嗯,我想学习hooking,但是网上找的教程好像跑不了。
我想做的是 C++ 中的跳钩。
代码如下:
void DoHook(DWORD* Address, DWORD* Hook, DWORD pid){
HANDLE Server = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ , false, pid );
Address = (DWORD*)Address + 0x18;
DWORD OldProt;
DWORD HookOffset = (DWORD*)Hook-(DWORD*)Address-5;
std::wcout << "Hook on address" << std::hex << Address<< std::endl;
std::wcout << "Hook offset is " << std::hex << HookOffset << std::endl;
if ( ! VirtualProtectEx(Server, (LPVOID) Address, 40,PAGE_EXECUTE_READWRITE, &OldProt) ) {
ErrorExit(L"VirtualProtectEx");
};
char* CharPointer = (char*) Address;
BYTE newdata[5]={0xE9};
BYTE x;
int i = 1;
while ( HookOffset > 0 ) {
x = HookOffset & 0xff;
newdata[5-i] = x;
i++;
HookOffset >>= 8;
}
std::wcout << "Bytes " <<newdata[0] << " " << newdata[1] << " " << newdata[2] << " " << newdata[3] << " " << newdata[4] << std::endl;
DWORD newdatasize = sizeof(newdata);
if ( ! WriteProcessMemory(Server,Address,(LPCVOID*)newdata,newdatasize,NULL) ) {
ErrorExit(L"WriteProcessMemory");
}
// VirtualProtect((void*) Address, 40, 0x40, &OldProt);
return;
}
这是一些输出文本:
Process ID is 2764 // PID of the app that's being hooked
Function address is 00A81190 // this is the function i'm doing the jump to
Entry point is 00080000 // for the app that's being hooked
Hook on address 00080060 // for the app that's being hooked
Hook offset is 28048e // HookAddress - FunctionAddress - 5
Bytes e9 0 28 4 8e // this is the jump i'm planning to do
Press any key to continue . . .
但是,应用程序不会更新。
最佳答案
您必须以管理员身份运行程序才能拥有写入进程内存的正确权限。这是我的x86绕行函数,我已经测试并使用了很多次
bool Detour32(char* src, char* dst, const intptr_t len)
{
if (len < 5) return false;
DWORD curProtection;
VirtualProtect(src, len, PAGE_EXECUTE_READWRITE, &curProtection);
intptr_t relativeAddress = (intptr_t)(dst - (intptr_t)src) - 5;
*src = (char)'\xE9';
*(intptr_t*)((intptr_t)src + 1) = relativeAddress;
VirtualProtect(src, len, curProtection, &curProtection);
return true;
}
src是你要放置钩子(Hook)的地址,dst是你要跳转到的地址。 len 是您要使用 jmp 销毁的字节数。 jmp 是 5 个字节,因此如果您要销毁超过 5 个字节的指令,则需要将 5 个以上的“被盗字节”复制到您的目标中以确保它们得到执行。
关于C++ 跳转钩子(Hook) [Windows],我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/18692525/