我正在尝试使用蹦床挂钩将 GetVolumeInformationW 挂在简单的 HWID 锁上,以返回序列号 (123456789) 的特定值。当我注入 dll 时,程序会立即崩溃。我也尝试从程序 86 文件夹中启动 hwid lock,但它还是崩溃了。我尝试了 SendBoxMessageA、SwapBuffers 上的蹦床钩子,效果很好。这是 HWID 锁定代码。
#include <iostream>
#include <Windows.h>
#include <tchar.h>
int main()
{
std::cout << "Checking...\n";
TCHAR volumeName[MAX_PATH + 1] = { 0 };
TCHAR fileSystemName[MAX_PATH + 1] = { 0 };
DWORD serialNumber = 0;
DWORD maxComponentLen = 0;
DWORD fileSystemFlags = 0;
if (GetVolumeInformation(
_T("C:\\"),
volumeName,
ARRAYSIZE(volumeName),
&serialNumber,
&maxComponentLen,
&fileSystemFlags,
fileSystemName,
ARRAYSIZE(fileSystemName)
))
{
Sleep(1000000);
DWORD acceptedSerial = 123456789;
if (serialNumber == acceptedSerial) {
std::cout << "Welcome to my app!" << std::endl;
}
else {
std::cout << "You are not in the system!" << std::endl;
Sleep(4000);
return 0;
}
}
}
这是dll的代码
#include <iostream>
#include <Windows.h>
#include <tchar.h>
bool Detour32(char* src, char* dst, const intptr_t len)
{
if (len < 5) return false;
DWORD curProtection;
VirtualProtect(src, len, PAGE_EXECUTE_READWRITE, &curProtection);
intptr_t relativeAddress = (intptr_t)(dst - (intptr_t)src) - 5;
*src = (char)'\xE9';
*(intptr_t*)((intptr_t)src + 1) = relativeAddress;
VirtualProtect(src, len, curProtection, &curProtection);
return true;
}
char* TrampHook32(char* src, char* dst, const intptr_t len)
{
// Make sure the length is greater than 5
if (len < 5) return 0;
// Create the gateway (len + 5 for the overwritten bytes + the jmp)
void* gateway = VirtualAlloc(0, len + 5, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
//Write the stolen bytes into the gateway
memcpy(gateway, src, len);
// Get the gateway to destination addy
intptr_t gatewayRelativeAddr = ((intptr_t)src - (intptr_t)gateway) - 5;
// Add the jmp opcode to the end of the gateway
*(char*)((intptr_t)gateway + len) = 0xE9;
// Add the address to the jmp
*(intptr_t*)((intptr_t)gateway + len + 1) = gatewayRelativeAddr;
// Perform the detour
Detour32(src, dst, len);
return (char*)gateway;
}
typedef BOOL(__stdcall* tGetVolumeInformation)
(
LPCWSTR lpRootPathName,
LPWSTR lpVolumeNameBuffer,
DWORD nVolumeNameSize,
LPDWORD lpVolumeSerialNumber,
LPDWORD lpMaximumComponentLength,
LPDWORD lpFileSystemFlags,
LPWSTR lpFileSystemNameBuffer,
DWORD nFileSystemNameSize
);
tGetVolumeInformation oGetVolumeInformation = nullptr;
BOOL __stdcall hkGetVolumeInformation
(
LPCWSTR lpRootPathName,
LPWSTR lpVolumeNameBuffer,
DWORD nVolumeNameSize,
LPDWORD lpVolumeSerialNumber,
LPDWORD lpMaximumComponentLength,
LPDWORD lpFileSystemFlags,
LPWSTR lpFileSystemNameBuffer,
DWORD nFileSystemNameSize
)
{
*lpVolumeSerialNumber = 0x123456789;
return oGetVolumeInformation
(
lpRootPathName,
lpVolumeNameBuffer,
nVolumeNameSize,
lpVolumeSerialNumber,
lpMaximumComponentLength,
lpFileSystemFlags,
lpFileSystemNameBuffer,
nFileSystemNameSize
);
}
DWORD WINAPI Thread(HMODULE hModule)
{
//Create Console
AllocConsole();
FILE* f;
freopen_s(&f, "CONOUT$", "w", stdout);
std::cout << "HWID Unlock\n";
// Hook
oGetVolumeInformation = (tGetVolumeInformation)GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetVolumeInformationW");
oGetVolumeInformation = (tGetVolumeInformation)TrampHook32((char*)oGetVolumeInformation, (char*)hkGetVolumeInformation, 5);
TCHAR volumeName[MAX_PATH + 1] = { 0 };
TCHAR fileSystemName[MAX_PATH + 1] = { 0 };
DWORD serialNumber = 0;
DWORD maxComponentLen = 0;
DWORD fileSystemFlags = 0;
GetVolumeInformation(_T("C:\\"), volumeName, ARRAYSIZE(volumeName), &serialNumber, &maxComponentLen, &fileSystemFlags, fileSystemName, ARRAYSIZE(fileSystemName));
std::cout << serialNumber << std::endl;
//
fclose(f);
FreeConsole();
return 0;
}
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
CloseHandle(CreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)Thread, hModule, 0, nullptr));
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
有人可以帮助我吗?