大佬教程收集整理的这篇文章主要介绍了利用detours写了一个工具用于instrument任意指定dll的任意指定函数入口,大佬教程大佬觉得挺不错的,现在分享给大家,也给大家做个参考。
https://github.com/microsoft/Detours/wiki
Tests the Detours disassembler tables.
Uses
DetourEnumerateExports, DetourEnumerateModules, DetourGetEntryPoint, DetourGetModuleSize.
Detours the Win32 Sleep function and a private function. The private function is first detoured,then detoured recursively 3 times using the DetourAttach API.
Uses
DetourAttach, DetourTransactionBegin, DetourTransactionCommit, DetourUpdateThread.
detour to modify the Windows Sleep API.
The withdll.exe program included in the Detours package uses the DetourCreateProcessWithDlls API to start a new process with a named DLL.
example of withdll
command
F:\codes\Detours-4.0.1\bin.X86>tracebld.exe /o:1.txt notepad TRACEBLD: Ready for clients. Press Ctrl-C to stop. TRACEBLD: Starting: `notepad' TRACEBLD: with `F:\codes\Detours-4.0.1\bin.X86\trcbld32.dll' TRACEBLD: 1 processes.
output file
<?xml version="1.0" encoding="UTF-8"?> -<t:Process xmlns:t="http://schemas.microsoft.com/research/tracebld/2008" exe="notepad" par="" id="::0.::"> <t:Directory>F:\codes\Detours-4.0.1\bin.X86</t:Directory> <t:Executable>%SYSDIR%\notepad.exe</t:Executable> <t:Line>%SYSDIR%\notepad.exe </t:Line> <t:return>0</t:return> -<t:Files> <t:File write="true" read="true">\\.\NvAdminDevice</t:File> <t:File read="true">C:\ProgramData\NVIDIA Corporation\Drs\nvdrssel.bin</t:File> <t:File read="true">C:\ProgramData\NVIDIA Corporation\Drs\nvdrsdb1.bin</t:File> <t:File read="true">C:\Windows\Fonts\staticcache.dat</t:File> </t:Files> <t:Vars> </t:Vars> </t:Process>
My instrumentation tool:
input.txt
dll=kernel32.dll fun=OpenFile dll=user32.dll fun=MessageBoxA dll=user32.dll fun=MessageBoxW dll=user32.dll fun=OffsetRect dll=kernel32.dll fun=WaitForSingleObject dll=kernel32.dll fun=CloseHandle
测试
F:\codes\Detours-4.0.1\bin.X86>withdll.exe /d:C:\Users\cutep\source\repos\ConsoleApplication1\Debug\dll1.dll notepad Press any key to continue . . . withdll.exe: Starting: `notepad' withdll.exe: with `C:\Users\cutep\source\repos\ConsoleApplication1\Debug\dll1.dll' Resume Thread... Press any key to continue . . .
'notepad.exe' (Win32): Loaded 'C:\Windows\syswow64\notepad.exe'. Cannot find or open the PDB file. ... 'notepad.exe' (Win32): Loaded 'C:\Users\cutep\source\repos\ConsoleApplication1\Debug\Dll1.dll'. Symbols loaded. ... processing line: dll=kernel32.dll fun=OpenFile processing line: dll=user32.dll fun=MessageBoxA processing line: dll=user32.dll fun=MessageBoxW processing line: dll=user32.dll fun=OffsetRect processing line: dll=kernel32.dll fun=WaitForSingleObject processing line: dll=kernel32.dll fun=CloseHandle processing line: >>dll=kernel32.dll fun=WaitForSingleObject >>dll=kernel32.dll fun=CloseHandle ..... >>dll=user32.dll fun=OffsetRect >>dll=user32.dll fun=OffsetRect ... >>dll=kernel32.dll fun=CloseHandle Exception thrown at 0x0FF81BCC (ucrtbased.dll) in notepad.exe: 0xC0000005: Access violation reading location 0xFEEEFEEE. The program '[0x1DE0] notepad.exe' has exited with code 0 (0x0).
link: https://files.cnblogs.com/files/cutepig/ConsoleApplication1.7z
核心代码
//dllmain.cpp // dllmain.cpp : Defines the entry point for the DLL application. #include "stdafx.h" #include <detours.h> #include "../Injector.h" Injector gInj; static int (WINAPI * TrueEntryPoint)(VOID) = NULL; static int (WINAPI * RawEntryPoint)(VOID) = NULL; static void DebugStr(const char *fmt,...) { va_list l; va_start(l,fmt); char s[100]; vsnprintf(s,100,fmt,l); printf(s); OutputDebugStringA(s); } int WINAPI TimedEntryPoint(VOID) { FILE *fp = fopen("input.txt","r"); if (!fp) { DebugStr("Open file fails"); return -1; } char s[300]; while (fgets(s,300,fp)) { DebugStr("processing line: %s",s); char dll[100]; char fun[100]; if (2 != sscanf(s,"dll=%s fun=%s",dll,fun)) { DebugStr("Error scanf from line: %s",s); conTinue; } PVOID pFun = DetourFindFunction(dll,fun); if (!pFun) { DebugStr("Error DetourFindFunction from line: %s %s",fun); conTinue; } gInj.Inject(pFun,s); } return TrueEntryPoint(); } BOOL WINAPI DllMain(HINSTANCE hinst,DWORD dwReason,LPVOID reserved) { LONG error; (void)hinst; (void)reserved; if (DetourIsHelperProcess()) { return TRUE; } if (dwReason == DLL_PROCESS_ATTACH) { DetourRestoreAfterWith(); // NB: DllMain can't call LoadLibrary,so we hook the app entry point. TrueEntryPoint = (int (WINAPI *)(VOID))DetourGetEntryPoint(null); RawEntryPoint = TrueEntryPoint; DetourtransactionBegin(); DetourupdateThread(GetCurrentThread()); DetourAttach(&(PVOID&)TrueEntryPoint,TimedEntryPoint); error = DetourtransactionCommit(); if (error == NO_ERROR) { printf("dslept" DETOURS_StriNGIFY(DETOURS_BITS) ".dll: " " Detoured EntryPoint().\n"); } else { printf("dslept" DETOURS_StriNGIFY(DETOURS_BITS) ".dll: " " Error detouring EntryPoint(): %d\n",error); } } else if (dwReason == DLL_PROCESS_DETACH) { } return TRUE; }
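// injector.cpp
//
// Builds one small x86 stub per hooked function:
//     push  <Item*>
//     call  MyInstrument
//     add   esp, 4
//     jmp   <Detours trampoline to the original function>
// and attaches it with Detours, so every call of the hooked function
// first logs its description and then runs unchanged.
//
// 32-bit only: the generators emit 32-bit push/call/jmp encodings and the
// pointer pushed for MyInstrument is copied as 4 bytes.
#include <Windows.h>
#include <assert.h>
#include <stdio.h>
#include <string.h>
#include <string>
#include <vector>
#include <algorithm>
#include <detours.h>
#include "Injector.h"

static_assert(sizeof(void *) == 4, "the generated machine code is 32-bit x86 only");

// Appends n raw bytes from data at p and advances p past them.
void GenCode(char *&p, int n, const void *data)
{
    memcpy(p, data, n);
    p += n;
}

// add esp, 4 -- drops the argument pushed for the cdecl MyInstrument call.
void GenAddEsp4(char *&p)
{
    const unsigned char data[3] = { 0x83, 0xC4, 0x04 };
    GenCode(p, 3, data);
}

// push imm32 -- pushes the pointer value pData.
void GenPushPtr(char *&p, void const *pData)
{
    unsigned char data[5] = { 0x68, 0, 0, 0, 0 };
    memcpy(&data[1], &pData, 4);
    GenCode(p, 5, data);
}

// rel32 displacement from the end of a 5-byte instruction at p to target.
static DWORD Rel32(const char *p, void const *target)
{
    return (DWORD)((ULONG_PTR)target - ((ULONG_PTR)p + 5));
}

// call rel32
void GenCall(char *&p, void const *pFn)
{
    const DWORD offset = Rel32(p, pFn);
    unsigned char data[5] = { 0xE8, 0, 0, 0, 0 };
    memcpy(&data[1], &offset, 4);
    GenCode(p, 5, data);
}

// jmp rel32
void GenJump(char *&p, void const *pFn)
{
    const DWORD offset = Rel32(p, pFn);
    unsigned char data[5] = { 0xE9, 0, 0, 0, 0 };
    memcpy(&data[1], &offset, 4);
    GenCode(p, 5, data);
}

class InjectorImpl {
    // Bytes committed per stub; the stub itself is 5 + 5 + 3 + 5 = 18 bytes,
    // VirtualAlloc rounds up to a page anyway.
    static const int kStubSize = 100;
    // mvItems must never reallocate: each stub embeds the address of its Item.
    static const size_t kMaxHooks = 100;

    struct Code {
        char *adr;          // start of the stub (VirtualAlloc'ed), NULL if none
        char *codeOfJump;   // where the final jmp is written
        Code() : adr(0), codeOfJump(0) {}
    };

    struct Item {
        std::string desc;   // text printed on every call (the input.txt line)
        void const *fOriginal;
        void *fTramper;     // fOriginal until commit, then the Detours trampoline
        Code code;
        Item() : fOriginal(0), fTramper(0) {}
    };

    std::vector<Item> mvItems;

    // Runs inside the hooked function, on the caller's thread, before the
    // original executes.  Keep it minimal: printf takes CRT locks and must
    // not call back into a hooked function.
    static void MyInstrument(Item *item)
    {
        char s[320];
        _snprintf_s(s, sizeof(s), _TRUNCATE, ">>%s\n", item->desc.c_str());
        fputs(s, stdout);   // never printf(s): desc comes from input.txt
        OutputDebugStringA(s);
    }

    // Allocates a writable stub and emits "push item; call MyInstrument;
    // add esp,4".  Returns a Code whose adr is NULL if VirtualAlloc failed.
    // The first byte is a push, so Detours' jump-skipping does not look
    // past the stub when it is attached.
    static Code GenInjectCodePart1(Item const *item)
    {
        Code code;
        char *adr = (char *)VirtualAlloc(NULL, kStubSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (!adr) {
            return code;
        }
        code.adr = adr;

        char *p = adr;
        GenPushPtr(p, item);
        GenCall(p, MyInstrument);
        GenAddEsp4(p);
        code.codeOfJump = p;
        return code;
    }

    // Emits the final "jmp target" and makes the stub executable (RW -> RX,
    // so the page is never writable and executable at once).  Returns
    // false if the protection change failed; the stub must not be used then.
    static bool GenInjectCodePart2(Item const *item, void const *target)
    {
        char *p = item->code.codeOfJump;
        GenJump(p, target);

        DWORD oldProtection;
        if (!VirtualProtect(item->code.adr, kStubSize, PAGE_EXECUTE_READ, &oldProtection)) {
            return false;
        }
        FlushInstructionCache(GetCurrentProcess(), item->code.adr, kStubSize);
        return true;
    }

    static void FreeInjectCode(char *adr)
    {
        if (adr) {
            VirtualFree(adr, 0, MEM_RELEASE);
        }
    }

public:
    InjectorImpl()
    {
        mvItems.reserve(kMaxHooks);
    }

    // Detaches every hook so no stub runs after the Items it points at are
    // freed.  Without this, a hooked function called after destruction
    // (e.g. CloseHandle during process exit) would push a dangling Item* --
    // a plausible source of the 0xFEEEFEEE (freed-heap fill) access
    // violation seen at exit.  Stub pages are intentionally not freed:
    // a thread may still be executing inside one.
    ~InjectorImpl()
    {
        if (mvItems.empty()) {
            return;
        }
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        for (size_t i = 0; i < mvItems.size(); ++i) {
            Item &item = mvItems[i];
            if (item.fTramper != item.fOriginal) {
                DetourDetach(&(PVOID&)item.fTramper, item.code.adr);
            }
        }
        DetourTransactionCommit();
    }

    // Routes calls of f through a logging stub.  f must be a function entry
    // Detours can patch; desc is copied and printed on every call.  Failures
    // (table full, allocation, attach, protection) are reported to the
    // debugger and leave f unhooked.
    void Inject(void const *f, char const *desc)
    {
        if (mvItems.size() >= mvItems.capacity()) {
            // A reallocation would move every Item the existing stubs point at.
            OutputDebugStringA("Injector: hook table is full, not hooking\n");
            return;
        }
        mvItems.push_back(Item());
        Item &item = mvItems.back();
        item.fOriginal = item.fTramper = (void *)f;
        item.desc = desc;

        item.code = GenInjectCodePart1(&item);
        if (!item.code.adr) {
            OutputDebugStringA("Injector: VirtualAlloc failed, not hooking\n");
            mvItems.pop_back();
            return;
        }

        // The stub's jmp needs the trampoline address.  DetourAttachEx
        // reports it when the attach is queued, so the stub can be completed
        // and made executable *before* the commit patches f -- otherwise a
        // call of f from another thread between commit and the jmp being
        // written would land in an unfinished, non-executable stub.
        // NOTE(review): relies on *ppRealTrampoline being set by
        // DetourAttachEx itself, not only at commit -- confirm on your
        // Detours version (the assert below checks it in debug builds).
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        PDETOUR_TRAMPOLINE trampoline = NULL;
        LONG error = DetourAttachEx(&(PVOID&)item.fTramper, item.code.adr, &trampoline, NULL, NULL);
        bool ok = (error == NO_ERROR) && trampoline != NULL
                  && GenInjectCodePart2(&item, trampoline);
        if (ok) {
            error = DetourTransactionCommit();
            ok = (error == NO_ERROR);
        } else {
            DetourTransactionAbort();
        }
        if (!ok) {
            OutputDebugStringA("Injector: detour attach failed, not hooking\n");
            FreeInjectCode(item.code.adr);
            mvItems.pop_back();
            return;
        }
        assert(item.fTramper == (void *)trampoline);
    }
};

// Injector
/////////////////////
// NOTE(review): Injector.h is outside this listing.  `impl` is created with
// `new` and never deleted here; if it is a raw pointer, ~InjectorImpl (which
// detaches the hooks) never runs -- make `impl` an owning pointer or delete
// it in ~Injector.
Injector::Injector() : impl(new InjectorImpl) {}
Injector::~Injector() {}
void Injector::Inject(void const *f, char const *desc) { impl->Inject(f, desc); }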