啦啦啦啦啦啦
思路:
1. 从自身 PE 头获取 SizeOfImage 和 ImageBase
2. 在目标进程中远程申请 SizeOfImage 大小的内存(地址由系统决定,一般不等于 ImageBase),记下返回地址:ProcessAddr
3. 本地申请一段 SizeOfImage 大小的缓冲区,把自身映像(基址 ImageBase)整体复制进去
4. 按 ProcessAddr 与 ImageBase 的差值修复缓冲区中的重定位表(参数为:ProcessAddr)
5. 把缓冲区写入目标进程的 ProcessAddr,长度 SizeOfImage
6. 创建远程线程,入口点原型为 DWORD WINAPI Entry(LPVOID lparameter)
7. 在入口点里修复导入表:有的 DLL 在目标进程里尚未加载,有的 DLL 虽已加载但基址与本进程不同,所以原样复制过去的 IAT 不能直接用
// main 下面的代码是自己写的函数,如果要复制粘贴记得先整理格式
// 注释是后期补加的,写得不够好(原本代码里几乎没有注释)😓
#include "MyTools.h"
#include "MyTools2.h"
// IATHook:通过挂钩目标进程 IAT 中的 MessageBoxA 来验证注入和 ImportTable 修复是否成功。注意它只解析 32 位 PE(IMAGE_OPTIONAL_HEADER32 / DWORD 指针运算);写 IAT 时申请的是 PAGE_EXECUTE_READWRITE,IAT 是数据页,PAGE_READWRITE 就够了,写完后应把保护属性改回去
// Address of the real MessageBoxA, resolved in the injecting process when this
// global is initialised; MyMessageBox calls through it and IATHook compares IAT
// entries against it.
// NOTE(review): the value is captured here but used against the target
// process's IAT — it only matches if user32.dll is mapped at the same base in
// both processes; confirm for the target platform.
// LoadLibrary/GetProcAddress results are not checked: a NULL here makes the
// IATHook lookup silently never match and MyMessageBox call a null pointer.
LPVOID pOldFunAddr = GetProcAddress(LoadLibrary("user32.dll"), "MessageBoxA");
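// IAT hook replacement for MessageBoxA.
// Forwards to the real MessageBoxA (pOldFunAddr) with the text swapped for a
// marker so a successful injection + IAT hook is visible on screen, logs the
// call, and returns the real result so the hooked code still sees MessageBoxA's
// normal contract (button id on success, 0 on failure) instead of a constant 0.
INT WINAPI MyMessageBox(HWND hwnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType) {
    typedef INT(WINAPI *MESSAGEBOX)(HWND hwnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);
    // pOldFunAddr comes from an unchecked LoadLibrary/GetProcAddress; calling
    // through NULL would be an indirect call to address 0.
    if (pOldFunAddr == NULL) {
        printf("MyMessageBox: original MessageBoxA not resolved\n");
        return 0;
    }
    INT nRet = ((MESSAGEBOX)pOldFunAddr)(hwnd, "HOOK SUCEESS", "WARNING", uType);
    // %p for the pointer-sized arguments (HWND, LPCSTR): %x on a pointer is
    // undefined behaviour and truncates on 64-bit builds.
    printf("parameter:%p %p %p %x return:%x\n", (void *)hwnd, (const void *)lpText,
           (const void *)lpCaption, uType, (unsigned)nRet);
    return nRet;
}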
VOID IATHook(LPVOID pOldFunAddr, LPVOID MyMessageBox,LPVOID lparameter) {
HMODULE imageBase = (HMODULE)lparameter;
PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)imageBase;
PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)((DWORD)pDosHeader + pDosHeader->e_lfanew);
PIMAGE_FILE_HEADER pFileHeader = (PIMAGE_FILE_HEADER)((DWORD)pNtHeader + 4);
PIMAGE_OPTIONAL_HEADER32 pOptionalHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)pFileHeader +
IMAGE_SIZEOF_FILE_HEADER);
PIMAGE_IMPORT_DESCRIPTOR pImportDes = (PIMAGE_IMPORT_DESCRIPTOR)(pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (DWORD)imageBase);
while (pImportDes->OriginalFirstThunk && pImportDes->FirstThunk) {
PDWORD pIATthunk = (PDWORD)(pImportDes->FirstThunk + (DWORD)imageBase);
while (*pIATthunk) {
if (*pIATthunk == (DWORD)pOldFunAddr) {
DWORD a = 0;
if (!VirtualProtect(pIATthunk,10, PAGE_EXECUTE_READWRITE,&a)) {
printf("VirtualProtectEx faild\n");
MessageBox(0, "VirtualProtectEx", 0, 0);
return;
}
*pIATthunk = (DWORD)MyMessageBox;
break;
}
pIATthunk++;
}
pImportDes
