dllMain 劫持 实验 代码:
// dllmain.cpp : 定义 DLL 应用程序的入口点。 //#include "stdafx.h" #include//将输出函数直接转发给lpkOrg.dll #pragma comment(linker, "/EXPORT:LpkInitialize=lpkOrg.LpkInitialize,@1") #pragma comment(linker, "/EXPORT:LpkTabbedTextOut=lpkOrg.LpkTabbedTextOut,@2") #pragma comment(linker, "/EXPORT:LpkDllInitialize=lpkOrg.LpkDllInitialize,@3") #pragma comment(linker, "/EXPORT:LpkDrawTextEx=lpkOrg.LpkDrawTextEx,@4") #pragma comment(linker, "/EXPORT:LpkEditControl=lpkOrg.LpkEditControl,@5") #pragma comment(linker, "/EXPORT:LpkExtTextOut=lpkOrg.LpkExtTextOut,@6") #pragma comment(linker, "/EXPORT:LpkGetCharacterPlacement=lpkOrg.LpkGetCharacterPlacement,@7") #pragma comment(linker, "/EXPORT:LpkGetTextExtentExPoint=lpkOrg.LpkGetTextExtentExPoint,@8") #pragma comment(linker, "/EXPORT:LpkPSMTextOut=lpkOrg.LpkPSMTextOut,@9") #pragma comment(linker, "/EXPORT:LpkUseGDIWidthCache=lpkOrg.LpkUseGDIWidthCache,@10") #pragma comment(linker, "/EXPORT:ftsWordBreak=lpkOrg.ftsWordBreak,@11") //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// DWORD WINAPI TreadWorking(LPVOID lpParameters); //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// DWORD WINAPI ThreadWorking(LPVOID lpParameters) { MessageBox(NULL, L"Fake lpk loaded!", L"Notice", MB_OK); OutputDebugString(L"LPK.dll is working.\n"); return 0; } BOOL APIENTRY DllMain( HMODULE hModule, DWORD dwReason, LPVOID lpReserved ) { if(dwReason == DLL_PROCESS_ATTACH) { CreateThread(NULL, 0, ThreadWorking, NULL, 0, NULL); DisableThreadLibraryCalls(hModule); } else if(dwReason == DLL_PROCESS_DETACH) { } return TRUE; } 编译32位的dll后,将
1. C:\Windows\SysWOW64 中的lpk.dll 重命名为lpkOrg.dll ,一定要重启操作系统,
否则看到运行的WinHex.exe使用的是重命名后的动态库,popexizhi的实验在win7上做的
到现在也不明白 why，难道 OS 对这个级别的 dll 做动态跟踪了?! 也没什么意义啊，重启系统后就
用新的了。（推测：lpk.dll 在系统的 KnownDLLs 列表中，开机时已为它创建了内存节对象，之后进程加载的是该节而不是磁盘上的文件，所以改名在重启前看不到效果；KnownDLLs 本身正是针对这类搜索顺序劫持的防护机制，待确认。）
2.在WinHex.exe运行的文件夹下放编译后的lpk.dll
ok了
纪念一下:)