I wrote a hook program that hooks the CreateProcessInternalW API in explorer.exe so I can detect when the files I care about get run. The MessageBox I wanted does come up, but after I click OK on it I get an error dialog. Uploading the screenshot failed, so I have copied the message out below:
The value of ESP was not properly saved across a function call. This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention.
__________________________________________________________________________________________________________________________________
Here is my hook code as well:
BOOL hand = NULL;
MessageBox(NULL, lpCommandLine, "Result", MB_OK);
WaitForSingleObject(g_hOpen, INFINITE);
// restore the first 8 bytes of the API (INVALID_HANDLE_VALUE is the current-process pseudo-handle)
WriteProcessMemory(INVALID_HANDLE_VALUE, (void*)g_pOpen, (void*)g_dwOldBytesforopen[0], sizeof(DWORD) * 2, NULL);
// actually call the real API
hand = Old_CreateProcessInternalW(hToken, lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation, hNewToken);
// write the jump back in so the hook stays active
WriteProcessMemory(INVALID_HANDLE_VALUE, (void*)g_pOpen, (void*)g_btNewBytesforopen, sizeof(DWORD) * 2, NULL);
SetEvent(g_hOpen);
return hand;
——————————————————————————————————————————————————————————————————————————
Old_CreateProcessInternalW is the function I obtain from kernel32.dll
Declared as:
typedef BOOL (*PFNCreateProcessInternalW)
(
HANDLE hToken,
LPCTSTR lpApplicationName,
LPTSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCTSTR lpCurrentDirectory,
LPSTARTUPINFO lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation ,
PHANDLE hNewToken
);
PFNCreateProcessInternalW Old_CreateProcessInternalW;
HMODULE hWsock = LoadLibrary("kernel32.dll");
Old_CreateProcessInternalW=(PFNCreateProcessInternalW)GetProcAddress(hWsock, "CreateProcessInternalW" );
No calling convention is declared here; the correct form should be
typedef BOOL (WINAPI *PFNCreateProcessInternalW)
Otherwise the stack ends up with 4 bytes that are not adjusted.
The calling convention is wrong, it should be __stdcall: typedef BOOL (__stdcall *PFNCreateProcessInternalW)
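An added worked example (my own code, not anything posted in this thread): it shows the pointer typedef with the calling convention placed where the replies say it goes, and walks through the other half of the poster's code, the 8-byte patch written over the head of the hooked function and the unhook / call / re-hook sequence around the real call. Assumptions: a 32-bit x86 target for the instruction encodings (push imm32 / ret, and jmp rel32), stand-in types instead of windows.h so it compiles anywhere, and a constructed byte array standing in for real code, so no VirtualProtect, WriteProcessMemory or FlushInstructionCache calls are made. On 32-bit Windows the mismatch behind the error is the whole argument block rather than a single slot: CreateProcessInternalW takes 12 pointer-sized arguments, so a __stdcall callee pops 48 bytes with ret 48, and a caller compiled as __cdecl then adds another 48 to ESP, which is exactly what the MSVC run-time check (/RTC) in a debug build reports.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* WINAPI is __stdcall on 32-bit Windows; elsewhere the convention does not
 * exist, so keep the macro empty and the typedef still compiles. */
#if defined(_WIN32) && !defined(_WIN64)
#  define HOOK_CALL __stdcall
#else
#  define HOOK_CALL
#endif

/* The convention goes between the return type and the '*'. Stand-in types are
 * used so this builds without windows.h; only the position of HOOK_CALL matters.
 * 12 arguments x 4 bytes = 48 bytes that the callee pops under __stdcall. */
typedef int   BOOL_T;
typedef void *HANDLE_T;
typedef BOOL_T (HOOK_CALL *PFNCreateProcessInternalW_fixed)(
        HANDLE_T hToken, const wchar_t *lpApplicationName, wchar_t *lpCommandLine,
        void *lpProcessAttributes, void *lpThreadAttributes, BOOL_T bInheritHandles,
        uint32_t dwCreationFlags, void *lpEnvironment, const wchar_t *lpCurrentDirectory,
        void *lpStartupInfo, void *lpProcessInformation, HANDLE_T *hNewToken);

#define PATCH_LEN 8   /* the poster saves and restores sizeof(DWORD)*2 bytes */

/* 32-bit x86 detour "push imm32; ret" (68 xx xx xx xx C3) padded with two NOPs.
 * push/ret is an absolute jump, so it does not depend on where the patch sits. */
void build_push_ret_patch(uint32_t hook_addr, uint8_t out[PATCH_LEN])
{
    out[0] = 0x68;
    out[1] = (uint8_t)(hook_addr);
    out[2] = (uint8_t)(hook_addr >> 8);
    out[3] = (uint8_t)(hook_addr >> 16);
    out[4] = (uint8_t)(hook_addr >> 24);
    out[5] = 0xC3;
    out[6] = 0x90;
    out[7] = 0x90;
}

/* Alternative "jmp rel32" (E9 disp32): disp is relative to the end of the
 * 5-byte instruction, so the address being patched must be known. */
void build_jmp_rel32_patch(uint32_t patch_addr, uint32_t hook_addr, uint8_t out[PATCH_LEN])
{
    uint32_t disp = hook_addr - (patch_addr + 5);   /* unsigned wrap handles backward jumps */
    out[0] = 0xE9;
    out[1] = (uint8_t)(disp);
    out[2] = (uint8_t)(disp >> 8);
    out[3] = (uint8_t)(disp >> 16);
    out[4] = (uint8_t)(disp >> 24);
    out[5] = out[6] = out[7] = 0x90;
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the target of a push/ret patch (0 if the bytes are not one). */
uint32_t push_ret_target(const uint8_t p[PATCH_LEN])
{
    return (p[0] == 0x68 && p[5] == 0xC3) ? le32(p + 1) : 0;
}

/* Build a push/ret patch and decode it again; returns the original address. */
uint32_t roundtrip_push_ret(uint32_t addr)
{
    uint8_t p[PATCH_LEN];
    build_push_ret_patch(addr, p);
    return push_ret_target(p);
}

/* Build a jmp rel32 patch and compute where it lands; returns hook_addr. */
uint32_t jmp_rel32_target(uint32_t patch_addr, uint32_t hook_addr)
{
    uint8_t p[PATCH_LEN];
    build_jmp_rel32_patch(patch_addr, hook_addr, p);
    return p[0] == 0xE9 ? patch_addr + 5 + le32(p + 1) : 0;
}

struct hook_site {
    uint8_t *code;               /* first 8 bytes of the hooked function */
    uint8_t  saved[PATCH_LEN];   /* original bytes  (the poster's g_dwOldBytesforopen) */
    uint8_t  detour[PATCH_LEN];  /* patch bytes     (the poster's g_btNewBytesforopen) */
};

/* Save the prologue and write the detour. Against live code the two memcpys
 * become VirtualProtect + WriteProcessMemory followed by FlushInstructionCache. */
void hook_install(struct hook_site *h, uint8_t *code, uint32_t hook_addr)
{
    h->code = code;
    memcpy(h->saved, code, PATCH_LEN);
    build_push_ret_patch(hook_addr, h->detour);
    memcpy(code, h->detour, PATCH_LEN);
}

void hook_remove(struct hook_site *h) { memcpy(h->code, h->saved, PATCH_LEN); }

/* The poster's pattern: restore, call through, re-patch. Between the two copies
 * the function is unhooked for every thread, which is why the whole sequence
 * is serialized with an event (g_hOpen) in the posted code. */
typedef int (*original_fn)(const uint8_t *code, int arg);

int call_original_unhooked(struct hook_site *h, original_fn orig, int arg)
{
    int result;
    memcpy(h->code, h->saved, PATCH_LEN);    /* unhook */
    result = orig(h->code, arg);             /* real call */
    memcpy(h->code, h->detour, PATCH_LEN);   /* re-hook */
    return result;
}

/* Stand-in original: returns arg*arg only if its prologue is intact, so the
 * result proves the bytes were really restored before the call. */
static int fake_original(const uint8_t *code, int arg)
{
    return (code[0] == 0x8B && code[1] == 0xFF) ? arg * arg : -1;
}

/* Full cycle over a constructed prologue: 8B FF 55 8B EC is the hot-patchable
 * "mov edi,edi / push ebp / mov ebp,esp" that x86 kernel32 exports start with. */
int demo_hook_cycle(void)
{
    uint8_t code[PATCH_LEN] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};
    struct hook_site h;
    int r;

    hook_install(&h, code, 0x10001000u);                   /* hypothetical hook address */
    if (code[0] != 0x68 || code[5] != 0xC3) return -2;     /* detour is in place */
    r = call_original_unhooked(&h, fake_original, 7);      /* 49 only if restored */
    if (code[0] != 0x68) return -3;                        /* re-hooked after the call */
    hook_remove(&h);
    if (memcmp(code, h.saved, PATCH_LEN) != 0) return -4;  /* clean unhook */
    return r;
}
```

The typedef here is deliberately the only place the calling convention appears: the hook function itself must be declared with the same convention, otherwise the detour lands in a __cdecl body that expects the caller to clean up and the same ESP check fires from the other side.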
When I did my hooks I just used Microsoft's Detours directly
Works quite well
It is good, but a pity it comes with a library, which is a hassle ------------------------------------- Haha, I no longer need to ship that dll now,