Restoring an IAT Hook (Ring3)
程序员文章站
2022-06-10 14:45:29
...
The idea behind restoring the hook is: first obtain the function's real address from the target module's export table; then, in the import table's bridge 1 (the name table, OriginalFirstThunk), find the entry whose imported function name matches the function we are looking for; finally overwrite the function address in bridge 2 (the address table, FirstThunk) with the original address.
The key code is attached:
```cpp
#include <windows.h>

// Restore one IAT entry of the current process: look up the genuine address in the
// target module's export table, find the import by name through bridge 1
// (OriginalFirstThunk, the INT), then overwrite the slot in bridge 2 (FirstThunk, the IAT).
// Returns TRUE only if a slot was actually rewritten.
BOOL RecoverIATHook(const char *ModuleName, const char *FindFunctionName)
{
    BOOL IsFind = FALSE;
    BOOL Restored = FALSE;
    DWORD OldProtect;
    HMODULE TargetModule = LoadLibraryA(ModuleName);
    if (TargetModule == NULL)
        return FALSE;
    // Genuine function address from the target module's export table
    DWORD_PTR OriginalAddress = (DWORD_PTR)GetProcAddress(TargetModule, FindFunctionName);
    if (OriginalAddress == 0)
        return FALSE;
    HMODULE ModuleHandle = GetModuleHandle(NULL); // base address of the process's main module
    IMAGE_DOS_HEADER* ImageDosHeader = (PIMAGE_DOS_HEADER)ModuleHandle;
    IMAGE_NT_HEADERS* ImageNtHeaders = (PIMAGE_NT_HEADERS)((BYTE*)ModuleHandle + ImageDosHeader->e_lfanew);
    DWORD ImportRva = ImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (ImportRva == 0) // the module has no import table
        return FALSE;
    IMAGE_IMPORT_DESCRIPTOR* ImageImportDescriptor =
        (PIMAGE_IMPORT_DESCRIPTOR)((BYTE*)ImageDosHeader + ImportRva);
    while (ImageImportDescriptor->FirstThunk)
    {
        // Match the module name against each import descriptor
        char* DllName = (char*)((BYTE*)ImageDosHeader + ImageImportDescriptor->Name);
        if (lstrcmpiA(ModuleName, DllName) == 0) // case-insensitive comparison
        {
            IsFind = TRUE;
            break;
        }
        ImageImportDescriptor++;
    }
    // Without bridge 1 (OriginalFirstThunk == 0) the names are gone once the loader has
    // written addresses into FirstThunk, so a by-name search is not possible.
    if (IsFind == TRUE && ImageImportDescriptor->OriginalFirstThunk != 0)
    {
        // Match the function name: walk bridge 1 (names) and bridge 2 (addresses) in lockstep
        IMAGE_THUNK_DATA* ImageThunkData = (PIMAGE_THUNK_DATA)((BYTE*)ModuleHandle + ImageImportDescriptor->OriginalFirstThunk);
        IMAGE_THUNK_DATA* ImageThunkAddressData = (PIMAGE_THUNK_DATA)((BYTE*)ModuleHandle + ImageImportDescriptor->FirstThunk);
        while (ImageThunkData->u1.AddressOfData)
        {
            // Ordinal imports carry no name; skip them instead of treating the ordinal as an RVA
            if (!IMAGE_SNAP_BY_ORDINAL(ImageThunkData->u1.Ordinal))
            {
                char* FunctionName =
                    ((PIMAGE_IMPORT_BY_NAME)((BYTE*)ModuleHandle + ImageThunkData->u1.AddressOfData))->Name;
                if (lstrcmpiA(FunctionName, FindFunctionName) == 0)
                {
                    // Rewrite the address slot; the IAT page is normally read-only
                    if (VirtualProtect(&ImageThunkAddressData->u1.Function,
                                       sizeof(ImageThunkAddressData->u1.Function),
                                       PAGE_READWRITE, &OldProtect))
                    {
                        ImageThunkAddressData->u1.Function = OriginalAddress; // write the original address back into the slot
                        VirtualProtect(&ImageThunkAddressData->u1.Function,
                                       sizeof(ImageThunkAddressData->u1.Function),
                                       OldProtect, &OldProtect);
                        Restored = TRUE;
                    }
                    break;
                }
            }
            ImageThunkData++;
            ImageThunkAddressData++;
        }
    }
    return Restored;
}
```
After restoring the hook:
The verification of the result continues from the previous post: https://blog.csdn.net/qq_42253797/article/details/105832350
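The same bridge-1/bridge-2 walk, run without the write, doubles as an IAT integrity scan: every by-name import whose bridge-2 slot differs from the export-table address is a hooked slot. The following added example (not code from the original post) shows that scan and the restore step over a constructed in-memory image, so it runs without Windows: the ImportDescriptor and ImportByName structs are assumed stand-ins for the 32-bit IMAGE_IMPORT_DESCRIPTOR and IMAGE_IMPORT_BY_NAME layouts, resolve_export is a made-up export table standing in for GetProcAddress, the RVAs and addresses are constructed, and the CreateFileA slot is pre-redirected to a fake stub. It also handles the ordinal-import case the page's code does not mention.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the 32-bit Windows structures the page's code walks
   (assumption: same field order and sizes as IMAGE_IMPORT_DESCRIPTOR,
   IMAGE_THUNK_DATA32 and IMAGE_IMPORT_BY_NAME; Name is fixed-size here). */
typedef struct {
    uint32_t OriginalFirstThunk; /* RVA of bridge 1, the INT (names)     */
    uint32_t TimeDateStamp;
    uint32_t ForwarderChain;
    uint32_t Name;               /* RVA of the DLL name string           */
    uint32_t FirstThunk;         /* RVA of bridge 2, the IAT (addresses) */
} ImportDescriptor;

typedef struct {
    uint16_t Hint;
    char     Name[16];
} ImportByName;

#define ORDINAL_FLAG32 0x80000000u   /* IMAGE_ORDINAL_FLAG32: import by ordinal */

/* Constructed flat image; every RVA below is an offset into this buffer. */
#define IMG_SIZE 0x200
static union { uint8_t bytes[IMG_SIZE]; uint32_t align; } img;
#define image img.bytes
enum { RVA_DESC = 0x000, RVA_DLLNAME = 0x040, RVA_INT = 0x060, RVA_IAT = 0x080,
       RVA_FN0 = 0x100, RVA_FN1 = 0x120 };

/* Constructed export table of the target DLL: the genuine addresses
   (made-up values standing in for GetProcAddress results). */
uint32_t resolve_export(const char *name) {
    if (strcmp(name, "CreateFileA") == 0) return 0x7C801A28u;
    if (strcmp(name, "ReadFile") == 0)    return 0x7C801812u;
    return 0;
}

static int ieq(const char *a, const char *b) { /* case-insensitive compare, like lstrcmpiA */
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Build the sample image: two by-name imports from kernel32.dll, with the
   CreateFileA slot in bridge 2 already redirected to a hook stub. */
void build_sample_image(void) {
    memset(image, 0, sizeof image);
    ImportDescriptor *d = (ImportDescriptor *)(image + RVA_DESC);
    d[0].OriginalFirstThunk = RVA_INT;
    d[0].Name = RVA_DLLNAME;
    d[0].FirstThunk = RVA_IAT;             /* d[1] stays zero: list terminator */
    strcpy((char *)(image + RVA_DLLNAME), "kernel32.dll");
    ImportByName *f0 = (ImportByName *)(image + RVA_FN0);
    ImportByName *f1 = (ImportByName *)(image + RVA_FN1);
    f0->Hint = 0x30; strcpy(f0->Name, "CreateFileA");
    f1->Hint = 0x31; strcpy(f1->Name, "ReadFile");
    uint32_t *int_ = (uint32_t *)(image + RVA_INT);
    uint32_t *iat  = (uint32_t *)(image + RVA_IAT);
    int_[0] = RVA_FN0; int_[1] = RVA_FN1; int_[2] = 0;
    iat[0] = 0x00401000u;                  /* hooked: points at a stub, not kernel32 */
    iat[1] = resolve_export("ReadFile");   /* intact */
    iat[2] = 0;
}

/* Walk the descriptors for `dll`; for every by-name import compare the
   bridge-2 slot with the export-table address and count the differences.
   With restore != 0 the divergent slots are written back to the genuine address. */
int check_iat(const char *dll, int restore) {
    int mismatches = 0;
    for (ImportDescriptor *d = (ImportDescriptor *)(image + RVA_DESC); d->FirstThunk; d++) {
        const char *dllname = (const char *)(image + d->Name);
        if (!ieq(dllname, dll)) continue;
        /* Names come from bridge 1; a hooked bridge 2 has nothing to match on. */
        const uint32_t *int_ = (const uint32_t *)(image + d->OriginalFirstThunk);
        uint32_t *iat = (uint32_t *)(image + d->FirstThunk);
        for (; *int_; int_++, iat++) {
            if (*int_ & ORDINAL_FLAG32) continue;   /* ordinal import: no name to look up */
            const char *fn = ((ImportByName *)(image + *int_))->Name;
            uint32_t genuine = resolve_export(fn);
            if (genuine == 0 || *iat == genuine) continue;
            mismatches++;
            printf("%s!%s: slot 0x%08x, export 0x%08x%s\n", dllname, fn,
                   (unsigned)*iat, (unsigned)genuine, restore ? " -> restored" : "");
            if (restore) *iat = genuine;  /* on Windows: VirtualProtect around this write */
        }
    }
    return mismatches;
}

/* Read back a bridge-2 slot of the sample image (for inspecting the result). */
uint32_t iat_slot(int index) { return ((uint32_t *)(image + RVA_IAT))[index]; }

int main(void) {
    build_sample_image();
    int before = check_iat("KERNEL32.DLL", 0);   /* report only */
    check_iat("KERNEL32.DLL", 1);                /* restore */
    int after = check_iat("KERNEL32.DLL", 0);
    printf("hooked slots before: %d, after: %d\n", before, after);
    return after == 0 ? 0 : 1;
}
```

The scan walks by bridge 1 rather than bridge 2 for the same reason the page's code does: once a slot is hooked, bridge 2 holds only an address, so the name needed to ask the export table for the genuine value exists nowhere else. Skipping ordinal entries matters because their thunk value is not an RVA, and treating it as one reads out of bounds.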