WinAPI在记事本中挂钩CreateFileW
-2 c++ stack-overflow hook winapi detours
我制作了一个DLL,它应该CreateFileW从记事本挂钩,但它崩溃了.经过调试后我发现它导致了HookedCreateFile函数第一行的堆栈溢出:
(它说它导致地址异常错误......)
异常点处的callstack:
我的代码:
typedef HANDLE(WINAPI * CreateFileFn)(
LPCWSTR lpFileName,
DWORD dwDesiredAccess,
DWORD dwShareMode,
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
DWORD dwCreationDisposition,
DWORD dwFlagsAndAttributes,
HANDLE hTemplateFile);
CreateFileFn oCreateFile = (CreateFileFn)GetProcAddress(GetModuleHandleA("kernel32.dll"), "CreateFileW");
HANDLE WINAPI HookedCreateFile(
LPCWSTR lpFileName,
DWORD dwDesiredAccess,
DWORD dwShareMode,
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
DWORD dwCreationDisposition,
DWORD dwFlagsAndAttributes,
HANDLE hTemplateFile)
{
//std::cout << "Hello!" << std::endl;
return oCreateFile(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
}
我使用DetourFunction的是Microsoft Detours:
DetourFunction((PBYTE)oCreateFile, (PBYTE)HookedCreateFile);
首先,DetourFunction()是旧的,它已被取代DetourAttach().您应该更新代码以使用新版本的Detours库.请参阅Microsoft的使用Detours的wiki .
其次,当你绕过一个函数时,你正在用跳转到钩子函数来替换函数的前几条指令.DetourFunction()返回一个蹦床,你必须使用它来调用原始函数.蹦床执行被替换的指令,然后跳转到原始函数的剩余未挂钩代码.
但是,你的钩子根本就没有使用蹦床,所以每当它调用时oCreateFile,它最终会在一个无限的递归循环中反复回调.这就是导致堆栈溢出错误的原因,因为每次调用都会将输入参数的另一个副本推送到调用堆栈.最终,调用堆栈的可用空间不足.
试试这个:
CreateFileFn origCreateFile = (CreateFileFn) GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")), "CreateFileW");
CreateFileFn trampCreateFile;
HANDLE WINAPI HookedCreateFile(
LPCWSTR lpFileName,
DWORD dwDesiredAccess,
DWORD dwShareMode,
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
DWORD dwCreationDisposition,
DWORD dwFlagsAndAttributes,
HANDLE hTemplateFile)
{
//std::cout << "Hello!" << std::endl;
return trampCreateFile(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
}
...
trampCreateFile = (CreateFileFn) DetourFunction((PBYTE)origCreateFile, (PBYTE)HookedCreateFile);