Hook URLDownLoadToFile,进入自己的函数,弹出是否下载,是则再次调用URLDownLoadToFile下载文件,否则不下载,返回。
可是点是时,再次调用URLDownLoadToFile,被注入的程序自己动退出了。
点否调用MESSAGEBOX,被注入程序可以回到流程中。二晚了,还没想通。
大虾指点下。。
====================================================
// SimpleHook.cpp : Defines the entry point for the DLL application.
//
#include "stdafx.h"
#include "urlmon.h"
#include "windows.h"
#pragma comment(lib,"urlmon.lib");
BYTE orig_code[8] = {0x0, 0x0, 0x0, 0x0, 0x0,0x0,0x0,0x0};
BYTE hook_code[8] = { 0xB8, 0x0, 0x0, 0x40, 0x0,0xFF,0xE0,0x0 };
ULONG OldProc;
ULONG OldProc2;
//HANDLE Event = NULL;
///////////////////////////////////////////////////////
HRESULT __stdcall MY_URLDownloadToFile(
LPUNKNOWN pCaller,
LPCTSTR szURL,
LPCTSTR szFileName,
DWORD dwReserved,
LPBINDSTATUSCALLBACK lpfnCB
)
{
LPUNKNOWN pCaller1 = pCaller;
LPCTSTR szURL1 = szURL;
LPCTSTR szFileName1 = szFileName ;
DWORD dwReserved1 = dwReserved;
LPBINDSTATUSCALLBACK lpfnCB1 = lpfnCB;
DWORD dwOldProtect;
int ret;
//WaitForSingleObject(Event,INFINITE);
if(MessageBox(NULL,"要下载吗?",NULL,MB_YESNO)==IDYES)
{
//VirtualProtect((LPVOID)OldProc, 8, PAGE_EXECUTE_READWRITE, &dwOldProtect);
//VirtualProtect((LPVOID)OldProc2, 8, PAGE_EXECUTE_READWRITE, &dwOldProtect);
MessageBox(0,szURL,"点了确定",0);
memcpy((BYTE *)OldProc, orig_code, 8);
memcpy((BYTE *)OldProc2, orig_code, 8);
ret = URLDownloadToFileA(pCaller1,szURL1,szFileName1,dwReserved1,lpfnCB1);
memcpy((BYTE *)OldProc, hook_code, 8);
memcpy((BYTE *)OldProc2, hook_code, 8);
//SetEvent(Event);
return ret; //return ret? return 0?
}
else{
MessageBox(NULL,"到消下载。",NULL,0);
return 0;
}
}
void hook_func()
{
DWORD dwOldProtect;
OldProc = (ULONG)GetProcAddress(GetModuleHandle("urlmon.dll"),"URLDownloadToFileA");
if(!VirtualProtect((LPVOID)OldProc, 8, PAGE_EXECUTE_READWRITE, &dwOldProtect))
{
return;
}
OldProc2 = (ULONG)GetProcAddress(GetModuleHandle ("urlmon.dll"),"URLDownloadToFileW");
if(!VirtualProtect((LPVOID)OldProc2, 8, PAGE_EXECUTE_READWRITE, &dwOldProtect))
{
return ;
}
memcpy(orig_code, (BYTE *)OldProc, 8);
*((ULONG*)(hook_code+1) ) = (ULONG)MY_URLDownloadToFile
// 修改原始入口
memcpy((BYTE *)OldProc, hook_code, 8);
memcpy((BYTE *)OldProc2, hook_code, 8);
}
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
DWORD ThreadId;
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
/Event = CreateEvent(NULL,FALSE,TRUE,NULL);
MessageBox(NULL,"Inject OK",NULL,0);
hook_func();
break;
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)