-
-
veh求助
-
发表于: 2014-5-30 21:02
-
今天看到论坛里一篇文章:http://bbs.pediy.com/showthread.php?t=143432
我也想试试,就写了一段奇丑无比的代码,尝试用veh进行hook一个函数:(4楼有C写的代码)
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
;数据段
.data
ctx CONTEXT <0>
hcurrentthread dd 0h
szkernel32 db "kernel32.dll",0h
hkernel32 dd 0h
szExitProcess db "ExitProcess",0h
hExitProcess dd 0h
sztext db "breakpoint occured!",0h
sztitle db "qqand360",0h
;数据段?
.data?
;代码段
.code
sethwbreakpoint proc address:dword
pushad
mov ctx.ContextFlags,CONTEXT_ALL
invoke GetCurrentThread
mov hcurrentthread,eax
invoke GetThreadContext,eax,addr ctx
mov eax,address
mov ctx.iDr0,eax
invoke SetThreadContext,hcurrentthread,addr ctx
popad
ret
sethwbreakpoint endp
exceptionhandler proc exceptioninfo:dword
local @dwret:dword
pushad
mov ebx,exceptioninfo
assume ebx:ptr EXCEPTION_POINTERS
mov eax,[ebx].pExceptionRecord
assume eax:ptr EXCEPTION_RECORD
mov eax,[eax].ExceptionAddress
assume eax:nothing
mov edx,hExitProcess
.if eax == edx
invoke MessageBoxA,NULL,addr sztext,addr sztitle,MB_OK
invoke GetThreadContext,hcurrentthread,addr ctx
mov ctx.iDr0,0h
invoke SetThreadContext,hcurrentthread,addr ctx
invoke Sleep,3000
.endif
popad
mov eax,EXCEPTION_CONTINUE_EXECUTION
ret
exceptionhandler endp
start:
main proc
invoke GetModuleHandle,addr szkernel32
mov hkernel32,eax
invoke GetProcAddress,eax,addr szExitProcess
mov hExitProcess,eax
invoke sethwbreakpoint,eax
invoke AddVectoredExceptionHandler,1,addr exceptionhandler
invoke ExitProcess,NULL
ret
main endp
end start
我用od调试的时候在sethwbreakpoint里的setthreadcontext返回的值显示已经设置成功,但是调用ExitProcess的时候并没有被断下来,exceptionhandler也没有被调用。请问各位坛子里的兄弟,我的代码在哪里错了,或者是我对那篇文章的理解有问题?
我也想试试,就写了一段奇丑无比的代码,尝试用veh进行hook一个函数:(4楼有C写的代码)
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
;数据段
.data
ctx CONTEXT <0>
hcurrentthread dd 0h
szkernel32 db "kernel32.dll",0h
hkernel32 dd 0h
szExitProcess db "ExitProcess",0h
hExitProcess dd 0h
sztext db "breakpoint occured!",0h
sztitle db "qqand360",0h
;数据段?
.data?
;代码段
.code
sethwbreakpoint proc address:dword
pushad
mov ctx.ContextFlags,CONTEXT_ALL
invoke GetCurrentThread
mov hcurrentthread,eax
invoke GetThreadContext,eax,addr ctx
mov eax,address
mov ctx.iDr0,eax
invoke SetThreadContext,hcurrentthread,addr ctx
popad
ret
sethwbreakpoint endp
exceptionhandler proc exceptioninfo:dword
local @dwret:dword
pushad
mov ebx,exceptioninfo
assume ebx:ptr EXCEPTION_POINTERS
mov eax,[ebx].pExceptionRecord
assume eax:ptr EXCEPTION_RECORD
mov eax,[eax].ExceptionAddress
assume eax:nothing
mov edx,hExitProcess
.if eax == edx
invoke MessageBoxA,NULL,addr sztext,addr sztitle,MB_OK
invoke GetThreadContext,hcurrentthread,addr ctx
mov ctx.iDr0,0h
invoke SetThreadContext,hcurrentthread,addr ctx
invoke Sleep,3000
.endif
popad
mov eax,EXCEPTION_CONTINUE_EXECUTION
ret
exceptionhandler endp
start:
main proc
invoke GetModuleHandle,addr szkernel32
mov hkernel32,eax
invoke GetProcAddress,eax,addr szExitProcess
mov hExitProcess,eax
invoke sethwbreakpoint,eax
invoke AddVectoredExceptionHandler,1,addr exceptionhandler
invoke ExitProcess,NULL
ret
main endp
end start
我用od调试的时候在sethwbreakpoint里的setthreadcontext返回的值显示已经设置成功,但是调用ExitProcess的时候并没有被断下来,exceptionhandler也没有被调用。请问各位坛子里的兄弟,我的代码在哪里错了,或者是我对那篇文章的理解有问题?
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
me too ... 真心不会汇编。
感觉有必要的地方用inline asm 这种方式更好。
|
|
|
不好意思,主要觉得汇编不需要用强制转换方便,确实不方便阅读,我把代码用C写了一下,希望大牛帮忙看下,
 #include <iostream> #include <windows.h> using namespace std; DWORD ExitProcessAddress = 0; int sethwbreakpoint() { CONTEXT ctx; ctx.ContextFlags = CONTEXT_ALL; GetThreadContext(GetCurrentThread(),&ctx); ctx.Dr0 = ExitProcessAddress; SetThreadContext(GetCurrentThread(),&ctx); return 0; } DWORD ExceptionHandler(EXCEPTION_POINTERS *p) { if(p->ExceptionRecord->ExceptionAddress = (PVOID)ExitProcessAddress) { MessageBoxA(NULL,"hardware breakpoint","bp",MB_OK); CONTEXT ctx; ctx.ContextFlags = CONTEXT_ALL; GetThreadContext(GetCurrentThread(),&ctx); ctx.Dr0 = 0; SetThreadContext(GetCurrentThread(),&ctx); return EXCEPTION_CONTINUE_EXECUTION; } else return EXCEPTION_CONTINUE_SEARCH; } int main () { HMODULE hkernel32 = GetModuleHandle("kernel32.dll"); DWORD addr = (DWORD)GetProcAddress(hkernel32,"ExitProcess"); ExitProcessAddress = addr; sethwbreakpoint(); AddVectoredExceptionHandler(1,(PVECTORED_EXCEPTION_HANDLER)ExceptionHandler); ExitProcess(NULL); return 0; } |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
