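MS Detours Express 3.0 is not hooking the CreateFile win32 API function properly

Time: 2013-01-09 12:44:46

Tags: c++ winapi hook createfile detours

I am trying to hook the win32 API function "CreateFile" using MS Detours, but when I test it by opening a *.doc file with MS Word, the CreateFile calls for the DLLs, font files and directories that MS Word loads are redirected to my detour function, but not the call for the *.doc file itself. When I open a *.txt file with Notepad, however, the CreateFile call for that *.txt file does reach my detour function.

I am using the following code to hook CreateFile: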

static HANDLE (WINAPI *Real_CreateFile)(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile) = CreateFile;

HANDLE WINAPI Routed_CreateFile(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
{
    OutputDebugString(lpFileName);
    return Real_CreateFile(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
}

BOOL APIENTRY DllMain( HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved )
{
    LONG Error;
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:

        OutputDebugString(L"Attaching MyDLL.dll");
        OutputDebugString(strInfo);
        DetourRestoreAfterWith();
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)Real_CreateFile, Routed_CreateFile);
        Error = DetourTransactionCommit();

        if (Error == NO_ERROR)
            OutputDebugString(L"Hooked Success");
        else
            OutputDebugString(L"Hook Error");

        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        OutputDebugString(L"De-Attaching MyDLL.dll");
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID&)Real_CreateFile, Routed_CreateFile);
        Error = DetourTransactionCommit();

        if (Error == NO_ERROR)
            OutputDebugString(L"Un-Hooked Success");
        else
            OutputDebugString(L"Un-Hook Error");

        break;
    }
    return TRUE;
}

Thanks in advance.

2 answers:

Answer 0: (score: 3)

I think you're missing a break after this:

case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
    break;  // Not interested in thread messages
case DLL_PROCESS_DETACH:

Are you just detaching the detour before the call? Perhaps opening the .doc creates a new thread while the .txt does not, which triggers this code path.
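
Added example, not part of the answer above or of the asker's code: a portable C simulation of the fall-through this answer describes, showing why calls made before the first thread notification are logged and later ones are not. The reason-code values match winnt.h; the boolean hook state, the event trace and the file names are constructed, and no real Detours call is made.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Same numeric values winnt.h assigns to the DllMain reason codes. */
enum { SIM_PROCESS_DETACH, SIM_PROCESS_ATTACH, SIM_THREAD_ATTACH, SIM_THREAD_DETACH };

/* Layout from the question: thread notifications fall through into the detach arm. */
static bool dllmain_fallthrough(bool hooked, int reason) {
    switch (reason) {
    case SIM_PROCESS_ATTACH: return true;   /* stands in for DetourAttach */
    case SIM_THREAD_ATTACH:
    case SIM_THREAD_DETACH:
    case SIM_PROCESS_DETACH: return false;  /* stands in for DetourDetach */
    }
    return hooked;
}

/* With the break from the answer: thread notifications leave the hook alone. */
static bool dllmain_fixed(bool hooked, int reason) {
    switch (reason) {
    case SIM_PROCESS_ATTACH: return true;
    case SIM_THREAD_ATTACH:
    case SIM_THREAD_DETACH:  break;
    case SIM_PROCESS_DETACH: return false;
    }
    return hooked;
}

/* Constructed trace: a non-NULL path is a CreateFile call, otherwise a DllMain call. */
typedef struct { int reason; const char *path; } event_t;
static const event_t TRACE[] = {
    { SIM_PROCESS_ATTACH, NULL }, { -1, "winword.dll" }, { -1, "font.ttf" },
    { SIM_THREAD_ATTACH, NULL },  { -1, "report.doc" }, { SIM_PROCESS_DETACH, NULL },
};

/* Replays TRACE; returns 1 if the CreateFile call for `target` reached the detour. */
int replay(bool (*dllmain)(bool, int), const char *target) {
    bool hooked = false;
    for (size_t i = 0; i < sizeof TRACE / sizeof TRACE[0]; i++) {
        if (TRACE[i].path == NULL) hooked = dllmain(hooked, TRACE[i].reason);
        else if (hooked && strcmp(TRACE[i].path, target) == 0) return 1;
    }
    return 0;
}

int main(void) {
    printf("fall-through sees report.doc: %d\n", replay(dllmain_fallthrough, "report.doc"));
    printf("fixed sees report.doc:        %d\n", replay(dllmain_fixed, "report.doc"));
}
```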

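Answer 1: (score: 1)

It looks like you're not initializing the Real_CreateFile function pointer correctly. I'm guessing you're setting it to your module's import table entry for CreateFile.

Instead, initialize it to GetProcAddress(GetModuleHandle("kernel32"),"CreateFileW");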