绕过IAT Hook的方法。
处理一下可以恢复InlineHook。
- //获取函数的原始地址,以此绕过IAT Hook
- //原理:读取文件,从导出表里面弄偏移,然后加上加载基址即可。
- //参考文献:《加密与解密 第三版》,也就是我学习PE结构的书。
#include <windows.h>
#include <imagehlp.h>
#include <stdio.h>
#include <string.h>
#pragma comment(lib,"imagehlp")
/* Prototype of user32!MessageBoxA; used to call the address resolved below. */
typedef int (WINAPI *pfnMessageBoxA)(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);

/* Set by main() to the MessageBoxA address taken from the on-disk export table. */
pfnMessageBoxA OrigMessageBoxA = NULL;

/* Translate an RVA inside the file-mapped image into a pointer into that mapping. */
LPVOID RvaToPtr(PIMAGE_NT_HEADERS pNtH, LPVOID ImageBase, DWORD dwRVA);

/* Resolve MessageBoxA from user32.dll's export table on disk plus the loaded base. */
DWORD GetOrigMessageBoxAAddress();
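/*
 * Entry point of the demo: print the banner, resolve MessageBoxA through the
 * on-disk export table (GetOrigMessageBoxAAddress) and call it via that
 * address.
 *
 * Returns 0 on success and 1 when the lookup fails. The original called the
 * resolved pointer unconditionally, so a failed lookup (0) crashed.
 */
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    printf("AntiIATHook Demo\nBy XiaoWei[0GiNr]\n");
    printf("http://www.0GiNr.com\n");
    printf("http://0Gsns.com\n");
    printf("http://hi.baidu.com/zoo%%5F\n\n");

    OrigMessageBoxA = (pfnMessageBoxA)GetOrigMessageBoxAAddress();
    if (!OrigMessageBoxA) {
        printf("GetOrigMessageBoxAAddress failed..\n");
        getchar();
        return 1;
    }

    /* %p, not %08lX: a function pointer is not a long, and the old format
     * was undefined behaviour in the varargs call. */
    printf("OrigMessageBoxA = 0x%p\n", (void*)OrigMessageBoxA);
    OrigMessageBoxA(0,"0GiNr","0GiNr",0);
    getchar();
    return 0;
}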
/*
 * Convert an RVA of the image described by pNtH into a pointer into the
 * file mapping that starts at ImageBase.
 *
 * Thin wrapper over ImageRvaToVa (imagehlp); the optional section cache is
 * not used. Whatever ImageRvaToVa returns is passed through unchanged.
 */
LPVOID RvaToPtr(PIMAGE_NT_HEADERS pNtH, LPVOID ImageBase, DWORD dwRVA)
{
    PVOID pMapped = ImageRvaToVa(pNtH, ImageBase, dwRVA, NULL);
    return pMapped;
}
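/*
 * Look up an exported function by name in a file-mapped (not loaded) PE image.
 *
 * pNH      - NT headers of the mapped image
 * lpBase   - start of the file mapping
 * szWanted - export name to find
 *
 * Returns the export's RVA, or 0 when the image has no export directory, the
 * directory cannot be mapped, or the name is absent.
 *
 * AddressOfNames and AddressOfNameOrdinals are parallel arrays; the ordinal
 * indexes AddressOfFunctions. This replaces the original O(n*m) scan, which
 * also stopped advancing its RVA pointer on an empty export slot and compared
 * an uninitialised name pointer when an ordinal had no name.
 * NOTE(review): a returned RVA that falls inside the export directory would be
 * a forwarder string rather than code; not handled here -- confirm before
 * relying on this for names other than the one this demo resolves.
 */
static DWORD FindExportRva(PIMAGE_NT_HEADERS pNH, LPVOID lpBase, const char *szWanted)
{
    DWORD dwExportRva = pNH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    PIMAGE_EXPORT_DIRECTORY pED = NULL;
    PDWORD pdwRvas = NULL;
    PDWORD pdwNames = NULL;
    PWORD pwOrds = NULL;
    DWORD j;

    if (!dwExportRva)
        return 0;
    pED = (PIMAGE_EXPORT_DIRECTORY)RvaToPtr(pNH, lpBase, dwExportRva);
    if (!pED)
        return 0;

    pdwRvas  = (PDWORD)RvaToPtr(pNH, lpBase, pED->AddressOfFunctions);
    pdwNames = (PDWORD)RvaToPtr(pNH, lpBase, pED->AddressOfNames);
    pwOrds   = (PWORD)RvaToPtr(pNH, lpBase, pED->AddressOfNameOrdinals);
    if (!pdwRvas || !pdwNames || !pwOrds)
        return 0;

    for (j = 0; j < pED->NumberOfNames; j++) {
        const char *szName = (const char *)RvaToPtr(pNH, lpBase, pdwNames[j]);
        WORD wOrd = pwOrds[j];
        /* Skip unmappable names and ordinals outside the function table. */
        if (!szName || wOrd >= pED->NumberOfFunctions)
            continue;
        if (strcmp(szName, szWanted) == 0)
            return pdwRvas[wOrd];
    }
    return 0;
}

/*
 * Resolve MessageBoxA's entry point from user32.dll's export table as stored
 * on disk, then add the base of the user32.dll already loaded in this process.
 *
 * Returns that address, or 0 on any failure (module not loadable, file not
 * found, mapping failed, not a PE file, export missing). The original
 * returned an uninitialised DWORD on failure.
 *
 * Caveats visible in this code:
 *  - the path is hard-coded, so it must be the same file that is loaded in
 *    this process for the RVA to be meaningful;
 *  - DWORD only holds a 32-bit address; the signature is kept for the forward
 *    declaration, so this is a 32-bit-process demo;
 *  - only the IAT slot is sidestepped -- the returned address is inside the
 *    live module, whose code is whatever is currently mapped there;
 *  - the LoadLibraryA reference is intentionally not released so the base
 *    the caller receives stays mapped.
 * From a defender's point of view, opening and file-mapping a system DLL that
 * is already loaded is itself an observable pattern.
 */
DWORD GetOrigMessageBoxAAddress()
{
    DWORD dwRetAddr = 0;                 /* 0 == failure */
    HMODULE hUser32 = NULL;
    HANDLE hFile = INVALID_HANDLE_VALUE; /* CreateFileA's failure value */
    HANDLE hMapFile = NULL;              /* CreateFileMappingA fails with NULL, not INVALID_HANDLE_VALUE */
    LPVOID lpBase = NULL;
    PIMAGE_DOS_HEADER pDH = NULL;
    PIMAGE_NT_HEADERS pNH = NULL;
    DWORD dwFuncRva = 0;

    /* LoadLibraryA already returns the module base; no second lookup needed. */
    hUser32 = ::LoadLibraryA("user32.dll");
    if (!hUser32) {
        printf("Get User32 Base Error..\n");
        goto __exit;
    }

    hFile = ::CreateFileA(
        "c:\\windows\\system32\\user32.dll",
        GENERIC_READ,
        FILE_SHARE_READ,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("open file error..\n");
        goto __exit;
    }

    /* Size parameters are DWORDs; 0/0 maps the whole file. */
    hMapFile = ::CreateFileMappingA(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
    if (!hMapFile) {
        printf("CreateFileMappingA error..\n");
        goto __exit;
    }

    lpBase = ::MapViewOfFile(hMapFile, FILE_MAP_READ, 0, 0, 0);
    if (!lpBase) {
        printf("MapViewOfFile error..\n");
        goto __exit;
    }

    /* Validate the PE signatures before dereferencing anything derived from
     * file contents; the original walked the headers unchecked. */
    pDH = (PIMAGE_DOS_HEADER)lpBase;
    if (pDH->e_magic != IMAGE_DOS_SIGNATURE) {
        printf("not a DOS/PE image..\n");
        goto __exit;
    }
    /* Byte arithmetic instead of casting the pointer to DWORD, which
     * truncates on 64-bit builds. */
    pNH = (PIMAGE_NT_HEADERS)((PBYTE)lpBase + pDH->e_lfanew);
    if (pNH->Signature != IMAGE_NT_SIGNATURE) {
        printf("bad NT signature..\n");
        goto __exit;
    }

    dwFuncRva = FindExportRva(pNH, lpBase, "MessageBoxA");
    if (!dwFuncRva) {
        printf("MessageBoxA export not found..\n");
        goto __exit;
    }
    printf("*pdwRvas : 0x%08lX..\n", dwFuncRva);
    /* RVA from the file plus the in-memory base gives the entry point. */
    dwRetAddr = (DWORD)(DWORD_PTR)hUser32 + dwFuncRva;

__exit:
    /* Release in reverse order; each guard matches the failure value of the
     * API that produced the handle, so nothing is closed that was never opened. */
    if (lpBase)
        ::UnmapViewOfFile(lpBase);
    if (hMapFile)
        ::CloseHandle(hMapFile);
    if (hFile != INVALID_HANDLE_VALUE)
        ::CloseHandle(hFile);
    return dwRetAddr;
}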