钩和解钩一个文件DLL

时间:2018-11-06 07:42:38

标签: c++ hook

我尝试将文件DLL挂钩到控制台应用程序中。这段代码

#include "pch.h"
#include <vector>
#include <string>
#include <windows.h>
#include <Tlhelp32.h>

using std::vector;
using std::string;

int main(void)
{
while (true)
{
    vector<string>processNames;
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(PROCESSENTRY32);
    HANDLE hTool32 = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
    BOOL bProcess = Process32First(hTool32, &pe32);
    if (bProcess == TRUE)
    {
        while ((Process32Next(hTool32, &pe32)) == TRUE)
        {
            processNames.push_back(pe32.szExeFile);
            if (strcmp(pe32.szExeFile, "ConsoleApplication4.exe") == 0)
            {
                char* DirPath = new char[MAX_PATH];
                char* FullPath = new char[MAX_PATH];
                GetCurrentDirectory(MAX_PATH, DirPath);
                sprintf_s(FullPath, MAX_PATH, "%s\\..\\ConsoleApplication1\\ConsoleApplication1.dll", DirPath);

                FILE *pFile;
                if (fopen_s(&pFile, FullPath, "r") || !pFile)
                {
                    OutputDebugString("[Hook] File name or file does not exist");
                    OutputDebugString(FullPath);
                    return -1;
                }
                fclose(pFile);

                HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
                if (!hProcess)
                {
                    OutputDebugString("[Hook] Open process fail");
                    return -1;
                }

                //attach
                LPVOID LoadLibraryAddr = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
                if (!LoadLibraryAddr)
                {
                    OutputDebugString("[Hook] Load LoadLibraryA fail");
                    return -1;
                }

                LPVOID LLParam = (LPVOID)VirtualAllocEx(hProcess, NULL, strlen(FullPath), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);

                if (!WriteProcessMemory(hProcess, LLParam, FullPath, strlen(FullPath), NULL))
                {
                    OutputDebugString("[Hook] Write process fail");
                    return -1;
                }

                HANDLE hHandle = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibraryAddr, LLParam, NULL, NULL);
                if (!hHandle)
                {
                    OutputDebugString("[Hook] Hooked fail");
                    return -1;
                }

                system("pause");

                //detach
                LoadLibraryAddr = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "FreeLibrary");
                if (!LoadLibraryAddr)
                {
                    OutputDebugString("[Hook] Load FreeLibrary fail");
                    return -1;
                }

                hHandle = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibraryAddr, LLParam, NULL, NULL);
                if (!hHandle)
                {
                    OutputDebugString("[Hook] detach fail");
                    return -1;
                }

                CloseHandle(hProcess);
                delete[] DirPath;
                delete[] FullPath;

                system("pause");

                return 0;
            }
        }
    }
    CloseHandle(hTool32);
}
return 0;
}

我对此有一些疑问:   -为什么此代码无法分离文件dll?   -为什么更改LoadLibraryA-> LoadLibrary:加载LoadLibrary失败?   -为什么更改LoadLibraryA-> LoadLibraryW:文件dll没有附加?   -Mutibyte中的代码运行良好,但是转换为Unicode,文件dll没有附加?

谢谢

1 个答案:

答案 0 :(得分:0)

之所以可以在多字节中工作,但不能与Unicode字符集一起编译,是因为您要传递一个常规的c字符串,它是一个常规的char数组。当您将构建类型设置为使用多字节时,LoadLibrary()解析为ansi版本,即LoadLibraryA()。如果要在项目属性中使用Unicode,它将解析为LoadLibraryW(),并且需要传递一个Unicode字符数组,通常为wchar_t []。

即使以unicode模式进行编译,您仍然可以调用LoadLibraryA()并传递ac字符串,但是您必须专门调用该函数的A(ansi)版本,而不是依靠为您解决这些问题的#ifdef预处理程序语句。

相关问题
最新问题