Classic reprint: an alternative DLL injection method

Source: Internet
Author: User
Tags: rar

Reposted from: http://blog.csdn.net/onevs1/article/details/5692680

Input method injection [reprint]

I searched Baidu and the discussions there go into more detail, but I still did not understand it, so I am pasting the original here!
---------------------------------------------------------------------------------------------- The original follows
An alternative way to inject a DLL from Ring3 that gets past antivirus software and game NP protection (with source code)


DLL injection is the technique behind global hooks and behind tools that intercept or patch other software.

If you write game plug-ins, you also have to inject a DLL into the game process to do something "bad" in there.

But, as everyone knows, injecting a DLL is getting harder.

Scenario 1:

I wrote a "Martian script" (火星文) input-method plug-in. It works by API-hooking the input-method functions to intercept and rewrite what is typed,

which requires injecting a DLL into every process. Later it turned out that

once Rising's "Account Safe" feature was switched on, users could no longer type Martian script in QQ.

The reason: Rising protects the QQ process and forbids DLL injection into it. The "solution" was to tell users to turn Account Safe off -_-|

That degrades the user experience; it is not really a solution.


Scenario 2:

To write a game plug-in you inject a DLL into the game process so that you can call the game's own functions directly.

But the game is protected by NP (nProtect GameGuard): OpenProcess fails, CreateRemoteThread fails,

and every other method I tried failed as well.

In situations like these the experts naturally drop down to Ring0

and deal with it from a driver, but we rookies simply cannot do that -_-|



Still, don't lose heart; there is always a way.

What we need is a long-lived, stable DLL injection method that security software cannot easily block.

It turned out that an input method (IME) program is the ideal candidate for the job.

What makes an IME special?

It has no process of its own;

it is loaded before anyone has logged in (an input method can be invoked on the Welcome screen);

it can be opened inside a game or inside a console program;

it can be opened inside the QQ that Rising protects, and even inside the antivirus itself.

Isn't that exactly the property we are looking for?

So what exactly is an input method?

By Windows' rules an input method is really a DLL,

but a special one:

it must export the interfaces that the IME specification prescribes (ImeInquire, ImeSelect, ImeProcessKey, ImeToAsciiEx, NotifyIME and the other Ime* entry points).

An input method is controlled by the Input Method Manager (Imm32.dll),

and the Input Method Manager is in turn driven by User32.dll.

In the system directory an input method is a file with the .ime extension.

When an application activates an input method,

the Input Method Manager loads the corresponding .ime file into that application's process.

Note that loading an .ime file is not fundamentally different from loading an ordinary DLL (the IME is loaded like any other library, and its DllMain runs inside the target process),

so you can regard an input method as a DLL that gets injected into the application,

and this "injection" is not blocked by antivirus software or by game NP protection (at least, not yet).

That gives us our alternative DLL injection method:

use an input method.


The concrete procedure is this.

First write a standard input-method file,

but one that does no actual text input:

its only job is to inject the DLL,

so I call it the "service input method".

Then write a control program

that drives the service input method, plus of course the target DLL to be injected.

Three files in all.

When work starts, the control program first installs the service input method into the system (Imm32 provides ImmInstallIME for this),

then passes the service input method a few parameters,

among them the name and full path of the DLL to inject.

The control program then makes the service input method the system's default input method.

From then on, whenever a new program starts, the service input method is loaded into it and injects that program.

Programs that were already running before the service input method was installed are naturally not injected;

for those you post a WM_INPUTLANGCHANGEREQUEST message (with the HKL of the service input method as lParam) to every window in the system.

That message makes the specified window switch to the service input method in the background.

In this way every process in the system that owns a window is injected by our service input method.

Once the service input method has been loaded into a process, it loads the target DLL according to the parameters it received from the control program,

so the target DLL rides into the target program together with the service input method.

Note that the control program activates the service input method in every window with WM_INPUTLANGCHANGEREQUEST;

if automatic activation fails in some window, you have to switch that window to the service input method by hand

before it gets injected.

After injection you may switch that window to another input method;

that does not affect DLLs that were already injected.

I have built all this into a complete example,

which you can download from: Http://www.pen88.com/download/imehook.rar

Folders 6 and 8 in the package demonstrate the feature and include all the source code.

The file Imedllhost09.dll is the service input method; at run time it is installed into the system

and is uninstalled automatically when the control program exits, so the user is unlikely to notice.

You can also recompile the input method and change its display name to something like "Chinese (Chinese)"

for better concealment.

The file Hxwdllwx.dll is the target DLL for the demo;

you can replace it with your own DLL.

The EXE file is the control program.

At run time the input method Imedllhost09.dll is copied to the system directory and renamed to Imedllhost09.ime.

It exports 2 control functions.

In VB the declarations are (the function name in a Declare without an Alias is looked up case-sensitively, so keep whatever casing the .ime actually exports):

Public Declare Function imesetpubstring Lib "Imedllhost09.ime" (ByVal RunDllStr As String, ByVal UnloadDll As Long, ByVal LoadNextIme As Long, ByVal DllData1 As Long, ByVal DllData2 As Long, ByVal DllData3 As Long) As Long
Public Declare Function imeclearpubstring Lib "Imedllhost09.ime" () As Long


imesetpubstring passes the injection parameters (which DLL to inject, and so on) to the input method:

RunDllStr: the file name and full path of the DLL to inject.

UnloadDll: whether to unload the target DLL as well when the input method is unloaded from a process: 0 = yes, 1 = no.

LoadNextIme: when a window switches to the service input method,

whether to switch straight on to the next input method, so that the service input method appears to be skipped and the user's input-method order is disturbed as little as possible:

0 = no, 1 = yes.

DllData1, DllData2, DllData3 are passed through to the target DLL's callback function (which must be named Rundllhostcallback).

Export a function from the target DLL

named Rundllhostcallback; once the input method has been injected, it calls that function and hands it these 3 parameters.

The prototype is (VC):
DWORD Rundllhostcallback(DWORD calldata1, DWORD calldata2, DWORD calldata3);

(The service input method locates it with GetProcAddress, so the export name, including its case, has to match exactly.)

imeclearpubstring clears the input method's configuration.

Once cleared,

the IME stops injecting the target DLL into newly started programs,

but DLLs that were already injected are not unloaded.
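A defender-side check, added here as an example (it is not code from the article or from the imehook.rar package): the service input method has to be registered under HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts with an "Ime File" value, and the article itself suggests renaming it to look like a stock Chinese IME. The script below parses an exported copy of that key and flags IME entries by three heuristics: an HKL device word at or above 0xE020 (where, as an assumption of this example, ImmInstallIME places third-party IMEs), an IME file name absent from a baseline recorded on a clean machine, and a display name shared with another layout. The sample export and the baseline set are constructed for the example.

```python
r"""Offline triage of the "Keyboard Layouts" key for rogue IMEs.

Added example; not code from the article or its imehook.rar package. Input is
the text that  reg export "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts" x.reg
writes (UTF-16LE with a BOM on disk; decode it before calling parse_reg). The 0xE020
threshold, the baseline set and the sample export are assumptions made for this example.
"""
import re
from dataclasses import dataclass

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.*)$')

# Heuristic (assumption): ImmInstallIME hands third-party IMEs HKLs whose device word
# starts at 0xE020, while IMEs shipped with Windows sit below that. Verify on your build.
THIRD_PARTY_IME_DEVICE = 0xE020


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: value}}; quoted REG_SZ values are unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if (m := KEY_RE.match(line)):
            current = m.group(1)
            keys[current] = {}
            continue
        if current is not None and (m := VALUE_RE.match(line)):
            name, value = m.groups()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                # .reg escapes backslash and double quote with a backslash
                value = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = value
    return keys


def hkl_parts(hkl: int) -> tuple:
    """Split a keyboard-layout handle into (device word, language id)."""
    return (hkl >> 16) & 0xFFFF, hkl & 0xFFFF


@dataclass
class Finding:
    hkl: int
    layout_text: str
    ime_file: str
    reasons: list


def audit_layouts(keys: dict, known_ime_files: set) -> list:
    """Flag IME entries that look installed or disguised rather than shipped.

    known_ime_files: lower-case .ime names recorded on a clean machine of the same
    Windows build. Both sides of a display-name collision are reported; the
    baseline tells you which one is the impostor.
    """
    layouts = {}
    for path, values in keys.items():
        leaf = path.rsplit("\\", 1)[-1]
        if len(leaf) == 8 and all(c in "0123456789abcdefABCDEF" for c in leaf):
            layouts[int(leaf, 16)] = values

    # Display names used by more than one layout: renaming the service IME after a
    # stock Chinese IME, as the article suggests, produces exactly this pattern.
    by_text = {}
    for hkl, values in layouts.items():
        by_text.setdefault(values.get("Layout Text", "").casefold(), set()).add(hkl)

    findings = []
    for hkl in sorted(layouts):
        values = layouts[hkl]
        ime = values.get("Ime File")
        if not ime:
            continue  # plain keyboard layout: nothing gets loaded into processes
        text = values.get("Layout Text", "")
        reasons = []
        device, _lang = hkl_parts(hkl)
        if device >= THIRD_PARTY_IME_DEVICE:
            reasons.append("device word %04X: installed with ImmInstallIME, not shipped" % device)
        if ime.lower() not in known_ime_files:
            reasons.append("IME file %s is not in the clean baseline" % ime)
        if len(by_text.get(text.casefold(), ())) > 1:
            reasons.append("layout text %r is shared with another layout (name spoof?)" % text)
        if reasons:
            findings.append(Finding(hkl, text, ime, reasons))
    return findings


# Constructed sample export: one plain layout, one stock IME, and a service IME
# installed by a control program and renamed to match the stock IME's display name.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000409]
"Layout File"="KBDUS.DLL"
"Layout Text"="US"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0010804]
"Ime File"="winpy.ime"
"Layout File"="kbdus.dll"
"Layout Text"="Chinese (Simplified) - Microsoft Pinyin"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0200804]
"Ime File"="Imedllhost09.ime"
"Layout File"="kbdus.dll"
"Layout Text"="Chinese (Simplified) - Microsoft Pinyin"
'''

if __name__ == "__main__":
    for f in audit_layouts(parse_reg(SAMPLE_REG), known_ime_files={"winpy.ime"}):
        print("%08X  %-40s  %s" % (f.hkl, f.layout_text, f.ime_file))
        for reason in f.reasons:
            print("    -", reason)
```

Because the control program uninstalls the service input method when it exits, a live export may already look clean; run the same check against registry hive backups or volume shadow copies, and for live monitoring watch for new sub-keys under Keyboard Layouts (Sysmon Event ID 12/13) and for processes loading a .ime from the system directory that is not in your baseline (Sysmon Event ID 7).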


That is basically how DLL injection with an input method works.

For detailed usage, see folder 8 in the package:

the service input method is written in VC,

the control program in VB,

and the code is commented.

In testing, the method injected into every current antivirus product, and even into IceSword.

It does have a weakness: if the target program does not accept input methods at all, there is nothing to be done.

But games these days generally do not stop the player from typing in them,

and antivirus software can hardly stop users from entering Chinese characters, haha, so the generality should be good.



**************************************************************************************

Finally, let me introduce another, rarely used DLL injection method:

the RegisterUserApiHook function.

You can search online for the keyword "RegisterUserApiHook".

I found reports of it working on Windows 2003, but my own test on Windows XP failed,
and it took a while to find out why.
RegisterUserApiHook registers a global hook in the system;
you hand it a DLL and a callback function.
After that, every program that loads User32.dll loads your DLL at startup.
That makes it a pleasant way to inject DLLs as well.
In testing, though, its reach does not match the input-method method above:
it can inject into ordinary programs and some security software,
but not into IceSword.
It also has a limitation:
only one such hook can exist in the system at a time,
and that hook is normally already taken by the system's Themes service.
The Themes service uses it to hook the window-drawing APIs
so that every program's windows get the XP visual style.
So to use this hook
the Themes service has to be stopped first.
Then it works on XP as well,
but the system falls back to the Windows 2000 (Classic) look -_-|


The VB declarations of RegisterUserApiHook are:
Public Declare Function RegisterUserApiHookXP Lib "user32" Alias "RegisterUserApiHook" (ByVal hInstance As Long, ByVal fnUserApis As Long) As Long
Public Declare Function RegisterUserApiHook2003 Lib "user32" Alias "RegisterUserApiHook" (pRegInfo As HookAPIRegInfo2003) As Long


As you can see, the function's parameters differ between XP and 2003: XP takes a module handle and a function pointer, 2003 takes a structure describing the hook.

For sample code see folder 5 in the package.

*******************************************************
Last of all,
an undocumented function: InitializeLpkHooks.
There is very little about it on the web,
just a single declaration.
The "Hooks" at the end of its name misled me:
I took it for another nice function for injecting DLLs.
After looking at it in OllyDbg,
it turned out to be a local hook only,
so it is not much use.
I'll write it up anyway;
someone may need it.
InitializeLpkHooks, as the name says, hooks LPK.
Windows has an Lpk.dll,
the language pack that supports multiple languages.
Testing shows that many programs call the relevant Lpk.dll functions before TextOut;
presumably programs that support multiple languages use it to decide which language to display.
InitializeLpkHooks
hooks 4 functions in Lpk.dll:
LpkTabbedTextOut, LpkPSMTextOut, LpkDrawTextEx and LpkEditControl.
Open VB and add the following code to the form:
Private Sub Form_Load()
    DllHwnd = LoadLibrary("Lpk.dll")                        ' Load Lpk.dll
    DllFunDre = GetProcAddress(DllHwnd, "LpkDrawTextEx")    ' Keep the original address so it can be restored on exit

    LpkHooksInfo.LpHookProc_LpkTabbedTextOut = 0
    LpkHooksInfo.LpHookProc_LpkPSMTextOut = 0
    LpkHooksInfo.LpHookProc_LpkDrawTextEx = GetLocalProcAddress(AddressOf HookProc1) ' The LPK function to hook
    LpkHooksInfo.LpHookProc_LpkEditControl = 0
    InitializeLpkHooks LpkHooksInfo
End Sub

Private Sub Form_Unload(Cancel As Integer)
    ' Put the original LpkDrawTextEx back before the process goes away
    LpkHooksInfo.LpHookProc_LpkTabbedTextOut = 0
    LpkHooksInfo.LpHookProc_LpkPSMTextOut = 0
    LpkHooksInfo.LpHookProc_LpkDrawTextEx = DllFunDre
    LpkHooksInfo.LpHookProc_LpkEditControl = 0
    InitializeLpkHooks LpkHooksInfo
    FreeLibrary DllHwnd
End Sub


Then create a new module and add the following code to it:

Public Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Public Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Public Declare Function FreeLibrary Lib "kernel32" (ByVal hLibModule As Long) As Long
'---------------- undocumented function (not in the SDK headers) --------------------------------------
Public Declare Sub InitializeLpkHooks Lib "user32" (lpProcType As Any)

' Four function pointers in the order user32 expects; the entries not being hooked stay 0, as in the original code
Type LpkHooksSetting
    LpHookProc_LpkTabbedTextOut As Long
    LpHookProc_LpkPSMTextOut As Long
    LpHookProc_LpkDrawTextEx As Long
    LpHookProc_LpkEditControl As Long
End Type

' -------------------------------
Public DllHwnd As Long, DllFunDre As Long
Public LpkHooksInfo As LpkHooksSetting

' AddressOf cannot be assigned to a variable directly, so route it through a function that returns the value
Public Function GetLocalProcAddress(ByVal lpProc As Long) As Long
    GetLocalProcAddress = lpProc
End Function

' Replacement for LpkDrawTextEx: takes its ten parameters, draws nothing and returns 0
Function HookProc1(ByVal A1 As Long, ByVal A2 As Long, ByVal A3 As Long, ByVal A4 As Long, ByVal A5 As Long, ByVal A6 As Long, ByVal A7 As Long, ByVal A8 As Long, ByVal A9 As Long, ByVal A10 As Long) As Long
    HookProc1 = 0
End Function

Run it and look:
the text on the form's title bar and buttons is gone,
because we replaced LpkDrawTextEx with our own HookProc1, which draws nothing.
The function has 10 parameters,
several of which appear to be string pointers;
it seems to get hold of the text the window is about to display
and could presumably swap it for text in another language.
That is my guess at what it is for, pure speculation. So much for InitializeLpkHooks.

That is all.
All sample code for this article: Http://www.pen88.com/download/imehook.rar

My QQ is 511795070; feel free to get in touch. (Note: this QQ belongs to the original author, not to me, the reposter, so as to avoid misunderstanding.)
--------------------------------------------------------------------------------------------------------------- The original ends here

