我想通过钩子来拦截一个应用程序调用的dsound api,这个应用程序使用了显式调用方式来调用dsound的api,因此我先将系统的
LoadLibrary替换成我自己写的MyLoadLibrary函数,这样我就可以在应用程序执行LoadLibrary("dsound.dll")的时候将dsound的
api替换成我自己写的函数,简要代码如下:
/*
 * Replacement for LoadLibraryA: logs the requested name, forwards the call
 * to the saved original entry point, and, when the freshly loaded module is
 * the one named by DSoundHook.Name, asks HookImportedFunction to redirect
 * DirectSoundCreate to MyDirectSoundCreate.
 *
 * Returns whatever the original LoadLibraryA returned.
 *
 * NOTE(review): the name test is an exact, case-insensitive comparison, so a
 * request that carries a directory path would not match -- presumably
 * DSoundHook.Name is a bare file name; confirm against its definition.
 * NOTE(review): the value returned by HookImportedFunction is discarded and
 * DSoundHook.Hooked is not updated in this function.
 */
HMODULE WINAPI MyLoadLibraryA(LPCSTR lpFileName)
{
    MyLoadLibraryA_Type pfnRealLoadLibraryA;
    HMODULE hLoaded;

    /* Record every load request before it is forwarded. */
    WriteToLog("\nhook LoadLibraryA call, name:");
    WriteToLog((char*)lpFileName);

    /* Entry 0 of Kernel32Hook is used here as the saved original function. */
    pfnRealLoadLibraryA = (MyLoadLibraryA_Type)Kernel32Hook.Functions[0].OrigFn;
    hLoaded = pfnRealLoadLibraryA(lpFileName);

    /* Nothing more to do when hooking is switched off or the load failed. */
    if (!g_bNeedHook || hLoaded == NULL) {
        return hLoaded;
    }

    /* Only act once, and only for the module named in DSoundHook. */
    if (DSoundHook.Hooked || stricmp(lpFileName, DSoundHook.Name) != 0) {
        return hLoaded;
    }

    HookImportedFunction("dsound.dll", "DirectSoundCreate", 0, MyDirectSoundCreate );
    return hLoaded;
}
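/*
 * Redirect one import-address-table (IAT) slot of the main executable.
 *
 * Dll      -- name of the imported DLL, compared case-insensitively
 * FuncName -- name of the imported function to match; may be NULL when the
 *             import is to be matched by ordinal only
 * Ordinal  -- export ordinal to match, used only for imports made by ordinal
 * Function -- replacement address written into the matching slot
 *
 * Returns the value previously stored in the last slot that was rewritten,
 * or NULL when no slot matched, the headers look invalid, or the slot could
 * not be made writable.
 *
 * Limitation: only the executable's own import table is searched, because
 * image_base comes from GetModuleHandle(NULL). A DLL that is loaded only at
 * run time through LoadLibrary and resolved through GetProcAddress has no
 * descriptor in that table, so the name comparison below never matches it.
 */
PVOID HookImportedFunction(const char *Dll, const char *FuncName, int Ordinal, void *Function)
{
    void *PrevValue = NULL;
    BYTE *image_base = (BYTE *)GetModuleHandle(NULL);
    IMAGE_DOS_HEADER *idh;
    IMAGE_NT_HEADERS *inh;
    IMAGE_DATA_DIRECTORY *import_dir;
    IMAGE_IMPORT_DESCRIPTOR *iid;

    if (Dll == NULL || image_base == NULL) {
        return NULL;
    }

    /* Validate both signatures before trusting any offset read from the image. */
    idh = (IMAGE_DOS_HEADER *)image_base;
    if (idh->e_magic != IMAGE_DOS_SIGNATURE) {
        return NULL;
    }
    inh = (IMAGE_NT_HEADERS *)(image_base + idh->e_lfanew);
    if (inh->Signature != IMAGE_NT_SIGNATURE) {
        return NULL;
    }

    /* An image without an import directory has RVA 0; walking from image_base
     * would misread the DOS header as a descriptor array. */
    import_dir = &inh->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (import_dir->VirtualAddress == 0) {
        return NULL;
    }

    iid = (IMAGE_IMPORT_DESCRIPTOR *)(image_base + import_dir->VirtualAddress);
    for (; iid->Name != 0; iid++) {
        IMAGE_THUNK_DATA *lookup;
        IMAGE_THUNK_DATA *slot;

        if (stricmp(Dll, (const char *)(image_base + iid->Name)) != 0) {
            continue;
        }

        /* Without an import lookup table the names and ordinals cannot be
         * recovered; FirstThunk already holds resolved addresses. */
        if (iid->OriginalFirstThunk == 0) {
            continue;
        }

        lookup = (IMAGE_THUNK_DATA *)(image_base + iid->OriginalFirstThunk);
        slot = (IMAGE_THUNK_DATA *)(image_base + iid->FirstThunk);

        for (; lookup->u1.AddressOfData != 0; lookup++, slot++) {
            int matched = 0;
            DWORD oldProtect;

            if (IMAGE_SNAP_BY_ORDINAL(lookup->u1.Ordinal)) {
                /* Imported by ordinal only. */
                matched = ((int)IMAGE_ORDINAL(lookup->u1.Ordinal) == Ordinal);
            } else if (FuncName != NULL) {
                /* Imported by name. The Hint field is an index into the
                 * exporter's name table, not an ordinal, so it is not compared
                 * with Ordinal: callers passing Ordinal 0 would otherwise
                 * overwrite every slot whose hint happens to be 0. */
                IMAGE_IMPORT_BY_NAME *by_name = (IMAGE_IMPORT_BY_NAME *)
                    (image_base + (ULONG_PTR)lookup->u1.AddressOfData);
                matched = (strcmp((const char *)by_name->Name, FuncName) == 0);
            }

            if (!matched) {
                continue;
            }

            /* Open only the one slot for writing, and skip it if that fails
             * rather than faulting on a read-only page. */
            if (!VirtualProtect(&slot->u1.Function, sizeof slot->u1.Function,
                                PAGE_READWRITE, &oldProtect)) {
                continue;
            }

            PrevValue = (void *)(ULONG_PTR)slot->u1.Function;
#if _MFC_VER == 0x0600
            slot->u1.Function = (DWORD*)Function;
#else
            /* Pointer-sized cast so the address is not truncated on 64-bit. */
            slot->u1.Function = (ULONG_PTR)Function;
#endif

            /* Put the original page protection back so the table is not left
             * writable for the rest of the process lifetime. */
            VirtualProtect(&slot->u1.Function, sizeof slot->u1.Function,
                           oldProtect, &oldProtect);
        }
    }

    return PrevValue;
}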
问题:在遍历过程中执行 if(stricmp(Dll, (char *)(image_base + iid->Name)) == 0) 语句时,始终无法找到dsound.dll。
请问高手,问题出在什么地方呢?我已经先调用LoadLibrary将dsound.dll加载到进程中了,为什么无法在
IMAGE_IMPORT_DESCRIPTOR中找到它呢?