将dll注入到release版exe中,用xuetr发现MessageboxA已经被挂钩但是hook失败,注入到debug版中hook成功,为啥呢?
@小甲鱼 @人造人
dll代码:
- #include <windows.h>
- #include <imagehlp.h>
- #include <stdio.h>
- #include "process.h"
- #pragma comment(lib,"IMAGEHLP.lib")
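/*
 * ReplaceIAT - overwrite one entry of the calling executable's Import Address
 * Table (IAT) so that the EXE's calls to an imported API land in iNewApi.
 *
 * Only the main module (GetModuleHandle(NULL)) is walked: imports of other
 * DLLs loaded in the process, and calls resolved at run time through
 * GetProcAddress, are not touched.
 *
 * pDllName [in]  - name of the DLL the API is imported from, e.g. "user32.dll"
 *                  (compared case-insensitively against the descriptor name)
 * pApiName [in]  - name of the imported API; ordinal-only imports are skipped
 * iNewApi  [in]  - address of the replacement function
 * pOldApi  [out] - receives the original IAT entry (the real API address)
 *
 * Returns 0 on success,
 *         1 if the module has no import directory,
 *         2 if pDllName is not among the module's imports,
 *         3 if pApiName is not found in that DLL's import list,
 *         4 if the IAT page could not be queried / made writable.
 * The original returned 0 even when the walk finished without a match, so a
 * hook that silently did nothing was indistinguishable from success.
 */
int ReplaceIAT(const char *pDllName, const char *pApiName, INT_PTR iNewApi, INT_PTR *pOldApi)
{
    // Image base of the executable that loaded this DLL; all RVAs in the
    // import tables are relative to it.
    HMODULE hModule = ::GetModuleHandle(NULL);
    PBYTE pBase = (PBYTE)hModule;
    DWORD dwSize = 0;
    PIMAGE_IMPORT_DESCRIPTOR pImageImport = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(
        hModule, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &dwSize);
    if (NULL == pImageImport)
        return 1;

    // Locate the import descriptor for the requested DLL (terminated by Name == 0).
    for (; pImageImport->Name; ++pImageImport)
    {
        const char *pModName = (const char *)(pBase + pImageImport->Name);
        if (0 == _stricmp(pModName, pDllName))
            break;
    }
    if (!pImageImport->Name)
        return 2;

    // OriginalFirstThunk (import name table) keeps the names; FirstThunk (IAT)
    // holds the resolved addresses the EXE actually calls through. Both arrays
    // run in parallel and end with a zero entry.
    PIMAGE_THUNK_DATA pThunkName = (PIMAGE_THUNK_DATA)(pBase + pImageImport->OriginalFirstThunk);
    PIMAGE_THUNK_DATA pThunkAddr = (PIMAGE_THUNK_DATA)(pBase + pImageImport->FirstThunk);

    for (; pThunkName->u1.AddressOfData; ++pThunkName, ++pThunkAddr)
    {
        // Ordinal-only imports carry no name to compare against.
        if (IMAGE_SNAP_BY_ORDINAL(pThunkName->u1.Ordinal))
            continue;

        PIMAGE_IMPORT_BY_NAME pImportByName =
            (PIMAGE_IMPORT_BY_NAME)(pBase + pThunkName->u1.AddressOfData);
        if (0 != _stricmp(pApiName, (const char *)pImportByName->Name))
            continue;

        // The IAT is read-only once the loader has filled it in; open the
        // containing region for writing just long enough to patch one slot.
        MEMORY_BASIC_INFORMATION mbi;
        if (0 == VirtualQuery(pThunkAddr, &mbi, sizeof(mbi)))
            return 4;
        DWORD dwOldProtect = 0;
        if (!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_READWRITE, &dwOldProtect))
            return 4;

        *pOldApi = (INT_PTR)pThunkAddr->u1.Function;
        // Pointer-sized store: the original (DWORD) cast truncates the address
        // in a 64-bit build.
        pThunkAddr->u1.Function = (DWORD_PTR)iNewApi;

        DWORD dwIgnored = 0;
        VirtualProtect(mbi.BaseAddress, mbi.RegionSize, dwOldProtect, &dwIgnored);
        return 0;
    }
    return 3;
}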
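// Signature of the function being hooked. MessageBoxA takes ANSI (LPCSTR)
// strings; the original typedef declared LPCWSTR, which made the detour hand a
// wide literal to an ANSI API (shown as garbage, or cut at the first NUL byte).
typedef int (WINAPI *MESSAGEBOXA)(HWND, LPCSTR, LPCSTR, UINT);

// Original MessageBoxA entry, filled in by ReplaceIAT so the detour can forward to it.
MESSAGEBOXA fpMessageBoxA = NULL;

// Detour installed in place of MessageBoxA: replaces the message text and
// forwards everything else to the original function.
int WINAPI DetourMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
    (void)lpText; // deliberately replaced below

    // ReplaceIAT stores the original pointer before swapping the IAT slot, so
    // this should not trigger; returning 0 mirrors MessageBoxA's failure value.
    if (fpMessageBoxA == NULL)
        return 0;

    return fpMessageBoxA(hWnd, "Hookedbybybyby!", lpCaption, uType);
}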
// Worker started by DllMain via _beginthread: installs the IAT hook for
// user32!MessageBoxA and saves the original entry in fpMessageBoxA.
// The status code from ReplaceIAT is not acted on here (same as before).
void ThreadProc(void *param)
{
    (void)param; // unused; DllMain passes NULL

    const int rc = ReplaceIAT("user32.dll", "MessageBoxA",
                              (INT_PTR)DetourMessageBoxA,
                              (INT_PTR *)&fpMessageBoxA);
    (void)rc;
}
// DLL entry point. On process attach it launches notepad and starts a worker
// thread that installs the hook; the thread/detach notifications are no-ops.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    (void)hinstDLL;
    (void)lpvReserved;

    if (fdwReason == DLL_PROCESS_ATTACH)
    {
        // NOTE(review): DllMain executes while the loader lock is held;
        // Microsoft's DllMain guidance advises against spawning processes or
        // threads from it — confirm this is acceptable for this demo.
        WinExec("notepad", SW_NORMAL);
        _beginthread(ThreadProc, 0, NULL); // hook is installed asynchronously
    }
    // DLL_PROCESS_DETACH, DLL_THREAD_ATTACH, DLL_THREAD_DETACH: nothing to do.

    return TRUE;
}
exe代码:
- #include "stdafx.h"
- #include "stdio.h"
- #include "windows.h"
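// Test host: prints a banner, then shows a MessageBoxA each time Enter is
// pressed so an injected hook on that import can be observed.
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;

    // The original wrote "test---/n": a literal slash-n, not a newline.
    printf("test---\n");
    fflush(stdout); // make the banner visible even when stdout is redirected

    while (1)
    {
        getchar(); // block until Enter
        MessageBoxA(NULL, "原函数", "09HookDemo", 0);
    }
    return 0;
}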