BYR Achieve · 镜像论坛

hook了copyfile copyfileex createfile ,前面两个注入到目标进程都没问题，一旦加上createfile后程序就崩溃 dll代码 #include "stdafx.h" #include "detours.h" #pragma comment(lib,"detoured.lib") #pragma comment(lib,"detours.lib") // Must at least ONE export function: __declspec(dllexport) void ExportFunc(void) { } #ifdef _MANAGED #pragma managed(push, off) #endif //------------------------------------------------------- // 共享数据区 // 共享数据区中的数据在DLL被映射的进程中都是共享的 //------------------------------------------------------- //#pragma data_seg (".shared") //HWND g_hWnd = 0; //要读取的编辑框控件句柄 HINSTANCE hDll=NULL; HHOOK g_hHook = 0; //HOOK句柄 HHOOK g_hHook1 = 0; //HOOK句柄 //HHOOK g_hHook2 = 0; //HOOK句柄 //UINT WM_HOOKSPY = 0; //自定义消息，通知远程进程读取编辑框控件的内容 //#pragma data_seg () //#pragma comment(linker,"/SECTION:.shared,RWS") #ifdef _X86_ extern "C" { int _afxForceUSRDLL; } #else extern "C" { int __afxForceUSRDLL; } #endif static VOID (WINAPI * TrueSleep)(DWORD dwMilliseconds) = Sleep; VOID WINAPI DelaySleep(DWORD dwMilliseconds){ TrueSleep(dwMilliseconds+15000); } static BOOL (WINAPI * Real_CopyFileA)(LPCSTR lpExistingFileName, LPCSTR lpNewFileName, BOOL bFailIfExists) = CopyFileA; static BOOL (WINAPI * Real_CopyFileW)(LPCWSTR lpExistingFileName, LPCWSTR lpNewFileName, BOOL bFailIfExists) = CopyFileW; static BOOL (WINAPI * Real_CopyFileExA)( LPCSTR lpExistingFileName,LPCSTR lpNewFileName,LPPROGRESS_ROUTINE lpProgressRoutine,LPVOID lpData,LPBOOL pbCancel,DWORD dwCopyFlags) = CopyFileExA; static BOOL (WINAPI * Real_CopyFileExW)( LPCWSTR lpExistingFileName,LPCWSTR lpNewFileName,LPPROGRESS_ROUTINE lpProgressRoutine,LPVOID lpData,LPBOOL pbCancel,DWORD dwCopyFlags) = CopyFileExW; static HANDLE (WINAPI *Real_CreateFileA)( LPCTSTR lpFileName, // file name DWORD dwDesiredAccess, // access mode DWORD dwShareMode, // share mode LPSECURITY_ATTRIBUTES lpSecurityAttributes, // SD DWORD dwCreationDisposition, // how to create DWORD dwFlagsAndAttributes, // file attributes HANDLE hTemplateFile // handle to template file )=CreateFileA; static HANDLE (WINAPI *Real_CreateFileW)( LPCWSTR lpFileName, // file name DWORD dwDesiredAccess, // access mode DWORD dwShareMode, // share mode LPSECURITY_ATTRIBUTES lpSecurityAttributes, // SD DWORD dwCreationDisposition, // how to create DWORD dwFlagsAndAttributes, // file attributes HANDLE hTemplateFile // handle to template file )=CreateFileW; BOOL WINAPI Mine_CopyFileA(LPCSTR lpExistingFileName, LPCSTR lpNewFileName, BOOL bFailIfExists) { return Real_CopyFileA(lpExistingFileName, lpNewFileName, bFailIfExists); } BOOL WINAPI Mine_CopyFileW(LPCWSTR lpExistingFileName, LPCWSTR lpNewFileName, BOOL bFailIfExists) { char fname1[128]; int len =WideCharToMultiByte( CP_ACP, 0, lpExistingFileName, -1, fname1, 128,NULL,NULL); fname1[len] =0; char fname2[128]; len =WideCharToMultiByte( CP_ACP, 0, lpNewFileName, -1, fname2, 128,NULL,NULL); fname2[len] =0; return Real_CopyFileW(lpExistingFileName, lpNewFileName, bFailIfExists); } BOOL WINAPI Mine_CopyFileExA( LPCSTR lpExistingFileName,LPCSTR lpNewFileName,LPPROGRESS_ROUTINE lpProgressRoutine,LPVOID lpData,LPBOOL pbCancel,DWORD dwCopyFlags) { return Real_CopyFileExA( lpExistingFileName, lpNewFileName, lpProgressRoutine, lpData, pbCancel, dwCopyFlags); } BOOL WINAPI Mine_CopyFileExW( LPCWSTR lpExistingFileName,LPCWSTR lpNewFileName,LPPROGRESS_ROUTINE lpProgressRoutine,LPVOID lpData,LPBOOL pbCancel,DWORD dwCopyFlags) { char fname1[128]; int len =WideCharToMultiByte( CP_ACP, 0, lpExistingFileName, -1, fname1, 128,NULL,NULL); fname1[len] =0; char fname2[128]; len =WideCharToMultiByte( CP_ACP, 0, lpNewFileName, -1, fname2, 128,NULL,NULL); fname2[len] =0; WriteLog("复制W%%%s%%%s", lpExistingFileName, lpNewFileName); return Real_CopyFileExW( lpExistingFileName, lpNewFileName, lpProgressRoutine, lpData, pbCancel, dwCopyFlags); } HANDLE Mine_CreateFileA( LPCTSTR lpFileName, // file name DWORD dwDesiredAccess, // access mode DWORD dwShareMode, // share mode LPSECURITY_ATTRIBUTES lpSecurityAttributes, // SD DWORD dwCreationDisposition, // how to create DWORD dwFlagsAndAttributes, // file attributes HANDLE hTemplateFile // handle to template file ) { HANDLE h = Real_CreateFileA( lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes,hTemplateFile); return h; } HANDLE Mine_CreateFileW( LPCWSTR lpFileName, // file name DWORD dwDesiredAccess, // access mode DWORD dwShareMode, // share mode LPSECURITY_ATTRIBUTES lpSecurityAttributes, // SD DWORD dwCreationDisposition, // how to create DWORD dwFlagsAndAttributes, // file attributes HANDLE hTemplateFile // handle to template file ) { return Real_CreateFileW( lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes,hTemplateFile); } BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { hDll = hModule; int error; switch(ul_reason_for_call) { case DLL_PROCESS_ATTACH: DetourTransactionBegin(); DetourUpdateThread(::GetCurrentThread()); DetourAttach(&(PVOID&)Real_CopyFileA, Mine_CopyFileA); DetourAttach(&(PVOID&)Real_CopyFileW, Mine_CopyFileW); DetourAttach(&(PVOID&)Real_CopyFileExA, Mine_CopyFileExA); DetourAttach(&(PVOID&)Real_CopyFileExW, Mine_CopyFileExW); //DetourAttach(&(PVOID&)Real_CreateFileA,Mine_CreateFileA); //createfile有问题 //DetourAttach(&(PVOID&)Real_CreateFileW, Mine_CreateFileW); // error = DetourTransactionCommit(); if(NO_ERROR!=error) { ::MessageBox(NULL,"Error!","Error in Detours!",MB_OK); } break; case DLL_PROCESS_DETACH: DetourTransactionBegin(); DetourUpdateThread(GetCurrentThread()); DetourDetach(&(PVOID&)Real_CopyFileA, Mine_CopyFileA); DetourDetach(&(PVOID&)Real_CopyFileW, Mine_CopyFileW); DetourDetach(&(PVOID&)Real_CopyFileExA, Mine_CopyFileExA); DetourDetach(&(PVOID&)Real_CopyFileExW, Mine_CopyFileExW); //DetourDetach(&(PVOID&)Real_CreateFileA, Mine_CreateFileA); //DetourDetach(&(PVOID&)Real_CreateFileW, Mine_CreateFileW); error = DetourTransactionCommit(); ::MessageBox(NULL,"Detour ends","Prompt!",MB_OK); break; } return TRUE; } 我的注入程序 m_processToFind= "CDROMControl"; //这个是我要注入的目标进程 PROCESSENTRY32 pe32; pe32.dwSize=sizeof(pe32); HANDLE hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPALL,0); int ret=Process32First(hSnapshot,&pe32); CString a; UpdateData(); if(-1==m_processToFind.Find(".exe",0)) m_processToFind+=".exe"; while(ret) { TRACE("pe32.szExeFile=%s\n",pe32.szExeFile); if(pe32.szExeFile==m_processToFind) { a.Format("进程：%s找到，它的进程ID为：%d",m_processToFind,pe32.th32ProcessID); MessageBox(a); break ; } ret=Process32Next(hSnapshot,&pe32); } HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,0,pe32.th32ProcessID); PVOID addr=VirtualAllocEx(hProcess,NULL,50,MEM_COMMIT, PAGE_READWRITE); if(addr==NULL) { CString a; int ret=GetLastError(); a.Format("1在远程进程申请空间失败！错误码为：%d",ret); MessageBox(a); } else { MessageBox("1远程进程地址空间中申请空间成功！1"); } char path[100]="D:\\360Downloads\\Software\\VCWorkspaces\\DetoursSleep\\Debug\\DetoursSleep.dll"; int retval=WriteProcessMemory(hProcess,addr,(LPVOID)path,sizeof(path),NULL); if(retval) { MessageBox("1写入1成功！"); } else MessageBox("1写入1失败！"); PTHREAD_START_ROUTINE pfnThread=(PTHREAD_START_ROUTINE) GetProcAddress(GetModuleHandle("kernel32.DLL"),"LoadLibraryA"); HANDLE hRemoteThread=CreateRemoteThread( hProcess,//in HANDLE hProcess, NULL, 0,//__in SIZE_T dwStackSize, pfnThread, addr, 0, NULL); if(hRemoteThread==INVALID_HANDLE_VALUE) { MessageBox("1远程线程穿件失败！"); } else { MessageBox("1远程线程创建成功！"); } 先运行目标进程后，在运行我的注入程序，dll能注入，在dll中如果没有hook createfile,copyfile(ex)都能被hook,一旦在dll中加入createfile,程序就崩溃了

hook createfileA/W的问题，但是hook copyfileA/W都没问题