C++ 蹦床钩子获取简单 HWID 锁中的卷信息
我试图使用 trampoline 钩子在一个简单的 HWID 锁中钩住 GetVolumeInformationW，以返回特定的序列号值（123456789）。当我注入 DLL 时，程序立即崩溃。我试图从 Program Files (x86) 文件夹启动 HWID 锁，但它还是崩溃了。我在 Sendboxa 和 SwapBuffers 上试过蹦床钩子，效果非常好。
标签：c++, windows, hook, detours, hwid
这是 HWID 锁代码：
#include <iostream>
#include <Windows.h>
#include <tchar.h>
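/// Entry point of the sample "HWID lock": reads the volume serial number of C:\
/// and admits the user only when it equals a hard-coded value.
/// @return 0 after the welcome/rejection paths, 1 when the volume query fails.
/// The volume serial number is readable by any user and is easily altered or
/// intercepted in-process, so on its own it is a weak basis for a hardware lock.
int main()
{
    std::cout << "Checking...\n";
    TCHAR volumeName[MAX_PATH + 1] = { 0 };
    TCHAR fileSystemName[MAX_PATH + 1] = { 0 };
    DWORD serialNumber = 0;
    DWORD maxComponentLen = 0;
    DWORD fileSystemFlags = 0;
    const BOOL ok = GetVolumeInformation(
        _T("C:\\"),
        volumeName,
        ARRAYSIZE(volumeName),
        &serialNumber,
        &maxComponentLen,
        &fileSystemFlags,
        fileSystemName,
        ARRAYSIZE(fileSystemName));
    if (!ok)
    {
        // Previously this path fell off the end of main silently with status 0;
        // report the failure so a misconfigured machine is distinguishable from
        // a rejected one.
        std::cout << "Could not read volume information (error " << GetLastError() << ")." << std::endl;
        Sleep(4000);
        return 1;
    }
    // NOTE(review): roughly 16.7 minutes before the check runs -- looks like a
    // leftover debugging delay; confirm the intent before changing it.
    Sleep(1000000);
    const DWORD acceptedSerial = 123456789;
    if (serialNumber == acceptedSerial) {
        std::cout << "Welcome to my app!" << std::endl;
    }
    else {
        std::cout << "You are not in the system!" << std::endl;
        // Keep the message visible briefly before the process exits.
        Sleep(4000);
        return 0;
    }
    return 0;
}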
评论：
请先从（链接已丢失）开始。另外，请阅读（链接已丢失），因为“立即崩溃”并不是对您观察结果的充分描述。
—— 您的意思是我必须复制调试信息吗？
—— 请研究一下在 DllMain 完成之前，您可以做什么、不能做什么。我怀疑该线程正在执行不允许的操作。
—— Starter —— 请注意，这包括在 DllMain 完成之前，在该线程中执行的任何代码。
—— 好吧，至少提供一些东西，而不仅仅是您对所看到现象的解读！您怎么知道它崩溃了而不是正常完成了？您期望得到什么输出？如果您想做这种逆向工程，您需要非常熟练地使用调试器。
#include <iostream>
#include <Windows.h>
#include <tchar.h>
/// Overwrites the first 5 bytes at `src` with a relative jmp (E9 rel32) to `dst`.
/// @param src  code address to patch
/// @param dst  address the inserted jmp transfers control to
/// @param len  number of bytes the caller reserves for the patch; must be >= 5
/// @return false when len < 5, true otherwise. Neither VirtualProtect result is
///         checked, so true does not prove the page was actually made writable.
/// Changing a loaded image's code page to PAGE_EXECUTE_READWRITE and writing a
/// jmp over an exported API is the kind of in-memory modification that code
/// integrity checks and hook scanners report.
bool Detour32(char* src, char* dst, const intptr_t len)
{
// Fewer than 5 bytes cannot hold the jmp opcode plus its 32-bit displacement.
if (len < 5) return false;
DWORD curProtection;
// Make the patched range writable; the previous protection is saved for restoration below.
VirtualProtect(src, len, PAGE_EXECUTE_READWRITE, &curProtection);
// The displacement is measured from the end of the 5-byte jmp instruction.
intptr_t relativeAddress = (intptr_t)(dst - (intptr_t)src) - 5;
*src = (char)'\xE9';
*(intptr_t*)((intptr_t)src + 1) = relativeAddress;
// Put the original protection back.
VirtualProtect(src, len, curProtection, &curProtection);
return true;
}
/// Builds a "gateway" (trampoline) for `src`: copies the first `len` bytes of
/// src into a freshly allocated RWX region, appends a jmp back to src + len,
/// then calls Detour32 so that src itself jumps to dst.
/// @param src  function being hooked
/// @param dst  replacement function
/// @param len  number of bytes copied from src; must be >= 5
/// @return pointer to the gateway (callable in place of the original), or 0 when len < 5.
/// The gateway allocation is never released and the VirtualAlloc result is used
/// without a null check. Private executable memory that is not backed by an
/// image file is a common signal used by in-process hook detection.
char* TrampHook32(char* src, char* dst, const intptr_t len)
{
// Reject lengths that cannot hold a 5-byte jmp.
if (len < 5) return 0;
// Create the gateway (len + 5 for the overwritten bytes + the jmp)
void* gateway = VirtualAlloc(0, len + 5, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
//Write the stolen bytes into the gateway
memcpy(gateway, src, len);
// Displacement for the jmp placed at gateway + len so that it lands on src + len
// (the two len terms cancel, leaving src - gateway - 5).
intptr_t gatewayRelativeAddr = ((intptr_t)src - (intptr_t)gateway) - 5;
// Add the jmp opcode to the end of the gateway
*(char*)((intptr_t)gateway + len) = 0xE9;
// Add the displacement after the opcode
*(intptr_t*)((intptr_t)gateway + len + 1) = gatewayRelativeAddr;
// Perform the detour
Detour32(src, dst, len);
return (char*)gateway;
}
// Signature of kernel32!GetVolumeInformationW, used both for the resolved
// export and for the gateway pointer returned by TrampHook32.
typedef BOOL(__stdcall* tGetVolumeInformation)
(
LPCWSTR lpRootPathName,
LPWSTR lpVolumeNameBuffer,
DWORD nVolumeNameSize,
LPDWORD lpVolumeSerialNumber,
LPDWORD lpMaximumComponentLength,
LPDWORD lpFileSystemFlags,
LPWSTR lpFileSystemNameBuffer,
DWORD nFileSystemNameSize
);
// Entry used by hkGetVolumeInformation to reach the original code; stays
// nullptr until Thread assigns it.
tGetVolumeInformation oGetVolumeInformation = nullptr;
/// Replacement for GetVolumeInformationW installed by Thread. Stores the literal
/// 0x123456789 through lpVolumeSerialNumber, then forwards every argument
/// unchanged to oGetVolumeInformation and returns whatever it returns.
/// Parameters and return value mirror GetVolumeInformationW.
BOOL __stdcall hkGetVolumeInformation
(
LPCWSTR lpRootPathName,
LPWSTR lpVolumeNameBuffer,
DWORD nVolumeNameSize,
LPDWORD lpVolumeSerialNumber,
LPDWORD lpMaximumComponentLength,
LPDWORD lpFileSystemFlags,
LPWSTR lpFileSystemNameBuffer,
DWORD nFileSystemNameSize
)
{
// Written before the original is invoked with the same output pointer.
*lpVolumeSerialNumber = 0x123456789;
return oGetVolumeInformation
(
lpRootPathName,
lpVolumeNameBuffer,
nVolumeNameSize,
lpVolumeSerialNumber,
lpMaximumComponentLength,
lpFileSystemFlags,
lpFileSystemNameBuffer,
nFileSystemNameSize
);
}
/// Worker thread started from DllMain: opens a console, installs the hook on
/// kernel32!GetVolumeInformationW, calls GetVolumeInformation once to print the
/// serial number observed through the hook, then tears the console down.
/// @param hModule  this DLL's module handle (received but not used)
/// @return 0
/// The hook is left in place when this thread exits; nothing in this file
/// removes it or frees the gateway.
DWORD WINAPI Thread(HMODULE hModule)
{
//Create Console
AllocConsole();
FILE* f;
freopen_s(&f, "CONOUT$", "w", stdout);
std::cout << "HWID Unlock\n";
// Hook: first resolve the real export, then replace the pointer with the
// gateway so later calls through oGetVolumeInformation reach the original code.
oGetVolumeInformation = (tGetVolumeInformation)GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetVolumeInformationW");
oGetVolumeInformation = (tGetVolumeInformation)TrampHook32((char*)oGetVolumeInformation, (char*)hkGetVolumeInformation, 5);
TCHAR volumeName[MAX_PATH + 1] = { 0 };
TCHAR fileSystemName[MAX_PATH + 1] = { 0 };
DWORD serialNumber = 0;
DWORD maxComponentLen = 0;
DWORD fileSystemFlags = 0;
// Same query the lock program makes; its return value is not checked here.
GetVolumeInformation(_T("C:\\"), volumeName, ARRAYSIZE(volumeName), &serialNumber, &maxComponentLen, &fileSystemFlags, fileSystemName, ARRAYSIZE(fileSystemName));
std::cout << serialNumber << std::endl;
// Release the console resources opened above.
fclose(f);
FreeConsole();
return 0;
}
/// DLL entry point. On DLL_PROCESS_ATTACH it starts `Thread` and immediately
/// closes the thread handle (the thread keeps running); every other reason is
/// a no-op. The DLL_PROCESS_ATTACH case has no `break` and falls through into
/// the following labels, which only break, so the fallthrough is harmless.
/// @param hModule            this DLL's module handle, passed on to Thread
/// @param ul_reason_for_call loader notification reason
/// @param lpReserved         unused
/// @return TRUE always, so the load is never refused.
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
// Handle closed right away; the thread is not joined or tracked afterwards.
CloseHandle(CreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)Thread, hModule, 0, nullptr));
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}