类型定义
// Function-pointer types for the ntdll export LdrSetDllManifestProber and the three
// callbacks it takes. The prototypes are declared locally on this page; the usage
// example resolves the export by name with GetProcAddress.

// Manifest prober callback. Takes a module handle and a full DLL path and hands an
// activation context back through ActivationContext.
using PLDR_MANIFEST_PROBER_ROUTINE = NTSTATUS ( NTAPI * )(
    IN HMODULE DllBase,
    IN PCWSTR FullDllPath,
    OUT PHANDLE ActivationContext );

// Language-specific activation-context callback. The first argument's meaning is
// not known (it is named Unk); the usage example passes NULL for this callback.
// NOTE: the "ROURINE" spelling is part of the type name and is kept as-is.
using PLDR_ACTX_LANGUAGE_ROURINE = NTSTATUS ( NTAPI * )(
    IN HANDLE Unk,
    IN USHORT LangID,
    OUT PHANDLE ActivationContext );

// Release callback for an activation context handle. The usage example passes
// ReleaseActCtx here.
using PLDR_RELEASE_ACT_ROUTINE = void ( NTAPI * )(
    IN HANDLE ActivationContext );

// Pointer type for LdrSetDllManifestProber itself: registers the three callbacks.
using fnLdrSetDllManifestProber = VOID ( NTAPI * )(
    IN PLDR_MANIFEST_PROBER_ROUTINE ManifestProberRoutine,
    IN PLDR_ACTX_LANGUAGE_ROURINE CreateActCtxLanguageRoutine,
    IN PLDR_RELEASE_ACT_ROUTINE ReleaseActCtxRoutine );
使用示范
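// DLL-load callback registered through LdrSetDllManifestProber (see _tmain).
// Builds an activation context from the isolation-aware manifest resource of the
// given module and hands it back through ActivationContext.
//
//   DllBase           - module handle; used as ACTCTXW::hModule.
//   FullDllPath       - module path; logged and used as ACTCTXW::lpSource.
//   ActivationContext - slot that is read on entry and overwritten on exit.
//
// Returns STATUS_INVALID_PARAMETER when ActivationContext is NULL or the slot holds
// zero on entry, STATUS_RESOURCE_NAME_NOT_FOUND when CreateActCtxW fails, and
// STATUS_SUCCESS once the new context has been stored in the slot.
NTSTATUS NTAPI ProbeCallback( IN HMODULE DllBase, IN PCWSTR FullDllPath, OUT PHANDLE ActivationContext )
{
    // Validate the out pointer before its first dereference; the log line below
    // already reads *ActivationContext.
    if (ActivationContext == NULL)
        return STATUS_INVALID_PARAMETER;

    wprintf( L"ProbeCallback: Base %p, path '%ls', context %p\r\n", DllBase, FullDllPath, *ActivationContext );

    // NOTE(review): this tests the value stored in the slot, not the pointer. It is
    // kept exactly as the page has it; confirm against the caller's contract.
    if (!*ActivationContext)
        return STATUS_INVALID_PARAMETER;

    HANDLE actx = NULL;
    ACTCTXW act = { 0 };

    act.cbSize = sizeof( act );
    act.dwFlags = ACTCTX_FLAG_RESOURCE_NAME_VALID | ACTCTX_FLAG_HMODULE_VALID;
    act.lpSource = FullDllPath;
    act.hModule = DllBase;
    act.lpResourceName = ISOLATIONAWARE_MANIFEST_RESOURCE_ID;

    // Reset pointer, crucial for x64 version
    *ActivationContext = 0;

    actx = CreateActCtxW( &act );

    // Report no manifest is present. Every CreateActCtxW failure takes this path;
    // GetLastError() is not consulted, so other failure causes look the same here.
    if (actx == INVALID_HANDLE_VALUE)
        return STATUS_RESOURCE_NAME_NOT_FOUND;

    *ActivationContext = actx;

    return STATUS_SUCCESS;
}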
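// Usage example: look up LdrSetDllManifestProber in ntdll.dll, register
// ProbeCallback as the manifest prober (with ReleaseActCtx as the release routine),
// then load winhttp.dll as a test so the callback has a DLL load to observe.
// Always returns 0.
int _tmain(int argc, _TCHAR* argv[])
{
    // Resolve the export by name. Either lookup step can fail, so the pointer is
    // only called after it has been checked.
    fnLdrSetDllManifestProber LdrSetDllManifestProber = NULL;
    if (HMODULE ntdll = GetModuleHandleW( L"ntdll.dll" ))
        LdrSetDllManifestProber = (fnLdrSetDllManifestProber)GetProcAddress( ntdll, "LdrSetDllManifestProber" );

    // The original guard was `if (ptr);` - the stray semicolon made it an empty
    // statement, so a failed lookup led straight to a call through a NULL pointer.
    if (LdrSetDllManifestProber)
        LdrSetDllManifestProber( &ProbeCallback, NULL, &ReleaseActCtx );
    else
        wprintf( L"LdrSetDllManifestProber not found in ntdll.dll; prober not registered\r\n" );

    // Test load of winhttp. A bare file name is resolved through the DLL search
    // order, so a same-named DLL earlier in that order would be loaded instead;
    // restricting the search to the system directory avoids that.
    if (!LoadLibraryExW( L"winhttp.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32 ))
        wprintf( L"Loading winhttp.dll failed, error %lu\r\n", GetLastError() );

    return 0;
}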
可能涉及的头文件与库
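// Supplies the STATUS_* codes returned by ProbeCallback. <windows.h> defines some of
// the same STATUS_* macros; when both headers are included, define WIN32_NO_STATUS
// around the <windows.h> include to avoid macro-redefinition warnings.
#include <ntstatus.h>
// `#pragma connect` is not a recognized pragma; the linker directive is
// `#pragma comment(lib, ...)`.
#pragma comment(lib,"ntdll.lib")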