MessageBox上的64位挂钩失败

时间:2019-06-14 10:32:59

标签: c++

对于Intel来说是相当新的东西,所以我可能不太了解,这里我只需要某种形式的指导。我正在尝试为函数挂钩做一个简单的 64 位绕行（detour）挂钩。

我这样做是这样的:

绕行（detour）挂钩引擎:

    // Install an inline hook on the export `name` of the already-loaded module `dll`.
    //
    // Parameters:
    //   dll      - module name handed to GetModuleHandleA; the module must already be
    //              loaded, nothing here calls LoadLibrary.
    //   name     - exported function to hook.
    //   proxy    - replacement function the hooked function is meant to jump to.
    //   original - caller-provided buffer that receives the displaced prologue bytes plus a
    //              jump back into the function (the trampoline). It must be writable memory
    //              of at least TrampolineLength + 5 bytes, and must be executable for the
    //              trampoline to be callable later; this function neither allocates nor
    //              protects it, and it is not null-checked before memcpy.
    //   length   - receives the number of prologue bytes displaced; dereferenced without a
    //              null check.
    // Returns TRUE when the export was found and VirtualProtect succeeded, FALSE otherwise.
    // TRUE is returned even though the write of the hook itself is commented out below, so
    // this version never actually patches the target function.
    BOOL SHook::SetHook(LPCSTR dll, LPCSTR name, LPVOID proxy, LPVOID original, PDWORD length)
{
    LPVOID FunctionAddress;
    DWORD TrampolineLength = 0, OriginalProtection;
    hde64s disam;
    // 12-byte absolute jump: mov r11, imm64 (49 BB <imm64>) ; jmp r11 (41 FF E3).
    // Only 12 initialisers are given for a 13-byte array, so Jump[12] is zero and unused.
    // The two writes further down treat Jump as if it were a 5-byte `jmp rel32`: a DWORD
    // is stored at offset 1 and only the first 5 bytes are copied, which yields neither a
    // valid absolute nor a valid relative jump.
    BYTE Jump[13] = { 0x49, 0xBB, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0xFF, 0xE3 };

    FunctionAddress = GetProcAddress(GetModuleHandleA(dll), name);
    if (!FunctionAddress)
        return FALSE;

    //disassemble length of each instruction, until we have 5 or more bytes worth
    // NOTE(review): (DWORD) truncates a 64-bit pointer to its low 32 bits, so on x64
    // InstPointer is not FunctionAddress + TrampolineLength whenever the module is mapped
    // above 4 GiB. hde64_disasm then reads from a bogus address; the access violation the
    // page reports inside hde64 (p = 0x82042490 looks like a truncated pointer) is consistent
    // with that, though inferred. Use uintptr_t or BYTE* arithmetic instead.
    // The loop has no upper bound and relies on hde64_disasm never returning 0.
    while (TrampolineLength < 5)
    {
        LPVOID InstPointer = (LPVOID)((DWORD)FunctionAddress + TrampolineLength);
        TrampolineLength += hde64_disasm(InstPointer, &disam);
    }

    //Build the trampoline buffer
    // The displaced bytes are copied verbatim; any RIP-relative or rel8/rel32 instruction in
    // the prologue would need relocation, which is not done here.
    memcpy(original, FunctionAddress, TrampolineLength);
    // rel32 back to the first non-displaced instruction, computed with the same truncated
    // 32-bit pointer arithmetic; on x64 the buffer and the target may also lie more than
    // +-2 GiB apart, which a rel32 cannot express.
    *(DWORD*)(Jump + 1) = ((DWORD)FunctionAddress + TrampolineLength) - ((DWORD)original + TrampolineLength + 5);
    memcpy((LPVOID)((DWORD)original + TrampolineLength), Jump, 5);

    //Make sure the function is writable
    if (!VirtualProtect(FunctionAddress, TrampolineLength, PAGE_EXECUTE_READWRITE, &OriginalProtection))
        return FALSE;

    //Build and atomically write the hook
    // Displacement to proxy, same truncation / range caveat as above. The write itself is
    // disabled, so the function body is left untouched.
    *(DWORD*)(Jump + 1) = (DWORD)proxy - (DWORD)FunctionAddress - 5;
    //SafeMemcpyPadded(FunctionAddress, Jump, 5);

    //Restore the original page protection
    // OriginalProtection doubles as the out-parameter; its value is not needed afterwards.
    VirtualProtect(FunctionAddress, TrampolineLength, OriginalProtection, &OriginalProtection);

    //Clear CPU instruction cache
    FlushInstructionCache(GetCurrentProcess(), FunctionAddress, TrampolineLength);

    // `length` is not null-checked; the caller on this page passes 0 here.
    *length = TrampolineLength;
    return TRUE;
}

头文件。

#pragma once

#include <stdio.h>
#include <stdlib.h>
#include <Windows.h>
#include "hde64.h"

// Minimal inline-hook engine; the only operation is SetHook.
class SHook
{
private :
    // NOTE(review): none of these members are used. SetHook declares locals with the
    // same names (FunctionAddress, TrampolineLength, OriginalProtection, disam, Jump)
    // that shadow them, so this state is dead weight and could be dropped.
    LPVOID FunctionAddress;
    DWORD TrampolineLength = 0, OriginalProtection;
    hde64s disam;
    BYTE Jump[13] = { 0x49, 0xBB, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0xFF, 0xE3 };
public:
    // Hook export `name` of loaded module `dll` with `proxy`; `original` receives the
    // trampoline bytes (caller-owned buffer) and `length` the number of displaced bytes.
    // Returns FALSE if the export is not found or the page cannot be made writable.
    BOOL SetHook(LPCSTR dll, LPCSTR name, LPVOID proxy, LPVOID original, PDWORD length);
};

现在执行

#include <stdio.h>
#include <Windows.h>
#include <intrin.h>
#include <string>
#include "SHook.h"

// Signature of the function being detoured (MessageBoxA, WINAPI convention).
// NOTE(review): lpCaption is LPCTSTR, which becomes LPCWSTR when UNICODE is defined,
// whereas MessageBoxA takes LPCSTR for both strings.
using TdefOldMessageBoxA = int (WINAPI*)(HWND hWnd, LPCSTR lpText, LPCTSTR lpCaption, UINT uType);
// Trampoline entry: runs the displaced prologue, then continues in the real MessageBoxA.
// Stays null until a hook has been installed.
TdefOldMessageBoxA myOldMessageBoxA = nullptr;

// Single hook-engine instance for this translation unit.
SHook shook;
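// Replacement for MessageBoxA: shows a "Hooked" notice, then forwards the original call.
// hWnd, lpText, lpCaption and uType are passed through unchanged. Returns whatever the
// original MessageBoxA returns, or 0 (MessageBoxA's failure value) when no trampoline
// is available.
int WINAPI HookMessageBoxA(HWND hWnd, LPCSTR lpText, LPCTSTR lpCaption, UINT uType) 
{
    // Once the hook is installed, MessageBoxA *is* this function: calling it directly
    // re-enters the hook without bound. Route the notice through the trampoline instead.
    if (!myOldMessageBoxA)
        return 0;
    myOldMessageBoxA(NULL, "Hooked", "Hooked", MB_OK);
    return myOldMessageBoxA(hWnd, lpText, lpCaption, uType);
}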

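// Allocate a trampoline buffer, install the MessageBoxA hook and publish the trampoline
// in myOldMessageBoxA. On any failure myOldMessageBoxA stays null and the buffer is freed.
void EstablishHook()
{
    // SetHook copies the displaced prologue plus a jump into `original`, so it needs real,
    // writable memory. The previous code passed the (null) function pointer itself — a write
    // to address 0 — and a null `length`, and ignored SetHook's result.
    // x86-64 instructions are at most 15 bytes, so the copied prologue (<= 19 bytes) plus the
    // 5-byte jump fits comfortably in 64 bytes.
    const SIZE_T kTrampolineSize = 64;
    LPVOID trampoline = VirtualAlloc(NULL, kTrampolineSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!trampoline)
        return;

    DWORD displaced = 0;
    if (!shook.SetHook("user32.dll","MessageBoxA", (LPVOID)&HookMessageBoxA, trampoline, &displaced))
    {
        VirtualFree(trampoline, 0, MEM_RELEASE);
        return;
    }

    // The trampoline is executed later through myOldMessageBoxA: make it executable and
    // drop write access now that it is fully built.
    DWORD previousProtection = 0;
    if (!VirtualProtect(trampoline, kTrampolineSize, PAGE_EXECUTE_READ, &previousProtection))
    {
        VirtualFree(trampoline, 0, MEM_RELEASE);
        return;
    }
    FlushInstructionCache(GetCurrentProcess(), trampoline, kTrampolineSize);

    myOldMessageBoxA = (TdefOldMessageBoxA)trampoline;
}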

// Program entry: installs the MessageBoxA hook and exits.
int main() 
{
    EstablishHook();
    return 0;
}

现在,我期望看到一个提示函数已被钩住的消息框,但我只看到一个 cmd 窗口,随后程序崩溃并报错:抛出异常:读取访问冲突。错误位于 HDE64 头文件中,p 为 0x82042490。

没什么,我在哪里弄错了?

0 个答案:

没有答案