1.5w+
社区成员
使用Detours截获CoGetClassObjectFromURL失败的问题
我用用Detours截获CoGetClassObjectFromURL函数,想在IE安装插件截获并先做一些处理,
但是知道插件安装完毕,都没有截获到。
我自己做了Detours的DLL,代码如下:
#include "stdafx.h"
#include "HtHook.h"
#include "detours.h"
#include "BindCBHttpCallback.h"
HMODULE g_hDll = NULL;
HHOOK g_hHook = NULL;
#pragma comment(lib, "detours.lib")
#pragma comment(lib, "urlmon.lib")
typedef HRESULT (WINAPI *MY_FakeCoGetClassObjectFromURL)( REFCLSID rCLASSID,
LPCWSTR szCODE, DWORD dwFileVersionMS,
DWORD dwFileVersionLS, LPCWSTR szTYPE,
LPBINDCTX pBindCtx, DWORD dwClsContext,
LPVOID pvReserved, REFIID riid, LPVOID * ppv);
MY_FakeCoGetClassObjectFromURL s_pFakeCoGetClassObjectFromURL = NULL;
MY_FakeCoGetClassObjectFromURL s_pReal_FakeCoGetClassObjectFromURL = NULL;
HRESULT WINAPI Replace_FakeCoGetClassObjectFromURL( REFCLSID rCLASSID,
LPCWSTR szCODE, DWORD dwFileVersionMS,
DWORD dwFileVersionLS, LPCWSTR szTYPE,
LPBINDCTX pBindCtx, DWORD dwClsContext,
LPVOID pvReserved, REFIID riid, LPVOID * ppv)
{
MessageBox(NULL,"run into Replace_FakeCoGetClassObjectFromURL",NULL,MB_OK);
int ret = 0;
HRESULT hr;
CBindCBHttpCallback *httpcallback =NULL;
if(httpcallback==NULL)
httpcallback = new CBindCBHttpCallback();
MessageBox(NULL,"after new CBindCBHttpCallback()",NULL,MB_OK);
IBindStatusCallback *pPre = NULL;
hr = RegisterBindStatusCallback(pBindCtx, httpcallback, &pPre, 0);
MessageBox(NULL,"after RegisterBindStatusCallback",NULL,MB_OK);
if (SUCCEEDED(hr))
httpcallback->SetPreInterface(pPre);
MessageBox(NULL,"after httpcallback->SetPreInterface",NULL,MB_OK);
hr = s_pReal_FakeCoGetClassObjectFromURL(
rCLASSID, szCODE, dwFileVersionMS, dwFileVersionLS, szTYPE, pBindCtx, //(LPBINDCTX)callback,
dwClsContext, pvReserved, riid, ppv);
if (S_OK == hr)
{
// 下载完毕通知
MessageBox(NULL, "下载完毕", "Replace_FakeCoGetClassObjectFromURL", MB_OK);
}
return hr;
}
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
g_hDll = (HMODULE)hModule;
s_pFakeCoGetClassObjectFromURL
= ((MY_FakeCoGetClassObjectFromURL)
DetourFindFunction("UrlMon.dll", "CoGetClassObjectFromURL"));
if (!s_pFakeCoGetClassObjectFromURL)
{
MessageBox(NULL,"DetourFindFunction失败",NULL,MB_OK);
}
s_pReal_FakeCoGetClassObjectFromURL
= (MY_FakeCoGetClassObjectFromURL)DetourFunction((PBYTE)s_pFakeCoGetClassObjectFromURL,
(PBYTE)Replace_FakeCoGetClassObjectFromURL);
MessageBox(NULL,"设置Detours完毕",NULL,MB_OK);
break;
case DLL_THREAD_ATTACH:
if(s_pReal_FakeCoGetClassObjectFromURL)
DetourRemove((PBYTE)s_pReal_FakeCoGetClassObjectFromURL,(PBYTE)Replace_FakeCoGetClassObjectFromURL);
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
LRESULT CALLBACK MyShellProc (int nCode, WPARAM wParam, LPARAM lParam)
{
return 0;
}
bool InstallHook(BOOL bInstall)
{
return true;
}
void UninstallHook()
{
}
我然后做了BHO程序,在BHO程序的DllMain里加载Detours的DLL,代码如下,
BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID /*lpReserved*/)
{
if (dwReason == DLL_PROCESS_ATTACH)
{
TCHAR pszLoader[MAX_PATH];
GetModuleFileName(NULL, pszLoader, MAX_PATH);
_tcslwr(pszLoader);
if (_tcsstr(pszLoader, _T("explorer.exe")))
return FALSE;
hDllHook = LoadLibrary("HtHook.dll");
if (!hDllHook)
{
MessageBox(NULL,"加载HtHook.dll失败",NULL,MB_OK);
return FALSE;
}
MessageBox(NULL,"加载HtHook.dll成功",NULL,MB_OK);
INSTALLHOOK dllInstallHook = (INSTALLHOOK)GetProcAddress(hDllHook, "InstallHook");
if (!dllInstallHook)
{
MessageBox(NULL,"寻址失败",NULL,MB_OK);
return FALSE;
}
dllInstallHook();
_Module.Init(ObjectMap, hInstance, &LIBID_GETOCXLib);
DisableThreadLibraryCalls(hInstance);
}
大家给看看是怎么回事?
但是知道插件安装完毕,都没有截获到。
我自己做了Detours的DLL,代码如下:
#include "stdafx.h"
#include "HtHook.h"
#include "detours.h"
#include "BindCBHttpCallback.h"
HMODULE g_hDll = NULL;
HHOOK g_hHook = NULL;
#pragma comment(lib, "detours.lib")
#pragma comment(lib, "urlmon.lib")
typedef HRESULT (WINAPI *MY_FakeCoGetClassObjectFromURL)( REFCLSID rCLASSID,
LPCWSTR szCODE, DWORD dwFileVersionMS,
DWORD dwFileVersionLS, LPCWSTR szTYPE,
LPBINDCTX pBindCtx, DWORD dwClsContext,
LPVOID pvReserved, REFIID riid, LPVOID * ppv);
MY_FakeCoGetClassObjectFromURL s_pFakeCoGetClassObjectFromURL = NULL;
MY_FakeCoGetClassObjectFromURL s_pReal_FakeCoGetClassObjectFromURL = NULL;
HRESULT WINAPI Replace_FakeCoGetClassObjectFromURL( REFCLSID rCLASSID,
LPCWSTR szCODE, DWORD dwFileVersionMS,
DWORD dwFileVersionLS, LPCWSTR szTYPE,
LPBINDCTX pBindCtx, DWORD dwClsContext,
LPVOID pvReserved, REFIID riid, LPVOID * ppv)
{
MessageBox(NULL,"run into Replace_FakeCoGetClassObjectFromURL",NULL,MB_OK);
int ret = 0;
HRESULT hr;
CBindCBHttpCallback *httpcallback =NULL;
if(httpcallback==NULL)
httpcallback = new CBindCBHttpCallback();
MessageBox(NULL,"after new CBindCBHttpCallback()",NULL,MB_OK);
IBindStatusCallback *pPre = NULL;
hr = RegisterBindStatusCallback(pBindCtx, httpcallback, &pPre, 0);
MessageBox(NULL,"after RegisterBindStatusCallback",NULL,MB_OK);
if (SUCCEEDED(hr))
httpcallback->SetPreInterface(pPre);
MessageBox(NULL,"after httpcallback->SetPreInterface",NULL,MB_OK);
hr = s_pReal_FakeCoGetClassObjectFromURL(
rCLASSID, szCODE, dwFileVersionMS, dwFileVersionLS, szTYPE, pBindCtx, //(LPBINDCTX)callback,
dwClsContext, pvReserved, riid, ppv);
if (S_OK == hr)
{
// 下载完毕通知
MessageBox(NULL, "下载完毕", "Replace_FakeCoGetClassObjectFromURL", MB_OK);
}
return hr;
}
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
g_hDll = (HMODULE)hModule;
s_pFakeCoGetClassObjectFromURL
= ((MY_FakeCoGetClassObjectFromURL)
DetourFindFunction("UrlMon.dll", "CoGetClassObjectFromURL"));
if (!s_pFakeCoGetClassObjectFromURL)
{
MessageBox(NULL,"DetourFindFunction失败",NULL,MB_OK);
}
s_pReal_FakeCoGetClassObjectFromURL
= (MY_FakeCoGetClassObjectFromURL)DetourFunction((PBYTE)s_pFakeCoGetClassObjectFromURL,
(PBYTE)Replace_FakeCoGetClassObjectFromURL);
MessageBox(NULL,"设置Detours完毕",NULL,MB_OK);
break;
case DLL_THREAD_ATTACH:
if(s_pReal_FakeCoGetClassObjectFromURL)
DetourRemove((PBYTE)s_pReal_FakeCoGetClassObjectFromURL,(PBYTE)Replace_FakeCoGetClassObjectFromURL);
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
LRESULT CALLBACK MyShellProc (int nCode, WPARAM wParam, LPARAM lParam)
{
return 0;
}
bool InstallHook(BOOL bInstall)
{
return true;
}
void UninstallHook()
{
}
我然后做了BHO程序,在BHO程序的DllMain里加载Detours的DLL,代码如下,
BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID /*lpReserved*/)
{
if (dwReason == DLL_PROCESS_ATTACH)
{
TCHAR pszLoader[MAX_PATH];
GetModuleFileName(NULL, pszLoader, MAX_PATH);
_tcslwr(pszLoader);
if (_tcsstr(pszLoader, _T("explorer.exe")))
return FALSE;
hDllHook = LoadLibrary("HtHook.dll");
if (!hDllHook)
{
MessageBox(NULL,"加载HtHook.dll失败",NULL,MB_OK);
return FALSE;
}
MessageBox(NULL,"加载HtHook.dll成功",NULL,MB_OK);
INSTALLHOOK dllInstallHook = (INSTALLHOOK)GetProcAddress(hDllHook, "InstallHook");
if (!dllInstallHook)
{
MessageBox(NULL,"寻址失败",NULL,MB_OK);
return FALSE;
}
dllInstallHook();
_Module.Init(ObjectMap, hInstance, &LIBID_GETOCXLib);
DisableThreadLibraryCalls(hInstance);
}
大家给看看是怎么回事?
...全文
当前发帖距今超过3年,不再开放新的回复
发表回复
matrix2009 2009-08-20
搞定了
MoXiaoRab 2009-08-20
虽然我没用做过,但是你这么拦截ActiveX是不可取的
matrix2009 2009-08-20
我上午用Detours 2.1,重写了一下DLL程序,发现Detours加载上了,但是IE打开一个网页很慢,查看本地连接,收到了很多的数据包,但是网页几乎打不开。后来修改了一下代码,勉强可以打开网页,代码如下:
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
int error = 0;
long err = 0;
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
g_hDll = (HMODULE)hModule;
s_pFakeCoGetClassObjectFromURL
= ((MY_FakeCoGetClassObjectFromURL)
DetourFindFunction("UrlMon.dll", "CoGetClassObjectFromURL"));
if (!s_pFakeCoGetClassObjectFromURL)
{
MessageBox(NULL,"DetourFindFunction失败",NULL,MB_OK);
}
err = DetourTransactionBegin();
if (NO_ERROR == err)
{
MessageBox(NULL,"success","DetourTransactionBegin",MB_OK);
}
else if (ERROR_INVALID_OPERATION)
{
MessageBox(NULL,"error","DetourTransactionBegin",MB_OK);
}
err = DetourUpdateThread(::GetCurrentThread());
if (NO_ERROR == err)
{
MessageBox(NULL,"success","DetourUpdateThread",MB_OK);
}
else
{
MessageBox(NULL,"error","DetourUpdateThread",MB_OK);
}
err = DetourAttach(&(PVOID&)s_pFakeCoGetClassObjectFromURL, Replace_FakeCoGetClassObjectFromURL);
if (NO_ERROR == err)
{
MessageBox(NULL,"success","DetourAttach",MB_OK);
}
else if (ERROR_INVALID_BLOCK == err)
{
MessageBox(NULL,"ERROR_INVALID_BLOCK","DetourAttach",MB_OK);
}
else if (ERROR_INVALID_HANDLE == err)
{
MessageBox(NULL,"ERROR_INVALID_HANDLE","DetourAttach",MB_OK);
}
else if (ERROR_INVALID_OPERATION == err)
{
MessageBox(NULL,"ERROR_INVALID_OPERATION","DetourAttach",MB_OK);
}
else if (ERROR_NOT_ENOUGH_MEMORY == err)
{
MessageBox(NULL,"ERROR_NOT_ENOUGH_MEMORY","DetourAttach",MB_OK);
}
error = DetourTransactionCommit();
if(NO_ERROR == error)
{
//::MessageBox(NULL,"Error!","Error in Detours!",MB_OK);
MessageBox(NULL,"success!","Detours!",MB_OK);
}
else if (ERROR_INVALID_DATA == error)
{
MessageBox(NULL,"ERROR_INVALID_DATA",NULL,MB_OK);
}
else if (ERROR_INVALID_OPERATION == error)
{
MessageBox(NULL,"ERROR_INVALID_OPERATION",NULL,MB_OK);
}
else
{
MessageBox(NULL,"Other",NULL,MB_OK);
}
//MessageBox(NULL,"设置Detours完毕",NULL,MB_OK);
// s_pFakeCoGetClassObjectFromURL
// = ((MY_FakeCoGetClassObjectFromURL)
// DetourFindFunction("UrlMon.dll", "CoGetClassObjectFromURL"));
//
// if (!s_pFakeCoGetClassObjectFromURL)
// {
// MessageBox(NULL,"DetourFindFunction失败",NULL,MB_OK);
// }
//
// s_pReal_FakeCoGetClassObjectFromURL
// = (MY_FakeCoGetClassObjectFromURL)DetourFunction((PBYTE)s_pFakeCoGetClassObjectFromURL,
// (PBYTE)Replace_FakeCoGetClassObjectFromURL);
//
// MessageBox(NULL,"设置Detours完毕",NULL,MB_OK);
break;
}
case DLL_THREAD_ATTACH:
{
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourDetach(&(PVOID&)s_pFakeCoGetClassObjectFromURL, Replace_FakeCoGetClassObjectFromURL);
error = DetourTransactionCommit();
::MessageBox(NULL,"Detour ends","Prompt!",MB_OK);
// if(s_pReal_FakeCoGetClassObjectFromURL)
// DetourRemove((PBYTE)s_pReal_FakeCoGetClassObjectFromURL,(PBYTE)Replace_FakeCoGetClassObjectFromURL);
break;
}
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
网页打开还是很慢,而且不停的弹出Detour ends这个消息框,
请问是怎么回事?
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
int error = 0;
long err = 0;
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
g_hDll = (HMODULE)hModule;
s_pFakeCoGetClassObjectFromURL
= ((MY_FakeCoGetClassObjectFromURL)
DetourFindFunction("UrlMon.dll", "CoGetClassObjectFromURL"));
if (!s_pFakeCoGetClassObjectFromURL)
{
MessageBox(NULL,"DetourFindFunction失败",NULL,MB_OK);
}
err = DetourTransactionBegin();
if (NO_ERROR == err)
{
MessageBox(NULL,"success","DetourTransactionBegin",MB_OK);
}
else if (ERROR_INVALID_OPERATION)
{
MessageBox(NULL,"error","DetourTransactionBegin",MB_OK);
}
err = DetourUpdateThread(::GetCurrentThread());
if (NO_ERROR == err)
{
MessageBox(NULL,"success","DetourUpdateThread",MB_OK);
}
else
{
MessageBox(NULL,"error","DetourUpdateThread",MB_OK);
}
err = DetourAttach(&(PVOID&)s_pFakeCoGetClassObjectFromURL, Replace_FakeCoGetClassObjectFromURL);
if (NO_ERROR == err)
{
MessageBox(NULL,"success","DetourAttach",MB_OK);
}
else if (ERROR_INVALID_BLOCK == err)
{
MessageBox(NULL,"ERROR_INVALID_BLOCK","DetourAttach",MB_OK);
}
else if (ERROR_INVALID_HANDLE == err)
{
MessageBox(NULL,"ERROR_INVALID_HANDLE","DetourAttach",MB_OK);
}
else if (ERROR_INVALID_OPERATION == err)
{
MessageBox(NULL,"ERROR_INVALID_OPERATION","DetourAttach",MB_OK);
}
else if (ERROR_NOT_ENOUGH_MEMORY == err)
{
MessageBox(NULL,"ERROR_NOT_ENOUGH_MEMORY","DetourAttach",MB_OK);
}
error = DetourTransactionCommit();
if(NO_ERROR == error)
{
//::MessageBox(NULL,"Error!","Error in Detours!",MB_OK);
MessageBox(NULL,"success!","Detours!",MB_OK);
}
else if (ERROR_INVALID_DATA == error)
{
MessageBox(NULL,"ERROR_INVALID_DATA",NULL,MB_OK);
}
else if (ERROR_INVALID_OPERATION == error)
{
MessageBox(NULL,"ERROR_INVALID_OPERATION",NULL,MB_OK);
}
else
{
MessageBox(NULL,"Other",NULL,MB_OK);
}
//MessageBox(NULL,"设置Detours完毕",NULL,MB_OK);
// s_pFakeCoGetClassObjectFromURL
// = ((MY_FakeCoGetClassObjectFromURL)
// DetourFindFunction("UrlMon.dll", "CoGetClassObjectFromURL"));
//
// if (!s_pFakeCoGetClassObjectFromURL)
// {
// MessageBox(NULL,"DetourFindFunction失败",NULL,MB_OK);
// }
//
// s_pReal_FakeCoGetClassObjectFromURL
// = (MY_FakeCoGetClassObjectFromURL)DetourFunction((PBYTE)s_pFakeCoGetClassObjectFromURL,
// (PBYTE)Replace_FakeCoGetClassObjectFromURL);
//
// MessageBox(NULL,"设置Detours完毕",NULL,MB_OK);
break;
}
case DLL_THREAD_ATTACH:
{
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourDetach(&(PVOID&)s_pFakeCoGetClassObjectFromURL, Replace_FakeCoGetClassObjectFromURL);
error = DetourTransactionCommit();
::MessageBox(NULL,"Detour ends","Prompt!",MB_OK);
// if(s_pReal_FakeCoGetClassObjectFromURL)
// DetourRemove((PBYTE)s_pReal_FakeCoGetClassObjectFromURL,(PBYTE)Replace_FakeCoGetClassObjectFromURL);
break;
}
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
网页打开还是很慢,而且不停的弹出Detour ends这个消息框,
请问是怎么回事?
Yofoo 2009-08-20
先确定 插件安装 是否一定会调用 CoGetClassObjectFromURL 这个API, 如果是其他方法实现, 你Hook也没用
跟踪看你的Hook是否成功
跟踪看你的Hook是否成功
matrix2009 2009-08-20
怎样才能成功截获呢?
大家帮帮忙
大家帮帮忙
MoXiaoRab 2009-08-19
首先,Detours不是成功率100%
第二,很多情况下Detours都无效
第二,很多情况下Detours都无效
缺乏detours.h引用问题 Detours是Microsoft开发一个库,1拦截x86机器上的任意的win32 API函数。 2插入任意的数据段到PE文件中,修改DDL文件的导入表。这是已经编译好的头文件以及lib包,只需要复制到项目即可。
使用Detours库截获windows api 介绍微软的一个用来截获系统API的库detours的简单用法,示例截获MessageBox的方法。 2,实现 win32控制台程序: #include "stdafx.h" #include #include "detours.h" #include #include #pragma comment(lib...
摸索Detours 2:使用Detours 进行简单的Hook 32位的话将摸索Detours 1:使用Vs2019 编译Detours中编译的include添加包含目录、lib.X86添加到库目录。 64位的话将摸索Detours 1:使用Vs2019 编译Detours中编译的include添加包含目录、lib.X64添加到库目录。 ...
Detours使用说明.doc "Detours is a library for intercepting arbitrary Win32 binary functions on x86 machines. Interception code is applied dynamically at runtime. Detours replaces the first few instructions of the target ...
摸索Detours 3:使用Detours 采用dll 方式进行Hook 使用DLL进行Hook的时候,主要处理DLL_PROCESS_ATTACH和DLL_PROCESS_DETACH 这两项,在编写相应的处理代码之前,当然是要先定义和引入需要Hook的函数,和替换的函数,如下: static int (WINAPI* Ol...
摸索Detours 1:使用Vs2019 编译Detours Detours 是干嘛的 ? 可以去微软的官网查看相关的信息:微软Detours 官网。 然后呢,就可以下载源码编译了,相关的源码下载可以去Github:https://github.com/microsoft/detours。 下面就可以开始编译工作了。 1....
Detours-4.0.1 VS2015编译好的的Detours 4.0.1版本的静态hook库,支持x86,x64和其他Windows兼容处理器(IA64和ARM)下的。它包括对32位或64位进程的支持。微软自家的产品。
使用 detours 框架 hook 函数 detours是微软的hook框架,可以去 github 下载源码编译: https://github.com/microsoft/Detours 编译得到 detours.lib ,然后把 detours.lib 和 detours.h 加到你的项目文件夹中: 接下来就可以无脑 hook 啦!我...
使用Detours库完成一个安全检测小工具 使用Detours库完成一个安全检测小工具 Detours库可以拦截任意的API调用,拦截代码是在动态运行时加载的。github链接:PFSafetyGuard???? 1. Get start 1.1 项目介绍 项目主要有四个部分: testCode:测试程序,...
Detours专业版,64位系统下能用的Detours 大家知道免费的Detours Express 3.0 以及一下的版本只能在32位系统下才有效果, 而专业版的价格高得吓人, 在查阅了众多网上资料,修改了部分头文件源代码. 终于把DetoursPro 编译成功,经测试 在Win7 64位旗舰版下能够...
