首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 看雪峰会 看雪商城 证书查询
  1. 社区
  2. 付费问答
    3. 发新帖
[旧帖] [求助]用inline hook api ,explorer.exe经常报内存写错误,怎么解决呢? 0.00雪花
发表于: 2011-10-19 10:00 960

[旧帖] [求助]用inline hook api ,explorer.exe经常报内存写错误,怎么解决呢? 0.00雪花

kouke 活跃值
2011-10-19 10:00
960
exporer.exe报内存写错误,而且经常假死,哪位大牛帮忙看下源码?

源码如下:#include <windows.h>
#include <shlwapi.h>
#pragma comment(lib,"shlwapi.lib")

HANDLE g_hInstance=NULL;
BYTE g_btNewBytes[8]={0xB8,0x0,0x0,0x40,0x0,0xFF,0xE0,0x0}; //7个字节不行吗?
BYTE g_btOldBytes[8]={0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0};
HHOOK g_hOldHook=NULL;
DWORD g_pFindFirstFileW=0;
HANDLE g_hEvent=NULL;
HANDLE _stdcall Hook_FindFirstFileW(LPCWSTR lpFileName,LPWIN32_FIND_DATAW lpFindFileData);
DWORD dwOldProc;
DWORD dwNewProc;

BYTE g_btNewBytes2[8]={0xB8,0x0,0x0,0x40,0x0,0xFF,0xE0,0x0};
BYTE g_btOldBytes2[8]={0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0};
DWORD g_pFindNextFileW=0;
HANDLE g_hEvent2=NULL;
BOOL _stdcall Hook_FindNextFileW(HANDLE hFindFile,LPWIN32_FIND_DATAW lpFindFileData);

void StopHook(void)
{
        if(g_hOldHook!=NULL)
        {
                UnhookWindowsHookEx(g_hOldHook);
        }
}

BOOL APIENTRY DllMain(HANDLE hModule,DWORD ul_reason_for_call,LPVOID lpReserved)
{
        if(ul_reason_for_call==DLL_PROCESS_ATTACH)
        {
                g_hInstance=hModule;
                g_hEvent=CreateEvent(NULL,FALSE,TRUE,NULL); //信号自动复位,初始状态有信号
                g_hEvent2=CreateEvent(NULL,FALSE,TRUE,NULL);
                HMODULE hKernel32=LoadLibrary("kernel32.dll");
                g_pFindFirstFileW=(DWORD)GetProcAddress(hKernel32,"FindFirstFileW");
                ReadProcessMemory(INVALID_HANDLE_VALUE,(void*)g_pFindFirstFileW,(void*)g_btOldBytes,8,NULL);
                *(DWORD*)(g_btNewBytes+1)=(DWORD)Hook_FindFirstFileW;

                VirtualProtectEx(INVALID_HANDLE_VALUE,(void*)g_pFindFirstFileW,8,PAGE_READWRITE,&dwOldProc);
                WriteProcessMemory(INVALID_HANDLE_VALUE,(void*)g_pFindFirstFileW,(void*)g_btNewBytes,8,NULL);
                VirtualProtectEx(INVALID_HANDLE_VALUE,(void*)g_pFindFirstFileW,8,dwOldProc,&dwNewProc);

                g_pFindNextFileW=(DWORD)GetProcAddress(hKernel32,"FindNextFileW");
                ReadProcessMemory(INVALID_HANDLE_VALUE,(void*)g_pFindNextFileW,(void*)g_btOldBytes2,8,NULL);
                *(DWORD*)(g_btNewBytes2+1)=(DWORD)Hook_FindNextFileW;

                VirtualProtectEx(INVALID_HANDLE_VALUE,(void*)g_pFindNextFileW,8,PAGE_READWRITE,&dwOldProc);
                WriteProcessMemory(INVALID_HANDLE_VALUE,(void*)g_pFindNextFileW,(void*)g_btNewBytes2,8,NULL);
                VirtualProtectEx(INVALID_HANDLE_VALUE,(void*)g_pFindNextFileW,8,dwOldProc,&dwNewProc);
        }
        else if(ul_reason_for_call==DLL_PROCESS_DETACH)
        {
                {
                        WaitForSingleObject(g_hEvent,INFINITE);
                        VirtualProtectEx(INVALID_HANDLE_VALUE,(void*)g_pFindFirstFileW,8,PAGE_READWRITE,&dwOldProc);
                        WriteProcessMemory(INVALID_HANDLE_VALUE,(void*)g_pFindFirstFileW,(void*)g_btOldBytes,8,NULL);
                        VirtualProtectEx(INVALID_HANDLE_VALUE,(void*)g_pFindFirstFileW,8,dwOldProc,&dwNewProc);
                        CloseHandle(g_hEvent);

                        WaitForSingleObject(g_hEvent2,INFINITE);
                        VirtualProtectEx(INVALID_HANDLE_VALUE,(void*)g_pFindNextFileW,8,PAGE_READWRITE,&dwOldProc);
                        WriteProcessMemory(INVALID_HANDLE_VALUE,(void*)g_pFindNextFileW,(void*)g_btOldBytes2,8,NULL);
                        VirtualProtectEx(INVALID_HANDLE_VALUE,(void*)g_pFindNextFileW,8,dwOldProc,&dwNewProc);
                        CloseHandle(g_hEvent2);

                }
        }
        return TRUE;
}

HANDLE _stdcall Hook_FindFirstFileW(LPCWSTR lpFileName,LPWIN32_FIND_DATAW lpFindFileData)
{
        HANDLE hRet=INVALID_HANDLE_VALUE;
        WaitForSingleObject(g_hEvent,INFINITE);
        VirtualProtectEx(INVALID_HANDLE_VALUE,(void*)g_pFindFirstFileW,8,PAGE_READWRITE,&dwOldProc);
        WriteProcessMemory(INVALID_HANDLE_VALUE,(void*)g_pFindFirstFileW,(void*)g_btOldBytes,8,NULL);
        VirtualProtectEx(INVALID_HANDLE_VALUE,(void*)g_pFindFirstFileW,8,dwOldProc,&dwNewProc);
//        char lpFileName[MAX_PATH];
//        GetModuleFileName((HINSTANCE)GetModuleHandle(NULL),lpFileName,MAX_PATH);
//        if(StrCmpW(lpFileName,L"D:\\我的文档\\桌面\\桌面\\ft"))

        hRet=FindFirstFileW(lpFileName,lpFindFileData);

        VirtualProtectEx(INVALID_HANDLE_VALUE,(void*)g_pFindFirstFileW,8,PAGE_READWRITE,&dwOldProc);
        WriteProcessMemory(INVALID_HANDLE_VALUE,(void*)g_pFindFirstFileW,(void*)g_btNewBytes,8,NULL);
        VirtualProtectEx(INVALID_HANDLE_VALUE,(void*)g_pFindFirstFileW,8,dwOldProc,&dwNewProc);
        SetEvent(g_hEvent); //设置有信号
        return hRet;
}

BOOL _stdcall Hook_FindNextFileW(HANDLE hFindFile,LPWIN32_FIND_DATAW lpFindFileData)
{
        BOOL bRet=0;
        WaitForSingleObject(g_hEvent2,INFINITE);
        VirtualProtectEx(INVALID_HANDLE_VALUE,(void*)g_pFindNextFileW,8,PAGE_READWRITE,&dwOldProc);
        WriteProcessMemory(INVALID_HANDLE_VALUE,(void*)g_pFindNextFileW,(void*)g_btOldBytes2,8,NULL);
        VirtualProtectEx(INVALID_HANDLE_VALUE,(void*)g_pFindNextFileW,8,dwOldProc,&dwNewProc);

        //if(hFindFile!=INVALID_HANDLE_VALUE)
        bRet=FindNextFileW(hFindFile,lpFindFileData);
        VirtualProtectEx(INVALID_HANDLE_VALUE,(void*)g_pFindNextFileW,8,PAGE_READWRITE,&dwOldProc);
        WriteProcessMemory(INVALID_HANDLE_VALUE,(void*)g_pFindNextFileW,(void*)g_btNewBytes2,8,NULL);
        VirtualProtectEx(INVALID_HANDLE_VALUE,(void*)g_pFindNextFileW,8,dwOldProc,&dwNewProc);
        SetEvent(g_hEvent2); //设置有信号
        return bRet;
}

LRESULT WINAPI HookProc(int nCode,WPARAM wParam,LPARAM lParam)
{
        return CallNextHookEx(g_hOldHook,nCode,wParam,lParam);
}

BOOL StartHook(void)
{
        g_hOldHook=SetWindowsHookEx(WH_GETMESSAGE,HookProc,(HINSTANCE)g_hInstance,0);
        if(g_hOldHook==NULL)
                return FALSE;
        return TRUE;
}

[课程]Linux pwn 探索篇!

收藏
免费 0
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//