Steps:
Step 1: Build the Detours library. The project's source files are in the installation directory C:\Program Files\Microsoft Research\Detours Express 3.0\src.
(1) Open the VS2013 developer command prompt and change to the src directory.
(2) Run nmake there to build the static library; the build leaves detours.lib and detours.h under the lib.X86 and include directories next to src.
The principle of hijacking is to redirect calls to the target function into a custom function. A function is just a region of code in memory, so the hijack works on that code: Detours overwrites the first instructions of the target with a jump to the custom function and saves the displaced instructions in a trampoline, through which the original can still be called. The steps below use Detours to implement this.
Step 2: Copy the header (detours.h) and the static library (detours.lib) into the current project directory.
Step 3: Include the header and link the static library
#include <stdlib.h>
#include <stdio.h>
#include <string.h> // strstr, used by the filter in step 5
#include <Windows.h>
#include "detours.h" // The header copied in step 2
#pragma comment(lib, "detours.lib") // Link the static library copied in step 2
Step 4: Define a function pointer initialized to the original function. After DetourAttach it no longer points at system() itself but at the trampoline, which runs the original code; call through it whenever the original behaviour is wanted.
static int (*oldsystem)(const char *_Command) = system;
Step 5: Declare the new function with the same signature as the original (same return type, parameters and calling convention; a mismatch corrupts the stack or the arguments)
int newsystemA(const char *_Command)
{
// This acts as a gate: if the command is tasklist, block it; anything else is passed to the original.
//const char *p = strstr(_Command, "tasklist");
//if (p == NULL)
//{
//return oldsystem(_Command); // Not tasklist: run the original through the trampoline
//}
//else
//{
//printf("%s\n", _Command); // tasklist found: report it and refuse to execute
//return 0;
//}
// The active version below blocks every command: it prints it and never calls the original
printf("%s\n", _Command);
return 0;
}
// Step 6: Install the hook
void Hook()
{
DetourRestoreAfterWith(); // Undo any import-table edits left behind by DetourCreateProcessWithDll; harmless when there are none
DetourTransactionBegin(); // Open a transaction: attaches are queued until the commit
DetourUpdateThread(GetCurrentThread()); // Enlist this thread so Detours can adjust its instruction pointer if it sits inside the code being patched
// DetourAttach can be called several times in one transaction to hook several functions
DetourAttach((void **)&oldsystem, newsystemA); // Redirect system() to newsystemA; oldsystem now points at the trampoline
if (DetourTransactionCommit() != NO_ERROR) // Apply the patch; a failed commit leaves nothing hooked, so check it
printf("DetourAttach failed\n");
}
// Step 7: Remove the hook
void UnHook()
{
DetourTransactionBegin(); // Open a transaction
DetourUpdateThread(GetCurrentThread()); // Enlist this thread, as in Hook()
// DetourDetach can be called several times in one transaction to remove several hooks
DetourDetach((void **)&oldsystem, newsystemA); // Restore the original bytes of system(); oldsystem points at system() again
if (DetourTransactionCommit() != NO_ERROR) // Apply the removal and check the result
printf("DetourDetach failed\n");
}
// Step 8: Run main. The first calc opens; after Hook() the remaining calls are printed instead of executed
int main()
{
system("calc"); // Not hooked yet: the calculator starts
Hook();
system("calc"); // Hooked: printed, not executed
system("tasklist"); // Hooked: printed, not executed
//UnHook();
getchar();
return 0;
}
Of course, the same hook can also be applied to other processes: build it into a DLL and load that DLL into the target process.
Injection method: export a function that installs the hook, so the injector can call it once the DLL is loaded
__declspec(dllexport) void go()
{
Hook();
}
Note here: switch the build from Debug to Release when hijacking. The address you hook must be the system() that the target process actually calls; if the target uses a different C runtime than your DLL, take the address from that runtime module (GetProcAddress) rather than relying on the system symbol linked into your own DLL.
With this in place you can hijack system(), that is, stop it from creating a new process: once system() is hooked, every call to it in the target goes through newsystemA first, and newsystemA decides whether the original ever runs.
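As an added example (not code from the page, and not the Detours project's own code), the hook from steps 4 to 8 packaged the way the injection method needs it: a DLL that installs the hook from DllMain or from the exported go(), checks the result of every DetourTransactionCommit, guards against installing twice, and filters commands with a check that improves on the strstr test of step 5 (case-insensitive, ignores paths, quotes and a trailing .exe, and sees through cmd.exe operators such as & and >). The names hooked_system, real_system, install_hook, remove_hook, command_invokes and blocked_by_policy and the blocked-program list are this example's own assumptions; the Detours calls are the 3.0 API used above. The filter is portable C so it can be compiled and tested anywhere; the Win32 and Detours parts are compiled only when _WIN32 is defined.

```c
/*
 * Added example, not code from the original page or from Detours: a Detours
 * hook for system() packaged as an injectable DLL.  The command filter is
 * portable C; the Win32/Detours parts are compiled only on Windows.
 * The blocked-program list below is an assumed policy.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Programs the hook refuses to run (assumed policy; the page only blocks tasklist). */
static const char *const g_blocked[] = { "tasklist" };
#define N_BLOCKED (sizeof g_blocked / sizeof g_blocked[0])

/* Case-insensitive string equality: Windows program names are not case-sensitive. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Token separators: whitespace plus the cmd.exe operators that can glue a
   program name to the next word, e.g. "calc&tasklist" or "tasklist>out.txt". */
static int is_sep(char c)
{
    return c == ' ' || c == '\t' || c == '>' || c == '<' || c == '|' || c == '&';
}

/* Return 1 if any token of cmd names a blocked program.  Each token is reduced
   to its basename, stripped of quotes and a trailing ".exe", and compared
   case-insensitively, so "TASKLIST", "C:\Windows\System32\tasklist.exe" and
   "cmd /c tasklist" are all caught while "notepad tasklisting.txt" is not.
   A plain strstr(cmd, "tasklist") gets several of these cases wrong. */
int command_invokes(const char *cmd, const char *const blocked[], size_t nblocked)
{
    const char *p = cmd;
    while (*p) {
        char tok[260];
        char *base;
        size_t n = 0, len, i;

        while (*p && is_sep(*p))
            p++;
        if (!*p)
            break;
        while (*p && !is_sep(*p)) {
            if (*p != '"' && n < sizeof tok - 1)   /* drop quotes, keep the rest */
                tok[n++] = *p;
            p++;
        }
        tok[n] = '\0';

        base = tok;                               /* basename: text after the last path separator */
        for (i = 0; tok[i]; i++)
            if (tok[i] == '\\' || tok[i] == '/')
                base = tok + i + 1;
        len = strlen(base);
        if (len > 4 && ieq(base + len - 4, ".exe")) /* an explicit .exe extension is optional on Windows */
            base[len - 4] = '\0';
        for (i = 0; i < nblocked; i++)
            if (ieq(base, blocked[i]))
                return 1;
    }
    return 0;
}

/* Convenience wrapper over the assumed policy above. */
int blocked_by_policy(const char *cmd)
{
    return command_invokes(cmd, g_blocked, N_BLOCKED);
}

#ifdef _WIN32
#include <windows.h>
#include "detours.h"
#pragma comment(lib, "detours.lib")

/* Points at the real system() before DetourAttach and at the trampoline afterwards. */
static int (__cdecl *real_system)(const char *) = system;
static int g_installed = 0;

static int __cdecl hooked_system(const char *cmd)
{
    if (cmd != NULL && blocked_by_policy(cmd)) {
        printf("blocked: %s\n", cmd);
        return -1;                      /* the value a failed system() call returns */
    }
    return real_system(cmd);            /* everything else runs through the trampoline */
}

static LONG install_hook(void)
{
    LONG rc;
    if (g_installed)                    /* attaching twice would detour the trampoline itself */
        return NO_ERROR;
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourAttach((PVOID *)&real_system, (PVOID)hooked_system);
    rc = DetourTransactionCommit();     /* NO_ERROR on success; nothing is patched otherwise */
    g_installed = (rc == NO_ERROR);
    return rc;
}

static LONG remove_hook(void)
{
    LONG rc;
    if (!g_installed)
        return NO_ERROR;
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourDetach((PVOID *)&real_system, (PVOID)hooked_system);
    rc = DetourTransactionCommit();
    g_installed = (rc != NO_ERROR);
    return rc;
}

/* Kept for injectors that call an exported function, as the page's go() does. */
__declspec(dllexport) void go(void)
{
    install_hook();
}

/* Hook on load and unhook on unload, so the DLL also works with loaders that
   never call go() (DetourCreateProcessWithDll, CreateRemoteThread + LoadLibrary). */
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    (void)hinst; (void)reserved;
    if (DetourIsHelperProcess())        /* Detours' own 32/64-bit helper must not be hooked */
        return TRUE;
    if (reason == DLL_PROCESS_ATTACH) {
        DetourRestoreAfterWith();
        return install_hook() == NO_ERROR;  /* FALSE fails the load rather than running unhooked */
    }
    if (reason == DLL_PROCESS_DETACH)
        remove_hook();
    return TRUE;
}
#endif
```

Build the file as a DLL in Release mode with detours.h and detours.lib beside it, as in steps 2 and 3, and load it into the target. Returning -1 from hooked_system rather than 0 matters when the caller inspects the result: 0 would tell it the command succeeded.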