请帮忙看看Hook出了什么问题。
发表于: 2024-10-24 15:50 1920


报错:0x7BBCCC31 (mfc140ud.dll)处(位于 MFCApplication1.exe 中)引发的异常: 0xC0000005: 读取位置 0x1821CCCB 时发生访问冲突。
问题出现在调用原函数的这一行:jumpToAddressFunc(lpString);

// Backup of the bytes Hook() overwrites at the target address; UnHook() copies
// them back. Nine bytes = the 5-byte JMP rel32 plus the 4 NOP bytes Hook() writes.
BYTE OldCode[9] = {};

// Pointer type used to call the patched target: one wide-string argument, no
// return value, default calling convention, no `this` parameter.
using JumpToAddressFunc = void (*)(LPCWSTR);

// Address of the function to patch, hard-coded.
// NOTE(review): a literal address is only valid for one specific build loaded at
// one specific image base; with ASLR or after a rebuild it may point somewhere
// else. In debug/incremental-link builds it may also be a 5-byte jump thunk
// rather than the function body — confirm in a debugger.
// NOTE(review): if this is CMFCApplication1Dlg::SetTextContent (a non-static
// member function), 32-bit MSVC calls it as __thiscall with `this` in ECX, which
// this pointer type cannot express — confirm.
JumpToAddressFunc jumpToAddressFunc = reinterpret_cast<JumpToAddressFunc>(0x0041a000);
 
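// Removes the inline patch by copying the bytes saved in OldCode back over the
// target function.
//
// The patched range is made writable, restored, flushed from the instruction
// cache, and then returned to its previous page protection so the code page is
// not left writable and executable.
//
// NOTE(review): OldCode only holds real instructions after Hook() has succeeded;
// calling this first would copy the zero-initialised buffer over live code —
// confirm every caller runs after a successful Hook().
void UnHook()
{
    const SIZE_T patchSize = sizeof(OldCode);
    LPVOID srcFuncAddress = reinterpret_cast<LPVOID>(jumpToAddressFunc);
    DWORD OldProtect = 0;

    if (!VirtualProtect(srcFuncAddress, patchSize, PAGE_EXECUTE_READWRITE, &OldProtect))
    {
        // Protection was not changed, so there is nothing to restore; the
        // original code called VirtualProtect again with OldProtect == 0 here.
        OutputDebugString(L"king:VirtualProtect失败。");
        return;
    }

    memcpy(srcFuncAddress, OldCode, patchSize);

    // Code bytes changed: make sure the CPU does not execute stale instructions.
    FlushInstructionCache(GetCurrentProcess(), srcFuncAddress, patchSize);
    OutputDebugString(L"king:恢复模块成功。");

    // Put the previous protection back; the out-parameter is required by the API
    // but its value is not needed.
    DWORD ignored = 0;
    VirtualProtect(srcFuncAddress, patchSize, OldProtect, &ignored);
}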
 
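// Installs an inline hook: overwrites the first 9 bytes of the function that
// jumpToAddressFunc points at with `JMP rel32` to lpDstFunction followed by
// four NOPs, after saving the original 9 bytes in OldCode for UnHook().
//
// @param lpDstFunction  address of the replacement function to jump to.
//
// The 5-byte E9 form stores a signed 32-bit displacement, so this assumes a
// 32-bit process (or a destination within +/-2 GiB of the target).
//
// NOTE(review): only 5 bytes are needed for the jump. Overwriting 9 also
// replaces whatever follows; if the target is a 5-byte incremental-link thunk,
// the next thunk is clobbered while the hook is installed — confirm what lives
// at the target address.
// NOTE(review): other threads may execute the target while it is being
// rewritten; nothing here guards against that.
void Hook(LPVOID lpDstFunction)
{
    OutputDebugString(L"king:加载模块成功。");

    const SIZE_T patchSize = sizeof(OldCode);
    // Keep the address as a pointer: the original stored it in a DWORD, which
    // truncates on 64-bit builds. (A GetProcAddress lookup is the alternative
    // source for this address.)
    BYTE* const srcFuncAddress = reinterpret_cast<BYTE*>(jumpToAddressFunc);
    DWORD OldProtect = 0;

    if (!VirtualProtect(srcFuncAddress, patchSize, PAGE_EXECUTE_READWRITE, &OldProtect))
    {
        WCHAR message[100];
        wsprintfW(message, L"king:VirtualProtect失败。%d",
                  static_cast<DWORD>(reinterpret_cast<uintptr_t>(srcFuncAddress)));
        OutputDebugString(message);
        // Protection was never changed, so do not try to "restore" it.
        return;
    }

    // Save the original machine code before touching it.
    memcpy(OldCode, srcFuncAddress, patchSize);

    // rel32 is measured from the end of the 5-byte JMP instruction.
    const uintptr_t ralativeAddress =
        reinterpret_cast<uintptr_t>(lpDstFunction) - reinterpret_cast<uintptr_t>(srcFuncAddress) - 5;
    const INT32 rel32 = static_cast<INT32>(ralativeAddress);

    // Build the whole patch first and write it in one copy, so the function is
    // never left with an E9 opcode and a stale displacement while logging.
    BYTE patch[sizeof(OldCode)] = { 0xE9, 0x00, 0x00, 0x00, 0x00, 0x90, 0x90, 0x90, 0x90 };
    memcpy(patch + 1, &rel32, sizeof(rel32));
    memcpy(srcFuncAddress, patch, patchSize);

    // Code bytes changed: make sure the CPU does not execute stale instructions.
    FlushInstructionCache(GetCurrentProcess(), srcFuncAddress, patchSize);

    WCHAR message[100];
    wsprintfW(message, L"king:跳转到地址:0x%X", static_cast<DWORD>(ralativeAddress));
    OutputDebugString(message);

    // Restore the previous protection over the same 9 bytes that were unlocked
    // (the original restored only 6), so the page is not left writable+executable.
    DWORD ignored = 0;
    VirtualProtect(srcFuncAddress, patchSize, OldProtect, &ignored);
}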
 
// Detour that Hook() redirects the patched function to: removes the patch,
// shows the string in a message box, then calls the original function.
//
// @param lpString  the wide string the patched function was called with.
void WINAPI MySetTextContent(LPCWSTR lpString)
{
    // Restore the original bytes first; otherwise the call at the end would
    // land on the JMP again and re-enter this detour.
    UnHook();

    MessageBox(nullptr, lpString, lpString, MB_OK);

    // NOTE(review): this is the call reported to raise 0xC0000005 inside
    // mfc140ud.dll. Likely cause, to be confirmed in a debugger: if the patched
    // address is CMFCApplication1Dlg::SetTextContent, that is a non-static
    // member function, which 32-bit MSVC calls as __thiscall with `this` in ECX.
    // Neither this detour's signature nor JumpToAddressFunc carries `this`, and
    // ECX is not preserved across UnHook()/MessageBox(), so the original would
    // run with a garbage `this` and fault when SetDlgItemText dereferences it.
    // A __thiscall callee also pops its own argument, while a call through a
    // default-convention pointer makes the caller pop it again, which unbalances
    // the stack. Fixing it means changing both the detour signature and the
    // pointer type so `this` is received and forwarded, e.g. a detour declared
    // `void __fastcall f(void* self, void* /*edx*/, LPCWSTR)` that calls the
    // original through `void (__thiscall*)(void* self, LPCWSTR)`.
    jumpToAddressFunc(lpString);
}
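// Reinterprets the object representation of `src` as a `dst_type` value
// (typically used to turn one pointer type into another that no named cast
// will convert).
//
// @tparam dst_type  result type; must be default-constructible and trivially
//                   copyable, and no larger than src_type.
// @tparam src_type  source type; must be trivially copyable.
// @param  src       value whose leading sizeof(dst_type) bytes are copied.
// @return a dst_type holding those bytes.
//
// The bytes are copied with memcpy rather than read through a casted pointer:
// dereferencing `*static_cast<dst_type*>(static_cast<void*>(&src))` violates
// strict aliasing and reads past `src` when dst_type is the larger type.
template<typename dst_type, typename src_type>
dst_type pointer_cast(src_type src)
{
    static_assert(sizeof(dst_type) <= sizeof(src_type),
                  "pointer_cast: destination type is larger than the source object");

    dst_type dst;
    memcpy(&dst, &src, sizeof(dst_type));
    return dst;
}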
 
 
// Button handler: installs the hook with MySetTextContent as the destination,
// then calls SetTextContent(L"hello").
// NOTE(review): presumably the patched address is SetTextContent, so this call
// is expected to land in the detour — confirm against jumpToAddressFunc.
void CMFCApplication1Dlg::OnBnClickedButton1()
{
    PROC detour = (PROC)MySetTextContent;
    Hook(detour);

    // Member call: the compiler passes `this` along with the string argument.
    this->SetTextContent(L"hello");
}
 
// Sets the text of the IDC_STATIC control to lpString.
// This is a non-static member function: SetDlgItemText is called on `this`, so
// the function only works when invoked with a valid dialog object.
void CMFCApplication1Dlg::SetTextContent(LPCWSTR lpString)
{
    this->SetDlgItemText(IDC_STATIC, lpString);
}


最后于 2024-10-24 16:02 被wx_king_794编辑 ,原因:
最新回复 (1)
我大概看了一下:代码段不可写,需要修改一下属性。
2024-10-24 16:08