首页
社区
课程
招聘
[求助][讨论]求各位大佬帮我看看,dll注入到od进程,HOOK OpenProcess之后,od还是能打开程序调试
发表于: 2021-11-6 22:10 25006

[求助][讨论]求各位大佬帮我看看,dll注入到od进程,HOOK OpenProcess之后,od还是能打开程序调试

2021-11-6 22:10
25006
1
自己的这个Dll 做了HOOK掉OpenProcess这个操作,将其远程线程注入到OD进程中后,od还是可以打开程序,这是为什么啊??求助,感谢感谢大家

DLL的代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
#include<windows.h>
#include"1.h"
#include<tchar.h>
unsigned char g_OldOpcode[5] = {};
unsigned char g_NewOpcode[5] = {0XE9};
LPVOID g_OpAddr = 0;
HANDLE
WINAPI
MyOpenProcess(
    _In_ DWORD dwDesiredAccess,
    _In_ BOOL bInheritHandle,
    _In_ DWORD dwProcessId
)
{
    OffHook();
    MessageBox(0, L"HELLO", 0, 0);
    HANDLE h = OpenProcess(PROCESS_ALL_ACCESS, FALSE, -1);
    OnHook();
    return h;
}
 
void Init()
{
    HMODULE handle = GetModuleHandle(L"kernel32.dll");
    g_OpAddr = GetProcAddress(handle, "OpenProcess");
 
    memcpy(g_OldOpcode, g_OpAddr, 5);
 
    DWORD offset = (DWORD)MyOpenProcess - (DWORD)g_OpAddr - 5;
    memcpy(g_NewOpcode + 1, &offset, 4);
 
 
}
 
void OnHook()
{
    DWORD oldProtect = 0;
    VirtualProtect(g_OpAddr, 1, PAGE_EXECUTE_READWRITE, &oldProtect);
    memcpy(g_OpAddr, g_NewOpcode, 5);
    VirtualProtect(g_OpAddr, 1, oldProtect, &oldProtect);
}
 
void OffHook()
{
    DWORD oldProtect = 0;
    VirtualProtect(g_OpAddr, 1, PAGE_EXECUTE_READWRITE, &oldProtect);
    memcpy(g_OpAddr, g_OldOpcode, 5);
    VirtualProtect(g_OpAddr, 1, oldProtect, &oldProtect);
}

DLLMain的代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "framework.h"
#include"1.h"
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        MessageBox(0, L"已注入", 0, 0);
        Init();
        OnHook();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        OffHook();
        break;
    }
    return TRUE;
}

远程线程注入的代码(没问题):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
#include<windows.h>
 
 
int main()
{
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 16540);
    LPVOID pAddr = VirtualAllocEx(hProcess, 0, 1, MEM_COMMIT, PAGE_READWRITE);
    const WCHAR* p = L"C:\\Users\\27684\\source\\repos\\ConsoleApplication4\\Debug\\Project1.dll";
    DWORD dwRealSize = 0;
    WriteProcessMemory(hProcess, pAddr, p, 2 * (wcslen(p) + 1), &dwRealSize);
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibrary, pAddr, NULL, NULL);
    WaitForSingleObject(hThread, -1);
    VirtualFreeEx(hProcess, pAddr, 0, MEM_RELEASE);
    CloseHandle(hProcess);
    CloseHandle(hThread);
}

不知道哪里有问题?


[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 0
支持
分享
最新回复 (3)
雪    币: 10
活跃值: (1168)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
求助啊
2021-11-6 22:15
0
雪    币: 1282
活跃值: (4570)
能力值: ( LV6,RANK:90 )
在线值:
发帖
回帖
粉丝
3
用OD调试OD试试
2021-11-8 08:56
0
雪    币: 2392
活跃值: (1055)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
4
用Procmon apimonitor之类的工具看一下他调的是哪个函数
2021-11-8 09:46
0
游客
登录 | 注册 方可回帖
返回
//