Modify IAT rules for hookapi

Hook is a technology that has existed for a long time in windows.
Hook is generally divided into two types. Hook Message 2. Hook api this question is about hook api modification IAT. (If you are a hook expert, don't read it)
At first, HOOK-API was typically learned by overwriting the address and modifying the IAT method.
Through these two technologies, we can basically hook the API functions of this process. However, I'm a little sorry when I'm happy,
How can I hook APIs of other processes? How can I hook an API function globally?
The following is a simple implementation of "hook other process API functions. (Hook the messageboxa function of another process)

In fact, two technologies are used
1. Remote thread Injection
2. Modify IAT, HOOK-API

Okay, post it.CodeAs follows:
Three files in total
Install. C injectionProgram
Fundll. cpp DLL Program
Test. cpp Test Program

Code:

// ------------------------- Install. c --------------------------
//
// Install. c

# Include "windows. H"
# Include "tlhelp32.h"

# Pragma comment (Lib, "th32.lib ")

Const char * pkill = "fundll. dll"; // path of the DLL file

// This path is very interesting. It is relative to the target process, not its own process.
// Therefore, you must write an absolute path and a relative path relative to the target process.
// If writing a path relative to itself is troublesome, the DLL file cannot be found in this program.

Char * prosess = "test.exe"; // process name to be injected (target process name)

Int main ()
{

// variable declaration
handle hsnap;
handle hkernel32; // handle of the injected Process
processentry32 PE;
bool bnext;
handle htoken;
token_privileges TP;
luid;
lpvoid P;
farproc PFN;
// raise the process permission
If (! Openprocesstoken (getcurrentprocess (), token_adjust_privileges | token_query, & htoken)
{< br> return 1;
}

If (! Lookupprivilegevalue (null, se_debug_name, & luid ))
{
Return 1;
}

TP. privilegecount = 1;
TP. Privileges [0]. Attributes = se_privilege_enabled;
TP. Privileges [0]. luid = luid;

If (! Adjusttokenprivileges (htoken, 0, & TP, sizeof (token_privileges), null, null ))
{
Return 1;
}

// Enumeration process
PE. dwsize = sizeof (PE );
Hsnap = createconlhelp32snapshot (th32cs_snapprocess, 0 );
Bnext = process32first (hsnap, & PE );
While (bnext)
{
If (! Stricmp (PE. szexefile, prosess) // --->
{
Hkernel32 = OpenProcess (process_create_thread | process_vm_write | process_vm_operation, 1, PE. th32processid );
Break;
}
Bnext = process32next (hsnap, & PE );
}

Closehandle (hsnap );

// Injection, key!

// 1. The parameter space of the thread Function allocated to the target process
P = virtualallocex (hkernel32, null, strlen (pkill), mem_commit, page_readwrite );

// 2. Write the parameter to the space allocated by the target process.
Writeprocessmemory (hkernel32, P, pkill, strlen (pkill), null );

// 3. Obtain the address of the loadliabray function and call it as the thread function of the new thread.
PFN = getprocaddress (getmodulehandle ("kernel32.dll"), "loadlibrarya ");

// Create a new thread in the target space. The thread function address is PFn, and the function parameter address is P.
Createremotethread (hkernel32, null, 0, PFN, P, null, 0 );

Return 0;
}

// ---------------------- Fundll. cpp -----------------------------
//
// Fundll. cpp

# Include "windows. H"
# Include "process. H"
# Include "tlhelp32.h"
# Include "stdio. H"

# Pragma comment (Lib, "th32.lib ")

Pimage_dos_header pdosheader;
Pimage_nt_headers pntheaders;
Pimage_optional_header poptheader;
Pimage_import_descriptor pimportdescriptor;
Pimage_thunk_data pthunkdata;
Pimage_import_by_name pimportbyname;
Hmodule hmod;

// Define the messageboxa function prototype
Typedef int (winapi * pfnmessagebox) (hwnd, lpcstr, lpcstr, uint utype );
Int winapi messageboxproxy (in hwnd, in lpcstr lptext, In maid, in uint utype );

Int * ADDR = (int *) messageboxa; // The entry address for saving the Function
Int * myaddr = (int *) messageboxproxy;

Void threadproc (void * PARAM); // thread function

// ----------------------------------------------------------- Start of the Main Function

Bool winapi dllmain (hinstance hinstdll, DWORD fdwreason, lpvoid lpvreserved)
{
If (fdwreason = dll_process_attach)
_ Beginthread (threadproc, 0, null); // creates a thread and calls threadproc

Return true;
}

// Thread function, modify the IAT address

Void threadproc (void * PARAM)
{
// ------------ Hook api ----------------
Hmod = getmodulehandle (null );

Pdosheader = (pimage_dos_header) hmod;
Pntheaders = (pimage_nt_headers) (byte *) hmod + pdosheader-> e_lfanew );
Poptheader = (pimage_optional_header) & (pntheaders-> optionalheader );

Pimportdescriptor = (pimage_import_descriptor) (byte *) hmod + poptheader-> datadirectory [1]. virtualaddress );

While (pimportdescriptor-> firstthunk)
{
Char * dllname = (char *) (byte *) hmod + pimportdescriptor-> name );

Pthunkdata = (pimage_thunk_data) (byte *) hmod + pimportdescriptor-> originalfirstthunk );

Int NO = 1;
While (pthunkdata-> u1.function)
{
Char * funname = (char *) (byte *) hmod + (DWORD) pthunkdata-> u1.addressofdata + 2 );
Pdword lpaddr = (DWORD *) (byte *) hmod + (DWORD) pimportdescriptor-> firstthunk) + (no-1 );

// Modify the memory part
If (* lpaddr) = (INT) ADDR)
{
// Modify the attributes of the Memory Page
DWORD dwold;
Memory_basic_information MBI;
Virtualquery (lpaddr, & MBI, sizeof (MBI ));
Virtualprotect (lpaddr, sizeof (DWORD), page_readwrite, & dwold );

Writeprocessmemory (getcurrentprocess (),
Lpaddr, & myaddr, sizeof (DWORD), null); // here, the IAT address is changed to the address of our own function.
// Restore the attributes of the Memory Page
Virtualprotect (lpaddr, sizeof (DWORD), dwold, 0 );
}
//---------
No ++;
Pthunkdata ++;
}

Pimportdescriptor ++;
}
// ------------------- Hook end -----------------
}

// New MessageBox Function
Int winapi messageboxproxy (in hwnd, in lpcstr lptext, In maid, in uint utype)
{
Return (pfnmessagebox) ADDR) (null, "gxter_test", "gxter_title", 0 );
// Write the processing code for this API function.
}

// ---------------------------- Test. cpp ------------------------------------
// Test. cpp

# Include "stdio. H"
# Include "windows. H"

Int main ()
{
Printf ("test ---/N ");
While (1)
{
Getchar ();
Messageboxa (null, "original function", "09 hookdemo", 0 );
}
Return 0;
}

Test process: Run test first, do not close (set the target), and then run install (for injection ). But pay attention to the fundll and test file locations.

The above code is written to hook APIs of other processes.
However, there is another problem: "Global hook of API functions ". My idea is to inject all processes.
You just need to simply change the code above to implement it. It seems like the implementation process of the setwindowshookex function.
The above is my idea. If there is any error, correct it.

References:
Windows Programming
Windows core programming