The principle of this method is to write a DLL with the same interface function as the DLL called by the original process, and then replace the original DLL with our DLL. During the replacement process, we will write functions of interest to replace the original functions, while functions of the original dll will be called in the form of function forwarding for functions of no interest. There is a premise that you must know the functions in the original DLL when writing the DLL, so that the corresponding API functions cannot be found when other processes call the DLL, especially when replacing system DLL files, be careful.
This method is demonstrated below. I did this. First, write a DLL as the replaced DLL named dlllib. DLL (last renamed as _ dlllib. DLL), and then write the trojan dll named troydll. DLL (renamed as the original DLL name, that is, dlllib. DLL), and dlllib. DLL has the same API function process, but changes an API function to complete our work, because another API function needs to forward the function, to the original DLL (renamed as _ dlllib. DLL dlllib. DLL ). At this time, our test program was originally called dlllib. DLL, but because dlllib. the dll has been troydll. the DLL is replaced, so the test program actually calls troydll. DLL, and for the function for forwarding, it is through troydll. DLL calls dlllib. DLL (renamed _ dlllib. DLL. At this point, our trojan dll has actually been injected into the process space of our test program.
1. Compile the original DLL. The code for dlllib. dll (renamed as _ dlllib. dll) is as follows:
// ================================================ ============================================
// File: unitlib. cpp
// Description: This shows how to use the trojan dll for DLL injection. This is its own DLL, and another trojan dll will
// Perform Function forwarding and implement other functions.
// Author: edification (innocent)
// ================================================ ============================================
// Function declaration
Extern "C" _ declspec (dllexport) _ stdcall void about ();
Extern "C" _ declspec (dllexport) _ stdcall int add (int A, int B );
Int winapi dllentrypoint (hinstance hinst, unsigned long reason, void * lpreserved)
{
Return 1;
}
//---------------------------------------------------------------------------
Void _ declspec (dllexport) _ stdcall about ()
{
Try
{
MessageBox (null, "this is the original DLL file! "," Original DLL ",
Mb_iconinformation + mb_ OK );
} Catch (exception & E)
{
MessageBox (null, E. Message. c_str (), "dlllib", mb_ OK );
}
}
// Add two numbers (Note: Here is the sum of two numbers)
Int _ declspec (dllexport) _ stdcall add (int A, int B)
{
Return (A + B );
}
2. Compile the trojan dll. The code for troydll. dll is as follows:
// ================================================ ============================================
// File: unittroy. cpp
// Note: this is the trojan dll, which will change its DLL file to the DLL file name to be replaced.
// Prepared by: cultivate
// ================================================ ============================================
Extern "C" _ declspec (dllexport) _ stdcall void about ();
Extern "C" _ declspec (dllexport) _ stdcall int add (int A, int B );
Int multiply (int A, int B );
// Declaration of the function prototype in DLL
Typedef void (winapi * about )();
Typedef int (winapi * Add) (int A, int B );
Static string szdllname;
Int winapi dllentrypoint (hinstance hinst, unsigned long reason, void * lpreserved)
{
Szdllname = Application-> exename;
Szdllname = szdllname. substring (0, szdllname. Length ()
-String (strrscan (szdllname. c_str (), '/'). Length ());
// Name of the renamed dlllib. dll file
Szdllname = szdllname + "/_ dlllib. dll ";
Return 1;
}
//---------------------------------------------------------------------------
Void _ declspec (dllexport) _ stdcall about ()
{
// Directly forward Functions
Handle hdll = NULL;
Hdll = loadlibrary (szdllname. c_str ());
About about;
Try
{
If (hdll! = NULL)
{
About = (about) getprocaddress (hdll, "about ");
If (about! = NULL)
About ();
}
Else
MessageBox (null, "loading the original DLL error! "," Trojan dll ",
Mb_iconinformation + mb_ OK );
} Catch (exception & E)
{
MessageBox (null, E. Message. c_str (), "dlltroy", mb_ OK );
}
}
Int _ declspec (dllexport) _ stdcall add (int A, int B)
{
Int nret;
Handle hdll = NULL;
Add add;
Hdll = loadlibrary (szdllname. c_str ());
If (hdll! = NULL)
{
// For the convenience of demonstration, the forward function is forwarded here to see the value that should have been returned.
Add = (ADD) getprocaddress (hdll, "add ");
If (add! = NULL)
Nret = add (A, B );
Showmessage ("this is the call result in the original dll:" + inttostr (nret ));
}
Else
MessageBox (null, "An error occurred while loading the original DLL! "," Trojan dll ", mb_ OK );
// Change the sum of the two numbers to multiply them, and return the product of the two numbers.
Nret = multiply (A, B );
Return nret;
}
Int multiply (int A, int B)
{
Return (A * B );
}
3. Compile a test project. Add two buttons in the form to call the two API functions in dlllib. dll. The Code is as follows:
Typedef (winapi * about )();
Typedef int (winapi * Add) (int A, int B );
//---------------------------------------------------------------------------
_ Fastcall tfrmmain: tfrmmain (tcomponent * owner)
: Tform (owner)
{
}
//---------------------------------------------------------------------------
Void _ fastcall tfrmmain: formcreate (tobject * sender)
{
M_szdllname = Application-> exename;
M_szdllname = m_szdllname.substring (0, m_szdllname.length ()
-String (strrscan (m_szdllname.c_str (), '/'). Length ());
M_szdllname = m_szdllname + "/dlllib. dll ";
}
//---------------------------------------------------------------------------
// Call the about () function
Void _ fastcall tfrmmain: button1click (tobject * sender)
{
Handle hdll;
About about;
Try
{
Hdll = loadlibrary (m_szdllname.c_str ());
If (hdll! = NULL)
{
About = (about) getprocaddress (hdll, "about ");
If (about! = NULL)
About ();
}
} Catch (exception & E)
{
MessageBox (handle, E. Message. c_str (), "error", mb_ OK );
}
}
//---------------------------------------------------------------------------
// Call the add () function
Void _ fastcall tfrmmain: button2click (tobject * sender)
{
Handle hdll;
Add add;
Int nret;
Hdll = loadlibrary (m_szdllname.c_str ());
If (hdll! = NULL)
{
Add = (ADD) getprocaddress (hdll, "add ");
If (add! = NULL)
Nret = add (10, 2 );
Showmessage ("result returned from the trojan dll:" + inttostr (nret ));
}
}
4. Test. Change dlllib. DLL to _ dlllib. dll, and change troydll. DLL to dlllib. dll. Next, run our test project and click the button to call the about () function, because about () is implemented through dlllib. DLL (that is, troydll. DLL) to forward the function (to the original DLL, that is, _ dlllib. DLL), so the original DLL (that is, _ dlllib. DLL. In this case, use the tool of the Process Module to view the process space. You will find that your trojan dll (the renamed dlllib. DLL) has been successfully injected into the process space of the test program.
Click the button to call the add () function. You will see that the result of adding two numbers is the product of the two numbers, because we have already done it in the trojan dll. This is the key to using it. Gina at Windows login, do you know? Do you want someone else's login password? This method is used to replace MSGINA. dll with its own DLL, and the complicated password is also obtained ~. (Do you want to write it yourself? Check Winlogon logon management and Gina introduction)
Environment:
Win2000 Server + BCB 6.0
Appendix: related program code in this article
Reference: Windows core programming