subject_21551.htm
From "一些关于vc的问答" (Some Q&A about VC) · HTM source · 81 lines · page 1/2
<hr size=1>
<blockquote><p>
Replied by: 佟锐 Reply date: 2002-11-20 22:52:53
<br>Content: You may want to use API hooking to intercept the user's file calls. I just used SoftICE on WinXP to intercept the CreateProcessW function, and confirmed that it is caught when double-clicking in Explorer. Also: CreateProcess is split into two functions, CreateProcessA (for ANSI strings; the 98 operating system) and CreateProcessW (for Unicode; NT, 2K, XP and so on). Intercept according to the operating system. Whether you double-click or call ShellExecuteExW, inside the operating system a new process has to be created for it, so in the end CreateProcess is triggered, and that function calls CreateProcessA or CreateProcessW depending on the operating system.
<br>
<a href="http://www.copathway.com/cndevforum/">Visit the forum</a></p></blockquote>
<hr size=1>
<blockquote><p>
Replied by: John Lan Reply date: 2002-11-20 23:45:32
<br>Content: CreateProcessW() on 2k.<BR><code>bpx CreateProcessW IF PID==XXX</code> (XXX is explorer's process id.)
</p></blockquote>
<hr size=1>
<blockquote><p>
Replied by: 风语战士 Reply date: 2002-11-21 08:40:09
<br>Content: To 佟锐: my system is 98, and what I intercept is CreateProcessA too, but I didn't catch it. I now suspect that hook techniques are not enough to do what I need. Hooks are limited in what they can do, I think. For example, when intercepting a process, if the process explicitly calls CreateProcessA it can be caught, but I don't know how Explorer does it; I just can't catch it. What I want is this: when the user double-clicks or selects a file (an EXE or otherwise), decide by its name whether the user's process may run, and stop illegitimate programs from running. Does anyone know of a technique other than a VxD (I'm really not familiar with drivers) that could do what I want?
</p></blockquote>
<hr size=1>
<blockquote><p>
Replied by: verybigbug Reply date: 2002-11-21 09:32:25
<br>Content: Hooks are very limited, and API hooking is very limited too.<BR>Just use the policy editor that Windows provides.<BR>Besides, even if you restrict what Explorer launches, you haven't restricted other programs calling CreateProcess.<BR>
</p></blockquote>
<hr size=1>
<blockquote><p>
Replied by: 佟锐 Reply date: 2002-11-21 22:45:47
<br>Content: On 98 I replaced the CreateProcessA function in kernel32.dll, and double-clicking in Explorer confirmed that it can be intercepted; even vm can be intercepted. I understand the implicit call you mention. Please describe in detail the approach with which you fail to intercept, and we can look into it.
</p></blockquote>
<hr size=1>
<blockquote><p>
Replied by: 风语战士 Reply date: 2002-11-22 08:34:17
<br>Content: I'm posting the main part of the program. I use a global hook, in a DLL. My program has a problem: it seems unable to undo the replacement; after I end the process, EXPLORER becomes very unstable and usually dies.
</p>
<pre><code>
// Global hook DLL: patches the import address table (IAT) of the EXE this DLL is loaded
// into so that its CreateProcessA import points at MyCreateProcessA, and restores the
// original entry on unload.
#include &lt;windows.h&gt;

#ifndef AHOOK_API
#define AHOOK_API __declspec(dllexport)
#endif

// Pointer-arithmetic helper: (cast)((DWORD)ptr + addValue)
#define MakePtr(cast, ptr, addValue) ((cast)((DWORD)(ptr) + (DWORD)(addValue)))

HMODULE   hmodule;            // module whose IAT is patched (the host EXE)
HINSTANCE hInst;              // this DLL's instance, needed by SetWindowsHookEx
HWND      hWnd;
HHOOK     hHook;
PROC      pOldFunc = NULL;    // holds the original address of the function, for the restore
BOOL      replaced = FALSE;

BOOL InterceptFunctionsInModule(HMODULE baseAddress, LPCSTR pDllName, PROC pNewFunc, LPCSTR pOldFuncName);
BOOL WINAPI MyCreateProcessA(LPCSTR, LPSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD,
                             LPVOID, LPCSTR, LPSTARTUPINFOA, LPPROCESS_INFORMATION);
LRESULT CALLBACK GetMsgProc(int code, WPARAM wParam, LPARAM lParam);

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        hInst = hinstDLL;
        hmodule = GetModuleHandle(NULL);   // the EXE this DLL was just loaded into
        InterceptFunctionsInModule(hmodule, "KERNEL32.dll", (PROC)MyCreateProcessA, "CreateProcessA");
        PostMessage(HWND_BROADCAST, WM_NULL, 0, 0);
        break;
    case DLL_PROCESS_DETACH:
        if (pOldFunc)   // restore only if something was actually patched
            InterceptFunctionsInModule(hmodule, "KERNEL32.dll", pOldFunc, "CreateProcessA");
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    default:
        break;
    }
    return TRUE;
}

// Below is the function that performs the replacement; it works by rewriting the
// module's import table entry (the address the PE loader filled in).
BOOL InterceptFunctionsInModule(HMODULE baseAddress, LPCSTR pDllName, PROC pNewFunc, LPCSTR pOldFuncName)
{
    PIMAGE_DOS_HEADER pDOSHeader = (PIMAGE_DOS_HEADER)baseAddress;
    PIMAGE_NT_HEADERS pNTHeader;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
    PIMAGE_IMPORT_BY_NAME pImportByName;
    DWORD importRVA;

    if (pNewFunc == NULL)
        return FALSE;
    if (IsBadReadPtr(pDOSHeader, sizeof(IMAGE_DOS_HEADER)))
        return FALSE;   // invalid
    if (pDOSHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return FALSE;   // invalid

    pNTHeader = MakePtr(PIMAGE_NT_HEADERS, pDOSHeader, pDOSHeader->e_lfanew);
    if (pNTHeader->Signature != IMAGE_NT_SIGNATURE)
        return FALSE;

    importRVA = pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (importRVA == 0)
        return FALSE;   // no import directory (the earlier "== pNTHeader" test never caught this case)
    pImportDesc = MakePtr(PIMAGE_IMPORT_DESCRIPTOR, baseAddress, importRVA);

    while (pImportDesc->Name)   // the array still has a DLL name; it ends with an all-zero entry
    {
        PSTR szCurrDll = MakePtr(PSTR, baseAddress, pImportDesc->Name);
        // case-insensitive: the linker may have written "KERNEL32.dll" or "kernel32.dll"
        if (lstrcmpi(szCurrDll, pDllName) == 0)
        {
            PIMAGE_THUNK_DATA pThunk, pRunningThunk;
            // OriginalFirstThunk still lists the names; FirstThunk holds the resolved addresses
            pThunk        = MakePtr(PIMAGE_THUNK_DATA, baseAddress, pImportDesc->OriginalFirstThunk);
            pRunningThunk = MakePtr(PIMAGE_THUNK_DATA, baseAddress, pImportDesc->FirstThunk);

            for (; pThunk->u1.Function; pThunk++, pRunningThunk++)
            {
                if (IMAGE_ORDINAL_FLAG32 == (pThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG32))
                    continue;   // imported by ordinal: no name to compare
                pImportByName = MakePtr(PIMAGE_IMPORT_BY_NAME, baseAddress, pThunk->u1.AddressOfData);
                if ('\0' == pImportByName->Name[0])   // was '/0' as posted; the for-loop keeps both thunks advancing
                    continue;
                if (lstrcmp(pOldFuncName, (char *)pImportByName->Name) != 0)
                    continue;

                // found the function
                if (replaced == FALSE)
                {
                    replaced = TRUE;
                    pOldFunc = (PROC)pRunningThunk->u1.Function;   // remember the real address
                }
                if (WriteProcessMemory(GetCurrentProcess(), &pRunningThunk->u1.Function,
                                       &pNewFunc, sizeof(pNewFunc), NULL))
                    return TRUE;
                return FALSE;
            }
        }
        pImportDesc++;
    }
    return FALSE;   // the import is not present in this module
}

AHOOK_API HHOOK InstallHook(HWND hwnd)
{
    hWnd = hwnd;
    // thread id 0 makes this a system-wide hook: Windows loads this DLL into every
    // process that receives messages, and DllMain then patches that process's EXE
    hHook = SetWindowsHookEx(WH_GETMESSAGE, (HOOKPROC)GetMsgProc, hInst, 0);
    return hHook;
}

AHOOK_API void UninstallHook(void)
{
    if (pOldFunc)
        InterceptFunctionsInModule(hmodule, "KERNEL32.dll", pOldFunc, "CreateProcessA");
    UnhookWindowsHookEx(hHook);
}

LRESULT CALLBACK GetMsgProc(int code, WPARAM wParam, LPARAM lParam)
{
    return CallNextHookEx(hHook, code, wParam, lParam);
}

// The replacement: runs instead of CreateProcessA, then forwards to the real one. Only the
// EXE's import table was patched, so this DLL's own call below still reaches kernel32.
BOOL WINAPI MyCreateProcessA(
    LPCSTR lpApplicationName,
    LPSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCSTR lpCurrentDirectory,
    LPSTARTUPINFOA lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation)
{
    MessageBox(NULL, "you can execute this progress", "success", MB_OK);
    return CreateProcessA(lpApplicationName, lpCommandLine, lpProcessAttributes,
                          lpThreadAttributes, bInheritHandles, dwCreationFlags,
                          lpEnvironment, lpCurrentDirectory, lpStartupInfo,
                          lpProcessInformation);
}
</code></pre>
</blockquote>
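<p>The hook posted above patches one module's import address table: it walks the PE import descriptors until it reaches KERNEL32.dll, compares each named thunk against "CreateProcessA", and overwrites the resolved address in the matching IAT slot. The C program below is an added example written for this page, not code from the thread, that performs the same walk on a 32-bit image constructed in memory. The struct layouts are hand-written equivalents of the SDK's IMAGE_* types (so it builds without windows.h), RVAs equal buffer offsets, and the import addresses are made-up stand-ins; all of that is an assumption of the example, labelled in the code. After locating the slot it swaps the entry, and then runs the check a defender can apply to a live module: count IAT entries for a DLL that do not resolve into the address range that DLL is mapped at. It also covers the details the posted code trips on: the DLL-name comparison is case-insensitive, ordinal-only and empty entries are skipped while both thunk arrays keep advancing, and a lookup for a name the module does not import (CreateProcessW here, per the A/W distinction raised earlier in the thread) returns NULL instead of reporting success.</p>

```c
/* Added example, not the poster's code: walk a 32-bit PE import table the way the thread's
 * hook does, find one IAT slot, swap it, then detect the swap. Struct layouts are hand-written
 * equivalents of the Win32 SDK ones (no windows.h needed); the image is built in memory with RVA == offset. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#define IMAGE_DOS_SIGNATURE          0x5A4Du      /* "MZ" */
#define IMAGE_NT_SIGNATURE           0x00004550u  /* "PE\0\0" */
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1
#define IMAGE_ORDINAL_FLAG32         0x80000000u

#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } ImageDosHeader;
typedef struct {
    uint32_t Signature; uint8_t FileHeader[20];   /* IMAGE_FILE_HEADER, unused here */
    uint16_t Magic;                               /* 0x10B for PE32 */
    uint8_t  OptionalPad[94];                     /* rest of IMAGE_OPTIONAL_HEADER32 before the directories */
    struct { uint32_t VirtualAddress, Size; } DataDirectory[16];
} ImageNtHeaders32;
typedef struct { uint32_t OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk; } ImageImportDescriptor;
typedef struct { uint16_t Hint; char Name[]; } ImageImportByName;
#pragma pack(pop)
static void *rva_ptr(uint8_t *base, uint32_t rva) { return base + rva; }

static int name_eq(const char *a, const char *b) {   /* linkers write "KERNEL32.dll" or "kernel32.dll" */
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) a++, b++;
    return *a == *b;
}
/* Validate the headers and return the import descriptor for dll, or NULL. */
static ImageImportDescriptor *find_descriptor(uint8_t *base, const char *dll) {
    ImageDosHeader *dos = (ImageDosHeader *)base;
    if (dos->e_magic != IMAGE_DOS_SIGNATURE) return NULL;
    ImageNtHeaders32 *nt = rva_ptr(base, dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE) return NULL;
    uint32_t import_rva = nt->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (import_rva == 0) return NULL;                      /* module imports nothing */
    ImageImportDescriptor *desc = rva_ptr(base, import_rva);
    for (; desc->Name != 0; desc++)                        /* array ends with an all-zero entry */
        if (name_eq(rva_ptr(base, desc->Name), dll)) return desc;
    return NULL;
}

/* Return the IAT slot holding the resolved address of func imported from dll, or NULL.
 * OriginalFirstThunk (the INT) still lists names after the loader filled FirstThunk (the IAT). */
uint32_t *find_iat_slot(uint8_t *base, const char *dll, const char *func) {
    ImageImportDescriptor *desc = find_descriptor(base, dll); if (desc == NULL) return NULL;
    uint32_t *names = rva_ptr(base, desc->OriginalFirstThunk), *iat = rva_ptr(base, desc->FirstThunk);
    for (size_t i = 0; names[i] != 0; i++) {               /* both tables are zero-terminated */
        if (names[i] & IMAGE_ORDINAL_FLAG32) continue;     /* imported by ordinal: no name */
        ImageImportByName *ibn = rva_ptr(base, names[i]);
        if (ibn->Name[0] != '\0' && strcmp(ibn->Name, func) == 0) return &iat[i];
    }
    return NULL;
}

/* Redirect the import; returns the previous address, or 0 if the import is absent.
 * (In a live process the IAT page is read-only: use WriteProcessMemory or VirtualProtect.) */
uint32_t set_import_target(uint8_t *base, const char *dll, const char *func, uint32_t target) {
    uint32_t *slot = find_iat_slot(base, dll, func), old;
    if (slot == NULL) return 0;
    old = *slot; *slot = target;
    return old;
}

/* Integrity check: count IAT entries of dll resolving outside [lo, hi), the range the DLL
 * is mapped at; a hooked slot points into some other module and gets counted. */
int count_redirected_imports(uint8_t *base, const char *dll, uint32_t lo, uint32_t hi) {
    ImageImportDescriptor *desc = find_descriptor(base, dll); if (desc == NULL) return -1;
    uint32_t *iat = rva_ptr(base, desc->FirstThunk); int n = 0;
    for (size_t i = 0; iat[i] != 0; i++)
        if (iat[i] < lo || iat[i] >= hi) n++;
    return n;
}

/* Constructed sample: an EXE importing CreateProcessA, ExitProcess and one ordinal from
 * KERNEL32.dll; the IAT values are made-up stand-ins for loader-written addresses. Built once. */
static _Alignas(8) uint8_t g_image[0x800];
uint8_t *demo_image(void) {
    static int built;
    if (built) return g_image; built = 1;
    ImageDosHeader *dos = (ImageDosHeader *)g_image; dos->e_magic = IMAGE_DOS_SIGNATURE; dos->e_lfanew = 0x40;
    ImageNtHeaders32 *nt = rva_ptr(g_image, 0x40); nt->Signature = IMAGE_NT_SIGNATURE; nt->Magic = 0x10B;
    nt->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = 0x200;
    ImageImportDescriptor *desc = rva_ptr(g_image, 0x200);  /* the zeroed entry after it terminates */
    desc->Name = 0x300; desc->OriginalFirstThunk = 0x400; desc->FirstThunk = 0x500;
    strcpy(rva_ptr(g_image, 0x300), "KERNEL32.dll");
    uint32_t *names = rva_ptr(g_image, 0x400), *iat = rva_ptr(g_image, 0x500);
    names[0] = 0x600;                      iat[0] = 0x7C801000u;  /* CreateProcessA */
    names[1] = 0x640;                      iat[1] = 0x7C802000u;  /* ExitProcess */
    names[2] = IMAGE_ORDINAL_FLAG32 | 42;  iat[2] = 0x7C803000u;  /* by ordinal */
    strcpy(((ImageImportByName *)rva_ptr(g_image, 0x600))->Name, "CreateProcessA");
    strcpy(((ImageImportByName *)rva_ptr(g_image, 0x640))->Name, "ExitProcess");
    return g_image;
}

int main(void) {   /* stand-alone demo: hook one import, then run the check */
    uint32_t old = set_import_target(demo_image(), "kernel32.dll", "CreateProcessA", 0x00401000u);
    printf("CreateProcessA was 0x%08X; kernel32 imports now redirected: %d\n", (unsigned)old,
           count_redirected_imports(demo_image(), "kernel32.dll", 0x7C800000u, 0x7C900000u));
    return 0;
}
```

<p>Two points the walk makes concrete. First, only the walked module's own table is touched: a call to CreateProcessA issued from inside some other DLL goes through that DLL's import table and is unaffected, which is why a patch limited to the EXE returned by GetModuleHandle(NULL) can miss launches. Second, the same walk that installs a redirect also detects one: on a real process you would take lo and hi from the loaded kernel32 module's base and size, and any kernel32 import whose IAT value lands outside that range has been redirected by something.</p>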
<hr size=1>
<blockquote><p>
Replied by: 风语战士 Reply date: 2002-11-22 08:41:36
<br>Content: Thanks for your attention.<BR>2002-11-22 9:47:48