
HOOK -- IAT HOOK 本进程MessageBox

發布時間:2024/4/11 编程问答 38 豆豆
(下面的內容轉自網上,給讀者共享。本來想自己寫一點,但是一直在講課,沒有時間,姑且先復制粘貼一下。)

========================================================================================


結合網上資料,使用 IAT HOOK 截獲 MessageBox 函數。

步驟如下

1. 寫一個自己的MessageBox函數,注意調用約定為__stdcall。

2. 定義一個MessageBox函數指針,如下:

    typedef int (__stdcall *pOldMBox)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption,UINT uType);

3. 遍歷本進程的導入表,尋找MessageBox的地址。

4. 修改MessageBox所在THUNK的地址為自己寫的函數地址(寫入前先用VirtualProtect把該項所在的內存改為可寫,寫完後恢復原來的保護屬性)。代碼如下:


#include <string.h>
#include <windows.h>


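// Base address of the executable that created this process: GetModuleHandle(NULL)
// returns the handle of that module, and the code below uses it as the address
// that every RVA in the PE headers is added to.
HANDLE pBegin = GetModuleHandle(NULL);

// Byte-typed view of the same address so RVAs can be added with plain pointer arithmetic.
PBYTE pBegin2 = (PBYTE)pBegin;

// PE headers of the in-memory image. Nothing here checks e_magic or the NT
// signature; the walk relies on the image being the process's own loaded executable.
PIMAGE_DOS_HEADER DOS = (PIMAGE_DOS_HEADER)pBegin2;
PIMAGE_NT_HEADERS NT = (PIMAGE_NT_HEADERS)(pBegin2 + DOS->e_lfanew);
PIMAGE_OPTIONAL_HEADER OPTION = &(NT->OptionalHeader);

// First entry of the import descriptor array. The data-directory slot is named
// instead of written as the bare index 1.
// NOTE(review): if the import directory's VirtualAddress were 0 this would alias
// the image base; not checked here.
PIMAGE_IMPORT_DESCRIPTOR IMPORT =
    (PIMAGE_IMPORT_DESCRIPTOR)(pBegin2 + OPTION->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);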


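// Pointer type for the import that main() asks ReAPI to redirect, "MessageBoxA".
// The string parameters are LPCSTR rather than LPCTSTR: LPCTSTR becomes a
// wide-string pointer when UNICODE is defined, which would not match the A export.
typedef int (__stdcall *pOldMBox)(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);

// Address that was in the import slot before ReAPI overwrote it; NULL until then.
pOldMBox pMBox = NULL;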


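/*
 * HookMBox - the function whose address ReAPI writes into the MessageBoxA import slot.
 *
 * Same calling convention and parameter list as MessageBoxA (the A variant is
 * named explicitly so the code does not depend on the UNICODE setting).
 *
 * While pMBox is still NULL the call is passed straight through with the
 * caller's arguments. Once pMBox holds the saved original address, the
 * caller's arguments are ignored and a fixed demo message is shown through
 * that saved pointer.
 *
 * Returns whatever the underlying message-box call returns.
 */
int __stdcall HookMBox(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
    if (NULL == pMBox)
    {
        // No saved original yet: forward unchanged.
        return MessageBoxA(hWnd, lpText, lpCaption, uType);
    }

    // Go through the saved pointer, not the import table: the import slot now
    // holds this function's address, so a call by name would come back here.
    return pMBox(NULL, "哈哈! IAT??HOOK到了", "HOOK", MB_OK);
}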


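/*
 * ReAPI - redirect one by-name import of the current executable to HookMBox.
 *
 * DllName  name of the imported DLL as it appears in the import table
 *          (compared case-insensitively).
 * FunName  name of the imported function (compared case-insensitively).
 *
 * Walks the import descriptors starting at IMPORT, finds DllName, then walks
 * that DLL's name table (OriginalFirstThunk) in step with its address table
 * (FirstThunk). On a name match the current address is saved in pMBox and the
 * slot is overwritten with the address of HookMBox.
 *
 * Returns 0 when the slot was patched and -1 otherwise (bad arguments, DLL or
 * function not found, no name table, or the page could not be made writable).
 * The original always returned 0, and when the DLL was not found it went on
 * to walk thunks from the terminating all-zero descriptor.
 *
 * NOTE(review): after the patch the slot no longer points into the exporting
 * DLL, which is the condition import-table integrity checks look for.
 */
int ReAPI(const char* DllName, const char* FunName)
{
    if (NULL == DllName || NULL == FunName)
    {
        return -1;
    }

    // Use a local cursor. Advancing the global IMPORT would make a later call
    // start from wherever this one stopped.
    PIMAGE_IMPORT_DESCRIPTOR pDesc = IMPORT;
    while (pDesc->Name)
    {
        const char* OurDllName = (const char*)(pBegin2 + pDesc->Name);
        if (0 == _stricmp(DllName, OurDllName))
        {
            break;
        }
        pDesc++;
    }

    if (0 == pDesc->Name)
    {
        // Reached the terminating descriptor: this image does not import DllName.
        return -1;
    }

    if (0 == pDesc->OriginalFirstThunk)
    {
        // No separate name table, so there is nothing to match FunName against.
        return -1;
    }

    PIMAGE_THUNK_DATA pOriginalThunk = (PIMAGE_THUNK_DATA)(pBegin2 + pDesc->OriginalFirstThunk);
    PIMAGE_THUNK_DATA pFirstThunk = (PIMAGE_THUNK_DATA)(pBegin2 + pDesc->FirstThunk);

    // u1 is a union, so any member tests for the all-zero terminating entry.
    for (; pOriginalThunk->u1.AddressOfData; pOriginalThunk++, pFirstThunk++)
    {
        // Entries imported by ordinal carry no name; skip them. The macro
        // tests the flag at the thunk's own width instead of truncating to DWORD.
        if (IMAGE_SNAP_BY_ORDINAL(pOriginalThunk->u1.Ordinal))
        {
            continue;
        }

        PIMAGE_IMPORT_BY_NAME pImportByName =
            (PIMAGE_IMPORT_BY_NAME)(pBegin2 + (ULONG_PTR)pOriginalThunk->u1.AddressOfData);
        if (0 != _stricmp(FunName, (const char*)pImportByName->Name))
        {
            continue;
        }

        // Treat the slot as one pointer-sized cell. The declared type of
        // u1.Function differs between SDK header versions, and sizeof(DWORD)
        // is too small for a slot in a 64-bit image.
        void** ppSlot = (void**)&pFirstThunk->u1.Function;

        DWORD dwOLD = 0;
        if (!VirtualProtect(ppSlot, sizeof(*ppSlot), PAGE_READWRITE, &dwOLD))
        {
            return -1;
        }

        // Save the real address first so HookMBox can still reach it.
        pMBox = (pOldMBox)(*ppSlot);
        *ppSlot = (void*)HookMBox;

        // Put the previous protection back. VirtualProtect fails when its last
        // argument is NULL, so the original call with 0 never restored
        // anything and the page stayed writable.
        DWORD dwIgnored = 0;
        if (!VirtualProtect(ppSlot, sizeof(*ppSlot), dwOLD, &dwIgnored))
        {
            OutputDebugStringA("ReAPI: could not restore page protection\n");
        }

        return 0;
    }

    // FunName is not imported by name from DllName.
    return -1;
}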

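/*
 * Demo entry point: patch this process's MessageBoxA import, then call
 * MessageBoxA. If the patch took effect the call lands in HookMBox and the
 * text passed here is never shown.
 */
int main()
{
    if (0 != ReAPI("User32.dll", "MessageBoxA"))
    {
        OutputDebugStringA("main: MessageBoxA import was not patched\n");
    }

    // Name the A variant explicitly: it is the import ReAPI was asked to
    // patch, and the MessageBox macro resolves to MessageBoxW under UNICODE.
    MessageBoxA(NULL, "沒有HOOK到", "HOOK", MB_OK);

    return 0;
}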
