#include "windows.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <tlhelp32.h>
/* Size in bytes of the stack buffer each hook uses to build its log line. */
#define BUF_SIZE 4096

/* Pointer type for a SetWindowTextW-shaped function (not referenced by the code shown here). */
typedef BOOL (WINAPI *PFSETWINDOWTEXTW)(HWND hWnd, LPWSTR lpString);

/* Addresses of kernel32's ReadFile and WriteFile, filled in by DllMain on process attach. */
LPVOID g_readProc = NULL;
LPVOID g_writeProc = NULL;

/* Replaces pfnOrg with pfnNew in the host executable's import table for szDllName. */
BOOL HookIAT(LPCSTR szDllName, PROC pfnOrg, PROC pfnNew);

/* Replacement for ReadFile: forwards the call and reports the data that was read. */
BOOL WINAPI HookedReadFile(HANDLE hFile,
                           LPVOID lpBuffer,
                           DWORD nNumberOfBytesToRead,
                           LPDWORD lpNumberOfBytesRead,
                           LPOVERLAPPED lpOverlapped);

/* Replacement for WriteFile: reports the data about to be written, then forwards the call. */
BOOL WINAPI HookedWriteFile(HANDLE hFile,
                            LPCVOID lpBuffer,
                            DWORD nNumberOfBytesToWrite,
                            LPDWORD lpNumberOfBytesWritten,
                            LPOVERLAPPED lpOverlapped);
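/*
 * DLL entry point.
 *
 * On process attach it resolves kernel32's ReadFile/WriteFile and redirects
 * the host executable's import-table entries for them to HookedReadFile and
 * HookedWriteFile. On an explicit unload it puts the original addresses back,
 * so the import table never points into code that is no longer mapped.
 *
 * Always returns TRUE: a failed hook leaves the process running unmodified.
 */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    HMODULE hKernel32;

    (void)hinstDLL;

    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        hKernel32 = GetModuleHandleA("kernel32.dll");
        if (hKernel32 == NULL)
            break;

        g_readProc = (LPVOID)GetProcAddress(hKernel32, "ReadFile");
        g_writeProc = (LPVOID)GetProcAddress(hKernel32, "WriteFile");

        /* Each hook is gated on its own lookup; the original installed the
         * WriteFile hook whenever ReadFile resolved, even if g_writeProc was NULL. */
        if (g_readProc)
            HookIAT("kernel32.dll", (PROC)g_readProc, (PROC)HookedReadFile);
        if (g_writeProc)
            HookIAT("kernel32.dll", (PROC)g_writeProc, (PROC)HookedWriteFile);
        break;

    case DLL_PROCESS_DETACH:
        /* lpvReserved is NULL for FreeLibrary / failed load and non-NULL when
         * the whole process is exiting; only the former needs the table restored. */
        if (lpvReserved == NULL) {
            if (g_readProc)
                HookIAT("kernel32.dll", (PROC)HookedReadFile, (PROC)g_readProc);
            if (g_writeProc)
                HookIAT("kernel32.dll", (PROC)HookedWriteFile, (PROC)g_writeProc);
        }
        break;

    default:
        break;
    }

    return TRUE;
}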
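/*
 * Copy one log line ("<prefix><data>\n", NUL-terminated) to the start of the
 * shared file mapping named "myhack", if some process has created it.
 *
 * szPrefix  NUL-terminated tag placed in front of the payload.
 * pData     payload bytes; may be NULL, in which case only the tag is logged.
 * cbData    number of valid bytes at pData.
 *
 * The payload is cut at its first NUL byte (as the original strncat did) and
 * truncated so the line fits both the BUF_SIZE stack buffer and the mapped
 * view. The original code did neither and overran the stack buffer for
 * transfers larger than about BUF_SIZE bytes. The caller's last-error value
 * is saved and restored so the logging calls cannot change what the host
 * sees from GetLastError().
 *
 * NOTE(review): the mapping name is not authenticated and nothing
 * synchronizes with the reader. Whichever process owns "myhack" sees the
 * content of every intercepted read and write, and each line overwrites the
 * previous one.
 */
static void LogToSharedMapping(const char *szPrefix, const void *pData, DWORD cbData)
{
    DWORD dwSavedError = GetLastError();
    /* FILE_MAP_WRITE is all that is needed to store the line. */
    HANDLE hMapFile = OpenFileMappingA(FILE_MAP_WRITE, FALSE, "myhack");

    if (hMapFile != NULL) {
        LPVOID lpBase = MapViewOfFile(hMapFile, FILE_MAP_WRITE, 0, 0, 0);

        if (lpBase != NULL) {
            MEMORY_BASIC_INFORMATION mbi;
            char szBuffer[BUF_SIZE];
            size_t cchPrefix = strlen(szPrefix);
            size_t cchData = 0;
            size_t cbMsg;

            /* Always keep two bytes free for the trailing "\n" and NUL. */
            if (cchPrefix > BUF_SIZE - 2)
                cchPrefix = BUF_SIZE - 2;
            memcpy(szBuffer, szPrefix, cchPrefix);

            if (pData != NULL) {
                const char *pNul;

                cchData = cbData;
                if (cchData > BUF_SIZE - 2 - cchPrefix)
                    cchData = BUF_SIZE - 2 - cchPrefix;

                pNul = (const char *)memchr(pData, '\0', cchData);
                if (pNul != NULL)
                    cchData = (size_t)(pNul - (const char *)pData);

                memcpy(szBuffer + cchPrefix, pData, cchData);
            }

            szBuffer[cchPrefix + cchData] = '\n';
            szBuffer[cchPrefix + cchData + 1] = '\0';
            cbMsg = cchPrefix + cchData + 2;

            /* The view was mapped with length 0 (whole object), so ask the
             * memory manager how many bytes are actually addressable. */
            if (VirtualQuery(lpBase, &mbi, sizeof mbi) != 0 && mbi.RegionSize > 0) {
                if (cbMsg > mbi.RegionSize) {
                    cbMsg = mbi.RegionSize;
                    szBuffer[cbMsg - 1] = '\0';
                }
                memcpy(lpBase, szBuffer, cbMsg);
            }

            UnmapViewOfFile(lpBase);
        }

        CloseHandle(hMapFile);
    }

    SetLastError(dwSavedError);
}

/*
 * ReadFile replacement installed through the import table.
 *
 * Forwards to the real ReadFile, then logs the bytes that were read. Nothing
 * is logged unless the call reported success and supplied a byte count: with
 * overlapped I/O lpNumberOfBytesRead may be NULL and the buffer may not be
 * filled yet, and the original dereferenced the pointer unconditionally.
 *
 * Returns whatever ReadFile returned.
 */
BOOL WINAPI HookedReadFile(HANDLE hFile,
                           LPVOID lpBuffer,
                           DWORD nNumberOfBytesToRead,
                           LPDWORD lpNumberOfBytesRead,
                           LPOVERLAPPED lpOverlapped)
{
    BOOL status = ReadFile(hFile, lpBuffer, nNumberOfBytesToRead,
                           lpNumberOfBytesRead, lpOverlapped);

    if (status && lpBuffer != NULL && lpNumberOfBytesRead != NULL)
        LogToSharedMapping("ReadFile: ", lpBuffer, *lpNumberOfBytesRead);

    return status;
}

/*
 * WriteFile replacement installed through the import table.
 *
 * Logs the caller's buffer (at most nNumberOfBytesToWrite bytes) and then
 * forwards to the real WriteFile, returning its result unchanged.
 */
BOOL WINAPI HookedWriteFile(HANDLE hFile,
                            LPCVOID lpBuffer,
                            DWORD nNumberOfBytesToWrite,
                            LPDWORD lpNumberOfBytesWritten,
                            LPOVERLAPPED lpOverlapped)
{
    LogToSharedMapping("WriteFile: ", lpBuffer, nNumberOfBytesToWrite);

    return WriteFile(hFile, lpBuffer, nNumberOfBytesToWrite,
                     lpNumberOfBytesWritten, lpOverlapped);
}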
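/*
 * Replace one entry in the host executable's import address table.
 *
 * szDllName  name of the imported DLL whose table is searched (case-insensitive).
 * pfnOrg     address currently stored in the table.
 * pfnNew     address to store in its place.
 *
 * Returns TRUE when an entry equal to pfnOrg was found and rewritten, FALSE
 * when the arguments are NULL, the image has no usable import directory, no
 * entry matches, or the page protection could not be changed.
 *
 * The PE headers are read through the winnt.h structures rather than the
 * fixed offsets 0x3C/0x80 and DWORD casts the original used, which are only
 * valid for 32-bit images and truncate addresses in a 64-bit build.
 *
 * For defenders: after a successful call the patched slot no longer holds the
 * address exported by szDllName, which is the mismatch import-table integrity
 * checks compare against.
 */
BOOL HookIAT(LPCSTR szDllName, PROC pfnOrg, PROC pfnNew)
{
    PBYTE pBase;
    PIMAGE_DOS_HEADER pDos;
    PIMAGE_NT_HEADERS pNt;
    PIMAGE_DATA_DIRECTORY pDir;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
    PIMAGE_THUNK_DATA pThunk;
    LPCSTR szLibName;
    DWORD dwOldProtect;
    DWORD dwIgnored;

    if (szDllName == NULL || pfnOrg == NULL || pfnNew == NULL)
        return FALSE;

    /* GetModuleHandle(NULL) is the base of the executable that started the process. */
    pBase = (PBYTE)GetModuleHandle(NULL);
    if (pBase == NULL)
        return FALSE;

    pDos = (PIMAGE_DOS_HEADER)pBase;
    if (pDos->e_magic != IMAGE_DOS_SIGNATURE)
        return FALSE;

    pNt = (PIMAGE_NT_HEADERS)(pBase + pDos->e_lfanew);
    if (pNt->Signature != IMAGE_NT_SIGNATURE)
        return FALSE;

    /* An image without imports has a zero RVA here; walking from the image
     * base would then treat the DOS header as import descriptors. */
    if (pNt->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_IMPORT)
        return FALSE;
    pDir = &pNt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (pDir->VirtualAddress == 0)
        return FALSE;

    pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)(pBase + pDir->VirtualAddress);

    /* The descriptor array ends with an all-zero entry. */
    for (; pImportDesc->Name; pImportDesc++) {
        szLibName = (LPCSTR)(pBase + pImportDesc->Name);
        if (_stricmp(szLibName, szDllName) != 0)
            continue;

        pThunk = (PIMAGE_THUNK_DATA)(pBase + pImportDesc->FirstThunk);

        for (; pThunk->u1.Function; pThunk++) {
            if (pThunk->u1.Function != (ULONG_PTR)pfnOrg)
                continue;

            /* The table is normally read-only; writing without a successful
             * protection change would fault, so give up instead. */
            /* NOTE(review): PAGE_EXECUTE_READWRITE is kept from the original;
             * PAGE_READWRITE would be enough if the table never shares a page
             * with code - confirm before narrowing. */
            if (!VirtualProtect((LPVOID)&pThunk->u1.Function,
                                sizeof pThunk->u1.Function,
                                PAGE_EXECUTE_READWRITE, &dwOldProtect))
                return FALSE;

            pThunk->u1.Function = (ULONG_PTR)pfnNew;

            VirtualProtect((LPVOID)&pThunk->u1.Function,
                           sizeof pThunk->u1.Function,
                           dwOldProtect, &dwIgnored);
            return TRUE;
        }
    }

    return FALSE;
}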