EasyHook: Injected application crashes on LhInstallHook

Time: 2016-08-16 22:17:33

Tags: c++ windows 64-bit dll-injection easyhook

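I am using EasyHook to inject a DLL into a 64-bit application. Basic hooking seems to work, but as soon as the DLL calls the "LhInstallHook" method, the injected application crashes. I think I found the correct address/offset of the desired function. Therefore, I suspect that something in my code (in the DLL) is broken.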

Injector:

NTSTATUS nt = RhInjectLibrary(
    processId,      // The process to inject into
    0,              // ThreadId to wake up upon injection
    EASYHOOK_INJECT_DEFAULT,
    NULL,           // 32-bit
    dllToInject,    // 64-bit only
    NULL,           // data to send to injected DLL entry point
    NULL            // size of data to send
);

DLL:

struct Player {
    _BYTE gap0[128];
    __int64 saleStats;
    _BYTE gap88[104];
    int health;
    int units;
};

typedef __int64 func(Player*, int);
func* FunctionBase = (func*)0x7FF7E4513F3D;    // Function address found by debugging assembly

__int64 FunctionHook(Player *playerRef, int unitsToAdd);
__int64 FunctionHook(Player *playerRef, int unitsToAdd)
{
    Beep(500, 500);                             // Beep to signal success
    return FunctionBase(playerRef, unitsToAdd); // Execute base
}

NTSTATUS result = LhInstallHook( // This is the point where the host crashes
    (void*)0x7FF7E4513F3D,       // Function to hook
    FunctionHook,                // delegate
    NULL,                        // callback
    &hHook);                     // handler

I think my use of the address/offset is wrong, but I can't find any resources.

0 answers:

No answers