C 如何在运行进程的IAT内钩住Windows API函数,并用伪函数替换它?
我的目标是执行IAT挂钩。我想用我自己的函数C 如何在运行进程的IAT内钩住Windows API函数,并用伪函数替换它?,c,portable-executable,C,Portable Executable,我的目标是执行IAT挂钩。我想用我自己的函数ModifiedLLA替换LoadLibraryA(LLA) 我仔细研究了PE格式,找到了每个导入的DLL文件的函数名 考虑到这将是我的替代功能: DWORD ModifiedLLA(char* str){ printf("test\n"); return 0; } ... //IAT & ILTs have been assigned previously //Declare pointer to our own fun
ModifiedLLA
替换LoadLibraryA
(LLA)
我仔细研究了PE格式,找到了每个导入的DLL文件的函数名
考虑到这将是我的替代功能:
DWORD ModifiedLLA(char* str){
printf("test\n");
return 0;
}
...
//IAT & ILTs have been assigned previously
//Declare pointer to our own function
DWORD(WINAPI *procPtr)(char*);
procPtr = ModifiedLLA;
while(ilt->u1.AddressOfData){
namedata = (PIMAGE_IMPORT_BY_NAME)((DWORD_PTR)imagebase +
(DWORD)ilt->u1.AddressOfData);
//We have found the LoadLibraryA function.
if(strcmp(namedata->Name, "LoadLibraryA") == 0){
//Here we must replace the original LoadLibraryA with procPtr;
break;
}
ilt++;
alt++;
}
...
考虑主函数中的以下代码:
DWORD ModifiedLLA(char* str){
printf("test\n");
return 0;
}
...
//IAT & ILTs have been assigned previously
//Declare pointer to our own function
DWORD(WINAPI *procPtr)(char*);
procPtr = ModifiedLLA;
while(ilt->u1.AddressOfData){
namedata = (PIMAGE_IMPORT_BY_NAME)((DWORD_PTR)imagebase +
(DWORD)ilt->u1.AddressOfData);
//We have found the LoadLibraryA function.
if(strcmp(namedata->Name, "LoadLibraryA") == 0){
//Here we must replace the original LoadLibraryA with procPtr;
break;
}
ilt++;
alt++;
}
...
问题是“如何将procPtr
分配给LLA地址”
我读到当未设置IMAGE_ORDINAL_标志时,LoadLibraryA
的地址变为iat->u1.Function+namedata
但是,我不确定应该将(DWORD_PTR)namedata+(DWORD)iat->u1.Function
转换为什么数据类型。我试着将它转换成一个DWORD\u PTR
。当我尝试将procPtr分配给该地址时,会出现错误,例如:
一元'*'的类型参数无效(具有'DWORD_PTR'{aka'long unsigned int'})我找到了答案。显然,这就像iat->u1.Function=(ULONGLONG)procPtr一样简单
因此,代码变为:
//IAT & ILTs have been assigned previously
//Declare pointer to our own function
DWORD(WINAPI *procPtr)(char*);
procPtr = ModifiedLLA;
while(ilt->u1.AddressOfData){
namedata = (PIMAGE_IMPORT_BY_NAME)((DWORD_PTR)imagebase +
(DWORD)ilt->u1.AddressOfData);
//We have found the LoadLibraryA function.
if(strcmp(namedata->Name, "LoadLibraryA") == 0){
iat->u1.Function = (ULONGLONG)procPtr;
break;
}
ilt++;
alt++;
}
...
我希望这也能帮助其他人。您是否试图操纵正在运行(或至少已挂起)的进程的IAT?或者您只是试图操纵PE文件的文件内容?@AndreasWenzel正在运行的进程。代码正在操作同一进程的IAT。ULONGLONG
在Microsoft Windows平台上为64位。但是,您的问题没有指定正在运行的进程是32位还是64位。因此,这个答案只适用于64位进程。@AndreasWenzel这是一个很好的观点。在32位iat->u1中,函数定义为DWORD。更好的方法是什么?好问题。我能想到的唯一答案是使用预处理器使用条件编译,这取决于宏是定义的,像这样的#ifdef\u WIN64
。还是只使用(DWORD\u PTR)
,如上所述。