I want to hook the OpenProcess function on XP, but it always fails. Why?
The source code is as follows:
    #include "windows.h"
    #include "HookAPI.h"
    #include <string.h>

    // Macro for adding pointers/DWORDs together without C arithmetic interfering
    // (32-bit only: pointers are truncated to DWORD)
    #define MakePtr(cast, ptr, addValue) (cast)((DWORD)(ptr) + (DWORD)(addValue))

    PROC HookAPIFunction(HMODULE hFromModule,
                         PSTR pszFunctionModule,
                         PSTR pszFunctionName,
                         PROC pfnNewProc)
    {
        PROC pfnOriginalProc;
        PIMAGE_DOS_HEADER pDosHeader;
        PIMAGE_NT_HEADERS pNTHeader;
        PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
        PIMAGE_THUNK_DATA pThunk;
        DWORD dwProtectionFlags;
        DWORD dwScratch;

        // Verify that a valid pfn was passed
        if (IsBadCodePtr(pfnNewProc))
            return 0;

        // First, verify that the module and function names passed to us are valid
        pfnOriginalProc = GetProcAddress(GetModuleHandle(pszFunctionModule), pszFunctionName);
        if (!pfnOriginalProc)
            return 0;

        pDosHeader = (PIMAGE_DOS_HEADER)hFromModule;

        // Tests to make sure we're looking at a module image (the 'MZ' header)
        if (IsBadReadPtr(pDosHeader, sizeof(IMAGE_DOS_HEADER)))
            return 0;
        if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
            return 0;

        // The MZ header has a pointer to the PE header
        pNTHeader = MakePtr(PIMAGE_NT_HEADERS, pDosHeader, pDosHeader->e_lfanew);

        // More tests to make sure we're looking at a "PE" image
        if (IsBadReadPtr(pNTHeader, sizeof(IMAGE_NT_HEADERS)))
            return 0;
        if (pNTHeader->Signature != IMAGE_NT_SIGNATURE)
            return 0;

        // We now have a valid pointer to the module's PE header.
        // Now go get a pointer to its imports section
        pImportDesc = MakePtr(PIMAGE_IMPORT_DESCRIPTOR, pDosHeader,
                              pNTHeader->OptionalHeader.
                              DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].
                              VirtualAddress);

        // Bail out if the RVA of the imports section is 0 (it doesn't exist)
        if (pImportDesc == (PIMAGE_IMPORT_DESCRIPTOR)pNTHeader)
            return 0;

        // Iterate through the array of imported module descriptors, looking
        // for the module whose name matches the pszFunctionModule parameter
        while (pImportDesc->Name)
        {
            PSTR pszModName = MakePtr(PSTR, pDosHeader, pImportDesc->Name);
            if (_stricmp(pszModName, pszFunctionModule) == 0)
                break;
            // Advance to next imported module descriptor
            pImportDesc++;
        }

        // Bail out if we didn't find the import module descriptor for the
        // specified module. pImportDesc->Name will be non-zero if we found it.
        if (pImportDesc->Name == 0)
            return 0;

        // Get a pointer to the found module's import address table (IAT)
        pThunk = MakePtr(PIMAGE_THUNK_DATA, pDosHeader, pImportDesc->FirstThunk);

        // Blast through the table of import addresses, looking for the one
        // that matches the address we got back from GetProcAddress above.
        while (pThunk->u1.Function)
        {
            if (pThunk->u1.Function == (PDWORD)pfnOriginalProc) //---《1》
            {
                // The IAT page is normally read-only; make it writable before patching
                dwProtectionFlags = PAGE_READWRITE;
                if (!VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function),
                                    dwProtectionFlags, &dwScratch))
                    return 0;

                // We found it! Overwrite the original address with the
                // address of the interception function. Return the original
                // address to the caller so that they can chain on to it.
                pThunk->u1.Function = (PDWORD)pfnNewProc;

                // Put the previous page protection back
                VirtualProtect(&pThunk->u1.Function, sizeof(pThunk->u1.Function),
                               dwScratch, &dwScratch);
                return pfnOriginalProc;
            }
            // Advance to next imported function address
            pThunk++;
        }

        // Function not found
        return 0;
    }
I found that at 《1》 pThunk never contains the OpenProcess function, and the loop runs only a few times, quite unlike the several hundred functions exported by kernel.dll. Why is that, and how can I hook OpenProcess to my custom function?
Points: 0, replies: 4
#1 boman258 (boman258) replied 2005-06-03 15:14:21, score 0
Nobody knows?
#2 orbit (走了走了) replied 2005-06-03 15:23:03, score 0
The import table only has entries for the APIs that are actually used. kernel has many functions, but not every one of them is used. Also, if this program does not use OpenProcess, there is naturally no entry for it.
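The point made in this reply, as an added example that is not part of the thread: the same import-directory walk that HookAPIFunction does, written in Python over a PE32 image laid out the way the loader maps it (RVA == offset, like hFromModule). The parser, the image builder and the two sample images are constructed for this example, not the poster's code; they show that a module which never calls OpenProcess has no kernel32 IAT slot for it, so the hook loop has nothing to patch.

```python
import struct

def _cstr(image, off):                       # NUL-terminated ASCII string at RVA `off`
    return image[off:image.index(b"\0", off)].decode("ascii")

def iat_imports(image):                      # {module_name_lower: [imported function names]}
    if image[:2] != b"MZ": raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0": raise ValueError("missing PE signature")
    opt = e_lfanew + 24                      # optional header follows the 20-byte file header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B: raise ValueError("PE32 only")
    imp_rva = struct.unpack_from("<I", image, opt + 96 + 8)[0]  # DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress
    result, desc = {}, imp_rva
    # same loop as the thread's code: one IMAGE_IMPORT_DESCRIPTOR per DLL, ends at Name == 0
    while desc and struct.unpack_from("<I", image, desc + 12)[0]:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", image, desc)
        names, thunk = [], (oft or ft)       # INT (OriginalFirstThunk) keeps the names; the IAT gets patched
        while (entry := struct.unpack_from("<I", image, thunk)[0]):
            names.append("#%d" % (entry & 0xFFFF) if entry & 0x80000000   # import by ordinal
                         else _cstr(image, entry + 2))                    # skip the 2-byte hint
            thunk += 4
        result[_cstr(image, name_rva).lower()] = names
        desc += 20
    return result

def imports_function(image, module, func):
    return func in iat_imports(image).get(module.lower(), [])

def build_image(imports):                    # constructed minimal PE32 image, RVA == offset
    body = bytearray()
    def put(b):                              # append data at RVA 0x200+, return its RVA
        body.extend(b)
        return 0x200 + len(body) - len(b)
    descs = b""
    for mod, funcs in imports.items():
        name_rva = put(mod.encode() + b"\0")
        ibn = [put(b"\0\0" + f.encode() + b"\0") for f in funcs]       # IMAGE_IMPORT_BY_NAME: hint + name
        thunks = struct.pack("<%dI" % (len(ibn) + 1), *ibn, 0)
        descs += struct.pack("<5I", put(thunks), 0, 0, name_rva, put(thunks))  # INT, then unbound IAT copy
    imp_rva = put(descs + bytes(20))         # zero descriptor terminates the array
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                              # e_lfanew
    struct.pack_into("<H", hdr, 0x40 + 24, 0x10B)                        # PE32 magic
    struct.pack_into("<II", hdr, 0x40 + 24 + 96 + 8, imp_rva, len(descs) + 20)  # import directory entry
    return bytes(hdr + body)

# Constructed samples: a program that never calls OpenProcess, and one that does
NO_OPENPROCESS = build_image({"KERNEL32.dll": ["CreateFileA", "ReadFile", "CloseHandle"]})
WITH_OPENPROCESS = build_image({"KERNEL32.dll": ["CreateFileA", "OpenProcess"], "USER32.dll": ["MessageBoxA"]})
```

Running the check against a real module means reading the same in-memory image the hook code walks; a module whose kernel32 list lacks OpenProcess can only be hooked at a different layer (for example in the module that does import it, or via a different hooking technique).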
#3 gooyan (超级替补) replied 2005-06-03 16:07:03, score 0
You could write a test program that calls OpenProcess; then you should be able to see it.
If you can avoid hooking, better not to use hooks:
1) There is a supplement to Windows核心编程 (Programming Applications for Windows) on this; search the web and you can find it.
2) Permission issues are involved.
3) Compatibility issues.
#4 linuxpgy (永远) replied 2005-06-11 18:56:51, score 0
I don't have that much time to look at your code right now,
but I can give you a few API hook programs for reference:
http://myproject.91x.net/
<完美版API拦截> (Perfect API Interception) and <APIHook的核心实现代码> (Core implementation code of APIHook)