This article describes how to hook the Import Address Table (IAT) in C++ to replace MessageBox, shared for everyone's reference. The specific steps are as follows:
Steps:
1. Define the original function type
The code is as follows:
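// Define the prototype of the original function. The hook targets the ANSI import
// "MessageBoxA", so the parameters are LPCSTR (narrow strings), not LPCTSTR, which
// would silently become wide strings in a UNICODE build.
typedef int (WINAPI *PFNMESSAGEBOX)(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);

// Save the address of the original MessageBoxA. Note: the MessageBox macro expands to
// MessageBoxW when UNICODE is defined, which would not be the import hooked below, so
// the A variant is named explicitly. Because MessageBoxA is declared __declspec(dllimport),
// this reads the value the loader stored in this module's IAT slot (assumption to confirm
// against the build settings).
PROC g_orgProc = (PROC)MessageBoxA;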
2. Find the DLL first, then set the flag
The code is as follows:
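// Import descriptor names are case-insensitive ("USER32.dll" and "user32.dll" both
// occur in practice), so compare ignoring case. pszDllName and bFindDll are declared
// by the enclosing loop that walks the import descriptors.
if (_stricmp(pszDllName, "user32.dll") == 0)   // is it user32.dll?
{
    bFindDll = TRUE;
    break;
}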
3. After the DLL is found, search for the function name
The code is as follows:
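// Compare the import's name with the function we want to hook. pszFuncName, hModule,
// pImportDesc and n are declared by the enclosing loop over the import name table.
if (_stricmp(pszFuncName, "MessageBoxA") == 0)
{
    // Locate the IAT slot for this import: FirstThunk is the RVA of the first IAT entry
    // and entry n is parallel to entry n of the name table. Indexing IMAGE_THUNK_DATA
    // (not DWORD) keeps the stride correct on both 32-bit and 64-bit builds.
    IMAGE_THUNK_DATA* lpAddr = (IMAGE_THUNK_DATA*)((BYTE*)hModule + pImportDesc->FirstThunk) + n;
    printf("address:%p\n", (void*)lpAddr);   // %p: a pointer must not be printed with %x
    PROC lpNewProc = (PROC)MyMessageBox;
    // The slot is pointer-sized, so write sizeof(lpNewProc) rather than a fixed DWORD.
    // The IAT is usually read-only once the loader has filled it; see the page-protection
    // snippet at the end of the article for the VirtualProtect sequence to use around this write.
    if (!::WriteProcessMemory(GetCurrentProcess(), lpAddr, &lpNewProc, sizeof(lpNewProc), NULL))
    {
        printf("WriteProcessMemory failed: %lu\n", GetLastError());
    }
    return;
}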
Of course, in step 3 the comparison can also be made on the function address instead of the name.
The code is as follows:
#include <windows.h>
#include <stdio.h>
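// Define the prototype of the original function. The hook targets the ANSI import
// "MessageBoxA", so the parameters are LPCSTR (narrow strings), not LPCTSTR, which
// would silently become wide strings in a UNICODE build.
typedef int (WINAPI *PFNMESSAGEBOX)(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);

// Save the address of the original MessageBoxA. Note: the MessageBox macro expands to
// MessageBoxW when UNICODE is defined, which would not be the import hooked below, so
// the A variant is named explicitly. Because MessageBoxA is declared __declspec(dllimport),
// this reads the value the loader stored in this module's IAT slot (assumption to confirm
// against the build settings).
PROC g_orgProc = (PROC)MessageBoxA;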
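// Replacement for MessageBoxA. Forwards to the saved original with the message text
// replaced, leaving the other arguments untouched.
//
// It must use the same calling convention as the function it replaces (WINAPI, i.e.
// __stdcall on x86): callers invoke it through the patched IAT slot exactly as they
// would invoke MessageBoxA, and a mismatched convention corrupts the caller's stack
// on 32-bit builds. The original listing omitted WINAPI.
int WINAPI MyMessageBox(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
    (void)lpText;   // intentionally ignored: the hook substitutes its own text
    return ((PFNMESSAGEBOX)g_orgProc)(hWnd, "Mymessagebox", lpCaption, uType);
}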
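// Patch this process's own Import Address Table so that the main module's imported
// MessageBoxA entry points at MyMessageBox (name-comparison version).
//
// Walks the import descriptors of the executable until the user32.dll descriptor is
// found, then walks that descriptor's import name table and patches the parallel IAT
// slot whose import is named "MessageBoxA". Only the current process is modified.
// Every module and function name walked past is printed, as in the original article.
// After the patch the slot no longer points into user32.dll, so an IAT-integrity check
// (comparing each slot against the export it should resolve to) will flag this entry.
void SetHook()
{
    HMODULE hModule = ::GetModuleHandleA(NULL);
    IMAGE_DOS_HEADER* pDosHeader = (IMAGE_DOS_HEADER*)hModule;
    // e_lfanew is the offset of the PE signature; the optional header follows the
    // signature and file header. Going through IMAGE_NT_HEADERS replaces the hard-coded
    // "+24" of the original, which only held for the 32-bit layout.
    IMAGE_NT_HEADERS* pNtHeaders = (IMAGE_NT_HEADERS*)((BYTE*)hModule + pDosHeader->e_lfanew);
    IMAGE_DATA_DIRECTORY importDir = pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (importDir.VirtualAddress == 0)
    {
        return;   // module has no import table: nothing to patch
    }
    IMAGE_IMPORT_DESCRIPTOR* pImportDesc = (IMAGE_IMPORT_DESCRIPTOR*)((BYTE*)hModule + importDir.VirtualAddress);

    // Step 2: find the descriptor for user32.dll. The array ends with an all-zero entry.
    BOOL bFindDll = FALSE;
    while (pImportDesc->FirstThunk)
    {
        char* pszDllName = (char*)((BYTE*)hModule + pImportDesc->Name);
        printf("Module name:%s\n", pszDllName);
        if (_stricmp(pszDllName, "user32.dll") == 0)   // is it user32.dll?
        {
            bFindDll = TRUE;
            break;
        }
        pImportDesc++;
    }
    if (!bFindDll)
    {
        return;
    }

    // Step 3: OriginalFirstThunk is the import name table (names/ordinals, never touched
    // by the loader); FirstThunk is the IAT (addresses, filled in by the loader). They are
    // parallel arrays, so entry n of one corresponds to entry n of the other.
    IMAGE_THUNK_DATA* pThunk = (IMAGE_THUNK_DATA*)((BYTE*)hModule + pImportDesc->OriginalFirstThunk);
    IMAGE_THUNK_DATA* pIat = (IMAGE_THUNK_DATA*)((BYTE*)hModule + pImportDesc->FirstThunk);
    for (DWORD n = 0; pThunk[n].u1.Function != 0; ++n)
    {
        // Imports by ordinal carry no name: AddressOfData would be flag|ordinal, not an
        // RVA, and dereferencing it (as the original did) reads a wild address.
        if (IMAGE_SNAP_BY_ORDINAL(pThunk[n].u1.Ordinal))
        {
            continue;
        }
        // IMAGE_IMPORT_BY_NAME is a 2-byte Hint followed by the NUL-terminated name;
        // using the struct replaces the original's "+2" offset.
        IMAGE_IMPORT_BY_NAME* pImport = (IMAGE_IMPORT_BY_NAME*)((BYTE*)hModule + pThunk[n].u1.AddressOfData);
        char* pszFuncName = (char*)pImport->Name;
        printf("Function name:%-25s,", pszFuncName);
        if (_stricmp(pszFuncName, "MessageBoxA") == 0)
        {
            IMAGE_THUNK_DATA* lpAddr = &pIat[n];   // the IAT slot the loader filled in
            printf("address:%p\n", (void*)lpAddr);
            PROC lpNewProc = (PROC)MyMessageBox;
            // The IAT is normally read-only once the loader has resolved it, so make the
            // slot writable for the duration of the write and restore the old protection.
            // VirtualProtect fails if the old-protection out-parameter is NULL, hence dwTemp.
            DWORD dwOldProtect = 0;
            if (!::VirtualProtect(lpAddr, sizeof(*lpAddr), PAGE_READWRITE, &dwOldProtect))
            {
                printf("VirtualProtect failed: %lu\n", GetLastError());
                return;
            }
            // sizeof(lpNewProc) is pointer-sized, matching the slot on both x86 and x64.
            if (!::WriteProcessMemory(GetCurrentProcess(), lpAddr, &lpNewProc, sizeof(lpNewProc), NULL))
            {
                printf("WriteProcessMemory failed: %lu\n", GetLastError());
            }
            DWORD dwTemp = 0;
            ::VirtualProtect(lpAddr, sizeof(*lpAddr), dwOldProtect, &dwTemp);
            return;
        }
    }
    printf("\n");
}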
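// Demo entry point: show a message box before and after the IAT is patched. The second
// call goes through the patched slot and therefore reaches MyMessageBox.
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;
    ::MessageBoxA(NULL, "before Hook", "", MB_OK);
    SetHook();
    ::MessageBoxA(NULL, "After Hook", "", MB_OK);   // original literal read "Aftere Hook"
    return 0;
}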
The following is the version that compares the function address:
The code is as follows:
#include <windows.h>
#include <stdio.h>
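// Define the prototype of the original function. The hook targets the ANSI import
// "MessageBoxA", so the parameters are LPCSTR (narrow strings), not LPCTSTR, which
// would silently become wide strings in a UNICODE build.
typedef int (WINAPI *PFNMESSAGEBOX)(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);

// Save the address of the original MessageBoxA. This version of SetHook compares the
// IAT contents against this value, so it must be the loader-resolved address: the
// MessageBox macro expands to MessageBoxW when UNICODE is defined and would never match,
// so the A variant is named explicitly. Because MessageBoxA is declared
// __declspec(dllimport), this reads the value stored in this module's IAT slot
// (assumption to confirm against the build settings).
PROC g_orgProc = (PROC)MessageBoxA;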
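// Replacement for MessageBoxA. Forwards to the saved original with the message text
// replaced, leaving the other arguments untouched.
//
// It must use the same calling convention as the function it replaces (WINAPI, i.e.
// __stdcall on x86): callers invoke it through the patched IAT slot exactly as they
// would invoke MessageBoxA, and a mismatched convention corrupts the caller's stack
// on 32-bit builds. The original listing omitted WINAPI.
int WINAPI MyMessageBox(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
    (void)lpText;   // intentionally ignored: the hook substitutes its own text
    return ((PFNMESSAGEBOX)g_orgProc)(hWnd, "Mymessagebox", lpCaption, uType);
}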
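// Patch this process's own Import Address Table so that the main module's imported
// MessageBoxA entry points at MyMessageBox (address-comparison version).
//
// Walks the import descriptors of the executable until the user32.dll descriptor is
// found, then walks that descriptor's IAT and patches the slot whose resolved address
// equals the saved g_orgProc. Only the current process is modified. Module and function
// names are printed as they are walked, as in the original article. After the patch the
// slot no longer points into user32.dll, so an IAT-integrity check (comparing each slot
// against the export it should resolve to) will flag this entry.
void SetHook()
{
    HMODULE hModule = ::GetModuleHandleA(NULL);
    IMAGE_DOS_HEADER* pDosHeader = (IMAGE_DOS_HEADER*)hModule;
    // e_lfanew is the offset of the PE signature; the optional header follows the
    // signature and file header. Going through IMAGE_NT_HEADERS replaces the hard-coded
    // "+24" of the original, which only held for the 32-bit layout.
    IMAGE_NT_HEADERS* pNtHeaders = (IMAGE_NT_HEADERS*)((BYTE*)hModule + pDosHeader->e_lfanew);
    IMAGE_DATA_DIRECTORY importDir = pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (importDir.VirtualAddress == 0)
    {
        return;   // module has no import table: nothing to patch
    }
    IMAGE_IMPORT_DESCRIPTOR* pImportDesc = (IMAGE_IMPORT_DESCRIPTOR*)((BYTE*)hModule + importDir.VirtualAddress);

    // Find the descriptor for user32.dll. The array ends with an all-zero entry.
    BOOL bFindDll = FALSE;
    while (pImportDesc->FirstThunk)
    {
        char* pszDllName = (char*)((BYTE*)hModule + pImportDesc->Name);
        printf("Module name:%s\n", pszDllName);
        if (_stricmp(pszDllName, "user32.dll") == 0)   // is it user32.dll?
        {
            bFindDll = TRUE;
            break;
        }
        pImportDesc++;
    }
    if (!bFindDll)
    {
        return;
    }

    // OriginalFirstThunk is the import name table (names/ordinals, never touched by the
    // loader); FirstThunk is the IAT (addresses, filled in by the loader). They are
    // parallel arrays, so entry n of one corresponds to entry n of the other.
    IMAGE_THUNK_DATA* pThunk = (IMAGE_THUNK_DATA*)((BYTE*)hModule + pImportDesc->OriginalFirstThunk);
    IMAGE_THUNK_DATA* pIat = (IMAGE_THUNK_DATA*)((BYTE*)hModule + pImportDesc->FirstThunk);
    for (DWORD n = 0; pThunk[n].u1.Function != 0; ++n)
    {
        // The name is only informational here. Imports by ordinal carry no name
        // (AddressOfData is flag|ordinal, not an RVA), so the print is skipped for them
        // instead of dereferencing a wild address as the original did.
        if (!IMAGE_SNAP_BY_ORDINAL(pThunk[n].u1.Ordinal))
        {
            IMAGE_IMPORT_BY_NAME* pImport = (IMAGE_IMPORT_BY_NAME*)((BYTE*)hModule + pThunk[n].u1.AddressOfData);
            printf("Function name:%-25s,", (char*)pImport->Name);
        }
        IMAGE_THUNK_DATA* lpAddr = &pIat[n];   // the IAT slot the loader filled in
        printf("address:%p\n", (void*)lpAddr);
        // Compare the resolved address in the slot with the saved original. ULONG_PTR keeps
        // the comparison pointer-sized; the original's DWORD cast truncates on x64.
        if (lpAddr->u1.Function == (ULONG_PTR)g_orgProc)
        {
            PROC lpNewProc = (PROC)MyMessageBox;
            // The IAT is normally read-only once the loader has resolved it, so make the
            // slot writable for the duration of the write and restore the old protection.
            // VirtualProtect fails if the old-protection out-parameter is NULL, hence dwTemp.
            DWORD dwOldProtect = 0;
            if (!::VirtualProtect(lpAddr, sizeof(*lpAddr), PAGE_READWRITE, &dwOldProtect))
            {
                printf("VirtualProtect failed: %lu\n", GetLastError());
                return;
            }
            // sizeof(lpNewProc) is pointer-sized, matching the slot on both x86 and x64.
            if (!::WriteProcessMemory(GetCurrentProcess(), lpAddr, &lpNewProc, sizeof(lpNewProc), NULL))
            {
                printf("WriteProcessMemory failed: %lu\n", GetLastError());
            }
            DWORD dwTemp = 0;
            ::VirtualProtect(lpAddr, sizeof(*lpAddr), dwOldProtect, &dwTemp);
            return;
        }
    }
    printf("\n");
}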
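// Demo entry point: show a message box before and after the IAT is patched. The second
// call goes through the patched slot and therefore reaches MyMessageBox.
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;
    ::MessageBoxA(NULL, "before Hook", "", MB_OK);
    SetHook();
    ::MessageBoxA(NULL, "After Hook", "", MB_OK);   // original literal read "Aftere Hook"
    return 0;
}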
Appendix: code to change the protection attributes of a memory page before writing to it:
The code is as follows:
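// Change the protection of the page holding the IAT slot before writing to it: the loader
// normally leaves the IAT read-only, so a plain store would fault. lpAddr (the slot) and
// lpNewProc (the pointer-sized value to store) are declared by the surrounding code.
MEMORY_BASIC_INFORMATION mbi = {0};
// Reports the region's current protection in mbi.Protect; the value is not used further here.
::VirtualQuery(lpAddr, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
DWORD dwOldProtect = 0;
if (::VirtualProtect(lpAddr, sizeof(lpNewProc), PAGE_READWRITE, &dwOldProtect))
{
    ::WriteProcessMemory(GetCurrentProcess(), lpAddr, &lpNewProc, sizeof(lpNewProc), NULL);
    // Restore the previous protection. VirtualProtect fails when the old-protection
    // out-parameter is NULL (as in the original), so a real variable is passed.
    DWORD dwTemp = 0;
    ::VirtualProtect(lpAddr, sizeof(lpNewProc), dwOldProtect, &dwTemp);
}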
I hope this article helps you with your C++ programming.