Simple way to hook registry access for specific process


Question


Is there a simple way to hook registry access of a process that my code executes? I know about SetWindowsHookEx and friends, but its just too complex... I still have hopes that there is a way as simple as LD_PRELOAD on Unix...

Answer


Read up on the theory of DLL Injection here: http://en.wikipedia.org/wiki/DLL_injection


However, I will supply you with a DLL Injection snippet here: http://www.dreamincode.net/code/snippet407.htm


It's pretty easy to do these types of things once you're in the memory of an external application, upon injection, you might as well be a part of the process.


There's something called detouring, which I believe is what you're looking for, it simply hooks a function, and when that process calls it, it executes your own function instead. (To ensure that it doesn't crash, call the function at the end of your function)


So if you were wanting to write your own function over CreateRegKeyEx


(http://msdn.microsoft.com/en-us/library/ms724844%28v=vs.85%29.aspx)

it could look something like this:

    #include <windows.h>

    // Replacement for RegCreateKeyEx: inspect the arguments, then forward to the real function
    LONG WINAPI myRegCreateKeyEx(HKEY hKey, LPCTSTR lpSubKey, DWORD Reserved, LPTSTR lpClass, DWORD dwOptions, REGSAM samDesired, LPSECURITY_ATTRIBUTES lpSecurityAttributes, PHKEY phkResult, LPDWORD lpdwDisposition)
    {
        //check for suspicious keys being made via the parameters

        // Forward the call and return its status code so the caller sees the real result
        return RegCreateKeyEx(hKey, lpSubKey, Reserved, lpClass, dwOptions, samDesired, lpSecurityAttributes, phkResult, lpdwDisposition);
    }


You can get a very well written detour library called DetourXS here: http://www.gamedeception.net/threads/10649-DetourXS


Here is his example code of how to establish a detour using it:

    #include <windows.h>
    #include <stdio.h>
    #include <detourxs.h>

    typedef DWORD (WINAPI* tGetTickCount)(void);
    tGetTickCount oGetTickCount;   // trampoline back to the original GetTickCount

    DWORD WINAPI hGetTickCount(void)
    {
        printf("GetTickCount hooked!\n");
        return oGetTickCount();    // forward to the original so the caller still gets a real tick count
    }

    void InstallHook(void)
    {
        // To create the detour
        oGetTickCount = (tGetTickCount) DetourCreate("kernel32.dll", "GetTickCount", hGetTickCount, DETOUR_TYPE_JMP);

        // ...Or an address (alternative form; 0x00000000 is a placeholder for the real address)
        // oGetTickCount = (tGetTickCount) DetourCreate(0x00000000, hGetTickCount, DETOUR_TYPE_JMP);

        // ...You can also specify the detour len (alternative form)
        // oGetTickCount = (tGetTickCount) DetourCreate(0x00000000, hGetTickCount, DETOUR_TYPE_JMP, 5);
    }

    void RemoveHook(void)
    {
        // To remove the detour
        DetourRemove(oGetTickCount);
    }


And if you can't tell, that snippet is hooking GetTickCount() and whenever the function is called, he writes "GetTickCount hooked!" -- then he executes the function GetTickCount as it was intended.


Sorry for being so scattered with info, but I hope this helps. :) -- I realize this is an old question. --
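The answer's two snippets share one pattern: save a pointer to the original function, install a replacement that inspects the arguments, and call the original at the end so the hooked program keeps working. The following is an added example, not code from the answer and not DetourXS: it models that pattern in portable C by swapping a function pointer instead of patching advapi32 in a live process, and fills in the "check for suspicious keys" comment with a monitor that flags key creations under common autostart locations. The names (`reg_create_key_ex_t`, `install_hook`, `classify_subkey`, `monitored_create_key`) and the watched-key list are this example's own assumptions.

```c
// Added example: detour-style hook modelled with a function pointer (not DetourXS).
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define ERROR_SUCCESS 0L

// Simplified stand-in for the RegCreateKeyEx signature (root name + subkey only).
typedef long (*reg_create_key_ex_t)(const char *root, const char *subkey);

// Stand-in for the real API (constructed): always succeeds.
static long real_reg_create_key_ex(const char *root, const char *subkey) {
    (void)root; (void)subkey;
    return ERROR_SUCCESS;
}

// The "import" the monitored code goes through. A detour engine would patch
// the first bytes of the real function; here the pointer itself is patched.
static reg_create_key_ex_t RegCreateKeyExPtr = real_reg_create_key_ex;

// Saved original, in the role of oGetTickCount in the DetourXS snippet.
static reg_create_key_ex_t oRegCreateKeyEx = NULL;

// Audit state for the reader/test: last key seen, its verdict, call count.
static char last_key[256];
static int last_flagged;
static int hook_calls;

// Case-insensitive prefix match; registry paths are case-insensitive.
static int starts_with_ci(const char *s, const char *prefix) {
    while (*prefix) {
        if (!*s || tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
        s++; prefix++;
    }
    return 1;
}

// "Check for suspicious keys being made via the parameters": here, keys
// commonly used for autostart persistence. The list is illustrative only.
int classify_subkey(const char *subkey) {
    static const char *watched[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
        "SYSTEM\\CurrentControlSet\\Services",
    };
    size_t i;
    if (!subkey) return 0;
    for (i = 0; i < sizeof watched / sizeof watched[0]; i++)
        if (starts_with_ci(subkey, watched[i])) return 1;
    return 0;
}

// The hook (hGetTickCount's role): inspect, log, then call the original last.
static long hRegCreateKeyEx(const char *root, const char *subkey) {
    hook_calls++;
    snprintf(last_key, sizeof last_key, "%s\\%s", root ? root : "?", subkey ? subkey : "");
    last_flagged = classify_subkey(subkey);
    if (last_flagged)
        fprintf(stderr, "[hook] flagged registry key create: %s\n", last_key);
    return oRegCreateKeyEx(root, subkey);   // forward so the caller still gets the real result
}

void install_hook(void) {
    if (oRegCreateKeyEx) return;            // already installed
    oRegCreateKeyEx = RegCreateKeyExPtr;    // save original (DetourCreate's return value)
    RegCreateKeyExPtr = hRegCreateKeyEx;    // redirect callers to the hook
}

void remove_hook(void) {
    if (!oRegCreateKeyEx) return;
    RegCreateKeyExPtr = oRegCreateKeyEx;    // restore original (DetourRemove's role)
    oRegCreateKeyEx = NULL;
}

// What the monitored program calls; goes through the hook while it is installed.
long monitored_create_key(const char *root, const char *subkey) {
    return RegCreateKeyExPtr(root, subkey);
}

int last_call_flagged(void) { return last_flagged; }
int hook_call_count(void) { return hook_calls; }

int main(void) {
    install_hook();
    monitored_create_key("HKCU", "Software\\Example\\Settings");
    monitored_create_key("HKCU", "Software\\Microsoft\\Windows\\CurrentVersion\\Run");
    remove_hook();
    printf("hook saw %d calls, last flagged=%d\n", hook_call_count(), last_call_flagged());
    return 0;
}
```

The point carried over from the answer is the last line of the hook: it always forwards to the saved original and returns that result, so the monitored process sees normal behaviour and only the monitor's log changes. Swapping the pointer for a real detour engine changes how `oRegCreateKeyEx` is obtained, not the shape of the hook.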
