hook对应的汇编码0x8B, 0xFF,0x55,0x8B, 0xEC, // mov ebp,esp

/**
 * Hardening helper: make kernel32!SetUnhandledExceptionFilter a no-op inside
 * this process so that later callers (CRT, third-party libraries, injected
 * code) cannot replace the unhandled-exception filter this process has
 * installed. The patch overwrites the function's first five bytes with a stub
 * that returns NULL (callers see "no previous filter") and unwinds the single
 * stdcall argument.
 *
 * The patch is 32-bit x86 specific (`ret 4`, `mov edi,edi` hot-patch
 * prologue). On a target whose prologue bytes differ — e.g. an x64 build,
 * or a function already patched by someone else — the byte comparison fails
 * and this function deliberately does nothing. TODO confirm the x64 build
 * really falls through that path.
 *
 * Failure handling is best-effort: a failed LoadLibraryA/GetProcAddress/
 * VirtualProtect simply skips the patch; no status is returned to the caller.
 */
void lockUnhandledExceptionFilter() {
    // kernel32 is already mapped in every Win32 process; this only takes an
    // extra reference that FreeLibrary() releases at the end.
    HMODULE kernel32 = LoadLibraryA("kernel32.dll");
    Assert(kernel32);
    // NOTE(review): if Assert() compiles out in release builds, a NULL handle
    // reaches GetProcAddress(); presumably it then fails and the patch is
    // skipped — confirm rather than rely on it.
    if (FARPROC gpaSetUnhandledExceptionFilter = GetProcAddress(kernel32, "SetUnhandledExceptionFilter")) {
        // Standard hot-patchable x86 function prologue. The 2-byte `mov edi,edi`
        // is a no-op placeholder Windows emits so the function can be patched.
        unsigned char expected_code[] = {
            0x8B, 0xFF, // mov edi,edi
            0x55,       // push ebp
            0x8B, 0xEC, // mov ebp,esp
        };
        // Only replace code we expect: this guards against patching an
        // unknown prologue (different OS build, architecture, or a prior hook)
        // and leaving a half-overwritten instruction behind.
        if (memcmp(expected_code, gpaSetUnhandledExceptionFilter, sizeof(expected_code)) == 0) {
            // Replacement stub: return 0 (no previous filter) and pop the one
            // 4-byte stdcall argument (LPTOP_LEVEL_EXCEPTION_FILTER).
            unsigned char new_code[] = {
                0x33, 0xC0,       // xor eax,eax
                0xC2, 0x04, 0x00, // ret 4
            };
            // The stub must cover exactly the bytes we verified, so no partial
            // instruction from the original prologue survives.
            BOOST_STATIC_ASSERT(sizeof(expected_code) == sizeof(new_code));
            DWORD old_protect;
            // Code pages are read/execute only; temporarily make the patched
            // range writable, copy the stub, then restore the old protection.
            if (VirtualProtect(gpaSetUnhandledExceptionFilter, sizeof(new_code), PAGE_EXECUTE_READWRITE, &old_protect)) {
                CopyMemory(gpaSetUnhandledExceptionFilter, new_code, sizeof(new_code));
                DWORD dummy;
                // NOTE(review): the restore and the cache flush below are
                // unchecked; a failed restore would leave the page writable.
                VirtualProtect(gpaSetUnhandledExceptionFilter, sizeof(new_code), old_protect, &dummy);
                // Self-modified code must be flushed so no stale decoded
                // instructions for this range are executed.
                FlushInstructionCache(GetCurrentProcess(), gpaSetUnhandledExceptionFilter, sizeof(new_code));
            }
        }
    }
    // Balances the LoadLibraryA() above; kernel32 itself stays loaded.
    FreeLibrary(kernel32);
}