-
-
HOOK API-DeleteFile中遇到的问题?
-
发表于: 2014-6-10 08:19
-
刚接触HOOK API,就想写个demo测试下效果,打算把DeleteFileW进行hook,这样所有进程调用DeleteFile的时候我都晓得了,挂个wh_cbt全局钩子,然后把api hook掉,over。
DLL部分:
FileProjectLib.h
FileProjectLib.cpp
EXE部分:
自己生成了一个MFC dialog based程序在里面调用DeleteFile删除文件,发现弹出了MessageBox,证明hook到了DeleteFile,但是再用nsis生成一个安装包,安装包里面调用Delete函数删除文件(nsis源码中Delete会调用DeleteFileA-DeleteFileW)却没有MessageBox弹出,用OD调试运行,查看模块,发现没有我的FileProject.dll,请问是哪里出了问题了?求大虾们指点,所有的资源已经上传了
DLL部分:
FileProjectLib.h
/****************************************************************************** Module: FileProjectLib.h Notices: Copyright (c) 2014 ******************************************************************************/ #include<Windows.h> #ifndef FILEPROJECTLIBAPI #define FILEPROJECTLIBAPI extern "C" __declspec(dllimport) #endif /////////////////////////////////////////////////////////////////////////////// FILEPROJECTLIBAPI BOOL WINAPI FileProject_HookAllApps(BOOL bInstall, DWORD dwThreadId); //////////////////////////////// End of File //////////////////////////////////
FileProjectLib.cpp
/******************************************************************************
Module: FileProjectLib.cpp
Notices: Copyright (c) 2014
******************************************************************************/
#include <WindowsX.h>
#include <tchar.h>
#include <stdio.h>
//调试暂用绝对路径
#include "C:\\Users\\yiruirui\\Desktop\\保护\\FileProject\\FileProject\\mhook-lib\\mhook.h"
#define FILEPROJECTLIBAPI extern "C" __declspec(dllexport)
#include "C:\\Users\\yiruirui\\Desktop\\保护\\FileProject\\FileProject\\FileProjectLib.h"
///////////////////////////////////////////////////////////////////////////////
typedef BOOL (WINAPI *PFNDELETEFILEW)( LPCTSTR lpFileName);
PFNDELETEFILEW TrueDeleteFile = (PFNDELETEFILEW)
GetProcAddress(GetModuleHandle(L"Kernel32"), "DeleteFileW");
// This is the DeleteFileW replacement function
BOOL WINAPI HookDeleteFile( LPCTSTR lpFileName
) {
MessageBox(0,lpFileName,L"deletefile called",0);
return TrueDeleteFile(lpFileName);
}
///////////////////////////////////////////////////////////////////////////////
HHOOK g_hhook = NULL;
///////////////////////////////////////////////////////////////////////////////
static LRESULT WINAPI CBTProc(int code, WPARAM wParam, LPARAM lParam) {
return(CallNextHookEx(g_hhook, code, wParam, lParam));
}
///////////////////////////////////////////////////////////////////////////////
// Returns the HMODULE that contains the specified memory address
static HMODULE ModuleFromAddress(PVOID pv) {
MEMORY_BASIC_INFORMATION mbi;
return((VirtualQuery(pv, &mbi, sizeof(mbi)) != 0)
? (HMODULE) mbi.AllocationBase : NULL);
}
///////////////////////////////////////////////////////////////////////////////
BOOL WINAPI FileProject_HookAllApps(BOOL bInstall, DWORD dwThreadId) {
BOOL bOk;
if (bInstall) {
// chASSERT(g_hhook == NULL); // Illegal to install twice in a row
// Install the Windows' hook
g_hhook = SetWindowsHookEx(WH_CBT, CBTProc,
ModuleFromAddress(FileProject_HookAllApps), dwThreadId);
bOk = (g_hhook != NULL);
} else {
// chASSERT(g_hhook != NULL); // Can't uninstall if not installed
bOk = UnhookWindowsHookEx(g_hhook);
g_hhook = NULL;
}
return(bOk);
}
//////////////////////////////// End of File //////////////////////////////////
BOOL WINAPI DllMain( HINSTANCE hinstDLL,
DWORD fdwReason,
LPVOID lpvReserved
)
{
switch( fdwReason )
{
case DLL_PROCESS_ATTACH:
Mhook_SetHook((PVOID*)&TrueDeleteFile, HookDeleteFile);
break;
case DLL_THREAD_ATTACH:
// Do thread-specific initialization.
break;
case DLL_THREAD_DETACH:
// Do thread-specific cleanup.
break;
case DLL_PROCESS_DETACH:
Mhook_Unhook((PVOID*)&TrueDeleteFile);
// Perform any necessary cleanup.
break;
}
return true;
}EXE部分:
/******************************************************************************
Module: FileProjectInfo.cpp
Notices: Copyright (c) 2014
******************************************************************************/
#include <windowsx.h>
#include <tchar.h>
#include "C:\\Users\\yiruirui\\Desktop\\保护\\FileProject\\FileProject\\FileProjectLib.h"
#pragma comment(lib,"C:\\Users\\yiruirui\\Desktop\\保护\\FileProject\\Debug\\FileProject.lib");
///////////////////////////////////////////////////////////////////////////////
int WINAPI _tWinMain(HINSTANCE hInstExe, HINSTANCE, PTSTR pszCmdLine, int) {
DWORD dwThreadId = 0;
//安装全局钩子
FileProject_HookAllApps(TRUE, dwThreadId);
//测试50秒看效果
Sleep(50000);
//卸载全局钩子
FileProject_HookAllApps(FALSE, 0);
return(0);
}
//////////////////////////////// End of File //////////////////////////////////自己生成了一个MFC dialog based程序在里面调用DeleteFile删除文件,发现弹出了MessageBox,证明hook到了DeleteFile,但是再用nsis生成一个安装包,安装包里面调用Delete函数删除文件(nsis源码中Delete会调用DeleteFileA-DeleteFileW)却没有MessageBox弹出,用OD调试运行,查看模块,发现没有我的FileProject.dll,请问是哪里出了问题了?求大虾们指点,所有的资源已经上传了
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
hook native api 更好些吧
 不过还是支持 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
经过测试,xp,win7可以hook,WIN8中连dll都没注入到那个进程
|
|
|
亲,HOOK ShellExecuteA,
typedef HINSTANCE (WINAPI *PFNSHELLEXECUTEA)(HWND hwnd,LPCSTR lpOperation,LPCSTR lpFile,LPCSTR lpParameters,LPCSTR lpDirectory,INT nShowCmd); PFNSHELLEXECUTEA TrueShellExecute=(PFNSHELLEXECUTEA)GetProcAddress(GetModuleHandle(L"shell32"),"ShellExecuteA"); HINSTANCE WINAPI HookShellExecute(HWND hwnd,LPCSTR lpOperation,LPCSTR lpFile,LPCSTR lpParameters,LPCSTR lpDirectory,INT nShowCmd)
{
return TrueShellExecute(hwnd,lpOperation,lpFile,lpParameters,lpDirectory,nShowCmd);
}Mhook_SetHook((PVOID*)&TrueShellExecute,HookShellExecute); 这样运行时候弹出:应用程序初始化失败。。。。。调试发现是 GetProcAddress(GetModuleHandle(L"shell32"),"ShellExecuteA");这块的问题,这里如何调整呢,求指导 
|
|
|
|
