资源管理器(explorer.exe)在CreateProcess钩子上崩溃 [英] explorer crashing on CreateProcess hook


问题描述

我正在向explorer.exe中注入一个DLL来钩住CreateProcess,这样就可以在用户打开某些可执行文件时进行拦截(我选择这种钩子方法是因为我正在尝试更多地了解钩子,我知道也可以用WMI或其他方式实现)。
我用来钩住的库是:
DDetours



钩子正在工作,我执行的每个应用程序都会弹出我在HookProc中设置的消息框,但在消息框之后,explorer.exe就崩溃了。
注入DLL的代码工作正常,如果我只注入一个空的DLL或一个只有消息框的DLL,一切都正常。所以我认为问题出在钩子的设置上。这是DLL代码:

library DLL;

uses
  Windows, DDetours;

{$R *.res}

var
  CreateProcessHook: function(var lpApplicationName: String;
            lpCommandLine: String;
            lpProcessAttributes: IntPtr;
            lpThreadAttributes: IntPtr;
            bInheritHandles: Boolean;
            dwCreationFlags: Int32;
            lpEnvironment: IntPtr;
            lpCurrentDirectory: IntPtr;
            lpStartupInfo: STARTUPINFO;
            lpProcessInformation: PROCESS_INFORMATION): Boolean; stdcall = nil;

function InterceptCreateProcess(lpApplicationName: String;
            lpCommandLine: String;
            lpProcessAttributes: IntPtr;
            lpThreadAttributes: IntPtr;
            bInheritHandles: Boolean;
            dwCreationFlags: Int32;
            lpEnvironment: IntPtr;
            lpCurrentDirectory: IntPtr;
            lpStartupInfo: STARTUPINFO;
            lpProcessInformation: PROCESS_INFORMATION): Boolean; stdcall;
begin
  MessageBoxA(0, 'Process created :)', 'Hooked', 0);
end;

procedure DLLMain(dwReason: DWORD);
begin
  case dwReason of
    DLL_PROCESS_ATTACH:
    begin
      MessageBoxA(0, 'Injected', 'Injected', MB_OK);
      @CreateProcessHook := InterceptCreate(@CreateProcess, @InterceptCreateProcess);
    end;
  end;
end;

begin
  DLLProc := @DLLMain;
  DLLMain(DLL_PROCESS_ATTACH);
end.

如你所见,InterceptCreateProcess只显示一个消息框,当我打开某些可执行文件时它确实会显示,但如上所述,资源管理器会崩溃。我认为问题出在CreateProcess函数变量的声明上。有什么提示吗?
一切都是64位

解决方案

你的钩子函数与 CreateProcess() 的正确签名不匹配。试试这样做:

library DLL;

uses
  Windows, DDetours;

{$R *.res}

var
  CreateProcessHook: function(lpApplicationName: PChar;
            lpCommandLine: PChar;
            lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
            bInheritHandles: BOOL;
            dwCreationFlags: DWORD;
            lpEnvironment: Pointer;
            lpCurrentDirectory: PChar;
            const lpStartupInfo: STARTUPINFO;
            var lpProcessInformation: PROCESS_INFORMATION): BOOL; stdcall = nil;

function InterceptCreateProcess(lpApplicationName: PChar;
            lpCommandLine: PChar;
            lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
            bInheritHandles: BOOL;
            dwCreationFlags: DWORD;
            lpEnvironment: Pointer;
            lpCurrentDirectory: PChar;
            const lpStartupInfo: STARTUPINFO;
            var lpProcessInformation: PROCESS_INFORMATION): BOOL; stdcall;
begin
  Result := CreateProcessHook(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
  MessageBox(0, 'CreateProcess', 'Hooked', 0);
end;

procedure DLLMain(dwReason: DWORD);
begin
  case dwReason of
    DLL_PROCESS_ATTACH:
    begin
      @CreateProcessHook := InterceptCreate(@CreateProcess, @InterceptCreateProcess);
      MessageBox(0, 'Injected', 'Injected', MB_OK);
    end;
    DLL_PROCESS_DETACH:
    begin
      InterceptRemove(@CreateProcessHook);
    end;
  end;
end;

begin
  DLLProc := @DLLMain;
  DLLMain(DLL_PROCESS_ATTACH);
end.


I'm injecting a DLL inside explorer.exe to hook CreateProcess, this way I can intercept when the user opens some executables (I chose this hook method because I'm trying to learn more about hooks; I know it could be done using WMI or other ways). The library I'm using to hook is: DDetours

The hook is working, and every app I execute pops up the message box I set in the HookProc, but right after the message box, explorer.exe crashes. The code to inject the DLL is working fine, and if I just inject an empty DLL or a DLL with just a message box everything works properly. So I believe the problem is somewhere in the hook setup. Here is the DLL code:

library DLL;

uses
  Windows, DDetours;

{$R *.res}

var
  // Procedural variable that will receive the DDetours trampoline returned by
  // InterceptCreate (see DLLMain); calling it reaches the original CreateProcess.
  // NOTE(review): this declaration does not match the Win32 CreateProcess()
  // prototype. Compare the accepted answer below: PChar, PSecurityAttributes,
  // BOOL, DWORD, Pointer, a const STARTUPINFO and a var PROCESS_INFORMATION.
  // Declaring String, IntPtr, Boolean, Int32 and by-value records here is what
  // the answer identifies as the cause of the explorer.exe crash.
  CreateProcessHook: function(var lpApplicationName:String;
            lpCommandLine:String;
            lpProcessAttributes:IntPtr;
            lpThreadAttributes:IntPtr;
            bInheritHandles:Boolean;
            dwCreationFlags:Int32;
            lpEnvironment:IntPtr;
            lpCurrentDirectory:IntPtr;
            lpStartupInfo:STARTUPINFO;
            lpProcessInformation:PROCESS_INFORMATION): Boolean; stdcall = nil;

function InterceptCreateProcess(lpApplicationName:String;
            lpCommandLine:String;
            lpProcessAttributes:IntPtr;
            lpThreadAttributes:IntPtr;
            bInheritHandles:Boolean;
            dwCreationFlags:Int32;
            lpEnvironment:IntPtr;
            lpCurrentDirectory:IntPtr;
            lpStartupInfo:STARTUPINFO;
            lpProcessInformation:PROCESS_INFORMATION): Boolean; stdcall;
  // Replacement installed over CreateProcess by InterceptCreate (see DLLMain).
  // NOTE(review): besides the signature mismatch documented on CreateProcessHook,
  // this body never forwards the call through CreateProcessHook, so the intercepted
  // CreateProcess request is swallowed, and Result is never assigned, so the caller
  // receives an undefined return value. The accepted answer forwards the call and
  // sets Result before showing the message box.
  begin
    MessageBoxA(0, 'Process created :)', 'Hooked', 0);
  end;

procedure DLLMain(dwReason: DWORD);
// DLL entry-point callback; assigned to DLLProc in the initialization section below.
begin
  case dwReason of
  DLL_PROCESS_ATTACH:
  begin
    // NOTE(review): this MessageBoxA runs during DLL_PROCESS_ATTACH, i.e. while the
    // loader lock is held; a modal dialog here blocks the explorer.exe thread that
    // is loading the DLL until it is dismissed.
    MessageBoxA(0,'Injected', 'Injected', MB_OK);
    // Patch CreateProcess in this process and keep the trampoline for pass-through.
    @CreateProcessHook:= InterceptCreate(@CreateProcess, @InterceptCreateProcess);
  end;
  // NOTE(review): there is no DLL_PROCESS_DETACH branch, so the detour is never
  // removed with InterceptRemove before the DLL unloads (the accepted answer adds one).
  end;
end;

begin
 // Library initialization: route later attach/detach notifications to DLLMain and
 // run the attach branch once by hand (presumably because the initialization section
 // itself runs during the first DLL_PROCESS_ATTACH, so DLLProc is not invoked for it).
 DLLProc := @DLLMain;
 DLLMain(DLL_PROCESS_ATTACH);
end.

As you can see, InterceptCreateProcess just shows a message box, and this works when I open some executable, but as said above, explorer crashes. I think it's something with the declaration of the CreateProcess function variables. Any tips? Everything is 64-bit.

解决方案

Your hook functions do not match the proper signature of CreateProcess(). Try this instead:

library DLL;

uses
  Windows, DDetours;

{$R *.res}

var
  // Trampoline to the original CreateProcess, filled in by InterceptCreate in DLLMain.
  // The parameter list matches the Win32 CreateProcess() prototype, which is what the
  // question's version got wrong; it must stay identical to InterceptCreateProcess,
  // since the hook forwards every argument through this variable.
  CreateProcessHook: function(lpApplicationName: PChar;
            lpCommandLine: PChar;
            lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
            bInheritHandles: BOOL;
            dwCreationFlags: DWORD;
            lpEnvironment: Pointer;
            lpCurrentDirectory: PChar;
            const lpStartupInfo: STARTUPINFO;
            var lpProcessInformation: PROCESS_INFORMATION): BOOL; stdcall = nil;

function InterceptCreateProcess(lpApplicationName: PChar;
            lpCommandLine: PChar;
            lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
            bInheritHandles: BOOL;
            dwCreationFlags: DWORD;
            lpEnvironment: Pointer;
            lpCurrentDirectory: PChar;
            const lpStartupInfo: STARTUPINFO;
            var lpProcessInformation: PROCESS_INFORMATION): BOOL; stdcall;
// Replacement installed over CreateProcess by InterceptCreate (see DLLMain).
// The parameter list mirrors the Win32 CreateProcess() prototype and must stay in
// step with the CreateProcessHook variable above; a mismatch is exactly the crash
// the question describes.
var
  Created: BOOL;
begin
  // Forward every argument untouched through the trampoline so the process is
  // really created and the caller gets the genuine result.
  Created := CreateProcessHook(lpApplicationName, lpCommandLine,
                               lpProcessAttributes, lpThreadAttributes,
                               bInheritHandles, dwCreationFlags,
                               lpEnvironment, lpCurrentDirectory,
                               lpStartupInfo, lpProcessInformation);
  // Only notify after the original call has returned; MessageBox is modal and
  // blocks the calling explorer.exe thread until it is dismissed.
  MessageBox(0, 'CreateProcess', 'Hooked', 0);
  Result := Created;
end;

procedure DLLMain(dwReason: DWORD);
// DLL entry-point callback assigned to DLLProc in the initialization section below.
// Installs the CreateProcess detour on attach and removes it again on detach.
begin
  if dwReason = DLL_PROCESS_ATTACH then
  begin
    // InterceptCreate patches CreateProcess in this process and hands back the
    // trampoline that still reaches the original; the hook uses it for pass-through.
    @CreateProcessHook := InterceptCreate(@CreateProcess, @InterceptCreateProcess);
    // NOTE(review): this dialog is shown during DLL_PROCESS_ATTACH, i.e. while the
    // loader lock is held, and blocks the loading thread until dismissed.
    MessageBox(0, 'Injected', 'Injected', MB_OK);
  end
  else if dwReason = DLL_PROCESS_DETACH then
  begin
    // Restore the original bytes before this image is unmapped; otherwise the
    // patched CreateProcess would presumably still redirect into unloaded code.
    InterceptRemove(@CreateProcessHook);
  end;
end;

begin
 // Library initialization: route later attach/detach notifications to DLLMain and
 // run the attach branch once by hand (presumably because the initialization section
 // itself runs during the first DLL_PROCESS_ATTACH, so DLLProc is not invoked for it).
 DLLProc := @DLLMain;
 DLLMain(DLL_PROCESS_ATTACH);
end.

