Search: hook iat
Description: IATroot is a RootKit based on hooking the imported functions in the IAT table. It is fairly complete in functionality and comes with a Native API development library and its source code.
Size: 867926 | Author: onlyu
Description: Source code of a hook development kit implemented by modifying the IAT table of a DLL file.
Size: 190464 | Author: 站长
Description: Start, Run, type sigverif.
By checking the digital signature you can tell whether it is from MS.
This mainly uses the Win32 API to verify an application or driver:
the WinVerifyTrust API. If that API is hooked, is there any other way to verify whether an application or driver is signed by Microsoft? If only the IAT has been hooked, you can call it directly through a function pointer.
If the function header has been rewritten with a jmp, the way Detours does it, you can read the location of the WinVerifyTrust implementation in WinTrust.dll and restore the function header's machine code.
I wonder whether using CryptoAPI together with a specified Microsoft certificate
would be a bit better and harder to spoof.
If you are worried about the API being hooked, write the verification code yourself; it should be easier with openssl.
Size: 200704 | Author: 齐欢乐
Description: A piece of API hooking source code implemented with a C++ class; you only need to call the function through the object.
Size: 7168 | Author: wangwei
Description: Uses the system IAT table to look up the address of the function to hook, then hooks it. This code hooks the TextOut function.
Size: 37888 | Author: 骆爽
Description: IAT HOOK. I just tried to hook an API call with John Chamberlain's source code. The code works, but nothing happens when I call CreateProcess in another application. Why?
Size: 2048 | Author: RDGMax
Description: Can find various types of system hooks, including hooks in the IAT table, the SSDT table and related places. VICE is a tool to find hooks.
Features include:
1. Looks for people hooking IATs.
2. Looks for people hooking functions in-line, aka detouring.
3. Looks for hooks in the System Call Table. Thanks to Tan, perhaps it will fix the table in the future.
4. Looks for detour hooks in the System Call Table functions themselves.
5. Looks for people hooking the IRP_MJ table in drivers. This is configurable by driver.ini.
Size: 67584 | Author: 袁晓辉
Description: Process injection / API hooking
Title: Process injection / API hooking
Description: This shows you two API hooking techniques, IAT hooking and function detouring, and also how to inject your code into another VB process and hook functions remotely. Thanks to Alex Ionescu for his injection demo. It is important that you read the readme in the "injection" directory.
This file comes from Planet-Source-Code.com ... home of millions of lines of source code.
You can view and/or vote on this code at: http://www.Planet-Source-Code.com/vb/scripts/ShowCode.asp?txtCodeId=62338&lngWId=1
The author may have retained certain copyrights on this code ... please honor their requests and review all copyright conditions at the URL above.
Size: 17408 | Author: fangxiaowang
Description: 1. Contents
2. Introduction
3. Hooking methods
3.1 Hooking before run
3.2 Hooking at run time
3.2.1 Hooking the current process via the IAT
3.2.2 Hooking the current process by rewriting the entry point
3.2.3 Preserving the original function
3.2.4 Hooking other processes
3.2.4.1 DLL injection
3.2.4.2 Standalone code
3.2.4.3 Raw modification
4. Conclusion
Size: 9216 | Author: GlenZhang
Description: This is a simple IAT Hook DLL which hooks the function send in ws2_32.dll.
Size: 2048 | Author: 12usver12
Description: Hello everyone, we meet again. Today I will tell you a new story: IAT HOOK. Before watching this story, the audience needs to have two basic abilities: 1. A macro-level understanding of what simple data structures look like in memory. 2. An understanding of how a program running in the Windows environment works. Driver tutorial.
Size: 302080 | Author: 魍酆
Description: A relatively simple and short piece of IAT HOOK assembly code.
Size: 1024 | Author: 熊
Description: Screen word-capture implementation method 2: source code of a hook development kit implemented by modifying the IAT table of a DLL file.
Size: 172032 | Author: py
Description: This tool hooks the process's winsock API and records some of the data.
2.1 Patches the static file, i.e. hooking before run.
2.2 Also modifies the IAT, the same as 1.1.
2.3 Modifies the first few bytes of the target function to jump to the new function, but no longer calls the original function; of no practical use, was the author just doing a demo?
2.4 This method (3.2.3 preserving the original function) is very COOL; its highlight and difficulty is "getting the instruction length at an arbitrary address".
I also wanted to use method 2.4 earlier, but got stuck on how to "get the instruction length at an arbitrary address" :(
Before I read the article "Hooking Windows API", I used a fairly simple and effective approach:
3.1 Copy the target function's DLL into memory, modify the first few bytes of the original target function to jump to our function, and in our function call the new copy of the original function.
AppWizard has created this xHook DLL for you.
This file contains a summary of what you will find in each of the files that
make up your xHook application.
xHook.dsp
This file (the project file) contains information at the project level and
is used to build a single project or subproject. Other users can share the
project (.dsp) file, but they should export the makefiles locally.
xHook.cpp
This is the main DLL source file.
xHook.h
This file contains your DLL exports.
/////////////////////////////////////////////////////////////////////////////
Other standard files:
StdAfx.h, StdAfx.cpp
These files are used to build a precompiled header (PCH) file
named xHook.pch and a precompiled types file named StdAfx.obj.
/////////////////////////////////////////////////////////////////////////////
Other notes:
AppWizard uses "TODO:" to indicate parts of the source code you
should add to or customize.
Size: 58368 | Author: yunfeng
Description: IAT HOOK in ring3. The IAT is an array of IMAGE_THUNK_DATA structures. Once the program is loaded into memory, it only consults the IAT for this information, so the IAT table is a very important location.
If the address of a function in the IAT table is modified to the address of a hook function, then when that function is called, execution goes into the hook function.
Size: 1024 | Author: 陈峰
Description: A while ago I published on the blog the IAT Hook technique, which made it possible to divert a function call via the import table.
But it has its limits: if you set a hook after the program has already retrieved the function's address, it won't work. Likewise if the program used GetProcAddress.
So here we change tactics: rather than modifying the function's address, we modify the function's code to make it jump, via the JMP instruction (0xE9), to our function.
To do this I had to compute the size of the instructions, so I used the x86ime project.
Size: 278528 | Author: Lord Noteworthy
Description: This is a DLL project. By injecting it into another process it can capture that process's network send/receive data. (Technique used: IAT HOOK; it can intercept send(), recv() and other network send/receive functions.)
Size: 4096 | Author: collin
Description: API hook class; traverses the IAT table to hook functions in a specified module. Useful when hooking a single function.
Size: 6144 | Author: hkcly
Description: IATroot is a RootKit based on hooking the imported functions in the IAT table. It is fairly complete in functionality and comes with a Native API development library and its source code.
Size: 1024 | Author: orce
Description: IAT HOOK and EAT HOOK in Ring 3 are a kind of hook that changes function addresses, similar to SSDT HOOK.
Size: 53248 | Author: 石林