// Forwarding thunks for the proxied usp10.dll exports. Each stub is a bare
// `jmp` through the matching POld* pointer, which the library's initialization
// block fills from the genuine usp10.dll via GetProcAddress. Because it is a
// jmp rather than a call, no return address is pushed: the caller's arguments
// and stack frame reach the original function untouched.
// NOTE(review): nothing guards against a POld* slot being nil — if the
// corresponding GetProcAddress failed, the stub jumps to address 0 the first
// time the host calls that export.
procedure ScriptString_pSize; asm jmp POldScriptString_pSize end;
procedure ScriptString_pcOutChars; asm jmp POldScriptString_pcOutChars end;
procedure ScriptTextOut; asm jmp POldScriptTextOut end;
procedure ScriptXtoCP; asm jmp POldScriptXtoCP end;
procedure UspAllocCache; asm jmp POldUspAllocCache end;
procedure UspAllocTemp; asm jmp POldUspAllocTemp end;
procedure UspFreeMem; asm jmp POldUspFreeMem end;
exports LpkPresent,
ScriptApplyDigitSubstitution, ScriptApplyLogicalWidth, ScriptBreak, ScriptCPtoX,
ScriptCacheGetHeight, ScriptFreeCache, ScriptGetCMap,
ScriptGetFontProperties, ScriptGetGlyphABCWidth, ScriptGetLogicalWidths, ScriptGetProperties, ScriptIsComplex, ScriptItemize, ScriptJustify, ScriptLayout, ScriptPlace,
ScriptRecordDigitSubstitution, ScriptShape,
ScriptStringAnalyse, ScriptStringCPtoX, ScriptStringFree,
ScriptStringGetLogicalWidths, ScriptStringGetOrder, ScriptStringOut, ScriptStringValidate, ScriptStringXtoCP, ScriptString_pLogAttr, ScriptString_pSize,
ScriptString_pcOutChars, ScriptTextOut, ScriptXtoCP, UspAllocCache,
UspAllocTemp, UspFreeMem;
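begin
  // Resolve the genuine usp10.dll by absolute path. This proxy is itself named
  // usp10.dll and is picked up from the host's own directory, so a bare
  // LoadLibrary('usp10.dll') would most likely hand back this already-loaded
  // module and the forwarding stubs would jump into themselves.
  // (The extracted listing had the path garbled as 'C:\\WINDOWS\\system32\%usp10.dll';
  // Pascal string literals have no escapes, so this is the intended spelling.)
  // NOTE(review): a hard-coded C:\WINDOWS breaks on installs with a different
  // Windows directory; GetSystemDirectory + '\usp10.dll' would be the portable form.
  ModHandle := LoadLibrary('C:\WINDOWS\system32\usp10.dll');
  // LoadLibrary returns 0 on failure; test for that directly instead of
  // relying on the handle being a positive signed value.
  if ModHandle <> 0 then
  begin
    // Fill the POld* slots that the asm forwarding stubs jump through.
    // NOTE(review): none of these results is checked for nil. An export that
    // is missing from the loaded module leaves its stub jumping to address 0
    // the first time the host calls it; consider failing the load (or
    // substituting a stub that returns E_NOTIMPL) when any slot is nil.
    POldLpkPresent := GetProcAddress(ModHandle, 'LpkPresent');
    POldScriptApplyDigitSubstitution := GetProcAddress(ModHandle, 'ScriptApplyDigitSubstitution');
    POldScriptApplyLogicalWidth := GetProcAddress(ModHandle, 'ScriptApplyLogicalWidth');
    POldScriptBreak := GetProcAddress(ModHandle, 'ScriptBreak');
    POldScriptCPtoX := GetProcAddress(ModHandle, 'ScriptCPtoX');
    POldScriptCacheGetHeight := GetProcAddress(ModHandle, 'ScriptCacheGetHeight');
    POldScriptFreeCache := GetProcAddress(ModHandle, 'ScriptFreeCache');
    POldScriptGetCMap := GetProcAddress(ModHandle, 'ScriptGetCMap');
    POldScriptGetFontProperties := GetProcAddress(ModHandle, 'ScriptGetFontProperties');
    POldScriptGetGlyphABCWidth := GetProcAddress(ModHandle, 'ScriptGetGlyphABCWidth');
    POldScriptGetLogicalWidths := GetProcAddress(ModHandle, 'ScriptGetLogicalWidths');
    POldScriptGetProperties := GetProcAddress(ModHandle, 'ScriptGetProperties');
    POldScriptIsComplex := GetProcAddress(ModHandle, 'ScriptIsComplex');
    POldScriptItemize := GetProcAddress(ModHandle, 'ScriptItemize');
    POldScriptJustify := GetProcAddress(ModHandle, 'ScriptJustify');
    POldScriptLayout := GetProcAddress(ModHandle, 'ScriptLayout');
    POldScriptPlace := GetProcAddress(ModHandle, 'ScriptPlace');
    POldScriptRecordDigitSubstitution := GetProcAddress(ModHandle, 'ScriptRecordDigitSubstitution');
    POldScriptShape := GetProcAddress(ModHandle, 'ScriptShape');
    POldScriptStringAnalyse := GetProcAddress(ModHandle, 'ScriptStringAnalyse');
    POldScriptStringCPtoX := GetProcAddress(ModHandle, 'ScriptStringCPtoX');
    POldScriptStringFree := GetProcAddress(ModHandle, 'ScriptStringFree');
    POldScriptStringGetLogicalWidths := GetProcAddress(ModHandle, 'ScriptStringGetLogicalWidths');
    POldScriptStringGetOrder := GetProcAddress(ModHandle, 'ScriptStringGetOrder');
    POldScriptStringOut := GetProcAddress(ModHandle, 'ScriptStringOut');
    POldScriptStringValidate := GetProcAddress(ModHandle, 'ScriptStringValidate');
    POldScriptStringXtoCP := GetProcAddress(ModHandle, 'ScriptStringXtoCP');
    POldScriptString_pLogAttr := GetProcAddress(ModHandle, 'ScriptString_pLogAttr');
    POldScriptString_pSize := GetProcAddress(ModHandle, 'ScriptString_pSize');
    POldScriptString_pcOutChars := GetProcAddress(ModHandle, 'ScriptString_pcOutChars');
    POldScriptTextOut := GetProcAddress(ModHandle, 'ScriptTextOut');
    POldScriptXtoCP := GetProcAddress(ModHandle, 'ScriptXtoCP');
    POldUspAllocCache := GetProcAddress(ModHandle, 'UspAllocCache');
    POldUspAllocTemp := GetProcAddress(ModHandle, 'UspAllocTemp');
    POldUspFreeMem := GetProcAddress(ModHandle, 'UspFreeMem');
  end;
  // Placeholder for the payload. In the extracted listing the closing
  // `end; end.` shared a line with this `//` comment and was therefore
  // commented out; they must stay on their own lines.
  begin
    // Add your own patch code here.
  end;
end.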
第八种方法:
也是现在比较流行的注入方式
利用未公开函数InitializeLpkHooks。这个函数在网上能找到的资料更少,只有一个声明而已。但是它名称中最后那个“Hooks”误导了我,我以为又是一个可以用来注入DLL的不错函数,用OD反出来一看,原来只是个局部HOOK而已(它只替换当前进程里lpk.dll的四个入口,并不会把DLL注入到其他进程)。虽然没太大用,还是一并写上吧,也许谁用得着呢。
InitializeLpkHooks顾名思义就是HOOK LPK的,Windows有个lpk.dll,就是支持多语言包的那么
个功能。测试发现好多程序在TextOut之前似乎是要调用lpk.dll里面的相关函数的,可能是支持
多语言的程序就需要用这个来判断到底要显示那种语言吧。而InitializeLpkHooks,就是用来
HOOK lpk.dll里面的4个函数的,这4个函数是LpkTabbedTextOut,LpkPSMTextOut,
LpkDrawTextEx,LpkEditControl。我们先打开VB,在窗体中加入以下代码吧: Private Sub Form_Load()
' NOTE(review): the string arguments to LoadLibrary and GetProcAddress did not
' survive extraction (a bare `\` is not valid VB); the DLL name and the export
' name must be restored before this compiles.
DLLhwnd = LoadLibrary(\ 'load the helper DLL
DLLFunDre = GetProcAddress(DLLhwnd, \ 'read the callback address out of it (restored on unload)
' Leave three of the four lpk.dll slots untouched (0) and point only
' LpkDrawTextEx at our own VB procedure.
LpkHooksInfo.lpHookProc_LpkTabbedTextOut = 0
LpkHooksInfo.lpHookProc_LpkPSMTextOut = 0
LpkHooksInfo.lpHookProc_LpkDrawTextEx = GetLocalProcAdress(AddressOf HookProc1) 'the LPK function to hook
LpkHooksInfo.lpHookProc_LpkEditControl = 0
' Hand the table to the undocumented user32 entry point; from here on every
' LpkDrawTextEx call in this process is routed to HookProc1.
InitializeLpkHooks LpkHooksInfo
End Sub
Private Sub Form_Unload(Cancel As Integer)
    ' Re-register the hook table with the LpkDrawTextEx slot pointing back at
    ' the address read from the helper DLL in Form_Load, then release the DLL.
    With LpkHooksInfo
        .lpHookProc_LpkTabbedTextOut = 0
        .lpHookProc_LpkPSMTextOut = 0
        .lpHookProc_LpkDrawTextEx = DLLFunDre
        .lpHookProc_LpkEditControl = 0
    End With
    InitializeLpkHooks LpkHooksInfo
    ' NOTE(review): DLLFunDre was obtained with GetProcAddress on DLLhwnd, so
    ' after the FreeLibrary below the installed hook points into an unmapped
    ' module — any LpkDrawTextEx call dispatched afterwards is a wild jump.
    ' Clearing the slot (0, if 0 really means "no hook" for this undocumented
    ' API) before FreeLibrary looks safer; confirm the semantics first.
    FreeLibrary DLLhwnd
End Sub
然后新建一个模块,在模块中加入以下代码:
' Win32 imports. The Lib "..." module names, any Alias clauses and most of the
' parameter lists were lost in extraction (each stray `\` marks where a string
' literal stood), so as printed these Declares do not compile.
' NOTE(review): LoadLibrary/GetProcAddress/FreeLibrary are kernel32 exports and
' InitializeLpkHooks is presumably exported by user32 — confirm against the
' original listing before restoring them.
Public Declare Function LoadLibrary Lib \
lpLibFileName As String) As Long
Public Declare Function GetProcAddress Lib \
lpProcName As String) As Long
Public Declare Function FreeLibrary Lib \' ---------------- undocumented function --------------------------------------
Public Declare Sub InitializeLpkHooks Lib \
' Hook table passed to InitializeLpkHooks: one slot per lpk.dll entry point.
' The sample leaves the slots it does not replace at 0 (see Form_Load).
Type LpkHooksSetting
    lpHookProc_LpkTabbedTextOut As Long
    lpHookProc_LpkPSMTextOut As Long
    lpHookProc_LpkDrawTextEx As Long
    lpHookProc_LpkEditControl As Long
End Type
' -------------------------------
' Module handle of the helper DLL, the callback address read from it, and the
' hook table shared by Form_Load / Form_Unload.
Public DLLhwnd As Long, DLLFunDre As Long
Public LpkHooksInfo As LpkHooksSetting
' Identity helper: returns its argument unchanged. The usual reason for this
' idiom is that VB6 accepts AddressOf only as a call argument, so routing it
' through a function yields the procedure address as a storable Long.
Public Function GetLocalProcAdress(ByVal lpProc As Long) As Long
    Dim addr As Long
    addr = lpProc
    GetLocalProcAdress = addr
End Function
' Replacement for LpkDrawTextEx. It ignores every argument and returns 0, so
' whatever text the caller wanted drawn is never drawn (the text above notes
' the form's caption and button labels disappearing once it is installed).
' NOTE(review): the ten-Long parameter list is the author's guess at the real
' prototype. A callback with the wrong argument count unbalances the caller's
' stack on return, so verify it against LpkDrawTextEx before relying on this.
Function HookProc1(ByVal a1 As Long, ByVal a2 As Long, ByVal a3 As Long, _
                   ByVal a4 As Long, ByVal a5 As Long, ByVal a6 As Long, _
                   ByVal a7 As Long, ByVal a8 As Long, ByVal a9 As Long, _
                   ByVal a10 As Long) As Long
    Dim result As Long
    result = 0
    HookProc1 = result
End Function
运行一下看看,是不是窗体中标题栏和按钮上的文字都没有了,因为我们把函数LpkDrawTextEx替
换成自己的函数HookProc1了。这个函数有10个参数,其中几个好像是字符串指针,似乎可以用来
截获窗体要显示的文字,然后改成另一种语言的文字,我猜想,也许就是这个用途吧。哈哈,纯
属猜测。以上就是函数InitializeLpkHooks的用法了。
第九种方法:
利用输入法注入
注入DLL是做全局钩子或者拦截类软件都有可能用到的技术,如果做外挂的话我们也有可能需
要注入一个DLL到游戏进程中去干点什么“坏事”。 但我们知道现在要注入DLL是越来越难了。场
景1:制作火星文输入法外挂,原理是利用API HOOK拦截并修改输入法相关函数,需要注入一个
DLL到所有进程中,但是后来发现,在开启了瑞星的帐号保险箱后,用户将不能在QQ中输入火星文
。原因是瑞星保护了QQ进程,禁止对其注入DLL,解决方法是提示用户关闭帐号保险箱 -_-| 确