Analysis of the technology principle of dynamic Chinese windows

Trap "Technology exploration--the analysis of dynamic Chinese-typed Windows technology

Richwin, Chinese star (Cstar) is widely known in the Chinese-language Windows products, "trap" technology that is dynamically modify the Windows code, has been its foreign claims of extraordinary technology. This paper introduces the realization of "trap" technology from the view of the module call mechanism and the relocation concept of Windows, and gives the example source program of dynamically modifying the Windows code by using "trap" technology.

One, what did you find?

The author has been engaged in the software development work under Windows for many years, experienced Windows 2.0, 3.0, 3.1, until Windows 95, NT growth process, also traversed the evergreen window, the Great Wall window, DbWin, Cstar, Richwin, such as several Windows Chinese products. From now on, the most influential and most successful, when pushing the richwin of the four-pass, in addition, the Chinese star Cstar and Richwin teacher out of a door, its core technology is naturally similar. Its external propaganda uses the unique "trap" technology namely dynamically modifies the Windows code, has been the author interest place.

EXEHDR is a useful program in the Microsoft Visual C + + development tool that examines the NE (new-exe cutable) format file to analyze Richwin WSENGINE.DLL or Cstar CHINESE.DLL , you will find two distinct points (take Cstar 1.20 as an example):

C:\CSTAR>EXEHDR chinese.dll/v

..................................
6 Type offset target
BASE 060a seg 2 offset 0000
PTR 047e imp GDI. Getcharabcwidths
PTR 059b imp GDI. EnumFontFamilies
PTR 0451 Imp display.14 (exttextout)
PTR 0415 Imp Keyboard.4 (TOASCII)
PTR 04ba Imp Keyboard.5 (ansitooem)
PTR 04c9 Imp Keyboard.6 (OemToAnsi)
PTR 04d8 Imp keyboard.134 (ansitooembuff)
PTR 05f5 Imp user.430 (lstrcmp)
PTR 04e7 Imp keyboard.135 (oemtoansibuff)
PTR 0514 Imp user.431 (ansiupper)
PTR 0523 Imp user.432 (ansilower)
PTR 05AA Imp gdi.56 (createfont)
PTR 056e Imp user.433 (ischaralpha)
PTR 05b9 Imp gdi.57 (createfontindirect)
PTR 057d Imp user.434 (ischaralphanumeric)
PTR 049c Imp user.179 (getsystemmetrics)
PTR 0550 Imp user.435 (ischarupper)
PTR 055f Imp user.436 (ischarlower)
PTR 0532 Imp user.437 (ansiupperbuff)
PTR 0541 Imp user.438 (ansilowerbuff)
PTR 05c8 Imp gdi.69 (DeleteObject)
PTR 058c Imp gdi.70 (enumfonts)
PTR 04ab imp KERNEL. Isdbcsleadbyte
PTR 05d7 Imp gdi.82 (GETOBJECT)
PTR 048d Imp kernel.74 (openfile)
PTR 0460 Imp gdi.91 (gettextextent)
PTR 05e6 Imp gdi.92 (gettextface)
PTR 046f Imp gdi.350 (getcharwidth)
PTR 0442 Imp gdi.351 (exttextout)
PTR 0604 Imp user.471 (LSTRCMPI)
PTR 04f6 Imp user.472 (ansinext)
PTR 0505 imp user.473 (Ansiprev)
PTR 0424 Imp user.108 (GETMESSAGE)
PTR 0433 Imp user.109 (peekmessage)
KM relocationS