
64位系统下inline hook 32位程序

悬赏园豆:200 [待解决问题]
/* Address of CreateFileW inside the private kernel32 copy built by BackupDll.
 * Stays 0 (zero-initialised global) until BackupDll succeeds; MyCreateFileW
 * calls through it.  A DWORD can only hold a pointer in a 32-bit build. */
DWORD _myCreate;

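void BackupDll()
{
    /*
     * Make a private, executable copy of the in-memory kernel32 image and
     * record where CreateFileW lives inside that copy.  MyCreateFileW later
     * calls the copy, so the real CreateFileW can be overwritten with a jump
     * without needing a trampoline.
     *
     * On any failure _myCreate is left untouched (0 if never set); nothing
     * may call through it until this function has succeeded.
     */
    HMODULE    hKernel32 = GetModuleHandle(L"kernel32.dll");
    MODULEINFO Mdl_Info;
    LPVOID     lpNewDLL  = NULL;
    DWORD_PTR  base, imageEnd, exportAddr;
    DWORD      oldProt;

    if (hKernel32 == NULL)
        return;
    ZeroMemory(&Mdl_Info, sizeof(Mdl_Info));
    if (!GetModuleInformation(GetCurrentProcess(), hKernel32, &Mdl_Info, sizeof(Mdl_Info)))
        return;

    /* Resolve the export before allocating anything so there is nothing to
     * clean up when it cannot be used. */
    exportAddr = (DWORD_PTR)GetProcAddress(hKernel32, "CreateFileW");
    base       = (DWORD_PTR)Mdl_Info.lpBaseOfDll;
    imageEnd   = base + Mdl_Info.SizeOfImage;

    /*
     * The rebasing arithmetic below only makes sense if the resolved address
     * lies inside kernel32's own image.  GetProcAddress follows export
     * forwarders, so on systems where kernel32 forwards CreateFileW to another
     * DLL (KernelBase.dll on newer Windows, for example) the address is outside
     * this range and "exportAddr - base + lpNewDLL" would be a wild pointer
     * into unmapped memory.  Refuse rather than hand MyCreateFileW garbage.
     */
    if (exportAddr == 0 || exportAddr < base || exportAddr >= imageEnd)
        return;

    lpNewDLL = VirtualAllocEx(GetCurrentProcess(), NULL, Mdl_Info.SizeOfImage,
                              MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (lpNewDLL == NULL)
        return;

    /* Same-process copy of the whole mapped image (headers, code and data). */
    if (!WriteProcessMemory(GetCurrentProcess(), lpNewDLL, Mdl_Info.lpBaseOfDll,
                            Mdl_Info.SizeOfImage, NULL))
    {
        /* MEM_RELEASE with size 0 frees the whole allocation; the original
         * MEM_DECOMMIT left the address range reserved (leak). */
        VirtualFreeEx(GetCurrentProcess(), lpNewDLL, 0, MEM_RELEASE);
        return;
    }

    /* Drop write access now that the copy is complete: a writable+executable
     * private copy of kernel32 is an easy code-injection target.  Best effort;
     * the copy is still usable if this fails. */
    VirtualProtect(lpNewDLL, Mdl_Info.SizeOfImage, PAGE_EXECUTE_READ, &oldProt);

    /*
     * Rebase the export's RVA onto the copy.  The copy is NOT relocated: only
     * code that is self-contained under a constant shift (relative calls and
     * jumps within the image, absolute references that still point back into
     * the original kernel32) behaves correctly when executed from here.
     */
    _myCreate = (DWORD)(exportAddr - base + (DWORD_PTR)lpNewDLL);
}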

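HANDLE WINAPI MyCreateFileW(__in LPCWSTR lpFileName, __in DWORD dwDesiredAccess, __in DWORD dwShareMode, 
    __in_opt LPSECURITY_ATTRIBUTES lpSecurityAttributes, __in DWORD dwCreationDisposition, 
    __in DWORD dwFlagsAndAttributes, __in_opt HANDLE hTemplateFile)
{
    /*
     * Hook body installed over kernel32!CreateFileW.  Every argument is passed
     * unchanged to the CreateFileW inside the private kernel32 copy made by
     * BackupDll (address in _myCreate) and its result is returned, so callers
     * see the normal CreateFileW contract: a handle on success,
     * INVALID_HANDLE_VALUE with GetLastError() set on failure.
     *
     * Must stay WINAPI (stdcall) with exactly CreateFileW's parameter list:
     * the patched entry point jumps here with CreateFileW's stack frame and
     * this function pops the arguments on return.
     */
    typedef HANDLE (WINAPI *PFN_CREATEFILEW)(LPCWSTR, DWORD, DWORD,
                                             LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE);
    PFN_CREATEFILEW pCreate = (PFN_CREATEFILEW)(DWORD_PTR)_myCreate;

    /* BackupDll has not run or failed.  If the patch is already installed the
     * original entry point is gone too, so fail the call the way CreateFileW
     * would rather than jump through a null pointer. */
    if (pCreate == NULL)
    {
        SetLastError(ERROR_INVALID_FUNCTION);
        return INVALID_HANDLE_VALUE;
    }
    return pCreate(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
                   dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
}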

//DLL操作
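        /*
         * Install the inline hook: overwrite the first 7 bytes of
         * kernel32!CreateFileW with "mov eax, MyCreateFileW ; jmp eax".
         * Return codes: 5 = CreateFileW not found, 6 = patch write failed, 0 = ok.
         *
         * The stub encodes a 4-byte absolute address, i.e. it targets x86 code.
         * A 32-bit process under WOW64 still executes x86 code, so the same stub
         * applies there; it would be wrong for a 64-bit target.
         */
        LPVOID _pCreate=(PVOID)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "CreateFileW");
        BYTE New_Code2[7];
        DWORD _JmpAddr=(DWORD)(DWORD_PTR)MyCreateFileW;
        if (NULL==_pCreate)
            return 5;
        /* B8 imm32 = mov eax, imm32 ; FF E0 = jmp eax.  eax is caller-saved and
         * carries nothing at a stdcall entry point, so clobbering it is safe. */
        New_Code2[0] = 0xB8;
        memcpy(&New_Code2[1],&_JmpAddr,sizeof(_JmpAddr));
        New_Code2[5] = 0xFF;
        New_Code2[6] = 0xE0;
        /* NOTE(review): this must run AFTER BackupDll has copied kernel32;
         * otherwise the copy contains this patched prologue and MyCreateFileW
         * ends up calling itself.  The write is not atomic with respect to
         * other threads that may be executing CreateFileW at this moment. */
        if (!WriteProcessMemory(GetCurrentProcess(),_pCreate,New_Code2,sizeof(New_Code2),NULL))
            return 6;
        /* Self-modifying code: make the new bytes visible to the instruction cache. */
        FlushInstructionCache(GetCurrentProcess(), _pCreate, sizeof(New_Code2));
        return 0;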

上面这段代码在32位系统HOOK32位程序正常
但是在64位系统HOOK32位程序不正常

不知道是哪里的问题,大家帮忙看看吧
注入程序是32位的

如果 MyCreateFileW 不调用 pCreate、直接返回，一切正常；
一旦调用 pCreate（也就是跳进 kernel32 副本里的 CreateFileW），被注入程序就弹出访问违例（“地址错误”之类）的错误提示框。

 

如果

48 B8 XX XX XX XX XX XX XX XX 50 C3

memcpy(&New_Code2[2],&_JmpAddr,8);
还是不行啊。（注：New_Code2 只有 7 字节、_JmpAddr 只有 4 字节，这一句从偏移 2 开始拷贝 8 字节，既越界读 _JmpAddr 又越界写 New_Code2；而且被注入程序是 32 位的，即使在 64 位系统的 WOW64 下执行的也仍是 x86 代码，不能使用 x64 的 mov rax 编码。）

风卷残云的主页 风卷残云 | 初学一级 | 园豆:2
提问于:2012-08-16 17:26
所有回答(2)

是不是系统有问题啊

L875155279 | 园豆:26 (初学一级) | 2012-08-16 17:36

没有问题的,在别的电脑、虚拟机上都测试过了

结果都是这样

支持(0) 反对(0) 风卷残云 | 园豆:2 (初学一级) | 2012-08-16 17:37

@风卷残云: 那就不清楚了

支持(0) 反对(0) L875155279 | 园豆:26 (初学一级) | 2012-08-16 17:38

New_Code2[0] = 0xB8; memcpy(&New_Code2[1],&_JmpAddr,4); New_Code2[5] = 0xFF; New_Code2[6] = 0xE0;

 

64 位代码的地址长度为 8 字节，你这个 7 字节的 stub 只能用于 32 位（x86）代码。不过题主说明注入目标是 32 位程序，它在 64 位系统上运行于 WOW64，执行的仍是 x86 代码、指针仍是 4 字节，所以这个 stub 本身并没有错；8 字节地址只在 hook 64 位目标时才需要。

改成:

memcpy(&New_Code2[1],&MyCreateFileW,sizeof(void*));

试试（注意：在 sizeof(void*)==8 的 64 位编译下，这会从偏移 1 写入 8 字节，超出 7 字节的 New_Code2；此时必须同时扩大数组并改用下面的 x64 编码）

*神气* | 园豆:196 (初学一级) | 2014-01-04 16:58

我查了一下，64 位（x64 原生代码）下的绝对 jmp 编码与 32 位不同——注意这只适用于 hook 64 位目标，WOW64 中的 32 位程序仍使用 x86 编码：

/*
The absolute jump is (x64) :

48 b8 ef cd ab 89 67 45 23 01   mov rax, 0x0123456789abcdef
ff e0                           jmp rax

And for x86 :

b8 67 45 23 01   mov eax, 0x01234567
ff e0            jmp eax
*/

 

FYI !

支持(1) 反对(0) *神气* | 园豆:196 (初学一级) | 2014-01-04 16:59