C++ 蹦床钩获取简单HWID锁上的体积信息

C++ 蹦床钩获取简单HWID锁上的体积信息,c++,windows,hook,detours,hwid,C++,Windows,Hook,Detours,Hwid,我试图使用trampoline钩子在一个简单的HWID锁上钩住GetVolumeInformationW,以返回序列号(123456789)的特定值。当我插入dll时,程序立即崩溃。我试图从programs 86文件夹启动hwid lock,但它还是崩溃了。我在Sendboxa和SwapBuffers上试过蹦床钩,效果非常好。 这是HWID锁代码 #include <iostream> #include <Windows.h> #include <tchar.h&g

我试图使用 trampoline 钩子在一个简单的 HWID 锁上钩住 GetVolumeInformationW,以使其返回特定的序列号值(123456789)。当我注入 DLL 时,程序立即崩溃。我试图从 Program Files (x86) 文件夹启动 HWID lock,但它还是崩溃了。我在 Sendboxa 和 SwapBuffers 上试过蹦床钩子,效果非常好。 这是 HWID 锁代码

#include <iostream>
#include <Windows.h>
#include <tchar.h>

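// Minimal "HWID lock": reads the volume serial number of C:\ and admits the
// user only when it equals a hard-coded value.
//
// Exit status: 0 when the serial matches, 1 when the volume query fails or the
// serial is rejected. (The original returned 0 on every path, so a launcher
// could not tell a rejection or a failed query from success.)
//
// Risk note: a volume serial number is a weak identifier. It is a single
// DWORD read through a user-mode API in the same process, so it can be
// altered on disk or intercepted in-process (this page shows an attempt at
// the latter); do not use it as the sole gate for anything that matters.
int main()
{
    std::cout << "Checking...\n";
    TCHAR volumeName[MAX_PATH + 1] = { 0 };
    TCHAR fileSystemName[MAX_PATH + 1] = { 0 };
    DWORD serialNumber = 0;
    DWORD maxComponentLen = 0;
    DWORD fileSystemFlags = 0;
    if (!GetVolumeInformation(
        _T("C:\\"),
        volumeName,
        ARRAYSIZE(volumeName),
        &serialNumber,
        &maxComponentLen,
        &fileSystemFlags,
        fileSystemName,
        ARRAYSIZE(fileSystemName)
    ))
    {
        // Previously this case fell off the end silently with status 0.
        std::cout << "Could not query volume information (error "
                  << GetLastError() << ")" << std::endl;
        return 1;
    }

    // NOTE(review): 1000-second pause kept from the original; presumably a
    // deliberate window for attaching tools while testing — confirm before
    // shipping, it is not part of the check itself.
    Sleep(1000000);

    constexpr DWORD acceptedSerial = 123456789;
    if (serialNumber != acceptedSerial) {
        std::cout << "You are not in the system!" << std::endl;
        Sleep(4000);
        return 1;
    }

    std::cout << "Welcome to my app!" << std::endl;
    return 0;
}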
#包括
#包括
#包括
int main()
{

请先从[链接]开始。另外,请阅读[链接],因为"立即崩溃"不是对您观察结果的充分描述。
您的意思是我必须复制调试信息吗?
在 DllMain 完成之前,研究一下您可以做什么和不能做什么。我怀疑该线程正在执行不允许的操作。Starter——请注意,这包括在 DllMain 完成之前、在该线程中执行的代码。
好吧,至少要有些东西,不仅仅是你对所看到的东西的解释!你怎么知道它崩溃了而不是成功完成?你期望得到什么输出?如果你想做这种逆向工程,你需要非常熟练地使用调试器。
请从[链接]开始。另外,阅读[链接],因为"立即崩溃"不是对您的观察结果的充分描述。
您的意思是我必须复制调试信息吗?
在 DllMain 完成之前,研究一下您可以做什么和不能做什么。我怀疑该线程正在执行不允许的操作。Starter——请注意,这包括在 DllMain 完成之前、在该线程中执行的代码。
好吧,至少要有些东西,不仅仅是你对所看到的东西的解释!你怎么知道它崩溃了而不是成功完成?你期望得到什么输出?如果你想做这种逆向工程,你需要非常熟悉使用调试器。
#include <iostream>
#include <Windows.h>
#include <tchar.h>


// Overwrites the start of `src` with a jump to `dst`.
//
// Params: src - code address whose first `len` bytes are overwritten;
//         dst - jump target; len - byte count the caller says may be clobbered.
// Returns false (and writes nothing) when len < 5, true otherwise.
// Note: neither VirtualProtect result is checked, so a failed protection
// change is not reported and the writes below are attempted regardless.
// Detection note: patching the prologue of a loaded function in place is the
// classic inline-hook artifact; integrity checks that compare a function's
// first bytes against the on-disk image, and hook scanners in EDR products,
// look for exactly this.
bool Detour32(char* src, char* dst, const intptr_t len)
{
    if (len < 5) return false;

    DWORD  curProtection;
    // Make the patched range writable; the previous protection is saved in
    // curProtection and restored after the writes.
    VirtualProtect(src, len, PAGE_EXECUTE_READWRITE, &curProtection);

    // Displacement from the end of a 5-byte jump placed at src to dst.
    intptr_t  relativeAddress = (intptr_t)(dst - (intptr_t)src) - 5;

    *src = (char)'\xE9';   // jmp opcode
    // Writes relativeAddress (an intptr_t) starting at src + 1.
    *(intptr_t*)((intptr_t)src + 1) = relativeAddress;

    VirtualProtect(src, len, curProtection, &curProtection);
    return true;
}

// Builds a "gateway" that holds a copy of the first `len` bytes of `src`
// followed by a jump back into `src`, then redirects `src` to `dst` through
// Detour32.
//
// Params: src - function being redirected; dst - replacement; len - number of
//         bytes copied out of src (must be >= 5).
// Returns the gateway address, or 0 when len < 5.
// Note: the VirtualAlloc result is not null-checked before memcpy writes into
// it, and Detour32's return value is discarded.
// Detection note: a private PAGE_EXECUTE_READWRITE allocation that is then
// filled with copied code, combined with the in-place patch Detour32 makes,
// are the two artifacts memory scanners typically flag.
char* TrampHook32(char* src, char* dst, const intptr_t len)
{
    // Make sure the length is greater than 5
    if (len < 5) return 0;

    // Create the gateway (len + 5 for the overwritten bytes + the jmp)
    void* gateway = VirtualAlloc(0, len + 5, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    //Write the stolen bytes into the gateway
    memcpy(gateway, src, len);

    // Displacement for the jump placed at gateway + len, computed as
    // src - gateway - 5; with a 5-byte jump this is meant to continue at
    // src + len, i.e. just past the bytes that were copied out.
    intptr_t  gatewayRelativeAddr = ((intptr_t)src - (intptr_t)gateway) - 5;

    // Add the jmp opcode to the end of the gateway
    *(char*)((intptr_t)gateway + len) = 0xE9;

    // Writes gatewayRelativeAddr (an intptr_t) starting at gateway + len + 1.
    *(intptr_t*)((intptr_t)gateway + len + 1) = gatewayRelativeAddr;

    // Perform the detour (return value ignored)
    Detour32(src, dst, len);

    return (char*)gateway;
}

// Signature of GetVolumeInformationW as a __stdcall function pointer. After
// Thread() installs the hook this alias is used for the gateway pointer, i.e.
// the copied prologue plus jump-back, not the export itself.
using tGetVolumeInformation = BOOL(__stdcall*)(
    LPCWSTR lpRootPathName,
    LPWSTR  lpVolumeNameBuffer,
    DWORD   nVolumeNameSize,
    LPDWORD lpVolumeSerialNumber,
    LPDWORD lpMaximumComponentLength,
    LPDWORD lpFileSystemFlags,
    LPWSTR  lpFileSystemNameBuffer,
    DWORD   nFileSystemNameSize);

// Gateway pointer used by hkGetVolumeInformation; null until Thread() sets it.
tGetVolumeInformation oGetVolumeInformation = nullptr;

// Replacement that Thread() redirects GetVolumeInformationW to.
//
// Stores the literal 0x123456789 through lpVolumeSerialNumber, then forwards
// every argument unchanged to the original routine through the gateway
// pointer oGetVolumeInformation and returns whatever that call returns.
// All parameters mirror GetVolumeInformationW; none are validated here.
BOOL __stdcall hkGetVolumeInformation
(
    LPCWSTR lpRootPathName,
    LPWSTR  lpVolumeNameBuffer,
    DWORD   nVolumeNameSize,
    LPDWORD lpVolumeSerialNumber,
    LPDWORD lpMaximumComponentLength,
    LPDWORD lpFileSystemFlags,
    LPWSTR  lpFileSystemNameBuffer,
    DWORD   nFileSystemNameSize
)
{

    *lpVolumeSerialNumber = 0x123456789;

    // Tail call into the gateway; its result is returned as-is.
    return oGetVolumeInformation
    (
        lpRootPathName, 
        lpVolumeNameBuffer, 
        nVolumeNameSize, 
        lpVolumeSerialNumber, 
        lpMaximumComponentLength, 
        lpFileSystemFlags, 
        lpFileSystemNameBuffer, 
        nFileSystemNameSize
    );
}

// Worker started from DllMain. Opens a console, resolves GetVolumeInformationW
// from Kernel32.dll, installs the trampoline with a 5-byte patch length, then
// calls GetVolumeInformation once itself and prints the serial it receives
// before tearing the console down.
//
// Params: hModule - the DLL's own module handle; passed in but not used here.
// Returns 0 always.
// Note: GetModuleHandleA/GetProcAddress results are not null-checked before
// being handed to TrampHook32.
DWORD WINAPI Thread(HMODULE hModule)
{
    //Create Console
    AllocConsole();
    FILE* f;
    // Redirect stdout to the new console so std::cout output is visible.
    freopen_s(&f, "CONOUT$", "w", stdout);

    std::cout << "HWID Unlock\n";

    // Hook: first resolve the real export, then replace the global with the
    // gateway address returned by TrampHook32 so the hook can call through.
    oGetVolumeInformation = (tGetVolumeInformation)GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetVolumeInformationW");

    oGetVolumeInformation = (tGetVolumeInformation)TrampHook32((char*)oGetVolumeInformation, (char*)hkGetVolumeInformation, 5);

    // Self-test: query C:\ through the (possibly hooked) API and print the
    // serial. NOTE(review): GetVolumeInformation is the TCHAR macro, so which
    // variant (A or W) this call reaches depends on the build's UNICODE
    // setting — confirm it is the W variant that was hooked above.
    TCHAR volumeName[MAX_PATH + 1] = { 0 };
    TCHAR fileSystemName[MAX_PATH + 1] = { 0 };
    DWORD serialNumber = 0;
    DWORD maxComponentLen = 0;
    DWORD fileSystemFlags = 0;
    GetVolumeInformation(_T("C:\\"), volumeName, ARRAYSIZE(volumeName), &serialNumber, &maxComponentLen, &fileSystemFlags, fileSystemName, ARRAYSIZE(fileSystemName));
    std::cout << serialNumber << std::endl;
    // end of self-test

    fclose(f);
    FreeConsole();
    return 0;
}

// DLL entry point. On DLL_PROCESS_ATTACH it starts Thread() on a new thread
// and immediately closes the thread handle; the other reasons do nothing.
// Always returns TRUE.
//
// Note: the DLL_PROCESS_ATTACH case has no `break`, so control falls through
// the remaining labels; they only `break`, so this is harmless today but
// fragile if a later case gains a body.
// Note: CreateThread's return value goes straight to CloseHandle, so a failed
// thread creation (NULL) is never noticed. Thread() takes an HMODULE rather
// than LPVOID; the C-style cast to LPTHREAD_START_ROUTINE hides that mismatch.
// NOTE(review): the new thread is created here but, as the page's comments
// point out, work done before DllMain returns is constrained by the loader
// lock — presumably the thread body only proceeds once this function exits;
// confirm in a debugger.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        CloseHandle(CreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)Thread, hModule, 0, nullptr));
        // falls through
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}