Intercepting an API by modifying a module's import section; this is the source code from Windows Core Programming (Windows via C/C++). I typed it in today and ran into a small problem.
I want to hook kernel32's ExitProcess, and the hook does take effect, but after the call is intercepted the system throws an exception. Looking into it, it seems to be a calling-convention problem with the function. I have changed it many times and it still does not work.

Here is the DLL code, just one simple function:

    // DLLLL.h
    #pragma once
    #include <windows.h>
    #ifndef MYDLLAPI
    #define MYDLLAPI extern "C" __declspec(dllimport)
    #endif
    // The replacement must have exactly the calling convention and signature of
    // the function it stands in for: VOID WINAPI ExitProcess(UINT). WINAPI is
    // __stdcall, where the callee pops its arguments; a plain __cdecl function
    // leaves the stack unbalanced when it returns to the hooked caller.
    MYDLLAPI void WINAPI Add(UINT uExitCode);

    // DLLLL.cpp
    #include "stdafx.h"
    // The DLL itself must export the symbol; the original had dllimport here as well.
    #define MYDLLAPI extern "C" __declspec(dllexport)
    #include "DLLLL.h"
    #ifndef _WIN64
    // On x86, extern "C" __stdcall exports the decorated name _Add@4; alias it to
    // plain "Add" so GetProcAddress(Module, "Add") in the caller finds it.
    #pragma comment(linker, "/EXPORT:Add=_Add@4")
    #endif
    void WINAPI Add(UINT uExitCode){
        MessageBox(GetForegroundWindow(), TEXT("HACKED!"), TEXT("干啥玩意呢"), MB_OKCANCEL);
    }
Here is the hooking part:

    #include <windows.h>
    #include <iostream>
    #include <Dbghelp.h>
    #pragma comment(lib, "Dbghelp.lib")   // ImageDirectoryEntryToData lives here

    // Pointer type of the function being replaced. It must match ExitProcess exactly:
    // VOID WINAPI ExitProcess(UINT). The original typedef was void(*)(int), i.e. __cdecl,
    // so once the hook returned the stack was unbalanced and the process faulted.
    typedef void (WINAPI *T)(UINT);

    // Walk hmodCaller's import directory; in the descriptor for pszCalleeModName,
    // overwrite the IAT slot that currently holds pfnCurrent with pfnNEW.
    void ReplaceIATEntryInOneMod(PCSTR pszCalleeModName, T pfnCurrent, T pfnNEW, HMODULE hmodCaller){
        ULONG ulSize;
        PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)
            ImageDirectoryEntryToData(hmodCaller, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize);
        if (pImportDesc == NULL){
            return;   // module has no import section
        }
        for (; pImportDesc->Name; pImportDesc++){
            PSTR pszModName = (PSTR)((PBYTE)hmodCaller + pImportDesc->Name);
            if (lstrcmpiA(pszModName, pszCalleeModName) != 0){
                continue;
            }
            // FirstThunk points at the IAT: one slot per imported function, zero-terminated
            PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)((PBYTE)hmodCaller + pImportDesc->FirstThunk);
            for (; pThunk->u1.Function; pThunk++){
                T* ppfn = (T*)&pThunk->u1.Function;
                if (*ppfn != pfnCurrent){
                    continue;
                }
                // The IAT page is normally read-only: on ERROR_NOACCESS make it writable, write, restore
                if (!WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNEW, sizeof(pfnNEW), NULL)
                    && (ERROR_NOACCESS == GetLastError())){
                    DWORD dwOldProtect;
                    if (VirtualProtect(ppfn, sizeof(pfnNEW), PAGE_WRITECOPY, &dwOldProtect)){
                        WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNEW, sizeof(pfnNEW), NULL);
                        VirtualProtect(ppfn, sizeof(pfnNEW), dwOldProtect, &dwOldProtect);
                    }
                }
                return;   // slot patched
            }
        }
    }

    int main(){
        T pfnOrig = (T)GetProcAddress(GetModuleHandle(TEXT("Kernel32.dll")), "ExitProcess");
        // NULL returns the handle of the calling EXE itself, whatever it is named
        HMODULE hmodCaller = GetModuleHandle(NULL);
        if (hmodCaller == NULL){
            std::cout << "NO B354" << GetLastError() << std::endl;
            return 1;
        }
        HMODULE Module = LoadLibrary(TEXT("E:\\QTC\\DLLLL\\Debug\\DLLLL.dll"));
        if (Module == NULL){
            std::cout << "NO B3" << GetLastError() << std::endl;
            return 1;
        }
        T FA = (T)GetProcAddress(Module, "Add");
        if (FA == NULL){
            std::cout << "NO ADD" << GetLastError() << std::endl;
            return 1;
        }
        ReplaceIATEntryInOneMod("kernel32.dll", pfnOrig, FA, hmodCaller);
        ExitProcess(0);   // resolved through this EXE's IAT, so it now lands in Add and returns
        //std::cout << "CONTINUE" << std::endl;
        //Sleep(INFINITE);
    }
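As an added example (not the poster's code or anything from the uj5u thread), here is the defender's side of the same IAT walk: a check that counts import slots whose target no longer lies inside the module that is supposed to supply them, which is exactly the state the hook above leaves behind. It mirrors the 32-bit IMAGE_IMPORT_DESCRIPTOR and IMAGE_THUNK_DATA layouts with local typedefs and runs over a constructed in-memory image, so it compiles without windows.h; the module name, address range and IAT values are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Local mirrors of the 32-bit IMAGE_IMPORT_DESCRIPTOR and IMAGE_THUNK_DATA layouts,
   so the walk compiles without windows.h (example-only definitions). */
typedef struct { uint32_t OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk; } ImportDesc;
typedef struct { uint32_t Function; } Thunk;
/* Address range a loaded module occupies (constructed here; GetModuleInformation supplies it live). */
typedef struct { const char *name; uint32_t lo, hi; } ModuleRange;

static int name_eq_nocase(const char *a, const char *b) { /* ASCII-letter case fold */
    for (; *a && *b; a++, b++)
        if ((*a | 0x20) != (*b | 0x20)) return 0;
    return *a == *b;
}

/* Same traversal as ReplaceIATEntryInOneMod (descriptors end at Name == 0, each IAT at
   Function == 0). Counts slots whose target lies outside the range of the module the
   descriptor names: a slot pointing into another module is the mark of an IAT hook. */
int count_hooked_iat_slots(const uint8_t *base, const ImportDesc *desc,
                           const ModuleRange *mods, size_t nmods) {
    int hits = 0;
    for (; desc->Name; desc++) {
        const char *modname = (const char *)(base + desc->Name);
        const ModuleRange *m = NULL;
        for (size_t i = 0; i < nmods && !m; i++)
            if (name_eq_nocase(mods[i].name, modname)) m = &mods[i];
        if (!m) continue;                          /* module not in the list: cannot judge */
        for (const Thunk *t = (const Thunk *)(base + desc->FirstThunk); t->Function; t++)
            if (t->Function < m->lo || t->Function >= m->hi) hits++;
    }
    return hits;
}

/* Constructed in-memory image: descriptors at offset 0, module name at 64, IAT at 96. */
int demo(void) {
    static uint32_t words[64];                     /* 256 bytes, 4-byte aligned */
    uint8_t *img = (uint8_t *)words;
    memset(words, 0, sizeof words);
    ImportDesc *d = (ImportDesc *)img;
    d[0].Name = 64; d[0].FirstThunk = 96;          /* d[1] stays zero: list terminator */
    strcpy((char *)img + 64, "KERNEL32.dll");
    Thunk *iat = (Thunk *)(img + 96);
    iat[0].Function = 0x77012340u;                 /* genuine: inside kernel32's range */
    iat[1].Function = 0x10001000u;                 /* redirected into an injected DLL */
    iat[2].Function = 0x770ABCD0u;                 /* genuine; iat[3] == 0 terminates */
    const ModuleRange mods[] = { { "kernel32.dll", 0x77000000u, 0x77100000u } };
    return count_hooked_iat_slots(img, d, mods, 1);   /* 1 */
}
```

On a live process the same loop runs over the real import directory returned by ImageDirectoryEntryToData, with module ranges taken from the loaded-module list.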
uj5u.com helpful user reply:
Urgent, someone please help!........
uj5u.com helpful user reply:
If the system has 360 (or other antivirus software) installed, this code of yours cannot possibly run successfully. All antivirus products are already running beforehand and have hooked every DLL in advance; the code you call will jump into their hooks, and the antivirus's security mechanism will judge whether the call is legitimate. A hook like yours gets flagged as illegal by the antivirus and simply rejected. Even if you turn off the antivirus and the code tests fine, it only affects apps that call the system kernel after your own code has started. Can you guarantee someone's PC or server does not have 360 installed? I suggest you drop this approach; it is pointless.
Please credit the source when reproducing; link to this article: https://www.uj5u.com/net/99175.html
Tags: VC.NET
