IAT随便HOOK+反检测方法.docxVIP

防IAT检测方法：IAT在指定目标文件的PE结构里面指定了的，我们把自己内存里面做了修改，没有修改目标文件，只要不让目标文件被其他文件映射，读取PE结构和我们内存中修改过的比较，保证能反一切IAT检测。用法： 代码:????HookImage(ZwSetInformationFile,(DWORD)MyZwSetInformationFile);????HookImage(NtTerminateProcess,(DWORD)MyNtTerminateProcess);????HookImage(NtTerminateThread,(DWORD)MyNtTerminateThread);????HookImport(KERNEL32.DLL,ExitProcess,(DWORD)MyNtTerminateProcess);????RemoveImage(NtTerminateProcess);代码 代码:/********************************************挂钩目标程序kernel32.dll里面输入的ntdll.dll的函数********************************************/DWORD?HookImage(char?*szName,DWORD?Newfunc){??HMODULE?hMod=LoadLibrary(NTDLL);??DWORD?RealAddr=(DWORD)GetProcAddress(hMod,szName);??UINT?Size=0;??hMod=LoadLibrary(kernel32.dll);????PIMAGE_IMPORT_DESCRIPTOR?pImport=(PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData?????????????????????????????????????????????????(hMod,TRUE,IMAGE_DIRECTORY_ENTRY_IMPORT,Size);?????????????????????????????????????????????????if(pImport==NULL)????{????????return?FALSE;????}?????IMAGE_THUNK_DATA32?*Pthunk=(IMAGE_THUNK_DATA32*)((DWORD)hMod+pImport-FirstThunk);????MEMORY_BASIC_INFORMATION?mbi;????VirtualQuery(Pthunk,mbi,sizeof(MEMORY_BASIC_INFORMATION));????VirtualProtect(mbi.BaseAddress,mbi.RegionSize,PAGE_READWRITE,mbi.Protect);??while(Pthunk-u1.Function)??{????if(RealAddr==Pthunk-u1.Function)????{??????Pthunk-u1.Function=Newfunc;??????break;????}????Pthunk++;??}????DWORD?protect;????VirtualProtect(mbi.BaseAddress,mbi.RegionSize,mbi.Protect,protect);??return?TRUE;}/********************************************挂钩目标程序输入表里面的函数********************************************/DWORD?HookImport(char?*szDLL,char?*szName,DWORD?Newfunc){????DWORD?protect;??UINT?Size=0;??HMODULE?hMod=GetModuleHandle(NULL);????MEMORY_BASIC_INFORMATION?mbi;????????PIMAGE_IMPORT_DESCRIPTOR?pImport=(PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData?????????????????????????????????????????????????????????(hMod,TRUE,IMAGE_DIRECTORY_ENTRY_IMPORT,Size);?////改写内存保护，以便转换大小写???VirtualQuery(pImport,mbi,sizeof