以 IsDebuggerPresent 函数为例,可以看到可以上跳(简单),也可以下跳(复杂)。
上跳:
BYTE NewCodes[2] = { 0xEB,0xF9 };
BYTE JmpCode[5] = { 0xE9,0 };
BYTE oldCodes[2] = { 0 };BOOL Mydebug()
{return FALSE;
}void Hook()
{PVOID funaddr = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "IsDebuggerPresent");memcpy(oldCodes, funaddr, 2);//UnHook用DWORD lpflOldProtect;VirtualProtect((LPVOID)((DWORD)funaddr - 5), 7, PAGE_EXECUTE_READWRITE, &lpflOldProtect);memcpy(funaddr, NewCodes, 2);DWORD dwFuncAddr = ((DWORD)Mydebug - (DWORD)funaddr);*(DWORD*)(JmpCode + 1) = dwFuncAddr;memcpy((PVOID)((DWORD)funaddr - 5), JmpCode, 5);VirtualProtect((LPVOID)((DWORD)funaddr - 5), 7, lpflOldProtect, &lpflOldProtect);
}
可以看到确实跳转到自己的函数
下跳:
BYTE NewCodes[2] = { 0xEB,0x05 };
BYTE JmpCode[5] = { 0xE9,0 };
BYTE oldCodes[2] = { 0 };BOOL Mydebug()
{return FALSE;
}void Hook()
{PVOID funaddr = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "IsDebuggerPresent");memcpy(oldCodes, funaddr, 2);//unhook可以用DWORD lpflOldProtect;VirtualProtect(funaddr, 5, PAGE_EXECUTE_READWRITE, &lpflOldProtect);memcpy(funaddr, NewCodes, 2);VirtualProtect(funaddr, 5, lpflOldProtect, &lpflOldProtect);DWORD dwFuncAddr = ((DWORD)Mydebug - ((DWORD)funaddr + 0xc));*(DWORD*)(JmpCode + 1) = dwFuncAddr;VirtualProtect((LPVOID)((DWORD)funaddr + 7), 5, PAGE_EXECUTE_READWRITE, &lpflOldProtect);memcpy((PVOID)((DWORD)funaddr + 7), JmpCode, 5);VirtualProtect((LPVOID)((DWORD)funaddr + 7), 5, lpflOldProtect, &lpflOldProtect);
}
可以看到下跳也可以跳到自己的函数
+0xc怎么来的:
因为BYTE NewCodes[2] = { 0xEB,0x05 },往下跳7个字节,再加上你新的跳转地址5个字节,即12个字节(0—B)
偏移量的计算是:目标地址 - 跳转指令的下一条指令地址
如果是上跳,我们跳转指令的下一条指令地址就是目标函数的首地址,所以DWORD dwFuncAddr = ((DWORD)Mydebug - (DWORD)funaddr);
如果是下跳,我们跳转指令的下一条指令地址==(DWORD)funaddr + 0xc。