我正在尝试使用 EasyHook 来检测本机 LoadLibrary 调用。它确实检测到库的加载,但是该过程导致冻结。这是因为下面的LoadLibrary_Hook方法无法加载 dll 或库,因为它返回 0 IntPtr(可能找不到库。)。我什至尝试将事件设置为“void”类型,但随后进程就崩溃了,这可能是因为 EasyHook 期望我返回一个值来覆盖该函数。有没有办法让我返回要加载的确切需要的库,或者只是获取正在加载的库的名称而无需手动加载库?(也有这样的名字在加载过程中:瑮汤汤l逦逦仇嗿謘ౕ㍓四襗ﱝ嶉觬嶉觰嶉㯨࿓トă谋萋苐苒るるバ㤉ᡝ萏ϯ팻Ѵ᪉ᢉ疋㬐ă㬀瓋謇ᡅᦉᢉ綋㬜 有点奇怪……)private static LocalHook hook;[DllImport("kernel32.dll", CharSet=CharSet.Auto)]public static extern IntPtr GetModuleHandle(string lpModuleName);[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]public static extern IntPtr LoadLibrary(string lpFileName);[DllImport("kernel32.dll", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)]public static extern IntPtr GetProcAddress(IntPtr handle, string varormethodname);[UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]public delegate IntPtr LoadLibraryDelegate(string lpFileName);public TestHook(){ IntPtr kernel32 = GetModuleHandle("kernel32.dll"); Logger.Log("Kernel: " + kernel32); IntPtr address = GetProcAddress(kernel32, "LoadLibraryA"); Logger.Log("Address: " + address); hook = LocalHook.Create(address, new LoadLibraryDelegate(LoadLibrary_Hook), null); hook.ThreadACL.SetExclusiveACL(new Int32[] {0}); //RemoteHooking.WakeUpProcess();}public IntPtr LoadLibrary_Hook(string lpFileName){ Logger.Log("File load: " + lpFileName); return LoadLibrary(lpFileName);}
1 回答
喵喵时光机
TA贡献1846条经验 获得超7个赞
解决方案是使用原始函数地址调用原始方法:
public IntPtr LoadLibrary_Hook(string lpFileName)
{
Logger.Log("File load: " + lpFileName);
LoadLibraryDelegate origMethod = (LoadLibraryDelegate)Marshal.GetDelegateForFunctionPointer(LoadLibraryAddress, typeof(LoadLibraryDelegate));
return origMethod(lpFileName);
}
- 1 回答
- 0 关注
- 280 浏览
添加回答
举报
0/150
提交
取消