0

我可以使用Deviare来挂钩和拦截GetLocalTime函数,但是如何更改字段的参数值,out即编辑?我能找到很少的片段使用,不幸的是它是一个 void 函数并且直接分配什么都不做。wYearSYSTEMTIMENktHookCallInfo.ResultField(0).Value

CreateHook("kernel32.dll!GetLocalTime", (int)eNktHookFlags.flgOnlyPostCall);


private static void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo info)
{
    NktParamsEnum param = info.Params();
    NktParam value = param.First().Evaluate();

    for (int i = 0; i < 8; i++)
    {
        NktParam field = value.Field(i);
        Console.WriteLine("{0} {1} {2}", field.Name, field.TypeName, field.Value);
    }
}


void WINAPI GetLocalTime(
  _Out_ LPSYSTEMTIME lpSystemTime
);

typedef struct _SYSTEMTIME {
  WORD wYear;
  WORD wMonth;
  WORD wDayOfWeek;
  WORD wDay;
  WORD wHour;
  WORD wMinute;
  WORD wSecond;
  WORD wMilliseconds;
} SYSTEMTIME, *PSYSTEMTIME;
4

1 回答 1

0

基于评论的答案是:使用UShortVal

于 2016-09-21T14:29:32.007 回答