IAT hook: hijacking a process's API calls
2022-06-12 13:56:00 【HyperCall】
*ω*
During an interview at the goose factory (Tencent's nickname) I was asked about the various ways to hook and hijack API calls. Of these, the IAT hook should be the simplest. Harder than the IAT hook is the ring-3 (R3) 5-byte inline hook, then the hot-patch hook, then the SSDT hook...
The 5-byte hook was covered in the previous two articles on process hiding; the 7-byte variant mainly places fairly high demands on the target API. This article covers the IAT hook implementation; later articles will cover the hot-patch hook (which copies part of the original API's code) and the SSDT hook.
T_T
I planned to finish this in about 40 minutes last night, but all kinds of strange problems came up and I was debugging until 2 a.m.! And even then a third of the people were still awake... the daily life of today's college students???
Tips & Problems
1. The principle is very simple: inject a DLL into the process you want to hook (the injector code is in the process-hiding articles), then, inside the process, have the DLL get the module handle of the program. The handle is a pointer to the MZ header; from there you walk the structures to the import table, find the IID (IMAGE_IMPORT_DESCRIPTOR) structure, locate the IAT entry that needs to be modified, and overwrite it. OVER!! More specifically, the IAT hook works because a call to func is compiled as call [IAT slot of func]: the address stored in that slot is read and called, and that value was filled in dynamically by the PE loader when the PE was loaded.
2. The first problem I ran into was compiler optimization. Being lazy, I did not use a DLL injection tool to inject the DLL; instead I wrote a program that calls LoadLibrary directly and then pops up a message box, with the DLL responsible for hijacking MessageBoxW. But the hijack didn't take.... After single-stepping I found that the compiler had emitted the MessageBoxW call as call esi, with esi=[IAT address of MessageBoxW] loaded beforehand, and the LoadLibrary call came after esi=[IAT address of MessageBoxW]. In other words, no matter how the IAT is modified, call esi still ends up at the original MessageBoxW....
3. The string comparison function strcmp(char*, char*) only compared one character.... I remember this function is supposed to keep going until '\0'..... It took me 5 seconds to write my own string comparison function.
4. When the hook redirects the original function to the new function, you must pay attention to stack balance.
5. Since the key values in the MZ header and PE header structures are basically all RVAs, adding the module handle (image base) gives the VA directly. Super convenient.
6. Because the DLL never needs to be unloaded (typically the process exits before the injected DLL is unloaded), there is no need to write an UnHook function.
Here is the code
IAT.h

```cpp
#pragma once
#include <windows.h>

// Globals shared between PeInit() and IatHook() (defined in the header because the DLL is a single translation unit).
HMODULE Current_Handle;       // handle (image base) of the host process's main module
PBYTE pfile;                  // points at the MZ header
PIMAGE_DOS_HEADER Dos_Header; // DOS header
PIMAGE_NT_HEADERS Nt_Header;  // NT headers
DWORD IATSection_Base;        // RVA of the import directory (array of IMAGE_IMPORT_DESCRIPTOR)
DWORD IATSection_Size;        // size of the import directory

BOOL str_cmp(char *a, char *b);
void PeInit();
BOOL IatHook(LPCSTR DllName, LPCSTR ProcName);
int WINAPI NewMessageBoxW(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType);
```

IAT.cpp

```cpp
#include "IAT.h"

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        Current_Handle = NULL;
        pfile = NULL;
        Dos_Header = NULL;
        Nt_Header = NULL;
        IATSection_Base = 0;
        IATSection_Size = 0;
        PeInit();
        IatHook("USER32.dll", "MessageBoxW");
        break;
    case DLL_PROCESS_DETACH:
        // The DLL is never unloaded before the process exits (tip 6), so there is no UnHook.
        break;
    }
    return TRUE;
}

// Hand-written string compare (tip 3): TRUE when both strings are identical.
BOOL str_cmp(char *a, char *b) {
    while (*a == *b && *a != '\0' && *b != '\0') {
        a++;
        b++;
    }
    if (*a == '\0' && *b == '\0') return TRUE;
    return FALSE;
}

// Replacement for MessageBoxW; same WINAPI (stdcall) signature so the stack stays balanced (tip 4).
int WINAPI NewMessageBoxW(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType) {
    return MessageBoxW(NULL, L"123", L"123", MB_OK);
}

BOOL IatHook(LPCSTR DllName, LPCSTR ProcName) {
    DWORD oldprotect = 0;
    FARPROC ori_func = GetProcAddress(GetModuleHandleA(DllName), ProcName);
    PIMAGE_THUNK_DATA pthunk = NULL;
    // RVA -> VA: image base + import directory RVA (tip 5)
    PIMAGE_IMPORT_DESCRIPTOR Current_IID = (PIMAGE_IMPORT_DESCRIPTOR)(pfile + IATSection_Base);
    // The descriptor array is terminated by an all-zero entry, not by a NULL pointer.
    while (Current_IID->FirstThunk) {
        if (str_cmp((char *)DllName, (char *)(pfile + Current_IID->Name))) {
            BOOL found = FALSE;
            pthunk = (PIMAGE_THUNK_DATA)(pfile + Current_IID->FirstThunk); // this DLL's IAT
            while (pthunk->u1.Function) {
                if (pthunk->u1.Function == (DWORD)ori_func) {
                    // The IAT page is read-only once the loader is done: make it writable, patch, restore.
                    VirtualProtect((LPVOID)&pthunk->u1.Function, 4, PAGE_EXECUTE_READWRITE, &oldprotect);
                    pthunk->u1.Function = (DWORD)NewMessageBoxW;
                    VirtualProtect((LPVOID)&pthunk->u1.Function, 4, oldprotect, &oldprotect);
                    found = TRUE;
                    break;
                }
                pthunk++;
            }
            return found;
        }
        Current_IID++;
    }
    return FALSE;
}

void PeInit() {
    Current_Handle = GetModuleHandle(NULL);
    pfile = (PBYTE)Current_Handle;
    Dos_Header = (PIMAGE_DOS_HEADER)pfile;
    if (Dos_Header->e_magic != IMAGE_DOS_SIGNATURE) {
        OutputDebugStringW(L"Is Not PE");
        return;
    }
    Nt_Header = (PIMAGE_NT_HEADERS)(pfile + Dos_Header->e_lfanew);
    if (Nt_Header->Signature != IMAGE_NT_SIGNATURE) {
        OutputDebugStringW(L"Is Not PE");
        return;
    }
    IMAGE_DATA_DIRECTORY IAT_Section = Nt_Header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    IATSection_Base = IAT_Section.VirtualAddress;
    IATSection_Size = IAT_Section.Size;
}
```
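The same walk (MZ header → e_lfanew → import directory → IID → FirstThunk) seen from the defender's side: an added Python example, not the post's code, that parses a PE32 image buffer and flags IAT slots whose value does not point into the load range of the DLL the IID names, which is exactly what the hook above leaves behind. The image layout, addresses and USER32 range are constructed for the demo; a real check would read the live image and the loaded-module list.

```python
import struct

# PE32 layout: e_lfanew offset, optional header offset from "PE\0\0", DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]
E_LFANEW, OPT_HDR = 0x3C, 4 + 20
IMPORT_DIR = OPT_HDR + 96 + 8 * 1

def cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")

def walk_iat(image):
    """Yield (dll, func, iat_rva, iat_value) for a PE32 image as mapped in memory (RVA == buffer offset)."""
    nt = struct.unpack_from("<I", image, E_LFANEW)[0]
    if image[:2] != b"MZ" or image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("Is Not PE")
    iid = struct.unpack_from("<I", image, nt + IMPORT_DIR)[0]          # import directory RVA
    while True:
        oft, _, _, name, ft = struct.unpack_from("<5I", image, iid)     # IMAGE_IMPORT_DESCRIPTOR
        if oft == 0 and ft == 0:                                        # all-zero IID ends the array
            return
        for i in range(0, 0x1000, 4):                                   # thunk offset, bounded
            int_entry = struct.unpack_from("<I", image, oft + i)[0]     # INT (OriginalFirstThunk) keeps names
            if int_entry == 0:
                break
            func = f"#{int_entry & 0xFFFF}" if int_entry & 0x80000000 else cstr(image, int_entry + 2)
            yield cstr(image, name), func, ft + i, struct.unpack_from("<I", image, ft + i)[0]
        iid += 20

def find_iat_hooks(image, module_ranges):
    """IAT slots whose value lies outside the load range of the DLL the IID names: the classic IAT-hook sign."""
    return [(dll, func, rva, val) for dll, func, rva, val in walk_iat(image)
            if not module_ranges[dll.lower()][0] <= val < module_ranges[dll.lower()][1]]

def build_sample_image(hooked):
    """Constructed PE32-shaped buffer (not a real executable): one IID for USER32.dll with two imports."""
    img = bytearray(0x400)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, E_LFANEW, 0x80)
    struct.pack_into("<II", img, 0x80 + IMPORT_DIR, 0x200, 40)          # import directory RVA / size
    struct.pack_into("<5I", img, 0x200, 0x240, 0, 0, 0x260, 0x280)     # OFT, stamp, fwd, Name, FirstThunk
    img[0x260:0x26B] = b"USER32.dll\0"
    struct.pack_into("<3I", img, 0x240, 0x2A0, 0x2C0, 0)               # INT -> IMAGE_IMPORT_BY_NAME entries
    img[0x2A2:0x2AE], img[0x2C2:0x2CE] = b"MessageBoxW\0", b"GetMessageW\0"   # 2-byte Hint stays 0
    # IAT as the loader left it (constructed addresses); a hooked slot points into the exe image, not USER32
    mbw = 0x00401000 if hooked else 0x76A01234
    struct.pack_into("<3I", img, 0x280, mbw, 0x76A05678, 0)
    return bytes(img)

MODULES = {"user32.dll": (0x76A00000, 0x76B00000)}   # constructed USER32 load range
```

Comparing against GetProcAddress, as the hook above does, misses a slot that was already redirected before the check ran; the range test above catches any value outside the exporting module, at the cost of false positives for legitimately forwarded exports.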