我试图使用微软的弯路进行基本挂钩。我的程序能够成功运行CreateProcessWithDllEx并注入一个dll。但是,我似乎无法恢复实际的挂钩程序。我正在使用记事本进行测试,并且可以看到notepad.exe在我的进程列表中运行,但记事本窗口实际上并未出现。CreateProcessWithDLLEx - 挂钩进程启动,但无法恢复
我的DLL如下:
#undef UNICODE
#include <cstdio>
#include <windows.h>
#include <detours.h>
#pragma comment(lib, "detours.lib")
typedef void (WINAPI *pFunc)(void);
DWORD WINAPI MyFunc(void);
pFunc FuncToDetour = (pFunc)DetourFindFunction("Winmm.dll", "timeGetTime"); //Set it at address to detour in
//the process
extern "C" __declspec(dllexport)VOID NullExport(VOID)
{
}
INT APIENTRY DllMain(HMODULE hDLL, DWORD Reason, LPVOID Reserved)
{
switch(Reason)
{
case DLL_PROCESS_ATTACH:
{
DisableThreadLibraryCalls(hDLL);
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
//DetourAttach(&(PVOID&)FuncToDetour, MyFunc);
//DetourTransactionCommit();
}
break;
case DLL_PROCESS_DETACH:
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourDetach(&(PVOID&)FuncToDetour, MyFunc);
DetourTransactionCommit();
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
}
return TRUE;
}
DWORD WINAPI MyFunc()
{
return 0;
}
我的注射器如下:
#undef _UNICODE
#include "stdafx.h"
#include <cstdio>
#include <windows.h>
#include <detours.h>
int main()
{
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(STARTUPINFO));
ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));
si.cb = sizeof(STARTUPINFO);
WCHAR DirPath[MAX_PATH+1];
wcscpy_s(DirPath, MAX_PATH, L"C:\\Documents and Settings\\Administrator\\My Documents\\Visual Studio 2010\\Projects\\hbotinjector\\Release");
char DLLPath[MAX_PATH+1] = "C:\\Documents and Settings\\Administrator\\My Documents\\Visual Studio 2010\\Projects\\hbotinjector\\Release\\hbotdll.dll";
WCHAR EXE[MAX_PATH+1]={0};
wcscpy_s(EXE, MAX_PATH, L"C:\\Documents and Settings\\Administrator\\My Documents\\Visual Studio 2010\\Projects\\hbotinjector\\Release\\notepad.exe");
STARTUPINFO _StartupInfo;
PROCESS_INFORMATION _Information;
ZeroMemory(&_Information, sizeof(PROCESS_INFORMATION));
if(DetourCreateProcessWithDllEx(EXE, NULL, NULL, NULL, TRUE,
CREATE_DEFAULT_ERROR_MODE | CREATE_SUSPENDED, NULL, DirPath, &_StartupInfo, &_Information,
DLLPath, NULL))
{
MessageBoxA(NULL,"INJECTED", NULL, NULL);
ResumeThread(_Information.hThread);
WaitForSingleObject(_Information.hProcess, INFINITE);
}
else
{
char error[100];
sprintf(error, "%d", GetLastError());
MessageBoxA(NULL, error, NULL, NULL);
}
return 0;
}
我建我的DLL一个.DEF文件,确保有在所需要的功能序号1为绕道正常工作:
LIBRARY HBOTDLL
EXPORTS
NullExport @1
有没有人知道是什么原因引起的过程从不ru nning?作为一个侧面说明,我已经试过它与一个空白的DLL以及它只包含序号1所需的功能,没有别的,它似乎有相同的结果。
另外,只要在进程列表中显示notepad.exe进程,我的注入器就会一直运行。这是对WaitForSingleObject的响应,这似乎表明进程已经正确产生。
'ZeroMemory(&_Information,sizeof(PROCESS_INFORMATION));'否看看它在代码开始时是如何正确完成的,si变量。 – 2012-07-22 20:08:11
你是男人。我不确定为什么我已经声明了同一组结构的两个不同版本。但问题是固定使用原本宣称结构: 和更改呼叫: \t如果(DetourCreateProcessWithDllEx(EXE,NULL,NULL,NULL,TRUE, \t CREATE_DEFAULT_ERROR_MODE | CREATE_SUSPENDED,NULL,DirPath,&SI,亚太裔, \t DLLPath,NULL)) – emist 2012-07-22 20:17:56