Abstract: Describes in detail how to use DLL remote injection to replace the skin of Windows Notepad, and explains the concept and steps of DLL remote injection.

Keywords: DLL remote injection, skin replacement

I. Overview

1. DLL remote injection principle

Inserting a DLL with a remote thread means making a thread in the target process call the LoadLibrary function to load the DLL we need. Apart from the threads in our own process, we cannot easily control threads in other processes, so this approach requires us to create a new thread in the target process. Since we create that thread ourselves, we control the code it executes. Windows provides CreateRemoteThread so that a thread can easily be created in another process:

HANDLE CreateRemoteThread(HANDLE hProcess, PSECURITY_ATTRIBUTES psa, DWORD dwStackSize, PTHREAD_START_ROUTINE pfnStartAddr, PVOID pvParam, DWORD fdwCreate, PDWORD pdwThreadId);

How do we make this thread load our DLL? The thread must call the LoadLibrary function:

HINSTANCE LoadLibraryA(LPCSTR pszLibFileName);   // ANSI version
HINSTANCE LoadLibraryW(LPCWSTR pszLibFileName);  // Unicode version

So what we need to do is create a new thread whose thread function address is the address of LoadLibraryA or LoadLibraryW:

PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
HANDLE hThread = CreateRemoteThread(hProcessRemote, NULL, 0, pfnThreadRtn, "C:\\MyLib.dll", 0, NULL);

Careful readers will notice a problem here: the string "C:\\MyLib.dll" lives in the address space of the calling process, so the remote thread that reads it may cause an access violation. Therefore we must first write the DLL name into the address space of the remote process:

// Write the DLL name into the target process address space
DWORD dwSize, dwWritten;
dwSize = lstrlenA(lpszDll) + 1;
LPVOID lpBuf = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(hProcess, lpBuf, (LPVOID)lpszDll, dwSize, &dwWritten);
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, lpBuf, 0, NULL);
// Wait until LoadLibrary has finished, then reclaim the string buffer
WaitForSingleObject(hThread, INFINITE);
VirtualFreeEx(hProcess, lpBuf, dwSize, MEM_DECOMMIT);

Once the DLL has been mapped into the remote address space, its DllMain function receives a DLL_PROCESS_ATTACH notification, and the required code can be executed. Note that this way of inserting a DLL is not supported on Windows 98; it can only be used on Windows 2000 and later versions.

2. Skin replacement for Notepad

To replace Notepad's skin, two problems must be solved. First, find a suitable skin-replacement DLL; here we use Skin++ (www.uipower.com) as the skin DLL. Second, inject that DLL remotely into Notepad, using the method described above.

II. Key part of the skin replacement code

TCHAR szLibFileName[_MAX_PATH];
GetModuleFileName(NULL, szLibFileName, _MAX_PATH);
CString strLibFileName(szLibFileName);
// Keep the directory of our own executable, up to and including the last '\'
strLibFileName = strLibFileName.Left(strLibFileName.ReverseFind(_T('\\')) + 1);
strLibFileName += _T("SkinPlusPlus.dll");
_tcscpy(szLibFileName, strLibFileName);

HWND hNotepad = ::FindWindow(_T("Notepad"), NULL);
if (hNotepad == NULL) return;
DWORD dwRemoteProcessId;
::GetWindowThreadProcessId(hNotepad, &dwRemoteProcessId);
HANDLE hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
    PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, dwRemoteProcessId);

// Compute the memory space required by the DLL path name (terminator included)
int cb = (1 + _tcslen(szLibFileName)) * sizeof(TCHAR);
// Use VirtualAllocEx to allocate a buffer for the DLL file name in the remote process;
// a string buffer only needs read/write access
BYTE *pszLibFileRemote = (BYTE *)VirtualAllocEx(hRemoteProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
// Use WriteProcessMemory to copy the DLL file name into the remote process
int iReturnCode = WriteProcessMemory(hRemoteProcess, pszLibFileRemote, (PVOID)szLibFileName, cb, NULL);
// Get the LoadLibrary entry address; the variant must match the character type of szLibFileName
#ifdef UNICODE
PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
#else
PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
#endif
// Start a remote thread that calls LoadLibrary on the user's DLL file
HANDLE hThread = CreateRemoteThread(hRemoteProcess, NULL, 0, pfnStartAddr, pszLibFileRemote, 0, NULL);
WaitForSingleObject(hThread, INFINITE);
DWORD dwHandle;
GetExitCodeThread(hThread, &dwHandle);   // exit code is the HMODULE returned by LoadLibrary
VirtualFreeEx(hRemoteProcess, pszLibFileRemote, cb, MEM_DECOMMIT);
CloseHandle(hThread);
CloseHandle(hRemoteProcess);
::SetForegroundWindow(hNotepad);

3. Conclusion

DLL injection is a very popular technique on Windows today; it can be seen in, for example, MSN Shell. Interested readers can visit http://www.msnshell.com/.
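From the defender's side, a DLL loaded this way appears in Notepad's module list like any other module, but from the injector's directory rather than from the Windows directory. The following PowerShell check is added here and is not part of the original article; it lists modules loaded into notepad.exe from outside an assumed baseline of trusted directories.

```powershell
# Added example (not from the original article): enumerate modules loaded into
# notepad.exe and flag any that were not loaded from a trusted base directory.
# A DLL injected with CreateRemoteThread + LoadLibrary, such as the skin DLL
# described above, is loaded from the injector's own directory and is flagged.
# The trusted base directories below are an assumption made for illustration.
$trusted = @($env:SystemRoot, $env:ProgramFiles)

function Get-UntrustedModule {
    param([string]$ProcessName = 'notepad')
    $findings = @()
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try {
            # Process.Modules needs sufficient rights and a matching bitness;
            # otherwise it throws, and we skip that process.
            $modules = $proc.Modules
        } catch {
            Write-Warning "Cannot enumerate modules of PID $($proc.Id): $_"
            continue
        }
        foreach ($mod in $modules) {
            $path = $mod.FileName
            $isTrusted = $false
            foreach ($base in $trusted) {
                if ($path.StartsWith($base, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $isTrusted = $true
                    break
                }
            }
            if (-not $isTrusted) {
                $findings += [pscustomobject]@{
                    ProcessId = $proc.Id
                    Module    = $mod.ModuleName
                    Path      = $path
                }
            }
        }
    }
    return $findings
}

Get-UntrustedModule | Format-Table -AutoSize
```

Run it from an elevated PowerShell of the same bitness as Notepad; an empty result means every loaded module came from a trusted directory.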