  • 利用DLL劫持内存补丁技术注入

         当一个可执行文件运行时，Windows 加载器将可执行模块映射到进程的地址空间中，分析可执行模块的输入表，找出它所需要的每一个 DLL，并将这些 DLL 也映射到进程的地址空间中。由于输入表中只包含 DLL 的文件名而不含路径，加载器必须在磁盘上搜索 DLL 文件：首先尝试从当前程序所在的目录加载；如果没找到，则在 Windows 系统目录中查找；最后才在环境变量中列出的各个目录下查找。利用这个特点，可以先伪造一个与系统 DLL 同名的 DLL，提供同样的输出表，每个输出函数都转向真正的系统 DLL。程序调用系统 DLL 时会先调用当前目录下伪造的 DLL，完成相关功能后，再跳到系统 DLL 的同名函数里继续执行。用一个形象的词来描述这个过程，就是系统 DLL 被劫持（hijack）了。
    示例DELPHI源码:

    // Proxy library named after the system module it stands in for: the
    // project name USP10 makes the build output usp10.dll, which is the file
    // name the host's import table resolves (see the description above the
    // listing).
    Library USP10;  
    uses
    Windows,  
    SysUtils,  
    Classes;  
    // Links the project's resource file (version info etc.) into the module.
    {$R *.res}
    // NOTE(review): as pasted, the declarations below are not introduced by a
    // `var` keyword, so this listing does not compile verbatim.
    // Module handle of the genuine usp10.dll returned by LoadLibrary in the
    // initialization section; 0 when loading failed.
    ModHandle: Cardinal;  
    // One forwarding target per exported name. Each is filled by
    // GetProcAddress in the initialization section and is the destination of
    // the `jmp` in the same-named stub below. Nothing in the listing checks
    // any of them for nil, so a failed LoadLibrary or a missing export leaves
    // a nil target that the stub will jump to.
    POldLpkPresent: Pointer;  
    POldScriptApplyDigitSubstitution: Pointer;  
    POldScriptApplyLogicalWidth: Pointer;  
    POldScriptBreak: Pointer;  
    POldScriptCPtoX: Pointer;  
    POldScriptCacheGetHeight: Pointer;  
    POldScriptFreeCache: Pointer;  
    POldScriptGetCMap: Pointer;  
    POldScriptGetFontProperties: Pointer;  
    POldScriptGetGlyphABCWidth: Pointer;  
    POldScriptGetLogicalWidths: Pointer;  
    POldScriptGetProperties: Pointer;  
    POldScriptIsComplex: Pointer;  
    POldScriptItemize: Pointer;  
    POldScriptJustify: Pointer;  
    POldScriptLayout: Pointer;  
    POldScriptPlace: Pointer;  
    POldScriptRecordDigitSubstitution: Pointer;  
    POldScriptShape: Pointer;  
    POldScriptStringAnalyse: Pointer;  
    POldScriptStringCPtoX: Pointer;  
    POldScriptStringFree: Pointer;  
    POldScriptStringGetLogicalWidths: Pointer;  
    POldScriptStringGetOrder: Pointer;  
    POldScriptStringOut: Pointer;  
    POldScriptStringValidate: Pointer;  
    POldScriptStringXtoCP: Pointer;  
    POldScriptString_pLogAttr: Pointer;  
    POldScriptString_pSize: Pointer;  
    POldScriptString_pcOutChars: Pointer;  
    POldScriptTextOut: Pointer;  
    POldScriptXtoCP: Pointer;  
    POldUspAllocCache: Pointer;  
    POldUspAllocTemp: Pointer;  
    POldUspFreeMem: Pointer;  
    // Forwarding stubs. Each exported procedure is nothing but an indirect
    // `jmp` through the matching POld* pointer, so control transfers to the
    // genuine function with the caller's stack and registers untouched; the
    // original calling convention and arguments therefore pass through
    // unchanged and no behaviour is added here. If the pointer is still nil
    // (LoadLibrary or GetProcAddress failed in the initialization section)
    // the jump lands on address 0 and the host process faults on the first
    // call into this module.
    procedure LpkPresent; asm jmp POldLpkPresent end;  
    procedure ScriptApplyDigitSubstitution; asm jmp POldScriptApplyDigitSubstitution end;  
    procedure ScriptApplyLogicalWidth; asm jmp POldScriptApplyLogicalWidth end;  
    procedure ScriptBreak; asm jmp POldScriptBreak end;  
    procedure ScriptCPtoX; asm jmp POldScriptCPtoX end;  
    procedure ScriptCacheGetHeight; asm jmp POldScriptCacheGetHeight end;  
    procedure ScriptFreeCache; asm jmp POldScriptFreeCache end;  
    procedure ScriptGetCMap; asm jmp POldScriptGetCMap end;  
    procedure ScriptGetFontProperties; asm jmp POldScriptGetFontProperties end;  
    procedure ScriptGetGlyphABCWidth; asm jmp POldScriptGetGlyphABCWidth end;  
    procedure ScriptGetLogicalWidths; asm jmp POldScriptGetLogicalWidths end;  
    procedure ScriptGetProperties; asm jmp POldScriptGetProperties end;  
    procedure ScriptIsComplex; asm jmp POldScriptIsComplex end;  
    procedure ScriptItemize; asm jmp POldScriptItemize end;  
    procedure ScriptJustify; asm jmp POldScriptJustify end;  
    procedure ScriptLayout; asm jmp POldScriptLayout end;  
    procedure ScriptPlace; asm jmp POldScriptPlace end;  
    procedure ScriptRecordDigitSubstitution; asm jmp POldScriptRecordDigitSubstitution end;  
    procedure ScriptShape; asm jmp POldScriptShape end;  
    procedure ScriptStringAnalyse; asm jmp POldScriptStringAnalyse end;  
    procedure ScriptStringCPtoX; asm jmp POldScriptStringCPtoX end;  
    procedure ScriptStringFree; asm jmp POldScriptStringFree end;  
    procedure ScriptStringGetLogicalWidths; asm jmp POldScriptStringGetLogicalWidths end;  
    procedure ScriptStringGetOrder; asm jmp POldScriptStringGetOrder end;  
    procedure ScriptStringOut; asm jmp POldScriptStringOut end;  
    procedure ScriptStringValidate; asm jmp POldScriptStringValidate end;  
    procedure ScriptStringXtoCP; asm jmp POldScriptStringXtoCP end;  
    procedure ScriptString_pLogAttr; asm jmp POldScriptString_pLogAttr end;  
    procedure ScriptString_pSize; asm jmp POldScriptString_pSize end;  
    procedure ScriptString_pcOutChars; asm jmp POldScriptString_pcOutChars end;  
    procedure ScriptTextOut; asm jmp POldScriptTextOut end;  
    procedure ScriptXtoCP; asm jmp POldScriptXtoCP end;  
    procedure UspAllocCache; asm jmp POldUspAllocCache end;  
    procedure UspAllocTemp; asm jmp POldUspAllocTemp end;  
    procedure UspFreeMem; asm jmp POldUspFreeMem end;  
    
    // Export table that mirrors the export names of the genuine usp10.dll, so
    // the loader resolves every import the host expects from that module
    // against this one instead. From a defender's standpoint this is also the
    // tell-tale shape of a proxy DLL: a module sitting in an application
    // directory under a system DLL's name, whose export names match the
    // system DLL but whose exported code consists only of jump stubs.
    exports
    LpkPresent,  
    ScriptApplyDigitSubstitution,  
    ScriptApplyLogicalWidth,  
    ScriptBreak,  
    ScriptCPtoX,  
    ScriptCacheGetHeight,  
    ScriptFreeCache,  
    ScriptGetCMap,  
    ScriptGetFontProperties,  
    ScriptGetGlyphABCWidth,  
    ScriptGetLogicalWidths,  
    ScriptGetProperties,  
    ScriptIsComplex,  
    ScriptItemize,  
    ScriptJustify,  
    ScriptLayout,  
    ScriptPlace,  
    ScriptRecordDigitSubstitution,  
    ScriptShape,  
    ScriptStringAnalyse,  
    ScriptStringCPtoX,  
    ScriptStringFree,  
    ScriptStringGetLogicalWidths,  
    ScriptStringGetOrder,  
    ScriptStringOut,  
    ScriptStringValidate,  
    ScriptStringXtoCP,  
    ScriptString_pLogAttr,  
    ScriptString_pSize,  
    ScriptString_pcOutChars,  
    ScriptTextOut,  
    ScriptXtoCP,  
    UspAllocCache,  
    UspAllocTemp,  
    UspFreeMem;  
    // Library initialization section: runs once when the module is mapped
    // into the host process, before any of the exported stubs can be called.
    begin
    // The genuine module is loaded by an absolute path rather than by its
    // bare name — presumably because a search by name would resolve to this
    // proxy, which is already loaded under the same name (confirm). The path
    // is hard-coded, so it only matches installations whose Windows
    // directory is at that location.
    ModHandle:= LoadLibrary('C:\WINDOWS\system32\usp10.dll');  
    // LoadLibrary returns 0 on failure. Only the success path fills the
    // forwarding pointers; on failure nothing is reported and every pointer
    // stays nil, which the stubs above do not guard against. GetProcAddress
    // likewise returns nil for a name the loaded module does not export, and
    // that result is stored unchecked.
    if ModHandle > 0 then
    begin
       POldLpkPresent:= GetProcAddress(ModHandle, 'LpkPresent');  
       POldScriptApplyDigitSubstitution:= GetProcAddress(ModHandle,'ScriptApplyDigitSubstitution');  
       POldScriptApplyLogicalWidth:= GetProcAddress(ModHandle,'ScriptApplyLogicalWidth');  
       POldScriptBreak:= GetProcAddress(ModHandle, 'ScriptBreak');  
       POldScriptCPtoX:= GetProcAddress(ModHandle, 'ScriptCPtoX');  
       POldScriptCacheGetHeight:= GetProcAddress(ModHandle, 'ScriptCacheGetHeight');  
       POldScriptFreeCache:= GetProcAddress(ModHandle, 'ScriptFreeCache');  
       POldScriptGetCMap:= GetProcAddress(ModHandle, 'ScriptGetCMap');  
       POldScriptGetFontProperties:= GetProcAddress(ModHandle,'ScriptGetFontProperties');  
       POldScriptGetGlyphABCWidth:= GetProcAddress(ModHandle, 'ScriptGetGlyphABCWidth');  
       POldScriptGetLogicalWidths:= GetProcAddress(ModHandle, 'ScriptGetLogicalWidths');  
       POldScriptGetProperties:= GetProcAddress(ModHandle, 'ScriptGetProperties');  
       POldScriptIsComplex:= GetProcAddress(ModHandle, 'ScriptIsComplex');  
       POldScriptItemize:= GetProcAddress(ModHandle, 'ScriptItemize');  
       POldScriptJustify:= GetProcAddress(ModHandle, 'ScriptJustify');  
       POldScriptLayout:= GetProcAddress(ModHandle, 'ScriptLayout');  
       POldScriptPlace:= GetProcAddress(ModHandle, 'ScriptPlace');  
       POldScriptRecordDigitSubstitution:= GetProcAddress(ModHandle,'ScriptRecordDigitSubstitution');  
       POldScriptShape:= GetProcAddress(ModHandle, 'ScriptShape');  
       POldScriptStringAnalyse:= GetProcAddress(ModHandle, 'ScriptStringAnalyse');  
       POldScriptStringCPtoX:= GetProcAddress(ModHandle, 'ScriptStringCPtoX');  
       POldScriptStringFree:= GetProcAddress(ModHandle, 'ScriptStringFree');  
       POldScriptStringGetLogicalWidths:= GetProcAddress(ModHandle,'ScriptStringGetLogicalWidths');  
       POldScriptStringGetOrder:= GetProcAddress(ModHandle, 'ScriptStringGetOrder');  
       POldScriptStringOut:= GetProcAddress(ModHandle, 'ScriptStringOut');  
       POldScriptStringValidate:= GetProcAddress(ModHandle, 'ScriptStringValidate');  
       POldScriptStringXtoCP:= GetProcAddress(ModHandle, 'ScriptStringXtoCP');  
       POldScriptString_pLogAttr:= GetProcAddress(ModHandle, 'ScriptString_pLogAttr');  
       POldScriptString_pSize:= GetProcAddress(ModHandle, 'ScriptString_pSize');  
       POldScriptString_pcOutChars:= GetProcAddress(ModHandle,'ScriptString_pcOutChars');  
       POldScriptTextOut:= GetProcAddress(ModHandle, 'ScriptTextOut');  
       POldScriptXtoCP:= GetProcAddress(ModHandle, 'ScriptXtoCP');  
       POldUspAllocCache:= GetProcAddress(ModHandle, 'UspAllocCache');  
       POldUspAllocTemp:= GetProcAddress(ModHandle, 'UspAllocTemp');  
       POldUspFreeMem:= GetProcAddress(ModHandle, 'UspFreeMem');  
    end;  
    // Nested compound statement left as an empty placeholder by the author;
    // it executes unconditionally, even when LoadLibrary failed above.
    begin
    // Add your own patch content here!
    end;  
    // NOTE(review): the handle obtained from LoadLibrary is never released
    // (there is no FreeLibrary call and no unload handling in the listing).
    end.  
    
  • 原文地址:https://www.cnblogs.com/delphi7456/p/1855137.html