主要参考这个文章,但是修改了x64上的bug

https://blog.csdn.net/yao_yu_126/article/details/12388779?utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7EBlogCommendFromMachineLearnPai2%7Edefault-10.no_search_link&depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7EBlogCommendFromMachineLearnPai2%7Edefault-10.no_search_link


#include <stdio.h>
#include <Windows.h>/*
* Copyright 2011 kubtek <kubtek@mail.com>
*
* This file is part of StarDict.
*
* StarDict is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* StarDict is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with StarDict.  If not, see <http://www.gnu.org/licenses/>.
*/
#pragma warning(disable: 4996)
#include <tlhelp32.h>// These code come from: http://dev.csdn.net/article/2/2786.shtm
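// I fixed a bug in it and improved it to hook all the modules of a program.

/* Add a byte offset (here always an RVA from the PE headers) to a base pointer and cast the sum. */
#define MakePtr(cast, ptr, AddValue) (cast)((size_t)(ptr)+(size_t)(AddValue))

/*
 * Find the import descriptor that hModule holds for the DLL szImportModule.
 * The DLL name is compared case-insensitively.
 *
 * Returns NULL when an argument is NULL, the DOS or NT header fails its
 * signature check, the image has no import directory, or the DLL is not
 * among the module's imports.
 *
 * NOTE(review): IsBadReadPtr is documented by Microsoft as obsolete and does
 * not guarantee that the memory stays readable after the probe. It is kept
 * because it is the only validation this code has; the descriptor array and
 * the name strings it points to are read without any bounds check.
 */
static PIMAGE_IMPORT_DESCRIPTOR GetNamedImportDescriptor(HMODULE hModule, LPCSTR szImportModule)
{
    PIMAGE_DOS_HEADER pDOSHeader;
    PIMAGE_NT_HEADERS pNTHeader;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
    DWORD dwImportRva;

    if ((szImportModule == NULL) || (hModule == NULL))
        return NULL;

    /* A module handle is the load address of the image, i.e. its DOS header. */
    pDOSHeader = (PIMAGE_DOS_HEADER)hModule;
    if (IsBadReadPtr(pDOSHeader, sizeof(IMAGE_DOS_HEADER)) || (pDOSHeader->e_magic != IMAGE_DOS_SIGNATURE))
        return NULL;

    pNTHeader = MakePtr(PIMAGE_NT_HEADERS, pDOSHeader, pDOSHeader->e_lfanew);
    if (IsBadReadPtr(pNTHeader, sizeof(IMAGE_NT_HEADERS)) || (pNTHeader->Signature != IMAGE_NT_SIGNATURE))
        return NULL;

    dwImportRva = pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (dwImportRva == 0)
        return NULL;

    /* The descriptor array ends with an entry whose Name RVA is zero. */
    for (pImportDesc = MakePtr(PIMAGE_IMPORT_DESCRIPTOR, pDOSHeader, dwImportRva);
         pImportDesc->Name != 0;
         pImportDesc++) {
        PSTR szCurrMod = MakePtr(PSTR, pDOSHeader, pImportDesc->Name);
        if (_stricmp(szCurrMod, szImportModule) == 0)
            return pImportDesc;
    }
    return NULL;
}

/*
 * Report whether GetVersionEx identifies the platform as Windows NT.
 * Returns FALSE when the query itself fails.
 * GetVersionEx is deprecated; the file silences that warning (C4996).
 */
static BOOL IsNT(void)
{
    OSVERSIONINFO stOSVI;

    memset(&stOSVI, 0, sizeof(stOSVI));
    stOSVI.dwOSVersionInfoSize = sizeof(stOSVI);
    if (!GetVersionEx(&stOSVI))
        return FALSE;
    return (VER_PLATFORM_WIN32_NT == stOSVI.dwPlatformId);
}

/*
 * Redirect one named import of hModule: the IAT slot that hModule uses for
 * szImportModule!szFunc is overwritten with paHookFuncs.
 *
 * paOrigFuncs, when not NULL, receives the address the slot held before the
 * write. It is stored before the slot changes so the replacement can already
 * call through it.
 *
 * Returns TRUE when the slot was written or already held paHookFuncs, FALSE
 * when the import was not found or the slot could not be made writable.
 *
 * Only calls that go through this module's import table are affected;
 * addresses obtained in other ways (e.g. GetProcAddress) are untouched.
 * A slot that no longer points into the exporting DLL is what import-table
 * integrity checks look for.
 */
static BOOL HookImportFunction(HMODULE hModule, LPCSTR szImportModule, LPCSTR szFunc, PROC paHookFuncs, PROC* paOrigFuncs)
{
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
    PIMAGE_THUNK_DATA pOrigThunk;
    PIMAGE_THUNK_DATA pRealThunk;

    /* The original never patched without a replacement; a NULL name would be dereferenced below. */
    if ((szFunc == NULL) || (paHookFuncs == NULL))
        return FALSE;

    /* On non-NT systems, modules at or above 0x80000000 are left alone. */
    if (!IsNT() && ((size_t)hModule >= 0x80000000))
        return FALSE;

    pImportDesc = GetNamedImportDescriptor(hModule, szImportModule);
    if (pImportDesc == NULL)
        return FALSE;

    /*
     * The name lookup walks the table at OriginalFirstThunk. With an RVA of
     * zero MakePtr would yield the image base and the loop would interpret
     * the DOS header as thunks, so give up instead.
     */
    if (pImportDesc->OriginalFirstThunk == 0)
        return FALSE;

    pOrigThunk = MakePtr(PIMAGE_THUNK_DATA, hModule, pImportDesc->OriginalFirstThunk);
    pRealThunk = MakePtr(PIMAGE_THUNK_DATA, hModule, pImportDesc->FirstThunk);

    /* Both tables are walked in step: entry i of one describes entry i of the other. */
    for (; pOrigThunk->u1.Function; pOrigThunk++, pRealThunk++) {
        PIMAGE_IMPORT_BY_NAME pByName;
        DWORD dwOldProtect;
        DWORD dwUnused;

        /* Imports by ordinal carry no name to compare. */
        if (IMAGE_ORDINAL_FLAG == (pOrigThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG))
            continue;

        pByName = MakePtr(PIMAGE_IMPORT_BY_NAME, hModule, pOrigThunk->u1.AddressOfData);

        // When hooking EditPlus, reading pByName->Name[0] terminated this DLL, so probe with IsBadReadPtr() first.
        if (IsBadReadPtr(pByName, sizeof(IMAGE_IMPORT_BY_NAME)))
            continue;
        if ('\0' == pByName->Name[0])
            continue;

        /* The first character is compared exactly, the rest case-insensitively, as in the original. */
        if ((szFunc[0] != pByName->Name[0]) || (_stricmp(szFunc, (char*)pByName->Name) != 0))
            continue;

        /*
         * The slot already holds the replacement. Recording it as the
         * "original" would make the replacement call itself.
         */
        if ((PROC)pRealThunk->u1.Function == paHookFuncs)
            return TRUE;

        /*
         * Unprotect only the slot being written, not the whole region
         * reported by VirtualQuery, and stop if that fails rather than
         * writing to read-only memory.
         */
        if (!VirtualProtect(&pRealThunk->u1.Function, sizeof(pRealThunk->u1.Function), PAGE_READWRITE, &dwOldProtect))
            return FALSE;

        if (paOrigFuncs)
            *paOrigFuncs = (PROC)pRealThunk->u1.Function;

        /* ULONG_PTR has the width of u1.Function on both Win32 and Win64. */
        pRealThunk->u1.Function = (ULONG_PTR)paHookFuncs;

        /* Best effort: the write is done even if the old protection cannot be restored. */
        VirtualProtect(&pRealThunk->u1.Function, sizeof(pRealThunk->u1.Function), dwOldProtect, &dwUnused);
        return TRUE;
    }
    return FALSE;
}

/*
 * Apply HookImportFunction to every module in a module snapshot of the
 * calling process (process id 0 passed to CreateToolhelp32Snapshot).
 *
 * Returns FALSE when a name argument is NULL or the snapshot cannot be
 * taken. Otherwise returns TRUE, even if no module imported the function;
 * a caller that needs to know whether anything was redirected can check
 * whether *paOrigFuncs was filled in.
 */
BOOL HookAPI(LPCSTR szImportModule, LPCSTR szFunc, PROC paHookFuncs, PROC* paOrigFuncs)
{
    HANDLE hSnapshot;
    MODULEENTRY32 me = { sizeof(MODULEENTRY32) };
    BOOL bOk;

    if ((szImportModule == NULL) || (szFunc == NULL))
        return FALSE;

    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return FALSE;

    for (bOk = Module32First(hSnapshot, &me); bOk; bOk = Module32Next(hSnapshot, &me))
        HookImportFunction(me.hModule, szImportModule, szFunc, paHookFuncs, paOrigFuncs);

    /* The snapshot is a kernel handle; the original never closed it. */
    CloseHandle(hSnapshot);
    return TRUE;
}
// Hook function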
int WINAPI MessageBoxCallBackProc(IN HWND hWnd, IN LPCSTR lpText, IN LPCSTR lpCaption, IN UINT uType);

// Function-pointer type with the MessageBoxA prototype
typedef int(WINAPI *MessageBoxNextHook_t)(HWND, LPCSTR, LPCSTR, UINT);

// Holds the original function pointer; filled in through HookAPI's paOrigFuncs argument in main
MessageBoxNextHook_t MessageBoxNextHook = NULL;

// MessageBox callback: installed in place of MessageBoxA.
// All four arguments from the caller are ignored; the saved original is
// called with no owner window and a fixed text, caption and style, and its
// result is returned.
// MessageBoxNextHook is not checked for NULL here.
int WINAPI MessageBoxCallBackProc(IN HWND hWnd, IN LPCSTR lpText, IN LPCSTR lpCaption, IN UINT uType)
{
    const UINT uDemoStyle = MB_OK | MB_ICONINFORMATION;

    return MessageBoxNextHook(NULL, "被我给逮到了", "我是钩子", uDemoStyle);
}
/*
 * Demo driver: redirect MessageBoxA in this process, show one message box
 * through the redirection, put the original address back, and show the same
 * message box again for comparison. The results of HookAPI are not checked.
 */
int main(int argc, char* argv[])
{
    LPCSTR szDll = "user32.dll";
    LPCSTR szApi = "MessageBoxA";

    // Install the replacement; the previous address is stored in MessageBoxNextHook.
    HookAPI(szDll, szApi, (PROC)MessageBoxCallBackProc, (PROC*)&MessageBoxNextHook);
    MessageBoxA(NULL, "1", "2", MB_OK);

    // Restore only if an original address was actually captured.
    if (MessageBoxNextHook != NULL) {
        HookAPI(szDll, szApi, (PROC)MessageBoxNextHook, NULL);
    }
    MessageBoxA(NULL, "1", "2", MB_OK);

    return 0;
}
