EasyHook LoadLibrary 崩溃失败
EasyHook LoadLibrary fails in crash
我正在尝试使用 EasyHook 检测本机 LoadLibrary 调用。
它确实检测到库的加载,但是该过程导致冻结。
这是因为下面的LoadLibrary_Hook方法无法加载dll或library,因为It returns 0 IntPtr(大概可以找不到图书馆。)。
我什至尝试将事件设置为 "void" 类型,但随后进程就崩溃了,这可能是因为 EasyHook 希望我 return 一个值来覆盖函数。
有没有办法让我 return 加载完全需要的库,或者只是简单地获取正在加载的库的名称而无需手动加载库?
(还有这样的名字正在加载中: 瑮汤汤l逦逦仇嗿謘ౕ㍓四襗ﱝ嶉觬嶉觰嶉ㄨ࿓トƠ谋ࡅ쌻萨里斯事㬔瓋㤉ᡝ萨苏팻Ѵ᪉ᢉ疋㬐ă㬀瓋謇ᡅᦉᢉ綋㬜这有点奇怪...)
private static LocalHook hook;
[DllImport("kernel32.dll", CharSet=CharSet.Auto)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibrary(string lpFileName);
[DllImport("kernel32.dll", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)]
public static extern IntPtr GetProcAddress(IntPtr handle, string varormethodname);
[UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
public delegate IntPtr LoadLibraryDelegate(string lpFileName);
public TestHook()
{
IntPtr kernel32 = GetModuleHandle("kernel32.dll");
Logger.Log("Kernel: " + kernel32);
IntPtr address = GetProcAddress(kernel32, "LoadLibraryA");
Logger.Log("Address: " + address);
hook = LocalHook.Create(address,
new LoadLibraryDelegate(LoadLibrary_Hook),
null);
hook.ThreadACL.SetExclusiveACL(new Int32[] {0});
//RemoteHooking.WakeUpProcess();
}
public IntPtr LoadLibrary_Hook(string lpFileName)
{
Logger.Log("File load: " + lpFileName);
return LoadLibrary(lpFileName);
}
解决方案是使用原始函数地址调用原始方法:
public IntPtr LoadLibrary_Hook(string lpFileName)
{
Logger.Log("File load: " + lpFileName);
LoadLibraryDelegate origMethod = (LoadLibraryDelegate)Marshal.GetDelegateForFunctionPointer(LoadLibraryAddress, typeof(LoadLibraryDelegate));
return origMethod(lpFileName);
}
我正在尝试使用 EasyHook 检测本机 LoadLibrary 调用。
它确实检测到库的加载,但是该过程导致冻结。 这是因为下面的LoadLibrary_Hook方法无法加载dll或library,因为It returns 0 IntPtr(大概可以找不到图书馆。)。
我什至尝试将事件设置为 "void" 类型,但随后进程就崩溃了,这可能是因为 EasyHook 希望我 return 一个值来覆盖函数。
有没有办法让我 return 加载完全需要的库,或者只是简单地获取正在加载的库的名称而无需手动加载库?
(还有这样的名字正在加载中: 瑮汤汤l逦逦仇嗿謘ౕ㍓四襗ﱝ嶉觬嶉觰嶉ㄨ࿓トƠ谋ࡅ쌻萨里斯事㬔瓋㤉ᡝ萨苏팻Ѵ᪉ᢉ疋㬐ă㬀瓋謇ᡅᦉᢉ綋㬜这有点奇怪...)
private static LocalHook hook;
[DllImport("kernel32.dll", CharSet=CharSet.Auto)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibrary(string lpFileName);
[DllImport("kernel32.dll", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)]
public static extern IntPtr GetProcAddress(IntPtr handle, string varormethodname);
[UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
public delegate IntPtr LoadLibraryDelegate(string lpFileName);
public TestHook()
{
IntPtr kernel32 = GetModuleHandle("kernel32.dll");
Logger.Log("Kernel: " + kernel32);
IntPtr address = GetProcAddress(kernel32, "LoadLibraryA");
Logger.Log("Address: " + address);
hook = LocalHook.Create(address,
new LoadLibraryDelegate(LoadLibrary_Hook),
null);
hook.ThreadACL.SetExclusiveACL(new Int32[] {0});
//RemoteHooking.WakeUpProcess();
}
public IntPtr LoadLibrary_Hook(string lpFileName)
{
Logger.Log("File load: " + lpFileName);
return LoadLibrary(lpFileName);
}
解决方案是使用原始函数地址调用原始方法:
public IntPtr LoadLibrary_Hook(string lpFileName)
{
Logger.Log("File load: " + lpFileName);
LoadLibraryDelegate origMethod = (LoadLibraryDelegate)Marshal.GetDelegateForFunctionPointer(LoadLibraryAddress, typeof(LoadLibraryDelegate));
return origMethod(lpFileName);
}