如何挂钩延迟导入
how to hook delay imports
我想做 hook 但不想走微软的弯路，所以用了 IAT hook，因为这是最简单的方法；但是我发现我想 hook 的一些函数在 delay import table 里面。
我试着像挂钩 iat table 一样挂钩它:
/* Attempt to hook mydll.dll!func in the current executable by patching the
 * delay-load import tables: locate the delay-import directory, walk its
 * descriptors, and overwrite the thunk entry named "func" with hControlService. */
HMODULE lib = GetModuleHandleA(0);
PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)lib;
PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)((uintptr_t)lib + dos->e_lfanew);
/* NOTE(review): no check that the delay-import directory exists (VirtualAddress != 0);
 * with a zero RVA this would walk from the image base as if it were a descriptor. */
PIMAGE_DELAYLOAD_DESCRIPTOR dload = (PIMAGE_DELAYLOAD_DESCRIPTOR)((uintptr_t)lib +
nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].VirtualAddress);
while (dload->DllNameRVA)
{
char *dll = (char*)((uintptr_t)lib + dload->DllNameRVA);
if (!strcmp(dll,"mydll.dll")) {
MessageBoxA(0,"found mydll","info",0);
/* firstthunk walks the Import Name Table (ImportNameTableRVA). Its entries are
 * RVAs to IMAGE_IMPORT_BY_NAME records that *name* each import; they are not
 * the slots the program calls through (those are at ImportAddressTableRVA). */
PIMAGE_THUNK_DATA firstthunk = (PIMAGE_THUNK_DATA)((uintptr_t)lib + dload->ImportNameTableRVA);
while (firstthunk->u1.AddressOfData)
{
if (firstthunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) {} /* ordinal-only import: no name to compare */
else {
PIMAGE_IMPORT_BY_NAME byName = (PIMAGE_IMPORT_BY_NAME)((uintptr_t)lib + firstthunk->u1.AddressOfData);
if (!strcmp((char*)byName->Name,"func")) {
MessageBoxA(0,"found func","info",0);
DWORD oldProtect;
DWORD tmp;
/* BUG: this write lands in the name-table entry, not in the delay-load IAT.
 * The entry now holds a function address where an RVA to IMAGE_IMPORT_BY_NAME
 * is expected — presumably the crash reported below. The working version on
 * this page keeps a second thunk pointer into ImportAddressTableRVA and writes
 * there instead.
 * NOTE(review): PAGE_READWRITE is all a data write needs; PAGE_EXECUTE_READWRITE
 * makes the page W+X for no benefit. The VirtualProtect results are unchecked. */
VirtualProtect(&firstthunk->u1.Function, sizeof(uintptr_t), PAGE_EXECUTE_READWRITE, &oldProtect);
firstthunk->u1.Function = (uintptr_t)hControlService;
VirtualProtect(&firstthunk->u1.Function, sizeof(uintptr_t), oldProtect, &tmp);
MessageBoxA(0, "hooked func", "info", 0);
}
}
firstthunk++;
}
}
dload++;
}
但是程序在调用 func 时崩溃了
我怎样才能正确挂钩?
根据 RbMm 的评论修改后的可用代码:
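/* Hook mydll.dll!func in the current executable by replacing its delay-load
 * IAT slot with hControlService.
 *
 * Layout (winnt.h): each IMAGE_DELAYLOAD_DESCRIPTOR carries two parallel,
 * zero-terminated thunk arrays — the Import Name Table (ImportNameTableRVA)
 * that names each import, and the Import Address Table (ImportAddressTableRVA)
 * that the program calls through. The name table is only read here; the write
 * goes to the address table at the same index.
 *
 * NOTE(review): if the delay-load helper has not yet resolved this slot, the
 * value replaced here is the resolver stub rather than func's own address —
 * confirm before relying on the old slot value to call through to the original. */
HMODULE lib = GetModuleHandleA(0);
PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)lib;
PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)((uintptr_t)lib + dos->e_lfanew);
/* The delay-import directory is optional. With VirtualAddress == 0 the previous
 * version treated the image base itself as a descriptor and read garbage. */
DWORD delayRva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].VirtualAddress;
PIMAGE_DELAYLOAD_DESCRIPTOR dload = delayRva ? (PIMAGE_DELAYLOAD_DESCRIPTOR)((uintptr_t)lib + delayRva) : NULL;
for (; dload && dload->DllNameRVA; dload++)
{
    /* Only the RVA-based descriptor layout is handled; the legacy layout stores
     * absolute addresses in the same fields and must not be walked as RVAs. */
    if (!dload->Attributes.RvaBased) {
        continue;
    }
    const char *dll = (const char *)((uintptr_t)lib + dload->DllNameRVA);
    /* Case-sensitive match, as in the original snippet. */
    if (strcmp(dll, "mydll.dll") != 0) {
        continue;
    }
    MessageBoxA(0, "found mydll", "info", 0);
    PIMAGE_THUNK_DATA nameThunk = (PIMAGE_THUNK_DATA)((uintptr_t)lib + dload->ImportNameTableRVA);
    PIMAGE_THUNK_DATA addrThunk = (PIMAGE_THUNK_DATA)((uintptr_t)lib + dload->ImportAddressTableRVA);
    /* Both tables end at a zero entry and advance in step. */
    for (; nameThunk->u1.AddressOfData; nameThunk++, addrThunk++) {
        if (nameThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) {
            continue; /* ordinal-only import: nothing to compare by name */
        }
        PIMAGE_IMPORT_BY_NAME byName = (PIMAGE_IMPORT_BY_NAME)((uintptr_t)lib + nameThunk->u1.AddressOfData);
        if (strcmp((const char *)byName->Name, "func") != 0) {
            continue;
        }
        MessageBoxA(0, "found func", "info", 0);
        DWORD oldProtect;
        DWORD tmp;
        /* A data write needs PAGE_READWRITE only; do not make the page W+X.
         * If the protection change fails, skip the slot instead of faulting. */
        if (!VirtualProtect(&addrThunk->u1.Function, sizeof addrThunk->u1.Function, PAGE_READWRITE, &oldProtect)) {
            MessageBoxA(0, "VirtualProtect failed", "info", 0);
            continue;
        }
        addrThunk->u1.Function = (uintptr_t)hControlService;
        /* Restore the original protection; a failure here is not actionable. */
        (void)VirtualProtect(&addrThunk->u1.Function, sizeof addrThunk->u1.Function, oldProtect, &tmp);
        MessageBoxA(0, "hooked func", "info", 0);
    }
}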
我想做 hook 但不想走微软的弯路，所以用了 IAT hook，因为这是最简单的方法；但是我发现我想 hook 的一些函数在 delay import table 里面。我试着像挂钩 IAT table 一样挂钩它:
/* Attempt to hook mydll.dll!func in the current executable by patching the
 * delay-load import tables: locate the delay-import directory, walk its
 * descriptors, and overwrite the thunk entry named "func" with hControlService. */
HMODULE lib = GetModuleHandleA(0);
PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)lib;
PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)((uintptr_t)lib + dos->e_lfanew);
/* NOTE(review): no check that the delay-import directory exists (VirtualAddress != 0);
 * with a zero RVA this would walk from the image base as if it were a descriptor. */
PIMAGE_DELAYLOAD_DESCRIPTOR dload = (PIMAGE_DELAYLOAD_DESCRIPTOR)((uintptr_t)lib +
nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].VirtualAddress);
while (dload->DllNameRVA)
{
char *dll = (char*)((uintptr_t)lib + dload->DllNameRVA);
if (!strcmp(dll,"mydll.dll")) {
MessageBoxA(0,"found mydll","info",0);
/* firstthunk walks the Import Name Table (ImportNameTableRVA). Its entries are
 * RVAs to IMAGE_IMPORT_BY_NAME records that *name* each import; they are not
 * the slots the program calls through (those are at ImportAddressTableRVA). */
PIMAGE_THUNK_DATA firstthunk = (PIMAGE_THUNK_DATA)((uintptr_t)lib + dload->ImportNameTableRVA);
while (firstthunk->u1.AddressOfData)
{
if (firstthunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) {} /* ordinal-only import: no name to compare */
else {
PIMAGE_IMPORT_BY_NAME byName = (PIMAGE_IMPORT_BY_NAME)((uintptr_t)lib + firstthunk->u1.AddressOfData);
if (!strcmp((char*)byName->Name,"func")) {
MessageBoxA(0,"found func","info",0);
DWORD oldProtect;
DWORD tmp;
/* BUG: this write lands in the name-table entry, not in the delay-load IAT.
 * The entry now holds a function address where an RVA to IMAGE_IMPORT_BY_NAME
 * is expected — presumably the crash reported below. The working version on
 * this page keeps a second thunk pointer into ImportAddressTableRVA and writes
 * there instead.
 * NOTE(review): PAGE_READWRITE is all a data write needs; PAGE_EXECUTE_READWRITE
 * makes the page W+X for no benefit. The VirtualProtect results are unchecked. */
VirtualProtect(&firstthunk->u1.Function, sizeof(uintptr_t), PAGE_EXECUTE_READWRITE, &oldProtect);
firstthunk->u1.Function = (uintptr_t)hControlService;
VirtualProtect(&firstthunk->u1.Function, sizeof(uintptr_t), oldProtect, &tmp);
MessageBoxA(0, "hooked func", "info", 0);
}
}
firstthunk++;
}
}
dload++;
}
但是程序在调用 func 时崩溃了。我怎样才能正确挂钩?
根据 RbMm 的评论修改后的可用代码:
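/* Hook mydll.dll!func in the current executable by replacing its delay-load
 * IAT slot with hControlService.
 *
 * Layout (winnt.h): each IMAGE_DELAYLOAD_DESCRIPTOR carries two parallel,
 * zero-terminated thunk arrays — the Import Name Table (ImportNameTableRVA)
 * that names each import, and the Import Address Table (ImportAddressTableRVA)
 * that the program calls through. The name table is only read here; the write
 * goes to the address table at the same index.
 *
 * NOTE(review): if the delay-load helper has not yet resolved this slot, the
 * value replaced here is the resolver stub rather than func's own address —
 * confirm before relying on the old slot value to call through to the original. */
HMODULE lib = GetModuleHandleA(0);
PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)lib;
PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)((uintptr_t)lib + dos->e_lfanew);
/* The delay-import directory is optional. With VirtualAddress == 0 the previous
 * version treated the image base itself as a descriptor and read garbage. */
DWORD delayRva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].VirtualAddress;
PIMAGE_DELAYLOAD_DESCRIPTOR dload = delayRva ? (PIMAGE_DELAYLOAD_DESCRIPTOR)((uintptr_t)lib + delayRva) : NULL;
for (; dload && dload->DllNameRVA; dload++)
{
    /* Only the RVA-based descriptor layout is handled; the legacy layout stores
     * absolute addresses in the same fields and must not be walked as RVAs. */
    if (!dload->Attributes.RvaBased) {
        continue;
    }
    const char *dll = (const char *)((uintptr_t)lib + dload->DllNameRVA);
    /* Case-sensitive match, as in the original snippet. */
    if (strcmp(dll, "mydll.dll") != 0) {
        continue;
    }
    MessageBoxA(0, "found mydll", "info", 0);
    PIMAGE_THUNK_DATA nameThunk = (PIMAGE_THUNK_DATA)((uintptr_t)lib + dload->ImportNameTableRVA);
    PIMAGE_THUNK_DATA addrThunk = (PIMAGE_THUNK_DATA)((uintptr_t)lib + dload->ImportAddressTableRVA);
    /* Both tables end at a zero entry and advance in step. */
    for (; nameThunk->u1.AddressOfData; nameThunk++, addrThunk++) {
        if (nameThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) {
            continue; /* ordinal-only import: nothing to compare by name */
        }
        PIMAGE_IMPORT_BY_NAME byName = (PIMAGE_IMPORT_BY_NAME)((uintptr_t)lib + nameThunk->u1.AddressOfData);
        if (strcmp((const char *)byName->Name, "func") != 0) {
            continue;
        }
        MessageBoxA(0, "found func", "info", 0);
        DWORD oldProtect;
        DWORD tmp;
        /* A data write needs PAGE_READWRITE only; do not make the page W+X.
         * If the protection change fails, skip the slot instead of faulting. */
        if (!VirtualProtect(&addrThunk->u1.Function, sizeof addrThunk->u1.Function, PAGE_READWRITE, &oldProtect)) {
            MessageBoxA(0, "VirtualProtect failed", "info", 0);
            continue;
        }
        addrThunk->u1.Function = (uintptr_t)hControlService;
        /* Restore the original protection; a failure here is not actionable. */
        (void)VirtualProtect(&addrThunk->u1.Function, sizeof addrThunk->u1.Function, oldProtect, &tmp);
        MessageBoxA(0, "hooked func", "info", 0);
    }
}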