I am trying to use EasyHook to hook the native LoadLibrary call. It does detect the library being loaded, but the process then freezes. This is because the LoadLibrary_Hook method below cannot load the dll/library: it returns a 0 IntPtr (probably because the library cannot be found). I even tried changing the event to return "void", but then the process simply crashes, probably because EasyHook expects me to return a value that replaces the function's. Is there a way for me to return exactly the library that needs to be loaded, or just to get the name of the library being loaded without having to load it manually? (Some of the names that appear during loading also look like this: 瑮湯?湯l邐邐仇嗿??謘??四襗?嶉觬?嶉觰?嶉????謀萋苐苒るるバ??萏?????疋?????瓋謇???綋? which is a bit strange...)

using System;
using System.Runtime.InteropServices;
using EasyHook;

private static LocalHook hook;

[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public static extern IntPtr GetModuleHandle(string lpModuleName);

[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibrary(string lpFileName);

[DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr handle, string varormethodname);

[UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
public delegate IntPtr LoadLibraryDelegate(string lpFileName);

public TestHook()
{
    IntPtr kernel32 = GetModuleHandle("kernel32.dll");
    Logger.Log("Kernel: " + kernel32);
    IntPtr address = GetProcAddress(kernel32, "LoadLibraryA");
    Logger.Log("Address: " + address);
    hook = LocalHook.Create(address, new LoadLibraryDelegate(LoadLibrary_Hook), null);
    hook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
    //RemoteHooking.WakeUpProcess();
}

public IntPtr LoadLibrary_Hook(string lpFileName)
{
    Logger.Log("File load: " + lpFileName);
    return LoadLibrary(lpFileName);
}
1 Answer

喵喵時(shí)光機(jī)
The solution is to call the original method through the original function's address:
// LoadLibraryAddress holds the address returned by GetProcAddress(kernel32, "LoadLibraryA"),
// i.e. the same address that was passed to LocalHook.Create in the constructor.
private static IntPtr LoadLibraryAddress;

public IntPtr LoadLibrary_Hook(string lpFileName)
{
    Logger.Log("File load: " + lpFileName);
    LoadLibraryDelegate origMethod = (LoadLibraryDelegate)Marshal.GetDelegateForFunctionPointer(LoadLibraryAddress, typeof(LoadLibraryDelegate));
    return origMethod(lpFileName);
}
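The following is an added example, not code from the question or the answer above, showing the two things a practitioner would want to check in this hook. First, the hooked export is LoadLibraryA, which takes an ANSI string, so the delegate must be declared with CharSet.Ansi: a CharSet.Unicode delegate makes the marshaller read the ANSI bytes two at a time as UTF-16, which is exactly the kind of CJK-looking garbage the question quotes, and the garbage name is why the load returned 0. Second, the delegate that calls the original is built once from the export address, before the hook is installed, instead of on every call inside the handler; the call from inside the handler reaches the real LoadLibraryA because EasyHook does not re-enter a hook handler from a thread that is already executing one, which is what the answer's approach relies on. The class name, the LibraryLoaded event and the Handler method are names chosen for this example.

```csharp
using System;
using System.Runtime.InteropServices;
using EasyHook;

// Added example (not from the question or the answer): in-process hook of
// kernel32!LoadLibraryA that reports every load and forwards to the original.
public sealed class LoadLibraryAHook : IDisposable
{
    // LoadLibraryA takes an LPCSTR, so the delegate is CharSet.Ansi. Declaring
    // it CharSet.Unicode reads the ANSI bytes as UTF-16 and yields garbage names.
    [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Ansi, SetLastError = true)]
    private delegate IntPtr LoadLibraryADelegate(string lpFileName);

    private readonly LocalHook hook;
    private readonly LoadLibraryADelegate original;

    // Raised with the requested name, the module handle the original returned,
    // and the Win32 error code when that handle is IntPtr.Zero (0 otherwise).
    public event Action<string, IntPtr, int> LibraryLoaded;

    public LoadLibraryAHook()
    {
        // Same address the question obtains via GetModuleHandle + GetProcAddress;
        // EasyHook ships a helper for it.
        IntPtr target = LocalHook.GetProcAddress("kernel32.dll", "LoadLibraryA");

        // Build the "call the original" delegate once, up front, rather than
        // calling Marshal.GetDelegateForFunctionPointer on every load.
        original = (LoadLibraryADelegate)Marshal.GetDelegateForFunctionPointer(
            target, typeof(LoadLibraryADelegate));

        hook = LocalHook.Create(target, new LoadLibraryADelegate(Handler), this);

        // Exclusive ACL: every thread except those listed is intercepted, and
        // thread id 0 is the calling thread, so only the installing thread is
        // left alone (the same call the question makes).
        hook.ThreadACL.SetExclusiveACL(new int[] { 0 });
    }

    private IntPtr Handler(string lpFileName)
    {
        // The caller may already hold the loader lock (LoadLibrary called from
        // a DllMain), so do as little as possible here and never trigger further
        // module loads from inside the handler.
        IntPtr module = original(lpFileName);   // reaches the real LoadLibraryA
        int error = module == IntPtr.Zero ? Marshal.GetLastWin32Error() : 0;

        Action<string, IntPtr, int> subscribers = LibraryLoaded;
        if (subscribers != null)
            subscribers(lpFileName, module, error);

        // Return what the original returned so the caller gets the real handle
        // (or NULL plus the last error) and the process keeps running.
        return module;
    }

    public void Dispose()
    {
        hook.Dispose();
    }
}
```

Use it from the code that runs inside the target process (for an injected assembly, the IEntryPoint.Run method): create the object, subscribe to LibraryLoaded, and keep the object alive for as long as the hook should stay installed; before the hooking assembly unloads, call LocalHook.Release() so no thread is still inside the trampoline. Note that only the LoadLibraryA export is hooked here; loads that go through LoadLibraryW or LoadLibraryExA/ExW (which is what most modern code and the runtime itself use) need hooks of their own, or a hook on ntdll!LdrLoadDll, which all of them end up in.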