-
-
[原创]为了方便Hook PE,注入DLL
-
发表于: 2023-1-20 16:09
-
本篇是为了代码逆向还原做铺垫。相当于代码工程开始的环境搭建阶段。最后的Hook还有点问题,需要寻求一些大佬的指点才行。
接下来的内容,其实和之前的[原创]PE注入DLL有很多相似的过程。这是本篇主要重心是放在Hook上。
进入正文:
被Hook的Exe源代码:
Hook代码,Hook库是使用MinHook,完整代码如下:
#include <Windows.h>#include <iostream>using namespace std;int add(int a, int b)
{ int nResult = a + b;
printf("methold add, result: %d\n", nResult);
return nResult;
}int main(int argc, char* argv[])
{ int nResult = add(2, 3);
printf("%s %d : %d\n", __FILE__, __LINE__, nResult);
return 0;
}#include <Windows.h>#include <iostream>using namespace std;int add(int a, int b)
{ int nResult = a + b;
printf("methold add, result: %d\n", nResult);
return nResult;
}int main(int argc, char* argv[])
{ int nResult = add(2, 3);
printf("%s %d : %d\n", __FILE__, __LINE__, nResult);
return 0;
}// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"#include <Windows.h>#include<stdio.h>#include <iostream>#include "MinHook.h"#pragma comment(lib, "MinHook.x86.lib")extern "C" __declspec(dllexport) int Inject(void* pParam)
{ printf("%p\n", pParam);
return 0;
}typedef int (*FUNCTION_add)(int,int);
FUNCTION_add fpFunction_add = NULL;
FUNCTION_add fpFunctionOrg_add = (FUNCTION_add)0x401010;
int DetourFunction_add(int a, int b)
{ printf("fake function\n");
return 6;
}int HookEntry()
{ if (MH_Initialize() != MH_OK)
{
char szDbgInfor[512]{ 0 };
sprintf_s(szDbgInfor, "%s : %d\n", __FILE__, __LINE__);
OutputDebugStringA(szDbgInfor);
return 1;
}
//fpFunctionOrg_add = (FUNCTION_add)&add;
long lret = 0;
// Create a hook for method: add, in disabled state.
if ((lret = MH_CreateHook(fpFunctionOrg_add, &DetourFunction_add,
reinterpret_cast<LPVOID*>(&fpFunction_add))) != MH_OK)
{
char szDbgInfor[512]{ 0 };
sprintf_s(szDbgInfor, "%s : %d -->lret = %d, %p,%p\n", __FILE__, __LINE__, lret, &fpFunctionOrg_add, fpFunctionOrg_add);
OutputDebugStringA(szDbgInfor);
return 1;
}
if (MH_EnableHook(fpFunctionOrg_add) != MH_OK)
{
char szDbgInfor[512]{ 0 };
sprintf_s(szDbgInfor, "%s : %d\n", __FILE__, __LINE__);
OutputDebugStringA(szDbgInfor);
return 1;
}
char szDbgInfor[512]{ 0 };
sprintf_s(szDbgInfor, "%s : %d\n", __FILE__, __LINE__);
OutputDebugStringA(szDbgInfor);
return 0;
}int HookExit()
{ if (MH_DisableHook(fpFunctionOrg_add) != MH_OK)
{
return 1;
}
// Uninitialize MinHook.
if (MH_Uninitialize() != MH_OK)
{
return 1;
}
return 0;
}BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{ switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
char szDbgInfor[512]{ 0 };
sprintf_s(szDbgInfor, "%s : %d\n", __FILE__, __LINE__);
OutputDebugStringA(szDbgInfor);
HookEntry();
}
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
{
HookExit();
}
break;
}
return TRUE;
}// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"#include <Windows.h>#include<stdio.h>#include <iostream>#include "MinHook.h"#pragma comment(lib, "MinHook.x86.lib")extern "C" __declspec(dllexport) int Inject(void* pParam)
{ printf("%p\n", pParam);
return 0;
}typedef int (*FUNCTION_add)(int,int);
FUNCTION_add fpFunction_add = NULL;
FUNCTION_add fpFunctionOrg_add = (FUNCTION_add)0x401010;
int DetourFunction_add(int a, int b)
{ printf("fake function\n");
return 6;
}int HookEntry()
{ if (MH_Initialize() != MH_OK)
{
char szDbgInfor[512]{ 0 };
sprintf_s(szDbgInfor, "%s : %d\n", __FILE__, __LINE__);
OutputDebugStringA(szDbgInfor);
return 1;
}
//fpFunctionOrg_add = (FUNCTION_add)&add;
long lret = 0;
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
最后于 2023-1-20 16:10
被_THINCT编辑
,原因:
|
|
|---|---|
