我可以在鏈接庫中掛鉤函數嗎？

Question

使用EasyHook我已經成功地鉤住了各種C++類的導出函數和已知的vtable函數。在所有這些情況下，目標程序都使用DLL。

提供我知道一個函數入口點的地址，當一個庫已經鏈接到目標程序而不是一個單獨的庫時，可以這樣做嗎？

Answer 1

它與EasyHook一起出現，您可以掛接其地址可計算的任何子例程。

在我的案例中，掛鉤靜態鏈接SSL_read和SSL_write OpenSSL就像使用我最喜歡的調試器識別偏移然後安裝掛鉤一樣簡單。

// delegate for EasyHook: 
[UnmanagedFunctionPointer(CallingConvention.Cdecl, 
    SetLastError = true, CharSet = CharSet.Ansi)] 
delegate Int32 SLL_readDelegate(IntPtr SSL_ptr, IntPtr buffer, Int32 length); 

// import SSL_read (I actually did it manually, but this will work in most cases) 
/* proto from ssl_lib.c -> int SSL_read(SSL *s,void *buf,int num) */ 
[DllImport("ssleay32.dll", SetLastError = true)] 
public static extern Int32 SSL_read(IntPtr ssl, IntPtr buffer, Int32 len); 

// the new routine 
static Int32 SSL_readCallback(IntPtr SSL_ptr, IntPtr buffer, Int32 length) 
{ 
    /* call the imported SSL_read */ 
    int ret = SSL_read(SSL_ptr, buffer, length); 
    /* TODO: your code here, e.g: 
    * string log_me = Marshal.PtrToString(buffer, ret); 
    */ 
    return ret; 
} 

現在，所有剩下的就是安裝鉤子：

private LocalHook sslReadHook; 

public void Run(RemoteHooking.IContext InContext, String InArg1) 
{ 
    // ... initialization code omitted for brevity 

    /* the value for ssl_read_addr is made up in this example 
    * you'll need to study your target and how it's loaded(?) to 
    * identify the addresses you want to hook 
    */ 
    int ssl_read_addr = 0x12345678; /* made up for examples sake */ 
    sslReadHook = LocalHook.Create(new IntPtr(ssl_read_addr), 
     new SSL_readDelegate(SSL_readCallback), this); 

    // ... 
} 

我要指出，在這個例子中，因爲後者取決於前者，你需要的libeay32.dll和ssleay32.dll。

快樂掛鉤！