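/// @brief Redirects one imported function of a remote process to a caller-supplied
///        handler by overwriting the matching import address table (IAT) slot.
///
/// Sequence, as visible in this function: open the target process, read its PEB and
/// main image, walk the import descriptors until one is named pModuleName, search that
/// module's import lookup table (ILT) for pFunctionName, copy the handler and pass the
/// copy to PatchDWORD together with 0xDEADBEEF and the original import address
/// (presumably the placeholder is replaced by that address - confirm in PatchDWORD),
/// write the copy over the last dwHandlerSize bytes of the imported module's .text raw
/// data, and finally store the handler address in the IAT slot.
///
/// Review notes:
///  - The code is 32-bit only: pointers are cast to DWORD, thunks are
///    IMAGE_THUNK_DATA32 and the IAT write is 4 bytes.
///  - On success the target carries two modifications: the tail of the imported
///    module's .text raw data no longer matches the file on disk, and one IAT entry of
///    the main image holds an address inside that tail. Comparing in-memory .text and
///    IAT entries against the on-disk image and the module's exports shows both.
///  - NOTE(review): ownership of the buffers returned by the ReadRemote* / FindRemote*
///    helpers is not visible here; confirm whether they must be released.
///
/// @param dwProcessId    Identifier of the process to open.
/// @param pModuleName    Import module name, compared case-insensitively.
/// @param pFunctionName  Imported function name, compared case-sensitively.
/// @param pHandler       Local buffer holding the handler bytes.
/// @param dwHandlerSize  Size of the handler in bytes.
/// @return TRUE when both remote writes succeeded, FALSE on any failure.
BOOL IATHookInjector::HookFunction(DWORD dwProcessId, CHAR* pModuleName, CHAR* pFunctionName, PVOID pHandler, DWORD dwHandlerSize) const
{
	// Reject arguments that would otherwise reach _stricmp/strcmp/memcpy as null
	// pointers or request a zero-byte allocation.
	if (!pModuleName || !pFunctionName || !pHandler || !dwHandlerSize)
	{
		printf("Invalid hook arguments\r\n");
		return FALSE;
	}

	//PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE
	// NOTE(review): PROCESS_ALL_ACCESS requests every right on the target; the mask in
	// the comment above is the narrower set the author had noted.
	auto hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwProcessId);
	if (!hProcess)
	{
		printf("Error opening process\r\n");
		return FALSE;
	}

	// The original never closed the handle; release it on every return path.
	struct ProcessHandleCloser
	{
		HANDLE h;
		~ProcessHandleCloser() { CloseHandle(h); }
	} closeProcess{ hProcess };

	// The returned address is only used as a success check.
	auto dwPEBAddress = FindRemotePEB(hProcess);
	if (!dwPEBAddress)
	{
		printf("Error finding remote PEB\r\n");
		return FALSE;
	}

	auto pPEB = ReadRemotePEB(hProcess);
	if (!pPEB)
	{
		printf("Error reading remote PEB\r\n");
		return FALSE;
	}

	auto pImage = ReadRemoteImage(hProcess, pPEB->ImageBaseAddress);
	if (!pImage)
	{
		printf("Error reading remote image\r\n");
		return FALSE;
	}

	auto pImportDescriptors = ReadRemoteImportDescriptors(hProcess, pPEB->ImageBaseAddress, pImage->FileHeader->OptionalHeader.DataDirectory);
	if (!pImportDescriptors)
	{
		printf("Error reading remote import descriptors\r\n");
		return FALSE;
	}

	// 0x2000 is a hard cap on descriptors examined; the walk normally ends on a name
	// match or on a descriptor whose Characteristics field is zero.
	// NOTE(review): the size of the buffer behind pImportDescriptors is not visible
	// here - confirm it covers every index this loop can reach.
	for (DWORD i = 0; i < 0x2000; i++)
	{
		auto descriptor = pImportDescriptors[i];
		auto pName = ReadRemoteDescriptorName(hProcess, pPEB->ImageBaseAddress, &descriptor);

		if (!pName)
		{
			printf("Error reading remote descriptor name\r\n");
			return FALSE;
		}

		if (!_stricmp(pName, pModuleName))
		{
			// Number of 32-bit thunks that fit in BUFFER_SIZE; presumably the amount
			// ReadRemoteILT / ReadRemoteIAT read - confirm against those helpers.
			DWORD dwThunkArrayLen = BUFFER_SIZE / sizeof(IMAGE_THUNK_DATA32);

			auto pILT = ReadRemoteILT(hProcess, pPEB->ImageBaseAddress, &descriptor);

			if (!pILT)
			{
				printf("Error reading remote ILT\r\n");
				return FALSE;
			}

			DWORD dwOffset = 0;

			for (dwOffset = 0; dwOffset < dwThunkArrayLen; dwOffset++)
			{
				auto pImportByName = ReadRemoteImportByName(hProcess, pPEB->ImageBaseAddress, &pILT[dwOffset]);
				if (!pImportByName)
				{
					printf("Error reading remote import by name\r\n");
					return FALSE;
				}

				if (!strcmp(static_cast<char*>(pImportByName->Name), pFunctionName))
					break;
			}

			// If the loop ran to completion the name was not found. The original
			// carried on with dwOffset == dwThunkArrayLen, indexing one element past
			// the thunk arrays and overwriting an unrelated slot in the target.
			if (dwOffset == dwThunkArrayLen)
			{
				printf("Could not find import %s\r\n", pFunctionName);
				return FALSE;
			}

			auto pIAT = ReadRemoteIAT(hProcess, pPEB->ImageBaseAddress, &descriptor);
			if (!pIAT)
			{
				printf("Error reading remote IAT\r\n");
				return FALSE;
			}

			auto dwOriginalAddress = pIAT[dwOffset].u1.AddressOfData;
			printf("Original import address: 0x%x\r\n", dwOriginalAddress);


			auto pImportImageBase = FindRemoteImageBase(hProcess, pPEB, pModuleName);

			if (!pImportImageBase)
			{
				printf("Could not find remote image base for %s\r\n", pModuleName);
				return FALSE;
			}

			auto pImportImage = ReadRemoteImage(hProcess, pImportImageBase);

			if (!pImportImage)
			{
				printf("Could not find remote image at 0x%p\r\n", pImportImageBase);
				return FALSE;
			}

			auto pImportTextHeader = FindSectionHeaderByName(pImportImage->Sections, pImportImage->NumberOfSections, ".text");
			if (!pImportTextHeader)
			{
				printf("Could not find section header\r\n");
				return FALSE;
			}

			// SizeOfRawData - dwHandlerSize below is unsigned arithmetic; a handler
			// larger than the section would wrap to an unrelated address.
			if (dwHandlerSize > pImportTextHeader->SizeOfRawData)
			{
				printf("Handler does not fit in section\r\n");
				return FALSE;
			}

			auto pHandlerBuffer = new BYTE[dwHandlerSize];

			// The original leaked this scratch copy on every path.
			struct HandlerBufferDeleter
			{
				BYTE* p;
				~HandlerBufferDeleter() { delete[] p; }
			} freeHandlerBuffer{ pHandlerBuffer };

			// Work on a private copy so the caller's handler bytes stay untouched.
			memcpy(pHandlerBuffer, pHandler, dwHandlerSize);

			auto bSuccess = PatchDWORD(pHandlerBuffer, dwHandlerSize, 0xDEADBEEF, dwOriginalAddress);

			if (!bSuccess)
			{
				printf("Error patching import address into handler");
				return FALSE;
			}

			// Last dwHandlerSize bytes of the imported module's .text raw data.
			auto dwHandlerAddress = DWORD(pImportImageBase) + pImportTextHeader->VirtualAddress + pImportTextHeader->SizeOfRawData - dwHandlerSize;

			// Write handler to text section
			bSuccess = WriteProcessMemory(hProcess, LPVOID(dwHandlerAddress), pHandlerBuffer, dwHandlerSize, nullptr);
			if (!bSuccess)
			{
				printf("Error writing process memory");
				return FALSE;
			}

			printf("Handler address: 0x%x\r\n", dwHandlerAddress);

			// Remote address of the IAT slot: main image base + FirstThunk RVA + index.
			auto pAddress = LPVOID(DWORD(pPEB->ImageBaseAddress) + descriptor.FirstThunk + (dwOffset * sizeof(IMAGE_THUNK_DATA32)));

			// Write IAT
			bSuccess = WriteProcessMemory(hProcess, pAddress, &dwHandlerAddress, 4, nullptr);

			if (!bSuccess)
			{
				printf("Error writing process memory");
				return FALSE;
			}

			return TRUE;
		}
		// A zero Characteristics field is treated as the end of the descriptor array.
		if (!descriptor.Characteristics)
		{
			return FALSE;
		}
	}

	return FALSE;
}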
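/**
 * Redirects one imported function of a remote process to a caller-supplied handler
 * by overwriting the matching import address table (IAT) slot.
 *
 * Sequence, as visible in this function: open the target process, read its PEB and
 * main image, walk the import descriptors until one is named pModuleName, search
 * that module's import lookup table (ILT) for pFunctionName, copy the handler and
 * pass the copy to PatchDWORD with 0xDEADBEEF and the original import address
 * (presumably the placeholder is replaced by that address - confirm in PatchDWORD),
 * write the copy over the last dwHandlerSize bytes of the imported module's .text
 * raw data, then store the handler address in the IAT slot.
 *
 * Review notes:
 *  - 32-bit only: pointers are cast to DWORD, thunks are IMAGE_THUNK_DATA32 and the
 *    IAT write is 4 bytes.
 *  - On success the target carries two modifications: the tail of the imported
 *    module's .text raw data differs from the file on disk, and one IAT entry of the
 *    main image holds an address inside that tail. Comparing in-memory .text and IAT
 *    entries against the on-disk image and the module's exports shows both.
 *  - NOTE(review): ownership of the buffers returned by the ReadRemote* /
 *    FindRemote* helpers is not visible here; confirm whether they must be released.
 *
 * @param dwProcessId    Identifier of the process to open.
 * @param pModuleName    Import module name, compared case-insensitively.
 * @param pFunctionName  Imported function name, compared case-sensitively.
 * @param pHandler       Local buffer holding the handler bytes.
 * @param dwHandlerSize  Size of the handler in bytes.
 * @return TRUE when both remote writes succeeded, FALSE on any failure.
 */
BOOL HookFunction(DWORD dwProcessId, CHAR* pModuleName, CHAR* pFunctionName, 
				  PVOID pHandler, DWORD dwHandlerSize)
{
	// Reject arguments that would otherwise reach _stricmp/strcmp/memcpy as null
	// pointers or request a zero-byte allocation.
	if (!pModuleName || !pFunctionName || !pHandler || !dwHandlerSize)
	{
		printf("Invalid hook arguments\r\n");
		return FALSE;
	}

	// Only the query / VM read / VM write / VM operation rights are requested.
	HANDLE hProcess = OpenProcess
	(
		PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_OPERATION | 
			PROCESS_VM_READ | PROCESS_VM_WRITE, 
		0, 
		dwProcessId
	);

	if (!hProcess)
	{
		printf("Error opening process\r\n");
		return FALSE;
	}

	// The original never closed the handle; release it on every return path.
	struct ProcessHandleCloser
	{
		HANDLE h;
		~ProcessHandleCloser() { CloseHandle(h); }
	} closeProcess{ hProcess };

	// The returned address is only used as a success check.
	DWORD dwPEBAddress = FindRemotePEB(hProcess);

	if (!dwPEBAddress)
	{
		printf("Error finding remote PEB\r\n");
		return FALSE;
	}

	PEB* pPEB = ReadRemotePEB(hProcess);

	if (!pPEB)
	{
		printf("Error reading remote PEB\r\n");
		return FALSE;
	}

	PLOADED_IMAGE pImage = ReadRemoteImage(hProcess, pPEB->ImageBaseAddress);

	if (!pImage)
	{
		printf("Error reading remote image\r\n");
		return FALSE;
	}

	PIMAGE_IMPORT_DESCRIPTOR pImportDescriptors = ReadRemoteImportDescriptors
	(
		hProcess, 
		pPEB->ImageBaseAddress,
		pImage->FileHeader->OptionalHeader.DataDirectory
	);

	if (!pImportDescriptors)
	{
		printf("Error reading remote import descriptors\r\n");
		return FALSE;
	}

	// 0x2000 is a hard cap on descriptors examined; the walk normally ends on a name
	// match or on a descriptor whose Characteristics field is zero.
	// NOTE(review): the size of the buffer behind pImportDescriptors is not visible
	// here - confirm it covers every index this loop can reach.
	for (DWORD i = 0; i < 0x2000; i++)
	{
		IMAGE_IMPORT_DESCRIPTOR descriptor = pImportDescriptors[i];

		char* pName = ReadRemoteDescriptorName
		(
			hProcess,
			pPEB->ImageBaseAddress,
			&descriptor
		);

		if (!pName)
		{
			printf("Error reading remote descriptor name\r\n");
			return FALSE;
		}

		if (!_stricmp(pName, pModuleName))
		{
			// Number of 32-bit thunks that fit in BUFFER_SIZE; presumably the amount
			// ReadRemoteILT / ReadRemoteIAT read - confirm against those helpers.
			DWORD dwThunkArrayLen = BUFFER_SIZE / sizeof(IMAGE_THUNK_DATA32);

			PIMAGE_THUNK_DATA32 pILT = ReadRemoteILT
			(
				hProcess, 
				pPEB->ImageBaseAddress, 
				&descriptor
			);

			if (!pILT)
			{
				printf("Error reading remote ILT\r\n");
				return FALSE;
			}

			DWORD dwOffset = 0;

			for (dwOffset = 0; dwOffset < dwThunkArrayLen; dwOffset++)
			{
				PIMAGE_IMPORT_BY_NAME pImportByName = ReadRemoteImportByName
				(
					hProcess, 
					pPEB->ImageBaseAddress, 
					&pILT[dwOffset]
				);

				if (!pImportByName)
				{
					printf("Error reading remote import by name\r\n");
					return FALSE;
				}

				if (!strcmp((char*)pImportByName->Name, pFunctionName))
					break;				
			}

			// If the loop ran to completion the name was not found. The original
			// carried on with dwOffset == dwThunkArrayLen, indexing one element past
			// the thunk arrays and overwriting an unrelated slot in the target.
			if (dwOffset == dwThunkArrayLen)
			{
				printf("Could not find import %s\r\n", pFunctionName);
				return FALSE;
			}

			PIMAGE_THUNK_DATA32 pIAT = ReadRemoteIAT
			(
				hProcess,
				pPEB->ImageBaseAddress,
				&descriptor
			);

			if (!pIAT)
			{
				printf("Error reading remote IAT\r\n");
				return FALSE;
			}

			DWORD dwOriginalAddress = pIAT[dwOffset].u1.AddressOfData;

			// The value is a DWORD, not a pointer, so it is printed with an integer
			// conversion (the original passed it to %p).
			printf("Original import address: 0x%08lX\r\n", dwOriginalAddress);


			PVOID pImportImageBase = FindRemoteImageBase
			(
				hProcess, 
				pPEB, 
				pModuleName
			);

			if (!pImportImageBase)
			{
				printf("Could not find remote image base for %s\r\n", pModuleName);
				return FALSE;
			}

			PLOADED_IMAGE pImportImage = ReadRemoteImage
			(
				hProcess,
				pImportImageBase
			);

			if (!pImportImage)
			{
				printf("Could not find remote image at 0x%p\r\n", pImportImageBase);
				return FALSE;
			}

			PIMAGE_SECTION_HEADER pImportTextHeader = FindSectionHeaderByName
			(
				pImportImage->Sections, 
				pImportImage->NumberOfSections, 
				".text"
			);

			if (!pImportTextHeader)
			{
				printf("Could not find section header\r\n");
				return FALSE;
			}

			// SizeOfRawData - dwHandlerSize below is unsigned arithmetic; a handler
			// larger than the section would wrap to an unrelated address.
			if (dwHandlerSize > pImportTextHeader->SizeOfRawData)
			{
				printf("Handler does not fit in section\r\n");
				return FALSE;
			}

			BYTE* pHandlerBuffer = new BYTE[dwHandlerSize];

			// The original leaked this scratch copy on every path.
			struct HandlerBufferDeleter
			{
				BYTE* p;
				~HandlerBufferDeleter() { delete[] p; }
			} freeHandlerBuffer{ pHandlerBuffer };

			// Work on a private copy so the caller's handler bytes stay untouched.
			memcpy(pHandlerBuffer, pHandler, dwHandlerSize);

			BOOL bSuccess = PatchDWORD
			(
				pHandlerBuffer, 
				dwHandlerSize, 
				0xDEADBEEF, 
				dwOriginalAddress
			);

			if (!bSuccess)
			{
				printf("Error patching import address into handler");
				return FALSE;
			}

			// Last dwHandlerSize bytes of the imported module's .text raw data.
			DWORD dwHandlerAddress = (DWORD)pImportImageBase + 
				pImportTextHeader->VirtualAddress + 
				pImportTextHeader->SizeOfRawData - 
				dwHandlerSize;

			// Write handler to text section
			bSuccess = WriteProcessMemory
			(
				hProcess,
				(LPVOID)dwHandlerAddress, 
				pHandlerBuffer, 
				dwHandlerSize, 
				0
			);

			if (!bSuccess)
			{
				printf("Error writing process memory");
				return FALSE;
			}

			printf("Handler address: 0x%08lX\r\n", dwHandlerAddress);

			// Remote address of the IAT slot: main image base + FirstThunk RVA + index.
			LPVOID pAddress = (LPVOID)((DWORD)pPEB->ImageBaseAddress + 
				descriptor.FirstThunk + (dwOffset * sizeof(IMAGE_THUNK_DATA32)));

			// Write IAT
			bSuccess = WriteProcessMemory
			(
				hProcess,
				pAddress,
				&dwHandlerAddress, 
				4, 
				0
			);

			if (!bSuccess)
			{
				printf("Error writing process memory");
				return FALSE;
			}	

			return TRUE;
		}
		// A zero Characteristics field is treated as the end of the descriptor array.
		else if (!descriptor.Characteristics)
			return FALSE;
	}

	return FALSE;
}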