I'm learning about hooks and decided to try hooking the Win32 API function LoadLibraryA to see whether something is being injected through CreateRemoteThread and LoadLibrary. I'm hooking from within my own console application, which I want to protect.
I'm able to detect that something inside my application's process space is calling LoadLibrary, but how do I find out more about what is being loaded? For example, can I get the DLL's path and name?
Define the LoadLibrary prototype:

    // Signature of kernel32!LoadLibraryA: __stdcall, one LPCSTR argument.
    typedef HMODULE(__stdcall* LoadLibraryType) (LPCSTR fileName);

Instantiate a LoadLibraryType:

    // Will point at the trampoline returned by DetourFunc: the stolen prologue
    // bytes followed by a jump back into LoadLibraryA.
    static LoadLibraryType loadlib;

The function that intercepts the call:

    HMODULE __stdcall LoadLibraryHook(LPCSTR fileName) {
        printf("\nLoadLibraryA has been called !!!\n");
        // Forward through the trampoline, never to LoadLibraryA itself,
        // otherwise the hook would re-enter its own jmp.
        return loadlib(fileName);
    }

InitializeLoadLibraryCheck() is called from the main function.

    void InitializeLoadLibraryCheck()
    {
        HMODULE moduleHandle = LoadLibraryA("kernel32.dll");
        if (moduleHandle == NULL) return;
        LoadLibraryType realFuncAddy = (LoadLibraryType)GetProcAddress(moduleHandle, "LoadLibraryA");
        if (realFuncAddy == NULL) return;
        // Overwrite the first 5 bytes of LoadLibraryA with a jmp to LoadLibraryHook.
        // 5 only covers whole instructions for the 32-bit hot-patchable prologue
        // (mov edi,edi; push ebp; mov ebp,esp); this scheme is x86-only.
        loadlib = (LoadLibraryType)(CUtils::DetourFunc((PBYTE) realFuncAddy, (PBYTE) LoadLibraryHook, 5));
        if (loadlib == NULL) return;
        // The trampoline lives in malloc'd memory, which is not executable under
        // DEP, so make it executable before the first call through it. It is
        // len + 5 bytes long (stolen bytes plus the jmp back).
        DWORD dwOld = 0;
        BOOL bProtectRet = VirtualProtect((LPVOID)loadlib, 5 + 5, PAGE_EXECUTE_READWRITE, &dwOld);
        (void)bProtectRet;
    }
Edit: forgot to add the detour function.

    // Needs <windows.h>, <cstdlib> and <cstring>; declared as a static member of CUtils.
    // Assumes 32-bit x86: 5-byte E9 rel32 jumps and DWORD-sized pointers.
    // len must cover whole instructions at the start of src (5 for the
    // hot-patchable kernel32 prologue) or the trampoline executes a torn instruction.
    PVOID CUtils::DetourFunc(BYTE *src, const BYTE *dst, const int len)
    {
        BYTE *jmp = (BYTE*)malloc(len + 5);   // caller must make this executable
        if (jmp == NULL) return NULL;
        DWORD dwback;
        if (!VirtualProtect(src, len, PAGE_EXECUTE_READWRITE, &dwback)) {
            free(jmp);
            return NULL;
        }
        memcpy(jmp, src, len);                // save the stolen prologue bytes
        jmp += len;
        jmp[0] = 0xE9;
        // relative address from trampoline to orig function + len;
        // rel32 is measured from the end of the 5-byte jmp, hence the - 5
        *(DWORD*)(jmp + 1) = (DWORD)(src + len - jmp) - 5;
        src[0] = 0xE9;
        // relative address from the patched function to the hook
        *(DWORD*)(src + 1) = (DWORD)(dst - src) - 5;
        VirtualProtect(src, len, dwback, &dwback);
        FlushInstructionCache(GetCurrentProcess(), src, len);
        // address of the trampoline (stolen bytes + jmp back)
        return (jmp - len);
    }
How do I find out more about what is being loaded? For example, can I get the DLL's path and name?
Just use the fileName parameter. That is the path of the DLL being loaded, e.g.

    HMODULE __stdcall LoadLibraryHook(LPCSTR fileName) {
        // fileName is whatever the caller passed to LoadLibraryA; guard against NULL before printing
        printf("\nLoadLibraryA has been called !!!\nfileName: %s\n", fileName ? fileName : "(null)");
        return loadlib(fileName);
    }
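As an added example (this is my code, not code from the question or the answer above), here is a self-contained x86 version of the same hook that also records the path the loader actually resolved. The fileName argument is only what the caller passed, which may be a bare name such as "user32.dll"; calling GetModuleFileNameA on the HMODULE that LoadLibraryA returns gives the full path of what was mapped. The rel32 encoding and trampoline construction are written as plain buffer functions so the offset arithmetic (the "- 5" in DetourFunc) can be checked without Windows; the installation part assumes a 32-bit build and that kernel32!LoadLibraryA begins with the hot-patchable prologue mov edi,edi; push ebp; mov ebp,esp (bytes 8B FF 55 8B EC), and refuses to patch if it does not. All function and variable names (write_jmp, jmp_target, build_trampoline, install_hook, LoadLibraryA_hook) are mine.

```c
/* Added example: x86 inline hook on LoadLibraryA that logs the resolved DLL path. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_LEN 5        /* size of an E9 rel32 jump */
#define PROLOGUE_LEN 5   /* mov edi,edi; push ebp; mov ebp,esp */

/* Encode "jmp target" into buffer `at`, which will execute at address at_addr.
 * rel32 is measured from the end of the 5-byte instruction. */
static void write_jmp(uint8_t *at, uint32_t at_addr, uint32_t target_addr) {
    int32_t rel = (int32_t)(target_addr - (at_addr + JMP_LEN));
    at[0] = 0xE9;
    memcpy(at + 1, &rel, sizeof rel);   /* little-endian on x86 */
}

/* Decode an E9 jmp at `at` (executing at at_addr) and return its absolute
 * target, or 0 if the byte is not E9. Handy for checking what a patch points at. */
static uint32_t jmp_target(const uint8_t *at, uint32_t at_addr) {
    int32_t rel;
    if (at[0] != 0xE9) return 0;
    memcpy(&rel, at + 1, sizeof rel);
    return at_addr + JMP_LEN + (uint32_t)rel;
}

/* Fill `tramp` with the stolen prologue bytes followed by a jmp back to
 * orig + stolen_len. Returns the trampoline size (stolen_len + 5). */
static size_t build_trampoline(uint8_t *tramp, uint32_t tramp_addr,
                               const uint8_t *orig, uint32_t orig_addr,
                               size_t stolen_len) {
    memcpy(tramp, orig, stolen_len);
    write_jmp(tramp + stolen_len, tramp_addr + (uint32_t)stolen_len,
              orig_addr + (uint32_t)stolen_len);
    return stolen_len + JMP_LEN;
}

#ifdef _WIN32
#include <windows.h>

typedef HMODULE (WINAPI *LoadLibraryA_t)(LPCSTR);
static LoadLibraryA_t g_orig_LoadLibraryA;   /* the trampoline */

/* Runs in place of LoadLibraryA. Logs what the caller asked for and what the
 * loader actually mapped; these differ whenever a bare name was passed. */
static HMODULE WINAPI LoadLibraryA_hook(LPCSTR fileName) {
    HMODULE h = g_orig_LoadLibraryA(fileName);   /* via trampoline, never LoadLibraryA itself */
    char resolved[MAX_PATH] = "";
    if (h != NULL) GetModuleFileNameA(h, resolved, sizeof resolved);
    printf("LoadLibraryA(\"%s\") -> %p, resolved path: %s\n",
           fileName ? fileName : "(null)", (void *)h, h ? resolved : "<load failed>");
    return h;
}

/* Patch kernel32!LoadLibraryA in the current 32-bit process. Refuses to patch
 * if the prologue is not the assumed 8B FF 55 8B EC, so it never splits an
 * instruction. Returns 1 on success, 0 otherwise. */
static int install_hook(void) {
    static const uint8_t expected[PROLOGUE_LEN] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
    if (sizeof(void *) != 4) return 0;       /* rel32 arithmetic is 32-bit only */
    HMODULE k32 = GetModuleHandleA("kernel32.dll");
    uint8_t *target = k32 ? (uint8_t *)GetProcAddress(k32, "LoadLibraryA") : NULL;
    if (target == NULL || memcmp(target, expected, PROLOGUE_LEN) != 0) return 0;

    /* Executable memory for the trampoline instead of a malloc'd buffer. */
    uint8_t *tramp = (uint8_t *)VirtualAlloc(NULL, PROLOGUE_LEN + JMP_LEN,
                                             MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (tramp == NULL) return 0;
    build_trampoline(tramp, (uint32_t)(uintptr_t)tramp,
                     target, (uint32_t)(uintptr_t)target, PROLOGUE_LEN);

    DWORD old;
    if (!VirtualProtect(target, PROLOGUE_LEN, PAGE_EXECUTE_READWRITE, &old)) return 0;
    write_jmp(target, (uint32_t)(uintptr_t)target, (uint32_t)(uintptr_t)LoadLibraryA_hook);
    VirtualProtect(target, PROLOGUE_LEN, old, &old);
    FlushInstructionCache(GetCurrentProcess(), target, PROLOGUE_LEN);
    g_orig_LoadLibraryA = (LoadLibraryA_t)tramp;
    return 1;
}

int main(void) {
    if (!install_hook()) {
        puts("LoadLibraryA prologue not as assumed, hook not installed");
        return 1;
    }
    HMODULE h = LoadLibraryA("user32.dll");   /* goes through the hook, logs the full path */
    if (h) FreeLibrary(h);
    return 0;
}
#endif
```

Build as a 32-bit console program; on a 64-bit build install_hook() returns 0 rather than truncating pointers. Because the hook first calls through the trampoline and only then logs, it sees the HMODULE for both relative and absolute fileName arguments, which is the cheapest way to get the real path without re-implementing the loader's search order.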