如何使用 Import Redirection(导入重定向)来挂钩函数?——Windows 中的新特性:导入重定向



我在 Windows 中发现了一个新功能——API(导入)重定向。它允许应用程序把从某个 DLL 导入的 API“重定向”到另一个 DLL 中的函数去调用。然后我仔细阅读了 Link1 和 Link2 的相关文档。我创建了一个链接到 A.dll 的程序,并在该 DLL 中定义了 Sum();同时在 Redirection.dll 中定义了 mySum()。当我启动这个进程时,我希望进程对 A.dll!Sum() 的导入会被重定向到 Redirection.dll!mySum()。

总之,步骤大概是:
  1. 编写 Redirection.dll
  2. 在创建新进程时指定 Redirection.dll

并按照上面的 wiki,把我自己的 Redirection.dll 定义如下:

#include "pch.h"
#include <stdio.h>
#include <stdlib.h>
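// Replacement for A.dll!Sum. The loader installs this function as the target
// of the EXE's `Sum` import, so the signature must match the original export
// exactly (same parameters, same calling convention). The arguments are
// deliberately ignored so the redirection is visible in the return value.
int mySum(int a, int b) {
    (void)a;
    (void)b;
    printf("rewrite!\n"); // newline restored: the original printed a literal " n"
    return 222222222;
}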
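// Import-redirection table consumed by the loader. Each entry names the DLL
// and the export exactly as they appear in the target's import table, plus
// the function that should be called instead. The DLL name must be the
// runtime module name ("A.dll"); the original question used the import
// library name "Dll1.lib", which never appears in the EXE's import table,
// so no import was ever matched and nothing was redirected.
const REDIRECTION_FUNCTION_DESCRIPTOR RedirectionFunction[] = {
    { "A.dll", "Sum", &mySum }
};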
// Descriptor the loader looks up by its well-known export name
// (`__RedirectionInformation__`) in the redirection DLL. `extern "C"` keeps
// the symbol unmangled and `__declspec(dllexport)` places it in the export
// table; both are required for the loader to find it.
extern "C" __declspec(dllexport) const REDIRECTION_DESCRIPTOR __RedirectionInformation__ = {
    CURRENT_IMPORT_REDIRECTION_VERSION,                           // table format version
    sizeof(RedirectionFunction) / sizeof(RedirectionFunction[0]), // number of entries
    RedirectionFunction                                           // the table itself
};

A.DLL

#include "pch.h"
#include <stdio.h>
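// Original implementation of Sum, exported by name from A.dll. target.exe
// imports it through its import table; when a redirection DLL that maps
// A.dll!Sum is supplied at process creation, the call never reaches this
// body, so the message below only appears when no redirection is in effect.
extern "C" _declspec(dllexport) int Sum(int a, int b) {
    printf("orginal dll1.\n"); // newline restored; message text kept as in the original
    return a + b;
}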

程序(target.exe):

#include <Windows.h>
#include <iostream>
#pragma comment(lib,"A.lib") 
#define DLLIMPORT extern "C" _declspec(dllimport)

// Sum is resolved from A.dll through the EXE's import table (A.lib above
// only tells the linker the DLL name). This import entry is what a
// redirection table keyed on "A.dll"/"Sum" would replace.
DLLIMPORT int Sum(int a, int b);
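// Entry point of the test target. It calls the imported Sum once; when the
// process is launched with a redirection DLL that maps A.dll!Sum to another
// function, the second line prints that function's result instead of 3.
int main() {
    std::cout << "this is injectFuction main process: Hello World!\n"; // newline escape restored
    std::cout << Sum(1, 2) << std::endl;
    // Keep the process alive (~2.8 h) so its modules/imports can be inspected
    // in a debugger after the redirection has (or has not) been applied.
    Sleep(10000000);
    return 0;
}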

通过 NtCreateUserProcess 启动带有 Redirection.dll 的程序。我猜 NtDLLPath 这个参数就是用来指定重定向 DLL 路径的。但结果只是启动了 target.exe,Redirection.dll 并没有被加载,重定向也没有发生。我是不是漏掉了什么步骤?

#include <Windows.h>
#include "ntdll.h"
//#pragma comment(lib, "ntdll")

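// Launches target.exe through NtCreateUserProcess, intending to supply
// Redirection.dll as the process's import-redirection DLL.
// Returns 0 on success and 1 if any native call fails. Paths are NT paths
// ("\??\" prefix), which is what NtCreateUserProcess expects.
int main()
{
    // These are C++ string literals, so every backslash must be doubled;
    // the single-backslash form would be parsed as escape sequences.
    UNICODE_STRING NtImagePath;
    UNICODE_STRING NtDLLPath;
    RtlInitUnicodeString(&NtImagePath, (PWSTR)L"\\??\\D:\\newJunFiles\\RedirectionExample\\x64\\Debug\\target.exe");
    RtlInitUnicodeString(&NtDLLPath, (PWSTR)L"\\??\\D:\\newJunFiles\\RedirectionExample\\x64\\Debug\\Redirection.dll");

    // Build the process parameters.
    // NOTE(review): the third argument of RtlCreateProcessParametersEx is the
    // DLL *search path* (DllPath), not the import-redirection DLL. The loader
    // takes the redirection DLL from RTL_USER_PROCESS_PARAMETERS::RedirectionDllName
    // (newer ntdll.h headers expose it via RtlCreateProcessParametersWithTemplate,
    // which accepts it as a separate argument) -- verify against the ntdll.h in
    // use. As written, Redirection.dll is most likely never loaded, which
    // matches the observed behaviour. RtlCreateProcessParametersEx itself is
    // undocumented; its signature may change between Windows builds.
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters = NULL;
    NTSTATUS status = RtlCreateProcessParametersEx(&ProcessParameters,
        &NtImagePath, &NtDLLPath, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
        RTL_USER_PROCESS_PARAMETERS_NORMALIZED);
    if (!NT_SUCCESS(status)) {
        return 1;
    }

    // Initialize the PS_CREATE_INFO structure.
    PS_CREATE_INFO CreateInfo = { 0 };
    CreateInfo.Size = sizeof(CreateInfo);
    CreateInfo.State = PsCreateInitialState;

    // Attribute list with exactly one entry (the image name). Size it from the
    // header offset plus one PS_ATTRIBUTE, and report that same size in
    // TotalLength, so the allocation and the length the kernel validates stay
    // correct regardless of how many array elements the header declares.
    // The original allocated only sizeof(PS_ATTRIBUTE) bytes, which is
    // smaller than the header plus one attribute that it then wrote.
    const SIZE_T attrListSize = FIELD_OFFSET(PS_ATTRIBUTE_LIST, Attributes) + sizeof(PS_ATTRIBUTE);
    PPS_ATTRIBUTE_LIST AttributeList = (PPS_ATTRIBUTE_LIST)RtlAllocateHeap(RtlProcessHeap(), HEAP_ZERO_MEMORY, attrListSize);
    if (AttributeList == NULL) {
        RtlDestroyProcessParameters(ProcessParameters);
        return 1;
    }
    AttributeList->TotalLength = attrListSize;
    AttributeList->Attributes[0].Attribute = PS_ATTRIBUTE_IMAGE_NAME;
    AttributeList->Attributes[0].Size = NtImagePath.Length; // bytes, excluding the terminator
    AttributeList->Attributes[0].Value = (ULONG_PTR)NtImagePath.Buffer;

    // Create the process. Both handles are requested with full access; this
    // launcher only closes them, so a narrower mask would do if least
    // privilege matters to the caller.
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    status = NtCreateUserProcess(&hProcess,
        &hThread,
        PROCESS_ALL_ACCESS,
        THREAD_ALL_ACCESS,
        NULL, NULL, NULL, NULL,
        ProcessParameters,
        &CreateInfo,
        AttributeList);

    // Clean up. The new process keeps running; we only release our resources.
    RtlFreeHeap(RtlProcessHeap(), 0, AttributeList);
    RtlDestroyProcessParameters(ProcessParameters);
    if (!NT_SUCCESS(status)) {
        return 1;
    }
    CloseHandle(hThread);
    CloseHandle(hProcess);
    return 0;
}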

你的重定向表写错了(DLL 名称那一列):

const REDIRECTION_FUNCTION_DESCRIPTOR RedirectionFunction[] = {
{ "Dll1.lib", "Sum", &mySum }

应该是这样的:

const REDIRECTION_FUNCTION_DESCRIPTOR RedirectionFunction[] = {
{ "A.dll", "Sum", &mySum }

.lib 文件(导入库)只在链接期使用:它告诉链接器 DLL 的名字,并把这个名字(A.dll)写进 EXE 的导入表。运行时并不存在 .lib 文件;加载器拿来与重定向表匹配的是导入表里记录的 DLL 名称,所以表里必须写 "A.dll"。

另外,请注意 RtlCreateProcessParametersEx 不是受支持的公开 API(未文档化,参数随 Windows 版本变化)。你为什么不使用普通的 CreateProcess 呢?(审阅者注:据我所知 CreateProcess 并没有用来指定重定向 DLL 的参数;如果确实要用这一特性,仍需走 NtCreateUserProcess,并把 Redirection.dll 填进进程参数的 RedirectionDllName 字段,而不是像上面代码那样作为 DllPath(DLL 搜索路径)传入——请对照你所用的 ntdll.h 核实。)
