Hook LoadLibrary call from managed code
Problem description
We would like to hook calls to LoadLibrary in order to download assemblies that are not found. We have a handler for ResolveAssembly that handles the managed assemblies, but we also need to handle unmanaged assemblies.
We have attempted to hook LoadLibrary calls by re-writing the imports table via techniques specified in "Programming Applications for Microsoft Windows", but when we call WriteProcessMemory() we get a permission denied error (998). (Yes, we're running with elevated privs)
Has anyone succeeded in re-writing the imports table while the CLR is loaded? Can anyone point me in the right direction?
Update: We resolved the permission denied issue, but now when we iterate the Imports Table of a mixed assembly (managed + unmanaged), the only entry we find is mscoree.dll. Does anyone know how to find the native imports? (we're working in C++/CLI).
Recommended answer
I have successfully hooked from Managed code. However, I did it by injecting an unmanaged DLL into the remote process and have it rewrite the import table in DllMain. You may want to consider this method.
Here is my hook function:
#include <windows.h>
#include <string.h>

//structure of a function to hook
struct HookedFunction {
    LPCSTR moduleName;   //import names in a PE image are ANSI strings
    LPCSTR functionName;
    LPVOID newfunc;
    LPVOID* oldfunc;     //optional: receives the original function pointer
};

BOOL Hook(HMODULE Module, struct HookedFunction Function) {
    //parse dos header
    IMAGE_DOS_HEADER* dos_header = (IMAGE_DOS_HEADER*)Module;
    if (dos_header->e_magic != IMAGE_DOS_SIGNATURE) return FALSE; //not a dos program
    //parse nt header
    IMAGE_NT_HEADERS* nt_header = (IMAGE_NT_HEADERS*)(dos_header->e_lfanew + (SIZE_T)Module);
    if (nt_header->Signature != IMAGE_NT_SIGNATURE) return FALSE; //not a windows program
    //optional header (pretty much not optional)
    IMAGE_OPTIONAL_HEADER* optional_header = &nt_header->OptionalHeader;
    //IMAGE_NT_OPTIONAL_HDR_MAGIC matches the bitness this code is compiled for
    if (optional_header->Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC) return FALSE;
    IMAGE_DATA_DIRECTORY* import_dir = &optional_header->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (!import_dir->Size) return FALSE; //no import table
    IMAGE_IMPORT_DESCRIPTOR* idt_address = (IMAGE_IMPORT_DESCRIPTOR*)(import_dir->VirtualAddress + (SIZE_T)Module);
    //enumerate the import dlls
    BOOL hooked = FALSE;
    for (IMAGE_IMPORT_DESCRIPTOR* i = idt_address; i->Name != 0; i++) {
        //check the import filename
        if (_stricmp(Function.moduleName, (char*)(i->Name + (SIZE_T)Module))) continue;
        if (!i->OriginalFirstThunk) continue; //no name table to match against
        IMAGE_THUNK_DATA* names = (IMAGE_THUNK_DATA*)(i->OriginalFirstThunk + (SIZE_T)Module);
        LPVOID* iat = (LPVOID*)(i->FirstThunk + (SIZE_T)Module);
        //enumerate imported functions for this dll
        for (int j = 0; iat[j] != NULL; j++) {
            //imports by ordinal have no name string to compare
            if (IMAGE_SNAP_BY_ORDINAL(names[j].u1.Ordinal)) continue;
            //check if the function matches the function we are looking for
            IMAGE_IMPORT_BY_NAME* import_name = (IMAGE_IMPORT_BY_NAME*)(names[j].u1.AddressOfData + (SIZE_T)Module);
            if (_stricmp(Function.functionName, (char*)import_name->Name)) continue;
            //replace the function
            LPVOID* memloc = &iat[j];
            if (*memloc != Function.newfunc) { //not already hooked
                DWORD oldrights;
                DWORD newrights = PAGE_READWRITE;
                //skip this slot if the page cannot be made writable
                if (!VirtualProtect(memloc, sizeof(LPVOID), newrights, &oldrights)) continue;
                if (Function.oldfunc && !*Function.oldfunc)
                    *Function.oldfunc = *memloc;
                *memloc = Function.newfunc;
                VirtualProtect(memloc, sizeof(LPVOID), oldrights, &newrights);
            }
            hooked = TRUE;
        }
    }
    return hooked;
}
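As an added example (not code from the original question or answer): the defensive counterpart of the hook above, a Python walk over the same import descriptors that reports IAT slots whose target lies outside the DLL named in the descriptor. The image bytes, the addresses and the names `audit_iat`, `build_sample` and `RANGES` are constructed for illustration and assume a 32-bit image whose RVAs equal buffer offsets.

```python
import struct

ORDINAL_FLAG32 = 0x80000000  # high bit set: import by ordinal, no name string

def cstr(img, rva):
    """Read a NUL-terminated ASCII string at an RVA."""
    return img[rva:img.index(b"\0", rva)].decode("ascii")

def audit_iat(img, import_rva, module_ranges):
    """Walk the import descriptors of a mapped 32-bit image (RVA == offset).
    Returns (dll, symbol, slot_rva, target, in_range) for every named IAT slot."""
    rows, desc = [], import_rva
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", img, desc)
        if name_rva == 0:                        # all-zero descriptor ends the table
            return rows
        dll = cstr(img, name_rva)
        lo, hi = module_ranges.get(dll.lower(), (0, 0))
        i = 0
        while oft:                               # no OriginalFirstThunk: nothing to name
            (entry,) = struct.unpack_from("<I", img, oft + 4 * i)
            if entry == 0:
                break
            if entry & ORDINAL_FLAG32:
                symbol = "#%d" % (entry & 0xFFFF)
            else:
                symbol = cstr(img, entry + 2)    # skip the 2-byte hint
            (target,) = struct.unpack_from("<I", img, ft + 4 * i)
            rows.append((dll, symbol, ft + 4 * i, target, lo <= target < hi))
            i += 1
        desc += 20                               # sizeof(IMAGE_IMPORT_DESCRIPTOR)

def build_sample():
    """Constructed image: kernel32.dll importing LoadLibraryA by name and
    ordinal 17, with the LoadLibraryA slot pointing outside kernel32."""
    img = bytearray(0x100)
    struct.pack_into("<5I", img, 0x10, 0x40, 0, 0, 0x60, 0x50)         # descriptor
    struct.pack_into("<3I", img, 0x40, 0x70, ORDINAL_FLAG32 | 17, 0)   # name table
    struct.pack_into("<3I", img, 0x50, 0x10001000, 0x76A12340, 0)      # bound IAT
    img[0x60:0x6C] = b"kernel32.dll"
    img[0x72:0x7E] = b"LoadLibraryA"             # 0x70..0x71 is the hint
    return bytes(img)

RANGES = {"kernel32.dll": (0x76A00000, 0x76B00000)}  # constructed load range

if __name__ == "__main__":
    for dll, symbol, slot, target, ok in audit_iat(build_sample(), 0x10, RANGES):
        print(f"{dll}!{symbol} slot=0x{slot:x} target=0x{target:x} "
              f"{'ok' if ok else 'OUTSIDE MODULE'}")
```

An out-of-range slot is a lead to review, not proof of a hook: forwarded exports legitimately resolve into a different DLL than the one named in the descriptor. A 64-bit image uses 8-byte thunk entries with the ordinal flag in bit 63.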