C++ WriteProcessMemory在函数内部失败_C++_Winapi_Hook_User32 - Fatal编程技术网

C++ WriteProcessMemory在函数内部失败


嗨，我是函数钩子（hooking）的新手，正在使用一篇文章中的代码

这是我的代码

#include <windows.h>

#include <iostream>

// Intended to hold the address of the real MessageBoxA. Note that main()
// declares a local of the same name, so this file-scope variable is never
// assigned and keeps its NULL initializer.
FARPROC messageBoxAddress = NULL;
// The first 6 bytes of MessageBoxA as read before patching, kept so the hook
// can write them back.
unsigned char messageBoxOriginalBytes[6] = { 0 };
// Out-parameter for WriteProcessMemory, shared by main() and the hook.
SIZE_T bytesWritten = 0;

// Replacement for MessageBoxA installed by main(): prints a marker, tries to
// put MessageBoxA's original first 6 bytes back, then calls MessageBoxA.
//
// Why the output repeats: `messageBoxAddress` here is the file-scope global,
// which main() never assigns (it declares a local with the same name), so the
// WriteProcessMemory below targets NULL and fails (the 998 / ERROR_NOACCESS
// the author saw). MessageBoxA therefore still begins with the patch, and the
// call on the last line re-enters this hook -- unbounded recursion.
// hWnd and uType are ignored; the forwarded call always uses NULL and MB_OK.
int __stdcall HookedMessageBox(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType) {

    printf("la la la ");

    printf("\n");

    // Intended to restore the original bytes so the call below reaches the
    // real function; neither the return value nor bytesWritten is checked.
    WriteProcessMemory(GetCurrentProcess(), (LPVOID)messageBoxAddress, messageBoxOriginalBytes, sizeof(messageBoxOriginalBytes), &bytesWritten);

    // Still patched (see above), so this lands back in HookedMessageBox.
    return MessageBoxA(NULL, lpText, lpCaption, MB_OK);

}


// Demo: overwrite the first 6 bytes of MessageBoxA in this process with
// `push <HookedMessageBox>; ret` (68 <imm32> C3), then call MessageBoxA.
// 32-bit only: the patch copies just 4 bytes of the function pointer.
int main()
{

    SIZE_T bytesRead = 0;

    // Handle is never released with FreeLibrary; harmless for a demo that exits.
    HINSTANCE library = LoadLibraryA("user32.dll");

    // NOTE(review): this declares a NEW local that shadows the file-scope
    // messageBoxAddress. The global therefore stays NULL, which is why the
    // restore inside HookedMessageBox fails while the write below succeeds.
    FARPROC messageBoxAddress =GetProcAddress(library, "MessageBoxA");

    // Save the bytes the patch will overwrite (return value unchecked).
    ReadProcessMemory(GetCurrentProcess(), messageBoxAddress, messageBoxOriginalBytes, 6, &bytesRead);

    void* hookedMessageBoxAddress = &HookedMessageBox;

    // 68 <imm32> C3: push the hook's address, then ret into it.
    char patch[6] = { 0 };

    memcpy_s(patch, 1, "\x68", 1);

    // Copies only the low 4 bytes of the pointer: correct on a 32-bit build,
    // truncates the address on x64.
    memcpy_s(patch + 1, 4, &hookedMessageBoxAddress, 4);

    memcpy_s(patch + 5, 1, "\xC3", 1);


    // Writes into our own process; result and bytesWritten are not checked.
    WriteProcessMemory(GetCurrentProcess(), (LPVOID)messageBoxAddress, patch, sizeof(patch), &bytesWritten);


    // Now enters HookedMessageBox (and, as written, recurses -- see the hook).
    MessageBoxA(NULL, "hello", "Welcome", MB_OK);

    return 0;
}
问题是我只想让它输出一次“la la la”

但它却输出了上千个“la la la”

int main()中的WriteProcessMemory可以工作,但“HookedMessageBox”中的WriteProcessMemory不能工作

有人能给我一个解决办法吗

我还想坚持使用最基本的做法。虽然有 Detours 之类的库，但坚持基础方法有助于我理解其中的原理


我尝试用 GetLastError() 获取错误码，得到的是 998，据网上搜索它表示拒绝访问

这称为钩子递归,要解决这个问题,需要使用蹦床钩子

蹦床钩子和普通的 detour 类似：它先跳转到你的代码，再跳回原函数中 jmp 指令之后的地址，这样就不会一遍又一遍地执行你的代码

在本进程内部操作时不需要使用 WriteProcessMemory()，而且也不应该在钩子函数内部修改钩子本身

下面是我针对你的问题给出的解决方案，它使用了蹦床钩子，希望结合代码会更容易理解：

#include <iostream>
#include <Windows.h>

// Overwrite the first 5 bytes of src with `jmp rel32` (E9 <rel32>) to dst.
// Returns false only when len < 5; VirtualProtect failures are not detected.
// 32-bit only: the rel32 store below is an intptr_t-sized write, which is
// 8 bytes on an x64 build and would spill 3 bytes past the 5-byte jmp.
bool Detour32(char* src, char* dst, const intptr_t len)
{
    if (len < 5) return false;

    // Make the patched range writable (return value unchecked).
    DWORD  curProtection;
    VirtualProtect(src, len, PAGE_EXECUTE_READWRITE, &curProtection);

    // Numerically dst - src - 5: rel32 is relative to the end of the jmp.
    intptr_t  relativeAddress = (intptr_t)(dst - (intptr_t)src) - 5;

    *src = (char)'\xE9';
    // Unaligned, type-punned store; memcpy would be the well-defined spelling.
    *(intptr_t*)((intptr_t)src + 1) = relativeAddress;

    // Restore the previous protection; the second &curProtection is just the
    // required out-parameter and its value is discarded.
    VirtualProtect(src, len, curProtection, &curProtection);
    return true;
}

// Install a trampoline hook on src: copies the first len bytes of src into a
// fresh executable "gateway", appends `jmp src+len`, then detours src to dst.
// Returns the gateway (call it to reach the original) or 0 if len < 5.
// The gateway is never freed, VirtualAlloc's result is not checked (a NULL
// would make the memcpy below write to address 0), and Detour32's result is
// ignored. Assumes the first len bytes of src are whole, position-independent
// instructions -- nothing here disassembles or relocates them.
char* TrampHook32(char* src, char* dst, const intptr_t len)
{
    // Need room for the 5-byte jmp that Detour32 writes
    if (len < 5) return 0;

    // Create the gateway (len + 5 for the overwritten bytes + the jmp)
    void* gateway = VirtualAlloc(0, len + 5, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    // Write the stolen bytes into the gateway
    memcpy(gateway, src, len);

    // rel32 for a jmp located at gateway+len that lands on src+len:
    // (src + len) - (gateway + len + 5) == src - gateway - 5
    intptr_t  gatewayRelativeAddr = ((intptr_t)src - (intptr_t)gateway) - 5;

    // Add the jmp opcode to the end of the gateway
    *(char*)((intptr_t)gateway + len) = 0xE9;

    // Store the rel32. This is an intptr_t-sized write: 4 bytes on a 32-bit
    // build, 8 on x64, where it would run past the len + 5 bytes requested.
    *(intptr_t*)((intptr_t)gateway + len + 1) = gatewayRelativeAddr;

    // Perform the detour (bool result ignored)
    Detour32(src, dst, len);

    return (char*)gateway;
}

// Signature used to call MessageBoxA. NOTE(review): LPCTSTR follows the
// UNICODE macro (it is LPCWSTR when UNICODE is defined), but the function
// hooked is the ANSI MessageBoxA whose string parameters are LPCSTR; using
// LPCSTR here (and in hkMessageBoxA) would match on every build.
typedef int(__stdcall* tMessageBoxA)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
// Set by main(): first the real MessageBoxA, then the gateway returned by
// TrampHook32, which is what hkMessageBoxA calls through.
tMessageBoxA oMessageBoxA = nullptr;

// Hook body: ignores the caller's lpText, substitutes a fixed string, and
// forwards everything else to the original MessageBoxA through the gateway
// stored in oMessageBoxA.
int __stdcall hkMessageBoxA(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType)
{
    (void)lpText;
    return oMessageBoxA(hWnd, "hax0red", lpCaption, uType);
}

// Demo driver: resolve the real MessageBoxA, replace oMessageBoxA with the
// gateway returned by TrampHook32, then trigger the hook once.
// GetModuleHandleA/GetProcAddress results are not checked, and a 0 return
// from TrampHook32 would leave oMessageBoxA NULL.
int main()
{
    HMODULE user32 = GetModuleHandleA("user32.dll");
    tMessageBoxA realMessageBoxA = (tMessageBoxA)GetProcAddress(user32, "MessageBoxA");
    oMessageBoxA = realMessageBoxA;

    // 5 = number of prologue bytes stolen into the gateway; must cover whole
    // instructions of MessageBoxA.
    oMessageBoxA = (tMessageBoxA)TrampHook32((char*)realMessageBoxA, (char*)hkMessageBoxA, 5);

    MessageBoxA(NULL, "Body Message", "Title Here", MB_OK);

    return 0;
}
#包括
#包括
布尔绕道32(char*src、char*dst、const intptr\t len)
{
如果(len<5)返回false;
德沃德保护;
虚拟保护(src、len、PAGE\u EXECUTE\u READWRITE和curProtection);
intptr_t relativeAddress=(intptr_t)(dst-(intptr_t)src)-5;
*src=(char)'\xE9';
*(intptr_t*)((intptr_t)src+1)=相对地址;
虚拟保护(src、len、curProtection和curProtection);
返回true;
}
char*32(char*src、char*dst、const intptr\t len)
{
//确保长度大于5
如果(len<5)返回0;
//创建网关(被覆盖字节的len+5+jmp)
void*gateway=VirtualAlloc(0,len+5,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
//将被盗字节写入网关
memcpy(网关、src、len);
//获取到目的地addy的网关
intptr_t网关相对EADDR=((intptr_t)src-(intptr_t)网关)-5;
//将jmp操作码添加到网关的末尾
*(char*)((intptr_t)网关+len)=0xE9;
//将地址添加到jmp
*(intptr_t*)((intptr_t)gateway+len+1)=gatewayRelativeAddr;
//绕道而行
绕道32(src、dst、len);
返回(char*)网关;
}
typedef int(uu stdcall*tMessageBoxA)(HWND-HWND、LPCTSTR-lpText、LPCTSTR-lpCaption、UINT-uType);
tMessageBoxA oMessageBoxA=nullptr;
int uu stdcall hkMessageBoxA(HWND HWND、LPCTSTR lpText、LPCTSTR lpCaption、UINT uType)
{
lpText=“hax0red”;
返回oMessageBoxA(hWnd、lpText、lpCaption、uType);
}
int main()
{
oMessageBoxA=(tMessageBoxA)GetProcAddress(GetModuleHandleA(“user32.dll”),“MessageBoxA”);
oMessageBoxA=(tMessageBoxA)32((char*)oMessageBoxA,(char*)hkMessageBoxA,5);
MessageBoxA(空,“正文消息”,“此处标题”,MB_OK);
返回0;
}

这称为钩子递归，要解决这个问题，你需要使用蹦床钩子

蹦床钩子和普通的 detour 类似：它先跳转到你的代码，再跳回原函数中 jmp 指令之后的地址，这样就不会一遍又一遍地执行你的代码

在本进程内部操作时不需要使用 WriteProcessMemory()，而且也不应该在钩子函数内部修改钩子本身

下面是我针对你的问题给出的解决方案，它使用了蹦床钩子，希望结合代码会更容易理解：

#include <iostream>
#include <Windows.h>

// Overwrite the first 5 bytes of src with `jmp rel32` (E9 <rel32>) to dst.
// Returns false only when len < 5; VirtualProtect failures are not detected.
// 32-bit only: the rel32 store below is an intptr_t-sized write, which is
// 8 bytes on an x64 build and would spill 3 bytes past the 5-byte jmp.
bool Detour32(char* src, char* dst, const intptr_t len)
{
    if (len < 5) return false;

    // Make the patched range writable (return value unchecked).
    DWORD  curProtection;
    VirtualProtect(src, len, PAGE_EXECUTE_READWRITE, &curProtection);

    // Numerically dst - src - 5: rel32 is relative to the end of the jmp.
    intptr_t  relativeAddress = (intptr_t)(dst - (intptr_t)src) - 5;

    *src = (char)'\xE9';
    // Unaligned, type-punned store; memcpy would be the well-defined spelling.
    *(intptr_t*)((intptr_t)src + 1) = relativeAddress;

    // Restore the previous protection; the second &curProtection is just the
    // required out-parameter and its value is discarded.
    VirtualProtect(src, len, curProtection, &curProtection);
    return true;
}

// Install a trampoline hook on src: copies the first len bytes of src into a
// fresh executable "gateway", appends `jmp src+len`, then detours src to dst.
// Returns the gateway (call it to reach the original) or 0 if len < 5.
// The gateway is never freed, VirtualAlloc's result is not checked (a NULL
// would make the memcpy below write to address 0), and Detour32's result is
// ignored. Assumes the first len bytes of src are whole, position-independent
// instructions -- nothing here disassembles or relocates them.
char* TrampHook32(char* src, char* dst, const intptr_t len)
{
    // Need room for the 5-byte jmp that Detour32 writes
    if (len < 5) return 0;

    // Create the gateway (len + 5 for the overwritten bytes + the jmp)
    void* gateway = VirtualAlloc(0, len + 5, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    // Write the stolen bytes into the gateway
    memcpy(gateway, src, len);

    // rel32 for a jmp located at gateway+len that lands on src+len:
    // (src + len) - (gateway + len + 5) == src - gateway - 5
    intptr_t  gatewayRelativeAddr = ((intptr_t)src - (intptr_t)gateway) - 5;

    // Add the jmp opcode to the end of the gateway
    *(char*)((intptr_t)gateway + len) = 0xE9;

    // Store the rel32. This is an intptr_t-sized write: 4 bytes on a 32-bit
    // build, 8 on x64, where it would run past the len + 5 bytes requested.
    *(intptr_t*)((intptr_t)gateway + len + 1) = gatewayRelativeAddr;

    // Perform the detour (bool result ignored)
    Detour32(src, dst, len);

    return (char*)gateway;
}

// Signature used to call MessageBoxA. NOTE(review): LPCTSTR follows the
// UNICODE macro (it is LPCWSTR when UNICODE is defined), but the function
// hooked is the ANSI MessageBoxA whose string parameters are LPCSTR; using
// LPCSTR here (and in hkMessageBoxA) would match on every build.
typedef int(__stdcall* tMessageBoxA)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
// Set by main(): first the real MessageBoxA, then the gateway returned by
// TrampHook32, which is what hkMessageBoxA calls through.
tMessageBoxA oMessageBoxA = nullptr;

// Hook body: ignores the caller's lpText, substitutes a fixed string, and
// forwards everything else to the original MessageBoxA through the gateway
// stored in oMessageBoxA.
int __stdcall hkMessageBoxA(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType)
{
    (void)lpText;
    return oMessageBoxA(hWnd, "hax0red", lpCaption, uType);
}

// Demo driver: resolve the real MessageBoxA, replace oMessageBoxA with the
// gateway returned by TrampHook32, then trigger the hook once.
// GetModuleHandleA/GetProcAddress results are not checked, and a 0 return
// from TrampHook32 would leave oMessageBoxA NULL.
int main()
{
    HMODULE user32 = GetModuleHandleA("user32.dll");
    tMessageBoxA realMessageBoxA = (tMessageBoxA)GetProcAddress(user32, "MessageBoxA");
    oMessageBoxA = realMessageBoxA;

    // 5 = number of prologue bytes stolen into the gateway; must cover whole
    // instructions of MessageBoxA.
    oMessageBoxA = (tMessageBoxA)TrampHook32((char*)realMessageBoxA, (char*)hkMessageBoxA, 5);

    MessageBoxA(NULL, "Body Message", "Title Here", MB_OK);

    return 0;
}
#包括
#包括
布尔绕道32(char*src、char*dst、const intptr\t len)
{
如果(len<5)返回false;
德沃德保护;
虚拟保护(src、len、PAGE\u EXECUTE\u READWRITE和curProtection);
intptr_t relativeAddress=(intptr_t)(dst-(intptr_t)src)-5;
*src=(char)'\xE9';
*(intptr_t*)((intptr_t)src+1)=相对地址;
虚拟保护(src、len、curProtection和curProtection);
返回true;
}
char*32(char*src、char*dst、const intptr\t len)
{
//确保长度大于5
如果(len<5)返回0;
//创建网关(被覆盖字节的len+5+jmp)
void*gateway=VirtualAlloc(0,len+5,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
//将被盗字节写入网关
memcpy(网关、src、len);
//获取到目的地addy的网关
intptr_t网关相对EADDR=((intptr_t)src-(intptr_t)网关)-5;
//将jmp操作码添加到网关的末尾
*(char*)((intptr_t)网关+len)=0xE9;
//将地址添加到jmp
*(intptr_t*)((intptr_t)gateway+len+1)=gatewayRelativeAddr;
//绕道而行
绕道32(src、dst、len);
返回(char*)网关;
}
typedef int(uu stdcall*tMessageBoxA)(HWND-HWND、LPCTSTR-lpText、LPCTSTR-lpCaption、UINT-uType);
tMessageBoxA oMessageBoxA=nullptr;
int uu stdcall hkMessageBoxA(HWND HWND、LPCTSTR lpText、LPCTSTR lpCaption、UINT uType)
{
lpText=“hax0red”;
返回oMessageBoxA(hWnd、lpText、lpCaption、uType);
}
int main()
{
oMessageBoxA=(tMessageBoxA)GetProcAddress(GetModuleHandleA(“user32.dll”),“MessageBoxA”);
oMessageBoxA=(tMessageBoxA)32((char*)oMessageBoxA,(char*)hkMessageBoxA,5);
MessageBoxA(空,“正文消息”,“此处标题”,MB_OK);
返回0;
}

谢谢 @guidedhack，我终于得到了可以在 64 位下工作的代码

函数已重命名为 Detour64 和 TrampHook64

#include <iostream>
#include <Windows.h>

// Overwrite the first 12 bytes of src with an absolute jump to dst:
//   48 B8 <imm64>   mov rax, dst
//   FF E0           jmp rax
// Returns false only when len < 12; VirtualProtect failures are not detected.
// RAX is clobbered; tolerable here because the jump sits at a function entry
// and RAX is not an argument register in the Win64 calling convention.
bool Detour64(char* src, char* dst, const intptr_t len)
{
    if (len < 12) return false;

    // Make the patched range writable (return value unchecked).
    DWORD  curProtection;
    VirtualProtect(src, len, PAGE_EXECUTE_READWRITE, &curProtection);

    intptr_t  absoluteAddress = (intptr_t)(dst);

    *src = (char)'\x48';
    *(src + 1) = (char)'\xb8';

    // Little-endian imm64, one byte per statement; each value is narrowed to
    // char on assignment. NOTE(review): intptr_t is signed, so for an address
    // with the top bit set the truncating '/' and '%' would produce wrong
    // bytes -- not an issue for user-mode addresses, but an unsigned type or a
    // memcpy of the pointer would be the robust spelling.
    *(src + 2) = absoluteAddress % 256;
    *(src + 3) = (absoluteAddress/256) % 256;
    *(src + 4) = (absoluteAddress/65536) % 256;
    *(src + 5) = (absoluteAddress/(65536*256)) % 256;
    *(src + 6) = (absoluteAddress/((long long)65536*65536)) % 256;
    *(src + 7) = (absoluteAddress/((long long)65536*65536*256)) % 256;
    *(src + 8) = (absoluteAddress/((long long)65536*65536*65536))%256;
    *(src + 9) = (absoluteAddress/((long long)65536*65536*65536*256)) % 256;

    // jmp rax
    *(src + 10) = (char)'\xff';
    *(src + 11) = (char)'\xe0';

    // Restore the previous protection; the second &curProtection is just the
    // required out-parameter and its value is discarded.
    VirtualProtect(src, len, curProtection, &curProtection);
    return true;
}

// 64-bit trampoline: copies the first len bytes of src into an executable
// gateway, appends `jmp [rip+0]` followed by the 8-byte absolute address
// src+len (FF 25 00 00 00 00 <addr64>, 14 bytes), then detours src to dst.
// Returns the gateway, or 0 if len < 12. The gateway is never freed,
// VirtualAlloc's result is unchecked, and Detour64's result is ignored.
// NOTE(review): the trailer written below spans offsets len .. len+13 (14
// bytes) but only len + 12 bytes are requested; VirtualAlloc rounds up to page
// granularity, which masks the overrun in practice -- the request should be
// len + 14.
// Assumes the first len bytes of src are whole, position-independent
// instructions; nothing here checks that (main passes 14 for MessageBoxA,
// which evidently held on the author's build).
char* TrampHook64(char* src, char* dst, const intptr_t len)
{
    // Need room for the 12-byte absolute jmp written by Detour64
    if (len < 12) return 0;

    // Create the gateway (intended: stolen bytes + the 14-byte jmp trailer)
    void* gateway = VirtualAlloc(0, len + 12, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    // Write the stolen bytes into the gateway
    memcpy(gateway, src, len);

    // Gateway tail jumps back to src + len, just past the detoured bytes
    intptr_t  gatewayAbsoluteAddr = (intptr_t)src+len;
    // FF 25 00000000 : jmp qword ptr [rip+0], target stored right after it
    *((char*)gateway + len) = 0xFF;
    *((char*)gateway + len + 1) = 0x25;

    *((char*)gateway + len + 2) = 0;
    *((char*)gateway + len + 3) = 0;
    *((char*)gateway + len + 4) = 0;
    *((char*)gateway + len + 5) = 0;
    // 8-byte little-endian target, one byte per statement (narrowed to char);
    // same signed-division caveat as in Detour64.
    *((char*)gateway + len + 6) = gatewayAbsoluteAddr % 256;

    *((char*)gateway + len + 7) = (gatewayAbsoluteAddr / 256) % 256;

    *((char*)gateway + len + 8) = (gatewayAbsoluteAddr / 65536) % 256;

    *((char*)gateway + len + 9) = (gatewayAbsoluteAddr / (65536 * 256)) % 256;

    *((char*)gateway + len + 10) = (gatewayAbsoluteAddr / ((long long)65536 * 65536)) % 256;

    *((char*)gateway + len + 11) = (gatewayAbsoluteAddr / ((long long)65536 * 65536 * 256)) % 256;

    *((char*)gateway + len + 12) = (gatewayAbsoluteAddr / ((long long)65536 * 65536 * 65536)) % 256;
    *((char*)gateway + len + 13) = (gatewayAbsoluteAddr / ((long long)65536 * 65536 * 65536 * 256)) % 256;

    // Perform the detour (bool result ignored)
    Detour64(src, dst, len);

    return (char*)gateway;
}

// Signature used to call MessageBoxA. NOTE(review): LPCTSTR follows the
// UNICODE macro (LPCWSTR when UNICODE is defined -- and main()'s L"" literal
// suggests it is), but the function hooked is the ANSI MessageBoxA whose
// string parameters are LPCSTR; using LPCSTR here and in hkMessageBoxA would
// remove the cast that hkMessageBoxA needs.
typedef int(__stdcall* tMessageBoxA)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
// Set by main(): first the real MessageBoxA, then the gateway returned by
// TrampHook64, which is what hkMessageBoxA calls through.
tMessageBoxA oMessageBoxA = nullptr;

// Hook body: ignores the caller's lpText, substitutes a fixed string, and
// forwards everything else to the original MessageBoxA through the gateway
// stored in oMessageBoxA. The LPCTSTR() cast exists only because the typedef
// uses LPCTSTR rather than MessageBoxA's LPCSTR; the narrow bytes still reach
// the ANSI function unchanged.
int __stdcall hkMessageBoxA(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType)
{
    (void)lpText;
    LPCTSTR replacementText = LPCTSTR("hax0red");
    return oMessageBoxA(hWnd, replacementText, lpCaption, uType);
}

// Demo driver: resolve the real MessageBoxA, replace oMessageBoxA with the
// gateway returned by TrampHook64, then trigger the hook once.
// LoadLibrary/GetProcAddress results are not checked, the module handle is
// never released, and a 0 return from TrampHook64 would leave oMessageBoxA
// NULL.
int main()
{
    HINSTANCE user32 = LoadLibrary(L"User32.dll");
    tMessageBoxA realMessageBoxA = (tMessageBoxA)GetProcAddress(user32, "MessageBoxA");
    oMessageBoxA = realMessageBoxA;

    // 14 = number of prologue bytes stolen into the gateway (>= the 12-byte
    // absolute jmp); must cover whole instructions of MessageBoxA.
    oMessageBoxA = (tMessageBoxA)TrampHook64((char*)realMessageBoxA, (char*)hkMessageBoxA, 14);

    MessageBoxA(NULL, "Body Message", "Title Here", MB_OK);

    return 0;
}

#包括
#包括
布尔绕道64(字符*src、字符*dst、常量intptr\t len)
{
如果(len<12)返回false;
德沃德保护;
虚拟保护(src、len、PAGE\u EXECUTE\u READWRITE和curProtection);
intptr_t绝对地址=(intptr_t)(dst);
*src=(char)'\x48';
*(src+1)=(char)'\xb8';
*(src+2)=绝对地址%256;
*(src+3)=(绝对地址/256)%256;
*(src+4)=(绝对地址/65536)%256;
*(src+5)=(绝对地址/(65536*256))%256;
*(src+6)=(绝对地址/((长)65536*65536))%