Using CreateToolHelp32Snapshot to find a loaded DLL, find a function in that DLL and call it (GetProcAddress)

Posted 2024-10-10 17:01:07


I'm trying to get a handle to a function within a .dll. I am creating a CreateToolHelp32Snapshot and then enumerating over the modules until I find the one I want; from that .dll I want to find a particular function. How do I call GetProcAddress() correctly so that I get the function within 'that' .dll rather than another instance that may be running?

The continuation from the above question would then be: ok, so I have a handle to the function, how do I actually call it?

EDIT: As has already been pointed out, I am already in the 3rd-party app's address space. If GetProcAddress will not work, how do I get the entry point for the function using ReadProcessMemory and the necessary offset?

Thanks.

#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>

// printError() is the asker's own helper and pid the target process id, as in the original.
BOOL FindQtGuiFunction( DWORD pid )
{
  MODULEENTRY32 me32;

  // TH32CS_SNAPMODULE (the 0x8 in the original) snapshots the modules of process pid.
  HANDLE h_th_32snap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, pid );
  if( h_th_32snap == INVALID_HANDLE_VALUE )
  {
    printError( TEXT("CreateToolhelp32Snapshot (of modules)") );
    return( FALSE );
  }

  // Set the size of the structure before using it.
  me32.dwSize = sizeof( MODULEENTRY32 );

  // Retrieve information about the first module,
  // and exit if unsuccessful
  if( !Module32First( h_th_32snap, &me32 ) )
  {
    printError( TEXT("Module32First") );  // show cause of failure
    CloseHandle( h_th_32snap );           // clean the snapshot object
    return( FALSE );
  }

  // Now walk the module list of the process,
  // and display information about each module
  do
  {
    _tprintf( TEXT("\n\n     MODULE NAME:     %s"),   me32.szModule );
    _tprintf( TEXT("\n     Executable     = %s"),     me32.szExePath );
    _tprintf( TEXT("\n     Process ID     = 0x%08X"), me32.th32ProcessID );
    _tprintf( TEXT("\n     Ref count (g)  = 0x%04X"), me32.GlblcntUsage );
    _tprintf( TEXT("\n     Ref count (p)  = 0x%04X"), me32.ProccntUsage );
    // %p instead of a DWORD cast: the base is a pointer in pid's address space
    // and a DWORD cast truncates it on 64-bit builds.
    _tprintf( TEXT("\n     Base address   = %p"),     (void *) me32.modBaseAddr );
    _tprintf( TEXT("\n     Base size      = %d"),     me32.modBaseSize );

    if( !_tcsncmp( me32.szModule, TEXT("QtGui4.dll"), 255 ) )
    {
      // GetModuleHandle() looks the module up in the calling process, not in pid;
      // this only resolves the target's copy when pid is the current process.
      FARPROC test = GetProcAddress( GetModuleHandle( TEXT("QtGui4.dll") ),
                                     "?rowsInserted@QListView@@MAEXABVQModelIndex@@HH@Z" );
      _tprintf( TEXT("\n     rowsInserted   = %p"),   (void *) test );
    }

  } while( Module32Next( h_th_32snap, &me32 ) );

  CloseHandle( h_th_32snap );
  return( TRUE );
}

Greg, I would be interested to know why this is wrong. It doesn't throw any errors, but it doesn't work either!

Function prototype:

QWidget * QWidget::find ( WId id )   [static];

My attempt to call it:

// Prototype matching the mangled name: static QWidget * __cdecl QWidget::find(HWND).
// On Windows Qt 4, WId is HWND. my_hwnd is the asker's HWND, as in the original.
typedef QWidget * (__cdecl *func)( HWND );

HMODULE hDLL = GetModuleHandle( L"QtGui4.dll" );
if (hDLL != NULL)
{
   func pointer_find = (func)GetProcAddress(hDLL,"?find@QWidget@@SAPAV1@PAUHWND__@@@Z");

   if (!pointer_find)
   {
      // handle the error: GetLastError() gives the reason. No FreeLibrary() here,
      // because GetModuleHandle() did not add a reference that needs releasing.
      //return SOME_ERROR_CODE;
   }
   else
   {
      // call the function
      QWidget *widget = pointer_find(my_hwnd);
   }
}


Comments (2)

何处潇湘 2024-10-17 17:01:07


Not possible: GetProcAddress() requires a module handle. An HMODULE is only valid inside the process in which it was obtained. You would have to do the same kind of thing that GetProcAddress() does, iterating the IAT to find the entry point, and apply the base address offset. This is beyond painful to do for another process since you cannot directly access the memory to read the IAT; ReadProcessMemory is required.

Injecting code in the target process is the only reasonable approach. Which is also required to do what I presume you'd want to do next, call the function. Code injection techniques are covered well at codeproject.com.
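The answer above says the cross-process case means repeating what GetProcAddress does by hand: walk the module's export table (the answer calls it the IAT; the table GetProcAddress consults is the export directory) and add the module base. The following is an added example, not code from the question or from either answer, showing that walk in portable C over a constructed PE32 header-plus-export-section buffer that stands in for the bytes a tool would copy with ReadProcessMemory starting at me32.modBaseAddr. Because those bytes come from another process, every offset found in them is treated as untrusted and bounds-checked, and forwarded exports are reported instead of being returned as code addresses. The export names, RVAs, the 0x65000000 base and the helper names are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Result codes of find_export(). */
enum { EXPORT_FOUND = 0, EXPORT_NOT_FOUND = -1, EXPORT_FORWARDED = -2, EXPORT_BAD_IMAGE = -3 };

/* Bounds-checked little-endian reads: the bytes came from another process, so every
   offset found inside them is untrusted and is checked before use. */
static int rd32(const uint8_t *img, size_t len, uint32_t off, uint32_t *out) {
    if (off > len || len - off < 4) return 0;
    *out = (uint32_t)img[off] | ((uint32_t)img[off + 1] << 8) | ((uint32_t)img[off + 2] << 16) | ((uint32_t)img[off + 3] << 24);
    return 1;
}
static int rd16(const uint8_t *img, size_t len, uint32_t off, uint16_t *out) {
    if (off > len || len - off < 2) return 0;
    *out = (uint16_t)(img[off] | (img[off + 1] << 8));
    return 1;
}
/* True if the NUL-terminated string at img+off equals name, never reading past len. */
static int name_eq(const uint8_t *img, size_t len, uint32_t off, const char *name) {
    for (size_t i = 0; (size_t)off + i < len; i++) {
        if (img[off + i] != (uint8_t)name[i]) return 0;
        if (name[i] == '\0') return 1;
    }
    return 0;
}

/* Walks the export directory of a PE32 image copied from a module's base address and
   resolves name to base + RVA, the lookup GetProcAddress performs for the local process. */
int find_export(const uint8_t *img, size_t len, uint64_t base, const char *name, uint64_t *va) {
    uint32_t e_lfanew, sig, exp_rva, exp_size, n_names, fn_tab, name_tab, ord_tab;
    uint16_t mz, opt_magic;
    if (!rd16(img, len, 0, &mz) || mz != 0x5A4D) return EXPORT_BAD_IMAGE;                 /* "MZ" */
    if (!rd32(img, len, 0x3C, &e_lfanew) || e_lfanew > len) return EXPORT_BAD_IMAGE;
    if (!rd32(img, len, e_lfanew, &sig) || sig != 0x00004550) return EXPORT_BAD_IMAGE;     /* "PE\0\0" */
    if (!rd16(img, len, e_lfanew + 24, &opt_magic) || opt_magic != 0x10B) return EXPORT_BAD_IMAGE; /* PE32 only */
    /* DataDirectory[0] (export table) sits at optional-header offset 96 in PE32. */
    if (!rd32(img, len, e_lfanew + 24 + 96, &exp_rva) ||
        !rd32(img, len, e_lfanew + 24 + 100, &exp_size)) return EXPORT_BAD_IMAGE;
    if (exp_rva == 0) return EXPORT_NOT_FOUND;                       /* module exports nothing */
    /* IMAGE_EXPORT_DIRECTORY: NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals. */
    if (!rd32(img, len, exp_rva + 24, &n_names) || !rd32(img, len, exp_rva + 28, &fn_tab) ||
        !rd32(img, len, exp_rva + 32, &name_tab) || !rd32(img, len, exp_rva + 36, &ord_tab) ||
        n_names > len / 4) return EXPORT_BAD_IMAGE;
    for (uint32_t i = 0; i < n_names; i++) {
        uint32_t name_rva, fn_rva; uint16_t ordinal;
        if (!rd32(img, len, name_tab + 4 * i, &name_rva)) return EXPORT_BAD_IMAGE;
        if (!name_eq(img, len, name_rva, name)) continue;
        if (!rd16(img, len, ord_tab + 2 * i, &ordinal) ||
            !rd32(img, len, fn_tab + 4 * (uint32_t)ordinal, &fn_rva)) return EXPORT_BAD_IMAGE;
        /* An RVA pointing back into the export directory is a forwarder string, not code. */
        if (fn_rva >= exp_rva && fn_rva - exp_rva < exp_size) return EXPORT_FORWARDED;
        *va = base + fn_rva;                                         /* apply the module base */
        return EXPORT_FOUND;
    }
    return EXPORT_NOT_FOUND;
}

/* Constructed sample (not a real DLL): a PE32 header plus export section laid out as in
   memory, so RVA == buffer offset. Exports "rowsInserted" (code at RVA 0x1000) and
   "forwardedExample" (a forwarder to another DLL). */
#define IMG_LEN 0x300
static void put32(uint8_t *b, uint32_t off, uint32_t v) { for (int k = 0; k < 4; k++) b[off + k] = (uint8_t)(v >> (8 * k)); }
static void put16(uint8_t *b, uint32_t off, uint16_t v) { b[off] = (uint8_t)v; b[off + 1] = (uint8_t)(v >> 8); }
void build_sample_image(uint8_t *b) {
    memset(b, 0, IMG_LEN);
    put16(b, 0x00, 0x5A4D);            /* e_magic "MZ" */
    put32(b, 0x3C, 0x40);              /* e_lfanew */
    put32(b, 0x40, 0x00004550);        /* "PE\0\0" */
    put16(b, 0x40 + 24, 0x10B);        /* PE32 optional-header magic */
    put32(b, 0x40 + 24 + 96, 0x200);   /* export directory RVA */
    put32(b, 0x40 + 24 + 100, 0x100);  /* export directory size: covers 0x200..0x300 */
    put32(b, 0x200 + 24, 2);           /* NumberOfNames */
    put32(b, 0x200 + 28, 0x230);       /* AddressOfFunctions */
    put32(b, 0x200 + 32, 0x240);       /* AddressOfNames */
    put32(b, 0x200 + 36, 0x250);       /* AddressOfNameOrdinals */
    put32(b, 0x230, 0x1000);           /* functions[0]: code RVA */
    put32(b, 0x234, 0x290);            /* functions[1]: RVA of forwarder string (inside export dir) */
    put32(b, 0x240, 0x270);            /* names[0] "forwardedExample" (name table is sorted) */
    put32(b, 0x244, 0x260);            /* names[1] "rowsInserted" */
    put16(b, 0x250, 1);                /* ordinals[0] -> functions[1] */
    put16(b, 0x252, 0);                /* ordinals[1] -> functions[0] */
    memcpy(b + 0x260, "rowsInserted", 13);
    memcpy(b + 0x270, "forwardedExample", 17);
    memcpy(b + 0x290, "OTHER.dll.realName", 19);
}

/* Resolves name against the sample image as if it were loaded at base; 0 if not resolvable. */
uint64_t sample_va(uint64_t base, const char *name) {
    uint8_t img[IMG_LEN]; uint64_t va = 0;
    build_sample_image(img);
    return find_export(img, IMG_LEN, base, name, &va) == EXPORT_FOUND ? va : 0;
}
/* Status code for name when only the first len bytes were read (a short ReadProcessMemory). */
int sample_status(size_t len, const char *name) {
    uint8_t img[IMG_LEN]; uint64_t va = 0;
    build_sample_image(img);
    return find_export(img, len, 0x65000000ULL, name, &va);
}
```

Resolving the same image at two different bases gives two different addresses, which is the practical content of "an HMODULE is only valid in its own process": the snapshot's modBaseAddr belongs to the target's address space, and the function address is that base plus the RVA, not whatever GetModuleHandle returns in the caller. The PE32+ (64-bit) layout moves the data directory to optional-header offset 112 and is not handled here.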

您的好友蓝忘机已上羡 2024-10-17 17:01:07


If you are in-process, you are almost there.

GetModuleHandle will get a currently loaded module handle, compared to LoadLibrary, which will load a module (and increase the ref count). You just need the right prototype for the function.

#include <windows.h>
#include <cstring>
#include <QListView>
// Member-pointer type matching the mangled name: protected virtual
// void __thiscall QListView::rowsInserted(const QModelIndex &, int, int)
typedef void (__thiscall QListView::*rowsInserted)(class QModelIndex const &,int,int);

// A cast from FARPROC to a pointer-to-member does not compile; copy the raw address in.
FARPROC raw = GetProcAddress(GetModuleHandle( L"QtGui4.dll"),"?rowsInserted@QListView@@MAEXABVQModelIndex@@HH@Z");
rowsInserted test = 0;            // null member pointer; any this-adjustment field stays 0
if( raw ) std::memcpy(&test, &raw, sizeof(raw));

//QListView *object
if( test && object )
  (object->*test)(my_QModelIndex, int_x, int_y);