Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
785 views
in Technique[技术] by (71.8m points)

c++ - finding a loaded dll using a CreateToolHelp32Snapshot, finding a function within the dll and then calling it, GetProcAddress

I'm trying to get a handle to a function within a .dll. I am creating a CreateToolHelp32Snapshot and then enumerating over the modules until I find the one I want, from that .dll I want to find a particular function. How do I call GetProcAddress() correctly so that I get the function within 'that' .dll rather than another instance that may be running?

The continuation from the above question would then be, ok so I have a handle to the function, how do I actually call it?

EDIT: As has already been pointed out. I am already in the 3rd party app address space. If getprocaddress will not work, how do I get the entry point for the function using readprocessmemory and necessary offset?

Thanks.

HANDLE h_th_32snap =  CreateToolhelp32Snapshot(0x8u, pid);
if( h_th_32snap == INVALID_HANDLE_VALUE )
  {
    printError( TEXT("CreateToolhelp32Snapshot (of modules)") );
    return( FALSE );
  }

  // Set the size of the structure before using it.
  me32.dwSize = sizeof( MODULEENTRY32 );

  // Retrieve information about the first module,
  // and exit if unsuccessful
  if( !Module32First( h_th_32snap, &me32 ) )
  {
    printError( TEXT("Module32First") );  // show cause of failure
    CloseHandle( h_th_32snap );           // clean the snapshot object
    return( FALSE );
  }

  // Now walk the module list of the process,
  // and display information about each module

  BYTE *d_pointer_qtgui4_dll = 0x0;
  do
  {
    _tprintf( TEXT("

     MODULE NAME:     %s"),   me32.szModule );
    _tprintf( TEXT("
     Executable     = %s"),     me32.szExePath );
    _tprintf( TEXT("
     Process ID     = 0x%08X"),         me32.th32ProcessID );
    _tprintf( TEXT("
     Ref count (g)  = 0x%04X"),     me32.GlblcntUsage );
    _tprintf( TEXT("
     Ref count (p)  = 0x%04X"),     me32.ProccntUsage );
    _tprintf( TEXT("
     Base address   = 0x%08X"), (DWORD) me32.modBaseAddr );
    _tprintf( TEXT("
     Base size      = %d"),             me32.modBaseSize );

    if(!wcsncmp(me32.szModule, L"QtGui4.dll", 255))
    {

              FARPROC test = GetProcAddress(GetModuleHandle( L"QtGui4.dll"),"?rowsInserted@QListView@@MAEXABVQModelIndex@@HH@Z");

    }

  } while( Module32Next( h_th_32snap, &me32 ) );

  CloseHandle( h_th_32snap );

Greg, I would be interested to know why this is wrong? It doesn't throw any errors but it doesn't work either!

function prototype:

QWidget * QWidget::find ( WId id )   [static];

My attempt to call it:

hDLL = GetModuleHandle( L"QtGui4.dll");
if (hDLL != NULL)
{

   func pointer_find = (func)GetProcAddress(hDLL,"?find@QWidget@@SAPAV1@PAUHWND__@@@Z");

   if (!pointer_find)
   {
      // handle the error
      FreeLibrary(hDLL);       
      //return SOME_ERROR_CODE;
   }
   else
   {
      // call the function
       widget = pointer_find(my_hwnd);
   }
}
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Not possible, GetProcAddress() requires a module handle. A HMODULE is only valid inside the process in which it was obtained. You would have to do the same kind of thing that GetProcAddress() does, iterating the IAT to find the entrypoint. And apply the base address offset. This is beyond painful to do for another process since you cannot directly access the memory to read the IAT. ReadProcessMemory is required.

Injecting code in the target process is the only reasonable approach. Which is also required to do what I presume you'd want to do next, call the function. Code injection techniques are covered well at codeproject.com


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...