What is wrong with applying a Detours hook to CreateFile?

Time: 2019-12-07 11:21:24

Tags: winapi hook detours

I'm running into some trouble trying to apply a Detours hook to CreateFile in this small program:

    #include <windows.h>
    #include <iostream>

    int main(HINSTANCE hinst, HINSTANCE hPrevInstance, LPSTR cmdLine, int showCmd)
    {
        HANDLE file;
        DWORD bytesRead, bytesWritten, pos;
        TCHAR msg[1000];

        std::cout << "Start creating file \"SampleFile.txt\"" << std::endl;
        file = CreateFile(L"C:\\TestHook\\SampleFile.txt", GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
        std::cout << "\"SampleFile.txt\" added into C folder" << std::endl;

        CloseHandle(file);

        return 0;
    }

The DLL applied to it:

    #include <windows.h>
    #include <iostream>
    #include "C:\Detours\Detours-4.0.1\include\detours.h"

    // Pointer to the real CreateFileW; DetourAttach rewrites it to point at the trampoline.
    static HANDLE(WINAPI* TrueCreateFile)(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode,
        LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes,
        HANDLE hTemplateFile) = CreateFileW;

    __declspec(dllexport) HANDLE WINAPI MyCreateFile(LPCTSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode,
        LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes,
        HANDLE hTemplateFile)
    {
        // Calls CreateFile rather than TrueCreateFile, so once the detour is attached this re-enters MyCreateFile.
        HANDLE hookFile = CreateFile(L"C:\\TestHook\\hookYouGo.txt", GENERIC_WRITE, 0, NULL, OPEN_ALWAYS,
            FILE_ATTRIBUTE_NORMAL, NULL);
        std::cout << "CreateFile() is hooked...Meet other file name than you want" << std::endl;
        CloseHandle(hookFile);

        return hookFile; // the handle has already been closed at this point
    }

    // The entry point Windows calls is spelled DllMain; with this spelling it is an ordinary function.
    BOOL WINAPI DLLMain(HINSTANCE hinst, DWORD reason_for_call, LPVOID lpReserved)
    {
        std::cout << "test" << std::endl;

        if (reason_for_call = DLL_PROCESS_ATTACH) // '=' assigns, so this condition is always true
        {
            DetourRestoreAfterWith();
            DetourTransactionBegin();
            DetourUpdateThread(GetCurrentThread());
            DetourAttach(&(PVOID&)TrueCreateFile, MyCreateFile);
            DetourTransactionCommit();
        }

        return TRUE;
    }

Once it is executed in Visual Studio '19 (OS Windows 10), it adds a new file to the target folder, but not the one I expected. It seems the hook attachment fails: instead of hookYouGo.txt, SampleHook.txt shows up. Looking at API Monitor after the process has finished, I can't find any evidence that the DLL was applied in sequence either. On the command line it is the same, because I launch withdll.exe, which runs into output like the statement about SampleFile, but the DLL seems to stay outside of that process. Of course withdll.exe, the program with the main function and the DLL are all located in the same folder.

1 answer:

Answer 0 (score: 0)

You're going about it the wrong way; you have to get the function's address in order to hook it.

Like so:

    // Function-pointer type matching CreateFileW, so the resolved address can be stored and called through.
    typedef HANDLE(WINAPI* TrueCreateFile)(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode,
        LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes,
        HANDLE hTemplateFile);

    TrueCreateFile HookCreateFile;

    // kernel32 exports CreateFileA and CreateFileW; "CreateFile" is only a macro, so ask for the W variant.
    HookCreateFile = (TrueCreateFile)GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "CreateFileW");

Then do the actual hooking:

    DetourAttach(&(PVOID&)HookCreateFile, MyCreateFile);
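The answer's approach carried through, as an added example that is neither the asker's nor the answerer's code: a hook DLL that resolves CreateFileW with GetProcAddress, attaches it from a correctly spelled DllMain, passes every call through to the real function and returns its handle; and, since the question is really "did the hook attach at all?", a small check that reads the first bytes of the hooked export and reports whether they have been rewritten with a JMP, which is how Detours redirects a target. The prologue check is portable C++ and runs anywhere against the constructed sample bytes; the DllMain part builds only on Windows with the Detours headers and library. The names HookedCreateFileW, RealCreateFileW, CreateFileWEntry, Ordinal1Export and the kSample* arrays are mine, and the sample byte arrays are constructed for the example, not bytes read from kernel32.

```cpp
// Added example, not code from the question or the answer.
#include <cstddef>
#include <cstdint>
#include <cstring>

// --- Portable part: prologue inspection -------------------------------------
// Detours overwrites the first instructions of the target with E9 rel32
// (JMP rel32) to the detour; some other hooking libraries use FF 25 (JMP [mem]).
// Looking at the first bytes of CreateFileW after DetourTransactionCommit()
// therefore shows whether the attach really happened.
enum class Prologue { Unpatched, RelJmp, AbsJmp };

Prologue inspect_prologue(const std::uint8_t* code, std::size_t len)
{
    if (len >= 5 && code[0] == 0xE9) return Prologue::RelJmp;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) return Prologue::AbsJmp;
    return Prologue::Unpatched;
}

// Destination of an E9 rel32 located at address `at`: the displacement is
// relative to the end of the 5-byte instruction (wraps correctly for negatives).
std::uintptr_t rel_jmp_target(std::uintptr_t at, const std::uint8_t* code)
{
    std::int32_t rel;
    std::memcpy(&rel, code + 1, sizeof rel);
    return at + 5 + static_cast<std::uintptr_t>(static_cast<std::intptr_t>(rel));
}

// Constructed sample prologues (NOT real kernel32 bytes): an ordinary x64
// prologue, a detoured entry (JMP +0x10), a backward JMP (-5) and an absolute JMP.
const std::uint8_t kSampleClean[8]  = {0x48, 0x89, 0x5C, 0x24, 0x08, 0x57, 0x48, 0x83};
const std::uint8_t kSampleRelJmp[8] = {0xE9, 0x10, 0x00, 0x00, 0x00, 0xCC, 0xCC, 0xCC};
const std::uint8_t kSampleNegJmp[8] = {0xE9, 0xFB, 0xFF, 0xFF, 0xFF, 0xCC, 0xCC, 0xCC};
const std::uint8_t kSampleAbsJmp[8] = {0xFF, 0x25, 0x00, 0x00, 0x00, 0x00, 0xCC, 0xCC};

// --- Windows part: the corrected hook DLL -----------------------------------
#ifdef _WIN32
#include <windows.h>
#include <detours.h>   // add the Detours include and lib directories to the project

// Typed pointer to the real CreateFileW, resolved with GetProcAddress as the
// answer suggests; DetourAttach rewrites it to point at the trampoline.
typedef HANDLE(WINAPI* CreateFileW_t)(LPCWSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES,
                                      DWORD, DWORD, HANDLE);
static CreateFileW_t RealCreateFileW  = nullptr;
static const void*   CreateFileWEntry = nullptr; // original export address, kept for the check

static HANDLE WINAPI HookedCreateFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess,
    DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
{
    // Observe the call, then forward it through the trampoline and return the
    // real handle. Calling CreateFileW here instead would re-enter this hook.
    OutputDebugStringW(lpFileName);
    return RealCreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
                           dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
}

// True once the export's entry has been rewritten with a JMP.
bool CreateFileWIsDetoured()
{
    return CreateFileWEntry != nullptr &&
           inspect_prologue(static_cast<const std::uint8_t*>(CreateFileWEntry), 8) != Prologue::Unpatched;
}

// withdll.exe injects the DLL by importing its ordinal-1 export, so the DLL
// needs at least one export; this one exists only for that purpose.
extern "C" __declspec(dllexport) void WINAPI Ordinal1Export(void) {}

// The entry point must be spelled DllMain and compare the reason with ==.
BOOL WINAPI DllMain(HINSTANCE, DWORD reason, LPVOID)
{
    if (DetourIsHelperProcess()) return TRUE;

    if (reason == DLL_PROCESS_ATTACH) {
        HMODULE k32 = GetModuleHandleW(L"kernel32.dll");
        RealCreateFileW = reinterpret_cast<CreateFileW_t>(GetProcAddress(k32, "CreateFileW"));
        if (!RealCreateFileW) return FALSE;
        CreateFileWEntry = reinterpret_cast<const void*>(RealCreateFileW);

        DetourRestoreAfterWith();
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)RealCreateFileW, HookedCreateFileW);
        if (DetourTransactionCommit() != NO_ERROR) return FALSE;
        // From here on CreateFileWIsDetoured() is true and RealCreateFileW is the trampoline.
    } else if (reason == DLL_PROCESS_DETACH) {
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID&)RealCreateFileW, HookedCreateFileW);
        DetourTransactionCommit();
    }
    return TRUE;
}
#endif
```

Build the Windows part as a DLL and start the target through withdll.exe as on the page; CreateFileWIsDetoured() can be called right after the commit (or from the target via the same check on GetProcAddress's result) to confirm the attach instead of inferring it from which file appeared. The same prologue inspection is what hook scanners in endpoint tooling do across a process's imports to detect that an API has been detoured.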