Windows 我可以在链接库中钩住函数吗? 使用EasyHook,我成功地钩住了各种C++类的导出函数和已知的VTABLE函数。在所有这些情况下,目标程序都使用了DLL
如果我知道一个函数入口点的地址,当一个库链接到目标程序中而不是作为一个单独的库时,是否也可以这样做?看起来,您可以钩住任何地址可计算的子例程 在我的例子中,挂接静态链接的SSL_读取和SSL_写入就像用我最喜欢的调试器识别偏移量,然后安装挂接一样简单Windows 我可以在链接库中钩住函数吗? 使用EasyHook,我成功地钩住了各种C++类的导出函数和已知的VTABLE函数。在所有这些情况下,目标程序都使用了DLL,windows,hook,code-injection,easyhook,Windows,Hook,Code Injection,Easyhook,如果我知道一个函数入口点的地址,当一个库链接到目标程序中而不是作为一个单独的库时,是否也可以这样做?看起来,您可以钩住任何地址可计算的子例程 在我的例子中,挂接静态链接的SSL_读取和SSL_写入就像用我最喜欢的调试器识别偏移量,然后安装挂接一样简单 // delegate for EasyHook: [UnmanagedFunctionPointer(CallingConvention.Cdecl, SetLastError = true, CharSet = CharSet.Ans
// delegate for EasyHook:
[UnmanagedFunctionPointer(CallingConvention.Cdecl,
SetLastError = true, CharSet = CharSet.Ansi)]
delegate Int32 SLL_readDelegate(IntPtr SSL_ptr, IntPtr buffer, Int32 length);
// import SSL_read (I actually did it manually, but this will work in most cases)
/* proto from ssl_lib.c -> int SSL_read(SSL *s,void *buf,int num) */
[DllImport("ssleay32.dll", SetLastError = true)]
public static extern Int32 SSL_read(IntPtr ssl, IntPtr buffer, Int32 len);
// the new routine
static Int32 SSL_readCallback(IntPtr SSL_ptr, IntPtr buffer, Int32 length)
{
/* call the imported SSL_read */
int ret = SSL_read(SSL_ptr, buffer, length);
/* TODO: your code here, e.g:
* string log_me = Marshal.PtrToString(buffer, ret);
*/
return ret;
}
现在只剩下安装挂钩了:
private LocalHook sslReadHook;
public void Run(RemoteHooking.IContext InContext, String InArg1)
{
// ... initialization code omitted for brevity
/* the value for ssl_read_addr is made up in this example
* you'll need to study your target and how it's loaded(?) to
* identify the addresses you want to hook
*/
int ssl_read_addr = 0x12345678; /* made up for examples sake */
sslReadHook = LocalHook.Create(new IntPtr(ssl_read_addr),
new SSL_readDelegate(SSL_readCallback), this);
// ...
}
我应该提到,在本例中,您需要libeay32.dll和ssleay32.dll,因为后者依赖于前者
钓得开心