|
小伟的小伟 荣誉版主
  
用户禁止访问
|
1楼
大 中
小 发表于 2008-8-20 23:20 只看该作者
【原创】科普一下如何对抗IAT Hook
绕过IAT Hook的方法。
处理一下可以恢复InlineHook。
 引用://0GiNr.com 小伟的小伟
//转载请保留出处。
//获取函数的原始地址,以此绕过IAT Hook
//原理:读取文件,从导出表里面弄偏移,然后加上加载基址即可。
//参考文献:《加密与解密 第三版》,也就是我学习PE结构的书。
//当初通过潜龙收购,可惜。。。。。。。。
#include <windows.h>
#include <stdio.h>
#include <imagehlp.h>
#pragma comment(lib,"imagehlp")
typedef int (WINAPI *pfnMessageBoxA)(
HWND hWnd,
LPCSTR lpText,
LPCSTR lpCaption,
UINT uType
);//函数原型
pfnMessageBoxA OrigMessageBoxA = NULL;//保存原始函数地址
LPVOID RvaToPtr(PIMAGE_NT_HEADERS pNtH,LPVOID ImageBase,DWORD dwRVA);//转化成文件偏移
DWORD GetOrigMessageBoxAAddress();//获取函数原始地址
int main(int argc, char* argv[])
{
printf("AntiIATHook Demo\nBy XiaoWei[0GiNr]\n");
printf("http://www.0GiNr.com\n");
printf("http://0Gsns.com\n");
printf("http://hi.baidu.com/zoo%%5F\n\n");
OrigMessageBoxA = (pfnMessageBoxA)GetOrigMessageBoxAAddress();
printf("OrigMessageBoxA = 0x%08lX\n",OrigMessageBoxA);
OrigMessageBoxA(0,"0GiNr","0GiNr",0);
getchar();
return 0;
}
LPVOID RvaToPtr(PIMAGE_NT_HEADERS pNtH,LPVOID ImageBase,DWORD dwRVA)
{
return ImageRvaToVa(pNtH,ImageBase,dwRVA,NULL);
}
DWORD GetOrigMessageBoxAAddress()
{
LPVOID lpBass = NULL;
HANDLE hMapFile = NULL;
HANDLE hFile = NULL;
PIMAGE_DOS_HEADER pDH = NULL;
PIMAGE_NT_HEADERS pNH = NULL;
PIMAGE_OPTIONAL_HEADER pOH = NULL;
PIMAGE_EXPORT_DIRECTORY pED = NULL;
DWORD dwDataStartRVA = 0;
PDWORD pdwRvas, pdwNames;
PWORD pwOrds;
UINT iNumOfName;
char *szFuncName;
int i,j;
HMODULE hUser32;
DWORD dwRetAddr;
//////////////////////////////////////////////////////////////////////////
::LoadLibraryA("user32.dll");//load一下。
hUser32 = GetModuleHandleA("user32.dll");
if (!hUser32) {
printf("Get User32 Base Error..\n");
goto __exit;
}
hFile = ::CreateFileA(
"c:\\windows\\system32\\user32.dll",
GENERIC_READ,
FILE_SHARE_READ,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if ( hFile == INVALID_HANDLE_VALUE ) {
printf("open file error..\n");
goto __exit;
}
hMapFile = ::CreateFileMappingA(
hFile,
NULL,
PAGE_READONLY,
NULL,
NULL,
NULL);
if ( hMapFile == INVALID_HANDLE_VALUE ) {
printf("CreateFileMappingA error..\n");
goto __exit;
}
lpBass = MapViewOfFile(
hMapFile,
FILE_MAP_READ,
0,
0,
0);
if ( !lpBass ) {
printf("CreateFileMappingA error..\n");
goto __exit;
}
pDH = (PIMAGE_DOS_HEADER)lpBass;
pNH = (PIMAGE_NT_HEADERS)((DWORD)pDH + pDH->e_lfanew);
pOH = &pNH->OptionalHeader;
dwDataStartRVA = pOH->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
pED = (PIMAGE_EXPORT_DIRECTORY)RvaToPtr(pNH,lpBass,dwDataStartRVA);
pwOrds = (PWORD)RvaToPtr(pNH, lpBass,pED->AddressOfNameOrdinals);
pdwRvas = (PDWORD)RvaToPtr(pNH, lpBass,pED->AddressOfFunctions);
pdwNames = (PDWORD)RvaToPtr(pNH, lpBass,pED->AddressOfNames);
iNumOfName = pED->NumberOfNames;
for (i = 0;i<pED->NumberOfFunctions;i++) {
if (*pdwRvas) {
for (j = 0;j<iNumOfName;j++) {
if ( i == pwOrds[j] ) {
szFuncName = (char*)RvaToPtr(pNH,lpBass,pdwNames[j]);
break;
}
}
if ( !strcmp(szFuncName,"MessageBoxA") ) {
printf("*pdwRvas : 0x%08lX..\n",*pdwRvas);
dwRetAddr = (DWORD)hUser32 + *pdwRvas;//文件偏移加上加载地址,得到原始函数地址。
goto __exit;
}
pdwRvas++;
}
}
__exit:
if (lpBass)
::UnmapViewOfFile(lpBass);
::CloseHandle(hFile);
::CloseHandle(hMapFile);
return dwRetAddr;
} [ 本帖最后由 Liangent 于 2008-9-15 01:38 编辑 ] 附件: 您所在的用户组无法下载或查看附件
|
