Is it possible in Delphi to get the address of a function/procedure in another process?

Posted 2024-09-24 16:57:20


I use Madshi's madCodeHook components to Inject a DLL in a process, and then hook a procedure/function. The problem is each time a new version of the EXE comes out the address of the functions may change. Currently the way I do it is to use Ollydbg and then hard code the address in the DLL that I inject into the process, this is very ugly and unsafe. Just wondering if there is a way knowing the the procedure's definition if I can do it dynamically.

Please note, this is not for malicious intent, I merely hook a few procedures in the target EXE for logging purposes.


Comments (4)

木森分化 2024-10-01 16:57:20


If the function itself doesn't change (a lot) you can search for the code that you need (search for the opcodes or the hex bytes) or use Madshi's disasm unit for the same purpose.

独守阴晴ぅ圆缺 2024-10-01 16:57:20


Without cooperation from the program you're hooking, there's no easy way to do what you need.

Usually, that cooperation comes in the form of the module's export table, but it could also come from the program providing an API to use to ask it for the addresses of its functions.

Even if you update your DLL for every release of the hooked program, there's still no guarantee your code will work. What you're doing is exactly the sort of thing that address space layout randomization is supposed to protect against. The program might be loaded at a different address every time it runs.

I think your best bet is if you can somehow automate whatever process you use to find the functions in Ollydbg. Then you can incorporate that into your DLL so it can search for the functions itself.

感悟人生的甜 2024-10-01 16:57:20


It depends. By default, Delphi compiles to native machine code. There's no metadata like that for most cases. (A lot of people see that as a security feature; it keeps people from doing exactly what you're trying to do here, which can be used for evil purposes.) But any method with RTTI available will have its address in the RTTI tables. This includes all published methods, and all public methods (by default, at least) in D2010 and Delphi XE. These RTTI tables can be read, but it takes a lot of low-level knowledge to find them.

Also, some programs come with some variety of map file either in the install folder or embedded as a resource, to facilitate error reporting when something goes wrong. If this program has one, and you can figure out its format, you might be able to get method addresses from there.

可遇━不可求 2024-10-01 16:57:20


If you are using a DLL, you can use GetProcAddress inside the DLL to retrieve the address of the function.
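The export-table route mentioned in the second and fourth answers, as an added example written for this page (it is not code from the question, the answers, or madCodeHook). It assumes, as in the question, that the code runs inside a DLL already loaded into the host EXE, that the host exports the procedure by name (`TargetProcName` is a hypothetical name), and a Delphi 2010-era `Windows` unit. GetProcAddress returns the address at which the module was actually mapped, so it stays correct under ASLR; the extra PE-header check guards against the one case where the result is misleading, a forwarded export whose code lives in a different module:

```delphi
unit ExportResolver;

interface

uses
  Windows, SysUtils;

{ Resolve an exported symbol of ModuleName ('' means the host EXE this DLL
  lives in) and confirm the pointer actually lies inside that module's image. }
function ResolveExport(const ModuleName: string; const ProcName: AnsiString): Pointer;

implementation

{ True when P points inside the mapped image of Module, using the
  SizeOfImage field of the PE optional header. }
function ModuleContains(Module: HMODULE; P: Pointer): Boolean;
var
  DosHeader: PImageDosHeader;
  NtHeaders: PImageNtHeaders;
  Base, Size: NativeUInt;
begin
  DosHeader := PImageDosHeader(Module);
  NtHeaders := PImageNtHeaders(NativeUInt(Module) + NativeUInt(DosHeader^._lfanew));
  Base := NativeUInt(Module);
  Size := NtHeaders^.OptionalHeader.SizeOfImage;
  Result := (NativeUInt(P) >= Base) and (NativeUInt(P) < Base + Size);
end;

function ResolveExport(const ModuleName: string; const ProcName: AnsiString): Pointer;
var
  Module: HMODULE;
begin
  Result := nil;
  if ModuleName = '' then
    Module := GetModuleHandle(nil)             // the EXE that loaded this DLL
  else
    Module := GetModuleHandle(PChar(ModuleName));
  if Module = 0 then
    Exit;                                      // module not loaded in this process

  Result := GetProcAddress(Module, PAnsiChar(ProcName));

  { GetProcAddress follows export forwarders, so the returned pointer can sit in
    another module. Reject that case: a hook meant for this module must only
    ever be placed on code that belongs to it. }
  if (Result <> nil) and not ModuleContains(Module, Result) then
    Result := nil;
end;

initialization
  { Hypothetical export name; replace with whatever the host EXE actually exports. }
  if ResolveExport('', 'TargetProcName') = nil then
    OutputDebugString('TargetProcName is not a local export of the host EXE')
  else
    OutputDebugString('TargetProcName resolved at its runtime address');

end.
```

Because the lookup happens at load time inside the target process, nothing is hard-coded per EXE version; when a new build stops exporting the name, the resolver returns `nil` and the logging hook is simply not installed rather than patching the wrong bytes.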
