Held:

The first step:

Compile the Detours project. The project's source files are in the src directory of the installation directory, C:\Program Files\Microsoft Research\Detours Express 3.0\src.

(1) Open the VS2013 command-line tool and go to the src directory.

(2) Use the nmake command to compile the static library.

The principle of hijacking is to change the pointer to the target function so that it points at the address of our own function. A function is a region of code placed in memory, so hijacking works on those code regions, and Detours is the library we use to do it.


Step 2: Place the required header and static library files (detours.h and detours.lib) in the current project path.

Step 3: Include the headers and link the static library:

#include <stdlib.h>
#include <stdio.h>
#include <string.h>   // strstr, used by the filtering version of the hook
#include <Windows.h>
#include "detours.h"  // Load the header from step 3
#pragma comment(lib, "detours.lib") // Link the static library

Step 4: Define a pointer that holds the original function (system), so the hook can still call it

static int (*oldsystem)(const char *_Command) = system;

Step 5: Declare a new function with the same signature as the original function

int newsystemA(const char *_Command)
{
    // This acts like a lock: if the command is tasklist, hijack it and do not let it run.
    // Filtering version (commented out):
    //char *p = strstr(_Command, "tasklist");
    //if (p == NULL)
    //{
    //    return oldsystem(_Command); // not tasklist: run the original
    //}
    //else
    //{
    //    printf("%s", _Command); // found: print it and disable execution
    //    return 0;
    //}
    // Unconditional version used below: print the command and refuse to execute it.
    printf("%s", _Command);
    return 0;
}

// Step 6: Start intercepting
void Hook()
{
    DetourRestoreAfterWith();                 // Restore the import table if this process was started with DetourCreateProcessWithDll
    DetourTransactionBegin();                 // Interception begins
    DetourUpdateThread(GetCurrentThread());   // Enlist the current thread in the transaction
    // DetourAttach can be called several times in a row to hook several functions
    DetourAttach((void **)&oldsystem, newsystemA); // Redirect system() to newsystemA; oldsystem now points at the trampoline
    DetourTransactionCommit();                // Interception takes effect
}

// Step 7: Cancel the intercept
void UnHook()
{
    DetourTransactionBegin();                 // Transaction begins
    DetourUpdateThread(GetCurrentThread());   // Enlist the current thread in the transaction
    // DetourDetach can be called several times in a row to remove several function hooks
    DetourDetach((void **)&oldsystem, newsystemA); // Remove the hook; oldsystem points at system again
    DetourTransactionCommit();                // Removal takes effect
}

// Step 8: run the main function, and you are done
int main()
{
    system("calc");     // not yet hooked: calc starts
    Hook();
    system("calc");     // hooked: newsystemA prints the command instead of running it
    system("tasklist"); // hooked: same
    //UnHook();
    getchar();
    return 0;
}
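The replacement function above refuses every command, and the commented-out lines sketch a filter that only refuses tasklist. As an added example (not code from the original post), here is a portable C version of that filter and replacement: it normalises the program name (leading blanks, quoted paths, directories, .exe suffix, case) before checking a constructed deny list, forwards allowed commands through the oldsystem pointer, and logs blocked ones. The names are my own; the Detours calls are omitted so it compiles with any C compiler, and set_oldsystem()/recording_system() exist only to observe forwarding without spawning a shell.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef int (*system_fn)(const char *);
/* Constructed deny list: program names the hook refuses to run. */
static const char *const kDenied[] = { "tasklist", "calc" };
/* Forwarding target for allowed commands. With Detours, DetourAttach rewrites this
   pointer to the trampoline; here it simply starts at the CRT's real system(). */
static system_fn oldsystem = system;
/* Test double: records the command instead of spawning a shell. */
static char last_forwarded[256];
int recording_system(const char *cmd) {
    snprintf(last_forwarded, sizeof last_forwarded, "%s", cmd ? cmd : "(null)");
    return 0;
}
const char *last_forwarded_command(void) { return last_forwarded; }
void set_oldsystem(system_fn fn) { oldsystem = fn ? fn : system; }
/* Copy the program name of a command line into name[]: skip leading blanks, honour a
   quoted path, drop directories and a trailing ".exe", and lower-case the result. */
static void program_name(const char *cmd, char *name, size_t n) {
    while (*cmd == ' ' || *cmd == '\t') cmd++;
    char quote = (*cmd == '"') ? *cmd++ : 0;
    size_t len = 0;
    for (; *cmd && len + 1 < n; cmd++) {
        if (quote ? *cmd == quote : (*cmd == ' ' || *cmd == '\t')) break;
        if (*cmd == '\\' || *cmd == '/') { len = 0; continue; } /* restart after a separator */
        name[len++] = (char)tolower((unsigned char)*cmd);
    }
    name[len] = '\0';
    if (len > 4 && strcmp(name + len - 4, ".exe") == 0) name[len - 4] = '\0';
}
/* 1 if the command's program is on the deny list, else 0. */
int system_is_denied(const char *cmd) {
    char name[64];
    program_name(cmd, name, sizeof name);
    for (size_t i = 0; i < sizeof kDenied / sizeof kDenied[0]; i++)
        if (strcmp(name, kDenied[i]) == 0) return 1;
    return 0;
}
/* Replacement for system(): same signature as the original. */
int newsystem(const char *cmd) {
    if (cmd == NULL) return oldsystem(cmd);   /* system(NULL) only asks whether a shell exists */
    if (system_is_denied(cmd)) {
        fprintf(stderr, "[hook] blocked: %s\n", cmd);   /* log it, do not execute */
        return -1;
    }
    return oldsystem(cmd);   /* forward everything else unchanged */
}
```

In the Detours build, newsystem would be passed to DetourAttach in place of newsystemA and oldsystem would be the attached pointer; everything else stays the same.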

Of course, we can also hijack other processes with the following method.

Injection method: build the code as a DLL that exports a function which installs the hook:

__declspec(dllexport) void go()
{
    Hook();
}

Note: switch the build from Debug mode to Release mode when hijacking.

Finally, you can hijack system itself, that is, prevent it from creating processes. Hijacking "the system" here means hijacking the system function.