Hook不到新建文件夹操作,困惑! 我用detours库HOOK了资源管理器进程的CreateDirectoryA、CreateDirectoryW、CreateDirectoryExA、CreateDirectoryExW这四个API,发现可以Hook资源管理器内部创建目录操作,但是当我右键菜单-->新建文件夹时,却Hook不到,难道新建文件夹操作没有调用上面的四个API?求解释! 解决方案 » 免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货 CreateFileA、CreateFileW都试过了,还是Hook不到呀! FILE_ADD_SUBDIRECTORY For a directory, the right to create a subdirectory. hook NtCreateFile,这个应该不会有漏的 NtCreateFile是内核层API,偶还没有Hook过内核层的呢 你可以hook ntdll.dll的NtCreateFile,那个是用户模式的stub 求教用户态怎样Hook NtCreateFile,谢谢 经测试Hook tCreateFile成功,但是执行到自定义函数中就会挂掉//DLL中的自定义函数My_NtCreateFile(.....){ OutputDebugString("In My_NtCreateFile");//这里正常 return 0; //到这里程序就挂掉了,我要怎么处理} return 0; //到这里程序就挂掉了,我要怎么处理=================================================不能返回0,返回原参。 hook里多半情况不能返回0,返回0代表抛弃不处理,极有可能阻死原操作。 这里不是返回0的问题,是没有调用原来的api的问题。windows系统服务返回0代表操作成功。 还有shell api,SHCreateDirectory和SHCreateDirectoryEx 建议你还是hook ZwCreateDirectoryObject SHCreateDirectory什么的最终都是调用系统服务,因此只需改掉系统服务的入口 My_NtCreateFile 这是API?他自定义函数里返回0而没调用api直接导致阻死了。 My_NtCreateFile 是对api的替代,应该要调用原来的api然后返回api的返回值 hook里多半情况不能返回0,返回0代表抛弃不处理这句话的意思是就是,返回0表示不处理。那么我返回1呢? 
你HOOK了API后 只应该是查看这个API的参数信息这些,然后还得去调用它本身的处理过程撒 谢谢大家,Hook NtCreateFile已解决。出现问题的原因有两个1、定义函数的调用约定和NtCreateFile不一致导致2、自定义函数里面不能直接调用调用文件创建函数,否则会出现递归调用 以下是完整源码#include "stdafx.h"#include <detours.h>#include "Util.h"#include <psapi.h>#include <tchar.h>#include <Winternl.h>#pragma comment(lib ,"detours.lib")#pragma comment(lib ,"detoured.lib")#define BUFSIZE 512HMODULE g_hDLL = NULL;#ifdef _MANAGED#pragma managed(push, off)#endifBOOL GetFileNameFromHandle(HANDLE hFile, LPSTR lpFileName);BOOL (WINAPI * Real_CreateProcessA)(LPCTSTR lpApplicationName, LPTSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCTSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation) = CreateProcessA;BOOL (WINAPI * Real_CreateProcessW)(LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation) = CreateProcessW;BOOL WINAPI Mine_CreateProcessA( LPCSTR lpApplicationName, LPSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation){ char szDLLPath[1024] = {0}; char szDetourDLLPath[1024] = {0}; GetModuleFileName(g_hDLL, szDLLPath, 1024); lstrcpy(szDetourDLLPath, szDLLPath); char *pFind = strrchr(szDetourDLLPath, '\\'); lstrcpy(pFind+1, "detoured.dll"); OutputDebugString("in Mine_CreateProcessA-----------------------------"); OutputDebugString(szDetourDLLPath); OutputDebugString(szDLLPath); return DetourCreateProcessWithDllA( lpApplicationName, lpCommandLine, lpProcessAttributes, 
lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation, szDetourDLLPath, szDLLPath, Real_CreateProcessA);}BOOL WINAPI Mine_CreateProcessW( LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation){ char szDLLPath[1024] = {0}; char szDetourDLLPath[1024] = {0}; GetModuleFileName(g_hDLL, szDLLPath, 1024); lstrcpy(szDetourDLLPath, szDLLPath); char *pFind = strrchr(szDetourDLLPath, '\\'); lstrcpy(pFind+1, "detoured.dll"); OutputDebugString("in Mine_CreateProcessA-----------------------------"); OutputDebugString(szDetourDLLPath); OutputDebugString(szDLLPath); return DetourCreateProcessWithDllW( lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation, szDetourDLLPath, szDLLPath, Real_CreateProcessW); }typedef NTSTATUS (NTAPI* PMyNtCreateFile) ( OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PVOID IoStatusBlock, IN PLARGE_INTEGER AllocationSize OPTIONAL, IN ULONG FileAttributes, IN ULONG ShareAccess, IN ULONG CreateDisposition, IN ULONG CreateOptions, IN PVOID EaBuffer OPTIONAL, IN ULONG EaLength );PMyNtCreateFile Real_NtCreateFile = (PMyNtCreateFile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtCreateFile");NTSTATUS NTAPI My_NtCreateFile(OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PLARGE_INTEGER AllocationSize OPTIONAL, IN ULONG FileAttributes, IN ULONG ShareAccess, IN ULONG CreateDisposition, IN ULONG CreateOptions, IN PVOID EaBuffer OPTIONAL, IN ULONG EaLength ) { if 
(/*wcsstr(ObjectAttributes->ObjectName->Buffer, L"新建") &&*/(CreateOptions&0x00000001))//创建目录 { //OutputDebugString("################# Find The Target6 ####################"); char szExe[1024] = {0}; GetModuleFileName(NULL, szExe, 1024); FILE *pFile = fopen("C:\\FindOut.txt", "a"); char szRootPath[BUFSIZE] = {0}; wstring strFullPath = L""; //在cmd下用md命令,ObjectAttributes->ObjectName->Buffer会是相对路径,ObjectAttributes->RootDirectory非空 if (ObjectAttributes->RootDirectory) { if (GetCurrentDirectory(BUFSIZE, szRootPath)) { if (*(szRootPath+lstrlen(szRootPath)-1)!='\\') //if(szRootPath[lstrlen(szRootPath)-1]!='\\') { strFullPath = CUtil::s2ws(string(szRootPath)) + L"\\" +ObjectAttributes->ObjectName->Buffer; } else { strFullPath = CUtil::s2ws(string(szRootPath)) + ObjectAttributes->ObjectName->Buffer; } //strFullPath = CUtil::s2ws(string(szRootPath)) +L"\\" + ObjectAttributes->ObjectName->Buffer; } OutputDebugString("RootDirectory is not null"); OutputDebugStringW(strFullPath.c_str()); } else { strFullPath = ObjectAttributes->ObjectName->Buffer; } if (pFile) { fprintf(pFile, "--------------------------------------%s\n%s\n\n", szExe, CUtil::ws2s(strFullPath).c_str()); fclose(pFile); } } return Real_NtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength); }BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ){ if (DLL_PROCESS_ATTACH==ul_reason_for_call) { g_hDLL = hModule; DetourTransactionBegin(); DetourUpdateThread(GetCurrentThread()); DetourAttach(&(PVOID&)Real_CreateProcessA, Mine_CreateProcessA); DetourAttach(&(PVOID&)Real_CreateProcessW, Mine_CreateProcessW); DetourAttach(&(PVOID&)Real_NtCreateFile, My_NtCreateFile); DetourTransactionCommit(); } else if (DLL_PROCESS_DETACH==ul_reason_for_call) { DetourTransactionBegin(); DetourUpdateThread(GetCurrentThread()); DetourDetach(&(PVOID&)Real_CreateProcessA, Mine_CreateProcessA); 
DetourDetach(&(PVOID&)Real_CreateProcessW, Mine_CreateProcessW); DetourDetach(&(PVOID&)Real_NtCreateFile, My_NtCreateFile); DetourTransactionCommit(); } return TRUE;}void TestFun(){}#ifdef _MANAGED#pragma managed(pop)#endif 定时器中显示图像窗口,怎样避免图像闪烁? 图片显示的问题 真是奇怪,内存使用越来越少,程序还能正常运行。 alphapaopao(炮炮) 来领分,谢谢你 如何在程序中调用使对话框最小化的语句 2000分要求认识一个盛大网络传奇的朋友! 菜鸟问题(100分)在字符串中查字符的函数。 我用mfc做的一个控件,里面用到别的dll,在调用时却不能出现调用的dll里的对话框,为何? 小问题,分不少! 发布ATL编的COM组件应该用哪个项目配置 视频转码 获取truetype字体中指定字符的宽度
求教用户态怎样Hook NtCreateFile,谢谢
My_NtCreateFile(.....)
{
OutputDebugString("In My_NtCreateFile");//这里正常
return 0; //到这里程序就挂掉了,我要怎么处理
}
=================================================
不能返回0,返回原参。
1、定义函数的调用约定和NtCreateFile不一致导致
2、自定义函数里面不能直接调用文件创建函数,否则会出现递归调用
#include <detours.h>
#include "Util.h"
#include <psapi.h>
#include <tchar.h>
#include <Winternl.h>
#pragma comment(lib ,"detours.lib")
#pragma comment(lib ,"detoured.lib")
// Size of the buffer that receives GetCurrentDirectory()'s result inside the
// NtCreateFile detour below.
#define BUFSIZE 512
// Handle of this DLL. Set in DllMain on process attach; Mine_CreateProcessA/W
// pass it to GetModuleFileName() to locate this module's own path so it can be
// injected into child processes.
HMODULE g_hDLL = NULL;
#ifdef _MANAGED
#pragma managed(push, off)
#endif
// Forward declaration only -- no definition of GetFileNameFromHandle appears
// anywhere in this listing and nothing here calls it.
BOOL GetFileNameFromHandle(HANDLE hFile, LPSTR lpFileName);
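// Trampolines to the original CreateProcessA / CreateProcessW. They start out
// pointing at the real kernel32 entry points; DetourAttach() in DllMain
// rewrites them so that calling Real_CreateProcess* reaches the unhooked code.
//
// The A variant is spelled with the explicit ANSI types (LPCSTR / LPSTR /
// LPSTARTUPINFOA) instead of LPCTSTR / LPTSTR / LPSTARTUPINFO: the generic
// spelling only matched CreateProcessA and Mine_CreateProcessA in an ANSI
// build and would silently change meaning (and stop compiling) once UNICODE
// is defined.
BOOL (WINAPI * Real_CreateProcessA)(LPCSTR lpApplicationName,
                                    LPSTR lpCommandLine,
                                    LPSECURITY_ATTRIBUTES lpProcessAttributes,
                                    LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                    BOOL bInheritHandles,
                                    DWORD dwCreationFlags,
                                    LPVOID lpEnvironment,
                                    LPCSTR lpCurrentDirectory,
                                    LPSTARTUPINFOA lpStartupInfo,
                                    LPPROCESS_INFORMATION lpProcessInformation)
    = CreateProcessA;

BOOL (WINAPI * Real_CreateProcessW)(LPCWSTR lpApplicationName,
                                    LPWSTR lpCommandLine,
                                    LPSECURITY_ATTRIBUTES lpProcessAttributes,
                                    LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                    BOOL bInheritHandles,
                                    DWORD dwCreationFlags,
                                    LPVOID lpEnvironment,
                                    LPCWSTR lpCurrentDirectory,
                                    LPSTARTUPINFOW lpStartupInfo,
                                    LPPROCESS_INFORMATION lpProcessInformation)
    = CreateProcessW;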
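// Fills in the two paths DetourCreateProcessWithDll* needs: this DLL's own
// full path (szDLLPath) and the path of detoured.dll, which is expected to sit
// in the same directory.
//
// Returns FALSE when the module path cannot be read, is truncated, contains no
// backslash, or would not leave room for "detoured.dll". The original code did
// none of these checks: a NULL strrchr() result was dereferenced and a path
// close to 1024 characters was written past the end of the buffer. Callers
// fall back to an uninstrumented launch instead of crashing the host process.
static BOOL BuildDetourPaths(char *szDLLPath, DWORD cchDLLPath,
                             char *szDetourDLLPath, DWORD cchDetourDLLPath)
{
    static const char kDetouredName[] = "detoured.dll";

    // GetModuleFileNameA returns 0 on failure and cchDLLPath when truncated.
    const DWORD cchCopied = GetModuleFileNameA(g_hDLL, szDLLPath, cchDLLPath);
    if (cchCopied == 0 || cchCopied >= cchDLLPath)
        return FALSE;

    const char *pLastSep = strrchr(szDLLPath, '\\');
    if (pLastSep == NULL)
        return FALSE;

    // Directory part including the trailing backslash.
    const size_t cchDir = static_cast<size_t>(pLastSep - szDLLPath) + 1;
    if (cchDir + sizeof(kDetouredName) > cchDetourDLLPath)
        return FALSE;

    memcpy(szDetourDLLPath, szDLLPath, cchDir);
    memcpy(szDetourDLLPath + cchDir, kDetouredName, sizeof(kDetouredName)); // copies the NUL too
    return TRUE;
}

// Detour for CreateProcessA. Starts the child with this DLL (and detoured.dll)
// injected, so every descendant of a hooked process carries the same hooks.
// Parameters and return value are exactly those of CreateProcessA; on any
// internal failure the real CreateProcessA is called unchanged.
BOOL WINAPI Mine_CreateProcessA(LPCSTR lpApplicationName,
                                LPSTR lpCommandLine,
                                LPSECURITY_ATTRIBUTES lpProcessAttributes,
                                LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                BOOL bInheritHandles,
                                DWORD dwCreationFlags,
                                LPVOID lpEnvironment,
                                LPCSTR lpCurrentDirectory,
                                LPSTARTUPINFOA lpStartupInfo,
                                LPPROCESS_INFORMATION lpProcessInformation)
{
    char szDLLPath[1024] = {0};
    char szDetourDLLPath[1024] = {0};

    OutputDebugStringA("in Mine_CreateProcessA-----------------------------");
    if (!BuildDetourPaths(szDLLPath, sizeof(szDLLPath),
                          szDetourDLLPath, sizeof(szDetourDLLPath)))
    {
        OutputDebugStringA("Mine_CreateProcessA: cannot build DLL paths, launching without injection");
        return Real_CreateProcessA(lpApplicationName, lpCommandLine,
                                   lpProcessAttributes, lpThreadAttributes,
                                   bInheritHandles, dwCreationFlags,
                                   lpEnvironment, lpCurrentDirectory,
                                   lpStartupInfo, lpProcessInformation);
    }
    OutputDebugStringA(szDetourDLLPath);
    OutputDebugStringA(szDLLPath);

    return DetourCreateProcessWithDllA(lpApplicationName,
                                       lpCommandLine,
                                       lpProcessAttributes,
                                       lpThreadAttributes,
                                       bInheritHandles,
                                       dwCreationFlags,
                                       lpEnvironment,
                                       lpCurrentDirectory,
                                       lpStartupInfo,
                                       lpProcessInformation,
                                       szDetourDLLPath,
                                       szDLLPath,
                                       Real_CreateProcessA);
}

// Detour for CreateProcessW; same behaviour as Mine_CreateProcessA for the
// wide-character entry point. The debug line now names the W function (the
// original printed "Mine_CreateProcessA" from both detours).
BOOL WINAPI Mine_CreateProcessW(LPCWSTR lpApplicationName,
                                LPWSTR lpCommandLine,
                                LPSECURITY_ATTRIBUTES lpProcessAttributes,
                                LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                BOOL bInheritHandles,
                                DWORD dwCreationFlags,
                                LPVOID lpEnvironment,
                                LPCWSTR lpCurrentDirectory,
                                LPSTARTUPINFOW lpStartupInfo,
                                LPPROCESS_INFORMATION lpProcessInformation)
{
    char szDLLPath[1024] = {0};
    char szDetourDLLPath[1024] = {0};

    OutputDebugStringA("in Mine_CreateProcessW-----------------------------");
    if (!BuildDetourPaths(szDLLPath, sizeof(szDLLPath),
                          szDetourDLLPath, sizeof(szDetourDLLPath)))
    {
        OutputDebugStringA("Mine_CreateProcessW: cannot build DLL paths, launching without injection");
        return Real_CreateProcessW(lpApplicationName, lpCommandLine,
                                   lpProcessAttributes, lpThreadAttributes,
                                   bInheritHandles, dwCreationFlags,
                                   lpEnvironment, lpCurrentDirectory,
                                   lpStartupInfo, lpProcessInformation);
    }
    OutputDebugStringA(szDetourDLLPath);
    OutputDebugStringA(szDLLPath);

    return DetourCreateProcessWithDllW(lpApplicationName,
                                       lpCommandLine,
                                       lpProcessAttributes,
                                       lpThreadAttributes,
                                       bInheritHandles,
                                       dwCreationFlags,
                                       lpEnvironment,
                                       lpCurrentDirectory,
                                       lpStartupInfo,
                                       lpProcessInformation,
                                       szDetourDLLPath,
                                       szDLLPath,
                                       Real_CreateProcessW);
}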
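// Pointer type for ntdll!NtCreateFile. IoStatusBlock is PIO_STATUS_BLOCK here
// so the typedef and My_NtCreateFile below agree (the original typedef said
// PVOID -- same size, but it let the two signatures drift apart). The calling
// convention (NTAPI) must match the real export; the thread above reports a
// crash when it does not.
typedef NTSTATUS (NTAPI *PMyNtCreateFile)(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength);

// Trampoline to the real NtCreateFile. Resolved when the DLL's static
// initialisers run and rewritten by DetourAttach() in DllMain. GetModuleHandleA
// is used explicitly because the literal is a narrow string.
PMyNtCreateFile Real_NtCreateFile =
    (PMyNtCreateFile)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtCreateFile");

// FILE_DIRECTORY_FILE: the CreateOptions bit that marks a directory
// create/open. Kept as a named local constant instead of the bare 0x00000001.
static const ULONG kFileDirectoryFile = 0x00000001;

// Copies the object name out of ObjectAttributes. UNICODE_STRING::Buffer is
// not guaranteed to be NUL-terminated, so the copy is bounded by Length (in
// bytes) rather than scanning for a terminator as the original did. Returns
// an empty string when there is no name at all.
static std::wstring ObjectNameToWString(POBJECT_ATTRIBUTES ObjectAttributes)
{
    if (ObjectAttributes == NULL ||
        ObjectAttributes->ObjectName == NULL ||
        ObjectAttributes->ObjectName->Buffer == NULL)
    {
        return std::wstring();
    }
    const PUNICODE_STRING pName = ObjectAttributes->ObjectName;
    return std::wstring(pName->Buffer, pName->Length / sizeof(WCHAR));
}

// Builds the path to log for a directory-create request.
//
// When RootDirectory is NULL the object name is already a full path. When it
// is set the name is relative to that handle; as in the original code this is
// resolved against the current directory, which the author observed to hold
// for `md` run from cmd. NOTE(review): that is not true in general -- a caller
// can pass any directory handle -- so paths logged for other callers may be
// wrong; a handle-to-path lookup would be needed to make this exact.
// ObjectAttributes must be non-NULL.
static std::wstring BuildFullPath(POBJECT_ATTRIBUTES ObjectAttributes)
{
    const std::wstring strName = ObjectNameToWString(ObjectAttributes);
    if (ObjectAttributes->RootDirectory == NULL)
        return strName;

    char szRootPath[BUFSIZE] = {0};
    std::wstring strFullPath;  // stays empty if the current directory cannot be read
    if (GetCurrentDirectoryA(BUFSIZE, szRootPath))
    {
        const int nLen = lstrlenA(szRootPath);
        strFullPath = CUtil::s2ws(std::string(szRootPath));
        if (nLen > 0 && szRootPath[nLen - 1] != '\\')
            strFullPath += L"\\";
        strFullPath += strName;
    }
    OutputDebugStringA("RootDirectory is not null");
    OutputDebugStringW(strFullPath.c_str());
    return strFullPath;
}

// Detour for ntdll!NtCreateFile.
//
// Observes directory-create requests (CreateOptions has FILE_DIRECTORY_FILE),
// appends the calling executable and the requested path to C:\FindOut.txt,
// then always forwards to the real NtCreateFile and returns its status
// unchanged. The hook must never substitute its own return value for the real
// call: the thread above shows that returning 0 without forwarding breaks the
// caller, and the function's job is to observe, not to alter the operation.
//
// Re-entrancy: fopen() below itself reaches NtCreateFile and therefore this
// hook again. That nested call opens an ordinary file, so the
// FILE_DIRECTORY_FILE test is false and the recursion stops after one level.
// Do not create a directory from inside this block.
//
// NOTE(review): the log lives at a fixed, predictable path directly under C:\
// and this DLL runs inside every process it is injected into, whatever that
// process's privileges; a per-user or access-controlled location would be a
// safer choice than a root-level file.
NTSTATUS NTAPI My_NtCreateFile(OUT PHANDLE FileHandle,
                               IN ACCESS_MASK DesiredAccess,
                               IN POBJECT_ATTRIBUTES ObjectAttributes,
                               OUT PIO_STATUS_BLOCK IoStatusBlock,
                               IN PLARGE_INTEGER AllocationSize OPTIONAL,
                               IN ULONG FileAttributes,
                               IN ULONG ShareAccess,
                               IN ULONG CreateDisposition,
                               IN ULONG CreateOptions,
                               IN PVOID EaBuffer OPTIONAL,
                               IN ULONG EaLength)
{
    // ObjectAttributes is checked here; the original dereferenced it (and
    // ObjectName) unconditionally.
    if ((CreateOptions & kFileDirectoryFile) && ObjectAttributes != NULL)
    {
        char szExe[1024] = {0};
        GetModuleFileNameA(NULL, szExe, 1024);

        const std::wstring strFullPath = BuildFullPath(ObjectAttributes);

        // Opened only once the path is known, and closed on every path.
        FILE *pFile = fopen("C:\\FindOut.txt", "a");
        if (pFile)
        {
            fprintf(pFile, "--------------------------------------%s\n%s\n\n",
                    szExe, CUtil::ws2s(strFullPath).c_str());
            fclose(pFile);
        }
    }

    return Real_NtCreateFile(FileHandle, DesiredAccess, ObjectAttributes,
                             IoStatusBlock, AllocationSize, FileAttributes,
                             ShareAccess, CreateDisposition, CreateOptions,
                             EaBuffer, EaLength);
}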
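// Installs the detours when the DLL is mapped into a process and removes them
// when it is unmapped. Runs under the loader lock, so only Detours calls and
// OutputDebugString are made here. lpReserved is not used.
//
// The original discarded DetourTransactionCommit()'s status; a failed commit
// leaves the process silently unhooked, which is the first thing to check when
// the log file stays empty, so the status is now reported.
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    if (DLL_PROCESS_ATTACH == ul_reason_for_call)
    {
        // Undo the import-table edit left by DetourCreateProcessWithDll when
        // this process was started by a hooked parent; harmless otherwise.
        DetourRestoreAfterWith();

        g_hDLL = hModule;
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)Real_CreateProcessA, Mine_CreateProcessA);
        DetourAttach(&(PVOID&)Real_CreateProcessW, Mine_CreateProcessW);
        DetourAttach(&(PVOID&)Real_NtCreateFile, My_NtCreateFile);
        const LONG lError = DetourTransactionCommit();
        if (lError != NO_ERROR)
        {
            OutputDebugStringA("DllMain: DetourTransactionCommit failed on attach");
        }
    }
    else if (DLL_PROCESS_DETACH == ul_reason_for_call)
    {
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID&)Real_CreateProcessA, Mine_CreateProcessA);
        DetourDetach(&(PVOID&)Real_CreateProcessW, Mine_CreateProcessW);
        DetourDetach(&(PVOID&)Real_NtCreateFile, My_NtCreateFile);
        const LONG lError = DetourTransactionCommit();
        if (lError != NO_ERROR)
        {
            OutputDebugStringA("DllMain: DetourTransactionCommit failed on detach");
        }
    }
    return TRUE;
}

// Empty placeholder; nothing in this listing calls it. Kept so the module's
// set of functions is unchanged.
void TestFun()
{
}

#ifdef _MANAGED
#pragma managed(pop)
#endif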