我正在尝试使用Detours Express(3.0)挂钩GetVolumeInformation,以更改卷序列。
问题是每次调用该挂钩函数时,它都会返回一个随机的卷序列。
#include <fstream>
#include <string>
#include <windows.h>
#include <detours.h>
#include <fcntl.h>
#include <stdio.h>
#include <io.h>
#pragma comment(lib,"detours.lib")
#pragma comment(lib,"ws2_32.lib")
std::string rcvBuf;
HANDLE CreateConsole();
HANDLE CreateConsole()
{
int hConHandle = 0;
HANDLE lStdHandle = 0;
FILE *fp = 0;
// Allocate a console
AllocConsole();
// redirect unbuffered STDOUT to the console
lStdHandle = GetStdHandle(STD_OUTPUT_HANDLE);
hConHandle = _open_osfhandle(PtrToUlong(lStdHandle), _O_TEXT);
fp = _fdopen(hConHandle, "w");
*stdout = *fp;
setvbuf(stdout, NULL, _IONBF, 0);
return lStdHandle;
}
HMODULE hLib = GetModuleHandle("Kernel32.dll");
typedef BOOL (WINAPI *HWIDPtr)(LPCTSTR lpRootPathName, LPTSTR lpVolumeNameBuffer, DWORD nVolumeNameSize, LPDWORD &lpVolumeSerialNumber, LPDWORD lpMaximumComponentLength, LPDWORD lpFileSystemFlags, LPTSTR lpFileSystemNameBuffer, DWORD nFileSystemNameSize);
HWIDPtr pHWID = (HWIDPtr)GetProcAddress(hLib, "GetVolumeInformationW");
BOOL WINAPI MyHWID(LPCTSTR lpRootPathName, LPTSTR lpVolumeNameBuffer, DWORD nVolumeNameSize, LPDWORD lpVolumeSerialNumber, LPDWORD lpMaximumComponentLength, LPDWORD lpFileSystemFlags, LPTSTR lpFileSystemNameBuffer, DWORD nFileSystemNameSize)
{
printf( ("Real : %u"),&lpVolumeSerialNumber);
return pHWID(lpRootPathName, lpVolumeNameBuffer, nVolumeNameSize, lpVolumeSerialNumber, lpMaximumComponentLength, lpFileSystemFlags, lpFileSystemNameBuffer, nFileSystemNameSize);
}
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD dwReason, LPVOID reserved)
{
if (DetourIsHelperProcess()) {
return TRUE;
}
if (dwReason == DLL_PROCESS_ATTACH) {
CreateConsole();
DetourRestoreAfterWith();
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourAttach(&(PVOID&)pHWID, MyHWID);
if(DetourTransactionCommit() == NO_ERROR)
printf("Attached successfuly!@");
}
else if (dwReason == DLL_PROCESS_DETACH) {
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourDetach(&(PVOID&)pHWID, MyHWID);
DetourTransactionCommit();
}
return TRUE;
}
任何建议将不胜感激。
最佳答案
如果您指的是钩子函数内部的printf()调用会输出随机垃圾的事实-这是很合理的,因为lpVolumeSerialNumber是一个out参数,因此在原始函数调用之前它可能(而且很可能会)包含垃圾。 。如果要查看原始函数返回的值,则应按以下方式重写钩子函数:
BOOL WINAPI MyHWID(LPCTSTR lpRootPathName, LPTSTR lpVolumeNameBuffer, DWORD nVolumeNameSize, LPDWORD lpVolumeSerialNumber, LPDWORD lpMaximumComponentLength, LPDWORD lpFileSystemFlags, LPTSTR lpFileSystemNameBuffer, DWORD nFileSystemNameSize)
{
BOOL retval = pHWID(lpRootPathName, lpVolumeNameBuffer, nVolumeNameSize, lpVolumeSerialNumber, lpMaximumComponentLength, lpFileSystemFlags, lpFileSystemNameBuffer, nFileSystemNameSize);
printf( ("Real : %u"), *lpVolumeSerialNumber);
return retval;
}
请注意,我也将“&”更改为“ *”-如果要取消引用指针而不是获取其地址,则应使用此方法。
希望这可以帮助
关于c++ - 弯路钩:GetVolumeInformation随机卷序列号,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/32173938/