偷樑換柱虛函數

• 作 者：安摧
• 時 間：2008-08-31 17:53
• 鏈 接：http://bbs.pediy.com/showthread.php?t=71775

hook類A的第三個函數

方法：比較麻煩，但是也是不難弄的。將類A的第三個虛函數指針替換成我們自己定義的地址。
如圖所示：

http://bbs.pediy.com/attachment.php?attachmentid=17704&d=1220176207

void* g_pAddr = 0;

int g_count = 0;

#include <iostream.h>

#pragma comment(linker,"/SECTION:.rdata,RW")

class A

{

public:

       int iVal1;

       int iVal2;

       virtual void print1()

       {

              cout<<"iVal1(A) = "<<iVal1<<endl;

       }

       virtual void print2()

       {

              cout<<"iVal2(A) = "<<iVal2<<endl;

       }

       virtual void print_all()

       {

              cout<<"iVal1(A) = "<<iVal1<<"/t/t"<<"iVal2(A) = "<<iVal2<<endl;

       }

       virtual void print_extern(int ext)

       {

              cout<<"ext(A) = "<<(ext+0)<<endl;

       }

};

class B

{

public:

       int iVal1;

       int iVal2;

       virtual void print1()

       {

              cout<<"iVal1(B) = "<<iVal1<<endl;

       }

       virtual void print2()

       {

              cout<<"iVal2(B) = "<<iVal2<<endl;

       }

       virtual void print_all()

       {

              cout<<"iVal1(B) = "<<iVal1<<"/t/t"<<"iVal2(B) = "<<iVal2<<endl;

       }

       virtual void print_extern(int ext)

       {

              cout<<"ext(B) = "<<(ext+100)<<endl;

       }

};

void load_hook(A* pA)

{

       _asm

       {

              push eax

              push ecx

              mov eax,dword ptr [pA]              //獲取對象指針

              mov eax,dword ptr [eax]              //獲取虛表地址

              add eax,8                             //獲取虛表中類A第三個函數指針的地址

              mov ecx,dword ptr [eax]              //取出類A第三個函數指針

              mov dword ptr [g_pAddr],ecx      //保存到g_pAddr變量中

              mov ecx,offset hook_proc     //替換爲hook_proc指針

              mov dword ptr [eax],ecx

     pop ecx

              pop eax

              jmp hook_end

       }

hook_proc:

       _asm

       {

              push ecx

       }

       g_count++;

       cout<<g_count<<" time(s) to invoke A::print_all()"<<endl;//A::print_all的記數

       _asm

       {

              pop ecx

              jmp dword ptr [g_pAddr]

       }

hook_end:

       cout<<"A::print_all() hooked!"<<endl;

}

void unload_hook(A* pA)

{

 _asm

    {

              push eax

              push ecx

              mov eax,dword ptr [pA]              //獲取對象指針

              mov eax,dword ptr [eax]              //獲取虛表地址

              add eax,8                             //獲取虛表中類A第三個函數指針的地址

              mov ecx,dword ptr [g_pAddr]      //取出事先保存的A::print_all()地址

              mov dword ptr [eax],ecx

              pop ecx

              pop eax

       }

       g_count = 0;

       cout<<"A::print_all() unhooked!"<<endl;

}

void main(void)

{

       A a;

       a.iVal1 = 0;

       a.iVal2 = 1;

       B b;

       b.iVal1 = 1000;

       b.iVal2 = 1001;

       A* pA = &a;

       B* pB = &b;

       load_hook(pA);

       pA->print1();

       pA->print_all();

       pA->print_all();

       pA->print_all();

       unload_hook(pA);

       pA->print1();

       pA->print_all();

       pA->print_all();

       pA->print_all();

}