How to call a static library's static class member function from the victim process of a DLL injection


Question

I have successfully hooked a victim application with DLL injection. I now need to call an un-exported singleton function of the victim process. Is this possible, and how would I go about it?

Whilst I have the object files etc. of the victim process, I am unable to rebuild/deploy new versions, so I can't just create a function with export linkage.

I have tried this code in my hook process:

#include "VictimSingleton.h"
//...
void SomeFuncInHook()
{
  VictimSingleton *vs = VictimSingleton::Get();
  vs->DoThing();
}

Internally, Get() is implemented like this:

VictimSingleton* VictimSingleton::Get()
{
  static VictimSingleton singleton;
  return &singleton;
}

Expected result: VictimSingleton::Get() returns the same address when called from my hook or from my victim process.

Actual result: the pointer returned by Get, whilst valid, refers to a different VictimSingleton than the one used by the victim process.

I guess that is because there are two separate translation units, so it creates a different version of the singleton when called from my hook process.

Answer

If the function is not exported, you don't have a PDB, and debug symbols aren't embedded, then first you must find the function using a disassembler such as IDA Pro. If it is a virtual function, finding it will be much easier, because you can expose the Run-Time Type Information with an IDA plugin such as Class Informer; this will give you a list of all the vtable functions.

Once you have the address of the function, you need to reverse its calling convention and its arguments. Most likely this is a __thiscall function, because it's a member function.

Next, in order to call a member function you require a class instance to pass as the this pointer. To do so, you can also find the class's constructor and call that, using its return as your instance.

Next, you need to call the function. To call a __thiscall function you actually call it as a __fastcall: you pass the address of the object you created, the this pointer, as the first argument, a 0 as the second argument, followed by the actual function arguments.

The second argument is a zero because __fastcall expects a variable passed in EDX.

Typedef a function pointer prototype, create an instance of this function pointer, assign it the address of the function, and then call it.

// Prototype of the __thiscall target, called as __fastcall: `this` goes in
// ECX as the first argument; the second argument only occupies EDX.
typedef void(__fastcall* fFunc)(void* thisptr, void* not_edx, float arg1, int arg2);

fFunc Func = (fFunc)0xDEADC0DE; // address of the function, as found in the disassembler

Func(objectPtr, 0, 1.0f, 2); // objectPtr is the instance obtained from the constructor
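The following is an added example, not code from the question or the answer above. It models the post's situation in one file: a host (the "victim") and an injected DLL each link the same static library, so each has its own VictimSingleton::Get() and its own static instance; the injected side reaches the host's real instance only by calling the host's Get() and DoThing() through raw addresses with the calling convention the answer describes. Everything beyond the names VictimSingleton, Get and DoThing is assumed for illustration: the HostModule/InjectedModule tags that stand for the two binaries, the DoThing(int) signature and its counter, the CALL_THIS shim, and the RawAddress helper, which pulls a code address out of a pointer-to-member as a stand-in for the module base + RVA you would read out of IDA (valid for non-virtual members under the Itanium ABI and for MSVC single-inheritance classes). Because the question wants the existing singleton rather than a fresh object, the instance is obtained from the host's own Get() instead of from the constructor.

```cpp
// Added example (not from the original post): calling a non-exported
// __thiscall member function of the host process through a raw address,
// and why the injected module's own Get() returns a different object.
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <cstring>

// The class as the static library defines it. The Module tag (assumed for
// this example) stands for the binary a copy of the code was linked into.
template <class Module>
struct VictimSingleton {
    static VictimSingleton* Get() {
        static VictimSingleton singleton;   // one per copy of Get(), i.e. per module
        return &singleton;
    }
    int DoThing(int delta) { counter += delta; return counter; }   // assumed signature
    int counter = 0;
};
struct HostModule {};
struct InjectedModule {};
using HostSingleton = VictimSingleton<HostModule>;      // the victim process's copy
using DllSingleton  = VictimSingleton<InjectedModule>;  // the injected DLL's copy

// Calling-convention shim for the __thiscall member function.
// 32-bit MSVC: __thiscall passes `this` in ECX; a __fastcall pointer with a
// dummy second (EDX) argument reproduces that, as the answer describes.
// x64 (MSVC and SysV) and AArch64: `this` is simply the first argument of
// the default convention, so no dummy argument is needed.
#if defined(_MSC_VER) && defined(_M_IX86)
typedef int (__fastcall* DoThingFn)(void* self, void* edx_unused, int delta);
#define CALL_THIS(fn, self, ...) (fn)((self), nullptr, __VA_ARGS__)
#else
typedef int (*DoThingFn)(void* self, int delta);
#define CALL_THIS(fn, self, ...) (fn)((self), __VA_ARGS__)
#endif
// Get() is a static member, so it is an ordinary (__cdecl) function.
typedef void* (*GetFn)();

// Stand-in for the disassembler: extract a member function's code address
// from a pointer-to-member. Assumption: the first pointer-sized word of the
// pointer-to-member is the code address (Itanium ABI non-virtual members,
// MSVC single-inheritance classes).
template <class PMF>
uintptr_t RawAddress(PMF pmf) {
    static_assert(sizeof(PMF) >= sizeof(uintptr_t), "unexpected pointer-to-member layout");
    uintptr_t addr;
    std::memcpy(&addr, &pmf, sizeof(addr));
    return addr;
}

struct InjectedResult {
    void* dll_instance;       // what a plain VictimSingleton::Get() in the DLL returns
    void* host_instance;      // what the host's Get(), called by address, returns
    int   host_counter_after; // return value of the host's DoThing()
};

// The injected DLL's logic once it knows the two host addresses.
InjectedResult RunInjected(uintptr_t host_get_addr, uintptr_t host_dothing_addr) {
    InjectedResult r{};
    // 1. The naive call from the question resolves to the DLL's own Get() and
    //    therefore to a different object (the question's "actual result").
    r.dll_instance = DllSingleton::Get();
    // 2. Call the host's Get() at its known address to obtain the host's instance.
    GetFn hostGet = reinterpret_cast<GetFn>(host_get_addr);
    r.host_instance = hostGet();
    // 3. Call the host's DoThing() on that instance with the right convention.
    DoThingFn hostDoThing = reinterpret_cast<DoThingFn>(host_dothing_addr);
    r.host_counter_after = CALL_THIS(hostDoThing, r.host_instance, 5);
    return r;
}

int main() {
    // Host side: the "addresses found in IDA". In a real injection these are
    // the victim module's base address plus the RVA of each function.
    uintptr_t get_addr     = reinterpret_cast<uintptr_t>(&HostSingleton::Get);
    uintptr_t dothing_addr = RawAddress(&HostSingleton::DoThing);

    InjectedResult r = RunInjected(get_addr, dothing_addr);
    std::printf("DLL's own singleton : %p\n", r.dll_instance);
    std::printf("host singleton      : %p (host sees %p)\n",
                r.host_instance, static_cast<void*>(HostSingleton::Get()));
    std::printf("host counter after  : %d (host reads %d)\n",
                r.host_counter_after, HostSingleton::Get()->counter);
    return 0;
}
```

The two printed singleton addresses differ, which is exactly the symptom in the question, while the host's own Get() agrees with the address obtained through the raw call and the host reads the counter change made from the injected side. In a real DLL the only thing that changes is where the two addresses come from: the victim module's base (GetModuleHandle on Windows) plus the RVAs recovered in the disassembler, which also fix the target to the architecture the shim was written for.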
