2.2 hook 自定义 C 函数
int RunCmd(const char* cmd);
如果要hook这个函数,可以按照以下几步来做:
a)
b)
c)
d)
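// Detour for RunCmd. It must keep exactly RunCmd's signature and calling
// convention (int, one const char*), because DetourAttach swaps the two
// functions without any argument translation.
int DetourRunCmd(const char* cmd)
{
    // The body is missing from this page (steps a)-d) above were lost in
    // extraction). A detour normally inspects/modifies its arguments and
    // then forwards to the original through the trampoline pointer that
    // DetourAttach fills in — confirm against the original text.
    (void)cmd;
    return 0; // placeholder so the function is well-formed; original body unknown
}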
这样就完成了 hook RunCmd 函数的定义,所需要的就是调用 DetourAttach
2.3 hook类成员函数
// Target class for section 2.3. Its member declarations were lost in
// extraction; the text that follows names the method to be hooked as
// int CData::Run(const char*).
class CData
{
public:
};
现在需要hook int CData::Run(const char*)
a)
// Hook class for CData (step a). Its members were lost in extraction; it
// would hold the replacement for CData::Run with a matching signature and
// calling convention (a member-function hook has to preserve the implicit
// this pointer) — confirm against the original text.
class CDataHook
{
public:
};
b)
c)
{
}
e)
2.4 DetourCreateProcessWithDll
使用这个函数相当于用 CREATE_SUSPENDED 标志调用 CreateProcess。
#undef UNICODE
#include <cstdio>
#include <windows.h>
#include <detours\detours.h>
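// Launches notepad.exe via DetourCreateProcessWithDll so that testdll.dll
// (with detoured.dll as the Detours runtime) is loaded into it before the
// process starts running. Returns 0 on success, 1 on any failure; the
// failing Win32 error code is printed to stderr.
int main()
{
    STARTUPINFO si = {0};
    PROCESS_INFORMATION pi = {0};
    si.cb = sizeof(si);

    // The three paths are bounded by MAX_PATH, so stack buffers replace the
    // new[] allocations of the original (which also leaked on any early exit).
    char DirPath[MAX_PATH];
    char DLLPath[MAX_PATH];    // testdll.dll
    char DetourPath[MAX_PATH]; // detoured.dll

    // GetCurrentDirectory returns 0 on failure and the required size when the
    // buffer is too small; either way DirPath does not hold a usable path.
    DWORD len = GetCurrentDirectory(MAX_PATH, DirPath);
    if (len == 0 || len > MAX_PATH) {
        fprintf(stderr, "GetCurrentDirectory failed: %lu\n", GetLastError());
        return 1;
    }

    // sprintf_s reports -1 when the formatted path does not fit; a truncated
    // DLL path would make the injection fail with a confusing error later.
    if (sprintf_s(DLLPath, MAX_PATH, "%s\\testdll.dll", DirPath) < 0 ||
        sprintf_s(DetourPath, MAX_PATH, "%s\\detoured.dll", DirPath) < 0) {
        fprintf(stderr, "DLL path does not fit in MAX_PATH\n");
        return 1;
    }

    // lpCommandLine is LPSTR and CreateProcess may write into it, so pass a
    // writable buffer rather than a string literal.
    char cmdLine[] = "C:\\windows\\notepad.exe";

    if (!DetourCreateProcessWithDll(NULL, cmdLine, NULL,
                                    NULL, FALSE, CREATE_DEFAULT_ERROR_MODE, NULL, NULL,
                                    &si, &pi, DetourPath, DLLPath, NULL)) {
        fprintf(stderr, "DetourCreateProcessWithDll failed: %lu\n", GetLastError());
        return 1;
    }

    // The launcher owns the two handles returned in pi; close them so the
    // process and thread objects are not kept alive by this program.
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}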
2.5 Detouring by Address
假如出现这种情况怎么办?我们需要 hook 的函数既不是一个标准的 WIN32 API,也不是导出函数。这时我们需要把我们的程序和所要注入的目标程序同时编译,或者,把函数的地址硬编码:
#undef UNICODE
#include <cstdio>
#include <windows.h>
#include <detours\detours.h>
// Signature of the function being detoured: a WINAPI (__stdcall) function
// taking one DWORD and returning nothing. MyFunc must match it exactly.
typedef void (WINAPI *pFunc)(DWORD);
void WINAPI MyFunc(DWORD);
// Hard-coded address of the target function inside the process this DLL is
// loaded into. The value is only valid for one specific build and load
// address of that process; it has to be re-derived whenever the target
// changes, and does not survive image relocation — confirm for the target.
pFunc FuncToDetour = (pFunc)(0x0100347C); // address to detour in the process
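// DLL entry point: installs MyFunc over FuncToDetour when the DLL is loaded
// and removes it again on unload. Returns FALSE when the detour could not be
// committed, so the loader fails the load instead of leaving the DLL resident
// in a process it did not patch.
INT APIENTRY DllMain(HMODULE hDLL, DWORD Reason, LPVOID Reserved)
{
    LONG err;
    switch(Reason)
    {
    case DLL_PROCESS_ATTACH:
        DisableThreadLibraryCalls(hDLL);
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)FuncToDetour, MyFunc);
        // DetourTransactionCommit returns NO_ERROR on success; otherwise the
        // transaction (including any error recorded by DetourAttach) is
        // rolled back and nothing in the process was modified.
        err = DetourTransactionCommit();
        if (err != NO_ERROR)
        {
            return FALSE;
        }
        break;
    case DLL_PROCESS_DETACH:
        // Reserved is non-NULL when the process is terminating; the image is
        // going away, so there is nothing to restore and running Detours
        // code at that point is unnecessary.
        if (Reserved != NULL)
        {
            break;
        }
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID&)FuncToDetour, MyFunc);
        DetourTransactionCommit();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    default:
        break;
    }
    return TRUE;
}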
// Replacement that runs in place of the function at FuncToDetour once the
// transaction in DllMain commits. As written it never calls the original;
// after DetourAttach, FuncToDetour points at the trampoline, so
// FuncToDetour(someParameter) is how the original would be reached.
void WINAPI MyFunc(DWORD someParameter)
{
    //Some magic can happen here
}