c++ - Detours 3.0 钩子(Hook) GetProcAddresss()

Question

我正在使用:

微软 VS 10

Detours v3.0 Express

完整的源代码DLL:

#include <windows.h>
#include <detours.h>
ofstream prclist ;
#pragma comment(lib,"detours.lib")
FARPROC (WINAPI * pGetProcAddress)(HMODULE hModule,LPCSTR lpProcName) = GetProcAddress;
FARPROC WINAPI  myGetProcAddress(HMODULE hModule,LPCSTR lpProcName);
FARPROC WINAPI  myGetProcAddress(HMODULE hModule,LPCSTR lpProcName)
{
    prclist << lpProcName << endl; // <- ACCESS_VIOLATION READ
    return pGetProcAddress( hModule, lpProcName);
}

BOOL APIENTRY DllMain(HINSTANCE hDLL, DWORD reason, LPVOID reserved)
{

switch(reason)
    {
        case DLL_PROCESS_ATTACH:
        {
            prclist.open("proclst.log",ios::out | ios::app );
            DisableThreadLibraryCalls(hDLL);
            DetourTransactionBegin();
            DetourUpdateThread(GetCurrentThread());
            DetourAttach(&(PVOID&)pGetProcAddress, myGetProcAddress);
            DetourTransactionCommit();
            break;
        }
        case DLL_PROCESS_DETACH:
        {
            prclist.close();
            DetourTransactionBegin();
            DetourUpdateThread(GetCurrentThread());
            DetourDetach(&(PVOID&)pGetProcAddress, myGetProcAddress);
            DetourTransactionCommit();
            break;
        }
   }
        return TRUE;
}

我尝试查看 GetProcAddress 接收的函数列表。但启动后，程序关闭并报错:“ACCESS_VIOLATION, UNABLE_TO_READ”

有人可以提示如何修复它吗？

Answer 1

来自 GetProcAddress() lpProcName 的引用页:

The function or variable name, or the function's ordinal value. If this parameter is an ordinal value, it must be in the low-order word; the high-order word must be zero.

这意味着它可能不是指向字符串的指针，但替换函数总是这样对待它。这是访问冲突的可能原因，因为它将使用整数值(例如 182)作为空终止字符串的起始内存地址。

使用HIWORD()更正:

if (HIWORD(lpProcName))
{
    prclist << "name: " << lpProcName << std::endl;
}
else
{
    prclist << "ordinal: " << reinterpret_cast<DWORD>(lpProcName) << std::endl;
}