Microsoft Detours 如何工作以及如何使用它来获取堆栈跟踪?

发布于 2024-10-08 11:03:42 字数 428 浏览 5 评论 0原文

我是 Microsoft Detours 的新手。我安装它是为了跟踪进程进行的系统调用。我运行从网上获得的以下命令,

syelogd.exe /q C:\Users\xxx\Desktop\log.txt 
withdll.exe /d:traceapi.dll C:\Program Files\Google\Google Talk\googletalk.exe

获取日志文件。问题是我不完全理解这里发生的事情。绕行路如何运作?它如何跟踪系统调用? 我也不知道如何读取 log.txt 中的输出。这是 log.txt 中的一行

20101221060413329 2912 50.60: traceapi: 001 GetCurrentThreadId()

最后我想获取进程的堆栈跟踪。我怎样才能得到它?

I am new to Microsoft Detours. I have installed it to trace the system calls a process makes. I run the following commands which I got from the web

syelogd.exe /q C:\Users\xxx\Desktop\log.txt 
withdll.exe /d:traceapi.dll C:\Program Files\Google\Google Talk\googletalk.exe

I get the log file. The problem is I don't fully understand what is happening here. How does detours work? How does it trace the system calls?
Also I don't know how to read the output in log.txt. Here is one line in log.txt

20101221060413329 2912 50.60: traceapi: 001 GetCurrentThreadId()

Finally I want to get the stack trace of the process. How can I get that?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

仅此而已 2024-10-15 11:03:42

Detours 可让您拦截任何函数。它将 jmp 放置在您指定的地址中,为您的代码创建蹦床。最后,如果你想这样做,你可以调用旧函数。
要使用 Detours,您必须将代码注入要拦截的进程中。

要简化此过程,您可以使用 Deviare API Hook 来完成所有操作注入人员可以使用任何支持COM技术的编程语言拦截应用程序,包括.NET、Delphi、C++、Python等。
下载该软件包后,您将在其中找到一些示例。有一个名为 DeviareCSharpConsole 的控制台,可让您拦截显示完整堆栈跟踪信息的任何进程的任何 API。

这就是 Deviare API Hook 的工作方式,但正是您需要的如果您想创建一个挂钩另一个进程的应用程序,请执行以下操作:

Deviare API Hook Design

应在目标进程中创建代理拦截你想要的API。要拦截这些 API,您可以使用 Detours,但您必须编写未包含在该库中的 IPC 人员代码。

如果您需要使用 Deviare API Hook 在目标进程内编写代码您可以使用 Deviare 自定义挂钩。此功能允许您拦截 API 并异步处理已处理的参数。

Detours lets you intercept any function. It places a jmp in the address that you specify creating a trampoline to your code. Finally, you call the old function if you want to do it.
To use Detours you have to inject your code in the process you want to intercept.

To simplify this process you can use Deviare API Hook which does all the injection staff and you can use intercept applications from any programming language that supports COM technology, including .NET, Delphi, C++, Python, etc..
After downloading the package you will find some examples in it. There is a console named DeviareCSharpConsole that let you intercept any API of any process showing full stack trace information.

This is the way Deviare API Hook works but is what you need to do if you want to create an application that hooks another process:

Deviare API Hook Design

An agent should be created in the target process to intercept the APIs you want. To intercept these APIs you can use Detours but you have to code IPC staff that is not included in that library.

If you need to write code inside the target process using Deviare API Hook you can use Deviare Custom Hooks. This feature lets you intercept APIs and handle processed parameters asynchronously.

旧时模样 2024-10-15 11:03:42

除了 detours(仅 32 位免费)或 easyhook(khm,有点有点混乱的代码),您可能需要查看 mhook 2.4 这是非常简洁的代码并且获得了 BSD 许可。适用于 x86 和 x64,处理 IP 相关代码等。

网站上还有关于它如何工作的详细描述。

alt text

至于堆栈回溯,您可以使用 CaptureStackBackTrace() 来自 kernel32,或者如果您想变得更奇特,请使用 StackWalk64() 来自 dbghelp

Instead of detours (which is free for 32-bit only) or easyhook (which is, khm, a little bit messy code) you may want to check out mhook 2.4 which is very neat code and BSD-licensed. Works on x86 and x64, handles IP-relative code, etc.

There's also a thorough description on how it works at the site.

alt text

As for the stack backtrace, you can use CaptureStackBackTrace() from kernel32, or if you want to get fancy, use StackWalk64() from dbghelp.

萤火眠眠 2024-10-15 11:03:42

首先,我强烈建议,如果你想执行 API hooking,我会使用 easyhook: http:// easyhook.codeplex.com/(开源)。
这是一个非常好的、简单的 api-hooking 框架。

关于如何获取堆栈跟踪,我不记得具体如何操作,但请查看 WinAPIOverride32: http://jacquelin.potier.free.fr/winapioverride32/(开源)。
他正是这样做的,而且它是开源的。
此外,如果您需要跟踪进行研究,WinAPIOverride32 是一个很好的应用程序,可以用来研究应用程序如何工作。

编辑:只需再添加一个应用程序。 http://www.rohitab.com/ 就像 WinAPIOVerride32,但它支持 64 位,自从我使用以来它确实有所改进写下了这个答案。我必须指出,在某些情况下,它错过了我在 WinAPIOverride32 中找到的 API 调用,但它仍然相当不错。不幸的是,来源没有公开。

关于 api-hooking 的工作原理,
好吧,它的解释很长,我会向你推荐这篇文章:
http://www.codeproject.com/KB/system/hooksys.aspx
它很好地解释了它是如何在幕后完成的(除了那里写的之外还有其他方法,但它仍然是一篇非常好的文章)。

希望有帮助! :-)

First of all, I would HIGHLY advise, that if you want to perform API hooking, I would go with easyhook: http://easyhook.codeplex.com/ (open source).
It is a VERY good and easy api-hooking framework.

About how to get the stack trace, I don't remember exactly how to do it, but check out WinAPIOverride32: http://jacquelin.potier.free.fr/winapioverride32/ (open source).
He's doing exactly that, and it is open source.
Besides, if you need the traces for research, WinAPIOverride32 is a great application to use in order to study how applications work.

EDIT: Just adding one more application. http://www.rohitab.com/ is like WinAPIOVerride32, but it supports 64bit and it really improved since I wrote this answer. I must point out that it in some cases it missed API calls that I found in WinAPIOverride32, but its still pretty good. Unfortunately the source is not published.

About how api-hooking works,
Well its a long explanation, I would point you to this article:
http://www.codeproject.com/KB/system/hooksys.aspx
It gives a pretty good explanation of how it is done under the hood (there are other methods besides what is written there, but still, it is a very good article).

Hope it helps! :-)

删除会话 2024-10-15 11:03:42

如果允许您使用 Detours 以外的其他工具,您可以安装像 WinDbg 这样的调试器并将其附加到进程以获取调用堆栈。

您还可以尝试其他工具,例如 Process Monitor 和 Windows Performance Toolkit,如下所述:

If you are allowed to use something other than Detours, you could install a debugger like WinDbg and attach it to the process to get a callstack.

You could also try other tools like Process Monitor and Windows Performance Toolkit as explained here.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文