- 注册时间
- 2011-3-6
- 最后登录
- 1970-1-1
该用户从未签到
|
防IAT检测方法:IAT在指定目标文件的PE结构里面指定了的,我们把自己内存里面做了修改,没有修改目标文件,只要不让目标文件被其他文件映射,读取PE结构和我们内存中修改过的比较,保证能反一切IAT检测。
用法:
Code:
HookImage("ZwSetInformationFile",(DWORD)MyZwSetInformationFile);
HookImage("NtTerminateProcess",(DWORD)MyNtTerminateProcess);
HookImage("NtTerminateThread",(DWORD)MyNtTerminateThread);
HookImport("KERNEL32.DLL","ExitProcess",(DWORD)MyNtTerminateProcess);
RemoveImage("NtTerminateProcess");
[/code]
代码
Code:
/********************************************
挂钩目标程序kernel32.dll里面输入的ntdll.dll的函数
********************************************/
DWORDHookImage(char*szName,DWORDNewfunc)
{
HMODULEhMod=LoadLibrary("NTDLL");
DWORDRealAddr=(DWORD)GetProcAddress(hMod,szName);
UINTSize=0;
hMod=LoadLibrary("kernel32.dll");
PIMAGE_IMPORT_DESCRIPTORpImport=(PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData
(hMod,TRUE,IMAGE_DIRECTORY_ENTRY_IMPORT,&Size);
if(pImport==NULL)
{
returnFALSE;
}
IMAGE_THUNK_DATA32*Pthunk=(IMAGE_THUNK_DATA32*)((DWORD)hMod+pImport->FirstThunk);
MEMORY_BASIC_INFORMATIONmbi;
VirtualQuery(Pthunk,&mbi,sizeof(MEMORY_BASIC_INFORMATION));
VirtualProtect(mbi.BaseAddress,mbi.RegionSize,PAGE_READWRITE,&mbi.Protect);
while(Pthunk->u1.Function)
{
if(RealAddr==Pthunk->u1.Function)
{
Pthunk->u1.Function=Newfunc;
break;
}
Pthunk++;
}
DWORDprotect;
VirtualProtect(mbi.BaseAddress,mbi.RegionSize,mbi.Protect,&protect);
returnTRUE;
}
/********************************************
挂钩目标程序输入表里面的函数
********************************************/
DWORDHookImport(char*szDLL,char*szName,DWORDNewfunc)
{
DWORDprotect;
UINTSize=0;
HMODULEhMod=GetModuleHandle(NULL);
MEMORY_BASIC_INFORMATIONmbi;
PIMAGE_IMPORT_DESCRIPTORpImport=(PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData
(hMod,TRUE,IMAGE_DIRECTORY_ENTRY_IMPORT,&Size);
////改写内存保护,以便转换大小写
VirtualQuery(pImport,&mbi,sizeof(MEMORY_BASIC_INFORMATION));
VirtualProtect(mbi.BaseAddress,mbi.RegionSize,PAGE_READWRITE,&mbi.Protect);
while(pImport->Name)
{
char*pszModName=(char*)((PBYTE)hMod+pImport->Name);
if(_stricmp(pszModName,szDLL)==0)
{
break;
}
pImport++;
}
VirtualProtect(mbi.BaseAddress,mbi.RegionSize,mbi.Protect,&protect);
////改写内存保护结束,改回原来的保护
DWORDRealAddr=(DWORD)GetProcAddress(LoadLibrary(szDLL),szName);
if(pImport==NULL)
{
returnFALSE;
}
IMAGE_THUNK_DATA32*Pthunk=(IMAGE_THUNK_DATA32*)((DWORD)hMod+pImport->FirstThunk);
////改写内存保护,以便写入函数地址
VirtualQuery(Pthunk,&mbi,sizeof(MEMORY_BASIC_INFORMATION));
VirtualProtect(mbi.BaseAddress,mbi.RegionSize,PAGE_READWRITE,&mbi.Protect);
while(Pthunk->u1.Function)
{
if(RealAddr==Pthunk->u1.Function)
{
Pthunk->u1.Function=Newfunc;
break;
}
Pthunk++;
}
VirtualProtect(mbi.BaseAddress,mbi.RegionSize,mbi.Protect,&protect);
////改写内存保护,改回原来的保护
returnTRUE;
}
/********************************************
清除目标程序的ntdll的函数名字
********************************************/
BOOLRemoveImage(char*szName)
{
HMODULEhMod=LoadLibrary("kernel32.dll");
UINTSize=0;
PIMAGE_IMPORT_DESCRIPTORpImport=(PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData
(hMod,TRUE,IMAGE_DIRECTORY_ENTRY_IMPORT,&Size);
DWORD*pName=(DWORD*)((DWORD)hMod+pImport->OriginalFirstThunk);
while(pName)
{
char*pAddr=(char*)(*pName+(DWORD)hMod+2);
if(!(strcmp(pAddr,szName)))
{
DWORDProtect;
VirtualProtect(pAddr,strlen(pAddr),PAGE_READWRITE,& rotect);
memset(pAddr,0,strlen(pAddr));
VirtualProtect(pAddr,strlen(pAddr),Protect,pName);
break;
}
pName++;
}
returnTRUE;
}
[/code] |
|
发表于 2017-6-1 17:20:50