Impressions of a Microsoft outsourcing project (2)

Source: Internet
Author: User

HOOK API

After the Dragon Boat Festival holiday, we started the initial pre-study for the project. The first step was API hooking. There are countless technical documents for reference on how to implement a WinAPI hook. However, the basic implementations almost always require an additional, independent service process. The advantage of this approach is that it is simple; however, the target application then depends on an EXE file that has to be started beforehand, which is unnatural. In addition, if the service process crashes, it causes serious problems. This idea can therefore be used for experiments, but in the end it is not an advisable solution.

For MSN, there are currently two outstanding shells: one is the famous MSN Shell, and the other is probably MSN Plus, developed by a Canadian born in France. MSN Shell provides a copy of CRYPTNET.dll to implement its API hook, while MSN Plus adopts a similar technique (MSN Plus provides a copy of msimg32.dll). If we have installed these two shells, we will find copies of these dynamic link libraries in the MSN installation directory, while the corresponding dynamic link libraries originally required by MSN are in the Windows/System32 system folder. If you are interested, you can directly compare each original with its copy to see the differences (use the utility DEPENDS.EXE provided by Visual Studio). The comparison suggests that MSN Shell and MSN Plus may have borrowed from each other, though we cannot determine which borrowed from which. These features of the two programs certainly gave us some inspiration, but Office Communicator is, after all, very different from MSN, so we had to select an appropriate DLL of our own to achieve a similar result. The purpose of the above analysis is to find a way to hook the API while ensuring that this way neither affects other processes nor relies on other processes. So which library should be selected as the entry point?

It may be wise to choose a suitable DLL to replace, but the candidate DLL should be small and simple enough that re-implementing the corresponding copy is relatively easy. The reason MSN Plus chose msimg32.dll may be that the original msimg32.dll is small (4,608 bytes), while MSN Shell chose CRYPTNET.dll, which is probably required to encrypt the session. After installing Office Communicator, the directory where communicator.exe is located contains only a limited number of DLLs. We chose RTMPLTFM.dll, which has only four exported functions, although the library itself is relatively large (5.07 M).
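The original-versus-copy comparison described above can be automated as an audit of an installation directory. The following is an added example, not code from the original post: the function names and the constructed stand-in files in `demo()` are assumptions, and the byte comparison is only a first pass before inspecting exports with a tool such as DEPENDS.EXE.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

def sha256_of(path):
    """SHA-256 of a file's bytes."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def find_shadowed_dlls(app_dir, system_dir):
    """List DLLs in app_dir whose name also exists in system_dir.

    The loader normally searches the application directory before System32
    (KnownDLLs excepted), so such a file is loaded instead of the system one.
    """
    # Windows file names are case-insensitive: index by lower-cased name.
    system = {p.name.lower(): p for p in Path(system_dir).iterdir()
              if p.is_file() and p.suffix.lower() == ".dll"}
    findings = []
    for local in sorted(Path(app_dir).iterdir()):
        original = system.get(local.name.lower())
        if original is None or not local.is_file():
            continue
        findings.append({
            "name": local.name,
            "app_size": local.stat().st_size,
            "system_size": original.stat().st_size,
            # Same bytes: redundant copy. Different bytes: a replacement that
            # needs a signature check and an export-table comparison.
            "identical": sha256_of(local) == sha256_of(original),
        })
    return findings

def demo():
    """Run the audit on constructed stand-in files (not real DLLs)."""
    with tempfile.TemporaryDirectory() as root:
        app, system = Path(root, "app"), Path(root, "System32")
        app.mkdir()
        system.mkdir()
        (system / "msimg32.dll").write_bytes(b"original" * 576)  # 4,608 bytes
        (app / "MSIMG32.DLL").write_bytes(b"re-implemented copy")
        (app / "app.exe").write_bytes(b"not a dll")
        return find_shadowed_dlls(app, system)

if __name__ == "__main__":
    rows = find_shadowed_dlls(*sys.argv[1:3]) if len(sys.argv) > 2 else demo()
    for r in rows:
        print(r["name"], "identical" if r["identical"] else "DIFFERS",
              r["app_size"], r["system_size"])
```

Run with an installation directory and the System32 path as arguments to audit a real machine; with no arguments it runs the constructed demo.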

Once the principles have been clearly analyzed, the specific implementation work becomes much more practical. The implementation took shape on the first day of the experiment. When a friend at Microsoft called me, we had successfully achieved the work we expected in the first step:


(By hooking LoadResource/FindResource/SizeofResource and other API functions, we quickly created a new UI element on OC)

This part of the work was implemented in detail. As for me, I just proposed the original idea.
