2011-12-03 62 views
0

For example: explorer.exe loads a DLL named BROWSEUI.DLL, which uses shdocvw.dll, which in turn uses Shell32.dll. How do I get the import address table of Shell32.dll (inside explorer.exe)?

So my question is: how do I get the import address table (IAT) of Shell32.dll (in explorer.exe)?

I already know how to get the IAT of a running process (explorer.exe); the problem is that I can't see the shell32.dll functions.. :|

Edit: my hooking code

/* ========================================================= 
 * IATHooking Function                                      * 
 *                                                          * 
 * Replacing windows API functions with my own functions   * 
 * Return Value: True on success, False on failure.        * 
 * ======================================================== */ 
#include <windows.h> 
#include <stdio.h> 
#include <string.h> 
#include <list> 
using std::list; 
// Hook_Data (getTargetFunction/getNewFunc/setSourceAddr) and CIAT_Hook are declared in the project's own headers. 

bool CIAT_Hook::IAThooking(HMODULE hInstance, list<Hook_Data>& hookList) 
{ 
    bool flag = false; 

    PIMAGE_IMPORT_DESCRIPTOR importedModule; 
    PIMAGE_THUNK_DATA pFirstThunk, pOriginalFirstThunk; 
    PIMAGE_IMPORT_BY_NAME pFuncData; 

    importedModule = getImportTable(hInstance); 
    if (importedModule == NULL) // not a PE image, or it has no import directory 
        return false; 
    while (importedModule->Name != 0) // over the modules (DLLs); the array ends with an all-zero descriptor 
    { 
        printf("\n%s - %p:\n---------\n", (char*)((PBYTE)hInstance + importedModule->Name), (void*)hInstance); // module name and image base 
        if (importedModule->OriginalFirstThunk == 0) // no import name table: names cannot be recovered from a loaded image 
        { 
            importedModule++; 
            continue; 
        } 
        pFirstThunk = (PIMAGE_THUNK_DATA)((PBYTE)hInstance + importedModule->FirstThunk); // its IAT 
        pOriginalFirstThunk = (PIMAGE_THUNK_DATA)((PBYTE)hInstance + importedModule->OriginalFirstThunk); // its import name table (INT) 
        while (pOriginalFirstThunk->u1.AddressOfData != 0) // IAT and INT run in parallel and end with a zero entry 
        { 
            if (IMAGE_SNAP_BY_ORDINAL(pOriginalFirstThunk->u1.Ordinal)) // imported by ordinal: there is no IMAGE_IMPORT_BY_NAME to read 
            { 
                printf("%p ordinal #%u\n", (void*)pFirstThunk->u1.Function, (unsigned)IMAGE_ORDINAL(pOriginalFirstThunk->u1.Ordinal)); 
            } 
            else 
            { 
                pFuncData = (PIMAGE_IMPORT_BY_NAME)((PBYTE)hInstance + pOriginalFirstThunk->u1.AddressOfData); 
                printf("%p %s\n", (void*)pFirstThunk->u1.Function, pFuncData->Name); // function's addr and name 
                for (list<Hook_Data>::iterator it = hookList.begin(); it != hookList.end(); ++it) 
                { 
                    if (strcmp(it->getTargetFunction(), (char*)pFuncData->Name) == 0) // is this one of the target functions? 
                    { 
                        printf("Hooking... \n"); 
                        if (rewriteThunk(pFirstThunk, &(*it))) 
                        { 
                            printf("Hooked %s successfully :)\n", it->getTargetFunction()); 
                            flag = true; 
                        } 
                        break; 
                    } 
                } 
            } 
            pOriginalFirstThunk++; // next entry (function) in both arrays 
            pFirstThunk++; 
        } 
        importedModule++; // next module (DLL) 
    } 
    return flag; 
} 

PIMAGE_IMPORT_DESCRIPTOR CIAT_Hook::getImportTable(HMODULE hInstance) 
{ 
    PIMAGE_DOS_HEADER dosHeader; 
    PIMAGE_NT_HEADERS ntHeader; 
    IMAGE_DATA_DIRECTORY dataDirectory; 

    dosHeader = (PIMAGE_DOS_HEADER)hInstance; // hInstance is the image base, which starts with the MZ header 
    if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) 
        return NULL; 
    ntHeader = (PIMAGE_NT_HEADERS)((PBYTE)dosHeader + dosHeader->e_lfanew); // e_lfanew is the offset from the image base to the PE header 
    if (ntHeader->Signature != IMAGE_NT_SIGNATURE) 
        return NULL; 
    dataDirectory = ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]; // the import table entry of the DataDirectory 
    if (dataDirectory.VirtualAddress == 0) // the image imports nothing 
        return NULL; 
    return (PIMAGE_IMPORT_DESCRIPTOR)((PBYTE)hInstance + dataDirectory.VirtualAddress); // ImageBase + RVA of the import table 
} 

bool CIAT_Hook::rewriteThunk(PIMAGE_THUNK_DATA pThunk, Hook_Data* hd) 
{ 
    DWORD CurrentProtect; 
    DWORD junk; 
    if (!VirtualProtect(pThunk, sizeof(IMAGE_THUNK_DATA), PAGE_READWRITE, &CurrentProtect)) // the IAT page is read-only once the loader is done 
        return false; 
    hd->setSourceAddr(pThunk->u1.Function); // keep the original target so it can be called or restored later 
    pThunk->u1.Function = (ULONG_PTR)hd->getNewFunc(); // rewrite the IAT entry to point at the hook 
    VirtualProtect(pThunk, sizeof(IMAGE_THUNK_DATA), CurrentProtect, &junk); // restore the previous protection 
    return true; 
} 

Edit:

I debugged the IATHooking function and it looks like it crashes when it reaches the third function of SHLWAPI.DLL... it looks like the pFuncData variable is empty. Why does that happen?

It only happens in EXPLORER.EXE; in CMD.EXE it works fine!

This is the IATHooking output: http://pastebin.com/LkK4QhYQ or here:

ADVAPI32.dll - f4f8f817: 
--------- 
7688BED4 RegCloseKey 
76881CC0 RegCreateKeyW 
768818CB RegGetValueW 
7688BEC4 RegOpenKeyExW 
773DA4CA GetTraceEnableFlags 
773DA494 GetTraceEnableLevel 
773DA42B GetTraceLoggerHandle 
773D9627 RegisterTraceGuidsW 
773E17AD UnregisterTraceGuids 
7688B946 RegCreateKeyExW 
7688BCD5 RegQueryValueExW 
77415A12 EventRegister 
77413614 EventUnregister 
773CF5AB EventWrite 
773DDD62 EventEnabled 
7688B80C GetLengthSid 
7688B7B4 GetTokenInformation 
7688B7C4 OpenProcessToken 
76881C82 RegSetValueExW 
773E18F3 TraceMessage 
76883129 RegOpenKeyW 
7687D521 RegDeleteValueW 
7688BB72 RegEnumValueW 
7688BB42 RegQueryInfoKeyW 
76892C32 ConvertStringSidToSidW 
76889A61 CloseServiceHandle 
7687D20D OpenServiceW 
7687D1F5 OpenSCManagerW 
76883A84 QueryServiceStatus 
7688BB65 RegEnumKeyExW 
7688BD6B CreateWellKnownSid 
76878A9B StartServiceW 
7687E5C2 CryptAcquireContextW 
7687E552 CryptCreateHash 
7687E53A CryptHashData 
7687E582 CryptGetHashParam 
7687E56A CryptDestroyHash 
7687E74C CryptReleaseContext 
7687F486 StartTraceW 
76881338 EnableTraceEx 
768814F8 StopTraceW 
7689EEFB LsaLookupSids 
76888CB9 IsValidSid 
768818B3 GetSidSubAuthorityCount 
768818E3 GetSidSubAuthority 
76898D41 LsaOpenPolicy 
76898CB2 LsaFreeMemory 
76898E79 LsaClose 
7688B79C OpenThreadToken 
7688B83C ConvertSidToStringSidW 
76882B9B ConvertStringSecurityDescriptorToSecurityDescriptorW 
7687E4F4 CheckTokenMembership 

KERNEL32.dll - f4f8f817: 
--------- 
766ABC8B LoadLibraryExA 
766801A4 DelayLoadFailureHook 
766B0B5D CreateFileW 
766A5D47 GetFileSize 
766ADAA9 ReadFile 
766AB69A RaiseException 
766A6578 FlushInstructionCache 
766AF17D SetLastError 
766B0D8F OpenThread 
766AFE44 GetSystemTimeAsFileTime 
766B354A GetLocaleInfoW 
766AE1A1 GetTimeFormatW 
766AE49F GetDateFormatW 
766ADB98 GetLocalTime 
766AF23C InterlockedCompareExchange 
65241285 FindFirstFileW 
Hooking... 
Hooked FindFirstFileW successfully :) 
766ADB75 lstrcmpiW 
65241082 FindNextFileW 
Hooking... 
Hooked FindNextFileW successfully :) 
766B351A FindClose 
766B13CE GetFileAttributesW 
766B1844 GetSystemTime 
766B2997 SystemTimeToFileTime 
766AB606 ExpandEnvironmentStringsW 
766AF188 InterlockedIncrement 
766AF15B InterlockedDecrement 
766AF176 GetLastError 
766978A6 SetInformationJobObject 
76697832 CreateJobObjectW 
766923E7 GetPriorityClass 
766A254D SetPriorityClass 
766A73E4 OpenProcess 
766AA7A8 SearchPathW 
7669A2A8 GetSystemDefaultUILanguage 
766B125E UnmapViewOfFile 
766AC0D4 MapViewOfFile 
7669E588 GetTimeZoneInformation 
76693438 GetDynamicTimeZoneInformation 
766C78F4 GetBinaryTypeW 
766A5AAD QueryPerformanceFrequency 
7669E0CB GetTickCount64 
766AECC0 MulDiv 
766B41D9 GetLongPathNameW 
766AC68F GetThreadPriority 
766B0E69 MultiByteToWideChar 
766A2372 GlobalGetAtomNameW 
766AFE5F GetCurrentThread 
766A7407 SetThreadPriority 
766A7394 QueueUserWorkItem 
766AB6BF LoadLibraryExW 
7669E269 GetProductInfo 
766B2DE5 TerminateThread 
7669E011 CreateIoCompletionPort 
76696C94 GetQueuedCompletionStatus 
766A656B DeleteFileW 
766A9268 GetWindowsDirectoryW 
7669BAF2 GetProcessId 
766ACD40 CompareStringW 
766A8BF0 QueryFullProcessImageNameW 
766AF4B6 CompareFileTime 
766A3A51 CreateFileMappingW 
766AF224 ResetEvent 
766B0F86 WideCharToMultiByte 
766AD35C GlobalAlloc 
766AD275 GlobalLock 
766AD1BD GlobalUnlock 
766AD374 GlobalFree 
766B0636 DuplicateHandle 
766B356F GetCurrentDirectoryW 
766AF286 WaitForMultipleObjects 
766A3D8A GetComputerNameW 
766A911E DeactivateActCtx 
766A90ED ActivateActCtx 
766A91BD ReleaseActCtx 
766A75A3 CreateActCtxW 
766AA7EF FindResourceExW 
766AD3B0 LoadResource 
766A345C LockResource 
766B05B7 CloseHandle 
766B057C LocalFree 
766B0594 LocalAlloc 
766F6D0D QueryInformationJobObject 
766AEF66 Sleep 
766A3F14 ResumeThread 
76697AD3 AssignProcessToJobObject 
766B27FD CreateThread 
7666202D CreateProcessW 
766AEFA0 WaitForSingleObject 
766B19E9 FreeLibrary 
766B1837 GetProcAddress 
766B28B2 LoadLibraryW 
766A3CED GetUserDefaultUILanguage 
766B0613 CreateEventW 
766AFE37 lstrlenW 
766AF198 HeapFree 
7740209D HeapAlloc 
766AF24C GetProcessHeap 
766B060C GetCurrentProcess 
766BC41A HeapSetInformation 
766ACA61 GetVersionExW 
77407B5B DeleteCriticalSection 
7740F8BE InitializeCriticalSection 
766A3E65 HeapDestroy 
7669B5E0 GetPrivateProfileStringW 
766B29F4 GetModuleFileNameW 
766BECAB GetCommandLineW 
766B1C98 GetSystemDirectoryW 
766B2ACF ExitProcess 
76695995 RegisterApplicationRestart 
766AA89E SetProcessShutdownParameters 
766B7CB5 GetStartupInfoW 
766AEF88 ReleaseMutex 
766A5F40 CreateMutexW 
766B1297 SetErrorMode 
766985A7 SetProcessDEPPolicy 
766C86DA GetUserDefaultLangID 
766AF26E SetEvent 
773F6B40 LeaveCriticalSection 
773F6B7E EnterCriticalSection 
766AEF76 GetTickCount 
766AB613 OpenEventW 
766EFB87 SetTermsrvAppInstallMode 
766B0D23 GetCurrentProcessId 
766B19A1 GetModuleHandleW 
766AF212 GetCurrentThreadId 
766A509B TerminateProcess 
766C2B35 UnhandledExceptionFilter 
766A91A5 CompareStringOrdinal 
766AF2A7 QueryPerformanceCounter 
766B28D7 GetModuleHandleA 
766B3142 SetUnhandledExceptionFilter 
766AF25E InterlockedExchange 
766B05F4 VirtualAlloc 
766B0D35 VirtualFree 
766B2864 LoadLibraryA 

GDI32.dll - f4f8f817: 
--------- 
75225DDB GetStockObject 
75228336 SetWindowOrgEx 
7522F418 StretchBlt 
7522798F GetTextMetricsW 
752282A5 LPtoDP 
75230415 Polyline 
7522C968 CreatePen 
752290C6 GetTextColor 
7522C575 ExtCreateRegion 
75228D5B GetRegionData 
7522A23F SetLayout 
75227050 GetLayout 
7522B535 GetTextExtentPoint32W 
75228E01 CombineRgn 
75225FC5 GetRgnBox 
7522F234 OffsetViewportOrgEx 
75225F33 GdiFlush 
75228C20 OffsetRgn 
75228053 ExtTextOutW 
75229D1D SetDIBits 
75226F63 CreateRectRgn 
75227C93 GetClipRgn 
75227CCA IntersectClipRect 
752283CF GetViewportOrgEx 
7522814F SetViewportOrgEx 
75226D84 SelectClipRgn 
75229115 GetBkColor 
752266CD SetBkMode 
75226803 CreateBitmap 
75226055 PatBlt 
75227322 CreateCompatibleBitmap 
7522726D OffsetWindowOrgEx 
75226758 SetBkColor 
75226622 SetTextColor 
7522AF7E GetTextExtentPointW 
752281F2 GetClipBox 
752285F0 CreateDIBSection 
752274BF GetObjectW 
75228DE0 CreateRectRgnIndirect 
752268B4 DeleteObject 
75226522 CreateCompatibleDC 
752261D0 SelectObject 
75227180 BitBlt 
75226E03 GetDeviceCaps 
7522A3FD CreateFontIndirectW 
75226A2C DeleteDC 
75228213 GdiAlphaBlend 

USER32.dll - f4f8f817: 
--------- 
758F4493 PtInRect 
758F7450 GetWindowRect 
758F3C3E GetWindow 
758F764C SendMessageW 
758F5261 EnumChildWindows 
758F83A9 GetWindowLongW 
758EDEED CharPrevW 
758EF9CA CharNextW 
758F0E51 CreateWindowExW 
7591564A DialogBoxParamW 
758F2E8A GetClassInfoW 
758F2D26 GetClassInfoExW 
758ED02A GetMenuItemInfoW 
758ECF62 GetMenuItemCount 
758F319D GetClassNameW 
758F61DD GetKeyboardLayout 
758E817D ActivateKeyboardLayout 
758ECD2F IsChild 
758E88E3 InsertMenuW 
7591680C GetMenuStringW 
758F2767 SetMenuItemInfoW 
758ECA50 InsertMenuItemW 
7591584A IsWinEventHookInstalled 
758F3919 IsProcessDPIAware 
75931621 GetNextDlgGroupItem 
75916514 GetNextDlgTabItem 
758ED9BD GetDlgCtrlID 
758EA8C4 MoveWindow 
758F7511 IsRectEmpty 
758F5813 UnionRect 
759112AC ChildWindowFromPointEx 
758F394E GetGUIThreadInfo 
758E65C9 SetClassLongW 
758F5A28 GetClassLongW 
758F42E4 WindowFromDC 
75900C72 CharUpperW 
758EE5D5 UnregisterClassW 
75912603 FrameRect 
758F68EA GetWindowDC 
758F4DFC SendMessageCallbackW 
758EC01F UpdateLayeredWindow 
758F096C GetUserObjectInformationW 
758FFB00 GetThreadDesktop 
758F095A GetProcessWindowStation 
758F4FA4 GetIconInfo 
75944F4F ShowWindowAsync 
759145A1 FlashWindowEx 
7592FD8E EndTask 
758EDB52 SetThreadDesktop 
7591698E GetMenuState 
758F6632 SetScrollInfo 
758F5151 GetScrollInfo 
75911BD0 SetScrollPos 
75911B1D BringWindowToTop 
75905AE5 DeregisterShellHookWindow 
758F6BCA IsZoomed 
758EDA87 CloseDesktop 
758E5B5A OpenInputDesktop 
758E4C1A RegisterShellHookWindow 
758F68FE InternalGetWindowText 
758F6A82 GetWindowInfo 
75944F9F GetLayeredWindowAttributes 
758EC382 SetLayeredWindowAttributes 
758EFE12 GetCaretBlinkTime 
758ECC7B UnhookWindowsHookEx 
758ECC8F CallNextHookEx 
758F210A SetWindowsHookExW 
758EC265 GetUpdateRect 
758F8409 GetSystemMetrics 
758EEEE1 SystemParametersInfoW 
758ECF04 FindWindowW 
758F7055 ReleaseDC 
758F7041 GetDC 
758F8E8D DispatchMessageW 
758F910F TranslateMessage 
758F8F97 GetMessageW 
758E8A8A DestroyMenu 
758E8959 GetMenuDefaultItem 
758E88D6 CreatePopupMenu 
758F6225 PostMessageW 
758EEC79 MsgWaitForMultipleObjectsEx 
758F91B5 PeekMessageW 
758F6614 SetWindowLongW 
759307ED ShutdownBlockReasonCreate 
758F5533 LoadStringW 
758ED5EF DestroyWindow 
758ED6D7 PostQuitMessage 
758F3581 SetWindowPos 
758F93BF KillTimer 
758F77D5 SetTimer 
758F7A64 SetPropW 
758F147A ShowWindow 
758F7915 MapWindowPoints 
758F281B RegisterClassW 
758EF283 LoadCursorW 
758F53F9 SetActiveWindow 
758EB5FA UpdateLayeredWindowIndirect 
758F6D54 GetLastInputInfo 
75914CFE SendDlgItemMessageW 
7591555C EndDialog 
758EE7A9 GetDesktopWindow 
758F3508 GetShellWindow 
758EC6AA DestroyIcon 
758F55CD GetMonitorInfoW 
758F69DC CopyRect 
75915D86 ModifyMenuW 
758E612E CheckMenuItem 
758EC251 GhostWindowFromHungWindow 
758E89EF EnableMenuItem 
758E861C DeleteMenu 
758EC49E ReleaseCapture 
758EC198 GetCursorPos 
758F724B DefWindowProcW 
758F4C0C TrackMouseEvent 
758ECF30 GetDoubleClickTime 
758F7BC9 InvalidateRect 
75900FAD LockWorkStation 
7593BC38 TileWindows 
758F2BD9 UpdateWindow 
7593B994 CascadeWindows 
758ED9F6 GetWindowTextW 
75914B3B TrackPopupMenu 
758F23CB ClientToScreen 
75916D0C WindowFromPoint 
758F272A AppendMenuW 
758F7B73 EndPaint 
758F452A DrawEdge 
758F8308 FillRect 
75916BE4 LockSetForegroundWindow 
758F7080 InflateRect 
758F6939 IsWindowVisible 
758F565D GetForegroundWindow 
758F7AB3 GetParent 
758F93E7 WaitMessage 
758EEDFD RegisterWindowMessageW 
75915F72 TrackPopupMenuEx 
758F74B1 GetClientRect 
758EED89 MonitorFromRect 
758F689A EqualRect 
758E7FE7 SubtractRect 
758F52A2 RedrawWindow 
758F57FF EnumDisplayMonitors 
758F8267 SetWindowTextW 
758FF006 IntersectRect 
75916BD0 GetWindowPlacement 
758EEB65 SendNotifyMessageW 
758F7A0E RemovePropW 
758EC9CE SetWindowCompositionAttribute 
759080F8 HungWindowFromGhostWindow 
758ECBA9 SetFocus 
758F313E SendMessageTimeoutW 
758F5789 EnumWindows 
758EC90D UnregisterHotKey 
758EC8F9 RegisterHotKey 
758F590A MonitorFromWindow 
758F7756 IsWindow 
758F52EA SetCursor 
758EC09A GetAsyncKeyState 
758ED3AE SetForegroundWindow 
7592B6D2 ChildWindowFromPoint 
7592C1D8 SetCursorPos 
75916785 GetMessagePos 
758F66E3 IsIconic 
758F1431 LoadIconW 
758EC338 DeferWindowPos 
758FEFDD OffsetRect 
758F2FE3 GetWindowThreadProcessId 
758EC1F2 ScreenToClient 
758F3D0F GetAncestor 
758EB0D1 MonitorFromPoint 
758F6A10 SetRectEmpty 
758F524D ChangeWindowMessageFilterEx 
758EAC45 LoadAcceleratorsW 
758F9442 TranslateAcceleratorW 
758F4FDA GetKeyState 
758EB29A SetWindowRgn 
758F406C GetWindowRgnBox 
758F2323 LoadImageW 
758F5A1B GetFocus 
75915452 GetActiveWindow 
759144F7 MessageBeep 
758F7B87 BeginPaint 
75916C16 SwitchToThisWindow 
75916A4C GetLastActivePopup 
758EC2EA EndDeferWindowPos 
758EC316 BeginDeferWindowPos 
758E8169 SetWindowPlacement 
759170D3 IsHungAppWindow 
758EEDFD RegisterClipboardFormatW 
758F6A30 SetRect 
758F2949 GetSysColorBrush 
758F7829 GetPropW 
758E7B61 AllowSetForegroundWindow 
758F148E LoadMenuW 
758EB71C GetSubMenu 
758E8931 RemoveMenu 
758E8945 SetMenuDefaultItem 
758EBBB3 GetCapture 
758F4C5D DrawIconEx 
758ED9E2 GetMessageExtraInfo 
758E469F SetGestureConfig 
75908FFB AdjustWindowRect 
75901034 CalculatePopupWindowPosition 
758F8220 DrawTextW 
75916B2A SetCapture 
758F43DA CallWindowProcW 
75910A67 CheckDlgButton 
75909041 IsDlgButtonChecked 
758EC921 IsWindowEnabled 
75910B31 GetDlgItemInt 
75914DB1 SetDlgItemInt 
758E8510 GetDlgItem 
758EA72E EnableWindow 
758F507E SetWinEventHook 
758F59DF MsgWaitForMultipleObjects 
758F212B RegisterClassExW 
75915A25 CopyIcon 
758F64F8 AdjustWindowRectEx 
758FFA99 GetSysColor 
75914700 DrawFocusRect 
758FF299 NotifyWinEvent 
759306EF ExitWindowsEx 
758F1702 GetSystemMenu 

msvcrt.dll - f4f8f817: 
--------- 
7583E1E1 _controlfp 
758861CF ?terminate@@YAXXZ 
7584112D _onexit 
7583A449 _lock 
7583F509 __dllonexit 
7583A42D _unlock 
75853E27 _except_handler4_common 
75842804 __set_app_type 
75839910 memcpy 
75839E5A memmove 
758559E4 _CIsin 
75839BA1 _ftol2 
7583EF16 _CIcos 
7583C823 _wtoi 
7583B05E wcsncmp 
7583AAE3 _wcsnicmp 
7583A9E9 _wcsicmp 
7583B34A bsearch 
758427CE __p__fmode 
758427C3 __p__commode 
758C77AD __setusermatherr 
7589B2EF _amsg_exit 
7583C151 _initterm 
758D04DC _wcmdln 
758436AA exit 
7585DC75 _XcptFilter 
7589B2C0 _exit 
758437D4 _cexit 
75844E7C __wgetmainargs 
75839E3A _ftol2_sse 
75839CEE malloc 
7583EEC0 _CIsqrt 
75840D74 ceil 
7583B10D realloc 
7583AA61 wcschr 
7583C136 iswalpha 
7583BF71 wcsstr 
75839894 free 
7583BBCE _vsnwprintf 
75839790 memset 

ntdll.dll - f4f8f817: 
--------- 
773B86F5 WinSqmSetString 
773F5490 NtQueryInformationProcess 
773F5AC0 NtSetInformationProcess 
774121D3 WinSqmIsOptedIn 
773B9622 WinSqmAddToStreamEx 
773F5260 NtOpenThreadToken 
773F51E0 NtOpenProcessToken 
773F5BD0 NtSetSystemInformation 
773CADD5 WinSqmAddToStream 
773D14BC WinSqmEventEnabled 
773CF5AB EtwEventWrite 
773DDD62 EtwEventEnabled 
773CFF3C RtlGetProductInfo 
773F4910 NtClose 
773F54C0 NtQueryInformationToken 
773CAEF4 WinSqmSetDWORD 

SHLWAPI.dll - f4f8f817: 
--------- 
7662E2EA SHStrDupA 
76615AA1 StrCmpW 
7660E230 
+0

Can you post some code? –

+0

Sure.. you can see that this code works perfectly on cmd.exe while hooking the FindNextFile function. The problem is that in explorer.exe the function is called through shell32.dll, not directly from explorer.exe, which is why I can't hook FindNextFile – DanR

+0

Not sure what this is about. You'll certainly run into trouble; most of the shell code is COM-based, and that doesn't use the IAT. –

Answer

0

You can call LoadLibrary or GetModuleHandle (in case Shell32.dll is already loaded). This function gives you the virtual address at which the library is loaded in your process, so you can parse the PE file in memory to find Shell32.dll's export/import table.
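An added example, not code from the question or the answer, that does what the answer describes and what the question's loop attempts: starting from an image base (the address GetModuleHandle returns), it walks the PE import directory of that module and returns the IAT slot of a named import of a named DLL, skipping ordinal-only entries, which carry no IMAGE_IMPORT_BY_NAME and must not be read as a name pointer. It assumes a 32-bit PE; the struct layouts are redefined from WinNT.h so it also builds on a non-Windows host, and the image it runs against is a constructed in-memory sample, not a real binary. `find_iat_slot`, `patch_iat_slot`, `build_sample_image` and the hypothetical addresses in the sample are this example's own.

```c
/* Added example: locate the IAT slot of dll!function inside a PE image that is
 * already mapped in memory (the base address GetModuleHandle returns). Assumes a
 * 32-bit PE; the structs are minimal redefinitions of the WinNT.h layouts. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t reserved[58]; uint32_t e_lfanew; } DosHeader;
typedef struct { uint32_t VirtualAddress, Size; } DataDirectory;
typedef struct {
    uint32_t Signature;           /* "PE\0\0" */
    uint8_t  FileHeader[20];      /* IMAGE_FILE_HEADER, unused here */
    uint8_t  OptionalPrefix[96];  /* IMAGE_OPTIONAL_HEADER32 up to NumberOfRvaAndSizes */
    DataDirectory DataDir[16];    /* [1] = IMAGE_DIRECTORY_ENTRY_IMPORT */
} NtHeaders32;
typedef struct {
    uint32_t OriginalFirstThunk;  /* RVA of the import name table (INT) */
    uint32_t TimeDateStamp, ForwarderChain;
    uint32_t Name;                /* RVA of the DLL name string */
    uint32_t FirstThunk;          /* RVA of the IAT, overwritten by the loader */
} ImportDescriptor;
#pragma pack(pop)
#define IMPORT_DIR_INDEX 1
#define ORDINAL_FLAG32   0x80000000u  /* IMAGE_ORDINAL_FLAG32 */

static int name_eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}
/* Import directory: DOS header -> e_lfanew -> NT headers -> DataDir[1]. */
static const ImportDescriptor *import_table(const uint8_t *base)
{
    const DosHeader *dos = (const DosHeader *)base;
    if (dos->e_magic != 0x5A4D) return NULL;                       /* "MZ" */
    const NtHeaders32 *nt = (const NtHeaders32 *)(base + dos->e_lfanew);
    if (nt->Signature != 0x00004550) return NULL;                  /* "PE\0\0" */
    uint32_t rva = nt->DataDir[IMPORT_DIR_INDEX].VirtualAddress;
    return rva ? (const ImportDescriptor *)(base + rva) : NULL;
}
/* IAT slot for dll!func, or NULL. INT and IAT run in parallel; an INT entry with the
 * ordinal flag set has no IMAGE_IMPORT_BY_NAME behind it, so it is skipped instead of
 * being dereferenced as a name pointer. *ordinals_seen counts those entries (may be NULL). */
uint32_t *find_iat_slot(uint8_t *base, const char *dll, const char *func, int *ordinals_seen)
{
    const ImportDescriptor *d = import_table(base);
    if (ordinals_seen) *ordinals_seen = 0;
    for (; d && d->Name != 0; d++) {
        if (!name_eq_nocase((const char *)(base + d->Name), dll)) continue;
        if (d->OriginalFirstThunk == 0) continue;   /* no INT: names not recoverable once loaded */
        const uint32_t *names = (const uint32_t *)(base + d->OriginalFirstThunk);
        uint32_t *iat = (uint32_t *)(base + d->FirstThunk);
        for (size_t i = 0; names[i] != 0; i++) {
            if (names[i] & ORDINAL_FLAG32) { if (ordinals_seen) (*ordinals_seen)++; continue; }
            const char *name = (const char *)(base + names[i] + 2);   /* skip the 16-bit Hint */
            if (strcmp(name, func) == 0) return &iat[i];
        }
    }
    return NULL;
}
/* Overwrite the slot and return the previous target. In a live process the IAT page
 * is read-only, so on Windows wrap this in VirtualProtect(..., PAGE_READWRITE, ...). */
uint32_t patch_iat_slot(uint32_t *slot, uint32_t new_target)
{
    uint32_t old = *slot;
    *slot = new_target;
    return old;
}
/* Constructed sample image (not a real binary): flat layout with RVA == offset and one
 * descriptor for KERNEL32.dll importing ordinal #5, then FindNextFileW by name. */
static union { uint32_t align; uint8_t bytes[1024]; } g_img;
uint8_t *build_sample_image(void)
{
    uint8_t *img = g_img.bytes;
    memset(img, 0, sizeof g_img.bytes);
    DosHeader *dos = (DosHeader *)img;
    dos->e_magic = 0x5A4D; dos->e_lfanew = 64;
    NtHeaders32 *nt = (NtHeaders32 *)(img + 64);
    nt->Signature = 0x00004550;
    nt->DataDir[IMPORT_DIR_INDEX].VirtualAddress = 512;
    nt->DataDir[IMPORT_DIR_INDEX].Size = 2 * sizeof(ImportDescriptor);  /* entry + zero terminator */
    ImportDescriptor *d = (ImportDescriptor *)(img + 512);
    d->OriginalFirstThunk = 600; d->Name = 700; d->FirstThunk = 640;
    uint32_t *names = (uint32_t *)(img + 600), *iat = (uint32_t *)(img + 640);
    names[0] = ORDINAL_FLAG32 | 5;   /* by ordinal: no name string exists for this entry */
    names[1] = 720;                  /* RVA of IMAGE_IMPORT_BY_NAME {Hint, "FindNextFileW"} */
    iat[0] = 0x766B0000u; iat[1] = 0x65241082u;   /* stand-ins for loader-resolved addresses */
    memcpy(img + 700, "KERNEL32.dll", 13);
    memcpy(img + 722, "FindNextFileW", 14);      /* bytes 720..721 are the Hint field */
    return img;
}
int main(void)
{
    int ords = 0;
    uint8_t *base = build_sample_image();
    uint32_t *slot = find_iat_slot(base, "kernel32.dll", "FindNextFileW", &ords);
    if (!slot) return 1;
    uint32_t old = patch_iat_slot(slot, 0xDEADBEEFu);
    printf("FindNextFileW IAT slot at RVA %u (skipped %d ordinal imports): %08x -> %08x\n",
           (unsigned)((uint8_t *)slot - base), ords, old, *slot);
    return 0;
}
```

Against a real module the only change is the base: pass `(uint8_t *)GetModuleHandleW(L"shell32.dll")` instead of the sample, and make the IAT page writable before patching. For a 64-bit process the thunks are 64-bit and the ordinal flag is bit 63 (IMAGE_ORDINAL_FLAG64), so the thunk type and flag must follow the image's OptionalHeader.Magic.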
