How to find a function's address to hook/detour in an EXE file?

你。 posted on 2019-12-21 17:50:04

Question


I drove against a wall again and need your help with some low-level stuff. I already succeeded in hooking exported DLL functions (with this code btw.) by injecting them into my target process (e.g. I can easily detour MessageBoxW from user32.dll). Unfortunately I aim for a different scenario: I have to detour a function defined inside the executable I'm injecting my code into. The application is open source, so I know everything about the function I'd need for hooking it, but the binary is signed with a certificate, so I cannot compile my own version. Is it possible to fetch the function's address at runtime or detour it with another technique? The target is a "normal" 32-bit Windows binary btw., nothing special I thought ;)

Yours, Nefarius

EDIT: maybe due to my lame English I was not detailed enough, so here a little sample code:

#include <windows.h>
#include <stdio.h>

BOOL foo(char* someData);   /* forward declaration so WinMain can call foo */

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
    foo("some data");       /* foo expects a string argument */
    return 0;
}

/* The function to be detoured: it lives in the EXE itself, not in a DLL. */
BOOL foo(char* someData)
{
    return printf("%s", someData);
}

Now I want to detour the function foo(), which does not exist in a dynamic library. This is my problem. I don't know how, and I'm not sure if this works like I think it does.

EDIT: Now I know it is possible, so the important question changed to: how? How do I get the information I need, the function's address?


Answer 1:


Sure, just use something like Ollydbg to set a breakpoint, and edit the assembly after the executable has loaded (and finished checking its certificate). To do it permanently is a bit more challenging, but depending on how sophisticated the certificate check is, you might just be able to bypass that bit of code by replacing it with a NOP (no operation).

EDIT: If you're running 64-bit Windows, you might have better luck with Microsoft's own Debugging Tools. I've never used them, so I have no idea how they compare to Ollydbg.




Answer 2:


If this is for something that is more than a one time debugging jaunt, look into Microsoft Detours, an API for hooking functions.




Answer 3:


You need to get the function's address, then insert a jmp at the function's entry point to your procedure, and then restore the original proc and jump back to the original function.
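The answer above describes the patch an inline hook leaves at a function's entry point. The check below is an added example, not code from this thread: it is what an integrity scanner runs over the first bytes of a 32-bit x86 function to detect such a detour and recover where control is redirected. The addresses and byte sequences are constructed; `check_entry_for_detour` and `hook_check_t` are names chosen here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Outcome of inspecting the first bytes of a 32-bit x86 function. */
typedef struct {
    int hooked;       /* 1 if the entry point has been overwritten with a detour */
    uint32_t target;  /* where control goes instead (for jmp [abs32]: the pointer slot) */
    const char *kind; /* which patch pattern was recognised */
} hook_check_t;

/* Examine `len` bytes copied from the function at virtual address `func_addr`.
   Recognises the three classic entry-point detours used by inline hooking on
   32-bit Windows: JMP rel32, JMP [abs32] and PUSH imm32 / RET. A normal
   prologue such as 55 8B EC (push ebp / mov ebp, esp) reports clean.
   Assumes a little-endian host, as on the x86 target itself. */
hook_check_t check_entry_for_detour(uint32_t func_addr, const uint8_t *code, size_t len)
{
    hook_check_t r = { 0, 0, "clean" };

    if (len >= 5 && code[0] == 0xE9) {
        /* E9 rel32: displacement is relative to the end of the 5-byte instruction. */
        int32_t rel;
        memcpy(&rel, code + 1, sizeof rel);
        r.hooked = 1;
        r.target = func_addr + 5 + (uint32_t)rel;
        r.kind = "jmp rel32";
    } else if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        /* FF 25 abs32: indirect jump through a pointer stored at abs32. */
        uint32_t slot;
        memcpy(&slot, code + 2, sizeof slot);
        r.hooked = 1;
        r.target = slot;
        r.kind = "jmp [abs32]";
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        /* 68 imm32 C3: push an address and "return" into it. */
        uint32_t imm;
        memcpy(&imm, code + 1, sizeof imm);
        r.hooked = 1;
        r.target = imm;
        r.kind = "push/ret";
    }
    return r;
}
```

Comparing the live bytes against the prologue expected from the open-source build is the simpler complement: any mismatch at the entry point, whatever its encoding, is worth flagging.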




Answer 4:


Use EasyHook for that. With that library you can intercept a function with the address.




Answer 5:


I acquired my aim with hooking some low-level Windows API functions, not the best solution but it works, Assembler isn't mine...



Source: https://stackoverflow.com/questions/4317465/how-to-find-a-functions-address-to-hook-detour-in-an-exe-file
