A x64-DLL injected into a x64-process hooking a x86-DLL fails using C++ and EasyHook

Problem description

An x64-DLL injected into an x64-process hooking an x86-DLL fails using C++ and EasyHook. It works if Loader, InjectionLibrary and InjectionTarget (it's available in both versions and I need both to be hooked) are x86. Getting the address of the exported procedure (GetProcAddress itself) isn't a problem at x64. The InjectionTarget has HookTarget (Kernel32.dll) as a dependency at x64 as well. LhInstallHook(...) returns STATUS_NOT_SUPPORTED where the source comments say that happens when: "The target entry point contains unsupported instructions."

Due to the fact that the source is fine for x86 builds, I've decided to not add it.

I drew a small diagram.

Recommended answer

You cannot use a 32-bit DLL in a 64-bit process, and indeed, this generalizes: you cannot mix and match x86 and x64 code, a single process is either entirely x64, or entirely x86. That's fundamental to x86-64 and there's nothing you can do about it. In the Windows control console, they make a 64-bit process and a 32-bit process and use IPC to control the 32-bit process to load and deal with all the 32-bit shell extensions. You could try something similar, if you're brave and/or desperate.

Wait a minute, wait a minute. Could you describe this process a little more at basics when everything works fine in x86 mode? Like, X loads a function from Y, I am doing Z, because it appears that I don't understand what you're doing.

You have an injection target, and an injected DLL, from which you're trying to call procedures in the third-party x86-only DLL. So the normal flow of call goes from InjectionTarget -> InjectionLibrary -> HookTarget -> ExportedProcedure. And this isn't working for you because HookTarget is x86 only and you can't change that, so when you recompile InjectionLibrary for x64 for the x64 version of InjectionTarget, it doesn't work anymore because your x64 InjectionLibrary is trying to load an x86 HookTarget.

The only solution to this problem is to create an x86 process and use inter-process communication to get it to call the procedures in HookTarget that you want called. If you can't re-compile HookTarget for x64, then this is the only way to do it.
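
The architecture rule in the answer can be checked before a load is attempted, because every PE image records its target machine in its file header. The following is an added example, not code from the question or the answer: it reads that Machine field from an image buffer and compares it with the bitness of the loading process. The names `pe_arch`, `loadable_in` and `sample_pe` are hypothetical, and the sample headers are constructed for the demonstration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

enum class PeArch { Invalid, X86, X64, Other };

// Bounds-checked little-endian reads; false when the buffer is too short.
static bool rd16(const std::vector<uint8_t>& b, size_t off, uint16_t& out) {
    if (off > b.size() || b.size() - off < 2) return false;
    out = static_cast<uint16_t>(b[off] | (b[off + 1] << 8));
    return true;
}
static bool rd32(const std::vector<uint8_t>& b, size_t off, uint32_t& out) {
    if (off > b.size() || b.size() - off < 4) return false;
    out = b[off] | (b[off + 1] << 8) | (b[off + 2] << 16) | (uint32_t(b[off + 3]) << 24);
    return true;
}

// Walk DOS header -> e_lfanew -> PE signature -> IMAGE_FILE_HEADER.Machine.
PeArch pe_arch(const std::vector<uint8_t>& img) {
    uint16_t mz = 0, machine = 0;
    uint32_t e_lfanew = 0, sig = 0;
    if (!rd16(img, 0, mz) || mz != 0x5A4D) return PeArch::Invalid;               // "MZ"
    if (!rd32(img, 0x3C, e_lfanew)) return PeArch::Invalid;
    if (!rd32(img, e_lfanew, sig) || sig != 0x00004550) return PeArch::Invalid;  // "PE\0\0"
    if (!rd16(img, size_t(e_lfanew) + 4, machine)) return PeArch::Invalid;
    if (machine == 0x014C) return PeArch::X86;  // IMAGE_FILE_MACHINE_I386
    if (machine == 0x8664) return PeArch::X64;  // IMAGE_FILE_MACHINE_AMD64
    return PeArch::Other;
}

// True only when the image architecture matches the process bitness.
bool loadable_in(PeArch image, bool process_is_64bit) {
    return process_is_64bit ? image == PeArch::X64 : image == PeArch::X86;
}

// Constructed sample: the smallest header that carries a Machine value.
std::vector<uint8_t> sample_pe(uint16_t machine) {
    std::vector<uint8_t> b(0x86, 0);
    b[0] = 'M'; b[1] = 'Z'; b[0x3C] = 0x80;
    b[0x80] = 'P'; b[0x81] = 'E';
    b[0x84] = static_cast<uint8_t>(machine & 0xFF);
    b[0x85] = static_cast<uint8_t>(machine >> 8);
    return b;
}

int main() {
    PeArch hook_target = pe_arch(sample_pe(0x014C));  // stands in for the x86-only DLL
    std::printf("x86 DLL, x64 process: %s\n", loadable_in(hook_target, true) ? "ok" : "mismatch");
    std::printf("x86 DLL, x86 process: %s\n", loadable_in(hook_target, false) ? "ok" : "mismatch");
    return 0;
}
```

To check a real DLL, read the first bytes of the file into the vector and pass it to `pe_arch`; the process side is `sizeof(void*) == 8`.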
