IAT Hooking, FindNextFile in Explorer.exe


Problem description






Hi,

I have been trying to hook FindNextFileW in Explorer.exe.
I have used IAT hooking and I managed to successfully change the address of FindNextFileW in the import table, but when I execute the program, after the address is changed, explorer.exe restarts.
I get a message box, Data Execution Prevention, and then explorer restarts. So I turned off Data Execution Prevention for Explorer.exe and now I don't get any error message and explorer doesn't restart, but when I open a directory nothing happens.
Is there a problem in the definition of myFindFirstFileExW or is there something else I am missing?



BOOL myFindNextFileW (HANDLE hFindFile,LPWIN32_FIND_DATA lpFindFileData);
int WINAPI DllEntryPoint(HINSTANCE hinstDll, unsigned long fdwReason,
	void* fImpLoad) {
	char lib_name[50];
	GetModuleFileName(hinstDll, lib_name, 50);
	LoadLibrary(lib_name);
	switch(fdwReason) {
	case DLL_PROCESS_ATTACH: {
			ShowMessage("DLL_PROCESS_ATTACH");
			HookAPI("FindNextFileW", (DWORD)myFindNextFileW);
		}
	case DLL_PROCESS_DETACH: {
			break;
		}
	case DLL_THREAD_ATTACH: {
			break;
		}
	case DLL_THREAD_DETACH: {
			break;
		}
	}
	return(TRUE);
}

BOOL myFindNextFileW (HANDLE hFindFile,LPWIN32_FIND_DATA lpFindFileData)
{
	FILE *hfptr4;
	hfptr4 = fopen("c:\\hookedCP.txt", "a");
	fprintf(hfptr4, "%s", "findNextFile\n");
	fclose(hfptr4);
	ShowMessage("FindNextFileW");
	return FindNextFileW(hFindFile, (_WIN32_FIND_DATAW *)lpFindFileData);
}

Recommended answer



Hi,

There is only a single possibility. When you get the Data Execution Prevention error message... it means that the instructions located in memory were not marked with execute access.

It sounds like you are using an old hook library that was written prior to 2004 and intended for use with Windows XP SP1 and below. Windows XP SP2 was released in 2004 and brought DEP and broke many of the old hook libraries that were not using the VirtualProtect function to mark the memory as executable.

Best Wishes,
-David Delaune

[Updated dates and Service pack numbers]
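
A defender-side check related to the answer above, added here as an example (not code from the question or the answer): it classifies where each import-table slot points, reporting a target in non-executable memory (the case DEP faults on) separately from a target in another module. The region list, slot addresses, hook.dll and the EXEC_MASK helper are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Page-protection values from the Windows SDK (winnt.h). */
#define PAGE_READWRITE    0x04
#define PAGE_EXECUTE_READ 0x20
#define EXEC_MASK         0xF0  /* hypothetical helper: all four PAGE_EXECUTE* bits */

typedef struct { uint64_t base, size; uint32_t protect; const char *owner; } region_t;
typedef struct { const char *name, *expected_owner; uint64_t target; } iat_slot_t;
typedef enum { SLOT_OK, SLOT_REDIRECTED, SLOT_NONEXEC, SLOT_UNMAPPED } verdict_t;

/* Constructed snapshot, not from a real process: the region list a scanner
   would build from VirtualQueryEx results plus the loaded-module list. */
static const region_t regions[] = {
    { 0x76001000, 0x80000, PAGE_EXECUTE_READ, "kernel32.dll" }, /* code */
    { 0x10001000, 0x4000,  PAGE_EXECUTE_READ, "hook.dll" },     /* hypothetical DLL */
    { 0x00350000, 0x1000,  PAGE_READWRITE,    "(heap)" },
};
/* Constructed import-table slots with the addresses currently stored in them. */
static const iat_slot_t slots[] = {
    { "FindFirstFileW", "kernel32.dll", 0x76012340 },
    { "FindNextFileW",  "kernel32.dll", 0x10001a00 },
    { "FindClose",      "kernel32.dll", 0x00350040 },
    { "CreateFileW",    "kernel32.dll", 0x7fff0000 },
};

static const region_t *find_region(uint64_t addr) {
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++)
        if (addr >= regions[i].base && addr - regions[i].base < regions[i].size)
            return &regions[i];
    return NULL;
}

/* Forwarded exports resolve into another DLL legitimately: allowlist those. */
verdict_t classify_slot(const iat_slot_t *s) {
    const region_t *r = find_region(s->target);
    if (!r) return SLOT_UNMAPPED;
    if (!(r->protect & EXEC_MASK)) return SLOT_NONEXEC;  /* a call here faults under DEP */
    return strcmp(r->owner, s->expected_owner) ? SLOT_REDIRECTED : SLOT_OK;
}

int main(void) {
    static const char *label[] = { "ok", "redirected", "non-executable target", "unmapped" };
    for (size_t i = 0; i < sizeof slots / sizeof slots[0]; i++)
        printf("%-15s -> %s\n", slots[i].name, label[classify_slot(&slots[i])]);
    return 0;
}
```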

