#include "stdafx.h"
#include "hookme.h"
#include <imagehlp.h>
#include <TLHELP32.H>
#pragma comment(lib,"imagehlp")
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
// Function-pointer typedefs for the addresses handed between hookProc() and
// ReplaceITAEntryInOneModule().
// NOTE(review): FARPROC and PROC are also declared by the Windows headers that
// stdafx.h/hookme.h presumably pull in; these redeclarations only compile as
// long as both sides name the same pointer type — confirm against the SDK in use.
typedef int (FAR WINAPI *FARPROC)();
typedef int (NEAR WINAPI *NEARPROC)();
typedef int (WINAPI *PROC)();
// MFC message map for the DLL's CWinApp object. No handlers are mapped here.
BEGIN_MESSAGE_MAP(CHookmeApp, CWinApp)
//{{AFX_MSG_MAP(CHookmeApp)
// NOTE - the ClassWizard will add and remove mapping macros here.
// DO NOT EDIT what you see in these blocks of generated code!
//}}AFX_MSG_MAP
END_MESSAGE_MAP()
// Log file written by ReplaceITAEntryInOneModule(). It is opened at load time
// with "w+", which truncates the file every time this DLL is loaded; because the
// hook installed in hook() is global (thread id 0), each process that loads the
// DLL reopens — and truncates — the same hard-coded path. The result is never
// checked for NULL and the stream is never closed anywhere in this file.
FILE* fp=fopen("d:\\hook.txt","w+");
// Application object constructor; performs no initialization of its own.
CHookmeApp::CHookmeApp()
{
}
// The single MFC application object for this DLL.
CHookmeApp theApp;
// Handle returned by SetWindowsHookEx in hook() and forwarded to CallNextHookEx
// in hookProc(). Nothing in this file ever unhooks it or resets it to NULL.
HHOOK g_hhook=NULL;
// Forward declaration; the definition (and the parameter documentation) is
// further down in this file. Rewrites one import-table entry of hmodCaller.
void ReplaceITAEntryInOneModule(LPCTSTR pszCalleeName, // rewrites one import (IAT) entry
PROC pfnCurrent,
PROC pfnNew,
HMODULE hmodCaller);
// Replacement routine that stands in for ExitProcess: it shows a message box
// and then terminates the calling process with the exit code it was given.
// Declared WINAPI so the calling convention matches the routine it replaces.
void WINAPI NewFunc(UINT uExitCode) // replacement function
{
    const UINT exitCode = uExitCode;
    ::AfxMessageBox("You Can Not Exit!");
    ::ExitProcess(exitCode);
}
// Hook procedure (installed as a WH_GETMESSAGE hook by hook() below).
//
// Runs inside whichever process received the message. On every HC_ACTION
// callback it resolves ExitProcess in KERNEL32 and NewFunc in hookme.dll and
// asks ReplaceITAEntryInOneModule() to rewrite the import entry of the host's
// main module (GetModuleHandle(NULL)). Every path ends in CallNextHookEx, so
// message delivery itself is never blocked.
//
// NOTE(review): neither hOld nor hNew is checked for NULL before being passed
// on; a failed GetModuleHandle/GetProcAddress lookup is silently forwarded.
// NOTE(review): the lookup and patch attempt repeat on every message; the
// callee only returns early once no import slot still equals pfnCurrent.
extern "C" LRESULT _declspec(dllexport) __stdcall hookProc(int nCode,WPARAM wParam,LPARAM lParam)
{
// Negative codes must be passed through without processing.
if(nCode<0)
return (CallNextHookEx(g_hhook,nCode,wParam,lParam));
if(nCode==HC_ACTION)
{
// Original address to replace: ExitProcess as exported by KERNEL32 in this process.
HMODULE hModKe32=GetModuleHandle("KERNEL32.dll");
FARPROC hOld=GetProcAddress(hModKe32,"ExitProcess");
// New address: NewFunc looked up by name in this DLL (relies on the DLL's file name).
HMODULE hModHookme=GetModuleHandle("hookme.dll");
FARPROC hNew=GetProcAddress(hModHookme,"NewFunc");
ReplaceITAEntryInOneModule( // patch the import entry
"KERNEL32.dll",
hOld,
hNew,
GetModuleHandle(NULL));
return (CallNextHookEx(g_hhook,nCode,wParam,lParam));
}
// Any other code: plain pass-through.
return (CallNextHookEx(g_hhook,nCode,wParam,lParam));
}
// Exported function-pointer alias of hookProc; this is what hook() hands to
// SetWindowsHookEx.
extern "C" LRESULT (__stdcall *lpHookProc)(int,WPARAM,LPARAM)=hookProc;
// Exported entry point that installs the WH_GETMESSAGE hook.
//
// The module handle is obtained by the DLL's file name, so the call only works
// while the library is loaded as "hookme.dll"; a NULL handle makes
// SetWindowsHookEx fail, which is reported through the message box below.
// A thread id of 0 makes the hook global rather than thread-specific.
// NOTE(review): there is no matching UnhookWindowsHookEx in this file, so the
// hook stays installed for the lifetime of the installing process.
void _declspec(dllexport) __stdcall hook() // installs the hook from this function
{
g_hhook=SetWindowsHookEx(
WH_GETMESSAGE,
lpHookProc,
GetModuleHandle("hookme.dll"),
0);
if(g_hhook==NULL)
AfxMessageBox("Hook Failed!",MB_OK);
}
// Walks the import directory of hmodCaller, finds the descriptor for
// pszCalleeModName (case-insensitive compare), scans that descriptor's
// first-thunk (IAT) array for a slot equal to pfnCurrent, and on the first
// match issues a WriteProcessMemory of pfnNew, logs GetLastError to the global
// log file and returns. Returns silently if the import directory or the
// module's descriptor cannot be found.
//
// Parameters
//   pszCalleeModName  name of the imported module to look for
//   pfnCurrent        address currently stored in the import slot
//   pfnNew            address to write in its place
//   hmodCaller        base of the module whose imports are scanned
//
// NOTE(review): the process handle opened below is never closed, so every
// successful match leaks one handle.
// NOTE(review): the return value of WriteProcessMemory is ignored; the error
// code is read and logged unconditionally, so a "success" line in the log
// only says the last-error value was 0, not what was written or where.
// NOTE(review): the system message is passed to fprintf as the format string;
// any '%' sequence in it would be interpreted. Use a "%s" format instead.
// NOTE(review): the DWORD casts on module-relative pointers truncate on
// 64-bit builds — this code appears to assume a 32-bit image; confirm.
void ReplaceITAEntryInOneModule(LPCTSTR pszCalleeModName, // name of the called module
PROC pfnCurrent, // original address
PROC pfnNew, // new address
HMODULE hmodCaller) // base of the calling module
{
ULONG ulSize;
// Locate the import descriptor table of the already-mapped image (TRUE = mapped as image).
PIMAGE_IMPORT_DESCRIPTOR pid=(PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(
hmodCaller,
TRUE,
IMAGE_DIRECTORY_ENTRY_IMPORT,
&ulSize);
if(pid==NULL)
return;
// Find the descriptor whose RVA-based name matches the requested module.
while(pid->Name)
{
LPCTSTR name=LPCTSTR((DWORD)hmodCaller+pid->Name);
if(lstrcmpi(name,pszCalleeModName)==0)
break;
pid++;
}
// The loop ends on the null terminator when no descriptor matched.
if(pid->Name==NULL)
return;
else
{
// FirstThunk points at the array of resolved function addresses (the IAT).
PIMAGE_THUNK_DATA ptd=(PIMAGE_THUNK_DATA)((DWORD)hmodCaller+pid->FirstThunk);
while(ptd->u1.Function)
{
// Compare the slot's stored address against the one we are looking for.
PROC* p=(PROC*)&ptd->u1.Function;
if(*p==pfnCurrent)
{
// Handle to the current process; bInheritHandle is TRUE although nothing here spawns a child.
DWORD idCurr=GetCurrentProcessId();
HANDLE hCurr=OpenProcess(PROCESS_VM_OPERATION|PROCESS_VM_WRITE,TRUE,idCurr);
WriteProcessMemory(
hCurr,
ptd->u1.Function,
&pfnNew,
sizeof(pfnNew),
NULL);
// Read regardless of whether the write reported success.
DWORD error=GetLastError();
LPVOID lpMsgBuf;
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM |
FORMAT_MESSAGE_IGNORE_INSERTS,
NULL,
error,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR)&lpMsgBuf,
0,
NULL
);
// fp is the global log stream opened at load time; it is not NULL-checked here.
fprintf(fp,(LPCTSTR)lpMsgBuf);
LocalFree(lpMsgBuf);
// Only the first matching slot is handled.
return;
}
ptd++;
}
}
}
根据打印出来的 GetLastError() 信息来看，是“操作成功完成。”
但是为什么AfxMessageBox("You Can Not Exit!");没有出来呢?
比如我打开任务管理器再关上，就出现那个“遇到问题需要关闭”的对话框，但是 AfxMessageBox("You Can Not Exit!") 并没有出现
不解啊 请高人指教下 谢谢!