c++ - Trampoline Hook GetVolumeInformationW 上一个简单的 HWID 锁

问题描述

我正在尝试使用蹦床挂钩将 GetVolumeInformationW 挂在简单的 HWID 锁上，以返回序列号 (123456789) 的特定值。当我注入 dll 时，程序会立即崩溃。我也尝试从程序 86 文件夹中启动 hwid lock，但它还是崩溃了。我尝试了 SendBoxMessageA、SwapBuffers 上的蹦床钩子，效果很好。这是 HWID 锁定代码。

#include <iostream>
#include <Windows.h>
#include <tchar.h>

int main()
{
    std::cout << "Checking...\n";
    TCHAR volumeName[MAX_PATH + 1] = { 0 };
    TCHAR fileSystemName[MAX_PATH + 1] = { 0 };
    DWORD serialNumber = 0;
    DWORD maxComponentLen = 0;
    DWORD fileSystemFlags = 0;
    if (GetVolumeInformation(
        _T("C:\\"),
        volumeName,
        ARRAYSIZE(volumeName),
        &serialNumber,
        &maxComponentLen,
        &fileSystemFlags,
        fileSystemName,
        ARRAYSIZE(fileSystemName)
    ))
    {
        Sleep(1000000);
        DWORD acceptedSerial = 123456789;
        if (serialNumber == acceptedSerial) {
            std::cout << "Welcome to my app!" << std::endl;
        }
        else {
            std::cout << "You are not in the system!" << std::endl;
            Sleep(4000);
            return 0;
        }
    }
}

这是dll的代码

#include <iostream>
#include <Windows.h>
#include <tchar.h>


bool Detour32(char* src, char* dst, const intptr_t len)
{
    if (len < 5) return false;

    DWORD  curProtection;
    VirtualProtect(src, len, PAGE_EXECUTE_READWRITE, &curProtection);

    intptr_t  relativeAddress = (intptr_t)(dst - (intptr_t)src) - 5;

    *src = (char)'\xE9';
    *(intptr_t*)((intptr_t)src + 1) = relativeAddress;

    VirtualProtect(src, len, curProtection, &curProtection);
    return true;
}

char* TrampHook32(char* src, char* dst, const intptr_t len)
{
    // Make sure the length is greater than 5
    if (len < 5) return 0;

    // Create the gateway (len + 5 for the overwritten bytes + the jmp)
    void* gateway = VirtualAlloc(0, len + 5, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    //Write the stolen bytes into the gateway
    memcpy(gateway, src, len);

    // Get the gateway to destination addy
    intptr_t  gatewayRelativeAddr = ((intptr_t)src - (intptr_t)gateway) - 5;

    // Add the jmp opcode to the end of the gateway
    *(char*)((intptr_t)gateway + len) = 0xE9;

    // Add the address to the jmp
    *(intptr_t*)((intptr_t)gateway + len + 1) = gatewayRelativeAddr;

    // Perform the detour
    Detour32(src, dst, len);

    return (char*)gateway;
}

typedef BOOL(__stdcall* tGetVolumeInformation)
(
    LPCWSTR lpRootPathName,
    LPWSTR  lpVolumeNameBuffer,
    DWORD   nVolumeNameSize,
    LPDWORD lpVolumeSerialNumber,
    LPDWORD lpMaximumComponentLength,
    LPDWORD lpFileSystemFlags,
    LPWSTR  lpFileSystemNameBuffer,
    DWORD   nFileSystemNameSize
);
tGetVolumeInformation oGetVolumeInformation = nullptr;

BOOL __stdcall hkGetVolumeInformation
(
    LPCWSTR lpRootPathName,
    LPWSTR  lpVolumeNameBuffer,
    DWORD   nVolumeNameSize,
    LPDWORD lpVolumeSerialNumber,
    LPDWORD lpMaximumComponentLength,
    LPDWORD lpFileSystemFlags,
    LPWSTR  lpFileSystemNameBuffer,
    DWORD   nFileSystemNameSize
)
{

    *lpVolumeSerialNumber = 0x123456789;

    return oGetVolumeInformation
    (
        lpRootPathName, 
        lpVolumeNameBuffer, 
        nVolumeNameSize, 
        lpVolumeSerialNumber, 
        lpMaximumComponentLength, 
        lpFileSystemFlags, 
        lpFileSystemNameBuffer, 
        nFileSystemNameSize
    );
}

DWORD WINAPI Thread(HMODULE hModule)
{
    //Create Console
    AllocConsole();
    FILE* f;
    freopen_s(&f, "CONOUT$", "w", stdout);

    std::cout << "HWID Unlock\n";

    // Hook
    oGetVolumeInformation = (tGetVolumeInformation)GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetVolumeInformationW");

    oGetVolumeInformation = (tGetVolumeInformation)TrampHook32((char*)oGetVolumeInformation, (char*)hkGetVolumeInformation, 5);

    TCHAR volumeName[MAX_PATH + 1] = { 0 };
    TCHAR fileSystemName[MAX_PATH + 1] = { 0 };
    DWORD serialNumber = 0;
    DWORD maxComponentLen = 0;
    DWORD fileSystemFlags = 0;
    GetVolumeInformation(_T("C:\\"), volumeName, ARRAYSIZE(volumeName), &serialNumber, &maxComponentLen, &fileSystemFlags, fileSystemName, ARRAYSIZE(fileSystemName));
    std::cout << serialNumber << std::endl;
    //

    fclose(f);
    FreeConsole();
    return 0;
}

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        CloseHandle(CreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)Thread, hModule, 0, nullptr));
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

有人可以帮助我吗？

标签： c++windowshookdetourshwid