我想拦截一个进程的 API 调用,以知道该进程何时调用了 msvbvm60.dll 的 API rtcMsgBox。我已经用这段代码试过了,但它似乎不起作用:
from winappdbg import Debug, EventHandler
import sys
import os
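class MyEventHandler( EventHandler ):
    """Debug event handler that logs the hooked API calls of the debuggee.

    Each API listed in ``apiHooks`` is intercepted, and the handler's
    ``pre_<api>`` / ``post_<api>`` methods are called on entry and on exit
    of that API.  An API that is listed here but has no matching pre_/post_
    method is intercepted without any visible effect -- the original class
    hooked ``rtcMsgBox`` but only defined callbacks for ``CreateFileW``,
    so nothing was ever printed for ``rtcMsgBox``.
    """

    # Add the APIs you want to hook.  The integer is the number of
    # parameters handed to the pre_ callback (7 for CreateFileW, matching
    # the seven named parameters of pre_CreateFileW below).
    apiHooks = {
        'msvbvm60.dll' : [( 'rtcMsgBox' , 7 ),],
        'kernel32.dll' : [( 'CreateFileW' , 7 ),],
    }

    # The pre_ functions are called upon entering the API
    def pre_CreateFileW(self, event, ra, lpFileName, dwDesiredAccess,
                        dwShareMode, lpSecurityAttributes, dwCreationDisposition,
                        dwFlagsAndAttributes, hTemplateFile):
        # lpFileName is a pointer inside the debuggee; read the wide string
        # it points to from the target's memory.
        fname = event.get_process().peek_string(lpFileName, fUnicode=True)
        print("CreateFileW: %s" % (fname))

    # The post_ functions are called upon exiting the API
    def post_CreateFileW(self, event, retval):
        if retval:
            print('Suceeded (handle value: %x)' % (retval))
        else:
            print('Failed!')

    # Callbacks for the rtcMsgBox hook declared in apiHooks.  The hook
    # passes 7 raw stack values; they are logged undecoded because the
    # parameter layout of rtcMsgBox is not established here -- TODO confirm
    # against the msvbvm60 export before decoding individual arguments.
    def pre_rtcMsgBox(self, event, ra, *args):
        print("rtcMsgBox called (return address %x) args: %s" % (ra, args))

    def post_rtcMsgBox(self, event, retval):
        print("rtcMsgBox returned: %r" % (retval,))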
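if __name__ == "__main__":
    # Validate the command line before touching sys.argv[1]: the original
    # printed sys.argv[1] first, which raised IndexError when no path was
    # given at all.  A usage error now exits non-zero.
    if len(sys.argv) < 2 or not os.path.isfile(sys.argv[1]):
        if len(sys.argv) >= 2:
            print(sys.argv[1])
        print("\nUsage: %s <File to monitor> [arg1, arg2, ...]\n" % sys.argv[0])
        sys.exit(1)

    # Instance a Debug object, passing it the MyEventHandler instance
    debug = Debug( MyEventHandler() )
    try:
        # Start a new process for debugging.  bFollow=True presumably makes
        # the debugger attach to child processes as well -- confirm in the
        # winappdbg documentation.
        debug.execv(sys.argv[1:], bFollow=True)
        # Wait for the debugged process to finish
        debug.loop()
    finally:
        # Stop the debugger even if loop() raised
        debug.stop()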
它适用于 Kernel32.dll 的 CreateFileW API,但不适用于 msvbvm60.dll 的 rtcMsgBox。为什么?我做错了什么?
编辑:顺便说一句,我不知道为什么我粘贴的代码分为两段代码。webapp 没有正确解析它,但它只是同一段代码。谢谢