// Make 100 bytes of memory readable, writable and executable
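/*
 * Make the 100-byte span starting at `address` readable, writable and
 * executable by calling mprotect() on every page the span touches.
 *
 * `address` is an int, so on LP64 targets a pointer cast to it is truncated;
 * this listing targets a 32-bit process (see the 0x0809F870 addresses below).
 *
 * Returns 0 when every mprotect() call succeeded and a non-zero value
 * otherwise (errno is left as mprotect() set it).  The original only
 * returned the result of the last of 100 calls, so a failure on an earlier
 * page was lost and "mprotect Error!" was printed up to 100 times.
 *
 * An RWX page defeats W^X; callers should restore the original protection
 * once the patch has been written.
 */
int gvfix_mprotect(int address)
{
    enum { SPAN_BYTES = 100, PAGE_BYTES = 4096 };
    uintptr_t page_mask = ~(uintptr_t)(PAGE_BYTES - 1);
    uintptr_t first = (uintptr_t)address & page_mask;
    uintptr_t last = ((uintptr_t)address + SPAN_BYTES - 1) & page_mask;
    int ret = 0;

    /* A span that wraps around the end of the address space is an error. */
    if (last < first) {
        return -1;
    }

    /* One call per page instead of one per byte: at most two pages here. */
    for (uintptr_t page = first; page <= last; page += PAGE_BYTES) {
        int rc = mprotect((void *)page, PAGE_BYTES,
                          PROT_WRITE | PROT_EXEC | PROT_READ);
        if (rc) {
            printf("mprotect Error!\n");
            if (ret == 0) {
                ret = rc; /* remember the first failure, keep going */
            }
        }
    }
    return ret;
}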
// Generic detour: srcfun = original function, desfun = replacement, srcfun_new = buffer that
// receives the relocated copy of the original's first bytes, delength = extra bytes to relocate
// beyond the 5-byte jmp (default 0 = 5 bytes; if the hook crashes the process, try 1 or 2 so
// the copy does not cut an assembly instruction in half).
//
// NOTE(review): the loop header on the `for (i=0;i` line is truncated in this listing (the
// upper bound was lost, probably to HTML extraction); the code as shown does not compile.
// Every write below goes through a char*/unsigned int* cast into executable memory and relies
// on the x86 `E9 rel32` encoding; this is undefined behaviour in ISO C and specific to 32-bit
// x86 (the (int) casts truncate pointers on LP64 targets).  Both gvfix_mprotect() results are
// ignored, so a failed protection change is followed by a write that will fault.
void gvfix_detourfun(unsigned int srcfun,unsigned int desfun,char* srcfun_new,int delength)
{
//make the trampoline array executable (RWX); return value not checked
gvfix_mprotect((int)srcfun_new);
int i;
for (i=0;i
{
*(char*)(srcfun_new + i ) = *(char*)(srcfun + i ); // copy the original's leading bytes into the trampoline
}
*(char*)(srcfun_new + delength+5) = 0xE9; //jmp
*(unsigned int*)(srcfun_new + delength+6 ) = srcfun -((unsigned int)srcfun_new + delength+6); // rel32 displacement back toward srcfun
gvfix_mprotect((int)srcfun); // make the original function's page writable; return value not checked
*(char*)(srcfun+ 0 ) = 0xE9; //jmp
*(unsigned int* )(srcfun+ 1 ) = desfun -4 -(srcfun+ 1 ); // rel32 to desfun, overwriting the original's first 5 bytes
return;
}
// Trampoline buffer: receives the relocated copy of the original function's first bytes
// (filled by gvfix_detourfun) and is later called through a function-pointer cast.
// 0809F870 is the address of the original NF_PETMAIL_CenterCheck in the target binary.
// A plain global char array is normally not in executable memory; gvfix_detourfun changes
// its page to RWX at runtime, which is what makes the later call into it possible.
char NF_PETMAIL_CenterCheck_new[128];//0809F870
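// Replacement installed over the original function at 0x0809F870 (see the getpid()
// interposer below).  The original sits in the main loop; this version does nothing
// except sleep 10 ms, then continues into the relocated copy of the original's first
// bytes in NF_PETMAIL_CenterCheck_new, which is expected to carry on into the original.
// For a hooked function with arguments and a return value the same call through the
// trampoline looks like:
//   (*(int (*)(char*, int, int, int, int, int, int))(int)NF_somefunction_new)(a, b, c, d, e, f, g)
//
// Fix: the original definition had no return type (implicit int, removed in C99) and an
// empty parameter list; it is now an explicit void(void).  Calling through a char array
// cast to a function pointer is undefined behaviour in ISO C and only works because the
// array's page was made RWX; the (int) cast truncates the pointer on 64-bit targets.
void NF_PETMAIL_CenterCheck(void)
{
    usleep(10000);
    (*(void (*)(void))(int)NF_PETMAIL_CenterCheck_new)();
}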
// LD_PRELOAD interposer for getpid(): on the first call it resolves the real getpid from
// libc.so.6 and, as a side effect, installs the detour on the target function.  Every
// later call goes straight to the real getpid.
// NOTE(review): on dlopen/dlsym failure this returns -1, which is not a valid pid and is
// not something callers of getpid() expect; the dlopen handle is never dlclose()d.  Tying
// the one-time setup to a libc symbol means it runs whenever something in the process
// first calls getpid(), and the preloaded object stays visible in the process's
// loaded-module list and LD_PRELOAD environment, which is where this kind of
// interposition is usually spotted.
pid_t getpid(void)
{
static pid_t(* realgetpid)(void)=NULL; // resolved once; a data race if two threads make the first call concurrently
if(realgetpid==NULL)
{
void *handle=NULL;
char *error=NULL;
handle = dlopen("libc.so.6", RTLD_LAZY);
// dlerror() returns and clears the pending error, so it must be read right after each call
if ((error = dlerror()) != NULL)
{
puts(error);
return -1;
}
realgetpid = dlsym(handle, "getpid");
if ((error = dlerror()) != NULL)
{
puts(error);
return -1;
}
//todo: hook other functions
printf("already hack\n");
gvfix_detourfun(0x0809F870,(int )NF_PETMAIL_CenterCheck,NF_PETMAIL_CenterCheck_new,0); // original at 0x0809F870, delength 0
//endtodo
}
return realgetpid();
}