How to Use DLL to control processes in Windows

In Microsoft Windows, each process has its own private address space. When a pointer is used to reference the memory, the pointer value will reference a memory address in the address space of your own process. Your process cannot create a memory pointer that belongs to another process. Therefore, if your process has an error and a random address is replaced with the memory, this error will not affect the memory used by another process. Windows 98 processes running under Windows 98 share 2 GB address space, which ranges from 0x80000000 to 0 xFFFFFFFF. Only memory image files and system components can be mapped to this region.
Independent address spaces are very advantageous for programmers and users. For programmers, it is easier for the system to capture random memory read and write operations. For users, the operating system will become more robust, because one application cannot disrupt the operation of another process or operating system. Of course, the robustness of the operating system is costly because it is rare to write applications that can communicate with other processes or operate on other processes.
In some cases, you must break the process boundaries and access the address space of another process, including:
When you want to create a subclass for the window created by another process.
When you need debugging help, for example, when you need to determine which DLL is being used by another process ).
When you want to mount other processes.
Two methods are introduced here, which can be used to insert a DLL into the address space of another process. Once your DLL enters the address space of another process, you can do whatever you want for another process. This will make you very scared. Therefore, you have to think twice about what to do.
1 insert DLL: An Example
Suppose you want to create a subclass for the window created by another process. You may remember that creating a subclass can change the behavior characteristics of the window. To create a subclass, you only need to call the SetWindowLongPtr function, change the window process address in the handler in the window, and point to a new one.) WndProc. The Platform SDK documentation says that an application process scheduler can create subclasses for Windows created by another process. This is not completely correct. The key issue of creating a subclass for a window of another process is related to the boundary of the process address space.
When you call the SetWindowsLongPtr function shown below to create a subclass of a window, you will tell the system that all messages sent to or displayed in the window set by hwnd should be sent to MySubclassProc, instead of the normal Window Process for sending the Port:
Code in process:

EXE file: LRESUlT WndProc (HWND hend, UNIT uMsg ,...){.....} USER32.DLL file LONG DispatchMessage (const msg * msg) { LONG lRet; WNDPROC lpfnWndProc = (WNDPROC) GetWindowLongPtr (msg, hwnd, GWLP_WNDPROC ); LRet = lpfnWndProc (msg. hwnd, msg. message, msg. wParam, mag. LParam ); Return lRet; } Process B: EXE file Void Somefunc (void) { HWND hwnd = Findwindow ("class A", NULL ); SetWindowLongPtr (hwnd, GWLP_WNDPROC, MySubclassProc ); } USER32.DLL file ......

In other words, when the system needs to send a message to the WndProc in the specified window, it needs to view its address and then directly call WndProc. In this example, the system finds that the address of the MySubclassProc function is associated with the window, so the MySubclassProc function is called directly.
When creating a subclass for a window created by another process, the problem is that the process of creating a subclass is located in another address space. The following example shows how the window process accepts messages. Process A is running and A window has been created. The file User32.dll is mapped to the address space of process.
The ing of the User32.dll file is used to receive and send messages sent and displayed in any window created by any thread running in process. When the image of User32.dll discovers a message, it must first determine the WndProc address of the window, and then call this address to transmit the handle, message, and wParam and lParam values of the window port. After WndProc processes the message, User32.dll runs cyclically and waits for another window message to be processed.
The thread in process B tries to create A subclass for the window created by the thread in process A. Now suppose that your process is process B. You want to create A subclass for the window created by the thread in process. The code in process B must first determine the window handle of the subclass you want to create. This operation uses many methods. The above example only calls the FindWindow function to obtain the required window. Then, the thread in process B calls the SetWindowLongPtr function and tries to change the WndProc address of the window. Note the word "try. What operations does this function call callback? It only returns NULL. The code in the SetWindowLongPtr function should check whether a process is trying to change the WndProc address of the window created by another process, and then ignore the call of this function.
If the SetWindowLongPtr function can change the WndProc of the window, what will happen? The system associates the address of MySubclassProc with a specific window. Then, when A message is sent to this window, the User32 code in process A retrieves the message, obtains the address of MySubclassProc, and tries to call this address. However, there may be a major problem. MySubclassProc is located in the address space of process B, and process A is an active process. Obviously, if User32 wants to call this address, it needs to call an address in process A's address space, which may cause memory access violations.
To avoid this problem, let the system know that M y S u B c l a s P r o c is in the address space of process B. Then, before calling the subclass process, let the system perform a context conversion. M I c r o s o f t does not implement this helper function, because: Applications seldom need to create child classes for Windows created by threads of other processes. Most applications only create child classes for their own windows. The memory structure of Wi n d o w s does not prevent such creation operations.
Switching an active process takes a lot of c p u time.
The thread in process B must execute the code in M y S u B c l a s P r o c. Which thread should the system use? Is it an existing thread or a new thread?
How can U s e r 3 2. d l describe whether the address related to the window is used in another process or in the same process?
There is no solution to this problem, therefore, M I c r o s o f t decides not to let S e t Wi n d o w s L o n g P t r change the window process created by another process. However, you can still create a subclass for the window created by another process-you only need to use another method to perform this operation. This is not a subclass issue, but a process's address space boundary issue. If you can put the code of your subclass process into the address space of process A, you can conveniently call the S e t Wi n d o w L o n g P t r function, pass the address of process A to M y S u B c l a s P r o c function. I call this method to insert the address space of the D L "into" process.

There are several ways to perform this operation. The following describes them one by one.

2. Insert DLL through hook
You can use a hook to insert d l into the address space of the process. To enable the hooks to work as they do in 1 6-bit Wi n o w s, M I c r o s o f t has to design a method, so that d l can be inserted into the address space of another process.
Let's look at an example. Process A is similar to A Microsoft Spy ++ utility) installed with A hook w n _ g e t m e s a g e to view messages processed by various windows in the system. The hook is installed by calling the following S e t Wi n d o w s H o k E x function:
The first parameter w h _ g e t m e s a g e is used to specify the type of the hook to be installed. The second parameter G e t M s g P r o c is used to specify the address of the function that the system should call when the window is preparing to process a message. The address of the function occupies five three parameters in your primary data center. h I n s t D l is used to specify the D l that contains the G e t M s g P r o c function. In Wi n d o w s, the value of h I n t D L of D L is used to identify the virtual memory address in the address space of the process mapped to the DLL. The last parameter 0 is used to specify the thread to be mounted.
For a thread, it can call the S e t Wi n d o w s H o k E x function to pass the I D of another thread in the system. By passing 0 for this parameter, the system is told that we want to mount all g u I threads in the system.
Now let's take a look at what will happen:
1) A thread in process B is preparing to send a message to a window.
2) check whether the w h _ g e t m e s a g e hook has been installed on this thread.
3) The system checks whether the d l containing the G e t M s g P r o c function is mapped to the address space of process B.
4) if the d l has not been mapped, the system will force the d l to be mapped to the address space of process B, in addition, the automatic tracking count of the d l image in process B increases by 1.
5) when the h I n s t d l of D l is used in process B, the system checks this function, and check whether the h I n s t D L of the D L l is in the same position as it is used for process.
If two h I n s t D l are at the same position, then, the memory address of the G e t M s g P r o c function is the same in the address space of the two processes. In this case, the system only needs to call the G e t M s g P r o c function in process A's address space.
If the location of h I n t D l is different, the system must determine the virtual memory address of the G e t M s g P r o c function in the address space of process B. The following formula can be used to determine the address:
After the address of GetMsgProc A is subtracted from the address of hinstDll A, the address displacement of the G e t M s g P r o c function is measured in bytes ). Add this displacement to the address of hinstDll B, the location of the G e t M s g P r o c function in the address space used for process B for the D L image is obtained.
6) The system increases the automatic tracking count of the d l image in process B by 1.
7) The system calls the G e t M s g P r o c function in the address space of process B.
8) When the G e t M s g P r o c function is returned, the system will decrease the automatic tracking count of the d l image in process B by 1.
Note: When the system inserts or maps the d l that contains the hook filter function, the entire d l is mapped, but the hook filter function is mapped. This means that all or all functions contained in d l exist and can be called from the thread running in process B.
To create A subclass for A window created by A thread in another process, you can first set a w h _ g e t m e s a g e hook on the hook that creates the window, then, when the G e t M s g P r o c function is called, call the S e t Wi n d o w L o n g P t r function to create a subclass of the window. Of course, The subclass process must be in the same d ll as the G e t M s g P r o c function.
Unlike the Registry Method for inserting d l, This method allows you to delete the d l image when the dl l is no longer needed in the address space of another process, the method is to call the following function:
When a thread calls the U n h o k Wi n d o w s H o k E x function, the system will traverse the internal list of each process to which d l must be inserted, and the automatic tracking count of d l will be decreased. When the automatic count is tracked, d l is automatically deleted from the address space of the process. Remember that before the system calls G e t M s g P r o c, it increases the automatic tracking count of d l according to the above 6th steps ).
When the thread of process B tries to execute the token in the G e t M s g P r o c function, another thread running in the system can call the U n l o k Wi n d o w s H o k E x function.
All this means that you cannot undo the subclass of the window and immediately undo the hook. The hook must be valid during the lifetime of the subclass.
3. Use a remote thread to insert a DLL

Another way to insert d l is to use a remote thread. This method is more flexible. It requires you to understand several features of Wi n d o w s, such as process, thread, thread synchronization, virtual memory management, d l and U n I c o d e. these features are unclear, see the relevant chapters in this book ). Most function market members of Wi n d o w s are involved in killing themselves.
This is a good feature because it can prevent one process from damaging the operation of another process. However, some functions allow one process to operate on another process. Most of these functions were originally for debugging programs and other tools. However, any function can call these functions.
This d l insertion method basically requires the thread in the target process to call the L o a d L I B r a r y function to load the necessary D L.
In addition to threads in our own processes, we cannot easily control threads in other processes. Therefore, this solution requires us to create a new thread in the target process. Because this thread is created by ourselves, we can control what code to execute. Fortunately, Wi n d o w s provides a function called C r e a t e R e m o t T h r e a d, this allows us to easily create threads in another process:
C r e a t e R e m o t e T h r e a d is very similar to C r e a t e T h r e a d, the difference is that it adds a parameter h P r o c e s. This parameter indicates the process that owns the newly created thread. The p f n S t a r t A d r parameter specifies the memory address of the thread function. Of course, the memory address is related to the remote process. The code of the thread function cannot be in the address space of your own process.
Windows 98 in Windows 98, the C r e a t e R e m o t h r e a d function does not have any useful implementation code. It only returns n u l. Call the G e t L a s t E r o r O r function to return e r o r _ c a l _ N o T _ I M P L E M E N T e dc r e a t e T h r e a d function contains the complete implementation code used to create a thread in the calling process ). Because C r e a t e R e m o t e T h r e a d is not implemented, in Windows 98, this method cannot be used to insert d l.
Now you know how to create a thread in another process. But how can we let this thread load our d l? The answer is simple, that is, the thread needs to call the L o a d L I B r a r y function.
The detailed steps are described as follows:
1) Use the Vi r t u a l o c E x function to allocate memory in the address space of the remote process.
2) use the Wr I t e P r o c e s M e m o r y function to copy the path name of D L to the allocated memory in the first step.
3) use the G e t P r o c A d r e s function, obtain the real address of the L o a d L I B r a r y A or L o a dL I B r a t y W function in K e r n e l 3. in d l ).
4) use the C r e a t e R e m o t e T h r e a d function to create a thread in a remote process, it calls the correct L o a d L I B r a r y function and transmits the address of the memory allocated in the first step to it. At this time, d l has been inserted into the address space of the remote process, AT the same time, the d l l M a I n function of D l L _ P R O C E S _ AT TA C H notification, and can execute the required code. When the D l M a in function returns, the remote thread
It is returned from its call to L o a d L I B r a r y to B a s e T h r e a d S t a r t T t function chapter 6th. Then, B a s e T h r e a d S t a r t calls E x I t T h r e a d to terminate the remote thread.
At present, the remote process still keeps the address space in which the first one has been stored.
To delete a remote thread, follow these steps:
5) use the Vi r t u a l F r e E x function to release the memory allocated in the first step.
6) use the G e t P r o c A d r e s function, obtain the real address of the F r e L I B r a r y function in K e r n e l 3 2. in d l ).
7) use the C r e a t e R e m o t e T h r e a d function to create a thread in a remote process, it calls the F r e L I B r a r y function and transmits the remote d l h I N S TA N C E.
This is the basic procedure. The only drawback of inserting d l is that Windows 98 does not support such a function. This method can only be used on Windows 2000.