我的目标是执行IAT挂钩。我想用自己的函数LoadLibraryA替换ModifiedLLA(LLA)。
我浏览了PE格式,并且能够找到每个导入的DLL文件的功能名称。
考虑这将是我的替代功能:
DWORD ModifiedLLA(char* str){
printf("test\n");
return 0;
}
请在主函数中考虑以下代码:
...
//IAT & ILTs have been assigned previously
//Declare pointer to our own function
DWORD(WINAPI *procPtr)(char*);
procPtr = ModifiedLLA;
while(ilt->u1.AddressOfData){
namedata = (PIMAGE_IMPORT_BY_NAME)((DWORD_PTR)imagebase +
(DWORD)ilt->u1.AddressOfData);
//We have found the LoadLibraryA function.
if(strcmp(namedata->Name, "LoadLibraryA") == 0){
//Here we must replace the original LoadLibraryA with procPtr;
break;
}
ilt++;
alt++;
}
...
问题是“如何分配procPtr到LLA地址”?
我读到当未设置IMAGE_ORDINAL_FLAG时,LoadLibraryA的地址变为iat->u1.Function + namedata。
但是,我不确定应该将(DWORD_PTR)namedata + (DWORD)iat->u1.Function转换为哪种数据类型。我试图将其转换为DWORD_PTR。当我尝试将procPtr分配给该地址时,出现错误,例如:一元“ *”的无效类型参数(具有“ DWORD_PTR” {aka'long long unsigned int'})
我找到了答案。显然,它像iat->u1.Function = (ULONGLONG)procPtr
因此,代码变为:
//IAT & ILTs have been assigned previously
//Declare pointer to our own function
DWORD(WINAPI *procPtr)(char*);
procPtr = ModifiedLLA;
while(ilt->u1.AddressOfData){
namedata = (PIMAGE_IMPORT_BY_NAME)((DWORD_PTR)imagebase +
(DWORD)ilt->u1.AddressOfData);
//We have found the LoadLibraryA function.
if(strcmp(namedata->Name, "LoadLibraryA") == 0){
iat->u1.Function = (ULONGLONG)procPtr;
break;
}
ilt++;
alt++;
}
...
我希望这也会对其他人有所帮助。