我对 Intel 平台上的这类底层东西还相当陌生,所以可能有些地方理解不到位,这里只是需要一些指导。我正在尝试写一个简单的 64 位函数挂钩(detour)。
我的做法如下:
挂钩(detour)引擎:
/// Installs an inline hook on an exported function and copies the displaced
/// prologue into `original` so the caller can still reach the unhooked code.
///
/// @param dll       Module name passed to GetModuleHandleA (must already be loaded).
/// @param name      Export name passed to GetProcAddress.
/// @param proxy     Address the hooked function should divert to.
/// @param original  Caller-provided buffer that receives the displaced prologue
///                  followed by a jump back; written without a null check and
///                  must be executable for the trampoline to run.
/// @param length    Receives the number of displaced prologue bytes;
///                  dereferenced without a null check.
/// @return FALSE if the export is not found or the page cannot be made
///         writable, TRUE otherwise.
///
/// NOTE(review): every `(DWORD)` cast below truncates a 64-bit pointer to 32
/// bits, so the addresses used for disassembly, for both jump displacements
/// and for the trampoline write are wrong on x64. That matches the reported
/// read access violation inside hde64 with a 32-bit-sized `p`. Pointer
/// arithmetic here should use `uintptr_t` / `BYTE*` instead.
BOOL SHook::SetHook(LPCSTR dll, LPCSTR name, LPVOID proxy, LPVOID original, PDWORD length)
{
    LPVOID FunctionAddress;
    DWORD TrampolineLength = 0, OriginalProtection;
    hde64s disam;
    // 49 BB <imm64> 41 FF E3 = mov r11, imm64 ; jmp r11 — a 12-byte absolute
    // jump (the 13th element is left zero). Below, only 4 bytes are patched
    // at offset 1 and only 5 bytes are copied, which is the layout of a
    // 5-byte E9 rel32 jump, not of this buffer; one of the two must change.
    BYTE Jump[13] = { 0x49, 0xBB, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0xFF, 0xE3 };
    FunctionAddress = GetProcAddress(GetModuleHandleA(dll), name);
    if (!FunctionAddress)
        return FALSE;
    // Disassemble whole instructions until at least 5 bytes (room for a
    // rel32 jump) are covered, so the patch never splits an instruction.
    while (TrampolineLength < 5)
    {
        // NOTE(review): (DWORD)FunctionAddress drops the upper 32 bits, so
        // hde64_disasm reads from a bogus address — this is the crash site.
        LPVOID InstPointer = (LPVOID)((DWORD)FunctionAddress + TrampolineLength);
        TrampolineLength += hde64_disasm(InstPointer, &disam);
    }
    // Build the trampoline: the displaced prologue, then a jump back to the
    // first instruction after it. `original` is written unchecked (a null
    // `original` faults here). NOTE(review): the prologue is copied verbatim,
    // so any RIP-relative instruction in it would be wrong at the new
    // location — confirm the prologues being hooked contain none.
    memcpy(original, FunctionAddress, TrampolineLength);
    // rel32 displacement from the end of the 5-byte jump in the trampoline to
    // the resume point; both operands are truncated to 32 bits here.
    *(DWORD*)(Jump + 1) = ((DWORD)FunctionAddress + TrampolineLength) - ((DWORD)original + TrampolineLength + 5);
    memcpy((LPVOID)((DWORD)original + TrampolineLength), Jump, 5);
    // Make the function's code writable for the patch.
    if (!VirtualProtect(FunctionAddress, TrampolineLength, PAGE_EXECUTE_READWRITE, &OriginalProtection))
        return FALSE;
    // rel32 displacement from the end of the 5-byte jump at FunctionAddress
    // to proxy (again truncated to 32 bits).
    *(DWORD*)(Jump + 1) = (DWORD)proxy - (DWORD)FunctionAddress - 5;
    // NOTE(review): the write of the jump into FunctionAddress is commented
    // out, so the target is never patched even when everything else succeeds.
    //SafeMemcpyPadded(FunctionAddress, Jump, 5);
    // Restore the original page protection (return value ignored;
    // OriginalProtection is overwritten with the value just restored).
    VirtualProtect(FunctionAddress, TrampolineLength, OriginalProtection, &OriginalProtection);
    // Flush the instruction cache so the patched bytes are fetched fresh.
    FlushInstructionCache(GetCurrentProcess(), FunctionAddress, TrampolineLength);
    // Dereferenced without a null check.
    *length = TrampolineLength;
    return TRUE;
}
头文件:
#pragma once
#include <stdio.h>
#include <stdlib.h>
#include <Windows.h>
#include "hde64.h"
/// Minimal inline-hook installer; the work is done in SHook::SetHook.
class SHook
{
private :
    // NOTE(review): the members below are never read by the SetHook shown in
    // the .cpp — it declares locals with the same names, which shadow these.
    // Either drop them or make SetHook use them instead of its locals.
    LPVOID FunctionAddress;
    DWORD TrampolineLength = 0, OriginalProtection;
    hde64s disam;
    // 12 initialisers for a 13-byte array; the trailing byte is zero.
    BYTE Jump[13] = { 0x49, 0xBB, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0xFF, 0xE3 };
public:
    /// Hooks export `name` of the loaded module `dll` to `proxy`, copying the
    /// displaced prologue into `original` and its length into `*length`.
    /// Returns FALSE if the export cannot be resolved or its page cannot be
    /// made writable. `original` and `length` are not null-checked.
    BOOL SetHook(LPCSTR dll, LPCSTR name, LPVOID proxy, LPVOID original, PDWORD length);
};
接下来是调用它的代码:
#include <stdio.h>
#include <Windows.h>
#include <intrin.h>
#include <string>
#include "SHook.h"
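// Signature of MessageBoxA. NOTE(review): lpCaption is declared LPCTSTR while
// MessageBoxA takes LPCSTR; under a UNICODE build this becomes a wide-string
// parameter and no longer matches the function being hooked. Kept as-is here
// because HookMessageBoxA forwards with the same type.
using TdefOldMessageBoxA = int (WINAPI*)(HWND hWnd, LPCSTR lpText, LPCTSTR lpCaption, UINT uType);
// Trampoline entry back into the unhooked MessageBoxA. Nothing in this file
// assigns it: it stays null unless the caller sets it after a successful
// SetHook, and calling it while null faults.
TdefOldMessageBoxA myOldMessageBoxA = nullptr;
// Hook installer instance used by EstablishHook.
SHook shook;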
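/// Replacement for MessageBoxA: shows a "Hooked" box, then forwards the call.
/// @return the result of the original MessageBoxA, or 0 (MessageBoxA's
///         failure value) when the trampoline pointer has not been set.
int WINAPI HookMessageBoxA(HWND hWnd, LPCSTR lpText, LPCTSTR lpCaption, UINT uType)
{
    // Everything here must go through the trampoline: once the hook is in
    // place a direct MessageBoxA call lands back in this function and
    // recurses until the stack overflows.
    if (!myOldMessageBoxA)
        return 0;
    myOldMessageBoxA(NULL, "Hooked", "Hooked", MB_OK);
    return myOldMessageBoxA(hWnd, lpText, lpCaption, uType);
}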
/// Installs the MessageBoxA hook. NOTE(review): as written this cannot succeed:
///  - `original` receives the *value* of myOldMessageBoxA (a null function
///    pointer), not a buffer, so SetHook's memcpy into it writes to address 0.
///    It needs writable, executable storage of at least the displaced prologue
///    plus the jump bytes, and on success myOldMessageBoxA should be pointed
///    at that buffer.
///  - `length` is 0, so SetHook's `*length = ...` dereferences null.
///  - SetHook's return value is ignored, so a failure goes unnoticed.
void EstablishHook()
{
    shook.SetHook("user32.dll","MessageBoxA", (LPVOID)&HookMessageBoxA, myOldMessageBoxA,0);
}
/// Entry point: installs the hook and exits with status 0.
int main()
{
    EstablishHook();
    return 0;
}
现在,我期望看到一个说明函数已被挂钩的消息框,但实际上只看到一个 cmd 窗口,程序随即崩溃并报错:引发了异常:读取访问冲突,位于 HDE64 头文件中,此时 p 为 0x82042490。
别的什么都没有发生。我究竟是在哪里弄错了?