IAT的API Hook都已经烂大街了,我丢一个非主流的EAT Hook函数。
就是不走寻常路。
#pragma once
//////////////////////////////////////////////////////////////////////////
/*Eat hook
参数:szDllName DLL路径
szApiName hook函数名
lpHookNew 新函数地址
返回:lpOldAddr 老函数地址
*/
LPVOID EatHook(char *szDllName,char *szApiName,LPVOID lpHookNew)
{
HMODULE hMod = NULL;
LPVOID lpOldAddr = NULL;//Old func address
DWORD index=0;
DWORD dwOldProtect;
if((hMod = GetModuleHandle(szDllName)) == NULL )//get dll HMODULE
if((hMod = LoadLibrary(szDllName)) == NULL)
return NULL;
__try
{
IMAGE_DOS_HEADER * DosHeader =(PIMAGE_DOS_HEADER)hMod;
IMAGE_OPTIONAL_HEADER * Opthdr =(PIMAGE_OPTIONAL_HEADER)((DWORD)hMod+DosHeader->e_lfanew+24);
if(Opthdr)
{
PIMAGE_EXPORT_DIRECTORY Export =(PIMAGE_EXPORT_DIRECTORY)((BYTE*)DosHeader+ Opthdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
if(Export)
{
PULONG pAddressOfFunctions = (ULONG*)((BYTE*)hMod+Export->AddressOfFunctions);
PULONG pAddressOfNames = (ULONG*)((BYTE*)hMod+Export->AddressOfNames);
PUSHORT pAddressOfNameOrdinals = (USHORT*)((BYTE*)hMod+Export->AddressOfNameOrdinals);
if(pAddressOfFunctions && pAddressOfNames && pAddressOfNameOrdinals)
{
for (int i=0;i <Export->NumberOfNames; i++)
{
index=pAddressOfNameOrdinals[i];
if(index >= 0 )
{
char *pFuncName = (char*)( (BYTE*)hMod + pAddressOfNames[i]);
if (_stricmp( (char*)pFuncName,szApiName) == 0)
{
lpOldAddr = (LPVOID)((DWORD)hMod + pAddressOfFunctions[index]);
break;
}
}
}
if(!VirtualProtectEx(GetCurrentProcess(),&pAddressOfFunctions[index],sizeof(DWORD),PAGE_EXECUTE_READWRITE,&dwOldProtect))
return NULL;
pAddressOfFunctions[index] =(DWORD)lpHookNew - (DWORD)hMod;
}
}
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return NULL;
}
return lpOldAddr;
}
//////////////////////////////////////////////////////////////////////////