我一直在尝试(并且惨遭失败!)学习如何使用 Easyhook。我正在尝试为所有 GetVolumeInformation 调用挂钩并返回自定义文件系统名称。以下代码确实挂钩,我在 debugview 中获得了文件系统名称,但它使加载它的应用程序崩溃。
任何帮助将不胜感激
#include "stdafx.h"
#include <string>
#include <iostream>
#include <Windows.h>
#include <easyhook.h>
BOOL WINAPI myhook(LPCTSTR lpRootPathName, LPTSTR lpVolumeNameBuffer, DWORD nVolumeNameSize, LPDWORD lpVolumeSerialNumber, LPDWORD lpMaximumComponentLength, LPDWORD lpFileSystemFlags, LPTSTR lpFileSystemNameBuffer, DWORD nFileSystemNameSize);
BOOL WINAPI myhook(LPCTSTR lpRootPathName, LPTSTR lpVolumeNameBuffer, DWORD nVolumeNameSize, LPDWORD lpVolumeSerialNumber, LPDWORD lpMaximumComponentLength, LPDWORD lpFileSystemFlags, LPTSTR lpFileSystemNameBuffer, DWORD nFileSystemNameSize)
{
BOOL retval = GetVolumeInformationW(lpRootPathName, lpVolumeNameBuffer, nVolumeNameSize, lpVolumeSerialNumber, lpMaximumComponentLength, lpFileSystemFlags, lpFileSystemNameBuffer, nFileSystemNameSize);
if (retval) {
wcscpy_s(lpFileSystemNameBuffer, 8, L"NOTNTFS");
OutputDebugString(lpFileSystemNameBuffer);
}
return retval;
}
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
HOOK_TRACE_INFO hHook = { NULL }; // keep track of our hook
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
NTSTATUS result = LhInstallHook(
GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")), "GetVolumeInformationW"),
myhook,
NULL,
&hHook);
if (FAILED(result))
{
OutputDebugStringA("FAILED TO HOOK");
}
else {
OutputDebugStringA("HOOKED");
ULONG ACLEntries[1] = { 0 };
LhSetInclusiveACL(ACLEntries, 1, &hHook);
}
}
case DLL_THREAD_DETACH:
{
}
case DLL_PROCESS_DETACH:
{
}
break;
}
return TRUE;
}