主要参考这个文章,但是修改了x64上的bug

https://blog.csdn.net/yao_yu_126/article/details/12388779?utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7EBlogCommendFromMachineLearnPai2%7Edefault-10.no_search_link&depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7EBlogCommendFromMachineLearnPai2%7Edefault-10.no_search_link


#include <stdio.h>
#include <Windows.h>/*
* Copyright 2011 kubtek <kubtek@mail.com>
*
* This file is part of StarDict.
*
* StarDict is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* StarDict is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with StarDict.  If not, see <http://www.gnu.org/licenses/>.
*/
#pragma warning(disable: 4996)
#include <tlhelp32.h>// These code come from: http://dev.csdn.net/article/2/2786.shtm
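// I fixed a bug in it and improved it to hook all the modules of a program.

/* Add the byte offset AddValue to ptr and cast the result to `cast`. */
#define MakePtr(cast, ptr, AddValue) ((cast)((size_t)(ptr) + (size_t)(AddValue)))

/*
 * Locate the import descriptor that hModule uses for szImportModule.
 *
 * hModule is treated as the base address of a mapped PE image. The DOS and
 * NT signatures are checked before the import directory is walked, and the
 * DLL name is compared case-insensitively.
 *
 * Returns the matching descriptor, or NULL when an argument is NULL, a
 * header check fails, the image has no import directory, or the image does
 * not import from szImportModule.
 */
static PIMAGE_IMPORT_DESCRIPTOR GetNamedImportDescriptor(HMODULE hModule, LPCSTR szImportModule)
{
    PIMAGE_DOS_HEADER pDOSHeader;
    PIMAGE_NT_HEADERS pNTHeader;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
    DWORD dwImportRva;

    if ((szImportModule == NULL) || (hModule == NULL))
        return NULL;

    pDOSHeader = (PIMAGE_DOS_HEADER)hModule;
    /*
     * NOTE(review): IsBadReadPtr is documented by Microsoft as obsolete and
     * is racy; it is kept here so the probing behaviour stays as it was.
     */
    if (IsBadReadPtr(pDOSHeader, sizeof(IMAGE_DOS_HEADER)) || (pDOSHeader->e_magic != IMAGE_DOS_SIGNATURE))
        return NULL;

    pNTHeader = MakePtr(PIMAGE_NT_HEADERS, pDOSHeader, pDOSHeader->e_lfanew);
    if (IsBadReadPtr(pNTHeader, sizeof(IMAGE_NT_HEADERS)) || (pNTHeader->Signature != IMAGE_NT_SIGNATURE))
        return NULL;

    dwImportRva = pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (dwImportRva == 0)
        return NULL;

    /* The descriptor array ends with an entry whose Name RVA is zero. */
    pImportDesc = MakePtr(PIMAGE_IMPORT_DESCRIPTOR, pDOSHeader, dwImportRva);
    while (pImportDesc->Name) {
        PSTR szCurrMod = MakePtr(PSTR, pDOSHeader, pImportDesc->Name);
        if (_stricmp(szCurrMod, szImportModule) == 0)
            return pImportDesc;
        pImportDesc++;
    }
    return NULL;
}

/*
 * Report whether the running system identifies itself as the NT platform.
 * Returns FALSE when the version query itself fails.
 */
static BOOL IsNT(void)
{
    OSVERSIONINFO stOSVI;

    memset(&stOSVI, 0, sizeof(OSVERSIONINFO));
    stOSVI.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    if (!GetVersionEx(&stOSVI))
        return FALSE;
    return (VER_PLATFORM_WIN32_NT == stOSVI.dwPlatformId);
}

/*
 * Redirect one named import of hModule to paHookFuncs.
 *
 * The import name table of szImportModule is searched for szFunc; the
 * matching slot in the import address table is then overwritten.
 *
 * hModule         base address of the module whose import table is patched
 * szImportModule  DLL the function is imported from
 * szFunc          name of the imported function
 * paHookFuncs     address written into the slot
 * paOrigFuncs     optional; receives the address the slot held before
 *
 * Returns TRUE when the slot holds paHookFuncs on return, FALSE when the
 * import was not found or the slot could not be made writable.
 */
static BOOL HookImportFunction(HMODULE hModule, LPCSTR szImportModule, LPCSTR szFunc, PROC paHookFuncs, PROC* paOrigFuncs)
{
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
    PIMAGE_THUNK_DATA pOrigThunk;
    PIMAGE_THUNK_DATA pRealThunk;

    if ((szFunc == NULL) || (paHookFuncs == NULL))
        return FALSE;

    /*
     * On non-NT systems, modules mapped at or above 0x80000000 are skipped
     * (presumably because that range is shared between processes there;
     * confirm against the original article).
     */
    if (!IsNT() && ((size_t)hModule >= 0x80000000))
        return FALSE;

    pImportDesc = GetNamedImportDescriptor(hModule, szImportModule);
    if (pImportDesc == NULL)
        return FALSE;

    /*
     * The search below matches by name and needs the import name table.
     * With OriginalFirstThunk == 0, MakePtr would yield the module base and
     * the loop would read the DOS header as if it were thunk data.
     */
    if (pImportDesc->OriginalFirstThunk == 0)
        return FALSE;

    pOrigThunk = MakePtr(PIMAGE_THUNK_DATA, hModule, pImportDesc->OriginalFirstThunk);
    pRealThunk = MakePtr(PIMAGE_THUNK_DATA, hModule, pImportDesc->FirstThunk);

    /* Both tables are walked in lock-step: same index, same import. */
    for (; pOrigThunk->u1.Function; pOrigThunk++, pRealThunk++) {
        PIMAGE_IMPORT_BY_NAME pByName;
        DWORD dwOldProtect;
        DWORD dwIgnored;

        /* Imports by ordinal carry no name to compare against. */
        if (IMAGE_ORDINAL_FLAG == (pOrigThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG))
            continue;

        pByName = MakePtr(PIMAGE_IMPORT_BY_NAME, hModule, pOrigThunk->u1.AddressOfData);
        // When hooking EditPlus, reading pByName->Name[0] terminated this DLL, so probe with IsBadReadPtr() first.
        if (IsBadReadPtr(pByName, sizeof(IMAGE_IMPORT_BY_NAME)))
            continue;
        if ('\0' == pByName->Name[0])
            continue;
        /* First character is compared exactly, the rest case-insensitively. */
        if ((szFunc[0] != pByName->Name[0]) || (_stricmp(szFunc, (char*)pByName->Name) != 0))
            continue;

        /*
         * The slot already holds the requested address. Leave *paOrigFuncs
         * alone: storing the hook's own address there would make the hook
         * call itself.
         */
        if ((ULONG_PTR)pRealThunk->u1.Function == (ULONG_PTR)paHookFuncs)
            return TRUE;

        /*
         * Make only the slot writable (the call works at page granularity)
         * instead of the whole surrounding region, and give up if that
         * fails rather than faulting on a write to read-only memory.
         */
        if (!VirtualProtect(&pRealThunk->u1.Function, sizeof(pRealThunk->u1.Function), PAGE_READWRITE, &dwOldProtect))
            return FALSE;

        if (paOrigFuncs)
            *paOrigFuncs = (PROC)pRealThunk->u1.Function;

        /* ULONG_PTR has the width of the slot on both Win32 and Win64. */
        pRealThunk->u1.Function = (ULONG_PTR)paHookFuncs;

        /* Best effort: put the previous page protection back. */
        VirtualProtect(&pRealThunk->u1.Function, sizeof(pRealThunk->u1.Function), dwOldProtect, &dwIgnored);
        return TRUE;
    }
    return FALSE;
}

/*
 * Redirect szFunc, imported from szImportModule, in every module of the
 * current process.
 *
 * Only modules listed in the snapshot taken by this call are visited, and
 * only their import address table slots are rewritten; callers that obtain
 * the function address another way (for example through GetProcAddress)
 * and modules loaded later are not affected. A rewritten slot no longer
 * matches the address the named DLL exports, which is what import-table
 * integrity checks typically compare.
 *
 * paOrigFuncs is optional; when several modules are patched it ends up
 * holding the previous value of the last slot written.
 *
 * Returns TRUE when at least one module's import was redirected, FALSE on
 * NULL names, when the module snapshot cannot be taken, or when no module
 * imports the function.
 */
BOOL HookAPI(LPCSTR szImportModule, LPCSTR szFunc, PROC paHookFuncs, PROC* paOrigFuncs)
{
    HANDLE hSnapshot;
    MODULEENTRY32 me = { sizeof(MODULEENTRY32) };
    BOOL bHooked = FALSE;
    BOOL bOk;

    if ((szImportModule == NULL) || (szFunc == NULL))
        return FALSE;

    /* Process id 0 selects the calling process. */
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return FALSE;

    for (bOk = Module32First(hSnapshot, &me); bOk; bOk = Module32Next(hSnapshot, &me)) {
        if (HookImportFunction(me.hModule, szImportModule, szFunc, paHookFuncs, paOrigFuncs))
            bHooked = TRUE;
    }

    /* The snapshot is a kernel handle and has to be released. */
    CloseHandle(hSnapshot);
    return bHooked;
}
// Hook function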
/* Pointer type with the signature of MessageBoxA. */
typedef int(WINAPI *MessageBoxNextHook_t)(HWND, LPCSTR, LPCSTR, UINT);

/* Saved pointer to the original function; NULL until a caller stores one. */
MessageBoxNextHook_t MessageBoxNextHook = NULL;

/* Replacement function, declared ahead of its definition. */
int WINAPI MessageBoxCallBackProc(IN HWND hWnd, IN LPCSTR lpText, IN LPCSTR lpCaption, IN UINT uType);

/*
 * MessageBox callback: stands in for MessageBoxA while the hook is active.
 *
 * All four arguments are ignored; the saved original is called with no
 * owner window, fixed text and caption, and an OK button with the
 * information icon. Its return value is passed back unchanged.
 *
 * NOTE(review): MessageBoxNextHook is called without a NULL check, so this
 * function must only be reachable after the original address was saved.
 */
int WINAPI MessageBoxCallBackProc(IN HWND hWnd, IN LPCSTR lpText, IN LPCSTR lpCaption, IN UINT uType)
{
    const UINT uDemoStyle = MB_OK | MB_ICONINFORMATION;

    return MessageBoxNextHook(NULL, "被我给逮到了", "我是钩子", uDemoStyle);
}
/*
 * Demo driver: install the MessageBoxA hook, show a message box, put the
 * saved original back, and show the same message box again.
 *
 * The return values of HookAPI are not checked. Always returns 0.
 */
int main(int argc, char* argv[])
{
    LPCSTR szTargetDll = "user32.dll";
    LPCSTR szTargetApi = "MessageBoxA";

    /* Install: the previous import address is stored in MessageBoxNextHook. */
    HookAPI(szTargetDll, szTargetApi, (PROC)MessageBoxCallBackProc, (PROC*)&MessageBoxNextHook);

    /* If the hook was installed, this is expected to show the replacement text. */
    MessageBoxA(NULL, "1", "2", MB_OK);

    /* Restore only when an original address was actually captured. */
    if (MessageBoxNextHook != NULL) {
        HookAPI(szTargetDll, szTargetApi, (PROC)MessageBoxNextHook, NULL);
    }

    MessageBoxA(NULL, "1", "2", MB_OK);
    return 0;
}
