我正在尝试为x86做一个简单的MessageBox挂钩,而我碰巧遵循了https://github.com/MalwareTech/BasicHook/blob/master/BasicHook/hook.cpp,并且我一直能够工作到现在为止。但是当我做一个简单的Messagebox Hook时,出现访问冲突错误。
我的代码看起来像这样:
SHook.h
#pragma once
#include <stdio.h>
#include <stdlib.h>
#include <Windows.h>
#include "hde32.h"
class SHook
{
private :
LPVOID FunctionAddress;
DWORD TrampolineLength = 0, OriginalProtection;
hde32s disam;
PBYTE pTrampBackup;
BYTE Jump[5] = { 0xE9, 0x00, 0x00, 0x00, 0x00 };
public:
BOOL SetHook(LPCSTR dll, LPCSTR name, LPVOID proxy, LPVOID original, PDWORD length);
};
对于 SHook.cpp
#include "SHook.h"
BOOL SHook::SetHook(LPCSTR dll, LPCSTR name, LPVOID proxy, LPVOID original, PDWORD length)
{
FunctionAddress = GetProcAddress(GetModuleHandleA(dll), name);
if (!FunctionAddress)
return FALSE;
//disassemble length of each instruction, until we have 5 or more bytes worth
while (TrampolineLength < 5)
{
LPVOID InstPointer = (LPVOID)((DWORD)FunctionAddress + TrampolineLength);
TrampolineLength += hde32_disasm(InstPointer, &disam);
}
//Build the trampoline buffer
pTrampBackup = static_cast<PBYTE>(VirtualAlloc(nullptr, TrampolineLength + 6, MEM_COMMIT, PAGE_EXECUTE_READWRITE));
memcpy(pTrampBackup, FunctionAddress, TrampolineLength);
*(DWORD*)(Jump + 1) = ((DWORD)FunctionAddress + TrampolineLength) - ((DWORD)original + TrampolineLength + 5);
memcpy((LPVOID)((DWORD)original + TrampolineLength), Jump, 5);
//memcpy(pTrampBackup + TrampolineLength, Jump, 5); --> This fired an Exception for Null pointers
//Make sure the function is writable
if (!VirtualProtect(FunctionAddress, TrampolineLength, PAGE_EXECUTE_READWRITE, &OriginalProtection))
return FALSE;
//Build and atomically write the hook
*(DWORD*)(Jump + 1) = (DWORD)proxy - (DWORD)FunctionAddress - 5;
//SafeMemcpyPadded(FunctionAddress, Jump, 5);
//Restore the original page protection
VirtualProtect(FunctionAddress, TrampolineLength, OriginalProtection, &OriginalProtection);
//Clear CPU instruction cache
FlushInstructionCache(GetCurrentProcess(), FunctionAddress, TrampolineLength);
*length = TrampolineLength;
return TRUE;
}
在简单的消息框的基本实现中
#include <stdio.h>
#include <Windows.h>
#include <intrin.h>
#include <string>
#include "SHook.h"
typedef int (WINAPI* TdefOldMessageBoxA)(HWND hWnd, LPCSTR lpText, LPCTSTR lpCaption, UINT uType);
TdefOldMessageBoxA myOldMessageBoxA;
SHook shook;
int WINAPI HookMessageBoxA(HWND hWnd, LPCSTR lpText, LPCTSTR lpCaption, UINT uType)
{
MessageBoxA(NULL, "Hooked", "Hooked", MB_OK);
return myOldMessageBoxA(hWnd, lpText, lpCaption, uType);
}
void EstablishHook()
{
myOldMessageBoxA = (TdefOldMessageBoxA)& MessageBoxA;
shook.SetHook("user32.dll","MessageBoxA", (LPVOID)&HookMessageBoxA, myOldMessageBoxA,0);
}
int main()
{
EstablishHook();
}
现在在此行特别触发了异常
memcpy((LPVOID)((DWORD)original + TrampolineLength), Jump, 5);
这是一个例外:
Exception thrown at 0x0F2B3839 (vcruntime140d.dll) in SHook.exe: 0xC0000005: Access violation writing location 0x75C51F75.
在这里我想念什么吗?