What is the recommended way to hook Win32 APIs for a commercial application?

Views: 240

Problem description

What is your recommendation for an API hooking library or code to be used in a commercial application?

I have looked at Microsoft Detours which seems to be very good, but definitely is out of budget for the profit I am expecting out of my application.

Is there any library that offers compatibility across WinXP and Vista (and Windows 7 if not too much to ask!)? Is there anyone with past experience in using such a library in a commercial product?

Recommended answer

API hooking in Win32 isn't really possible in a system-wide sense. You can approximate it by injecting a DLL into each process and then patching each process from within. You can either use IAT patching (where you patch the calling binary) or a Detours-style patch (where you patch the callee).

Patching the caller (IAT patching) means that you need to enumerate every DLL that is loaded in the process and patch each one separately. You also would need to hook LoadLibrary in order to patch any new DLLs that are loaded on-the-fly.

Patching the callee (Detours) has the advantage that you only need to patch one location to have the hook apply to the entire process.

You have to do the per-process patching even if you're hooking APIs from shared system DLLs; the OS will invoke copy-on-write whereby when you patch the system DLL, the process is given a private copy to be patched.

DLL injecting gets to be a bit nasty, and again there are several techniques: AppInit_DLLs (http://msdn.microsoft.com/en-us/library/dd744762%28VS.85%29.aspx), which only works for processes that load USER32.DLL (and has several new restrictions in Vista and Windows 7), using SetWindowsHookEx (http://msdn.microsoft.com/en-us/library/ms644990%28VS.85%29.aspx), or by using CreateRemoteThread (http://msdn.microsoft.com/en-us/library/ms682437%28VS.85%29.aspx). Integrity levels in Vista and Windows 7 make it more difficult to inject into processes system-wide. Your app will need to run with administrator privileges and a high integrity level to be able to successfully pull it off.

Another technique is to hook the system services in kernel-mode. This requires writing a device driver, but it is basically the technique that Sysinternals Process Monitor uses (or at least did, once). This is a problem on 64-bit Vista and Win7 because of PatchGuard and the driver signing requirements. You can monitor some file system activity by using file system filter drivers.
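The Detours-style callee patch the answer describes works by rewriting the first bytes of the target function into a jump to the hook. As an added example from the defender's side (not code from the answer, from Detours, or from any library it mentions), this small C checker inspects a function's prologue for the common unconditional-jump encodings such a patch leaves behind and reports where the jump lands. It assumes x64 (the FF 25 form is decoded as RIP-relative); the sample prologues are constructed, and probe_export is a hypothetical helper that only builds on Windows.

```c
#include <stdint.h>
#include <string.h>

/* Result of inspecting a function's first bytes. */
typedef struct {
    int hooked;          /* 1 if the prologue starts with an unconditional jump */
    uintptr_t target;    /* where that jump lands (0 if not resolvable here) */
    const char *form;    /* which jump encoding matched */
} hook_probe;

/* Inspect `len` bytes of code living at address `addr` (needed only to resolve
 * relative jumps; for a constructed buffer pass the buffer's own address). */
static hook_probe probe_prologue(const uint8_t *code, size_t len, uintptr_t addr)
{
    hook_probe r = {0, 0, "none"};
    if (len >= 5 && code[0] == 0xE9) {                   /* E9 rel32: JMP rel32 */
        int32_t rel; memcpy(&rel, code + 1, sizeof rel);
        r.hooked = 1; r.form = "jmp rel32";
        r.target = addr + 5 + (intptr_t)rel;
    } else if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) { /* FF 25: JMP [mem] */
        int32_t disp; memcpy(&disp, code + 2, sizeof disp);
        r.hooked = 1; r.form = "jmp [mem]";
        uintptr_t slot = addr + 6 + (intptr_t)disp;      /* x64 assumption: RIP-relative slot */
        memcpy(&r.target, (const void *)slot, sizeof r.target);
    } else if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
               code[10] == 0xFF && code[11] == 0xE0) {   /* mov rax, imm64; jmp rax */
        uint64_t imm; memcpy(&imm, code + 2, sizeof imm);
        r.hooked = 1; r.form = "mov rax,imm64; jmp rax";
        r.target = (uintptr_t)imm;
    }
    return r;
}

/* Constructed sample prologues for testing (not captured from any real binary). */
static const uint8_t sample_clean[]  = {0x48, 0x89, 0x5C, 0x24, 0x08};   /* mov [rsp+8], rbx */
static const uint8_t sample_rel32[]  = {0xE9, 0xFB, 0xFF, 0xFF, 0xFF};   /* jmp -5: jumps to itself */
static const uint8_t sample_movjmp[] = {0x48, 0xB8, 0x88, 0x77, 0x66, 0x55,
                                        0x44, 0x33, 0x22, 0x11, 0xFF, 0xE0};

#ifdef _WIN32
#include <windows.h>
/* Hypothetical helper: probe a live export of this process, e.g. probe_export("kernel32.dll", "CreateFileW"). */
static hook_probe probe_export(const char *dll, const char *func)
{
    hook_probe none = {0, 0, "not found"};
    HMODULE m = GetModuleHandleA(dll);
    FARPROC p = m ? GetProcAddress(m, func) : NULL;
    return p ? probe_prologue((const uint8_t *)p, 16, (uintptr_t)p) : none;
}
#endif
```

A target that resolves outside the image of the module that exports the function is the usual sign that the callee has been patched in-process.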
