windows 如何在 EXE 文件中找到挂钩/绕行的函数地址?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4317465/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to find a functions address to hook/detour in an EXE file?
提问by Nefarius
I drove against a wall again and need your help with some low-level stuff. I already succeeded in hooking exported DLL-Functions (with this code btw.) by injecting them into my target process (e.g. I can easily detour MessageBoxWfrom user32.dll). Unfortunately I aim for a different scenario: I have to detour a function defined inside the executableI'm injecting my code into. The application is Open-Source so I know everything about the function I'd need for hooking it, but the binary is signed with a certificate so I can not compile my own version. Is it possible to fetch the functions' address at runtime or detour it with another technique? The target is a "normal" 32bit Windows binary btw. nothing special I thought ;)
我又撞墙了,需要你帮忙处理一些低级的事情。我已经成功挂钩导出的DLL函数(顺便说一句,此代码。通过它们注入我的目标进程)(例如,我可以轻松地绕道MessageBoxW从user32.dll)。不幸的是,我的目标是一个不同的场景:我必须绕过在我注入代码的可执行文件中定义的函数。该应用程序是开源的,所以我知道挂钩它所需的所有功能,但二进制文件是用证书签名的,所以我无法编译我自己的版本。是否可以在运行时获取函数的地址或使用其他技术绕过它?目标是一个“普通”的 32 位 Windows 二进制文件。我觉得没什么特别的;)
Yours, Nefarius
你的,奈法留斯
EDIT:maybe due to my lame English I was not detailed enough, so here a little sample code:
编辑:可能是因为我的英语不够详细,所以这里有一些示例代码:
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd )
{
foo();
}
BOOL foo(char* someData)
{
return printf("%s", someData);
}
Now I want to detour the function foo()which does not exist in a dynamic library. This is my problem. I don't know how and I'm not sure if this works like I think it does.
现在我想绕过foo()动态库中不存在的函数。这是我的问题。我不知道怎么做,也不确定这是否像我想的那样工作。
EDIT:Now I know it is possible, so the important question changed to: how? How do I get the information I need; the functions address?
编辑:现在我知道这是可能的,所以重要的问题变成了:如何?我如何获得我需要的信息;函数地址?
采纳答案by Nefarius
I acquired my aim with hooking some low-level Windows API functions, not the best solution but it works, Assembler isn't mine...
我通过挂钩一些低级 Windows API 函数来实现我的目标,这不是最好的解决方案,但它有效,汇编程序不是我的......
回答by Chinmay Kanchi
Sure, just use something like Ollydbgto set a breakpoint, and edit the assembly after the executable has loaded (and finished checking its certificate). To do it permanently is a bit more challenging, but depending on how sophisticated the certificate check is, you might just be able to bypass that bit of code by replacing it with a NOP(no operation).
当然,只需使用类似Ollydbg 的东西来设置断点,并在加载可执行文件(并完成检查其证书)后编辑程序集。永久执行此操作更具挑战性,但取决于证书检查的复杂程度,您可能只能通过将其替换为NOP(无操作)来绕过该位代码。
EDIT:If you're running 64-bit Windows, you might have better luck with Microsoft's own Debugging Tools. I've never used them, so I have no idea how they compare to Ollydbg.
编辑:如果您运行的是 64 位 Windows,则使用 Microsoft 自己的Debugging Tools可能会更好。我从未使用过它们,所以我不知道它们与 Ollydbg 相比如何。
回答by Daniel Goldberg
If this is for something that is more than a one time debugging jaunt, look into Microsoft Detours, an API for hooking functions.
如果这是为了不止一次的调试短途旅行,请查看Microsoft Detours,一种用于挂钩函数的 API。
回答by opc0de
you need to get the functions address then insert a jmp at the functions entry point to your procedure and then restore the original proc and then jump back to the original function.
您需要获取函数地址,然后在函数入口点插入一个 jmp 到您的过程,然后恢复原始 proc,然后跳回原始函数。
回答by Pablo Yabo
Use EasyHook for that. With that library you can intercept a function with the address.
为此使用 EasyHook。使用该库,您可以拦截具有地址的函数。
