[Original] MinHook test analysis 01 (x86 jmp+offset type hook)
The hard part of inline hooking isn't constructing the trampoline or replacing instructions; on the contrary, that is very mechanical work. When writing a hook framework, the hard part is: have you considered multithreading? Multi-core? The instruction cache? When a thread is suspended it may have just executed the first two bytes; if you hook at that moment, it crashes once the thread resumes. And of course there are more potential problems.
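The mid-prologue thread problem the reply raises, as an added C example that is neither the post's nor MinHook's code: before the jmp is written, each suspended thread's instruction pointer is checked against a table mapping the displaced prologue instructions to their relocated copies in the trampoline, and is either moved or the attempt is aborted. The hook_t/ip_map_t types, the 5-byte patch and the sample offsets are assumptions; on Windows the IPs would be read with GetThreadContext after SuspendThread.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed types (not MinHook's): one ip_map_t per instruction that the
   5-byte jmp overwrites, mapping its offset in the target function to the
   offset of its relocated copy in the trampoline. */
typedef struct { uint8_t old_off, new_off; } ip_map_t;
typedef struct {
    uintptr_t target;      /* hooked function's address */
    uintptr_t trampoline;  /* where the displaced instructions were copied */
    size_t patch_len;      /* bytes overwritten: 5 for jmp rel32 */
    const ip_map_t *map;
    size_t map_len;
} hook_t;

enum { IP_UNAFFECTED = 0, IP_MOVED = 1, IP_UNSAFE = -1 };

/* One suspended thread's IP, checked before the jmp is written. Outside the
   patched bytes: leave it. On an instruction boundary inside them (e.g. the
   thread just executed the first 2-byte instruction): move it to the trampoline
   copy. Inside the range but not in the table: disassembly and reality disagree,
   so the framework must resume the thread and retry later, never patch. */
int fixup_ip(const hook_t *h, uintptr_t ip, uintptr_t *new_ip) {
    if (ip < h->target || ip >= h->target + h->patch_len) return IP_UNAFFECTED;
    size_t off = (size_t)(ip - h->target);
    for (size_t i = 0; i < h->map_len; i++) {
        if (h->map[i].old_off == off) {
            *new_ip = h->trampoline + h->map[i].new_off;
            return IP_MOVED;
        }
    }
    return IP_UNSAFE;
}

/* Run the check over every suspended thread (IPs from GetThreadContext after
   SuspendThread on Windows; a plain array here). Returns 1 if patching may
   proceed, new_ips[] holding what to write back with SetThreadContext, else 0. */
int threads_safe_to_patch(const hook_t *h, const uintptr_t *ips,
                          uintptr_t *new_ips, size_t n) {
    for (size_t i = 0; i < n; i++) {
        new_ips[i] = ips[i];
        if (fixup_ip(h, ips[i], &new_ips[i]) == IP_UNSAFE) return 0;
    }
    return 1;
}

/* Constructed sample: prologue "jmp short; push ebp; mov ebp,esp" at 0x10000.
   The 2-byte jmp short is re-encoded as a 5-byte jmp in the trampoline, so
   the instructions after it shift by 3 bytes. */
const ip_map_t sample_map[] = { {0, 0}, {2, 5}, {3, 6} };
const hook_t sample_hook = { 0x10000, 0x20000, 5, sample_map, 3 };
```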
[Original] DLL hijacking injection without exporting any function, perfect!
Oh, the OP also wants to hook pLdrLoadDll. I have a cleverer method: just replace the module list directly. I'll write an article when I get a chance. https://gist.github.com/tishion/96272231c54a42862569

#include <windows.h>
// PEB, PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY must come from a header that exposes the
// member names used below (Ldr, InLoadOrderModuleList, InInitializationOrderModuleList,
// InMemoryOrderModuleList, BaseAddress); the public winternl.h only declares Reserved* fields.
// 32-bit only: the inline asm reads the PEB from fs:[0x30].

/**
 ** tishion#163.com
 ** 2016-01-28 18:52:34
 **/
PLDR_DATA_TABLE_ENTRY GetModuleEntryInLoadOrderModuleList(HMODULE hMod)
{
    PPEB pPeb = NULL;
    // Get the base address of PEB struct
    __asm
    {
        push eax
        mov eax, fs:[0x30]
        mov pPeb, eax
        pop eax
    }
    // Get pointer value of PEB_LDR_DATA
    PPEB_LDR_DATA pLdr = pPeb->Ldr;
    // And get header of the InLoadOrderModuleList
    PLIST_ENTRY pHeaderOfModuleList = &(pLdr->InLoadOrderModuleList);
    if (pHeaderOfModuleList->Flink == pHeaderOfModuleList)
    {
        // Something was wrong
        return NULL;
    }
    PLDR_DATA_TABLE_ENTRY pEntry = NULL;
    PLIST_ENTRY pCur = pHeaderOfModuleList->Flink;
    // Find Entry of the fake module (note: the list is walked without holding the loader lock)
    do
    {
        pEntry = CONTAINING_RECORD(pCur, LDR_DATA_TABLE_ENTRY, InLoadOrderModuleList);
        // Ok, got it
        if (pEntry->BaseAddress == hMod)
        {
            break;
        }
        pEntry = NULL;
        pCur = pCur->Flink;
    } while (pCur != pHeaderOfModuleList);
    return pEntry;
}

/**
 ** Replace the return value of LoadLibrary
 **/
BOOL LoadFogModule(HMODULE hModule, LPCTSTR pOrigiModPath)
{
    // First, we must get the Entry of the fake module
    PLDR_DATA_TABLE_ENTRY pEntryOfFakeMod = GetModuleEntryInLoadOrderModuleList(hModule);
    // Then, load the original module
    HMODULE hOrigiMod = ::LoadLibrary(pOrigiModPath);
    if (NULL != pEntryOfFakeMod && NULL != hOrigiMod)
    {
        // Now we need to find the Entry of the original module
        PLDR_DATA_TABLE_ENTRY pEntryOfOrigiMod = GetModuleEntryInLoadOrderModuleList(hOrigiMod);
        /*
         * This is the key statement which will replace the return value of LoadLibrary.
         * At the end of LoadLibrary, it will return the base address taken from the entry of the fake module.
         * And then the process will import all the functions and variables it needs according to that base address.
         * Because we have replaced the address with the base address of the real original module,
         * it will work well, that is to say the process can get all valid imported functions and variables
         * from the original module.
         */
        pEntryOfFakeMod->BaseAddress = pEntryOfOrigiMod->BaseAddress;
        // Then we must remove the fake module entry from all the module lists, or it will lead the process to crash
        // remove it from InLoadOrderModuleList
        pEntryOfFakeMod->InLoadOrderModuleList.Blink->Flink = pEntryOfFakeMod->InLoadOrderModuleList.Flink;
        pEntryOfFakeMod->InLoadOrderModuleList.Flink->Blink = pEntryOfFakeMod->InLoadOrderModuleList.Blink;
        // remove it from InInitializationOrderModuleList
        pEntryOfFakeMod->InInitializationOrderModuleList.Blink->Flink = pEntryOfFakeMod->InInitializationOrderModuleList.Flink;
        pEntryOfFakeMod->InInitializationOrderModuleList.Flink->Blink = pEntryOfFakeMod->InInitializationOrderModuleList.Blink;
        // remove it from InMemoryOrderModuleList
        pEntryOfFakeMod->InMemoryOrderModuleList.Blink->Flink = pEntryOfFakeMod->InMemoryOrderModuleList.Flink;
        pEntryOfFakeMod->InMemoryOrderModuleList.Flink->Blink = pEntryOfFakeMod->InMemoryOrderModuleList.Blink;
        return TRUE;
    }
    return FALSE;
}
[Recommended] New client for Windows 10 preview
It works now. But yesterday I found that the new SDK has some layout issues on the Windows Mobile system and needs adjusting; I also ran into a Designer crash, so I haven't fixed this issue yet and haven't committed for now.
[Help] About TX company's chat records, help!
'just a test' "test " "message":'sdfsfsfsdf' }, {
[Recommended] 看雪 forum client for Windows Phone officially released! [Code open-sourced]
The code is open source; anyone interested can continue developing it.
[Original] 看雪 wp8 client
Nice job. But the UI should be designed a bit more carefully; also, I'd suggest not showing abbreviated post content, and instead pulling down each post's full content, laying it out, and then displaying it, which would be better. Developing WP apps in C# is fairly mature and has no major problems in itself; the client I released uses C++\CX + Windows Run Time, and that framework itself has bugs, which I've submitted and Microsoft has confirmed.