Search - IAT HOOK

Search list

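[Hook api] shuziqianming_D7

Description: Start, Run, type sigverif; checking the digital signature tells you whether a file is from MS. Verifying an application or driver is mainly done with the Win32 API WinVerifyTrust. If that API is hooked, is there any other way to verify whether an application or driver is signed by Microsoft? If only the IAT has been hooked, you can call the function directly through a function pointer. If the function header was overwritten with a jmp, as Detours does, you can read the location of the WinVerifyTrust implementation in WinTrust.dll and restore the machine code of the function header. I don't know whether using CryptoAPI together with a specified Microsoft certificate would be a bit better and harder to fool. If you are worried about the API call being hooked, write the verification code yourself; it should be easier with openssl.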
Platform: | Size: 201211 | Author: 下雨天 | Hits:

[Hook api] APIHook_Using_IAT

Description: Uses the system IAT to look up the address of the function to hook, then installs the hook. This code hooks the TextOut function.
Platform: | Size: 38641 | Author: 骆爽 | Hits:

[SourceCode] HOOKIAT

Description: IAT hook; intercepts API parameters.
Platform: | Size: 6613 | Author: 3498124@qq.com | Hits:

[Hook api] Defender

Description: System monitoring demo written in VC++6.0, including the main program and a DLL, for demonstration only. The DLL is injected into all processes using a global hook and rewrites the process IAT when the DLL is loaded. This program demonstrates intercepting MessageBox and MessageBeep.
Platform: | Size: 6360064 | Author: 孙新 | Hits:

[Windows Develop] HookImportFunction

Description: Mainly used to hook Windows APIs; it can of course also hook other specified functions. The method is to modify the process IAT, which is simple and practical.
Platform: | Size: 3072 | Author: jinxin | Hits:

[Hook api] withdll

Description: Very useful; best to take a look when learning hooking. It automates the complicated process of modifying the IAT, freeing up your brain and hands.
Platform: | Size: 3072 | Author: jimmy | Hits:

[Hook api] rewolf.hooklib.v1.0

Description: Small hook library. It contains three methods of hooking: - IAT hooks - import table hooks, functions are hooked only in one module (IAT owner module) - EAT hooks - export table hooks, functions are hooked for all modules (modules loaded after setting EAT hook). EAT hooks also work with GetProcAddress. - HP hooks - a kind of Detours-style hook, HP hooks are based on the Hot Patching mechanism, functions are hooked for all modules (loaded before and after setting hook)
Platform: | Size: 28672 | Author: GamingMasteR | Hits:

[Hook api] APIHOOKIAT

Description: An IAT hook example; I hope everyone likes it. It took me a long time to find.
Platform: | Size: 37888 | Author: beaton | Hits:

[Hook api] dll_IAT

Description: Implements API hooking by modifying the IAT; compiles successfully.
Platform: | Size: 7278592 | Author: 李晓 | Hits:

[Hook api] apihook_Code

Description: Implements hooking by modifying the IAT (import address table).
Platform: | Size: 191488 | Author: 李晓 | Hits:

[Sniffer Package capture] xHook

Description: This tool hooks a process's winsock API and logs some of the data. 2.1 Patch the static file, i.e. hook before running. 2.2 Also modifies the IAT, same as 1.1. 2.3 Modify the first few bytes of the target function to jump to the new function, but the original function is no longer called, so it has no practical use; is the author just demonstrating? 2.4 This method (3.2.3 saving the original function) is very cool; its highlight and its difficulty is "getting the instruction length at an arbitrary address". I had wanted to use method 2.4 before as well, but got stuck on how to "get the instruction length at an arbitrary address" :( Before I saw the article "Hooking Windows API", I used a fairly simple and effective approach: 3.1 Copy the target function's DLL into memory, modify the first few bytes of the original target function to jump to our function, and call the new copy of the original function from our function. - AppWizard has created this xHook DLL for you. This file contains a summary of what you will find in each of the files that make up your xHook application. xHook.dsp: This file (the project file) contains information at the project level and is used to build a single project or subproject. Other users can share the project (.dsp) file, but they should export the makefiles locally. xHook.cpp: This is the main DLL source file. xHook.h: This file contains your DLL exports. Other standard files: StdAfx.h, StdAfx.cpp: These files are used to build a precompiled header (PCH) file named xHook.pch and a precompiled types file named StdAfx.obj. Other notes: AppWizard uses "TODO:" to indicate parts of the source code you should add to or customize.
Platform: | Size: 58368 | Author: yunfeng | Hits:

[Hook api] CAPIHook

Description: API hook class; walks the IAT to hook functions in a specified module. Useful when hooking a single function.
Platform: | Size: 6144 | Author: hkcly | Hits:

[Hook api] CodeHook_1.5a

Description: Hooks the IAT.
Platform: | Size: 35840 | Author: Lukas Linares | Hits:

[Other Databases] HookIAT

Description: IATroot is a rootkit based on hooking the imported functions in the IAT. It is fairly complete in functionality and comes with a Native API development library and source code.
Platform: | Size: 1024 | Author: orce | Hits:

[Technology Management] HOOKCreateFile

Description: Hooks the CreateFile API function by modifying the IAT (import table); the custom function is as follows
Platform: | Size: 4096 | Author: 李兰 | Hits:

[Driver Develop] IATTableHook

Description: IATTableHook.rar: IAT hook inside a driver; works very well, much better than R3.
Platform: | Size: 7168 | Author: 敏敏 | Hits:

[Other] PCHunter_free

Description: 1. View process, thread, process module, process window and process memory information; kill processes, kill threads, unload modules and similar functions. 2. View kernel driver modules; supports memory copy of kernel driver modules. 3. View SSDT, Shadow SSDT, FSD, KBD, TCPIP, Classpnp, Atapi, Acpi, SCSI, IDT and GDT information; can detect and restore SSDT hooks and inline hooks. 4. View Notify Routine information for CreateProcess, CreateThread, LoadImage, CmpCallback, BugCheckCallback, Shutdown, Lego and others, with support for deleting these Notify Routines. 5. View port information; Windows 2000 is currently not supported. 6. View message hooks. 7. Detect and restore IAT, EAT, inline hooks and patches in kernel modules. 8. Detect filter drivers for disk, volume, keyboard, network layer and so on, with support for deleting them.
Platform: | Size: 6559744 | Author: aa77ss55dd | Hits:

CodeBus www.codebus.net