static BOOL (WINAPI *pExtTextOutW)(_In_ HDC hdc, _In_ int x, _In_ int y, _In_ UINT options, _In_opt_ CONST RECT* lprect, _In_reads_opt_(c) LPCWSTR lpString, _In_ UINT c, _In_reads_opt_(c) CONST INT* lpDx) = ExtTextOutW;
BOOL WINAPI MyExtTextOutW(_In_ HDC hdc, _In_ int x, _In_ int y, _In_ UINT options, _In_opt_ CONST RECT* lprect, _In_reads_opt_(c) LPCWSTR lpString, _In_ UINT c, _In_reads_opt_(c) CONST INT* lpDx)
{
return ExtTextOutW(hdc, x, y, options, lprect, lpString, c, lpDx);
}
就上述这段代码(这个MyExtTextOutW函数就算return的前面什么代码都不加都会崩溃),我用DLL注入工具将我写的这段DLL注入各进程,然而每个被注入进程都会崩溃,求逆向人解答,我用的是VS2013,detours 版本Version 3.0 Build_343,都是32位被注入程序,编译成32位DLL,只是操作系统是64位的win10;
以下是StartHook:
void StartHook()
{
printf("StartHook\n");
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourAttach(&(PVOID&)pExtTextOutW, MyExtTextOutW);
DetourTransactionCommit();
}
这个StartHook调其他功能不错,但是被注入程序只要刷新或切换窗口调用到MyExtTextOutW时就会闪退。
最好也能顺便教教我怎样获取lpString的数据(钱可以再商量),我提取的全是“88888888888888……”
