Everyone knows the famous Detours; for the edition that can hook x64 Microsoft actually charges US$9,999... (ten thousand words of ranting omitted here)
So here I'd like to introduce a free, open-source library from the US: EasyHook (an inline hooking library). Download it here:
http://easyhook.codeplex.com/releases/view/24401 . Copy the header and lib files into the project folder, and copy the DLL into the System32 directory (on 64-bit Windows the 32-bit EasyHook DLL belongs in SysWOW64, since System32 there holds the 64-bit DLLs).
OK, now to the point.
Suppose the task is to monitor what Troj.exe does. A.exe is the monitoring application: it walks the list of running processes and, if it finds Troj.exe, injects B.dll into that process with a remote thread. (A.exe and B.dll must be built for the same bitness as Troj.exe; a 32-bit injector cannot load a DLL into a 64-bit process this way, which is exactly why the x64 question matters.)
PS: on XP a plain CreateRemoteThread is enough, but on Vista/7 it fails when the target lives in another session (for example when A.exe runs as a service and Troj.exe runs on the user's desktop), so there the native NtCreateThreadEx from ntdll is used instead, as follows:

#include <windows.h>
#include <stdio.h>

// NtCreateThreadEx is undocumented; this is the commonly used prototype.
// The three size parameters are SIZE_T in the real function, not DWORD:
// passing DWORDs leaves the upper 32 bits of those arguments undefined on
// x64, which can make the call fail with a stack-size related status.
typedef LONG (WINAPI *PFNTCREATETHREADEX)
(
    OUT PHANDLE             ThreadHandle,
    ACCESS_MASK             DesiredAccess,
    LPVOID                  ObjectAttributes,
    HANDLE                  ProcessHandle,
    LPTHREAD_START_ROUTINE  lpStartAddress,
    LPVOID                  lpParameter,
    BOOL                    CreateSuspended,
    SIZE_T                  dwStackSize,
    SIZE_T                  dw1,
    SIZE_T                  dw2,
    LPVOID                  Unknown
);

// Not shown on the page; a minimal version so the listing compiles.
static void ErrorReport(DWORD err)
{
    fprintf(stderr, "error 0x%08lX\n", err);
}

BOOL IsVistaOrLater()
{
    // GetVersionEx is deprecated and, from Windows 8.1 on, reports the version
    // the application manifest allows; for the "6.0 or newer?" question asked
    // here that still gives the right answer.
    OSVERSIONINFO osvi;
    ZeroMemory(&osvi, sizeof(OSVERSIONINFO));
    osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    GetVersionEx(&osvi);
    if( osvi.dwMajorVersion >= 6 )
    {
        return TRUE;
    }
    return FALSE;
}

BOOL MyCreateRemoteThread(HANDLE hProcess, LPTHREAD_START_ROUTINE pThreadProc, LPVOID pRemoteBuf)
{
    HANDLE hThread = NULL;
    FARPROC pFunc = NULL;
    if( IsVistaOrLater() )    // Vista, 7, Server2008
    {
        pFunc = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtCreateThreadEx");
        if( pFunc == NULL )
        {
            ErrorReport(GetLastError());
            return FALSE;     // without this the NULL pointer below would be called
        }
        // The page's listing stops after hProcess; the remaining arguments
        // follow the prototype above and the rest of the function is
        // completed here. 0x1FFFFF is THREAD_ALL_ACCESS on Vista and later.
        LONG status = ((PFNTCREATETHREADEX)pFunc)(&hThread,
                                                  0x1FFFFF,
                                                  NULL,
                                                  hProcess,
                                                  pThreadProc,
                                                  pRemoteBuf,
                                                  FALSE,
                                                  0, 0, 0,
                                                  NULL);
        if( status < 0 || hThread == NULL )
        {
            ErrorReport((DWORD)status);   // an NTSTATUS, not a Win32 error code
            return FALSE;
        }
    }
    else                      // 2000, XP, 2003
    {
        hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, pRemoteBuf, 0, NULL);
        if( hThread == NULL )
        {
            ErrorReport(GetLastError());
            return FALSE;
        }
    }

    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
    return TRUE;
}