學習c++ (六)注入和inline hook


不知為何叫 inline hook,叫 hot patch 更適合一點。說的是什么事呢?大概是這個意思:

// Increments both arguments and returns their sum (a + b + 2).
// This is the function the hook below targets: its first argument is what the
// injected DLL rewrites on the stack.
int ccc(int a, int b)
{
    const int next_a = a + 1;
    const int next_b = b + 1;
    return next_a + next_b;
}
// Host program for the hooking demo: waits for a keypress (time to attach a
// debugger / inject the DLL), calls ccc(1, 2) and prints the result.
int main()
{
    getchar();
    // Marker string: makes this spot easy to find in a debugger (see text above).
    char k[] = "xxxx";
    const int c = ccc(1, 2);
    std::cout << c << std::endl;

    system("pause");
    return 0;
}

 

現在我想在跟一個第三方程序時,想獲取ccc方法中a的值,或者說想修改參數a的值,那么就肯定要改ccc這個函數的一些東西 ,最后變成這樣的

// Illustrative pseudocode only (not valid C++): the first instruction of ccc is
// replaced by a jump out to the hook, which later jumps back to backaddress.
int ccc(int a, int b)
{ 
    goto newaddress();
    backaddress:
    a++;
    b++;
    return a + b;
}

// Illustrative pseudocode only (not valid C++): the hook does its own work and
// then hands control back to the label inside ccc.
int newaddress()()
{
    do sth....
    goto backaddress;
}

當然在 C++ 里是不能這樣寫的,但在內存里執行指令的時候可以。當然也有區別:內存里的指令是不可以插隊的,但可以換個辦法把某個指令換掉,后面再執行回來。

比如

 

 

在內存里,調用ccc方法(call C2.012B10EB)之前,有兩個指令push ,分別把1和2這個參數傳給它了,就在這里下手

一般情況下,為什么要用call來下手呢,因為剛好我們要用jmp xxxxxx 等5個字節替換它,長度一致,省得出問題,就直接替換成jmp  xxxxxxxx

跳過去弄完自己的事,然后把這個call C2.012B10EB 執行一下,然后跳回012B6C11這個地址繼續執行,即可達到自己的目的 ,這個哥們雖然沒有完整代碼,但寫的較好理解 

https://www.cnblogs.com/luoyesiqiu/p/12306336.html

exe代碼就上面那些,啥都沒有,空殼,dll代碼如下:

//#include "stdafx.h";

#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>
#include <atomic>
#include <cstring>
#include <iostream>
#include <stdio.h>
using namespace std;

 
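// Worker threads started from DllMain (defined below).
DWORD WINAPI MyThreadProc2(LPVOID pParam);
DWORD WINAPI MyThreadProc1(LPVOID pParam);

// Writes a 5-byte jmp to FuncBeCall over hookAddr, saving the original bytes
// into backCode; Unhooks puts them back. Both return 0 on success, -1 on failure.
int StartHooks(DWORD hookAddr, BYTE backCode[5], void (*FuncBeCall)());
int Unhooks(DWORD hookAddr, BYTE backCode[5]);
void Wchar_tToString(std::string& szDst, wchar_t* wchar);  // declared but not defined in this listing

BYTE backCode[5] = { 0 };  // original bytes at the hook site, restored by Unhooks
DWORD baseaddr = 0;        // image base of the host executable (set in MyThreadProc2)
DWORD calloriaddr = 0;     // address of the original call target (set in OnCall)
DWORD jmbback = 0;         // address to resume at after the hook site (set in OnCall)
// Written by the hooked thread (OnCall) and polled by MyThreadProc1. A plain
// BOOL is a data race and the compiler may hoist the read out of the polling
// loop; std::atomic gives the cross-thread visibility the loop relies on.
std::atomic<BOOL> isrun{ TRUE };
DWORD EXesp = 0;           // esp captured at hook entry; [esp] holds the first argument
char addInt[1] = { 5 };    // the one byte OnCall writes over the first argument
char testkk[1024] = { 0 };
HANDLE hProcessForWrite = NULL;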


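// Overwrites the 5 bytes at hookAddr with "jmp rel32" to FuncBeCall and saves
// the original bytes into backCode so Unhooks can restore them.
// Returns 0 on success, -1 if reading or writing process memory fails.
// NOTE: rel32 is computed from 32-bit addresses, so this is x86-32 only. The
// patch is not atomic with respect to other threads: one that executes the hook
// site while the write is in progress may run a partially patched instruction.
int StartHooks(DWORD hookAddr, BYTE backCode[5], void(*FuncBeCall)()) {
    // jmp rel32 is relative to the address of the instruction that follows it.
    const DWORD jmpAddr = reinterpret_cast<DWORD>(FuncBeCall) - (hookAddr + 5);
    BYTE jmpCode[5];
    jmpCode[0] = 0xE9;  // opcode: jmp rel32
    memcpy(jmpCode + 1, &jmpAddr, sizeof(jmpAddr));  // unaligned store without type punning

    // Pseudo-handle for the current process: no OpenProcess/CloseHandle pair
    // (the original opened a PROCESS_ALL_ACCESS handle and never closed it).
    HANDLE hProcess = GetCurrentProcess();
    if (ReadProcessMemory(hProcess, reinterpret_cast<LPVOID>(hookAddr), backCode, 5, NULL) == 0) {
        return -1;
    }

    if (WriteProcessMemory(hProcess, reinterpret_cast<LPVOID>(hookAddr), jmpCode, 5, NULL) == 0) {
        return -1;
    }

    return 0;
}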
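// Restores the 5 original bytes saved by StartHooks at hookAddr.
// Returns 0 on success, -1 if the write fails.
int Unhooks(DWORD hookAddr, BYTE backCode[5]) {
    // Pseudo-handle for the current process: nothing to close afterwards
    // (the original opened a handle and leaked it).
    HANDLE hProcess = GetCurrentProcess();
    if (WriteProcessMemory(hProcess, reinterpret_cast<LPVOID>(hookAddr), backCode, 5, NULL) == 0) {
        return -1;
    }
    return 0;
}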

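// Hook body, entered through the jmp that StartHooks placed over the original
// "call" instruction; on entry esp points at the first pushed argument.
// Naked: no prologue/epilogue is generated, so only globals are used here.
_declspec(naked) void OnCall() {
    calloriaddr = baseaddr + 0x110EB;  // original call target
    jmbback = baseaddr + 0x16C11;      // instruction following the patched call
    __asm {
        mov EXesp, esp  // the first argument lives at [esp] at this point
        pushad          // preserve all registers around the C++ code below
    }

    // Overwrite the first argument with the byte in addInt.
    // Pseudo-handle: no OpenProcess/CloseHandle (the original leaked the handle).
    hProcessForWrite = GetCurrentProcess();
    if (WriteProcessMemory(hProcessForWrite, reinterpret_cast<LPVOID>(EXesp), addInt, sizeof(addInt), NULL) == 0) {
        MessageBox(NULL, "faild", "indll", NULL);
    }
    else
    {
        MessageBox(NULL, "success", "indll", NULL);
    }

    // Tell MyThreadProc1 to restore the original bytes. This has to come before
    // the jmp below: the original placed it after the jmp, where it never ran,
    // so the hook was never removed.
    isrun = FALSE;

    __asm {
        popad
        call calloriaddr  // run the original callee with the patched argument
        jmp jmbback       // resume after the hook site; control never returns here
    }
}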

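// Waits until isrun is cleared (OnCall is meant to do that once the hook has
// fired), then puts the original 5 bytes back at the hook site.
DWORD WINAPI MyThreadProc1(LPVOID pParam)
{
    (void)pParam;  // unused
    while (isrun)
    {
        Sleep(100);  // poll; isrun is set from the hooked thread
    }
    const DWORD hkaddr = baseaddr + 0x16C0C;
    if (Unhooks(hkaddr, backCode) != 0) {
        // The original discarded this result, so a failed restore went unnoticed.
        MessageBox(NULL, "unhook failed", "indll", NULL);
    }
    return 0;
}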
 
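// Installs the hook on the host executable: the hook site sits at a fixed
// offset from the image base returned by GetModuleHandle(NULL). Shows the
// computed address, then reports if StartHooks fails (the original ignored
// its result).
DWORD WINAPI MyThreadProc2(LPVOID pParam)
{
    (void)pParam;  // unused
    isrun = TRUE;
    HMODULE hModule = GetModuleHandle(NULL);
    baseaddr = reinterpret_cast<DWORD>(hModule);
    const DWORD hkaddr = baseaddr + 0x16C0C;  // the "call" instruction that gets patched

    char kk[16] = { 0 };  // 8 hex digits plus NUL is enough for a DWORD
    sprintf_s(kk, "%x", hkaddr);

    MessageBox(NULL, kk, "test", NULL);

    if (StartHooks(hkaddr, backCode, &OnCall) != 0) {
        MessageBox(NULL, "hook failed", "indll", NULL);
    }
    return 0;
}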
 
 
 
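// DLL entry point: on attach, starts the hook installer (MyThreadProc2) and the
// unhook watcher (MyThreadProc1). The thread handles are closed immediately;
// the threads keep running without them (the original leaked both handles).
// NOTE: MessageBox from DllMain runs under the loader lock, which Microsoft's
// DllMain guidance advises against; it is kept because the listing relies on
// it for feedback.
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        isrun = TRUE;
        MessageBox(NULL, "DLL已進入目標進程。", "信息", MB_ICONINFORMATION);
        DWORD dwThreadId = 0;

        // Signatures already match LPTHREAD_START_ROUTINE; no cast needed.
        HANDLE myThread2 = CreateThread(NULL, 0, MyThreadProc2, NULL, 0, &dwThreadId);
        if (myThread2 != NULL) {
            CloseHandle(myThread2);
        }
        HANDLE myThread1 = CreateThread(NULL, 0, MyThreadProc1, NULL, 0, &dwThreadId);
        if (myThread1 != NULL) {
            CloseHandle(myThread1);
        }
        break;
    }
    case DLL_PROCESS_DETACH:
    {
        MessageBox(NULL, "DLL已從目標進程卸載。", "信息", MB_ICONINFORMATION);
        break;
    }
    }
    return TRUE;
}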
 

 

