I. Win32 DLL
1. Writing the DLL
The code is as follows:
Math.h
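// Math.h — public interface of Math.dll.
//
// MATH_EXPORTS is defined only while building the DLL itself, so the same header
// exports the symbols from the DLL and imports them into every client.
#pragma once

#ifdef _WIN32
#  ifdef MATH_EXPORTS
#    define MATH_API __declspec(dllexport)
#  else
#    define MATH_API __declspec(dllimport)
#  endif
#else
// Non-Windows builds have no dllexport/dllimport; the declarations are plain.
#  define MATH_API
#endif

// Exported data; defined in Math.cpp.
extern MATH_API double PI;

// Exported functions; defined in Math.cpp.
// NOTE(review): these have C++ linkage, so their exported names are decorated unless
// the .def file renames them. The GetProcAddress calls on this page pass lower-case,
// undecorated names ("add", "sub", "mod"); confirm against the real export table
// (e.g. dumpbin /exports) that the names match, since lookups are case-sensitive.
MATH_API int Add(int a, int b);   // a + b
MATH_API int Sub(int a, int b);   // a - b
MATH_API int Mod(int a, int b);   // a % b; undefined when b == 0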
Math.cpp
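// Math.cpp — implementation of the Math.dll exports declared in Math.h.
#include "stdafx.h"
#include "Math.h"

// Exported constant, declared `extern MATH_API double PI` in Math.h.
MATH_API double PI = 3.1415926;

// Returns a + b. Signed overflow is undefined; callers keep the operands in range.
MATH_API int Add(int a, int b)
{
    return a + b;
}

// Returns a - b (the collapsed listing read `a-A`, which does not compile).
MATH_API int Sub(int a, int b)
{
    return a - b;
}

// Returns the remainder of a divided by b. b must be non-zero: division by zero
// is undefined behaviour (and raises a hardware exception on x86).
MATH_API int Mod(int a, int b)
{
    return a % b;
}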
Math.def (this file must be added to the new project manually)
LIBRARY "Math"
DESCRIPTION "ADD SUB MOD"
EXPORTS
    add @1
    sub @2
    mod @3
    pi DATA
2. Calling the DLL
First declare and initialize the following:
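// Calling Math.dll dynamically from the test dialog (section I.2).
//
// Function-pointer types mirroring the exports declared in Math.h.
typedef int (*M_ADD)(int, int);
typedef int (*M_SUB)(int, int);
typedef int (*M_MOD)(int, int);

// Resolved entry points; each button handler below looks its own one up on demand.
M_ADD myAdd;
M_SUB mySub;
M_MOD myMod;

// Module handle of Math.dll; NULL until LoadLibrary succeeds.
HINSTANCE hInst;

// Executed once during dialog initialisation (the page shows it as a bare statement;
// presumably it lives in OnInitDialog — confirm).
// NOTE(review): loading by bare file name goes through the DLL search order, so a
// same-named DLL found earlier on that path would be loaded instead; a full path, or
// LoadLibraryEx with a LOAD_LIBRARY_SEARCH_* flag, pins the location. The result is
// not checked here — the handlers only ASSERT it, which compiles out of release
// builds — so ResolveExport() below re-checks it at run time.
hInst = ::LoadLibrary(_T("Math.dll"));

// Looks up `name` in Math.dll. Returns NULL after reporting the problem when the DLL
// is not loaded or the export is missing, so the handlers can bail out instead of
// calling through a null function pointer (the original code never checked).
static FARPROC ResolveExport(LPCSTR name)
{
    if (hInst == NULL) {
        AfxMessageBox(_T("Math.dll is not loaded"));
        return NULL;
    }
    FARPROC proc = ::GetProcAddress(hInst, name);
    if (proc == NULL) {
        // Export names are case-sensitive: "add" must match what Math.def exports.
        AfxMessageBox(_T("export not found in Math.dll"));
    }
    return proc;
}

// Button handlers: resolve the export, call it with a test pair (a, b) and show the
// result. `n` is not declared on this page — presumably a dialog member; confirm.
void CMathTestDlg::OnBnClickedAdd()
{
    ASSERT(hInst);
    myAdd = reinterpret_cast<M_ADD>(ResolveExport("add"));
    if (myAdd == NULL) return;
    int a = n, b = 6;
    int res = myAdd(a, b);
    CString str;
    str.Format(_T("a+b=%d"), res);
    AfxMessageBox(str);
}

void CMathTestDlg::OnBnClickedSub()
{
    ASSERT(hInst);
    mySub = reinterpret_cast<M_SUB>(ResolveExport("sub"));
    if (mySub == NULL) return;
    int a = n, b = 6;
    int res = mySub(a, b);
    CString str;
    str.Format(_T("a-b=%d"), res);
    AfxMessageBox(str);
}

void CMathTestDlg::OnBnClickedMod()
{
    ASSERT(hInst);
    myMod = reinterpret_cast<M_MOD>(ResolveExport("mod"));
    if (myMod == NULL) return;
    int a = n, b = 6;
    int res = myMod(a, b);
    CString str;
    str.Format(_T("A for remainder b=%d"), res);
    AfxMessageBox(str);
}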
II. MFC DLL
1. An MFC DLL runs the code in InitInstance when it is loaded and the code in ExitInstance when it is unloaded.
2. Declarations
// Declarations for the MFC hook DLL (section II). The listing below is one collapsed
// line whose original comments are interleaved with the code. What it declares:
//   hinst                  - module handle of this DLL, placed in a named data segment
//                            that the linker directive marks shared, read/write
//                            (/SECTION:SHARED,RWS).
//   hprocess               - process handle filled in by InitInstance (OpenProcess);
//                            nothing on this page closes it.
//   Bhook / inject_status  - whether the patch is currently applied / whether Inject ran.
//   oldcode[5] / newcode[5]- saved original entry bytes and the replacement JMP bytes.
//   M_ADD, m_add, Pf_add   - function-pointer type and pointers for the resolved Add.
//   Hookon/Hookoff/Inject/myadd - defined in section II.5.
// NOTE(review): a shared, writable section is mapped into every process that loads
// this DLL, so any of those processes, whatever its privilege, can overwrite what the
// others read from it; only data that is safe for untrusted peers to modify belongs
// there. Here `static hinst` is the only occupant, and a module handle is the per-
// process base address of the image, so sharing it across processes looks both
// unnecessary and wrong under address-space randomisation — confirm the intent.
This variable is shared by different instance Hinst#pragma data_seg ("shared") static hinstance hinst = NULL; The instance handle of this DLL (MFCMath.dll) #pragma data_seg () #pragma comment (linker, "/SECTION:SHARED,RWS") HANDLE hprocess = NULL; Handle of the process bool Bhook = false;//hook the function bool inject_status = FALSE; Whether the API is Hookbyte oldcode[5];//old system API entry code byte newcode[5];//to jump API code (JMP xxxx) typedef int (*M_ADD) (int a, int b);// The Add function in Math.dll defines the Add function Farproc Pf_add in M_add m_add;//math.dll; A far pointer to the Add function void Hookon (); Open hook void Hookoff (); Close hook void Inject (); the function int myadd (int a, int b) that is injected in detail, replacing the entrance; The new Add () function that we define
3. The code in InitInstance, executed on load
// CMfcMathApp::InitInstance — runs when this DLL is loaded (see II.1). Records the
// DLL's own module handle, opens a PROCESS_ALL_ACCESS handle to the current process
// into the global `hprocess`, and immediately calls Inject(), which patches the
// target function (section II.5), before deferring to CWinApp.
// NOTE(review): the handle returned by OpenProcess is never closed anywhere on this
// page (ExitInstance only calls Hookoff) — a handle leak for the lifetime of the host.
// NOTE(review): the OpenProcess result is not checked here; Hookon/Hookoff only
// ASSERT it, and ASSERT compiles out of release builds.
BOOL cmfcmathapp::initinstance () {hinst = AfxGetInstanceHandle ();//the DLL handle hprocess = OpenProcess (process_all_access, Null,::getcurrentprocessid ()); Inject (); return CWinApp::InitInstance ();}
4. The code in ExitInstance, executed on unload
// CMfcMathApp::ExitInstance — runs when this DLL is unloaded (see II.1). Restores the
// original entry bytes (Hookoff) if the patch is still applied, then defers to CWinApp.
// NOTE(review): the process handle opened in InitInstance is not released here, and
// the Math.dll module loaded by Inject() is not freed; both stay open for the host's
// lifetime.
// NOTE(review): the restore is only as reliable as `Bhook`: if a write in Hookon or
// Hookoff failed (their results are not checked), the flag and memory can disagree,
// and a patch left in place after this DLL unmaps would jump to unmapped code.
int Cmfcmathapp::exitinstance () {if (Bhook) Hookoff (); return cwinapp::exitinstance ();}
5. Remaining code
// Section II.5: Inject / Hookon / Hookoff / Myadd, collapsed onto one line with the
// original inline comments embedded. What the visible code does:
//   Inject  - guarded by inject_status; loads Math.dll, resolves "add" into m_add and
//             Pf_add, copies the first 5 bytes of Add into oldcode (inline asm,
//             movsd + movsb), builds newcode as 0xE9 followed by (Myadd - Pf_add - 5),
//             i.e. a relative JMP to Myadd, then calls Hookon and reports success.
//   Hookon  - VirtualProtectEx(PAGE_READWRITE) -> WriteProcessMemory(newcode, 5 bytes)
//             -> VirtualProtectEx(old protection); sets bhook = TRUE.
//   Hookoff - the same sequence writing oldcode back; sets bhook = FALSE.
//   Myadd   - the replacement: adjusts the arguments, removes the patch, calls the
//             original through m_add, re-applies the patch, returns the result.
// Defects visible in this listing:
//  * Inject: when Pf_add is NULL it shows "injection Failed" but does not return, so
//    the asm block then copies 5 bytes from address 0 and the JMP displacement is
//    computed against a null target.
//  * Myadd: the comment says both arguments get +1, but `b = a + 1` uses the already
//    incremented `a` — presumably `b = b + 1` was intended.
//  * Hookon/Hookoff: the return values of VirtualProtectEx and WriteProcessMemory are
//    ignored, so a failed write leaves `bhook` out of step with what is in memory.
//  * Myadd's unpatch / call / repatch is not synchronised: in a multi-threaded host,
//    other threads calling Add during that window take the original path or, at worst,
//    hit a partially rewritten entry — a stability risk for the host process.
//  * `hprocess` (OpenProcess in InitInstance) and the Math.dll module loaded here are
//    never closed or freed on this page.
// Security note: overwriting an exported function's first bytes with a JMP is the
// inline-hook pattern that integrity checks and EDR tooling look for by comparing a
// module's in-memory entry bytes with its on-disk image; a host can detect this DLL
// the same way, and `AfxMessageBox(L"inject Success")` makes it visibly noisy as well.
void Inject () {if (Inject_status = = FALSE) {inject_status = TRUE; Hmodule hmod =:: LoadLibrary (_t ("Math.dll"));//load Original Math.dllm_add = (M_add):: GetProcAddress (Hmod, "add");p F_add = ( FARPROC) m_add;if (Pf_add = = NULL) {AfxMessageBox (L "injection Failed");} _asm{lea EDI, Oldcodemov esi, pf_addcldmovsdmovsb}newcode[0] = 0xe9;//The first byte 0xe9 corresponds to the relative address of the JMP instruction//Get Myadd () _asm{lea eax, Myaddmov ebx, pf_addsub eax, ebxsub eax, 5mov DWORD Ptr[newcode + 1], Eax}hookon (); AfxMessageBox (L "inject Success");}} void Hookon () {ASSERT (hprocess! = NULL);D Word dwtemp = 0;dword dwoldprotect;//Change the memory-protected mode to writable, Old mode saved into Dwoldprotectvirtualprotectex (hprocess, Pf_add, 5, Page_readwrite, &dwoldprotect);//Change the first 5 bytes of add in the owning process to JMP Myadd writeprocessmemory (hprocess, Pf_add, Newcode, 5, 0);//change the memory protection mode back to Dwoldprotectvirtualprotectex (hprocess, Pf_add, 5, Dwoldprotect, &dwtemp); bhook = TRUE;} Restores the entry code for Add () in the owning process to void Hookoff () {ASSERT (hprocess! = NULL);D Word dwtemp = 0;dword dwoldprotect; Virtualprotectex (hprocess, Pf_add, 5, Page_readwrite, &dwoldprotect); WritEprocessmemory (hprocess, Pf_add, Oldcode, 5, 0); Virtualprotectex (hprocess, Pf_add, 5, Dwoldprotect, &dwtemp); bhook = FALSE;} int Myadd (int a, int b) {//intercept the call to add (), we give A, b all plus 1a = a + 1;b = a + 1; Hookoff ();//Turn off Myadd () hook to prevent dead loop int ret = M_add (A, b); Hookon ();//Open Myadd () hook return ret;}
6. How to invoke it
// Loading MFCMath.dll is all the host has to do: its InitInstance (II.3) runs on load
// and calls Inject(), so the patch is applied as a side effect of this one call.
// NOTE(review): the returned module handle is discarded, so the caller cannot tell
// whether the load failed, and has nothing to pass to FreeLibrary later; loading by
// bare file name also goes through the DLL search order rather than a pinned path.
:: LoadLibrary (_t ("MFCMath.dll"));
This replaces the entry of Add in Math.dll with Myadd.
If Myadd itself needs to call the Add function in Math.dll, remember to restore the original entry with Hookoff before the call, and re-install the hook with Hookon afterwards.
::FreeLibrary() releases the loaded DLL.
III. Spoofing the MessageBoxW function
// Section III: the section II hook DLL re-targeted at MessageBoxW, collapsed onto two
// lines; its comments were copied from section II and still talk about "Add".
// Differences from section II visible here:
//   - the function-pointer type `mymsg` has MessageBoxW's signature
//     (HWND, LPCTSTR, LPCTSTR, UINT) with the WINAPI calling convention;
//   - Inject loads User32.dll and resolves "MessageBoxW" into M_msg / pf_Add;
//   - Myadd overwrites lptext with "Switched, haha" before calling the original, so
//     every MessageBoxW call in the host process shows that text instead of its own.
// Defects visible in this listing:
//  * Inject has no NULL check at all on the GetProcAddress result before the asm
//    block reads 5 bytes from it (section II at least reported the failure).
//  * the typedef uses LPCTSTR while the resolved export is the wide (W) variant; the
//    two only line up in a UNICODE build — confirm the project setting.
//  * Hookon/Hookoff ignore the VirtualProtectEx / WriteProcessMemory results, and the
//    unpatch / call / repatch in Myadd is unsynchronised, exactly as in section II.
//  * `hprocess` is opened in InitInstance and never closed (same leak as section II).
// Security note: this is tampering with a system API's behaviour through an inline
// hook; an integrity check that compares User32's in-memory entry bytes with the
// on-disk image, or a monitor for VirtualProtectEx/WriteProcessMemory on code pages,
// detects it from inside the host.
This variable is shared by different instance Hinst#pragma data_seg ("shared") static hinstance hinst = NULL; The instance handle of this DLL (MFCMath.dll) #pragma data_seg () #pragma comment (linker, "/SECTION:SHARED,RWS") HANDLE hprocess = NULL; Handle of the process bool Bhook = false;//hook the function bool inject_status = FALSE; Whether the API is Hookbyte oldcode[5];//old system API entry code byte newcode[5];//to jump API code (JMP xxxx) typedef int (WINAPI *mymsg) (HWND HWnd, LPCTSTR Lptext, LPCTSTR lpcaption, UINT utype); the Add function in//math.dll defines the Add function mymsg M_msg;//math.dll in Farproc Pf_add; A far pointer to the Add function void Hookon (); Open hook void Hookoff (); Close hook void Inject (); For detailed injections, replace the entry function int WINAPI Myadd (HWND hwnd, LPCTSTR Lptext, LPCTSTR lpcaption, UINT utype); We define the new Add () function bool Cmfcmathapp::initinstance () {hinst = AfxGetInstanceHandle ();//This DLL handle hprocess = OpenProcess ( Process_all_access,null,::getcurrentprocessid ()); Inject (); return CWinApp::InitInstance ();} int Cmfcmathapp::exitinstance () {if (Bhook) Hookoff (); return cwinapp::exitinstance ();} void Inject () {if (Inject_status = = FALSE) {Inject_status= TRUE; Hmodule hmod =:: LoadLibrary (_t ("User32.dll"));//load Original math.dllm_msg = (mymsg):: GetProcAddress (Hmod, "MessageBoxW");p f_ Add = (FARPROC) M_msg;_asm{lea edi, Oldcodemov esi, pf_addcldmovsdmovsb}newcode[0] = 0xe9;//The first byte 0xe9 the equivalent of the JMP command//Get Myadd ( ) Relative address _asm{lea eax, Myaddmov ebx, pf_addsub eax, ebxsub eax, 5mov DWORD Ptr[newcode + 1], Eax}hookon ();}} void Hookon () {ASSERT (hprocess! 
= NULL);D Word dwtemp = 0;dword dwoldprotect;//Change the memory-protected mode to writable, Old mode saved into Dwoldprotectvirtualprotectex (hprocess, Pf_add, 5, Page_readwrite, &dwoldprotect);//Change the first 5 bytes of add in the owning process to JMP Myadd writeprocessmemory (hprocess, Pf_add, Newcode, 5, 0);//change the memory protection mode back to Dwoldprotectvirtualprotectex (hprocess, Pf_add, 5, Dwoldprotect, &dwtemp); bhook = TRUE;} Restores the entry code for Add () in the owning process to void Hookoff () {ASSERT (hprocess! = NULL);D Word dwtemp = 0;dword dwoldprotect; Virtualprotectex (hprocess, Pf_add, 5, Page_readwrite, &dwoldprotect); WriteProcessMemory (hprocess, Pf_add, Oldcode, 5, 0); Virtualprotectex (hprocess, Pf_add, 5, Dwoldprotect, &dwtemp); BHOok = FALSE;} int WINAPI Myadd (HWND hwnd, LPCTSTR Lptext, LPCTSTR lpcaption, UINT utype) {lptext = _t ("Switched, haha"); Hookoff ();//Turn off Myadd () hook to prevent dead loop int ret = M_MSG (hWnd, Lptext, Lpcaption, Utype); Hookon ();//Open Myadd () hook return ret;}
MFC: writing and calling a Win32 DLL and an MFC DLL