本文介绍了尝试挂钩“TerminateProcess"时出错功能.目标进程崩溃.谁能帮我?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

使用 Visual Studio 2005 进行调试时显示以下错误:

Debugging with visual studio 2005 The following Error Displayed :

procexp.exe 中 0x00000000 处未处理的异常:0xC0000005:访问违规读取位置 0x00000000.

和线程信息:

2704 Win32 线程 00000000 正常 0

extern "C" VDLL2_API BOOL WINAPI MyTerminateProcess(HANDLE hProcess,UINT uExitCode)
{
     SetLastError(5);
     return FALSE;
}

FARPROC HookFunction(char *UserDll,FARPROC pfn,FARPROC HookFunc) 

{
    DWORD dwSizeofExportTable=0;
    DWORD dwRelativeVirtualAddress=0;
    HMODULE hm=GetModuleHandle(NULL);
    FARPROC pfnOriginalAddressToReturn;
    PIMAGE_DOS_HEADER pim=(PIMAGE_DOS_HEADER)hm;
    PIMAGE_NT_HEADERS pimnt=(PIMAGE_NT_HEADERS)((DWORD)pim + 
(DWORD)pim->e_lfanew); 
    PIMAGE_DATA_DIRECTORY 
pimdata=(PIMAGE_DATA_DIRECTORY)&(pimnt->OptionalHeader.DataDirectory);

    PIMAGE_OPTIONAL_HEADER pot=&(pimnt->OptionalHeader);
    PIMAGE_DATA_DIRECTORY 
pim2=(PIMAGE_DATA_DIRECTORY)((DWORD)pot+(DWORD)104);
    dwSizeofExportTable=pim2->Size;
    dwRelativeVirtualAddress=pim2->VirtualAddress;
    char *ascstr;
    PIMAGE_IMPORT_DESCRIPTOR 
pimexp=(PIMAGE_IMPORT_DESCRIPTOR)(pim2->VirtualAddress + (DWORD)pim);
    while(pimexp->Name)
    {
        ascstr=(char *)((DWORD)pim + (DWORD)pimexp->Name);
        if(strcmpi(ascstr,UserDll) == 0)
        {
            break;
        }
        pimexp++;
    }
    PIMAGE_THUNK_DATA 
pname=(PIMAGE_THUNK_DATA)((DWORD)pim+(DWORD)pimexp->FirstThunk);
    LPDWORD lpdw=&(pname->u1.Function);
    DWORD dwError=0;
    DWORD OldProtect=0;
    while(pname->u1.Function)
    {
        if((DWORD)pname->u1.Function == (DWORD)pfn)
        {
            lpdw=&(pname->u1.Function);

VirtualProtect((LPVOID)lpdw,sizeof(DWORD),PAGE_READWRITE,&OldProtect);


            pname->u1.Function=(DWORD)HookFunc;

VirtualProtect((LPVOID)lpdw,sizeof(DWORD),PAGE_READONLY,&OldProtect);

            return pfn;
        }
        pname++;

    }
    return (FARPROC)0;
}


FARPROC CallHook(void) 
{
        HMODULE hm=GetModuleHandle(TEXT("Kernel32.dll"));
    FARPROC fp=GetProcAddress(hm,"TerminateProcess");
    HMODULE hm2=GetModuleHandle(TEXT("vdll2.dll"));
    FARPROC fpHook=GetProcAddress(hm2,"MyTerminateProcess");

    dwAddOfTerminateProcess=HookFunction("Kernel32.dll",fp,fpHook);
    if(dwAddOfTerminateProcess == 0)
    {
        MessageBox(NULL,TEXT("Unable TO Hook Function."),TEXT("Parth"),MB_OK);
    }
    else
    {
        MessageBox(NULL,TEXT("Success Hooked."),TEXT("Parth"),MB_OK);
    }
    return 0;
}

在此先感谢您的帮助.

004118AC mov esi,esp
004118AE 推0
004118B0 mov eax,dword ptr [hProc]
004118B3 推eax
004118B4 调用双字 ptr[__imp__TerminateProcess@8(4181E4h)]
004118BA cmp esi,esp

004118AC mov esi,esp
004118AE push 0
004118B0 mov eax,dword ptr [hProc]
004118B3 push eax
004118B4 call dword ptr[__imp__TerminateProcess@8(4181E4h)]
004118BA cmp esi,esp

esi 返回零.为什么 ?

推荐答案

VDLL2_API 的定义是什么?它可能会干扰调用约定(这意味着此函数的 WINAPI,因为您稍后在同一行上编写它).

What is VDLL2_API defined as? It may be interfering with the calling convention (which is meant to be WINAPI for this function, as you write it later on the same line).

退出时的堆栈问题(ESI、ESP)通常表明您混淆了调用约定.您似乎在其他任何地方都始终使用 FARPROC,但由于您知道该函数的确切原型,请尝试使用 typedef-ing 作为要使用的类型:

Stack problems on exit (ESI, ESP) usually indicate that you have your calling conventions mixed up. You appear to have used FARPROC consistently everywhere else, but since you know the exact prototype of the function, try typedef-ing that as the type to use instead:

typedef BOOL (WINAPI *TERMINATEPROCESS_PROC)(HANDLE, UINT); 

现在到处使用 TERMINATEPROCESS_PROC 而不是 FARPROC.

Now use TERMINATEPROCESS_PROC everywhere instead of FARPROC.

这篇关于尝试挂钩“TerminateProcess"时出错功能.目标进程崩溃.谁能帮我?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

10-25 03:01