Hooking functions question


Question


Hello,
I would like to ask a short question about function hooking.
Say I hook the "MessageBox" function in "user32.dll", so that a call to "MessageBox" will really invoke "MyMessageBox".
MyMessageBox is a function I wrote with the same signature as MessageBox, but instead of showing its message box with the text received in its parameters it will always print "ABC", no matter what the parameters were.

I know that all processes share one single code space for a given loaded DLL.
From that I would understand that if I hook the MessageBox function in a way that all of its calls will really invoke MyMessageBox, it would happen in all processes that use user32.dll, because they all share the same code space.
But in reality, only the process that created the hook calls MyMessageBox when MessageBox is called and prints "ABC" as required, while other processes print their messages normally.
I'm using Microsoft's detour.dll in order to create the hook.

This is how I create the hook to the MessageBox function.

#include <windows.h>
#include <detours.h>

// Pointer to the real MessageBoxA; DetourAttach redirects it to a trampoline
// so the replacement can still call the original.
static int (WINAPI *messageBox)(HWND, LPCSTR, LPCSTR, UINT) = MessageBoxA;

// Replacement with the same signature as MessageBoxA: always shows "ABC".
int WINAPI myMessageBox(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
    return messageBox(hWnd, "ABC", lpCaption, uType);
}

BOOL APIENTRY DllMain(HMODULE hDLL, DWORD Reason, LPVOID Reserved)
{
    switch (Reason)
    {
        case DLL_PROCESS_ATTACH:
            DisableThreadLibraryCalls(hDLL);
            DetourTransactionBegin();
            DetourUpdateThread(GetCurrentThread());
            // messageBox is a pointer to the MessageBox function, myMessageBox is
            // a pointer to the function that should be invoked every time a call to MessageBox is made
            DetourAttach(&(PVOID&)messageBox, myMessageBox);
            DetourTransactionCommit();
            break;
    }
    return TRUE;
}






Would love to get a good explanation about this phenomenon :]
Thanks a lot in advance!
Michael.

Answer

I believe that post-Win9x, the security system in Windows changed and the shared library calls are now implemented via a lookup table; in other words, they are indirected to the actual library code.

So by changing the "hook" you are changing your process's lookup table and not the actual library entry point. This ensures system-wide stability and security.
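One practical consequence for defenders, as an added example that is not part of the thread: a Detours hook rewrites the first instructions of the target function in the hooking process's own (copy-on-write) copy of the page, so the same exported function can be read out of several processes and compared, and a process whose first bytes of MessageBoxA differ from the majority is the one carrying a hook. The PID list, the 16-byte prologue length and the assumption that every listed process has the scanner's bitness (so user32.dll has one base address) are assumptions of this example, which uses plain ctypes calls to OpenProcess and ReadProcessMemory.

```python
import ctypes
from collections import Counter
from typing import Dict, Iterable, Optional

PROCESS_VM_READ = 0x0010            # access rights ReadProcessMemory needs
PROCESS_QUERY_INFORMATION = 0x0400
PROLOGUE_LEN = 16                   # assumption: 16 bytes cover a Detours jmp patch

def find_hooked(prologues: Dict[int, bytes]) -> Dict[int, bytes]:
    """Given {pid: first bytes of the same exported function in that process},
    return the processes whose bytes differ from the most common (clean) copy."""
    if not prologues:
        return {}
    baseline, _ = Counter(prologues.values()).most_common(1)[0]
    return {pid: b for pid, b in prologues.items() if b != baseline}

def read_prologue(pid: int, address: int, length: int = PROLOGUE_LEN) -> Optional[bytes]:
    """Windows only: read `length` bytes at `address` out of process `pid`."""
    k32 = ctypes.windll.kernel32
    k32.OpenProcess.restype = ctypes.c_void_p          # keep 64-bit handles intact
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, False, pid)
    if not handle:
        return None                 # no rights to this process (protected or system)
    buf = ctypes.create_string_buffer(length)
    got = ctypes.c_size_t(0)
    ok = k32.ReadProcessMemory(handle, address, buf, length, ctypes.byref(got))
    k32.CloseHandle(handle)
    return buf.raw[:got.value] if ok else None

def scan_message_box(pids: Iterable[int]) -> Dict[int, bytes]:
    """Windows only: compare MessageBoxA's first bytes across `pids`.
    Assumes every pid has the scanner's bitness, so user32.dll shares one base."""
    address = ctypes.cast(ctypes.windll.user32.MessageBoxA, ctypes.c_void_p).value
    prologues = {}
    for pid in pids:
        data = read_prologue(pid, address)
        if data is not None:
            prologues[pid] = data
    return find_hooked(prologues)

if __name__ == "__main__":
    import sys
    for pid, data in scan_message_box(int(p) for p in sys.argv[1:]).items():
        print(f"pid {pid}: MessageBoxA starts with {data.hex()} (differs from majority)")
```

Run it on Windows with administrator rights as `python scan.py <pid> <pid> ...`; WOW64 (32-bit) processes map a different user32.dll and must be compared among themselves, not against 64-bit ones.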

