DLL劫持技术例子: HijackDll

控制台程序:DllLoader

Dll加载器,用于动态加载目标Dll,并动态调用目标函数

#include <cstdio>
#include <windows.h>

typedef int (*pAdd) (int a, int b);

int main()
{
    HMODULE hModule = GetModuleHandleA("Dll.dll") != NULL ? GetModuleHandleA("Dll.dll") : LoadLibraryA("Dll.dll");
    pAdd Add = (pAdd)GetProcAddress(hModule, "Add");
    if (NULL == Add)
        printf("Failed\n");
    else
        printf("Succeed\n1 + 1 = %d\n", Add(1, 1));

    system("pause > nul");
    return 0;
}

原Dll:Dll

很简单的一个Dll,只有一个隐式函数Add.仅仅是一个简单的加法..

#include <cstdio>
#include <windows.h>

#define EXTERNC extern "C"
#define EXPORT __declspec(dllexport)
#define ECEP EXTERNC EXPORT

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch(fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        MessageBoxA(NULL, "Attach", "", MB_ICONINFORMATION);
        break;
    case DLL_PROCESS_DETACH:
        MessageBoxA(NULL, "Detach", "", MB_ICONINFORMATION);
        break;
    default:
        break;
    }

    return TRUE;
}

ECEP int Add(int a, int b)
{
    return a + b;
}

劫持Dll:HijackDll

用于劫持原Dll,并转发原程序的动态调用

//last code by gwsbhqt at 20150727

#include <cstdio>
#include <windows.h>

#define EXTERNC extern "C"
#define NAKED __declspec(naked)
#define EXPORT __declspec(dllexport)
#define ECEP EXTERNC EXPORT
#define ENCDECL EXTERNC NAKED void __cdecl
#define EENSTD EXTERNC EXPORT NAKED void __stdcall
#define EENFAST EXTERNC EXPORT NAKED void __fastcall
#define ENDEF ENCDECL

#define JMPFARPROC(lpModuleName, hProcName) \
    HMODULE hModule; \
    hModule = GetModuleHandleA((lpModuleName)); \
    if (NULL == hModule) hModule = LoadLibraryA((lpModuleName)); \
    if (NULL != GetProcAddress(hModule, (hProcName))) __asm JMP EAX;

#pragma comment (linker, "/EXPORT:Add=_Add,@1")

ENDEF Add()
{
    JMPFARPROC("Dll.tmp", "Add");
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        MessageBoxA(NULL, "Hijack Dll Attach", "", MB_ICONINFORMATION);
        break;
    case DLL_PROCESS_DETACH:
        MessageBoxA(NULL, "Hijack Dll Detach", "", MB_ICONINFORMATION);
        break;
    default:
        break;
    }

    return TRUE;
}

此处的宏JMPFARPROC看起来似乎每次转发函数都会加载一次hModule,其实不会,先GetModuleHandle获得的hModule是不会增加引用计数的.

所以即使是大量的转发,也应该不会出现内存泄漏的问题.

都是些很简单的代码,仔细认真看看就好了

测试是只需要新建一个工程,工程下新建三个项目,分别是一个控制台程序和两个动态链接库,

在每个项目新建main.cpp文件,将代码贴入,生成工程之后.在Debug/Release文件夹下,将Dll.dll更名为Dll.tmp,将HijackDll.dll更名为Dll.dll...

即可完成Dll劫持...