2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Drawing on material found online, this post uses an IAT hook to intercept the MessageBox function. The steps are as follows:
1. Write your own replacement MessageBox function. Note that the calling convention must be __stdcall.
2. Define a MessageBox function-pointer type as follows:
typedef int (__stdcall *pOldMBox)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
3. Walk the import table of the current process to find the import address table entry (thunk) that holds the address of MessageBox.
4. Overwrite the address stored in that thunk with the address of your own function. The code I wrote is as follows:
#include <windows.h>
#include <string.h>

// Locate the import directory of this process's main module
HANDLE pBegin = GetModuleHandle(NULL);
PBYTE pBegin2 = (PBYTE)pBegin;
PIMAGE_DOS_HEADER DOS = (PIMAGE_DOS_HEADER)pBegin2;
PIMAGE_NT_HEADERS NT = (PIMAGE_NT_HEADERS)(pBegin2 + DOS->e_lfanew);
PIMAGE_OPTIONAL_HEADER OPTION = &(NT->OptionalHeader);
// DataDirectory[1] is IMAGE_DIRECTORY_ENTRY_IMPORT
PIMAGE_IMPORT_DESCRIPTOR IMPORT = (PIMAGE_IMPORT_DESCRIPTOR)(OPTION->DataDirectory[1].VirtualAddress + pBegin2);

// Function-pointer type matching the __stdcall signature of MessageBoxA
typedef int (__stdcall *pOldMBox)(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);
pOldMBox pMBox = NULL;   // will hold the real MessageBoxA address once the hook is installed

int __stdcall HookMBox(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
    if (NULL == pMBox)
    {
        return MessageBoxA(hWnd, lpText, lpCaption, uType);
    }
    else
    {
        return pMBox(NULL, "! IAT HOOK is here", "HOOK", MB_OK);
    }
}

int ReAPI(const char *DllName, const char *FunName)
{
    /* find the import descriptor for the requested DLL */
    while (IMPORT->Name)
    {
        char *OurDllName = (char *)(IMPORT->Name + pBegin2);
        if (0 == _stricmp(DllName, OurDllName))
        {
            break;
        }
        IMPORT++;
    }
    if (!IMPORT->Name)   // DLL not imported: stop rather than reading past the terminating descriptor
    {
        return -1;
    }
    /* find the requested API function */
    PIMAGE_IMPORT_BY_NAME pImportByName = NULL;
    PIMAGE_THUNK_DATA pOriginalThunk = NULL;
    PIMAGE_THUNK_DATA pFirstThunk = NULL;
    pOriginalThunk = (PIMAGE_THUNK_DATA)(IMPORT->OriginalFirstThunk + pBegin2);
    pFirstThunk = (PIMAGE_THUNK_DATA)(IMPORT->FirstThunk + pBegin2);
    while (pOriginalThunk->u1.Function)   // remember it is Function
    {
        DWORD_PTR U1 = pOriginalThunk->u1.Ordinal;   // remember it is Ordinal
        if ((U1 & IMAGE_ORDINAL_FLAG) != IMAGE_ORDINAL_FLAG)   // MSB not set: imported by name, not by ordinal
        {
            pImportByName = (PIMAGE_IMPORT_BY_NAME)((DWORD_PTR)pOriginalThunk->u1.AddressOfData + pBegin2);
            char *OurFunName = (char *)(pImportByName->Name);   // the following calculation also works:
            // char *OurFunName2 = (char *)((DWORD_PTR)pOriginalThunk->u1.AddressOfData + pBegin2 + 2);
            if (0 == _stricmp(FunName, OurFunName))
            {
                // query the memory region containing pFirstThunk into a MEMORY_BASIC_INFORMATION structure
                MEMORY_BASIC_INFORMATION mbi_thunk;
                VirtualQuery(pFirstThunk, &mbi_thunk, sizeof(MEMORY_BASIC_INFORMATION));
                // VirtualProtect(mbi_thunk.BaseAddress, mbi_thunk.RegionSize, PAGE_READWRITE, &mbi_thunk.Protect);
                // make the IAT slot at pFirstThunk writable (PAGE_READWRITE) and save the old protection in dwOLD
                DWORD dwOLD;
                VirtualProtect(pFirstThunk, sizeof(DWORD_PTR), PAGE_READWRITE, &dwOLD);
                // save the real MessageBoxA address in the function pointer defined earlier,
                // then replace the IAT slot with the address of our HookMBox function;
                // if this works, calls to MessageBoxA from this module land in HookMBox,
                // and HookMBox can still reach the real MessageBoxA through pMBox
                pMBox = (pOldMBox)(pFirstThunk->u1.Function);
                pFirstThunk->u1.Function = (DWORD_PTR)HookMBox;
                // restore the previous protection of the slot we changed
                VirtualProtect(pFirstThunk, sizeof(DWORD_PTR), dwOLD, &dwOLD);
                break;
            }
        }
        pOriginalThunk++;
        pFirstThunk++;
    }
    return 0;
}

int main()
{
    ReAPI("User32.dll", "MessageBoxA");
    MessageBoxA(NULL, "No HOOK to", "HOOK", MB_OK);
    return 0;
}
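The same import-table walk that ReAPI() performs above (e_lfanew, DataDirectory[1], the OriginalFirstThunk/FirstThunk pair and the IMAGE_ORDINAL_FLAG test), shown as an added example that is not part of the original article: a Python parser over a minimal PE32 image that is constructed inline (its RVAs, the "USER32.dll"/"MessageBoxA" import and the IAT values are constructed test data), plus a defender-side check that reports IAT slots whose value no longer matches the address an export resolver would expect, which is how an overwritten slot is spotted.

```python
import struct
IMAGE_ORDINAL_FLAG32 = 0x80000000  # MSB set => imported by ordinal (PE32 thunk)

def cstr(img, off):
    return img[off:img.index(b"\0", off)].decode()

def build_sample_image():
    # Constructed minimal PE32 image (test data, not a real executable).
    img = bytearray(0x400)
    e_lfanew, imp, oft, ft, dll_rva, hn_rva = 0x80, 0x200, 0x280, 0x2C0, 0x300, 0x310
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)          # IMAGE_DOS_HEADER.e_lfanew
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"               # IMAGE_NT_HEADERS.Signature
    opt = e_lfanew + 24                                   # OptionalHeader follows the 20-byte FILE_HEADER
    struct.pack_into("<H", img, opt, 0x10B)               # Magic = PE32
    struct.pack_into("<I", img, opt + 104, imp)           # DataDirectory[1].VirtualAddress (import table)
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<IIIII", img, imp, oft, 0, 0, dll_rva, ft)
    img[dll_rva:dll_rva + 11] = b"USER32.dll\0"
    struct.pack_into("<H", img, hn_rva, 0)                # IMAGE_IMPORT_BY_NAME.Hint
    img[hn_rva + 2:hn_rva + 14] = b"MessageBoxA\0"        # IMAGE_IMPORT_BY_NAME.Name
    struct.pack_into("<III", img, oft, hn_rva, IMAGE_ORDINAL_FLAG32 | 0x1F, 0)  # INT: by name, ordinal 31, end
    struct.pack_into("<III", img, ft, 0x7FFF1000, 0x7FFF2000, 0)                # IAT: loader-resolved values
    return bytes(img)

def parse_imports(img):
    # DOS header -> NT headers -> DataDirectory[1] -> descriptors -> thunk pairs, as ReAPI() walks them.
    # Returns [(dll, name_or_ordinal, iat_slot_rva, iat_value)].
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    opt = e_lfanew + 24
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0" or struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("not a PE32 image (only 4-byte thunks are handled here)")
    desc, entries = struct.unpack_from("<I", img, opt + 104)[0], []
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", img, desc)
        if name_rva == 0:                                 # zeroed descriptor ends the table
            break
        dll, i = cstr(img, name_rva), 0
        while (lookup := struct.unpack_from("<I", img, oft + 4 * i)[0]) != 0:
            slot = ft + 4 * i                             # the IAT entry an IAT hook overwrites
            # Same test as the article's (u1.Ordinal & IMAGE_ORDINAL_FLAG); by name => skip the 2-byte Hint
            ident = lookup & 0xFFFF if lookup & IMAGE_ORDINAL_FLAG32 else cstr(img, lookup + 2)
            entries.append((dll, ident, slot, struct.unpack_from("<I", img, slot)[0]))
            i += 1
        desc += 20
    return entries

def iat_mismatches(entries, expected):
    # Defender check: IAT slots whose value differs from the resolver's address for that import (assumed dict).
    return [e for e in entries if expected.get((e[0].lower(), e[1]), e[3]) != e[3]]
```

On a live process the `expected` map would come from GetProcAddress on the exporting module; here it is supplied by hand so the check runs offline.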