C++ Detours 3.0 hooking GetProcAddress()
Tags: c++, hook, detours

Question

I am using: MS VS 10, Detours v3.0 Express. Full source of the DLL:
#include <windows.h>
#include <fstream>      // added: ofstream and ios are declared here
#include <detours.h>

using namespace std;   // added: the original uses unqualified ofstream/ios/endl

ofstream prclist;
#pragma comment(lib, "detours.lib")

// Trampoline pointer: after DetourAttach() this points at the original GetProcAddress.
FARPROC (WINAPI *pGetProcAddress)(HMODULE hModule, LPCSTR lpProcName) = GetProcAddress;

FARPROC WINAPI myGetProcAddress(HMODULE hModule, LPCSTR lpProcName)
{
    prclist << lpProcName << endl; // <- ACCESS_VIOLATION READ
    return pGetProcAddress(hModule, lpProcName);
}

BOOL APIENTRY DllMain(HINSTANCE hDLL, DWORD reason, LPVOID reserved)
{
    switch (reason)
    {
    case DLL_PROCESS_ATTACH:
    {
        prclist.open("proclst.log", ios::out | ios::app);
        DisableThreadLibraryCalls(hDLL);
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)pGetProcAddress, myGetProcAddress);
        DetourTransactionCommit();
        break;
    }
    case DLL_PROCESS_DETACH:
    {
        // Detach first, then close the log, so a late GetProcAddress call
        // during unload does not hit a closed stream.
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID&)pGetProcAddress, myGetProcAddress);
        DetourTransactionCommit();
        prclist.close();
        break;
    }
    }
    return TRUE;
}
Answer

See my comment. It looks like you only need to test whether the stream is open before the insertion operator. Also, from the reference page, for lpProcName:

"The function or variable name, or the function's ordinal value. If this parameter is an ordinal value, it must be in the low-order word; the high-order word must be zero."

This means it may not be a pointer to a string at all, but the replacement function always treats it as one. This is likely the cause of the access violation, as it would use an integer value (182, for example) as the starting memory address of a null-terminated string.

To correct:
// High-order word non-zero: a real pointer to a NUL-terminated name.
if (HIWORD(lpProcName))
{
    prclist << "name: " << lpProcName << std::endl;
}
else
{
    // High-order word zero: the low-order word is the export ordinal.
    // DWORD_PTR keeps the pointer-to-integer cast well-formed on x64 too.
    prclist << "ordinal: " << reinterpret_cast<DWORD_PTR>(lpProcName) << std::endl;
}
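An added example (not part of the question or the answer above, and not Detours code) of the name-versus-ordinal test the hook needs before it dereferences lpProcName. It is written without <windows.h> so it builds and runs anywhere: LPCSTR is re-declared as a local typedef, make_ordinal() stands in for MAKEINTRESOURCEA(), and the hook body is modelled by describe_proc_name(), which returns the log line instead of writing to the ofstream. It goes slightly beyond the answer's HIWORD() check: the full-width shift is the test IS_INTRESOURCE() uses, which equals HIWORD() == 0 on 32-bit Windows (where Detours 3.0 Express runs) and stays correct on 64-bit, where HIWORD() only inspects bits 16..31 of the pointer.

```cpp
// Added example: deciding whether a GetProcAddress lpProcName argument is a
// string pointer or a packed ordinal, without touching memory until we know.
// Windows types are assumed/re-declared locally so this compiles off-Windows.
#include <cstdint>
#include <iostream>
#include <sstream>
#include <string>

typedef const char* LPCSTR_t;   // stand-in for LPCSTR (assumption)

// Same rule as IS_INTRESOURCE(): an ordinal lives in the low 16 bits and every
// bit above it is zero. On 32-bit this is exactly HIWORD(lpProcName) == 0;
// on 64-bit the full-width shift is needed because HIWORD() ignores bits 32..63.
bool is_ordinal(LPCSTR_t lpProcName)
{
    return (reinterpret_cast<std::uintptr_t>(lpProcName) >> 16) == 0;
}

// Mirrors MAKEINTRESOURCEA(): packs an ordinal into the pointer-typed argument
// exactly the way a caller of GetProcAddress(hMod, MAKEINTRESOURCEA(182)) does.
LPCSTR_t make_ordinal(unsigned ordinal)
{
    return reinterpret_cast<LPCSTR_t>(static_cast<std::uintptr_t>(ordinal & 0xFFFFu));
}

// The log line the hook should produce. The argument is only read as a C string
// after the null and ordinal cases have been ruled out, so an integer payload
// such as 182 is never used as a memory address.
std::string describe_proc_name(LPCSTR_t lpProcName)
{
    std::ostringstream out;
    if (lpProcName == nullptr) {
        out << "null";   // GetProcAddress would fail; the hook must not crash first
    } else if (is_ordinal(lpProcName)) {
        out << "ordinal: " << (reinterpret_cast<std::uintptr_t>(lpProcName) & 0xFFFFu);
    } else {
        out << "name: " << lpProcName;
    }
    return out.str();
}

int main()
{
    // Constructed inputs: a by-name lookup as seen in proclst.log, a by-ordinal
    // lookup like the one the answer describes, and a null argument.
    std::cout << describe_proc_name("DecodePointer") << "\n";
    std::cout << describe_proc_name(make_ordinal(182)) << "\n";
    std::cout << describe_proc_name(nullptr) << "\n";
    return 0;
}
```

Inside a real hook, describe_proc_name() is what goes between the stream-is-open check and the call through the trampoline; the ordinal branch is the one the original myGetProcAddress() was missing.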
Comments

Can you catch the AV in the debugger and examine the call stack etc.?

Sorry, this code did not cause the error, I forgot to add: *prclist. I updated the source. Result: proclst.log
...DecodePointer
DecodePointer
DecodePointer
DecodePointer
DecodePointer
DecodePointer
DecodePointer
DecodePointer
DecodePointer
DecodePointer
IsDebuggerPresent
This application has encountered a critical error: Program: Exception: 0xC0000005 (ACCESS_VIOLATION) at 001B:604DD950. The instruction at "0x604DD950" referenced memory at "0x00000068". The memory could not be "read". Press OK to terminate the application.

That helps. The code is dereferencing an object pointer to read a member. The pointer is null and the member is at a 104-byte offset, which causes the read to fail at 0x00000068.

@DOLBOEB: ... Explicitly check the high-order word.