资源管理器在 CreateProcess 挂钩上崩溃

Question

我在 explorer.exe 中注入一个 DLL 来挂钩 CreateProcess，这样我可以在用户打开一些可执行文件时进行拦截（我选择这个挂钩方法是因为我想了解更多关于挂钩的信息，我知道可以使用WMI 或其他方式）。 我用来挂钩的库是： DDetours

钩子正在工作，我执行的每个应用程序都会弹出我在 HookProc 中设置的消息框，但在消息框之后，explorer.exe 崩溃。 注入 DLL 的代码工作正常，如果我只注入一个空 dll 或只有一个消息框的 dll，一切正常。所以我相信问题出在钩子设置的某个地方。这是DLL代码：

library DLL;

uses
  Windows, DDetours;

{$R *.res}

var
  CreateProcessHook: function(var lpApplicationName:String;
            lpCommandLine:String;
            lpProcessAttributes:IntPtr;
            lpThreadAttributes:IntPtr;
            bInheritHandles:Boolean;
            dwCreationFlags:Int32;
            lpEnvironment:IntPtr;
            lpCurrentDirectory:IntPtr;
            lpStartupInfo:STARTUPINFO;
            lpProcessInformation:PROCESS_INFORMATION): Boolean; stdcall = nil;

function InterceptCreateProcess(lpApplicationName:String;
            lpCommandLine:String;
            lpProcessAttributes:IntPtr;
            lpThreadAttributes:IntPtr;
            bInheritHandles:Boolean;
            dwCreationFlags:Int32;
            lpEnvironment:IntPtr;
            lpCurrentDirectory:IntPtr;
            lpStartupInfo:STARTUPINFO;
            lpProcessInformation:PROCESS_INFORMATION): Boolean; stdcall;
  begin
    MessageBoxA(0, 'Process created :)', 'Hooked', 0);
  end;

procedure DLLMain(dwReason: DWORD);
begin
  case dwReason of
  DLL_PROCESS_ATTACH:
  begin
    MessageBoxA(0,'Injected', 'Injected', MB_OK);
    @CreateProcessHook:= InterceptCreate(@CreateProcess, @InterceptCreateProcess);
  end;
  end;
end;

begin
 DLLProc := @DLLMain;
 DLLMain(DLL_PROCESS_ATTACH);
end.

如您所见，InterceptCreateProcess 只显示一个消息框，当我打开一些可执行文件时，它正在工作，但如上所述，资源管理器崩溃。我认为这与 CreateProcess 函数变量的声明有关。有小费吗？ 一切都是 64 位

Answer 1

您的CreateProcess 绕道签名完全错误。该函数是一个 Win32 函数，不能对 Delphi 字符串进行操作。最后两个参数是指向结构的指针。

第一步是修复这些签名。使用 RTL 中 Windows 单元的签名。

看起来像这样：

function CreateProcessW(
  lpApplicationName: PWideChar;
  lpCommandLine: PWideChar;
  lpProcessAttributes: PSecurityAttributes;
  lpThreadAttributes: PSecurityAttributes;
  bInheritHandles: BOOL;
  dwCreationFlags: DWORD;
  lpEnvironment: Pointer;
  lpCurrentDirectory: PWideChar;
  const lpStartupInfo: STARTUPINFO;
  var lpProcessInformation: PROCESS_INFORMATION
): BOOL; stdcall;

Answer 2

您的钩子函数与CreateProcess() 的正确签名不匹配。试试这个：

library DLL;

uses
  Windows, DDetours;

{$R *.res}

var
  CreateProcessHook: function(lpApplicationName: PChar;
            lpCommandLine: PChar;
            lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
            bInheritHandles: BOOL;
            dwCreationFlags: DWORD;
            lpEnvironment: Pointer;
            lpCurrentDirectory: PChar;
            const lpStartupInfo: STARTUPINFO;
            var lpProcessInformation: PROCESS_INFORMATION): BOOL; stdcall = nil;

function InterceptCreateProcess(lpApplicationName: PChar;
            lpCommandLine: PChar;
            lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
            bInheritHandles: BOOL;
            dwCreationFlags: DWORD;
            lpEnvironment: Pointer;
            lpCurrentDirectory: PChar;
            const lpStartupInfo: STARTUPINFO;
            var lpProcessInformation: PROCESS_INFORMATION): BOOL; stdcall;
begin
  Result := CreateProcessHook(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);    
  MessageBox(0, 'CreateProcess', 'Hooked', 0);
end;

procedure DLLMain(dwReason: DWORD);
begin
  case dwReason of
    DLL_PROCESS_ATTACH:
    begin
      @CreateProcessHook := InterceptCreate(@CreateProcess, @InterceptCreateProcess);
      MessageBox(0, 'Injected', 'Injected', MB_OK);
    end;
    DLL_PROCESS_DETACH:
    begin
      InterceptRemove(@CreateProcessHook);
    end;
  end;
end;

begin
 DLLProc := @DLLMain;
 DLLMain(DLL_PROCESS_ATTACH);
end.