c++ - Trampoline Hook GetVolumeInformationW 上一个简单的 HWID 锁
问题描述
我正在尝试用蹦床钩子(trampoline hook)挂钩一个简单 HWID 锁里的 GetVolumeInformationW,让它返回指定的序列号 (123456789)。但我一注入 dll,程序就立即崩溃。我也试过从 Program Files (x86) 文件夹启动这个 HWID 锁程序,结果还是崩溃。同样的蹦床钩子用在 SendBoxMessageA、SwapBuffers 上都能正常工作。下面是 HWID 锁的代码。
#include <iostream>
#include <Windows.h>
#include <tchar.h>
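// Toy "HWID lock": reads the C: volume serial number and admits the user only
// if it equals a hard-coded value.
//
// NOTE(review): the volume serial is a weak identifier for this purpose. It is
// a filesystem attribute assigned when the volume is formatted, not a
// hardware-rooted value, and — as the DLL on this page demonstrates — a
// user-mode hook on GetVolumeInformationW replaces it with one store. The
// equality compare below is a single conditional jump that can just as easily
// be patched out of the binary. Anything that has to hold up needs the check
// (and the identity it is based on) validated outside the client.
int main()
{
    std::cout << "Checking...\n";

    TCHAR volumeName[MAX_PATH + 1] = { 0 };
    TCHAR fileSystemName[MAX_PATH + 1] = { 0 };
    DWORD serialNumber = 0;
    DWORD maxComponentLen = 0;
    DWORD fileSystemFlags = 0;

    // GetVolumeInformation is a TCHAR alias: it resolves to the A or the W
    // export depending on whether UNICODE is defined, which matters to anyone
    // hooking one specific export.
    const BOOL ok = GetVolumeInformation(
        _T("C:\\"),
        volumeName,
        ARRAYSIZE(volumeName),
        &serialNumber,
        &maxComponentLen,
        &fileSystemFlags,
        fileSystemName,
        ARRAYSIZE(fileSystemName));
    if (!ok)
    {
        // The original fell off the end of main here with no output, which is
        // hard to tell apart from a crash while debugging a hook; report the
        // Win32 error and exit non-zero instead.
        std::cout << "GetVolumeInformation failed, error " << GetLastError() << std::endl;
        Sleep(4000);
        return 1;
    }

    // NOTE(review): this sleep runs *after* the serial has already been read,
    // so a DLL injected while the process sits here can no longer influence
    // the check — presumably it was meant to go before the call. Kept as-is.
    Sleep(1000000);

    const DWORD acceptedSerial = 123456789;
    if (serialNumber == acceptedSerial)
    {
        std::cout << "Welcome to my app!" << std::endl;
        return 0;
    }

    std::cout << "You are not in the system!" << std::endl;
    Sleep(4000);
    return 0;
}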
这是dll的代码
#include <Windows.h>
#include <tchar.h>

#include <cstdint>
#include <cstring>
#include <iostream>
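/// Overwrite the first bytes of `src` with a 5-byte relative `jmp` to `dst`.
///
/// Only the 5 bytes of the jmp are written; whatever the caller has saved from
/// `src` (see TrampHook32) is its own responsibility.
///
/// @param src  address to patch, normally the first byte of an exported function
/// @param dst  hook function the jmp lands on
/// @param len  byte count the caller considers overwritable; must be >= 5
/// @return true when the patch was written; false if a pointer is null, `len`
///         is too short, the displacement does not fit a rel32, or the page
///         protection could not be changed.
bool Detour32(char* src, char* dst, const intptr_t len)
{
    // E9 rel32: one opcode byte plus a signed 32-bit displacement.
    constexpr intptr_t kJmpSize = 5;
    if (src == nullptr || dst == nullptr || len < kJmpSize) return false;

    // The displacement is measured from the end of the jmp and is 32 bits wide
    // regardless of the build's pointer size. Compute it in intptr_t and refuse
    // targets outside +/-2 GiB: on a 64-bit build a hook DLL can easily be that
    // far from kernel32, and the original `*(intptr_t*)` store would have
    // written 8 bytes, clobbering 3 bytes of the instruction after the jmp.
    const intptr_t displacement =
        reinterpret_cast<intptr_t>(dst) - reinterpret_cast<intptr_t>(src) - kJmpSize;
    if (displacement < INT32_MIN || displacement > INT32_MAX) return false;
    const int32_t rel32 = static_cast<int32_t>(displacement);

    DWORD oldProtection = 0;
    if (!VirtualProtect(src, static_cast<SIZE_T>(len), PAGE_EXECUTE_READWRITE, &oldProtection))
        return false;

    *reinterpret_cast<unsigned char*>(src) = 0xE9;
    std::memcpy(src + 1, &rel32, sizeof(rel32));

    // Put the original protection back. The patch is already live, so a failure
    // here is not a reason to report the detour as failed.
    DWORD ignored = 0;
    VirtualProtect(src, static_cast<SIZE_T>(len), oldProtection, &ignored);
    FlushInstructionCache(GetCurrentProcess(), src, static_cast<SIZE_T>(len));
    return true;
}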
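/// Install an inline hook on `src` and return a "gateway" that runs the
/// original function.
///
/// The first `len` bytes of `src` are copied into a freshly allocated
/// executable page, followed by a jmp back to `src + len`; `src` itself is then
/// patched (Detour32) to jump to `dst`. Calling the returned pointer behaves
/// like the unhooked function.
///
/// Preconditions the caller must guarantee — nothing here can verify them:
///   * `len` covers whole instructions: at least 5 bytes and ending exactly on
///     an instruction boundary. A hard-coded 5 is a guess about the prologue;
///     use a length disassembler to measure it. A torn instruction at the end
///     of the copy is executed by the gateway as garbage.
///   * the copied instructions are position-independent: no relative jmp/call
///     (an export implemented as a forwarder stub is the classic case) and no
///     RIP-relative operand on x64. Moving such bytes to the gateway silently
///     retargets them.
///
/// @return the gateway address, or nullptr if an argument is invalid, the page
///         could not be allocated, a displacement does not fit a rel32, or the
///         detour could not be written. On failure nothing has been patched.
char* TrampHook32(char* src, char* dst, const intptr_t len)
{
    constexpr intptr_t kJmpSize = 5;
    if (src == nullptr || dst == nullptr || len < kJmpSize) return nullptr;

    // Gateway layout: [stolen bytes][E9 rel32 -> src + len].
    const SIZE_T gatewaySize = static_cast<SIZE_T>(len + kJmpSize);
    char* gateway = static_cast<char*>(
        VirtualAlloc(nullptr, gatewaySize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE));
    if (gateway == nullptr) return nullptr;

    std::memcpy(gateway, src, static_cast<size_t>(len));

    // rel32 is measured from the end of the jmp; the target is the first byte
    // of `src` that was not copied. On a 64-bit build the displacement must
    // still fit in 32 bits: VirtualAlloc(nullptr, ...) gives no locality
    // guarantee, and the original `*(intptr_t*)` store wrote 8 bytes into a
    // 5-byte slot, overrunning the allocation.
    char* const jmpAt = gateway + len;
    const intptr_t displacement =
        (reinterpret_cast<intptr_t>(src) + len) - (reinterpret_cast<intptr_t>(jmpAt) + kJmpSize);
    if (displacement < INT32_MIN || displacement > INT32_MAX)
    {
        VirtualFree(gateway, 0, MEM_RELEASE);
        return nullptr;
    }
    const int32_t rel32 = static_cast<int32_t>(displacement);
    *reinterpret_cast<unsigned char*>(jmpAt) = 0xE9;
    std::memcpy(jmpAt + 1, &rel32, sizeof(rel32));
    FlushInstructionCache(GetCurrentProcess(), gateway, gatewaySize);

    // Redirect the original only once the gateway is complete; if the detour
    // cannot be written nothing has changed and the page is simply released.
    if (!Detour32(src, dst, len))
    {
        VirtualFree(gateway, 0, MEM_RELEASE);
        return nullptr;
    }
    return gateway;
}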
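// Signature of kernel32!GetVolumeInformationW; the gateway is called through it.
using tGetVolumeInformation = BOOL(__stdcall*)
(
    LPCWSTR lpRootPathName,
    LPWSTR lpVolumeNameBuffer,
    DWORD nVolumeNameSize,
    LPDWORD lpVolumeSerialNumber,
    LPDWORD lpMaximumComponentLength,
    LPDWORD lpFileSystemFlags,
    LPWSTR lpFileSystemNameBuffer,
    DWORD nFileSystemNameSize
);

// Gateway to the unhooked GetVolumeInformationW; set by the hook thread after
// TrampHook32 succeeds.
tGetVolumeInformation oGetVolumeInformation = nullptr;

// Serial the HWID lock accepts. The lock compares against the decimal literal
// 123456789, so it is spelled in decimal here: the original 0x123456789 is a
// 33-bit value that does not fit a DWORD and truncates to 0x23456789.
constexpr DWORD kSpoofedSerial = 123456789u;

/// Replacement for GetVolumeInformationW: same contract as the real function,
/// except that a successful call reports kSpoofedSerial as the volume serial.
BOOL __stdcall hkGetVolumeInformation
(
    LPCWSTR lpRootPathName,
    LPWSTR lpVolumeNameBuffer,
    DWORD nVolumeNameSize,
    LPDWORD lpVolumeSerialNumber,
    LPDWORD lpMaximumComponentLength,
    LPDWORD lpFileSystemFlags,
    LPWSTR lpFileSystemNameBuffer,
    DWORD nFileSystemNameSize
)
{
    // Run the real function first: it writes the true serial into
    // *lpVolumeSerialNumber, so a value stored before the call (as the original
    // hook did) is overwritten and the caller never sees the spoofed one.
    const BOOL ok = oGetVolumeInformation
    (
        lpRootPathName,
        lpVolumeNameBuffer,
        nVolumeNameSize,
        lpVolumeSerialNumber,
        lpMaximumComponentLength,
        lpFileSystemFlags,
        lpFileSystemNameBuffer,
        nFileSystemNameSize
    );

    // The serial pointer is an optional out-parameter — callers may pass NULL —
    // and only a successful call has a meaningful serial, so failure semantics
    // are passed through untouched.
    if (ok && lpVolumeSerialNumber != nullptr)
        *lpVolumeSerialNumber = kSpoofedSerial;
    return ok;
}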
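/// Hook-installer thread started from DllMain.
///
/// Opens a console for diagnostics, patches kernel32!GetVolumeInformationW to
/// route through hkGetVolumeInformation, and makes one call through the patched
/// export to show what callers now see.
///
/// @param hModule handle of this DLL as passed by DllMain; unused.
/// @return 0 always — failures are printed, not returned, since nothing joins
///         this thread.
DWORD WINAPI Thread(HMODULE hModule)
{
    (void)hModule;

    AllocConsole();
    FILE* f = nullptr;
    // freopen_s leaves `f` unspecified on failure; the original handed it to
    // fclose regardless, which is one more way to crash inside the injected DLL.
    if (freopen_s(&f, "CONOUT$", "w", stdout) != 0) f = nullptr;
    std::cout << "HWID Unlock\n";

    // Resolve the export to patch. kernel32 is already mapped in every Win32
    // process, so GetModuleHandleA loads nothing; check both results anyway
    // rather than passing a null pointer into TrampHook32.
    HMODULE kernel32 = GetModuleHandleA("Kernel32.dll");
    FARPROC target = (kernel32 != nullptr) ? GetProcAddress(kernel32, "GetVolumeInformationW") : nullptr;
    if (target == nullptr)
    {
        std::cout << "GetVolumeInformationW not found, error " << GetLastError() << '\n';
    }
    else
    {
        // 5 is the minimum length for an E9 jmp, not a measured prologue length.
        // If the first 5 bytes of the export do not end on an instruction
        // boundary, or contain a relative jmp/call (e.g. a forwarder stub), the
        // gateway executes garbage — measure `len` with a length disassembler.
        char* gateway = TrampHook32(reinterpret_cast<char*>(target),
                                    reinterpret_cast<char*>(&hkGetVolumeInformation), 5);
        if (gateway == nullptr)
        {
            std::cout << "TrampHook32 failed\n";
        }
        else
        {
            // Between the patch inside TrampHook32 and this store, a concurrent
            // caller of GetVolumeInformationW would reach the hook with a null
            // gateway. The lock program shown on this page is single-threaded,
            // so that window is accepted here; a production hook would publish
            // the gateway before writing the jmp.
            oGetVolumeInformation = reinterpret_cast<tGetVolumeInformation>(gateway);

            // Exercise the hook through the W export explicitly. The TCHAR alias
            // used originally resolves to GetVolumeInformationA in a non-UNICODE
            // build, which may not pass through the patched kernel32 export at all.
            WCHAR volumeName[MAX_PATH + 1] = { 0 };
            WCHAR fileSystemName[MAX_PATH + 1] = { 0 };
            DWORD serialNumber = 0;
            DWORD maxComponentLen = 0;
            DWORD fileSystemFlags = 0;
            GetVolumeInformationW(L"C:\\", volumeName, ARRAYSIZE(volumeName), &serialNumber,
                                  &maxComponentLen, &fileSystemFlags, fileSystemName,
                                  ARRAYSIZE(fileSystemName));
            std::cout << serialNumber << std::endl;
        }
    }

    if (f != nullptr) fclose(f);
    FreeConsole();
    return 0;
}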
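/// DLL entry point. All real work happens on a separate thread: AllocConsole,
/// GetModuleHandle and the memory calls are not safe while the loader lock is
/// held, and the new thread only starts running once DllMain has returned.
///
/// @return TRUE to keep the DLL loaded; FALSE if the hook thread could not be
///         created, so the injector's LoadLibrary fails visibly instead of the
///         DLL sitting in the process doing nothing.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    (void)lpReserved;

    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        // Thread takes HMODULE rather than LPVOID; the cast relies on the two
        // being pointer-sized and is what the original code did.
        HANDLE worker = CreateThread(nullptr, 0,
                                     reinterpret_cast<LPTHREAD_START_ROUTINE>(Thread),
                                     hModule, 0, nullptr);
        if (worker == nullptr)
        {
            // The original passed the NULL straight to CloseHandle and
            // returned TRUE, hiding the failure.
            return FALSE;
        }
        // Nothing joins the thread, so the handle is not needed.
        CloseHandle(worker);
    }
    // DLL_THREAD_ATTACH / DLL_THREAD_DETACH / DLL_PROCESS_DETACH: nothing to do.
    // (The original switch fell through from DLL_PROCESS_ATTACH into these
    // empty cases, which was harmless but easy to misread.)
    return TRUE;
}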
有人可以帮助我吗?
解决方案