[求助][求助]HOOK API 卸载HOOK时 explorer崩溃-软件逆向-看雪-安全社区|安全招聘|kanxue.com

最新回复 (6)
红黑魔导雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 14 粉丝 0 关注私信	红黑魔导 2 楼这个是我参考的源码能运行 /* 本例中拦截以下两个位于Kernel32.dll中的API BOOL WINAPI CreateProcessW( // UNICODE 版本 LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation ); BOOL CreateProcessA( // ANSI 版本 LPCTSTR lpApplicationName, LPTSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCTSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation ); */ #include "Hook.h" #include <windows.h> #include "detours.h" #pragma comment(lib, "detours.lib") HHOOK g_hHook = NULL; HMODULE g_hInst = NULL; bool g_bIntercepted = false; BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved ); LRESULT CALLBACK ShellProc( int nCode, WPARAM wParam, LPARAM lParam ); void Intercept(); void UnIntercept(); BOOL WINAPI Replace_CreateProcessW( LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation ); BOOL Replace_CreateProcessA( LPCTSTR lpApplicationName, LPTSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCTSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation ); // --------------------------------------------------------------------------- DETOUR_TRAMPOLINE( BOOL WINAPI Real_CreateProcessA( LPCTSTR lpApplicationName, LPTSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCTSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation), CreateProcessA); DETOUR_TRAMPOLINE( BOOL WINAPI Real_CreateProcessW( LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation), CreateProcessW); // --------------------------------------------------------------------------- BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved ) { g_hInst = hinstDLL; switch(fdwReason) { case DLL_PROCESS_ATTACH: break; case DLL_THREAD_ATTACH: break; case DLL_THREAD_DETACH: break; case DLL_PROCESS_DETACH: UnIntercept(); break; } return TRUE; } LRESULT CALLBACK ShellProc( int nCode, WPARAM wParam, LPARAM lParam ) { if(!g_bIntercepted) Intercept(); return CallNextHookEx(g_hHook, nCode, wParam, lParam); } void InstallHook() { if(g_hHook == NULL) g_hHook = ::SetWindowsHookEx( WH_SHELL , ShellProc ,(HINSTANCE)g_hInst, 0); } void UninstallHook() { if(::UnhookWindowsHookEx( g_hHook )) g_hHook = NULL; } BOOL WINAPI Replace_CreateProcessW( LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation ) { BOOL res = 0; __try { MessageBoxW( NULL, lpApplicationName, L"拦截成功!", MB_OK ); res = Real_CreateProcessW( lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation); } __finally { }; return res; } BOOL Replace_CreateProcessA( LPCTSTR lpApplicationName, LPTSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCTSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation ) { BOOL res = 0; __try { MessageBoxA( NULL, lpApplicationName, "拦截成功!", MB_OK ); res = Real_CreateProcessA( lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation); } __finally { }; return res; } void Intercept() { DetourFunctionWithTrampoline((PBYTE)Real_CreateProcessW, (PBYTE)Replace_CreateProcessW); DetourFunctionWithTrampoline((PBYTE)Real_CreateProcessA, (PBYTE)Replace_CreateProcessA); } void UnIntercept() { DetourRemove( (PBYTE)Real_CreateProcessW,(PBYTE)Replace_CreateProcessW); DetourRemove( (PBYTE)Real_CreateProcessA,(PBYTE)Replace_CreateProcessA); } 2009-3-25 16:02 0
zhoro 雪币： 109 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 23 粉丝 0 关注私信	zhoro 3 楼 windows是多线程的。当你的线程在改写内存的时候，有可能改写到一半的时候就被挂起了。然后新的线程运行，刚好执行到这个函数。。就出错了。代码逻辑再正确也无法避免。。。。 2009-3-26 15:27 0
红黑魔导雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 14 粉丝 0 关注私信	红黑魔导 4 楼楼上说的也对，不过应该怎么改。能说下基本的思想嘛要是我对一个新建的进程，先挂起进程，再修改导入表。就不会出现我全局HOOK的所出现的问题了吧 2009-3-27 19:45 0
nevergone 雪币： 63 活跃值： (17) 能力值： ( LV8，RANK：130 ) 在线值：发帖 5 回帖 270 粉丝 0 关注私信	nevergone 3 5 楼可以考虑使用shellhook实现 2009-3-27 21:49 0
flipcode 雪币： 202 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 5 粉丝 0 关注私信	flipcode 6 楼楼主你用的是detours1.5版本吧，这个版本有bug，在多次inline hook后再卸载就会出现你所说的情况改用版本吧 2009-6-22 18:29 0
xzchina 雪币： 615 活跃值： (1222) 能力值： ( LV4，RANK：50 ) 在线值：发帖 42 回帖 843 粉丝 0 关注私信	xzchina 1 7 楼 ye zhu de li liang 2009-6-22 18:44 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

红黑魔导

雪币： 201

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

1

回帖

14

粉丝

0

关注

私信

红黑魔导: 2 楼

这个是我参考的源码能运行
/*
本例中拦截以下两个位于Kernel32.dll中的API

BOOL WINAPI CreateProcessW( // UNICODE 版本
LPCWSTR lpApplicationName,
LPWSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCWSTR lpCurrentDirectory,
LPSTARTUPINFOW lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation
);

BOOL CreateProcessA( // ANSI 版本
   LPCTSTR lpApplicationName,
   LPTSTR lpCommandLine,
   LPSECURITY_ATTRIBUTES lpProcessAttributes,
   LPSECURITY_ATTRIBUTES lpThreadAttributes,
   BOOL bInheritHandles,
   DWORD dwCreationFlags,
   LPVOID lpEnvironment,
   LPCTSTR lpCurrentDirectory,
   LPSTARTUPINFO lpStartupInfo,
   LPPROCESS_INFORMATION lpProcessInformation
);
*/

#include "Hook.h"
#include <windows.h>
#include "detours.h"
#pragma comment(lib, "detours.lib")

HHOOK g_hHook = NULL;
HMODULE g_hInst = NULL;
bool g_bIntercepted = false;

BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved );
LRESULT CALLBACK ShellProc( int nCode, WPARAM wParam, LPARAM lParam );
void Intercept();
void UnIntercept();
BOOL WINAPI Replace_CreateProcessW(
LPCWSTR lpApplicationName,
LPWSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCWSTR lpCurrentDirectory,
LPSTARTUPINFOW lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation
);

BOOL Replace_CreateProcessA(
  LPCTSTR lpApplicationName,
  LPTSTR lpCommandLine,
  LPSECURITY_ATTRIBUTES lpProcessAttributes,
  LPSECURITY_ATTRIBUTES lpThreadAttributes,
  BOOL bInheritHandles,
  DWORD dwCreationFlags,
  LPVOID lpEnvironment,
  LPCTSTR lpCurrentDirectory,
  LPSTARTUPINFO lpStartupInfo,
  LPPROCESS_INFORMATION lpProcessInformation
);

// ---------------------------------------------------------------------------

DETOUR_TRAMPOLINE( BOOL WINAPI Real_CreateProcessA( LPCTSTR lpApplicationName,
LPTSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCTSTR lpCurrentDirectory,
LPSTARTUPINFO lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation),
CreateProcessA);

DETOUR_TRAMPOLINE( BOOL WINAPI Real_CreateProcessW( LPCWSTR lpApplicationName,
LPWSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCWSTR lpCurrentDirectory,
LPSTARTUPINFOW lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation),
CreateProcessW);

// ---------------------------------------------------------------------------

BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved )
{
g_hInst = hinstDLL;

switch(fdwReason)
{
case DLL_PROCESS_ATTACH:
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
UnIntercept();
break;
}

return TRUE;
}

LRESULT CALLBACK ShellProc( int nCode, WPARAM wParam, LPARAM lParam )
{
if(!g_bIntercepted)
Intercept();

return CallNextHookEx(g_hHook, nCode, wParam, lParam);
}

void InstallHook()
{
if(g_hHook == NULL)
g_hHook = ::SetWindowsHookEx( WH_SHELL , ShellProc ,(HINSTANCE)g_hInst, 0);
}

void UninstallHook()
{
if(::UnhookWindowsHookEx( g_hHook ))
g_hHook = NULL;
}

BOOL WINAPI Replace_CreateProcessW(
LPCWSTR lpApplicationName,
LPWSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCWSTR lpCurrentDirectory,
LPSTARTUPINFOW lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation
)
{
BOOL res = 0;
__try
{
MessageBoxW( NULL, lpApplicationName, L"拦截成功!", MB_OK );
res = Real_CreateProcessW( lpApplicationName,
lpCommandLine,
lpProcessAttributes,
lpThreadAttributes,
bInheritHandles,
dwCreationFlags,
lpEnvironment,
lpCurrentDirectory,
lpStartupInfo,
lpProcessInformation);
}
__finally
{
};
return res;
}

BOOL Replace_CreateProcessA(
  LPCTSTR lpApplicationName,
  LPTSTR lpCommandLine,
  LPSECURITY_ATTRIBUTES lpProcessAttributes,
  LPSECURITY_ATTRIBUTES lpThreadAttributes,
  BOOL bInheritHandles,
  DWORD dwCreationFlags,
  LPVOID lpEnvironment,
  LPCTSTR lpCurrentDirectory,
  LPSTARTUPINFO lpStartupInfo,
  LPPROCESS_INFORMATION lpProcessInformation
)
{
BOOL res = 0;
__try
{
MessageBoxA( NULL, lpApplicationName, "拦截成功!", MB_OK );
res = Real_CreateProcessA( lpApplicationName,
lpCommandLine,
lpProcessAttributes,
lpThreadAttributes,
bInheritHandles,
dwCreationFlags,
lpEnvironment,
lpCurrentDirectory,
lpStartupInfo,
lpProcessInformation);
}
__finally
{
};
return res;
}

void Intercept()
{
DetourFunctionWithTrampoline((PBYTE)Real_CreateProcessW, (PBYTE)Replace_CreateProcessW);
DetourFunctionWithTrampoline((PBYTE)Real_CreateProcessA, (PBYTE)Replace_CreateProcessA);
}

void UnIntercept()
{
DetourRemove( (PBYTE)Real_CreateProcessW,(PBYTE)Replace_CreateProcessW);
DetourRemove( (PBYTE)Real_CreateProcessA,(PBYTE)Replace_CreateProcessA);
}

2009-3-25 16:02

0