[求助]在劫持DLL过程中如何取得函数的参数
楼上我的这个申明在VC6编译通不过 //int (__stdcall *WSARecvFrom1)(SOCKET,WSABUF *,DWORD,LPDWORD,LPDWORD,struct sockaddr FAR *,_OVERLAPPED *,LPWSAOVERLAPPED_COMPLETION_ROUTINE ); 黑体部分编译错,这个东东不知道该如何如何写,也没找到类型申明. 编译信息: D:\源代码source\看雪下载 ws2_32\ws2_32.cpp(23) : error C2199: syntax error : found 'int (' at global scope (was a declaration intended?) |
[求助]在劫持DLL过程中如何取得函数的参数
因为不太懂汇编,所以我把接收发送数据的函数单独搞出来 希望各位大哥指教. 同样是调用相同写包的函数,在send函数中调用包写文件函数的时候容易出错,比如测试时候导致IE经常出错. 不知道icersg老大能否也把你的代码贴上来,以供我等新手学习参考下. CPP源文件我增加的部分代码 另外我增加处理的几个函数用def文件导出函数名,同时需要把源文件下面的#pragma comment相应的函数申明注释掉.
// NOTE(review): the globals used below (g_wbs_fp, wbs_DataFile, g_packet_number,
// g_Targetcode, g_position, Max_Data_Len, m_dwReturn, proc) and the helpers
// isTarget() and Free() are defined elsewhere in the file and are not visible here.
// Pointers to the real ws2_32 exports; DllMain below fills them in via GetProcAddress.
int (__stdcall *sendto1)(SOCKET,const char FAR *,int,int,const struct sockaddr FAR *,int);
//int (__stdcall *recvfrom1)(SOCKET,char FAR*,int,int,struct sockaddr FAR*,int FAR*);
int (__stdcall *recvfrom1)(SOCKET,char FAR*,int,int,struct sockaddr FAR*,int FAR*);
int (__stdcall *recv1)(SOCKET ,char FAR * ,int ,int );
int (__stdcall *send1)(SOCKET ,const char FAR * ,int ,int);
//int (__stdcall *WSARecvFrom1)(SOCKET,WSABUF *,DWORD,LPDWORD,LPDWORD,struct sockaddr FAR *,_OVERLAPPED *,LPWSAOVERLAPPED_COMPLETION_ROUTINE *);

// Opens the capture log (wbs_DataFile, append-text mode) the first time it is
// needed and leaves the handle in g_wbs_fp. The file is never closed here: the
// fclose lines are commented out, so the handle lives for the process lifetime.
// On failure a message box is shown and g_wbs_fp stays NULL.
void wbs_openfile_b(void)
{
    //if (g_wbs_fp!=NULL) fclose(g_wbs_fp);
    //g_wbs_fp=NULL;
    if (g_wbs_fp==NULL) g_wbs_fp=fopen(wbs_DataFile,"at");
    if (g_wbs_fp==NULL)
    {
        MessageBox(NULL,"打开文件失败","wbs_openfile_b",0);
    }
}

// Writes one packet record to pf: a caption line (running packet number, the
// caller-supplied header text and g_Targetcode), then a hex dump of at most
// Max_Data_Len bytes of pdata, 16 bytes per row, each row prefixed by the
// global row counter g_position and followed by a raw "text" column.
// Side effects: increments g_packet_number once and g_position once per row;
// calls isTarget(GetCurrentProcess()) (defined elsewhere).
void PrintData_header(FILE *pf, BYTE FAR *pdata,int len,char * header)
{
    int i,i_16;
    int size;
    // NOTE(review): this declares an array of 16 char* (pointers), not a
    // 16-character buffer; the memcpy and the "%s" below treat it as bytes.
    // Only element 0 is initialised (to a pointer to " ").
    char * temp_buf[16]={" "};
    i_16=0;
    size = len;
    g_packet_number=g_packet_number+1;
    // Check whether this is the target program; writes the target's
    // signature g_Targetcode into the file.
    isTarget(GetCurrentProcess());
    fprintf(pf,"p:=%6d %s 特征码:%08xh\n",g_packet_number,header,g_Targetcode);
    if(size>Max_Data_Len) size=Max_Data_Len;
    for(i=0;i<size;i++)
    {
        // Hex formatting; i_16 is the column (0..15) within the current row.
        switch (i_16)
        {
        case 0:
        {
            fprintf(pf,"%08xh ",g_position); // write the row number
            fprintf(pf,"%02x ",pdata[i]);
            //memcpy(&temp_buf[i_16],"0",1);
            // NOTE(review): copies 16 bytes from pdata[i] regardless of how
            // many bytes remain (size - i may be smaller than 16), and the
            // copy is never NUL-terminated.
            memcpy(temp_buf,&pdata[i],16);
            g_position=g_position+1;
            i_16=i_16+1; // keep at the end of the CASE
            break;
        }
        case 15:
        {
            fprintf(pf,"%02x ",pdata[i]); // the last byte gets 4 spaces
            // write the TEXT column
            //memcpy(&temp_buf[i_16],"q",1);
            //memcpy(&temp_buf[i_16],&pdata[i],1);
            // NOTE(review): "%s" prints the copied bytes as-is, stops at the
            // first 0x00 byte and otherwise reads on past the 16 copied bytes;
            // non-printable bytes reach the log unfiltered.
            fprintf(pf,"%s",temp_buf);
            fprintf(pf,"\n"); // 16 bytes written, start a new row
            i_16=0; // keep at the end of the CASE: row is full, reset
            break;
        }
        default :
        {
            fprintf(pf,"%02x ",pdata[i]);
            //memcpy(&temp_buf[i_16],&pdata[i],1);
            //memcpy(temp_buf[i_16],"d",1);
            i_16=i_16+1; // keep at the end of the CASE
            break;
        }
        }// end switch
    }// end for
    // NOTE(review): i_16 is 0 after a complete row, so a dump whose length is a
    // multiple of 16 prints the last row's text column a second time, while a
    // final partial row of exactly 15 bytes prints none; "!=0" looks like the
    // intended test.
    if (i_16!=15) fprintf(pf," %s",temp_buf);
    fprintf(pf,"\n");
}

// Appends up to size bytes from p to the capture log under the caption header.
// Returns size unchanged; a size <= 0 returns immediately without opening the
// file, and a NULL g_wbs_fp (open failure) silently skips the write.
int wbs_SaveSendData(int socket, char *p, int size,char * header)
{
    if(size<=0) return size;
    wbs_openfile_b();
    if(g_wbs_fp!=NULL)
    {
        //fprintf(g_wbs_fp,"call recv, used socket=%d,len:%d\n",socket,size);
        PrintData_header(g_wbs_fp,(BYTE *)p,size,header);
    }
    return size;
}

////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Entry point
// On DLL_PROCESS_ATTACH allocates one TLS slot per element of m_dwReturn; on
// DLL_PROCESS_DETACH frees them and calls Free(). The LoadLibrary/GetProcAddress
// block sits after the if/else, so it runs for every dwReason, including
// DETACH. Neither h_dll nor proc is checked for NULL, so a missing library or
// export leaves the corresponding function pointer NULL.
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, PVOID pvReserved)
{
    HINSTANCE h_dll;
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        DisableThreadLibraryCalls(hModule);
        // sizeof(m_dwReturn)/sizeof(DWORD): element count of the DWORD array m_dwReturn
        for (INT i = 0; i < sizeof(m_dwReturn) / sizeof(DWORD); i++)
        {
            m_dwReturn[i] = TlsAlloc();
        }
    }
    else if (dwReason == DLL_PROCESS_DETACH)
    {
        for (INT i = 0; i < sizeof(m_dwReturn) / sizeof(DWORD); i++)
        {
            TlsFree(m_dwReturn[i]);
        }
        Free();
    }
    // Hard-coded absolute path; the relative alternative below is commented out.
    h_dll=LoadLibrary("c:\\winnt\\system32\\ws2_32.dll");
    //h_dll=LoadLibrary("ws2_32_1.dll");
    proc=GetProcAddress(h_dll,"sendto");
    sendto1=(int (__stdcall *)(SOCKET,const char FAR *,int,int,const struct sockaddr FAR *,int))proc;
    proc=GetProcAddress(h_dll,"recvfrom");
    recvfrom1=(int (__stdcall *)(SOCKET,char FAR*,int,int,struct sockaddr FAR*,int FAR*))proc;
    proc=GetProcAddress(h_dll,"recv");
    // _stdcall (one underscore) here versus __stdcall in the declarations above:
    // the same MSVC calling-convention keyword, spelled inconsistently.
    recv1=(int (_stdcall *)(SOCKET ,char FAR * ,int ,int ))proc;
    proc=GetProcAddress(h_dll,"send");
    send1=(int (_stdcall *)(SOCKET ,const char FAR * ,int ,int ))proc;
    //proc=GetProcAddress(h_dll,"WSARecv");
    //WSARecv1=(int (_stdcall *)(SOCKET,LPWSABUF,DWORD,DWORD,LPWSAOVERLAPPED,LPWSAOVERLAPPED_COMPLETION_ROUTINE))proc;
    return TRUE;
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////////////////////////
/////////////// wbs: start of handling ws2_32.dll send/receive functions /////////////

// Forwards to the real sendto, then logs len bytes of buf with a caption.
// rc is returned unchanged and is not inspected before logging.
int PASCAL FAR sendto(SOCKET s,const char FAR * buf,int len,int flags,const struct sockaddr FAR * to,int tolen)
{
    int rc;
    // NOTE(review): s_len is an array of 6 char* used as a string buffer by the
    // wsprintf below; on a 32-bit build that is 24 bytes, and the caption text
    // plus the formatted number and terminator exceeds it once len has a few
    // digits, overrunning the stack. The same pattern repeats in recvfrom, recv
    // and send below.
    char * s_len[6];
    rc=sendto1(s,buf,len,flags,to,tolen);
    {
        wsprintf((char *)s_len,"function sendto size:=%d",len);
        wbs_SaveSendData((int)s, (char *)buf, len,(char *)s_len);
    }
    return rc;
}

// Forwards to the real recvfrom, then logs len bytes of buf with a caption.
// NOTE(review): len is the caller's buffer size, not rc (the byte count the
// call actually produced), so bytes past rc are whatever the buffer already held.
int PASCAL FAR recvfrom (SOCKET s,char FAR* buf,int len,int flags,struct sockaddr FAR* from,int FAR* fromlen)
{
    int rc;
    char * s_len[6]; // see the note on s_len in sendto above
    rc=recvfrom1(s,buf,len,flags,from,fromlen);
    {
        wsprintf((char *)s_len,"function recvfrom size:=%d",len);
        wbs_SaveSendData((int)s, (char *)buf, len,(char *)s_len);
    }
    return rc;
}

// Forwards to the real recv, then logs len bytes of buf with a caption.
// NOTE(review): as in recvfrom, len (buffer size) is logged rather than rc.
int PASCAL FAR recv(SOCKET s, char FAR * buf, int len, int flags)
{
    int rc;
    char * s_len[6]; // see the note on s_len in sendto above
    rc=recv1(s, buf, len, flags);
    {
        wsprintf((char *)s_len,"function recv size:=%d",len);
        wbs_SaveSendData((int)s, (char *)buf, len,(char *)s_len);
    }
    return rc;
}

// Forwards to the real send. The logging block is commented out, so this
// wrapper currently only passes the call through.
int PASCAL FAR send(SOCKET s,const char FAR * buf,int len,int flags)
{
    int rc;
    char * s_len[6]; // unused while the block below is commented out
    rc = send1(s,buf,len,flags);
    // code that tends to fail
    /*
    {
        wsprintf((char *)s_len,"function send size:=%d",len);
        wbs_SaveSendData((int)s, (char *)buf, len,(char *)s_len);
    }
    */
    return rc;
}

/*
int PASCAL FAR WSARecv (SOCKET s,LPWSABUF lpBuffers,DWORD dwBufferCount,LPDWORD lpNumberOfBytesRecvd,LPDWORD lpFlags,LPWSAOVERLAPPED lpOverlapped,LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionROUTINE)
{
    int rc;
    char * s_len[6];
    rc=WSARecv1(s, lpBuffers, dwBufferCount, lpNumberOfBytesRecvd,lpFlags,lpOverlapped,lpCompletionROUTINE);
    //if (g_VK_F9==TRUE)
    {
        wsprintf((char *)s_len,"function recv size:=%d",dwBufferCount);
        //wbs_SaveSendData((int)s, (char *)buf, rc,(char *)s_len);
        wbs_SaveSendData((int)s, (char *)lpBuffers, dwBufferCount,(char *)s_len);
    }
    return rc;
}
*/
/////////////// wbs: end of handling ws2_32.dll send/receive functions /////////////
/////////////////////////////////////////////////////////////////////////////////////////////
|
[求助]在劫持DLL过程中如何取得函数的参数
按2楼大侠的方法:
// NOTE(review): ALCDECL and GetAddress() are defined elsewhere and are not visible here.
// Reads the first stack slot into s; the reads of buf and len are commented out,
// and the jump to the resolved address is also commented out, so after
// GetAddress("sendto") control simply returns to the caller from here.
ALCDECL MemCode_sendto(void)
{
    SOCKET s;
    const char FAR * buf;
    int len;
    __asm
    {
        mov EAX, [esp+4]
        mov s, EAX
        /*
        mov eax, [esp+8]
        mov buf, eax
        mov eax, [esp+12]
        mov len, eax
        // I only know assembly roughly: is an int argument also 4 units further along from esp?
        */
    }
    GetAddress("sendto");
    //__asm JMP EAX;
}
编译,将ws2_32.dll拷贝到应用程序目录。 启动,报错 信息:0x1001a2d4指令引用的0x00003f3a内存。该内存不能为"written"。 对汇编俺不熟悉,希望大侠们指教。 |
[求助]我的DLL文件劫持了我的网络
说明一下,我的操作系统是2000 pro |
[分享]加壳软件TTProtect Demo 1.02 (7.14)更新
搞不懂,LZ这个工具加壳以后程序运行则IE不能访问网络 |