包含hook函式的dll是通過 SetWindowsHookEx 函式加載的:
g_hHookLlKbd = SetWindowsHookEx( WH_KEYBOARD_LL, DssLlKbdProc, g_hModule, 0 );
g_hHookCassWnd = SetWindowsHookEx( WH_CBT, DssCBTProc, g_hModule, 0 );
g_MouseHook = SetWindowsHookEx(WH_MOUSE, MouseProc, g_hModule, 0);
在dll的dllmain函式里對系統函式進行hook:
LhInstallHook(CreateFileMappingA, MyCreateFileMappingA, NULL, &g_HookHandle[i++]);
LhInstallHook(CreateFileMappingW, MyCreateFileMappingW, NULL, &g_HookHandle[i++]);
MyCreateFileMappingW函式的實作:
HANDLE WINAPI MyCreateFileMappingW(
__in HANDLE hFile,
__in_opt LPSECURITY_ATTRIBUTES lpAttributes,
__in DWORD flProtect,
__in DWORD dwMaximumSizeHigh,
__in DWORD dwMaximumSizeLow,
__in_opt LPCWSTR lpName
)
{
if (NULL == g_pfnCreateFileMappingW) return FALSE;
MyOutputDebugMsgW(L"%s, %d, lpName=%s", __WFILE__, __LINE__, lpName);
HANDLE handle = NULL;
if (StrStrIW(lpName, L"shared_memory_content_wps_starup_object"))
{
wstring str = L"wps_starup_object_";
str += DssCreateGuidw();
MyOutputDebugMsgW(L"%s, %d, str=%s", __WFILE__, __LINE__, str);
handle = g_pfnCreateFileMappingW(hFile, lpAttributes, flProtect, dwMaximumSizeHigh, dwMaximumSizeLow, str.c_str());
}
else
{
handle = g_pfnCreateFileMappingW(hFile, lpAttributes, flProtect, dwMaximumSizeHigh, dwMaximumSizeLow, lpName);
}
return handle;
}
目的是讓wps行程創建時,不要建立“\Sessions\2\BaseNamedObjects\shared_memory_content_wps_starup_object_{DEB796DA-F98E-48A4-AE1E-71411184820E}” 這個記憶體映射檔案,可是MyCreateFileMappingW函式里并沒有發現創建這個物件。如下圖,
那么,這個物件到底怎么創建出來的呢。 Process Explorer 里邊的section不就是映射檔案的意思嗎?
轉載請註明出處,本文鏈接:https://www.uj5u.com/gongcheng/267571.html
標籤:進程/線程/DLL
上一篇:求一個c++ 實作的事件委托