问题描述
如何拦截dll方法调用?
How to intercept dll method calls?
- 可用的技术有哪些?
- 只能在C / C ++中完成?
- 如何拦截所有运行进程的方法调用到给定的dll?
- 方法调用从给定的进程到给定的dll?
- What are the techniques available for it?
- Can it be done only in C/C++?
- How to intercept method calls from all running processes to a given dll?
- How to intercept method calls from a given processes to a given dll?
推荐答案
有两种标准方式可以想到这样做
There are two standard ways I can think of for doing this
-
DLL导入表钩。
为此,您需要解析PE头的DLL,找到导入表并写自己的函数的地址,而不是已经写在那里。您可以保存原始功能的地址,以便稍后调用。此的外部链接中的引用应为您提供所需的所有信息这样做。
DLL import table hook.
For this you need to parse the PE Header of the DLL, find the import table and write the address of your own function instead of what is already written there. You can save the address of the original function to be able to call it later. The references in the external links of this wikipedia article should give you all the information you need to be able to do this.
直接修改代码。找到要钩住的函数的实际代码,并修改其第一个操作码以跳转到您自己的代码。您需要保存那里的操作码,以便最终执行。这比它听起来更简单,因为它已经通过。
这是一个非常整洁的事情。只需几行代码即可将所有调用GetSystemMetrics()从outlook.exe中取消,并观察发生的奇迹。
Direct modification of the code. Find the actual code of the function you want to hook and modify the first opcodes of it to jump to your own code. you need to save the opcode which were there so they will eventually get executed. This is simpler than it sounds mostly because it was already implement by no less than Microsoft themselves in the form of the Detours library.
This is a really neat thing to do. with just a couple of lines of code you can for instance replace all calls to GetSystemMetrics() from say outlook.exe and watch the wonders that occur.
一种方法的优点是另一种方法的缺点。第一种方法允许您将一个外科钩子完全添加到您想要的DLL中,其他所有其他DLL都通过未挂钩。第二种方法允许你最全局的钩子拦截所有的调用做这个功能。
The advantages of one method are the disadvantages of the other. The first method allows you to add a surgical hook exactly to DLL you want where all other DLLs go by unhooked. The second method allows you the most global kind of hook to intercept all calls do the function.
这篇关于如何拦截dll方法调用?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!