win32下用Detours来Hook API 系统蓝屏的问题?

nanfei01055 2008-09-01 11:05:11
我用微软的Detours写了个win32下HookApi的DLL,注入当前所有管理员进程后,经常蓝屏.
后来经过好多天观察,大概是这样的.一般一个进程有时会发生异常,如"某某内存不能为Read",然后程序崩溃.但对系统没有多大影响,最多只是一个进程的问题,但我的HookApi.dll注入后,一旦有这种情况发生,直接系统就蓝屏,而且也不会弹出"某某内存不能为Read"的提示,不知道是哪些原因会引起的.敬请各位前来讨论?希望能对小弟有所帮助.
nanfei01055 2008-09-02
我还曾经写过日志文件,一般前几千条记录都是正常的,蓝屏前一段时间的日志全是乱码,我是给每一个进程写了一个日志文件的.上面的代码我除去了写日志部分,因为我觉得日志没多大用处.
nanfei01055 2008-09-02
Ghost到最初系统,依然蓝屏,有没有人能帮我啊?
nanfei01055 2008-09-02
以下是主要代码,各位麻烦了,看有没有问题,如果真找不出毛病,可能是中毒了

#include "stdafx.h"
#include <stdio.h>
#include <string.h>
#include <atlbase.h>
#include "HookApi.h"
#include "detours.h" //the main API header of detours
#pragma comment(lib,"detours.lib")
#include "ApiInfo.h"
#include "psapi.h"
#pragma comment(lib,"psapi.lib")

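// Ask the controller process whether this API call may proceed.
// Returns 0 to allow the call and 1 to block it.
//
// Transport: the ApiInfo record is shipped as raw bytes over WM_COPYDATA to a
// window found by title. Two properties a reviewer should keep in mind:
//  - The lookup is not authenticated: whichever process owns a top-level
//    window with that title on the hooked thread's desktop answers the query,
//    and when no such window exists the call is allowed (fail-open), e.g. in
//    services or other sessions where the controller window is not visible.
//  - SendMessage blocks the hooked thread until the controller's window
//    thread has handled the message; a hooked thread that holds a lock the
//    controller also needs (the loader lock, for instance) will deadlock.
//
// catch(...) only catches C++ exceptions; Win32 structured exceptions such as
// access violations are not caught unless the file is compiled with /EHa.
int getResult(LPCSTR ApiName,LPCSTR ApiParams)
{
try
{
    HWND DesHwnd = FindWindow(NULL, "我的窗口名称");
    if (!DesHwnd) return 0;   // controller absent: allow

    // Zero the whole record first: it is copied to another process as
    // sizeof(ApiInfo) raw bytes, so uninitialised padding and the unused tail
    // of the string fields would otherwise leak this thread's stack contents.
    // (memset is valid only while ApiInfo stays a plain byte record, which the
    // raw-bytes transport already assumes.)
    ApiInfo mApiInfo;
    memset(&mApiInfo, 0, sizeof mApiInfo);
    // NULL is undefined for %s; substitute an empty string.
    // The precisions assume ApiInfo::ApiName holds 50 chars and
    // ApiInfo::Params 2000 — confirm against ApiInfo.h.
    sprintf(mApiInfo.ApiName, "%.49s", ApiName ? ApiName : "");
    sprintf(mApiInfo.Params, "%.1999s", ApiParams ? ApiParams : "");
    mApiInfo.TargetPid = GetCurrentProcessId();

    COPYDATASTRUCT cpd;
    cpd.dwData = 0;
    cpd.cbData = sizeof(ApiInfo);
    cpd.lpData = &mApiInfo;
    // A non-zero reply means the controller blocked the operation.
    if (SendMessage(DesHwnd, WM_COPYDATA, (WPARAM)4325, (LPARAM)&cpd) != 0)
    {
        return 1;
    }
    return 0;
}
catch (...)
{
    return 0;   // best-effort: any C++ exception in the policy path allows the call
}
}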

//hook OpenProcess
// Detours trampoline for OpenProcess: once DetourFunctionWithTrampoline has
// been applied in DllMain, CopyOpenProcess calls the original (unhooked)
// OpenProcess, while calls to OpenProcess itself land in MyOpenProcess below.
HANDLE WINAPI CopyOpenProcess(DWORD dwDesiredAccess,BOOL bInheritHandle,DWORD dwProcessId);
DETOUR_TRAMPOLINE(HANDLE WINAPI CopyOpenProcess(DWORD dwDesiredAccess,BOOL bInheritHandle,DWORD dwProcessId), OpenProcess);
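// Replacement for OpenProcess: asks the controller first and either refuses
// the handle or forwards the call to the original through the trampoline.
//
// Returns NULL with the last error set to ERROR_ACCESS_DENIED when the
// controller blocks the call (previously GetLastError() was left stale, so a
// caller inspecting it saw an unrelated error code).
// catch(...) only covers C++ exceptions; an access violation inside the hook
// is not caught unless the file is compiled with /EHa.
HANDLE WINAPI MyOpenProcess(DWORD dwDesiredAccess,BOOL bInheritHandle,DWORD dwProcessId)
{
try
{
    char mApiParams[2000];
    // Wire format kept as before (decimal, signed) so the controller's parser
    // is unaffected; note an access mask with the top bit set prints negative.
    sprintf(mApiParams, "%d\n%d\n%d",
            (int)dwDesiredAccess, (int)bInheritHandle, (int)dwProcessId);
    if (getResult("OpenProcess", mApiParams) == 1)
    {
        SetLastError(ERROR_ACCESS_DENIED);
        return NULL;
    }
    return CopyOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId); // original
}
catch (...)
{
    // Any C++ exception in the policy path degrades to the unhooked behaviour.
    return CopyOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
}
}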
//hook CreateProcessA
//copy the origin function
// Detours trampoline for CreateProcessA: after DllMain installs the detour,
// CopyCreateProcessA is the callable original and MyCreateProcessA receives
// every CreateProcessA call made by this process.
DETOUR_TRAMPOLINE(BOOL WINAPI CopyCreateProcessA(LPCSTR lpApplicationName,
LPSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCSTR lpCurrentDirectory,
LPSTARTUPINFOA lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation),CreateProcessA);

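// Replacement for CreateProcessA. Asks the controller before creating the
// process, then reports the new PID back with a second "CreatedProcess" query.
//
// Fixes relative to the previous version:
//  - lpApplicationName or lpCommandLine may be NULL (CreateProcess allows
//    either to be absent); NULL is undefined for %s, so "" is substituted.
//  - lpProcessInformation is only filled in when creation succeeded, so the
//    PID report is skipped on failure instead of reading uninitialised memory.
//  - The PID buffer was 10 bytes; "%d" of a DWORD can need up to 12.
//  - A blocked call sets ERROR_ACCESS_DENIED so callers see a reason.
// catch(...) only covers C++ exceptions (not access violations) unless the
// file is compiled with /EHa.
BOOL WINAPI MyCreateProcessA(LPCSTR lpApplicationName,
LPSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCSTR lpCurrentDirectory,
LPSTARTUPINFOA lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation)
{
try
{
    char mApiParams[2000];
    sprintf(mApiParams, "%.260s\n%.530s",
            lpApplicationName ? lpApplicationName : "",
            lpCommandLine ? lpCommandLine : "");
    if (getResult("CreateProcess", mApiParams) == 1)
    {
        SetLastError(ERROR_ACCESS_DENIED);
        return FALSE;
    }

    BOOL nReturn = CopyCreateProcessA(lpApplicationName,
                                      lpCommandLine,
                                      lpProcessAttributes,
                                      lpThreadAttributes,
                                      bInheritHandles,
                                      dwCreationFlags,
                                      lpEnvironment,
                                      lpCurrentDirectory,
                                      lpStartupInfo,
                                      lpProcessInformation);
    // Report the new process ID back to the controller; the structure is
    // only valid when creation succeeded.
    if (nReturn && lpProcessInformation)
    {
        char id[16];
        sprintf(id, "%d", (int)lpProcessInformation->dwProcessId);
        getResult("CreatedProcess", id);
    }
    return nReturn;
}
catch (...)
{
    // Any C++ exception in the policy path degrades to the unhooked behaviour.
    return CopyCreateProcessA(lpApplicationName,
                              lpCommandLine,
                              lpProcessAttributes,
                              lpThreadAttributes,
                              bInheritHandles,
                              dwCreationFlags,
                              lpEnvironment,
                              lpCurrentDirectory,
                              lpStartupInfo,
                              lpProcessInformation);
}
}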
//hook CreateProcessW
// Detours trampoline for CreateProcessW: after DllMain installs the detour,
// CopyCreateProcessW is the callable original and MyCreateProcessW receives
// every CreateProcessW call made by this process.
DETOUR_TRAMPOLINE(BOOL WINAPI CopyCreateProcessW(
LPCWSTR lpApplicationName,
LPWSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCWSTR lpCurrentDirectory,
LPSTARTUPINFOW lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation),CreateProcessW);
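// Replacement for CreateProcessW. Mirrors MyCreateProcessA: the wide strings
// are narrowed with ATL's W2A for the controller query, the controller is
// asked first, and the new PID is reported back after a successful creation.
//
// Fixes relative to the previous version:
//  - lpApplicationName or lpCommandLine may be NULL; W2A(NULL) yields NULL,
//    which is undefined for %s, so "" is substituted.
//  - lpProcessInformation is only filled in when creation succeeded, so the
//    PID report is skipped on failure instead of reading uninitialised memory.
//  - The PID buffer was 10 bytes; "%d" of a DWORD can need up to 12.
//  - A blocked call sets ERROR_ACCESS_DENIED so callers see a reason.
// W2A converts on the stack (ATL uses _alloca); a very long command line
// therefore consumes a comparable amount of the hooked thread's stack.
// catch(...) only covers C++ exceptions (not access violations) unless the
// file is compiled with /EHa.
BOOL WINAPI MyCreateProcessW(
LPCWSTR lpApplicationName,
LPWSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCWSTR lpCurrentDirectory,
LPSTARTUPINFOW lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation)
{
try
{
    USES_CONVERSION;   // required by ATL's W2A
    char mApiParams[2000];
    sprintf(mApiParams, "%.260s\n%.530s",
            lpApplicationName ? W2A(lpApplicationName) : "",
            lpCommandLine ? W2A(lpCommandLine) : "");
    if (getResult("CreateProcess", mApiParams) == 1)
    {
        SetLastError(ERROR_ACCESS_DENIED);
        return FALSE;
    }

    BOOL nReturn = CopyCreateProcessW(lpApplicationName,
                                      lpCommandLine,
                                      lpProcessAttributes,
                                      lpThreadAttributes,
                                      bInheritHandles,
                                      dwCreationFlags,
                                      lpEnvironment,
                                      lpCurrentDirectory,
                                      lpStartupInfo,
                                      lpProcessInformation);
    // Report the new process ID back to the controller; the structure is
    // only valid when creation succeeded.
    if (nReturn && lpProcessInformation)
    {
        char id[16];
        sprintf(id, "%d", (int)lpProcessInformation->dwProcessId);
        getResult("CreatedProcess", id);
    }
    return nReturn;
}
catch (...)
{
    // Any C++ exception in the policy path degrades to the unhooked behaviour.
    return CopyCreateProcessW(lpApplicationName,
                              lpCommandLine,
                              lpProcessAttributes,
                              lpThreadAttributes,
                              bInheritHandles,
                              dwCreationFlags,
                              lpEnvironment,
                              lpCurrentDirectory,
                              lpStartupInfo,
                              lpProcessInformation);
}
}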


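// Installs the three detours when the DLL is loaded into a process and
// removes them when it is unloaded.
//
// Each DetourFunctionWithTrampoline result is checked: if a hook fails to
// install, the ones already in place are removed and FALSE is returned so the
// loader unloads the DLL instead of leaving a half-hooked process (previously
// the results were ignored and a later DetourRemoveWithTrampoline would run
// against a hook that was never applied).
//
// Everything in this file runs in user mode; on its own it cannot trigger a
// bug check. A blue screen while it is loaded points at a kernel-mode
// component reacting to the patched user-mode code — as the replies below
// suggest — rather than at this DLL directly.
BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        if (!DetourFunctionWithTrampoline((PBYTE)CopyOpenProcess, (PBYTE)MyOpenProcess))
        {
            return FALSE;
        }
        if (!DetourFunctionWithTrampoline((PBYTE)CopyCreateProcessA, (PBYTE)MyCreateProcessA))
        {
            DetourRemoveWithTrampoline((PBYTE)CopyOpenProcess, (PBYTE)MyOpenProcess);
            return FALSE;
        }
        if (!DetourFunctionWithTrampoline((PBYTE)CopyCreateProcessW, (PBYTE)MyCreateProcessW))
        {
            DetourRemoveWithTrampoline((PBYTE)CopyCreateProcessA, (PBYTE)MyCreateProcessA);
            DetourRemoveWithTrampoline((PBYTE)CopyOpenProcess, (PBYTE)MyOpenProcess);
            return FALSE;
        }
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        // lpReserved is non-NULL when the process is terminating and NULL on
        // FreeLibrary. The detours are removed in both cases so that an
        // unloaded image never leaves OpenProcess/CreateProcess jumping into
        // unmapped memory. Note that a thread still executing inside one of
        // the My* hooks at this point would crash regardless — the code does
        // not wait for in-flight calls to drain.
        DetourRemoveWithTrampoline((PBYTE)CopyOpenProcess, (PBYTE)MyOpenProcess);
        DetourRemoveWithTrampoline((PBYTE)CopyCreateProcessA, (PBYTE)MyCreateProcessA);
        DetourRemoveWithTrampoline((PBYTE)CopyCreateProcessW, (PBYTE)MyCreateProcessW);
        break;
    default:
        break;
    }
    return TRUE;
}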
龙凤呈祥焱 2008-09-01
有点夸张,用户层程序应该很难引起蓝屏.
不过没用过Detours.
greatws 2008-09-01
ring3蓝屏的可能性很小
有可能中了ring0的病毒,并且你的hook和病毒ring3下的函数冲突,导致ring0下的驱动程序运行错误,造成蓝屏
awperpvip 2008-09-01
用了,没蓝过屏~
nooning 2008-09-01
很可能是你的硬件问题,用检查工具检查内存
nooning 2008-09-01
ring3真的没碰到过蓝屏,只碰到一次死锁 和COW有关,不知道你的蓝是不是也是这个原因
