我用建立远程线程的方法将我的dll注入到被hook的进程中,dll的主要作用挂钩 gethostbyname 这个api。我想用自己的MY_gethostbyname来代替原来的函数。现在只成功了30%,当执行到MY_gethostbyname时就出现 “Access violation at address 000003e7,Read of address 000003e7”的错误,幸好没有崩溃。显然是返回值出现了问题。老实说我不会处理这个MY_gethostbyname的返回值,我想他返回一个虚假的ip地址,而不是实际的ip地址。代码基本是安照《windows核心编程》组装的。请各位指点一下!谢谢! 如果能帮我改一下代码就更好了。我的代码如下:#include "stdafx.h"#include <winsock2.h>
#include <windows.h>
#include <ImageHlp.h>
#pragma comment(lib, "ImageHlp")
#pragma comment(lib,"Ws2_32")
extern "C" __declspec(dllexport) struct hostent* FAR MY_gethostbyname(const char* name
);static void WINAPI ReplaceIATEntryInOneMod(PCSTR pszCalleeModName,
PROC pfnOrig, PROC pfnHook, HMODULE hmodCaller);
void process();hostent *phostent=new hostent;BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
process();
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}struct hostent* FAR MY_gethostbyname(const char* name)
{
//hostent *phostent=malloc(sizeof(hostent));
//MessageBox(NULL,"I'm in MY_gethostbyname",NULL,NULL);
BYTE ip[5]={0xa,0xc6,0,0xb4,0};
char *p=(char*)ip;
phostent->h_addr_list =(char**)&p;
return phostent;
}///////////////////////////////////////////////////////////////////////////////
//替换IAT入口点
//pszCalleeModName:要寻找dll
//pfnCurrent:要寻找函数
//pfnNew:自己的函数
//hmodCaller:需要调用自己的函数的模块(exe、dll)的句柄static void WINAPI ReplaceIATEntryInOneMod(PCSTR pszCalleeModName,
PROC pfnCurrent, PROC pfnNew, HMODULE hmodCaller) { // Get the address of the module's import section
ULONG ulSize;
PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)
ImageDirectoryEntryToData(hmodCaller, TRUE,
IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize); if (pImportDesc == NULL)
return; // This module has no import section // Find the import descriptor containing references to callee's functions
for (; pImportDesc->Name; pImportDesc++) {
PSTR pszModName = (PSTR) ((PBYTE) hmodCaller + pImportDesc->Name);
if (lstrcmpiA(pszModName, pszCalleeModName) == 0)
break; // Found
} if (pImportDesc->Name == 0)
return; // This module doesn't import any functions from this callee // Get caller's import address table (IAT) for the callee's functions
PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)
((PBYTE) hmodCaller + pImportDesc->FirstThunk); // Replace current function address with new function address
for (; pThunk->u1.Function; pThunk++) { // Get the address of the function address
PROC* ppfn = (PROC*) &pThunk->u1.Function; // Is this the function we're looking for?
BOOL fFound = (*ppfn == pfnCurrent);
// if (!fFound && (*ppfn > sm_pvMaxAppAddr)) { // If this is not the function and the address is in a shared DLL,
// then maybe we're running under a debugger on Windows 98. In this
// case, this address points to an instruction that may have the
// correct address.// PBYTE pbInFunc = (PBYTE) *ppfn;
// if (pbInFunc[0] == cPushOpCode) {
// // We see the PUSH instruction, the real function address follows
// ppfn = (PROC*) &pbInFunc[1]; // Is this the function we're looking for?
// fFound = (*ppfn == pfnCurrent);
// }
// } if (fFound) {
// The addresses match, change the import section address
MessageBox(NULL,"Changing!",NULL,NULL);
WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew,
sizeof(pfnNew), NULL);
return; // We did it, get out
}
} // If we get to here, the function is not in the caller's import section
}void process()
{
PROC oldpfn=GetProcAddress(GetModuleHandle("wsock32.dll"),"gethostbyname");
PROC newpfn=GetProcAddress(GetModuleHandle("hook.dll"),"MY_gethostbyname");
HMODULE exehandle=GetModuleHandle("COME.exe");
ReplaceIATEntryInOneMod("wsock32.dll",oldpfn,newpfn,exehandle);
}
#include <windows.h>
#include <ImageHlp.h>
#pragma comment(lib, "ImageHlp")
#pragma comment(lib,"Ws2_32")
extern "C" __declspec(dllexport) struct hostent* FAR MY_gethostbyname(const char* name
);static void WINAPI ReplaceIATEntryInOneMod(PCSTR pszCalleeModName,
PROC pfnOrig, PROC pfnHook, HMODULE hmodCaller);
void process();hostent *phostent=new hostent;BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
process();
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}struct hostent* FAR MY_gethostbyname(const char* name)
{
//hostent *phostent=malloc(sizeof(hostent));
//MessageBox(NULL,"I'm in MY_gethostbyname",NULL,NULL);
BYTE ip[5]={0xa,0xc6,0,0xb4,0};
char *p=(char*)ip;
phostent->h_addr_list =(char**)&p;
return phostent;
}///////////////////////////////////////////////////////////////////////////////
//替换IAT入口点
//pszCalleeModName:要寻找dll
//pfnCurrent:要寻找函数
//pfnNew:自己的函数
//hmodCaller:需要调用自己的函数的模块(exe、dll)的句柄static void WINAPI ReplaceIATEntryInOneMod(PCSTR pszCalleeModName,
PROC pfnCurrent, PROC pfnNew, HMODULE hmodCaller) { // Get the address of the module's import section
ULONG ulSize;
PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)
ImageDirectoryEntryToData(hmodCaller, TRUE,
IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize); if (pImportDesc == NULL)
return; // This module has no import section // Find the import descriptor containing references to callee's functions
for (; pImportDesc->Name; pImportDesc++) {
PSTR pszModName = (PSTR) ((PBYTE) hmodCaller + pImportDesc->Name);
if (lstrcmpiA(pszModName, pszCalleeModName) == 0)
break; // Found
} if (pImportDesc->Name == 0)
return; // This module doesn't import any functions from this callee // Get caller's import address table (IAT) for the callee's functions
PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)
((PBYTE) hmodCaller + pImportDesc->FirstThunk); // Replace current function address with new function address
for (; pThunk->u1.Function; pThunk++) { // Get the address of the function address
PROC* ppfn = (PROC*) &pThunk->u1.Function; // Is this the function we're looking for?
BOOL fFound = (*ppfn == pfnCurrent);
// if (!fFound && (*ppfn > sm_pvMaxAppAddr)) { // If this is not the function and the address is in a shared DLL,
// then maybe we're running under a debugger on Windows 98. In this
// case, this address points to an instruction that may have the
// correct address.// PBYTE pbInFunc = (PBYTE) *ppfn;
// if (pbInFunc[0] == cPushOpCode) {
// // We see the PUSH instruction, the real function address follows
// ppfn = (PROC*) &pbInFunc[1]; // Is this the function we're looking for?
// fFound = (*ppfn == pfnCurrent);
// }
// } if (fFound) {
// The addresses match, change the import section address
MessageBox(NULL,"Changing!",NULL,NULL);
WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew,
sizeof(pfnNew), NULL);
return; // We did it, get out
}
} // If we get to here, the function is not in the caller's import section
}void process()
{
PROC oldpfn=GetProcAddress(GetModuleHandle("wsock32.dll"),"gethostbyname");
PROC newpfn=GetProcAddress(GetModuleHandle("hook.dll"),"MY_gethostbyname");
HMODULE exehandle=GetModuleHandle("COME.exe");
ReplaceIATEntryInOneMod("wsock32.dll",oldpfn,newpfn,exehandle);
}
解决方案 »
- 如何对CString扩容?
- 请高手指点
- SetCapture的迷惑
- 请问:两副基本相同的BMP图像(原图像与处理过图像)的差图像怎么做呢?
- 高级话题:类似vc里面的dsw文件该怎么做啊?我要开发一个工程软件,在该软件中来获取外部的一些测量信息用不同文件保存,我想象VC的DSW文
- 一个关于ActiveX在IE浏览器上出现的奇怪现象,各位大侠帮帮忙。
- 关于DCOM的实现原理于应用前景提问!100分!
- 帮帮忙,拜托!
- 未发现数据源名称并且未指定默认驱动程序的错误。求解??
- 求救,WINAPI函数中对象出错
- 关于OnUpdataMenuItem(CCmdUI* pCmdUI)的问题
- ■有谁做过华为外包的,讲讲体会、经验,指点一下小弟我!谢谢!来者有分!!!■
// The addresses match, change the import section address
MessageBox(NULL,"Changing!",NULL,NULL);
WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew,
sizeof(pfnNew), NULL);
return; // We did it, get out
}可能使这里的内存不可写
我想错误之处应该出在 hostent 结构的填充和处理。搞了几天还是不会.......我快晕了
你可以参考一下他的帖子
static BYTE ip[5]={0xa,0xc6,0,0xb4,0};