Autor
Código:
#include <windows.h>
#include <iostream>
using namespace std;
typedef int (WINAPI *MSGBX) (HWND,LPCSTR, LPCSTR,UINT);
int main(){
HMODULE hMod = LoadLibrary("User32.dll");
if (!hMod) return 1;
MSGBX mymsgbox = (MSGBX)GetProcAddress(hMod, "MessageBoxA");
if (!mymsgbox) return 1;
cout << "libreria cargada y funcion localizada, esperando el hook..." << endl;
cin.get();
mymsgbox(NULL, "no ok", "!!", 0); // no interceptada
MessageBox(NULL, "no ok", "!!", 0); // interceptada
return 0;
}
#include <iostream>
using namespace std;
typedef int (WINAPI *MSGBX) (HWND,LPCSTR, LPCSTR,UINT);
int main(){
HMODULE hMod = LoadLibrary("User32.dll");
if (!hMod) return 1;
MSGBX mymsgbox = (MSGBX)GetProcAddress(hMod, "MessageBoxA");
if (!mymsgbox) return 1;
cout << "libreria cargada y funcion localizada, esperando el hook..." << endl;
cin.get();
mymsgbox(NULL, "no ok", "!!", 0); // no interceptada
MessageBox(NULL, "no ok", "!!", 0); // interceptada
return 0;
}
esto es lo que hace mi dll
Código:
case DLL_PROCESS_ATTACH:
CreateThread(0, 0, (LPTHREAD_START_ROUTINE)begin, 0, 0, 0);
CreateThread(0, 0, (LPTHREAD_START_ROUTINE)begin, 0, 0, 0);
Código:
LPTHREAD_START_ROUTINE begin()
{
HMODULE hMod = GetModuleHandle(0);
orig_box = (MSGBX) InterceptDllCall(hMod, "User32.dll", "MessageBoxA", (DWORD)&mymsgbox);
MessageBox(NULL, "Inyectado", "adasd", 0);
return 0;
}
{
HMODULE hMod = GetModuleHandle(0);
orig_box = (MSGBX) InterceptDllCall(hMod, "User32.dll", "MessageBoxA", (DWORD)&mymsgbox);
MessageBox(NULL, "Inyectado", "adasd", 0);
return 0;
}
y aqui la funcion (que no es mia) que sobreescribe la direccion de la funcion en la IAT
Código:
void *InterceptDllCall( HMODULE hModule, char *szDllName, char *szFunctionName, DWORD pNewFunction )
{
PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_NT_HEADERS pNTHeader;
PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
PIMAGE_THUNK_DATA pThunk;
DWORD dwOldProtect;
DWORD dwOldProtect2;
void *pOldFunction;
if( !( pOldFunction = (void*) GetProcAddress( GetModuleHandle( szDllName ), szFunctionName ) ) )
{
MessageBox(NULL, "GetProcAddress failed", "Error", 0);
return( NULL );
}
pDosHeader = ( PIMAGE_DOS_HEADER )hModule;
if( pDosHeader->e_magic != IMAGE_DOS_SIGNATURE )
{
MessageBox(NULL, "dos_header failed", "Error", 0);
return( NULL );
}
pNTHeader = MakePtr( PIMAGE_NT_HEADERS, pDosHeader, pDosHeader->e_lfanew );
if( pNTHeader->Signature != IMAGE_NT_SIGNATURE
|| ( pImportDesc = MakePtr( PIMAGE_IMPORT_DESCRIPTOR, pDosHeader, pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress ) ) == ( PIMAGE_IMPORT_DESCRIPTOR )pNTHeader )
{
MessageBox(NULL, "PIMAGE_NT_HEADERS failed", "Error", 0);
return( NULL );
}
while( pImportDesc->Name )
{
char *szModuleName = MakePtr( char *, pDosHeader, pImportDesc->Name );
if( !stricmp( szModuleName, szDllName ) )
break;
pImportDesc++;
}
if( pImportDesc->Name == NULL )
{
MessageBox(NULL, "pImportDesc failed", "Error", 0);
return( NULL );
}
pThunk = MakePtr( PIMAGE_THUNK_DATA, pDosHeader, pImportDesc->FirstThunk );
while( pThunk->u1.Function )
{
if( pThunk->u1.Function == ( DWORD )pOldFunction )
{
VirtualProtect( ( void * )&pThunk->u1.Function, sizeof( DWORD ), PAGE_EXECUTE_READWRITE, &dwOldProtect );
pThunk->u1.Function = (DWORD)pNewFunction;
VirtualProtect( ( void * )&pThunk->u1.Function, sizeof( DWORD ), dwOldProtect, &dwOldProtect2 );
return( pOldFunction );
}
pThunk++;
}
return( NULL );
}
{
PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_NT_HEADERS pNTHeader;
PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
PIMAGE_THUNK_DATA pThunk;
DWORD dwOldProtect;
DWORD dwOldProtect2;
void *pOldFunction;
if( !( pOldFunction = (void*) GetProcAddress( GetModuleHandle( szDllName ), szFunctionName ) ) )
{
MessageBox(NULL, "GetProcAddress failed", "Error", 0);
return( NULL );
}
pDosHeader = ( PIMAGE_DOS_HEADER )hModule;
if( pDosHeader->e_magic != IMAGE_DOS_SIGNATURE )
{
MessageBox(NULL, "dos_header failed", "Error", 0);
return( NULL );
}
pNTHeader = MakePtr( PIMAGE_NT_HEADERS, pDosHeader, pDosHeader->e_lfanew );
if( pNTHeader->Signature != IMAGE_NT_SIGNATURE
|| ( pImportDesc = MakePtr( PIMAGE_IMPORT_DESCRIPTOR, pDosHeader, pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress ) ) == ( PIMAGE_IMPORT_DESCRIPTOR )pNTHeader )
{
MessageBox(NULL, "PIMAGE_NT_HEADERS failed", "Error", 0);
return( NULL );
}
while( pImportDesc->Name )
{
char *szModuleName = MakePtr( char *, pDosHeader, pImportDesc->Name );
if( !stricmp( szModuleName, szDllName ) )
break;
pImportDesc++;
}
if( pImportDesc->Name == NULL )
{
MessageBox(NULL, "pImportDesc failed", "Error", 0);
return( NULL );
}
pThunk = MakePtr( PIMAGE_THUNK_DATA, pDosHeader, pImportDesc->FirstThunk );
while( pThunk->u1.Function )
{
if( pThunk->u1.Function == ( DWORD )pOldFunction )
{
VirtualProtect( ( void * )&pThunk->u1.Function, sizeof( DWORD ), PAGE_EXECUTE_READWRITE, &dwOldProtect );
pThunk->u1.Function = (DWORD)pNewFunction;
VirtualProtect( ( void * )&pThunk->u1.Function, sizeof( DWORD ), dwOldProtect, &dwOldProtect2 );
return( pOldFunction );
}
pThunk++;
}
return( NULL );
}
que deberia hacer para solucionarlo? habia pensado en hookear LoadLibrary y modificar la EAT para que apunte a mi funcion pero eso solo funcionaria si inyecto mi dll justo cuando el programa se ejecuta o bien abriendolo externamente, asi que estoy un poco perdido.
no veo forma de hacerlo sin el trampolin, pero esque no quiero usarlo xD
En línea
