
求个IAT HOOK的源码.该怎么解决

发布时间: 2012-09-10 11:02:32 作者: rapoo

求个IAT HOOK的源码.
网上找了好多HOOK IAT的源码,基本参数都是(DLL名,源地址,目标地址)类型的IAT HOOK

想找个用函数名HOOK的源码.

[解决办法]
// h

//Local (same-process) version: given a module base and the load address of an
//imported function (obtained via GetProcAddress), find the IAT slot in hModule
//that holds that address and, when dwHookingProc is non-zero, replace the slot
//with dwHookingProc.  Returns the import's name, or NULL if no slot matches.
//If dwHookingProc is 0 the call is a query only.
//dwProcLoadAddress is the in-memory address of the function, as returned by
//GetProcAddress; lpdwOrigianlIATAddress (optional) receives the value the slot
//held before any change.
const char* __stdcall IATHook_ByProcAddress(__in HMODULE hModule,__in DWORD dwProcLoadAddress,__in DWORD dwHookingProc,__out_opt LPDWORD lpdwOrigianlIATAddress);
//Local version: given a module base and the name of an imported function, find
//that name's IAT slot in hModule and, when dwHookingProc is non-zero, replace it
//with dwHookingProc.  Returns the address the slot held before the change
//(0 if the name is not imported by hModule).
//If dwHookingProc is 0 the call is a query only.
DWORD __stdcall IATHook_ByProcName(__in HMODULE hModule,__in const char* pszProcName,__in DWORD dwHookingProc);

////////////////////////////////////////////////////////

//cpp

//本地版本,指定模块基地址和IAT表函数的地址,修改IAT的函数地址为dwHookedProc,返回原来函数名字
//如果dwHookingProc指定为0,结果仅为查询
//dwOriginalProcAddress为内存加载的地址,通过GetProcAddress获取
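//Local (same-process) version: given a module base and the load address of an
//imported function (as returned by GetProcAddress), locate the IAT slot in
//hModule that currently holds that address.  When dwHookingProc is non-zero the
//slot is rewritten to dwHookingProc; when it is 0 the call is a query only.
//  hModule                - base of the module whose IAT is walked (the importer,
//                           not the DLL that exports the function)
//  dwProcLoadAddress      - value to look for in the IAT slots
//  dwHookingProc          - replacement address, or 0 for query only
//  lpdwOrigianlIATAddress - optional; receives the slot's value before any change
//Returns the import's name as stored in hModule's image (valid while the module
//stays loaded), or NULL when hModule is NULL or not a PE image, when it has no
//import table, when no by-name slot holds dwProcLoadAddress, or when the slot
//could not be made writable (nothing is modified in that case).
//Imports by ordinal, and descriptors whose OriginalFirstThunk is 0, carry no
//IMAGE_IMPORT_BY_NAME record and are skipped: there would be no name to return.
//The match is against the slot's *current* value, so a slot that has already
//been redirected is no longer found via the original address.
//Only hModule's own IAT is affected; calls resolved through GetProcAddress or
//made from other modules are untouched.  The interface passes addresses as
//DWORD and is therefore 32-bit only; the PE walk itself uses ULONG_PTR and no
//inline assembly, so it no longer depends on the x86 register layout.
const char* __stdcall IATHook_ByProcAddress(__in HMODULE hModule,__in DWORD dwProcLoadAddress,__in DWORD dwHookingProc,__out_opt LPDWORD lpdwOrigianlIATAddress)
{
    ULONG_PTR ulBase=(ULONG_PTR)hModule;
    PIMAGE_DOS_HEADER pDos=NULL;
    PIMAGE_NT_HEADERS pNt=NULL;
    PIMAGE_DATA_DIRECTORY pImpDir=NULL;
    PIMAGE_IMPORT_DESCRIPTOR pImpDtp=NULL;
    if(!hModule) return NULL;
    //Validate the headers before trusting any offset read from them.
    pDos=(PIMAGE_DOS_HEADER)ulBase;
    if(pDos->e_magic!=IMAGE_DOS_SIGNATURE) return NULL;
    pNt=(PIMAGE_NT_HEADERS)(ulBase+pDos->e_lfanew);
    if(pNt->Signature!=IMAGE_NT_SIGNATURE) return NULL;
    //The original inline asm read the import directory at a fixed offset (0x80)
    //from the NT headers; the data-directory index expresses the same thing
    //portably and lets an absent import table be detected.
    pImpDir=&pNt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if(pImpDir->VirtualAddress==0||pImpDir->Size==0) return NULL; //module imports nothing
    pImpDtp=(PIMAGE_IMPORT_DESCRIPTOR)(ulBase+pImpDir->VirtualAddress);
    for(;pImpDtp->FirstThunk;pImpDtp++){
        PIMAGE_THUNK_DATA pThunkOgnData=NULL;
        PIMAGE_THUNK_DATA pThunkData=NULL;
        //OriginalFirstThunk (the INT) keeps the names; FirstThunk (the IAT) holds
        //the resolved addresses.  Without an INT there is no name to return.
        if(pImpDtp->OriginalFirstThunk==0) continue;
        pThunkOgnData=(PIMAGE_THUNK_DATA)(ulBase+pImpDtp->OriginalFirstThunk);
        pThunkData=(PIMAGE_THUNK_DATA)(ulBase+pImpDtp->FirstThunk);
        for(;pThunkOgnData->u1.AddressOfData;pThunkOgnData++,pThunkData++){
            PIMAGE_IMPORT_BY_NAME pImpName=NULL;
            DWORD dwOldPtc=0;
            DWORD dwIgnored=0;
            //An ordinal import has no IMAGE_IMPORT_BY_NAME behind AddressOfData;
            //the original code dereferenced the ordinal bits as a pointer.
            if(IMAGE_SNAP_BY_ORDINAL(pThunkOgnData->u1.Ordinal)) continue;
            if((DWORD)pThunkData->u1.Function!=dwProcLoadAddress) continue;
            if(lpdwOrigianlIATAddress) *lpdwOrigianlIATAddress=(DWORD)pThunkData->u1.Function;
            if(dwHookingProc){
                //Unprotect exactly the slot being written.  The IAT normally sits
                //in a read-only section; the original code called VirtualQuery on
                //an uninitialized MEMORY_BASIC_INFORMATION and then unprotected the
                //page of the *target* function, leaving the slot itself read-only.
                if(!VirtualProtect(&pThunkData->u1.Function,sizeof(pThunkData->u1.Function),PAGE_READWRITE,&dwOldPtc)) return NULL;
                pThunkData->u1.Function=dwHookingProc;
                VirtualProtect(&pThunkData->u1.Function,sizeof(pThunkData->u1.Function),dwOldPtc,&dwIgnored);
            }
            pImpName=(PIMAGE_IMPORT_BY_NAME)(ulBase+pThunkOgnData->u1.AddressOfData);
            return (const char*)pImpName->Name;
        }
    }
    return NULL;
}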


//本地版本,指定模块及地址和IAT表函数的名字,修改IAT的函数地址为dwHookedProc,返回原来函数地址
//如果dwHookingProc指定为0,结果仅为查询
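//Local (same-process) version: given a module base and the name of an imported
//function, locate that name's IAT slot in hModule.  When dwHookingProc is
//non-zero the slot is rewritten to dwHookingProc; when it is 0 the call is a
//query only.
//  hModule       - base of the module whose IAT is walked (the importer)
//  pszProcName   - import name to look for (compared case-insensitively, as before)
//  dwHookingProc - replacement address, or 0 for query only
//Returns the address the slot held before any change, or 0 when hModule or
//pszProcName is NULL, hModule is not a PE image or has no import table, the
//name is not imported by name, or the slot could not be made writable (nothing
//is modified in that case).  Ordinal imports and descriptors without an
//OriginalFirstThunk carry no name and are skipped.
//Only hModule's own IAT is affected; calls resolved through GetProcAddress or
//made from other modules are untouched.  Integrity checks that flag IAT slots
//pointing outside the exporting DLL's image will observe such a redirection.
//The DWORD interface is 32-bit only; the PE walk itself uses ULONG_PTR and no
//inline assembly.
DWORD __stdcall IATHook_ByProcName(__in HMODULE hModule,__in const char* pszProcName,__in DWORD dwHookingProc)
{
    ULONG_PTR ulBase=(ULONG_PTR)hModule;
    PIMAGE_DOS_HEADER pDos=NULL;
    PIMAGE_NT_HEADERS pNt=NULL;
    PIMAGE_DATA_DIRECTORY pImpDir=NULL;
    PIMAGE_IMPORT_DESCRIPTOR pImpDtp=NULL;
    if(!hModule||!pszProcName) return 0;
    //Validate the headers before trusting any offset read from them.
    pDos=(PIMAGE_DOS_HEADER)ulBase;
    if(pDos->e_magic!=IMAGE_DOS_SIGNATURE) return 0;
    pNt=(PIMAGE_NT_HEADERS)(ulBase+pDos->e_lfanew);
    if(pNt->Signature!=IMAGE_NT_SIGNATURE) return 0;
    //The original inline asm read the import directory at a fixed offset (0x80)
    //from the NT headers; the data-directory index expresses the same thing
    //portably and lets an absent import table be detected.
    pImpDir=&pNt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if(pImpDir->VirtualAddress==0||pImpDir->Size==0) return 0; //module imports nothing
    pImpDtp=(PIMAGE_IMPORT_DESCRIPTOR)(ulBase+pImpDir->VirtualAddress);
    for(;pImpDtp->FirstThunk;pImpDtp++){
        PIMAGE_THUNK_DATA pThunkOgnData=NULL;
        PIMAGE_THUNK_DATA pThunkData=NULL;
        //OriginalFirstThunk (the INT) keeps the names; FirstThunk (the IAT) holds
        //the resolved addresses.  Without an INT a name lookup is impossible.
        if(pImpDtp->OriginalFirstThunk==0) continue;
        pThunkOgnData=(PIMAGE_THUNK_DATA)(ulBase+pImpDtp->OriginalFirstThunk);
        pThunkData=(PIMAGE_THUNK_DATA)(ulBase+pImpDtp->FirstThunk);
        for(;pThunkOgnData->u1.AddressOfData;pThunkOgnData++,pThunkData++){
            PIMAGE_IMPORT_BY_NAME pImpName=NULL;
            DWORD dwFindProc=0;
            DWORD dwOldPtc=0;
            DWORD dwIgnored=0;
            //An ordinal import has no IMAGE_IMPORT_BY_NAME behind AddressOfData;
            //the original code dereferenced the ordinal bits as a pointer.
            if(IMAGE_SNAP_BY_ORDINAL(pThunkOgnData->u1.Ordinal)) continue;
            pImpName=(PIMAGE_IMPORT_BY_NAME)(ulBase+pThunkOgnData->u1.AddressOfData);
            if(0!=lstrcmpiA((const char*)pImpName->Name,pszProcName)) continue;
            dwFindProc=(DWORD)pThunkData->u1.Function;
            if(dwHookingProc){
                //Unprotect exactly the slot being written.  The original code
                //queried the region of the *target* function (dwFindProc) and then
                //unprotected AllocationBase with that region's size, which need not
                //cover the IAT slot at all; the IAT normally sits in a read-only section.
                if(!VirtualProtect(&pThunkData->u1.Function,sizeof(pThunkData->u1.Function),PAGE_READWRITE,&dwOldPtc)) return 0;
                pThunkData->u1.Function=dwHookingProc;
                VirtualProtect(&pThunkData->u1.Function,sizeof(pThunkData->u1.Function),dwOldPtc,&dwIgnored);
            }
            return dwFindProc;
        }
    }
    return 0;
}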

//////////////////////////////////////////////////////////////////////////

/*

对进程模块导入表函数地址进行hook --------IAT,并不实用

对模块导入表 函数地址进行修改,仅对模块导入表内的地址有效,如果使用LoadLibrary GetProcAddress,那么HOOK IAT 不会起作用

*/

/*用法

HMODULE __stdcall Fake_OpenProcess(LPSTR lpName){
MessageBoxA(0,lpName,0,0);
return NULL;
}
//byname
查询
DWORD dwfun= IATHook_ByProcName(GetModuleHandle(NULL),"LoadLibraryA",(DWORD)0);
LoadLibraryA("kernel32");
修改
dwfun=IATHook_ByProcName(GetModuleHandle(NULL),"LoadLibraryA",(DWORD)Fake_OpenProcess);
LoadLibraryA("kernel32");

//byaddress

查询
DWORD dwOgn=0;
DWORD dwp=(DWORD)GetProcAddress(GetModuleHandleA("kernel32"),"LoadLibraryA");
char* pname=(char*) IATHook_ByProcAddress(GetModuleHandle(NULL),dwp,(DWORD)0,&dwOgn);
LoadLibraryA("kernel32");
修改
pname=(char*)IATHook_ByProcAddress(GetModuleHandle(NULL),dwp,(DWORD)Fake_OpenProcess,&dwOgn);
LoadLibraryA("kernel32");
*/

修改字节的API hook 实用些
