How to hook a Windows API function inside the IAT of a running process and replace it with a dummy function?
My goal is to perform IAT hooking. I want to replace LoadLibraryA (LLA) with my own function ModifiedLLA.
I have dug into the PE format and I am able to find the function names of every imported DLL file.
Consider this as my replacement function:
    // WINAPI so the definition matches the pointer type declared below
    // (__stdcall on x86; no effect on x64)
    DWORD WINAPI ModifiedLLA(char* str){
        printf("test\n");
        return 0;
    }
Consider the following code in the main function:

    ...
    //IAT & ILTs have been assigned previously
    //Declare pointer to our own function
    DWORD(WINAPI *procPtr)(char*);
    procPtr = ModifiedLLA;
    //Walk the ILT to its zero terminator; each entry holds the RVA of a hint/name pair
    while(ilt->u1.AddressOfData){
        namedata = (PIMAGE_IMPORT_BY_NAME)((DWORD_PTR)imagebase +
                   (DWORD)ilt->u1.AddressOfData);
        //We have found the LoadLibraryA function.
        if(strcmp(namedata->Name, "LoadLibraryA") == 0){
            //Here we must replace the original LoadLibraryA with procPtr;
            break;
        }
        ilt++;
        alt++;
    }
    ...
The question is: how can I assign procPtr to the LLA address?
I read that when IMAGE_ORDINAL_FLAG is not set, the address of LoadLibraryA becomes iat->u1.Function + namedata.
However, I am not sure which data type I should cast (DWORD_PTR)namedata + (DWORD)iat->u1.Function to. I tried casting it to DWORD_PTR. When I try to assign procPtr to the address, I get an error such as:

    invalid type argument of unary '*' (have 'DWORD_PTR' {aka 'long long unsigned int'})
I found the answer. Apparently it is as simple as iat->u1.Function = (ULONGLONG)procPtr;
So the code becomes:

    //IAT & ILTs have been assigned previously
    //Declare pointer to our own function
    DWORD(WINAPI *procPtr)(char*);
    procPtr = ModifiedLLA;
    //Walk the ILT to its zero terminator; each entry holds the RVA of a hint/name pair
    while(ilt->u1.AddressOfData){
        namedata = (PIMAGE_IMPORT_BY_NAME)((DWORD_PTR)imagebase +
                   (DWORD)ilt->u1.AddressOfData);
        //We have found the LoadLibraryA function.
        if(strcmp(namedata->Name, "LoadLibraryA") == 0){
            //Overwrite the IAT slot: on x64 u1.Function is a ULONGLONG, so cast the pointer
            iat->u1.Function = (ULONGLONG)procPtr;
            break;
        }
        ilt++;
        alt++;
    }
    ...
I hope this helps others too.
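The same ILT/IAT walk, turned around for the defender: locate the IAT slot for a named import and check whether it still holds the address the exporting module resolves the name to. This is an added example, not code from the question or the answer above. It assumes PE32+ (x64) layout; on Windows the struct names come from winnt.h (base would be GetModuleHandleA(NULL) and import_rva the import DataDirectory RVA from the NT headers), while off Windows minimal equivalents are declared so the walk runs against a constructed in-memory image; the sample image and its addresses are constructed, not from any real binary.

```c
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#define strcasecmp _stricmp
#else
#include <strings.h>
/* Minimal PE32+ import structures laid out as in winnt.h, so the same walk
   compiles and runs against a constructed image off Windows. */
typedef struct { uint32_t OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk; } IMAGE_IMPORT_DESCRIPTOR;
typedef struct { union { uint64_t Function, AddressOfData, Ordinal; } u1; } IMAGE_THUNK_DATA64;
typedef struct { uint16_t Hint; char Name[1]; } IMAGE_IMPORT_BY_NAME;
#define IMAGE_ORDINAL_FLAG64 0x8000000000000000ULL
#endif
/* Walk the ILT and IAT side by side (same index in both) and return the IAT slot
   for dll!func, or NULL. Ordinal-only imports carry no name, and a descriptor with
   no ILT (OriginalFirstThunk == 0) cannot be resolved by name; both are skipped. */
IMAGE_THUNK_DATA64 *find_iat_slot(uint8_t *base, uint32_t import_rva, const char *dll, const char *func) {
    IMAGE_IMPORT_DESCRIPTOR *d = (IMAGE_IMPORT_DESCRIPTOR *)(base + import_rva);
    for (; d->Name; d++) {
        if (!d->OriginalFirstThunk || strcasecmp((const char *)(base + d->Name), dll) != 0) continue;
        IMAGE_THUNK_DATA64 *ilt = (IMAGE_THUNK_DATA64 *)(base + d->OriginalFirstThunk);
        IMAGE_THUNK_DATA64 *iat = (IMAGE_THUNK_DATA64 *)(base + d->FirstThunk);
        for (; ilt->u1.AddressOfData; ilt++, iat++) {
            if (ilt->u1.Ordinal & IMAGE_ORDINAL_FLAG64) continue;
            IMAGE_IMPORT_BY_NAME *n = (IMAGE_IMPORT_BY_NAME *)(base + ilt->u1.AddressOfData);
            if (strcmp(n->Name, func) == 0) return iat;
        }
    }
    return NULL;
}
/* Hook indicator: the slot no longer holds the address the exporting module
   resolves the name to (on Windows: GetProcAddress(GetModuleHandleA(dll), func)). */
int iat_slot_hooked(const IMAGE_THUNK_DATA64 *slot, uint64_t expected) {
    return slot != NULL && slot->u1.Function != expected;
}
/* Constructed image fragment, not a real binary: KERNEL32.dll importing ordinal #100,
   then LoadLibraryA. Descriptor at RVA 0, ILT 0x100, IAT 0x140, DLL name 0x200, Hint 0x220 + name 0x222. */
uint8_t *sample_image(void) {
    static uint64_t raw[0x60]; uint8_t *buf = (uint8_t *)raw;   /* zeroed, 8-byte aligned */
    IMAGE_IMPORT_DESCRIPTOR d = { 0x100, 0, 0, 0x200, 0x140 };
    uint64_t ilt[] = { IMAGE_ORDINAL_FLAG64 | 100, 0x220, 0 };
    uint64_t iat[] = { 0x7ff000001000ULL, 0x7ff000002000ULL, 0 };
    memcpy(buf, &d, sizeof d);
    memcpy(buf + 0x100, ilt, sizeof ilt);
    memcpy(buf + 0x140, iat, sizeof iat);
    memcpy(buf + 0x200, "KERNEL32.dll", 13);
    memcpy(buf + 0x222, "LoadLibraryA", 13);
    return buf;
}
```

On a live x64 process the check is the slot value against GetProcAddress of the exporter; a mismatch, or a value outside the exporting module's mapped range, is the classic IAT-hook indicator.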