. Remains NULL until a hook has been installed.
PROC g_CreateFunc = NULL;
// Pointer type with the exact signature of kernel32!CreateProcessW, used to
// call the saved original entry through a correctly typed pointer. The WINAPI
// calling convention must match the real export, otherwise the call returns
// with a corrupted stack.
typedef BOOL (WINAPI* PCREATEPROCESSW)(
    _In_opt_    LPCWSTR                 lpApplicationName,
    _Inout_opt_ LPWSTR                  lpCommandLine,
    _In_opt_    LPSECURITY_ATTRIBUTES   lpProcessAttributes,
    _In_opt_    LPSECURITY_ATTRIBUTES   lpThreadAttributes,
    _In_        BOOL                    bInheritHandles,
    _In_        DWORD                   dwCreationFlags,
    _In_opt_    LPVOID                  lpEnvironment,
    _In_opt_    LPCWSTR                 lpCurrentDirectory,
    _In_        LPSTARTUPINFOW          lpStartupInfo,
    _Out_       LPPROCESS_INFORMATION   lpProcessInformation);
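/// @brief Replacement installed into the IAT slot of CreateProcessW.
///
/// Shows the command line (or, when that is NULL, the application name) in a
/// message box and then forwards all arguments unchanged to the original
/// entry saved in g_CreateFunc. Parameters, return value and GetLastError()
/// behaviour are those of CreateProcessW; the forwarded call is the last
/// statement so its last-error value reaches the caller untouched.
/// @return The result of the original CreateProcessW, or FALSE with
///         ERROR_INVALID_FUNCTION when no original entry has been saved.
BOOL WINAPI MyCreateProcessW(
    _In_opt_    LPCWSTR                 lpApplicationName,
    _Inout_opt_ LPWSTR                  lpCommandLine,
    _In_opt_    LPSECURITY_ATTRIBUTES   lpProcessAttributes,
    _In_opt_    LPSECURITY_ATTRIBUTES   lpThreadAttributes,
    _In_        BOOL                    bInheritHandles,
    _In_        DWORD                   dwCreationFlags,
    _In_opt_    LPVOID                  lpEnvironment,
    _In_opt_    LPCWSTR                 lpCurrentDirectory,
    _In_        LPSTARTUPINFOW          lpStartupInfo,
    _Out_       LPPROCESS_INFORMATION   lpProcessInformation)
{
    // lpCommandLine is optional for CreateProcessW; fall back to the
    // application name so the box is not empty in that case.
    LPCWSTR pszShown = (lpCommandLine != NULL) ? lpCommandLine : lpApplicationName;
    MessageBoxW(NULL, pszShown, L"CreateProcessW", MB_OK);

    // Without a saved original there is nothing to forward to; fail the call
    // explicitly instead of jumping through a NULL pointer.
    PCREATEPROCESSW pfnOriginal = reinterpret_cast<PCREATEPROCESSW>(g_CreateFunc);
    if (pfnOriginal == NULL)
    {
        SetLastError(ERROR_INVALID_FUNCTION);
        return FALSE;
    }

    return pfnOriginal(
        lpApplicationName,
        lpCommandLine,
        lpProcessAttributes,
        lpThreadAttributes,
        bInheritHandles,
        dwCreationFlags,
        lpEnvironment,
        lpCurrentDirectory,
        lpStartupInfo,
        lpProcessInformation);
}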
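/// @brief Replaces one entry in the import address table of a module.
///
/// Finds the import descriptor whose DLL name equals szDllName (case-
/// insensitive), then scans that DLL's IAT for a slot holding
/// pfnHookFunAddr and overwrites it with pfnNewFunAddr. Passing the current
/// slot value as pfnHookFunAddr and the saved original as pfnNewFunAddr
/// restores the entry, so the same function also removes a hook.
///
/// Note for integrity checks: after the write the slot no longer points into
/// the image of the DLL named by its descriptor, which is the property an
/// IAT-consistency check compares.
///
/// @param hHookModule     Module whose IAT is patched (image base).
/// @param szDllName       Name of the imported DLL, e.g. "kernel32.dll".
/// @param pfnHookFunAddr  Value currently expected in the slot.
/// @param pfnNewFunAddr   Value written into the slot.
/// @return The previous slot value, or NULL when an argument is NULL, the
///         headers are not a valid PE image, the module has no import
///         directory, the DLL or the slot is not found, or the page could
///         not be made writable.
PROC Install_Api_Hook(
    HMODULE     hHookModule,
    const char* szDllName,
    PROC        pfnHookFunAddr,
    PROC        pfnNewFunAddr)
{
    if (hHookModule == NULL || szDllName == NULL ||
        pfnHookFunAddr == NULL || pfnNewFunAddr == NULL)
    {
        return NULL;
    }

    unsigned char* pBaseAddr = reinterpret_cast<unsigned char*>(hHookModule);

    PIMAGE_DOS_HEADER pDosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(pBaseAddr);
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    {
        return NULL;
    }

    // NOTE: e_lfanew is not range-checked; only loader-mapped modules are expected here.
    PIMAGE_NT_HEADERS pNtHeader = reinterpret_cast<PIMAGE_NT_HEADERS>(
        pBaseAddr + pDosHeader->e_lfanew);
    if (pNtHeader->Signature != IMAGE_NT_SIGNATURE)
    {
        return NULL;
    }

    // A module without imports has an empty directory entry; scanning from
    // the image base in that case would misread unrelated bytes as descriptors.
    const IMAGE_DATA_DIRECTORY& importDir =
        pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (importDir.VirtualAddress == 0 || importDir.Size == 0)
    {
        return NULL;
    }

    // Descriptor array is terminated by an entry with Name == 0.
    PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor = reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(
        pBaseAddr + importDir.VirtualAddress);
    for (; pImportDescriptor->Name != 0; ++pImportDescriptor)
    {
        const char* pszModName = reinterpret_cast<const char*>(
            pBaseAddr + pImportDescriptor->Name);
        if (lstrcmpiA(pszModName, szDllName) == 0)
        {
            break;
        }
    }
    if (pImportDescriptor->Name == 0)
    {
        return NULL;
    }

    // FirstThunk is the RVA of this DLL's IAT; each slot holds the resolved address.
    PIMAGE_THUNK_DATA pThunkData = reinterpret_cast<PIMAGE_THUNK_DATA>(
        pBaseAddr + pImportDescriptor->FirstThunk);
    for (; pThunkData->u1.Function != 0; ++pThunkData)
    {
        PROC* ppFunc = reinterpret_cast<PROC*>(&pThunkData->u1.Function);
        if (*ppFunc != pfnHookFunAddr)
        {
            continue;
        }

        // The IAT normally lives in a read-only data page; the previous code
        // ignored a failed VirtualProtect and would then fault on the write.
        DWORD dwOldProtect = 0;
        if (!VirtualProtect(ppFunc, sizeof(PROC), PAGE_READWRITE, &dwOldProtect))
        {
            return NULL;
        }

        PROC pOrigFunc = *ppFunc;
        // Same-process write; no WriteProcessMemory needed.
        CopyMemory(ppFunc, &pfnNewFunAddr, sizeof(PROC));

        // lpflOldProtect must point at a valid DWORD; passing 0 makes the
        // call fail and leaves the page writable, which the old code did.
        DWORD dwIgnored = 0;
        VirtualProtect(ppFunc, sizeof(PROC), dwOldProtect, &dwIgnored);

        return pOrigFunc;
    }

    return NULL;
}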
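/// @brief Demo entry point: hooks this executable's own CreateProcessW import,
///        launches notepad.exe through the hooked slot, then restores the slot.
/// @return 0 on success; 1 when the module handle could not be obtained or the
///         hook could not be installed.
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;

    // Module that contains TestFunctionInIAT, i.e. this executable. Without
    // GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT the reference count is
    // raised, which is harmless for the main image.
    HMODULE hModule = NULL;
    if (!GetModuleHandleEx(
            GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS,
            reinterpret_cast<LPCTSTR>(&TestFunctionInIAT),
            &hModule))
    {
        printf("GetModuleHandleEx failed: %lu\n", GetLastError());
        return 1;
    }

    // kernel32 exports are declared dllimport, so taking the address of
    // CreateProcessW reads the current IAT slot value (presumably; verify
    // with the build's import settings) and can be compared with the slots.
    BOOL bReturn = TestFunctionInIAT(hModule, reinterpret_cast<ULONG_PTR>(CreateProcessW));
    if (bReturn)
    {
        printf("found address CreateProcessW!\n");
    }
    else
    {
        printf("found failed!\n");
    }

    g_CreateFunc = Install_Api_Hook(
        hModule,
        "kernel32.dll",
        reinterpret_cast<PROC>(CreateProcessW),
        reinterpret_cast<PROC>(MyCreateProcessW));
    if (g_CreateFunc == NULL)
    {
        printf("Install_Api_Hook failed: CreateProcessW slot not found in the kernel32.dll import table\n");
        return 1;
    }

    // CreateProcessW may modify the command-line buffer, so it must be a
    // writable array rather than a string literal.
    wchar_t szProcessName[] = L"notepad.exe";
    STARTUPINFOW si = { sizeof(si) };
    PROCESS_INFORMATION pi = {};

    // This call goes through the patched IAT slot and therefore reaches MyCreateProcessW.
    if (CreateProcessW(NULL,
                       szProcessName,
                       NULL,
                       NULL,
                       FALSE,
                       0,
                       NULL,
                       NULL,
                       &si,
                       &pi))
    {
        // The old code leaked both handles returned by CreateProcessW.
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
    else
    {
        printf("CreateProcessW failed: %lu\n", GetLastError());
    }

    // Put the original entry back so the process exits with an unmodified
    // IAT; the slot currently holds MyCreateProcessW.
    Install_Api_Hook(
        hModule,
        "kernel32.dll",
        reinterpret_cast<PROC>(MyCreateProcessW),
        g_CreateFunc);
    g_CreateFunc = NULL;

    return 0;
}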