-
-
[旧帖] [求助] Dll 注入添加用SetUnhandledExceptionFilter添加 VEH 修改内存属性,抛出异常进行跳转。求教高手 0.00雪花
-
发表于: 2011-7-25 16:50
-
[旧帖] [求助] Dll 注入添加用SetUnhandledExceptionFilter添加 VEH 修改内存属性,抛出异常进行跳转。求教高手 0.00雪花
2011-7-25 16:50
学习veh,于是想写个跳转,拿计算器下手。修改 calc中选择进制(科学型)的函数(0x100675B)。
把函数开头第一个字节把内存改成PAGE_NOACCESS,但是注入后
然后心碎的事情就发生了 内存访问错误的地址居然是 0x1006118。吐血,这是为什么?代码如下:
#include "stdafx.h"
#include <tchar.h>
#include <strsafe.h>
LONG WINAPI MyUnFilterA (_EXCEPTION_POINTERS *lpExceptionInfo);
const unsigned long Hookaddr = 0x100675B;
unsigned long ulProtect;
void DebugPrint(__format_string STRSAFE_LPCWSTR pszFormat, ...)
{
va_list va;
va_start(va, pszFormat);
wchar_t* pszDebug = new wchar_t[256];
StringCchVPrintf(pszDebug, 256, pszFormat, va);
OutputDebugString(pszDebug);
delete[] pszDebug;
va_end(va);
}
__declspec(naked) VOID MyHook()
{
OutputDebugString(_T("Hook_"));
__asm
{
push ebx
mov eax,Hookaddr
add eax,1
jmp eax
}
}
DWORD WINAPI MyThreadFunction( LPVOID lpParam )
{
//添加VEH处理
SetUnhandledExceptionFilter(MyUnFilterA);
//修改内存属性
VirtualProtect((LPVOID)Hookaddr, 1, PAGE_NOACCESS, &ulProtect);
return 0;
}
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
UNREFERENCED_PARAMETER(lpReserved);
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&MyThreadFunction, (void*)hModule, 0, NULL);
}
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
LONG WINAPI MyUnFilterA (_EXCEPTION_POINTERS *lpExceptionInfo)
{
if (lpExceptionInfo->ExceptionRecord->ExceptionCode == STATUS_ACCESS_VIOLATION)
{
if (lpExceptionInfo->ContextRecord->Eip == Hookaddr)
{
//如果报错的地址是Hookaddr就跳转
lpExceptionInfo->ContextRecord->Eip = (DWORD)MyHook;
return EXCEPTION_CONTINUE_EXECUTION;
}
else
{
//如果不是就修改内存属性,记录下地址。
DebugPrint(L"addr %X ,EIP %X",lpExceptionInfo->ExceptionRecord->ExceptionAddress,lpExceptionInfo->ContextRecord->Eip);
VirtualProtect((LPVOID)lpExceptionInfo->ExceptionRecord->ExceptionAddress, 1, PAGE_EXECUTE_READWRITE, &ulProtect);
return EXCEPTION_CONTINUE_EXECUTION;
}
}
else return EXCEPTION_CONTINUE_SEARCH;
}
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
我糊涂了,也被雷了,LZ你确认你的方法是VEH嘛?
看看这个补充点基本知识,Windows平台下的异常处理 另外,不知道API怎么用无所谓的,但是要多看看MSDN, http://msdn.microsoft.com/en-us/library/aa366898(v=vs.85).aspx BOOL WINAPI VirtualProtect( __in LPVOID lpAddress, __in SIZE_T dwSize, __in DWORD flNewProtect, __out PDWORD lpflOldProtect ); dwSize [in] The size of the region whose access protection attributes are to be changed, in bytes. The region of affected pages includes all pages containing one or more bytes in the range from the lpAddress parameter to (lpAddress+dwSize). This means that a 2-byte range straddling a page boundary causes the protection attributes of both pages to be changed. |
