我将Redirect函数放在了DLL文件里,并在DLLMain的PROCESS_ATTACH的时候执行Redirect函数
我又用另外一个exe程序去setwindowshookex注入其他程序
但是总是注入成功,但是Redirect函数执行失败,我看了下,是从注释那里开始就出错
BOOL WINAPI RedirectApi ( PCHAR pDllName, PCHAR pFunName, DWORD dwNewProc, PIAT_ITEM pItem )
{
if ( pDllName == NULL || pFunName == NULL || !dwNewProc || !pItem )
{
MessageBox(NULL,"Fail","Value",MB_OK);
return FALSE ;
}
char szTempDllName[256] = {0} ;
DWORD dwBaseImage = (DWORD)GetModuleHandle(NULL) ;
if ( dwBaseImage == 0 )
{
MessageBox(NULL,"Fail","BaseImage",MB_OK);
return FALSE ;
}
PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)dwBaseImage ;
PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)(dwBaseImage + (pDosHeader->e_lfanew)) ;
PIMAGE_OPTIONAL_HEADER32 pOptionalHeader = &(pNtHeader->OptionalHeader) ;
PIMAGE_SECTION_HEADER pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pNtHeader + 0x18 + pNtHeader->FileHeader.SizeOfOptionalHeader ) ;
PIMAGE_THUNK_DATA pThunk, pIAT ;
PIMAGE_IMPORT_DESCRIPTOR pIID = (PIMAGE_IMPORT_DESCRIPTOR)(dwBaseImage+pOptionalHeader->DataDirectory[1].VirtualAddress ) ;
while ( pIID->FirstThunk )
/*////////////////////这个循环好像没执行?因为上面都没有提示错误*/
{
if ( strcmp ( (PCHAR)(dwBaseImage+pIID->Name), pDllName ) )
{
pIID++ ;
continue ;
}
pIAT = (PIMAGE_THUNK_DATA)( dwBaseImage + pIID->FirstThunk ) ;
if ( pIID->OriginalFirstThunk )
pThunk = (PIMAGE_THUNK_DATA)( dwBaseImage + pIID->OriginalFirstThunk ) ;
else
pThunk = pIAT ;
DWORD dwThunkValue = 0 ;
while ( ( dwThunkValue = *((DWORD*)pThunk) ) != 0 )
{
if ( ( dwThunkValue & IMAGE_ORDINAL_FLAG32 ) == 0 )
{
if ( strcmp ( (PCHAR)(dwBaseImage+dwThunkValue+2), pFunName ) == 0 )
{
pItem->IATAddr = (DWORD)pIAT ;
pItem->IATOldValue = *((DWORD*)pIAT) ;
pItem->IATNewValue = dwNewProc;
DWORD dwOldProtect = 0 ;
VirtualProtect ( pIAT, 4, PAGE_READWRITE, &dwOldProtect ) ;
*((DWORD*)pIAT) = dwNewProc ;
VirtualProtect ( pIAT, 4, PAGE_READWRITE, &dwOldProtect ) ;
return TRUE ;
}
}
pThunk ++ ;
pIAT ++ ;
}
pIID ++ ;
}
MessageBox(NULL,"Fail","pIID",MB_OK);
return FALSE ;
}
[课程]Android-CTF解题方法汇总!
