Screen Word Extraction

Source: Internet
Author: User

The following is an excerpt from someone else. I forgot to say sorry to the author.

The text on the screen is mostly drawn by the following functions of gdi32.dll: TextOutA, TextOutW, ExtTextOutA and ExtTextOutW. To implement screen-based word capture, the key is to intercept calls to these functions and obtain the parameters that the program passes to them.

My method has the following three steps:

1. Get the current cursor position.

   Use SetWindowsHookEx (a system-wide mouse hook).

2. Send a redraw message to the window under the mouse so that it calls the system text-output functions again.

   Through WindowFromPoint, ScreenToClient and InvalidateRect.

3. Intercept the calls to the system functions and obtain their parameters (taking TextOutA as the example).

   1. Create your own function MyTextOutA, with the same parameters and return value as TextOutA, and place it in the DLL that contains the system hook:

    typedef BOOL (WINAPI *TEXTOUTA_PROC)(HDC, int, int, LPCSTR, int);
    DWORD sysFunc1;   // address of the real TextOutA, resolved once (e.g. in DllMain) with:
    // sysFunc1 = (DWORD)GetProcAddress(GetModuleHandle("gdi32.dll"), "TextOutA");

    BOOL WINAPI MyTextOutA(HDC hdc, int nXStart, int nYStart, LPCSTR lpszString, int cbString)
    {
        // process the output lpszString here (cbString characters; it is not necessarily NUL-terminated)
        return ((TEXTOUTA_PROC)sysFunc1)(hdc, nXStart, nYStart, lpszString, cbString);
    }

   2. Because the system mouse hook has already injected our DLL into the other GUI processes, no further work is needed for the injection.

If you know that every system hook procedure must live in a dynamic library, "injection" will not surprise you. When a process implicitly or explicitly calls a function in a dynamic library, the system maps that library into the virtual address space of the process (hereinafter "address space"). The DLL thereby becomes part of the process: its code executes under the identity of that process and uses that process's stack (see figure 1).

Figure 1: the DLL mapped into the virtual address space of the process

For system hooks, the system automatically maps the DLL containing the hook callback function into the address space of every process affected by the hook. That is how the DLL gets injected into those processes.

   3. After the DLL containing the hook has been injected into other processes, find the base address of each module (EXE and DLL) mapped into the virtual memory of the process. Where an EXE or DLL is mapped in virtual memory is determined by its base address, which the linker decides at link time. When you create a Win32 project, the VC++ linker uses the default base address 0x00400000; you can change a module's base address with the linker's /BASE option. The EXE is usually mapped at virtual address 0x00400000, and each DLL has its own base address, so the same DLL is usually mapped at the same virtual address in different processes.

How do I know where an EXE or DLL is mapped?

In Win32, HMODULE and HINSTANCE are the same thing: the base address, in the virtual memory space, of a module loaded into the process. For example:

    HMODULE hModule = GetModuleHandle("gdi32.dll");

The returned module handle, cast to a pointer, is the base address at which gdi32.dll is mapped.

How can I find all the DLLs mapped into the virtual memory space? I use the following method, walking the address space region by region with VirtualQuery:

    MEMORY_BASIC_INFORMATION mbi;
    DWORD base = 0;

    while (VirtualQuery((LPCVOID)base, &mbi, sizeof(mbi)) > 0)
    {
        // only the first region of a mapped image starts at the module base;
        // the later sections of the same image share its AllocationBase
        if (mbi.Type == MEM_IMAGE && mbi.AllocationBase == mbi.BaseAddress)
            ChangeFuncEntry((HMODULE)mbi.BaseAddress);
        base = (DWORD)mbi.BaseAddress + mbi.RegionSize;
    }

   4. Having obtained the module's base address, walk the module's IMAGE_IMPORT_DESCRIPTOR array according to the PE file format to see whether it imports gdi32.dll. If so, look at the IMAGE_THUNK_DATA array to see whether the TextOutA function is imported.

   5. If it is found, replace the entry with the address of the corresponding replacement function.

When the system maps an EXE or DLL into virtual memory, its memory layout is the same as the static file structure on disk: the PE (Portable Executable) file format.

All calls to a given API function from an executable always go through the same place in that executable: the import address table (IAT). The import table lists all the functions of other DLLs called by this module, by name and, once loaded, by address. A call to a function in another DLL is actually a jump through the import address table, and from the import address table to the real entry point of the function in the DLL. Example:

Figure 2: calling MessageBox() jumps to the import address table and from there to the MessageBox function

IMAGE_IMPORT_DESCRIPTOR and IMAGE_THUNK_DATA correspond to DLLs and functions respectively; they form the import table of the PE file (for the data structures see winnt.h).

    // globals shared with MyTextOutA; 32-bit (PE32) code, hence the DWORD pointer casts
    DWORD pSysFunc1, pMyFunc1;
    DWORD dwProtect, temp;
    char  buffer[MAX_PATH];

    BOOL ChangeFuncEntry(HMODULE hModule)
    {
        PIMAGE_DOS_HEADER        pDosHeader;
        PIMAGE_NT_HEADERS        pNtHeader;
        PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
        DWORD                    importRva;

        /* get the system function's and my function's entry points */
        pSysFunc1 = (DWORD)GetProcAddress(GetModuleHandle("gdi32.dll"), "TextOutA");
        pMyFunc1  = (DWORD)GetProcAddress(GetModuleHandle("hookdll.dll"), "MyTextOutA");

        pDosHeader = (PIMAGE_DOS_HEADER)hModule;
        if (IsBadReadPtr(hModule, sizeof(IMAGE_DOS_HEADER)))
            return FALSE;
        if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
            return FALSE;
        pNtHeader = (PIMAGE_NT_HEADERS)((DWORD)pDosHeader + (DWORD)pDosHeader->e_lfanew);
        if (pNtHeader->Signature != IMAGE_NT_SIGNATURE)
            return FALSE;

        // a module with no import directory has VirtualAddress == 0
        importRva = pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
        if (importRva == 0)
            return FALSE;
        pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)hModule + importRva);

        while (pImportDesc->Name)            // one descriptor per imported DLL, 0-terminated
        {
            PIMAGE_THUNK_DATA pThunk;

            lstrcpynA(buffer, (char *)((DWORD)hModule + (DWORD)pImportDesc->Name), sizeof(buffer));
            CharLower(buffer);
            if (strcmp(buffer, "gdi32.dll") != 0)
            {
                pImportDesc++;
                continue;
            }

            // FirstThunk is the IAT: one slot per imported function, 0-terminated
            pThunk = (PIMAGE_THUNK_DATA)((DWORD)hModule + (DWORD)pImportDesc->FirstThunk);
            while (pThunk->u1.Function)
            {
                if ((DWORD)pThunk->u1.Function == pSysFunc1)
                {
                    VirtualProtect((LPVOID)&pThunk->u1.Function, sizeof(DWORD), PAGE_EXECUTE_READWRITE, &dwProtect);
                    pThunk->u1.Function = pMyFunc1;
                    VirtualProtect((LPVOID)&pThunk->u1.Function, sizeof(DWORD), dwProtect, &temp);
                }
                pThunk++;
            }
            return TRUE;
        }
        return FALSE;                        // this module does not import gdi32.dll
    }

Once the TextOutA entry in the import address table points to MyTextOutA, the main part of intercepting the system function call is done. When an injected process calls TextOutA, MyTextOutA is actually called; all you have to do is handle the string passed in (this is the captured screen text) inside MyTextOutA and then hand the call on to the real TextOutA for processing.
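The same walk through the import table, as an added example that is not part of the original article, written in Python over a constructed flat PE32 image (RVA == offset, as the page says holds for a mapped module) and turned around for the defender: the offsets follow IMAGE_DOS_HEADER, IMAGE_NT_HEADERS and IMAGE_IMPORT_DESCRIPTOR from winnt.h, while the module ranges and addresses are made-up sample values. It reports any IAT slot whose target lies outside the DLL it imports from, which is exactly the trace the patch above leaves in a process.

```python
import struct

# Constructed flat PE32 image (RVA == file offset), used only to exercise the parser.
NT, IMPORTS, IAT_GDI, IAT_USER, NAMES = 0x80, 0x200, 0x300, 0x320, 0x400

def build_image(textouta_ptr, messageboxa_ptr):
    """Minimal PE32 image: DOS header, NT headers, two import descriptors and
    the IAT slots already resolved, as the loader leaves them in memory."""
    img = bytearray(0x500)
    struct.pack_into("<H", img, 0, 0x5A4D)                 # e_magic 'MZ'
    struct.pack_into("<I", img, 0x3C, NT)                  # e_lfanew
    struct.pack_into("<I", img, NT, 0x4550)                # 'PE\0\0'
    struct.pack_into("<H", img, NT + 24, 0x10B)            # OptionalHeader.Magic = PE32
    struct.pack_into("<II", img, NT + 24 + 96 + 8, IMPORTS, 60)  # DataDirectory[IMPORT]
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<5I", img, IMPORTS, 0, 0, 0, NAMES, IAT_GDI)
    struct.pack_into("<5I", img, IMPORTS + 20, 0, 0, 0, NAMES + 16, IAT_USER)
    img[NAMES:NAMES + 10] = b"GDI32.dll\0"
    img[NAMES + 16:NAMES + 27] = b"user32.dll\0"
    struct.pack_into("<II", img, IAT_GDI, textouta_ptr, 0)  # IAT slot + 0 terminator
    struct.pack_into("<II", img, IAT_USER, messageboxa_ptr, 0)
    return bytes(img)

def walk_iat(img):
    """e_lfanew -> NT headers -> import directory -> one descriptor per DLL ->
    FirstThunk (IAT) entries up to the 0 terminator. Returns {dll: [targets]}."""
    assert img[:2] == b"MZ"
    nt = struct.unpack_from("<I", img, 0x3C)[0]
    assert img[nt:nt + 4] == b"PE\0\0"
    assert struct.unpack_from("<H", img, nt + 24)[0] == 0x10B   # PE32 only
    desc = struct.unpack_from("<I", img, nt + 24 + 96 + 8)[0]
    result = {}
    while (name := struct.unpack_from("<I", img, desc + 12)[0]) != 0:
        slot = struct.unpack_from("<I", img, desc + 16)[0]
        entries = []
        while (target := struct.unpack_from("<I", img, slot)[0]) != 0:
            entries.append(target)
            slot += 4
        result[img[name:img.index(b"\0", name)].decode().lower()] = entries
        desc += 20
    return result

def find_iat_hooks(img, modules):
    """modules = {dll: (base, size)} as a module walk would report; an IAT slot
    pointing outside the DLL it imports from has been redirected (e.g. to a hook DLL)."""
    hooks = []
    for dll, entries in walk_iat(img).items():
        base, size = modules[dll]
        hooks += [(dll, i, t) for i, t in enumerate(entries) if not base <= t < base + size]
    return hooks
```

On a live process the same check runs over the real module list (base and size per module) instead of the constructed ranges; a slot redirected into a module that is not the importing DLL is the finding.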
