关于以前超级绿豆的HOOK API代码如何获取参数!
看以下代码,这个是被拦截的函数返回时的Private Sub m_oExpHooker_AfterAction(ByVal lHookID As Long, ByVal lHookType As Long, ByVal sAPIName As String, ByVal fIntercepted As Boolean, lRetValue As Long)
'显示堆栈内容
Dim abDumpData() As Byte
Dim alArgs() As Long
Dim EAX As Long
Dim ECX As Long
Dim EDX As Long
Dim EBX As Long
Dim ESP As Long
Dim EBP As Long
Dim ESI As Long
Dim EDI As Long
Dim EFLAGS As Long
AddMsg "函数 " & sAPIName & IIf(fIntercepted, "被阻止", " 调用完毕,返回参数为:&H" & Hex(lRetValue))
With m_oExpHooker
.DumpStack abDumpData(), 128
.GetArguments alArgs(), 16
.GetArgumentByName EAX, "EAX"
.GetArgumentByName ECX, "ECX"
.GetArgumentByName EDX, "EDX"
.GetArgumentByName EBX, "EBX"
.GetArgumentByName ESP, "ESP"
.GetArgumentByName EBP, "EBP"
.GetArgumentByName ESI, "ESI"
.GetArgumentByName EDI, "EDI"
.GetArgumentByName EFLAGS, "EFLAGS"
End With AddTxt "堆栈情况返回:" & vbCrLf
AddTxt Array2Str(abDumpData(), 1, 8) & vbCrLf & vbCrLf AddTxt "参数堆栈情况返回:" & vbCrLf
AddTxt Array2Str(alArgs(), 4, 4) & vbCrLf & vbCrLf
'修改函数返回值
lRetValue = 1End Sub有人说用 m_oExpHooker.GetArgumentByName EDI, 4 获得第一个参数,m_oExpHooker.GetArgumentByName EDI, 8获取第2个参数,但是我发现这个说的都是传递进去的参数,当函数返回的时候,地址就变了而且关键在于,这里所说的这些参数获取回来的都是LONG型的参数,对于所有LONG型参数都可以正常获取,但是有一个问题就是如果参数是STRING型的,该如何获取呢?看以下函数:
st = bm_read_hex(dev,30,1, data)这个函数的bm_read_hex 前3个值都是LONG型,我现在可以正常获取,但是最后一个是STRING型,而且函数执行后保存的结果也在DATA这个STRING型里面,我知道DATA的长度是3,我是不是要根据参数的堆栈地址获取到第4个参数的内存地址,然后往后读3个字节才能获取到DATA的准确数据?
看以下代码,这个是被拦截的函数返回时的Private Sub m_oExpHooker_AfterAction(ByVal lHookID As Long, ByVal lHookType As Long, ByVal sAPIName As String, ByVal fIntercepted As Boolean, lRetValue As Long)
'显示堆栈内容
Dim abDumpData() As Byte
Dim alArgs() As Long
Dim EAX As Long
Dim ECX As Long
Dim EDX As Long
Dim EBX As Long
Dim ESP As Long
Dim EBP As Long
Dim ESI As Long
Dim EDI As Long
Dim EFLAGS As Long
AddMsg "函数 " & sAPIName & IIf(fIntercepted, "被阻止", " 调用完毕,返回参数为:&H" & Hex(lRetValue))
With m_oExpHooker
.DumpStack abDumpData(), 128
.GetArguments alArgs(), 16
.GetArgumentByName EAX, "EAX"
.GetArgumentByName ECX, "ECX"
.GetArgumentByName EDX, "EDX"
.GetArgumentByName EBX, "EBX"
.GetArgumentByName ESP, "ESP"
.GetArgumentByName EBP, "EBP"
.GetArgumentByName ESI, "ESI"
.GetArgumentByName EDI, "EDI"
.GetArgumentByName EFLAGS, "EFLAGS"
End With AddTxt "堆栈情况返回:" & vbCrLf
AddTxt Array2Str(abDumpData(), 1, 8) & vbCrLf & vbCrLf AddTxt "参数堆栈情况返回:" & vbCrLf
AddTxt Array2Str(alArgs(), 4, 4) & vbCrLf & vbCrLf
'修改函数返回值
lRetValue = 1End Sub有人说用 m_oExpHooker.GetArgumentByName EDI, 4 获得第一个参数,m_oExpHooker.GetArgumentByName EDI, 8获取第2个参数,但是我发现这个说的都是传递进去的参数,当函数返回的时候,地址就变了而且关键在于,这里所说的这些参数获取回来的都是LONG型的参数,对于所有LONG型参数都可以正常获取,但是有一个问题就是如果参数是STRING型的,该如何获取呢?看以下函数:
st = bm_read_hex(dev,30,1, data)这个函数的bm_read_hex 前3个值都是LONG型,我现在可以正常获取,但是最后一个是STRING型,而且函数执行后保存的结果也在DATA这个STRING型里面,我知道DATA的长度是3,我是不是要根据参数的堆栈地址获取到第4个参数的内存地址,然后往后读3个字节才能获取到DATA的准确数据?
解决方案 »
免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货