Environment:
- VS 2019
- x64dbg
I use Visual Studio to compile a DLL and run an injector to attach this DLL to the target thread, which is being debugged by x64dbg.
I use Detours to hook it, and when I try to install a hook on a function, it always/often tells me 9L ERROR_INVALID_BLOCK.
The solution is to remove the breakpoints in x64dbg!
The breakpoint was on the address we are going to hook, and x64dbg holds on to this memory to make the program stop.
So we cannot write our hook code into the target memory.
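Why does Detours keep telling me ERROR 9 ERROR_INVALID_BLOCK?
Because I had set a breakpoint with x64dbg at the place I was about to hook, so Detours could not write into that memory.
Just remove or disable the breakpoint!
My guess is that the debugger changed the code at my breakpoint to INT 3; in any case, with the debugger holding it, I could not write into it...
I tried for a long time and kept failing, and only found this pitfall while debugging a hook I had written myself!
My knowledge is shallow and my skills are unpolished Σ(lliд゚ノ)ノ ┳━┳ノ( OωOノ)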
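The breakpoint situation described above can be checked for before a hook is installed. The following is an added example, not code from the original post: it compares the bytes at the hook site with a reference copy and reports the offsets where a 0xCC byte (the INT3 opcode a software breakpoint writes) has appeared. The helper name, the sample bytes and the use of a reference copy are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

constexpr std::uint8_t kInt3 = 0xCC;  // opcode a software breakpoint writes

// Hypothetical helper: returns the offsets in [0, len) where the live code
// holds 0xCC but the reference copy (for example the same bytes read from the
// module file on disk) does not. Comparing against a reference keeps a 0xCC
// that is a genuine operand byte from being reported as a breakpoint.
std::vector<std::size_t> planted_breakpoints(const std::uint8_t* live,
                                             const std::uint8_t* reference,
                                             std::size_t len) {
    std::vector<std::size_t> hits;
    for (std::size_t i = 0; i < len; ++i)
        if (live[i] == kInt3 && reference[i] != kInt3) hits.push_back(i);
    return hits;
}

// Constructed sample prologue: push ebp; mov ebp, esp; sub esp, 0xCC.
// Nine bytes = the whole instructions a 5-byte jmp patch would cut into.
// The immediate of the last instruction holds a real 0xCC at offset 5.
const std::uint8_t kReference[9] = {0x55, 0x8B, 0xEC,
                                    0x81, 0xEC, 0xCC, 0x00, 0x00, 0x00};
// Same bytes as seen in memory with a breakpoint set on the first instruction.
const std::uint8_t kLive[9] = {0xCC, 0x8B, 0xEC,
                               0x81, 0xEC, 0xCC, 0x00, 0x00, 0x00};

int main() {
    auto hits = planted_breakpoints(kLive, kReference, sizeof kLive);
    for (std::size_t off : hits)
        std::printf("breakpoint byte at target+%zu, remove it before hooking\n", off);
    if (hits.empty()) std::puts("hook site matches the reference bytes");
    return 0;
}
```

In the injected DLL the live pointer would be the hook target cast to a byte pointer; only the entry breakpoint at offset 0 is reported for the sample, while the operand byte at offset 5 is not.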
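By the way, here is a hooker I just wrote.
This hook is meant for overwriting the ```push ebp;``` at the head of the target function and jumping to our handler function.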
```cpp
#include <windows.h>

LPVOID target;  // address of the first byte of the hooked function

// LOG is the author's own logging macro; it is not defined in this snippet.
void f_myhookfunc(LPVOID param) {
    LOG("Hooked!");
}

void __declspec(naked) f_myhooker(LPVOID param) {
    __asm { // back up registers
        push ebp;
        mov ebp, esp;
        pushfd;
        pushad;
    }
    f_myhookfunc(param);
    __asm { // restore registers
        mov eax, ebp;
        sub eax, 0x24;   // pushfd (4 bytes) + pushad (32 bytes)
        mov esp, eax;
        popad;
        popfd;
        mov esp, ebp;
        pop ebp;
    }
    __asm { // trampoline: the original asm code we overwrote
        push ebp;
        // ......
    }
    __asm { // continue at the next instruction in the original section
        push target;
        add dword ptr [esp], 5;
        ret;
    }
}
```
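* Likewise, if you need an inline hook, i.e. a hook at an arbitrary location, just change the ```push ebp;``` at the start of the code.
* The hook sets up its own stack frame at the start so that passing the argument param is easy to write, and also to locate where pushfd/pushad sit on the stack (the 0x24 above).
* The final return part cannot simply be ```jmp target+5```, because target is a pointer, and adding five would land on some other address (it is not the value that gets five added).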