|
|
本帖最后由 _TomCat_ 于 2022-5-2 14:10 编辑
不知道为什么我Hook了Api后有时候资源管理器会退出。写了好几次都这样,有时候又hook成功了,问问大家,不知道有什么解决方法,感谢!
#include <Windows.h>
#include <stdio.h>
BYTE g_OldData32[5] = { 0 };
BYTE g_OldData64[12] = { 0 };
void WINAPI HOOKAPI();
void WINAPI UnhookApi();
BOOL
WINAPI
MyCreateProcessW(
_In_opt_ LPCSTR lpApplicationName,
_Inout_opt_ LPSTR lpCommandLine,
_In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,
_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_ BOOL bInheritHandles,
_In_ DWORD dwCreationFlags,
_In_opt_ LPVOID lpEnvironment,
_In_opt_ LPCSTR lpCurrentDirectory,
_In_ LPSTARTUPINFOA lpStartupInfo,
_Out_ LPPROCESS_INFORMATION lpProcessInformation
){
MessageBox(0, "拦截进程!", 0, 0);
//UnhookApi();
/*CreateProcessW(lpApplicationName, lpCommandLine
, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags
, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);*/
//HOOKAPI();
return TRUE;
}
void WINAPI HOOKAPI()
{
//MessageBox(0, "Hook", 0, 0);
PROC Proc = (PROC)GetProcAddress(GetModuleHandle("kernel32.dll"), "CreateProcessW");
if (Proc == NULL)
MessageBox(0, "GetProcAddresss失败!", 0, 0);
#ifndef _WIN64
BYTE pData[5] = { 0xe9,0,0,0,0 };
DWORD dwOffset = (DWORD)MyCreateProcessW - (DWORD)Proc - 5;
RtlCopyMemory(&pData[1], &dwOffset, sizeof(dwOffset));
RtlCopyMemory(&g_OldData32, &dwOffset, sizeof(dwOffset));
#else
BYTE pData[12] = { 0x48, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xe0 };
ULONGLONG ullOffset = (ULONGLONG)MyCreateProcessW;
RtlCopyMemory(&pData[2], &ullOffset, sizeof(ullOffset));
RtlCopyMemory(&g_OldData64, Proc, sizeof(pData));
#endif
DWORD dwOldProtect = 0;
VirtualProtect(Proc, sizeof(pData), PAGE_EXECUTE_READWRITE, &dwOldProtect);
RtlCopyMemory(Proc, pData, sizeof(pData));
VirtualProtect(Proc, sizeof(pData), dwOldProtect, &dwOldProtect);
}
void WINAPI UnhookApi()
{
MessageBox(0, "Unhook", 0, 0);
PROC Proc = GetProcAddress(GetModuleHandle("kernel32.dll"), "CreateProcessW");
if (NULL == Proc)
{
return;
}
DWORD dwOldProtect = 0;
VirtualProtect(Proc, 12, PAGE_EXECUTE_READWRITE, &dwOldProtect);
#ifndef _WIN64
RtlCopyMemory(Proc, g_OldData32, sizeof(g_OldData32));
#else
RtlCopyMemory(Proc, g_OldData64, sizeof(g_OldData64));
#endif
VirtualProtect(Proc, 12, dwOldProtect, &dwOldProtect);
}
HMODULE g_hModule;
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
//MessageBox(0, "Run", 0, 0);
HOOKAPI();
g_hModule = hModule;
break;
}
case DLL_THREAD_ATTACH:
{
break;
}
case DLL_THREAD_DETACH:
{
break;
}
case DLL_PROCESS_DETACH:
{
UnhookApi();
break;
}
default:
break;
}
return TRUE;
}
|
上一篇: 我的输出怎么不一样,帮我改一改下一篇: 窗口类动态调用之类怎么设计
|
/2 
发表于 2022-5-2 09:39:40
