Nytro

[C] IAT Hooker ( not the bad kind )


[C] IAT Hooker ( not the bad kind )

Author:

Kazan

So basically I got interested in the PE file structure and came up with this, a local function hooker.

It basically finds the address of a function imported from a specific loaded module and changes that address to a function defined by the user.

This is interesting and fun with DLL injections and the like. Plus, it's just one call to do the whole work:

FARPROC WINAPI ReplaceIATEntry( HMODULE hModuleHookFrom ,
const char * szModuleFileName ,
const char * szFunctionName ,
FARPROC frNewProc);

#include <stdio.h>
#include <windows.h>

LPVOID IsDosStub(LPVOID Data);
FARPROC WINAPI ReplaceIATEntry( HMODULE hModuleHookFrom ,
const char * szModuleFileName ,
const char * szFunctionName ,
FARPROC frNewProc);

FARPROC Original_MessageBox=0;/* address of the real MessageBoxA; set by main() from ReplaceIATEntry's return value and read by MessageBox_B to forward the call */

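/*
 * Replacement for MessageBoxA that main() installs into this module's IAT.
 * Forwards to the real MessageBoxA (Original_MessageBox) with the caller's
 * text, a fixed caption "Hooked etc." and type 0; the caller's caption and
 * type arguments are deliberately ignored.
 *
 * It must be declared WINAPI (stdcall on x86) and return int: the IAT slot it
 * replaces is invoked with MessageBoxA's calling convention and signature, so
 * a cdecl function returning FARPROC, as originally written, would corrupt the
 * caller's stack on 32-bit builds.
 *
 * Returns what the real MessageBoxA returns, or 0 if Original_MessageBox has
 * not been filled in yet (so the hook never calls through a null pointer).
 */
typedef int (WINAPI *MessageBoxA_t)(HWND, LPCSTR, LPCSTR, UINT);

int WINAPI MessageBox_B ( HWND h_wind,LPCSTR lp_mess ,LPCSTR lp_cap,UINT i_ses )
{
    MessageBoxA_t real = (MessageBoxA_t)Original_MessageBox;
    (void)lp_cap;   /* overridden by the fixed caption below */
    (void)i_ses;    /* overridden by the fixed type below */
    if (real == NULL)
        return 0;   /* nothing to forward to: original address not recorded yet */
    return real(h_wind, lp_mess, "Hooked etc.", 0);
}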

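/*
 * Demo entry point: redirects this executable's import of user32!MessageBoxA to
 * MessageBox_B, then calls MessageBox() once so that (in an ANSI build, where
 * MessageBox is MessageBoxA) the call resolves through the patched IAT slot.
 *
 * Returns 0 when the hook was installed.  On failure the original code returns
 * GetLastError(); that is kept for compatibility, but ReplaceIATEntry never
 * calls SetLastError(), so the value may be 0 or stale from an earlier API
 * call and is not a reliable diagnostic.
 */
int main(void)
{
    Original_MessageBox = ReplaceIATEntry(GetModuleHandle(0), "user32.dll",
                                          "MessageBoxA", (FARPROC)MessageBox_B);
    if (Original_MessageBox == 0)
        return GetLastError(); /* hook not installed; see note above */
    MessageBox(0, "Success", 0, 0); /* expected to go through the hooked entry */
    return 0;
}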

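/*
 * Validate the DOS header at the start of a mapped image and return a pointer
 * to where its NT headers should be (base + e_lfanew).
 *
 * @param data  base address of a loaded module (an HMODULE cast to LPVOID).
 * @return pointer to the expected IMAGE_NT_HEADERS, or 0 if the header is not
 *         readable, the "MZ" signature is missing, or e_lfanew is negative.
 *         The caller must still check the NT signature itself; no upper bound
 *         on e_lfanew is enforced here because the image size is not known.
 *
 * NOTE(review): IsBadReadPtr is deprecated by Microsoft (it is not reliable
 * with concurrent memory changes and can touch guard pages); structured
 * exception handling around the access is the documented alternative.
 */
LPVOID IsDosStub(LPVOID data)
{
    IMAGE_DOS_HEADER *Doshdr = data;
    if (IsBadReadPtr(Doshdr, sizeof(IMAGE_DOS_HEADER)))
        return 0;
    if (Doshdr->e_magic != IMAGE_DOS_SIGNATURE)
        return 0;
    if (Doshdr->e_lfanew < 0) /* e_lfanew is signed; a negative offset points before the image */
        return 0;
    /* pointer arithmetic on void* is a GCC extension; use a byte pointer */
    return (unsigned char *)data + Doshdr->e_lfanew;
}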

/*
 * Redirect one import of a loaded module.
 *
 * Walks the import descriptor table of hModuleHookFrom, finds the descriptor
 * whose DLL name matches szModuleFileName (case-insensitively), then scans
 * that descriptor's FirstThunk array (the IAT) for the slot currently holding
 * the address GetProcAddress() returns for szFunctionName, and overwrites that
 * slot with frNewProc.
 *
 * @param hModuleHookFrom   base of the module whose imports are patched
 *                          (main() passes GetModuleHandle(0), i.e. the EXE).
 * @param szModuleFileName  DLL name as it appears in the import table
 *                          (e.g. "user32.dll").
 * @param szFunctionName    export name resolved through GetProcAddress.
 * @param frNewProc         replacement; must have the same signature and
 *                          calling convention as the function it replaces.
 * @return the original function address on success, 0 on any failure.
 *         SetLastError() is never called, so GetLastError() tells the caller
 *         nothing after a 0 return.
 *
 * NOTE(review): defects in this implementation, left as written here:
 *  - The `ImageImpDescriptor == 0` test can never fire: the pointer is Doshdr
 *    plus an RVA, so an image without an import table (RVA 0) yields Doshdr
 *    itself and the loop reads the DOS header as a descriptor.  The directory
 *    entry's VirtualAddress (and Size) should be tested instead.
 *  - The DEBUG printf in the descriptor loop references `pszModName`, which is
 *    never declared (the variable is `szModuleName`), so DEBUG builds do not
 *    compile.
 *  - In the IsBadWritePtr() branch the slot is rewritten with frOriginalProc
 *    rather than frNewProc, so when the IAT page is read-only the function
 *    reports success without changing anything; both VirtualProtect() results
 *    (dwRet) are also ignored.
 *  - The literal size 4 and the (DWORD) casts assume a 32-bit image; on a
 *    build where u1.Function is 8 bytes wide the store truncates the pointer.
 *  - IsBadCodePtr/IsBadReadPtr/IsBadWritePtr are deprecated: they are not
 *    reliable in a multithreaded process and can consume guard pages.
 *  - stricmp is the pre-ANSI name; _stricmp is the conforming MSVC spelling.
 *
 * From a defender's view, the comparison done below is also what an IAT
 * integrity check performs in reverse: a slot whose value no longer equals
 * GetProcAddress() of the named import (or lies outside the imported DLL's
 * mapped range) is the signature of exactly this kind of modification.
 */
FARPROC WINAPI ReplaceIATEntry( HMODULE hModuleHookFrom ,
const char * szModuleFileName ,
const char * szFunctionName ,
FARPROC frNewProc)
{
FARPROC frOriginalProc ;
IMAGE_DOS_HEADER * Doshdr ;
IMAGE_NT_HEADERS * ImageNt ;
IMAGE_IMPORT_DESCRIPTOR * ImageImpDescriptor ;
IMAGE_THUNK_DATA * ImageThunk ;

DWORD dwRet , dwOld , dw; /* dwRet: VirtualProtect result (never checked); dwOld/dw: previous page protection */
BOOLEAN bModuleFound=FALSE;

if ( hModuleHookFrom == NULL)
return 0;

if ( IsBadCodePtr(frNewProc ) ) /* deprecated probe; see NOTE(review) above */
{
#ifdef DEBUG
printf("Invalid code pointer %08X\r\n",frNewProc);
#endif
return 0;
}

/* Resolve the address the IAT slot is expected to hold.  If the DLL is not
 * loaded, GetModuleHandle returns NULL and GetProcAddress fails. */
frOriginalProc = GetProcAddress ( GetModuleHandle ( szModuleFileName ) , szFunctionName );

if (!frOriginalProc)
{
#ifdef DEBUG
puts("Function inexistant in module");
#endif
return 0;
}
#ifdef DEBUG
printf("Original function address %08X\r\n",frOriginalProc);
#endif
/* An HMODULE is the mapped image base, which starts with the DOS header.
 * (unsigned char* to IMAGE_DOS_HEADER* is an incompatible-pointer assignment
 * that compilers warn about; a direct cast would be cleaner.) */
Doshdr = (unsigned char*)hModuleHookFrom;

if ( IsBadReadPtr(Doshdr, sizeof(IMAGE_DOS_HEADER)) ) /* DOS header readable? */
return 0;

/* IsDosStub checks the "MZ" signature and returns base + e_lfanew. */
ImageNt = IsDosStub(Doshdr);

if ( ImageNt == 0 )
return 0;

if ( IsBadReadPtr(ImageNt, sizeof(IMAGE_NT_HEADERS)) ) /* NT headers readable? */
return 0;

if ( ImageNt->Signature != IMAGE_NT_SIGNATURE ) /* "PE\0\0" */
return 0;

/* Import directory RVA is relative to the image base.  See NOTE(review):
 * the following == 0 test should be on the RVA, not on this sum. */
ImageImpDescriptor = (unsigned char*)Doshdr+ImageNt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;

if (ImageImpDescriptor == 0 )
return 0;

/* The descriptor array is terminated by an all-zero entry (Name == 0). */
while ( ImageImpDescriptor->Name )
{
char * szModuleName = (unsigned char*) Doshdr + ImageImpDescriptor->Name; /* RVA of the DLL name string */
#ifdef DEBUG
printf("Current Module : %s\r\n",pszModName ); /* BUG: pszModName is undeclared; should be szModuleName */
#endif
if ( stricmp(szModuleName, szModuleFileName) == 0 ) /* case-insensitive DLL name match */
{
bModuleFound++;
break;
}

ImageImpDescriptor++;
}

if ( !bModuleFound )
return 0;

/* FirstThunk is the IAT for this DLL: an array of resolved addresses, ended by a zero entry. */
ImageThunk = (unsigned char*)Doshdr + ImageImpDescriptor->FirstThunk ;

while ( ImageThunk->u1.Function )
{
#ifdef DEBUG
printf(" Current Function address %08X\r\n", ImageThunk->u1.Function );
#endif

/* Match by value: the slot must still hold the address GetProcAddress gave.
 * A slot already redirected by someone else will not match and we return 0. */
if ( (unsigned char*)ImageThunk->u1.Function == (unsigned char*)frOriginalProc )
{
#ifdef DEBUG
printf(" Original function address call found ( %08X ) \r\n" , frOriginalProc );
#endif
if (IsBadWritePtr( &ImageThunk->u1.Function, 4) )/* page is not writable: 4 == sizeof a 32-bit slot */
{
dwRet = VirtualProtect( &ImageThunk->u1.Function, 4,
PAGE_EXECUTE_READWRITE, &dwOld ); /* make the slot writable; result unchecked */

/* BUG: writes the original address back, so no redirection happens on this path;
 * frNewProc is what should be stored here (see NOTE(review) above). */
ImageThunk->u1.Function = (DWORD)(unsigned char*)frOriginalProc;

dwRet = VirtualProtect( &ImageThunk->u1.Function, 4,
dwOld, &dw ); /* restore previous protection; result unchecked */
}
else ImageThunk->u1.Function = (DWORD)(unsigned char*)frNewProc;/* writable page: store the replacement directly (DWORD cast truncates on 64-bit) */
return frOriginalProc;
}
ImageThunk++;
}
return 0; /* import found but no slot held the resolved address */
}


Sursa: IAT Hooker ( not the bad kind ) - rohitab.com - Forums
