问题
I am trying to hook win32 API function "CreateFile" using MS Detours, but when I test it by opening a *.doc file using MS Word, The CreateFile call for DLLs and font files and directories loaded by MS Word are redirected to my detoured function but not for that *.doc file, but when I open a *.txt file using notepad the CreateFile call for that *.txt file comes to my detoured function.
I am using following code for hooking CreateFile:
static HANDLE (WINAPI *Real_CreateFile)(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile) = CreateFile;
HANDLE WINAPI Routed_CreateFile(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
{
OutputDebugString(lpFileName);
return Real_CreateFile(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
}
BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
{
LONG Error;
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
OutputDebugString(L"Attaching MyDLL.dll");
OutputDebugString(strInfo);
DetourRestoreAfterWith();
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourAttach(&(PVOID&)Real_CreateFile, Routed_CreateFile);
Error = DetourTransactionCommit();
if (Error == NO_ERROR)
OutputDebugString(L"Hooked Success");
else
OutputDebugString(L"Hook Error");
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
OutputDebugString(L"De-Attaching MyDLL.dll");
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourDetach(&(PVOID&)Real_CreateFile, Routed_CreateFile);
Error = DetourTransactionCommit();
if (Error == NO_ERROR)
OutputDebugString(L"Un-Hooked Success");
else
OutputDebugString(L"Un-Hook Error");
break;
}
return TRUE;
}
Thanks in advance.
回答1:
I think you are missing a break
after this:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break; // Not interested in thread messages
case DLL_PROCESS_DETACH:
Are you just detaching the detour before it is called? Maybe opening a .doc
creates a new thread but a .txt
doesn't, triggering this code path.
回答2:
It looks like you're not initializing your Real_CreateFile function pointer properly. I'm guessing you're setting it to your module's import table entry for CreateFile.
Instead, initialize it to GetProcAddress(GetModuleHandle("kernel32"),"CreateFileW");
来源:https://stackoverflow.com/questions/14235482/ms-detours-express-3-0-is-not-hooking-createfile-win32-api-function-properly