无法使用MS-detours(32位)挂钩注册表功能 [英] Unable to hook registry functions using MS-detours (32bit)
问题描述
我正在使用ms-detours来挂钩函数。我成功地将我的dll注入了一个进程。我成功捕获了createfile \ delete文件和事件的功能,在debugView看到它们。
我无法捕获所有注册表功能。
试过:
REGSETVALUEX OrigRegSetValueEx = NULL;
REGOPENKEYEXA OrigRegOpenKeyExA = NULL;
REGOPENKEY OrigRegOpenKey = NULL;
REGCREATEKEYEXW OrigRegCreateKeyExW = NULL;
REGCREATEKEYW OrigRegCreateKeyW = NULL;
REGSETVALUEXW OrigRegSetValueExW = NULL;
i有一个自编代码(c#)32位控制台程序,有3个功能:
createNewFile
DeleteFile
打开注册表子项并设置键值。 3号代码片段:
此处输入代码字符串Mash = String.Concat(Environment.MachineName,Environment.OSVersion.VersionString,Environment.UserName); RegistryKey rkApp = Registry.CurrentUser.OpenSubKey(SOFTWARE\Microsoft \ Windows \ CurrentVersion \ Run,true); rkApp.SetValue(newvalue,Mash); rkApp.Close();
createNewFile + DeleteFile - 成功捕获。
打开注册表子项并设置键值。 - 没有捕捉活动
我使用以下代码进行功能和弯路:
我尝试过:
我正在调试:
1.Process monitor - 捕捉我的活动。 ProcessMonitor捕获注册表事件
2.在'HookRegSetValue'函数中放置messagebox3并且没有看到它弹出。我不确定,但猜测它是一个弯路问题。
3.tried其他注册表功能 - 没有被解雇。
< br $> b $ b
include stdafx.h
包括 windows.h
包括 tchar.h
include stdio.h
typedef HANDLE(WINAPI * CREATEFILEW)(LPCWSTR,DWORD,DWORD,LPSECURITY_ATTRIBUTES,DWORD,DWORD,HANDLE);
typedef HANDLE(WINAPI * DELETEFILEW)(LPCWSTR,DWORD,DWORD,LPSECURITY_ATTRIBUTES,DWORD,DWORD,HANDLE);
typedef LONG(WINAPI * REGSETVALUE)(HKEY,LPCTSTR,DWORD,LPCSTR,DWORD);
CREATEFILEW OrigCreteFileW = NULL;
DELETEFILEW OrigDeleteFileW = NULL;
REGSETVALUE OrigRegSetValue = NULL;
HANDLE WINAPI HookCreateFileW(LPCWSTR lpFileName,DWORD dwDesiredAccess,DWORD dwShareMode,LPSECURITY_ATTRIBUTES lpSecurityAttributes,DWORD dwCreationDisposition,DWORD dwFlagsAndAttributes,HANDLE hTemplateFile)
{
OutputDebugString(__ TEXT( Inside HookCreateFileW));
OutputDebugStringW(lpFileName);
return OrigCreteFileW(lpFileName,dwDesiredAccess,dwShareMode,lpSecurityAttributes,dwCreationDisposition,dwFlagsAndAttributes,hTemplateFile);
}
HANDLE WINAPI HookDeleteFileW(LPCWSTR lpFileName,DWORD dwDesiredAccess,DWORD dwShareMode,LPSECURITY_ATTRIBUTES lpSecurityAttributes,DWORD dwCreationDisposition,DWORD dwFlagsAndAttributes,HANDLE hTemplateFile)
{
OutputDebugString(__ TEXT( Inside HookDeleteFileW));
OutputDebugStringW(lpFileName);
return OrigDeleteFileW(lpFileName,dwDesiredAccess,dwShareMode,lpSecurityAttributes,dwCreationDisposition,dwFlagsAndAttributes,hTemplateFile);
}
LONG WINAPI HookRegSetValue(HKEY hKey,LPCTSTR lpSubKey,DWORD dwType,LPCTSTR lpData,DWORD cbData)
{
MessageBox( 0 , and text here 3, MessageBox标题,MB_OK);
OutputDebugString(__ TEXT( Inside HookRegSetValue));
OutputDebugStringW((LPCWSTR)hKey);
return OrigRegSetValue(hKey,lpSubKey,dwType,lpSubKey,cbData);
}
void InstallHooks( void )
{
HMODULE modKernel32 = GetModuleHandle(TEXT( KERNEL32.dll< /跨度>));
HMODULE advapi32 = GetModuleHandle(TEXT( ADVAPI32.dll));
OrigCreteFileW =(CREATEFILEW)GetProcAddress(modKernel32, CreateFileW);
OrigDeleteFileW =(DELETEFILEW)GetProcAddress(modKernel32, DeleteFileW);
OrigRegSetValue =(REGSETVALUE)GetProcAddress(advapi32, RegSetValue);
// install hooks
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
// 文件挂钩
OutputDebugString( __TEXT( 4.DetourAttach));
/ * DetourAttach(&(PVOID&)OrigCreteFileW,HookCreateFileW);
OutputDebugString(__ TEXT(HookCreateFileW));
DetourAttach(&(PVOID&)OrigDeleteFileW,HookDeleteFileW);
OutputDebugString(__ TEXT(HookDeleteFileW)); * /
DetourAttach(&(PVOID&)OrigRegSetValue,HookRegSetValue);
OutputDebugString(__ TEXT( HookRegSetValue));
DetourTransactionCommit();
void RestoreHooks( void )
{
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
// 文件挂钩
OutputDebugString( __TEXT( 5.DetourDetach));
DetourTransactionCommit();
}
// dllmain.cpp:定义DLL的入口点应用。
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
OutputDebugString(__ TEXT( InstallHooks));
InstallHooks();
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
// OutputDebugString(__ TEXT(RestoreHooks) ));
// RestoreHooks();
< span class =code-keyword> break ;
}
return TRUE;
}
我刚刚审核了你的代码,这对我来说似乎有点奇怪。我建议你阅读这篇文章与MS Detours的API挂钩
im using ms-detours to hook functions. im successfully injecting my dll to a process. im successfully catching functions of createfile\deletefile and event see them at "debugView".
im unable to catch all registry functions.
tried:
REGSETVALUEX OrigRegSetValueEx = NULL;
REGOPENKEYEXA OrigRegOpenKeyExA = NULL;
REGOPENKEY OrigRegOpenKey = NULL;
REGCREATEKEYEXW OrigRegCreateKeyExW = NULL;
REGCREATEKEYW OrigRegCreateKeyW = NULL;
REGSETVALUEXW OrigRegSetValueExW = NULL;
i have a self-written code (c#) 32bit console programe that have 3 functions:
createNewFile
DeleteFile
open Registry subkey and set key value. code snip of number 3:
enter code here string Mash = String.Concat(Environment.MachineName, Environment.OSVersion.VersionString, Environment.UserName); RegistryKey rkApp = Registry.CurrentUser.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Run", true); rkApp.SetValue("newvalue", Mash); rkApp.Close();
createNewFile + DeleteFile - catching successfully.
open Registry subkey and set key value. - not catching event
im using the following code for functions and detours:
What I have tried:
I was debugging with:
1.Process monitor - which catching my events. ProcessMonitor Catching Registry Events
2.Placed messagebox3 at 'HookRegSetValue' function and not seeing it poping. im not sure but guessing it`s an issue with detours.
3.tried other registry functions - non of them fired.
include "stdafx.h"
include "windows.h"
include "tchar.h"
include "stdio.h"
typedef HANDLE(WINAPI *CREATEFILEW)(LPCWSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE);
typedef HANDLE(WINAPI *DELETEFILEW)(LPCWSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE);
typedef LONG(WINAPI *REGSETVALUE)(HKEY, LPCTSTR, DWORD,LPCSTR,DWORD);
CREATEFILEW OrigCreteFileW = NULL;
DELETEFILEW OrigDeleteFileW = NULL;
REGSETVALUE OrigRegSetValue = NULL;
HANDLE WINAPI HookCreateFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
{
OutputDebugString(__TEXT("Inside HookCreateFileW"));
OutputDebugStringW(lpFileName);
return OrigCreteFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
}
HANDLE WINAPI HookDeleteFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
{
OutputDebugString(__TEXT("Inside HookDeleteFileW"));
OutputDebugStringW(lpFileName);
return OrigDeleteFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
}
LONG WINAPI HookRegSetValue(HKEY hKey, LPCTSTR lpSubKey, DWORD dwType, LPCTSTR lpData, DWORD cbData)
{
MessageBox(0, "And text here3", "MessageBox caption", MB_OK);
OutputDebugString(__TEXT("Inside HookRegSetValue"));
OutputDebugStringW((LPCWSTR)hKey);
return OrigRegSetValue(hKey, lpSubKey, dwType, lpSubKey, cbData);
}
void InstallHooks(void)
{
HMODULE modKernel32 = GetModuleHandle(TEXT("KERNEL32.dll"));
HMODULE advapi32 = GetModuleHandle(TEXT("ADVAPI32.dll"));
OrigCreteFileW = (CREATEFILEW)GetProcAddress(modKernel32, "CreateFileW");
OrigDeleteFileW = (DELETEFILEW)GetProcAddress(modKernel32, "DeleteFileW");
OrigRegSetValue = (REGSETVALUE)GetProcAddress(advapi32, "RegSetValue");
// install hooks
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
//File Hooks
OutputDebugString(__TEXT("4.DetourAttach"));
/*DetourAttach(&(PVOID&)OrigCreteFileW, HookCreateFileW);
OutputDebugString(__TEXT("HookCreateFileW"));
DetourAttach(&(PVOID&)OrigDeleteFileW, HookDeleteFileW);
OutputDebugString(__TEXT("HookDeleteFileW"));*/
DetourAttach(&(PVOID&)OrigRegSetValue, HookRegSetValue);
OutputDebugString(__TEXT("HookRegSetValue"));
DetourTransactionCommit();
void RestoreHooks(void)
{
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
//File Hooks
OutputDebugString(__TEXT("5.DetourDetach"));
DetourTransactionCommit();
}
// dllmain.cpp : Defines the entry point for the DLL application.
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
OutputDebugString(__TEXT("InstallHooks"));
InstallHooks();
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
//OutputDebugString(__TEXT("RestoreHooks"));
//RestoreHooks();
break;
}
return TRUE;
}I've just reviewed your code and this all seems to me a kind of strange. I'd recommend you to read this article API Hooking with MS Detours
这篇关于无法使用MS-detours(32位)挂钩注册表功能的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
