【轉】Ring3下Dll注入方法整理彙總

原帖地址:https://www.cnblogs.com/daxingxing/archive/2011/12/16/2290353.html

1. lpk.dll、usp10.dll、msimg32.dll、midimap.dll、ksuser.dll、comres.dll、ddraw.dll

以lpk爲例,在win7下由於lpk被加入KnownDLLs且該註冊表值不可修改,使得lpk強制從系統目錄加載,

不過可以將lpk.dll加入ExcludeFromKnownDlls來解決,具體可以創建一個lpk.reg文件:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"ExcludeFromKnownDlls"=hex(7):6c,00,70,00,6b,00,2e,00,64,00,6c,00,6c,00,00,00,\
00,00

成功導入後需要重新啓動電腦才能生效。

參考:http://support.microsoft.com/?scid=kb%3Ben-us%3B164501&x=4&y=12

另外win7下的lpk在編寫方面需要注意:

Win7 下有的程序會在 LPK 初始化之前就調用 LPK.DLL 的 LpkInitialize 導出函數。
因此要在 LpkInitialize 這個函數中加入一些處理,並且這部分代碼不能加密。

因此爲了兼容各個系統,可以在DllMain和LpkInitialize裏均做判斷,如果沒有初始化就進行初始化。下面貼出完整代碼:

// lpk.cpp : Defines the entry point for the DLL application.
//

////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// 頭文件
#include "stdafx.h"
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Exported functions
// Each /EXPORT directive publishes one name from the genuine lpk.dll's export table under
// the same ordinal (@N) and forwards it to the AheadLib_* naked stub defined further down.
// The leading underscore in the alias names is the x86 __cdecl decoration of those stubs.
// @5 (LpkEditControl) is deliberately commented out: it is a data export and is provided
// by the exported LpkEditControl array below rather than by a function stub.
// Detection angle: an lpk.dll that is not the genuine system copy yet exports exactly this
// name set, together with the ExcludeFromKnownDlls change described in the article, is what
// identifies this proxy-DLL technique.
#pragma comment(linker, "/EXPORT:LpkInitialize=_AheadLib_LpkInitialize,@1")
#pragma comment(linker, "/EXPORT:LpkTabbedTextOut=_AheadLib_LpkTabbedTextOut,@2")
#pragma comment(linker, "/EXPORT:LpkDllInitialize=_AheadLib_LpkDllInitialize,@3")
#pragma comment(linker, "/EXPORT:LpkDrawTextEx=_AheadLib_LpkDrawTextEx,@4")
//#pragma comment(linker, "/EXPORT:LpkEditControl=_AheadLib_LpkEditControl,@5")
#pragma comment(linker, "/EXPORT:LpkExtTextOut=_AheadLib_LpkExtTextOut,@6")
#pragma comment(linker, "/EXPORT:LpkGetCharacterPlacement=_AheadLib_LpkGetCharacterPlacement,@7")
#pragma comment(linker, "/EXPORT:LpkGetTextExtentExPoint=_AheadLib_LpkGetTextExtentExPoint,@8")
#pragma comment(linker, "/EXPORT:LpkPSMTextOut=_AheadLib_LpkPSMTextOut,@9")
#pragma comment(linker, "/EXPORT:LpkUseGDIWidthCache=_AheadLib_LpkUseGDIWidthCache,@10")
#pragma comment(linker, "/EXPORT:ftsWordBreak=_AheadLib_ftsWordBreak,@11")
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Macro definitions
#define EXTERNC extern "C"             // C linkage: keeps the stub names undecorated beyond the x86 leading underscore
#define NAKED __declspec(naked)        // MSVC: no prologue/epilogue is generated, the body is exactly what is written (x86 only)
#define EXPORT __declspec(dllexport)

#define ALCPP EXPORT NAKED                              // not used in this listing
#define ALSTD EXTERNC EXPORT NAKED void __stdcall       // not used in this listing
#define ALCFAST EXTERNC EXPORT NAKED void __fastcall    // not used in this listing
#define ALCDECL EXTERNC NAKED void __cdecl              // used by every AheadLib_* stub; exported through the linker pragmas above, not dllexport
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//LpkEditControl is exported as an array (a data export), not a single function (by Backer)
EXTERNC void __cdecl AheadLib_LpkEditControl(void);   
EXTERNC __declspec(dllexport) void (*LpkEditControl[14])() = {AheadLib_LpkEditControl};   
// Entry 0 is our forwarding stub; the other 13 entries start out NULL and are overwritten
// in DllMain with a copy of the genuine module's table.

////////////////////////////////////////////////////////////////////////////////
// Global variables
BOOL g_bInited = FALSE;   // set once the genuine lpk.dll has been loaded; checked in both DllMain and AheadLib_LpkInitialize

////////////////////////////////////////////////////////////////////////////////////////////////  

////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// AheadLib 命名空間
namespace AheadLib
{
    HMODULE m_hModule = NULL;    // handle of the genuine lpk.dll loaded from the system directory

    // Load the genuine module from the system directory.
    // Returns TRUE when it was loaded; otherwise shows an error box, leaves
    // m_hModule NULL and returns FALSE.  The resolved path is written to the
    // debugger output stream before the load attempt.
    BOOL WINAPI Load()
    {
        TCHAR tzPath[MAX_PATH];

        GetSystemDirectory(tzPath, MAX_PATH);
        lstrcat(tzPath, TEXT("\\lpk.dll"));
        OutputDebugString(tzPath);
        m_hModule = LoadLibrary(tzPath);
        if (m_hModule != NULL)
        {
            return TRUE;
        }

        TCHAR tzTemp[MAX_PATH * 2];
        wsprintf(tzTemp, TEXT("無法加載 %s,程序無法正常運行。"), tzPath);
        MessageBox(NULL, tzTemp, TEXT("AheadLib"), MB_ICONSTOP);
        return FALSE;
    }

    // Release the genuine module if it was loaded.
    VOID WINAPI Free()
    {
        if (m_hModule == NULL)
        {
            return;
        }
        FreeLibrary(m_hModule);
    }

    // Resolve a function of the genuine module by name (or by ordinal, when the
    // high word of pszProcName is zero).  Returns the address; if the export is
    // missing, shows an error box and terminates the whole process with code -2.
    // The naked stubs below rely on the address being left in EAX, the x86
    // return register, when this function returns.
    FARPROC WINAPI GetAddress(PCSTR pszProcName)
    {
        FARPROC fpAddress = GetProcAddress(m_hModule, pszProcName);
        if (fpAddress != NULL)
        {
            return fpAddress;
        }

        CHAR szProcName[16];
        TCHAR tzTemp[MAX_PATH];
        if (HIWORD(pszProcName) == 0)
        {
            // ordinal import: render the number so the message is readable
            wsprintf(szProcName, "%d", pszProcName);
            pszProcName = szProcName;
        }
        wsprintf(tzTemp, TEXT("無法找到函數 %hs,程序無法正常運行。"), pszProcName);
        MessageBox(NULL, tzTemp, TEXT("AheadLib"), MB_ICONSTOP);
        ExitProcess(-2);
        return fpAddress;   // not reached: ExitProcess does not return
    }
}
using namespace AheadLib;
////////////////////////////////////////////////////////////////////////////////////////////////  

////////////////////////////////////////////////////////////////////////////////////////////////
//函數聲明
void WINAPIV Init(LPVOID pParam);
////////////////////////////////////////////////////////////////////////////////////////////////

// Runs on the worker thread started from DllMain; the article leaves it empty so the
// DLL's own load-time code can be added here.  pParam is the (NULL) thread argument.
void WINAPIV Init(LPVOID pParam)
{
    (void)pParam;
}

////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Entry point.  On process attach: load the genuine lpk.dll once (LpkInitialize may
// already have done so, hence g_bInited), complete the exported LpkEditControl table by
// copying entries 1..13 (52 bytes on x86) from the genuine module, and start Init on its
// own thread.  On process detach: release the genuine module.  Always returns TRUE.
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, PVOID pvReserved)
{
    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
        DisableThreadLibraryCalls(hModule);
        if (!g_bInited)
        {
            Load();
            g_bInited = TRUE;
        }
        // LpkEditControl has 14 entries; all but our own entry 0 must be the genuine ones.
        memcpy((LPVOID)(LpkEditControl+1), (LPVOID)((int*)GetAddress("LpkEditControl") + 1),52);
        _beginthread(Init,NULL,NULL);
        break;

    case DLL_PROCESS_DETACH:
        Free();
        break;

    default:
        break;
    }
    return TRUE;
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Exported function: forwarding stub for LpkInitialize.
// Naked: no prologue/epilogue is generated, so the stub relies on the stack being
// balanced when the JMP executes and the genuine function then sees the caller's
// original arguments and return address.  The lazy Load() duplicates DllMain's because
// (per the article) some programs on Win7 call LpkInitialize before the DLL's own
// initialisation has run; g_bInited keeps the genuine module from being loaded twice.
ALCDECL AheadLib_LpkInitialize(void)
{
    if ( g_bInited==FALSE ){
        Load();
        g_bInited = TRUE;
    }
    GetAddress("LpkInitialize");   // genuine address is left in EAX (x86 return register); aborts the process if missing
    __asm JMP EAX;                 // tail-jump into the genuine implementation
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Exported function: forwarding stub for LpkTabbedTextOut.
// Naked (no prologue/epilogue): GetAddress() leaves the genuine address in EAX, the x86
// return register, and the JMP hands control there with the caller's stack untouched.
ALCDECL AheadLib_LpkTabbedTextOut(void)
{
    GetAddress("LpkTabbedTextOut");   // aborts the process if the export is missing
    __asm JMP EAX;
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Exported function: forwarding stub for LpkDllInitialize.
// Naked (no prologue/epilogue): GetAddress() leaves the genuine address in EAX, the x86
// return register, and the JMP hands control there with the caller's stack untouched.
ALCDECL AheadLib_LpkDllInitialize(void)
{
    GetAddress("LpkDllInitialize");   // aborts the process if the export is missing
    __asm JMP EAX;
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Exported function: forwarding stub for LpkDrawTextEx.
// Naked (no prologue/epilogue): GetAddress() leaves the genuine address in EAX, the x86
// return register, and the JMP hands control there with the caller's stack untouched.
ALCDECL AheadLib_LpkDrawTextEx(void)
{
    GetAddress("LpkDrawTextEx");   // aborts the process if the export is missing
    __asm JMP EAX;
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Exported function: entry 0 of the exported LpkEditControl table.
// Unlike the other stubs this one jumps indirectly: GetAddress() returns the address of the
// genuine module's LpkEditControl array (a data export), so EAX points at the array and
// DWORD ptr [EAX] is its first entry, the real function pointer.
ALCDECL AheadLib_LpkEditControl(void)
{
    GetAddress("LpkEditControl");   // aborts the process if the export is missing
    __asm jmp DWORD ptr [EAX];//LpkEditControl is an array here; EAX holds the address whose first slot is the function pointer
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Exported function: forwarding stub for LpkExtTextOut.
// Naked (no prologue/epilogue): GetAddress() leaves the genuine address in EAX, the x86
// return register, and the JMP hands control there with the caller's stack untouched.
ALCDECL AheadLib_LpkExtTextOut(void)
{
    GetAddress("LpkExtTextOut");   // aborts the process if the export is missing
    __asm JMP EAX;
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Exported function: forwarding stub for LpkGetCharacterPlacement.
// Naked (no prologue/epilogue): GetAddress() leaves the genuine address in EAX, the x86
// return register, and the JMP hands control there with the caller's stack untouched.
ALCDECL AheadLib_LpkGetCharacterPlacement(void)
{
    GetAddress("LpkGetCharacterPlacement");   // aborts the process if the export is missing
    __asm JMP EAX;
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Exported function: forwarding stub for LpkGetTextExtentExPoint.
// Naked (no prologue/epilogue): GetAddress() leaves the genuine address in EAX, the x86
// return register, and the JMP hands control there with the caller's stack untouched.
ALCDECL AheadLib_LpkGetTextExtentExPoint(void)
{
    GetAddress("LpkGetTextExtentExPoint");   // aborts the process if the export is missing
    __asm JMP EAX;
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Exported function: forwarding stub for LpkPSMTextOut.
// Naked (no prologue/epilogue): GetAddress() leaves the genuine address in EAX, the x86
// return register, and the JMP hands control there with the caller's stack untouched.
ALCDECL AheadLib_LpkPSMTextOut(void)
{
    GetAddress("LpkPSMTextOut");   // aborts the process if the export is missing
    __asm JMP EAX;
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Exported function: forwarding stub for LpkUseGDIWidthCache.
// Naked (no prologue/epilogue): GetAddress() leaves the genuine address in EAX, the x86
// return register, and the JMP hands control there with the caller's stack untouched.
ALCDECL AheadLib_LpkUseGDIWidthCache(void)
{
    GetAddress("LpkUseGDIWidthCache");   // aborts the process if the export is missing
    __asm JMP EAX;
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////



////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Exported function: forwarding stub for ftsWordBreak.
// Naked (no prologue/epilogue): GetAddress() leaves the genuine address in EAX, the x86
// return register, and the JMP hands control there with the caller's stack untouched.
ALCDECL AheadLib_ftsWordBreak(void)
{
    GetAddress("ftsWordBreak");   // aborts the process if the export is missing
    __asm JMP EAX;
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

2.通過CreateRemoteThread創建遠程線程

XP以下使用代碼:

// Loads pszDllName into the process dwProcessId with a remote thread whose start
// routine is kernel32!LoadLibraryA and whose argument is a copy of the path placed
// in the target.  Returns FALSE if the process cannot be opened or the thread
// cannot be created, TRUE otherwise; the results of VirtualAllocEx and
// WriteProcessMemory are not examined.  The article states this variant works on
// XP and earlier; myCreateRemoteThread below is its Vista/Win7 counterpart.
// Defender note: OpenProcess on a foreign PID followed by VirtualAllocEx,
// WriteProcessMemory and CreateRemoteThread is the textbook injection sequence
// that process-level telemetry is built to surface.
BOOL WINAPI RemoteLoadLibrary(LPCTSTR pszDllName, DWORD dwProcessId)
{
    HANDLE hProcess = ::OpenProcess(
        PROCESS_VM_WRITE|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION, FALSE, dwProcessId);
    if(hProcess == NULL)
        return FALSE;

    // copy the path (terminator included) into the target; it is the thread argument
    const int cbSize = ::lstrlen(pszDllName) + 1;
    LPVOID lpRemoteDllName = ::VirtualAllocEx(hProcess, NULL, cbSize, MEM_COMMIT, PAGE_READWRITE);
    ::WriteProcessMemory(hProcess, lpRemoteDllName, pszDllName, cbSize, NULL);

    // LoadLibraryA is used directly as the thread start routine
    HMODULE hKernel32 = ::GetModuleHandle (_T("kernel32.dll"));
    LPTHREAD_START_ROUTINE pfnStartRoutine =
        (LPTHREAD_START_ROUTINE)::GetProcAddress(hKernel32, "LoadLibraryA");

    HANDLE hRemoteThread = ::CreateRemoteThread(hProcess, NULL, 0, pfnStartRoutine, lpRemoteDllName, 0, NULL);
    const BOOL bStarted = (hRemoteThread != NULL);
    if (bStarted)
        ::CloseHandle(hRemoteThread);
    ::CloseHandle(hProcess);

    return bStarted;
}

這段代碼在vista,win7下不能成功,需要改進,參考:http://bbs.pediy.com/showthread.php?t=101469&highlight=Vista+Win7+CreateRemoteThread

我參考上面資料和代碼,稍作整理使之編譯通過並能使用,目標進程打開時最好使用PROCESS_ALL_ACCESS權限。

vista的較爲簡單些,只要修改一個內存裏的數值,這裏不再實現。

// Minimal local copies of undocumented ntdll types and the native entry points used
// by myCreateRemoteThread below.  The structure layouts are interpreted by the
// kernel, so field order and types must stay exactly as declared.
typedef struct _CLIENT_ID {
    HANDLE UniqueProcess;   // filled in by ZwCreateThread (output parameter)
    HANDLE UniqueThread;    // thread id; myCreateRemoteThread reads it back for lpThreadId
} CLIENT_ID,*PCLIENT_ID;

// Initial user-mode stack description passed to ZwCreateThread.  myCreateRemoteThread
// fills StackBase, StackLimit and AllocatedStackBase; the two Previous* fields stay zero.
typedef struct _INITIAL_TEB
{
    PVOID PreviousStackBase;
    PVOID PreviousStackLimit;
    PVOID StackBase;            // top of the reserved region (highest usable address)
    PVOID StackLimit;           // lowest committed address, adjusted below the guard page
    PVOID AllocatedStackBase;   // start of the reserved region
} INITIAL_TEB, *PINITIAL_TEB;


// Native allocation (used for the thunk page and for reserving/committing the stack).
typedef NTSTATUS (NTAPI *TZwAllocateVirtualMemory)(
                                 __in     HANDLE ProcessHandle,
                                 __inout  PVOID *BaseAddress,
                                 __in     ULONG_PTR ZeroBits,
                                 __inout  PSIZE_T RegionSize,
                                 __in     ULONG AllocationType,
                                 __in     ULONG Protect
                                 );

// Each entry point is resolved once at static-initialisation time.  The GetProcAddress
// result is not checked: a missing export leaves a NULL pointer that faults on first use.
static TZwAllocateVirtualMemory ZwAllocateVirtualMemory = (TZwAllocateVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"),"ZwAllocateVirtualMemory");

// Native write into another process (used to place the thunk bytes).
typedef NTSYSAPI NTSTATUS (NTAPI *TZwWriteVirtualMemory)    (    IN HANDLE     ProcessHandle,
                                                 IN PVOID     BaseAddress,
                                                 IN PVOID     Buffer,
                                                 IN SIZE_T     NumberOfBytesToWrite,
                                                 OUT PSIZE_T     NumberOfBytesWritten     
                                                 );
static TZwWriteVirtualMemory ZwWriteVirtualMemory = (TZwWriteVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"),"ZwWriteVirtualMemory");

// Native protection change (used to mark the stack guard page).
typedef NTSYSAPI NTSTATUS (NTAPI *TZwProtectVirtualMemory)    (    IN HANDLE     ProcessHandle,
                                                 IN PVOID *     BaseAddress,
                                                 IN SIZE_T *     NumberOfBytesToProtect,
                                                 IN ULONG     NewAccessProtection,
                                                 OUT PULONG     OldAccessProtection     
                                                 );
static TZwProtectVirtualMemory ZwProtectVirtualMemory = (TZwProtectVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"),"ZwProtectVirtualMemory");

// Native CONTEXT capture (used to obtain a template CONTEXT from the calling thread).
typedef NTSYSAPI NTSTATUS (NTAPI *TZwGetContextThread)    (    IN HANDLE     ThreadHandle,
                                             OUT PCONTEXT     Context     
                                             );
static TZwGetContextThread ZwGetContextThread = (TZwGetContextThread)GetProcAddress(GetModuleHandle("ntdll.dll"),"ZwGetContextThread");

// Native thread creation taking an explicit CONTEXT and INITIAL_TEB.
typedef NTSYSAPI NTSTATUS (NTAPI *TZwCreateThread)    (    OUT PHANDLE     ThreadHandle,
                                         IN ACCESS_MASK     DesiredAccess,
                                         IN POBJECT_ATTRIBUTES ObjectAttributes     OPTIONAL,
                                         IN HANDLE     ProcessHandle,
                                         OUT PCLIENT_ID     ClientId,
                                         IN PCONTEXT     ThreadContext,
                                         IN PINITIAL_TEB     UserStack,
                                         IN BOOLEAN     CreateSuspended     
                                         );
static TZwCreateThread ZwCreateThread = (TZwCreateThread)GetProcAddress(GetModuleHandle("ntdll.dll"),"ZwCreateThread");

// Native resume (the thread is always created suspended and resumed here unless CREATE_SUSPENDED).
typedef NTSYSAPI NTSTATUS (NTAPI *TZwResumeThread)    (    IN HANDLE     ThreadHandle,
                                         OUT PULONG     SuspendCount     
                                         );
static TZwResumeThread ZwResumeThread = (TZwResumeThread)GetProcAddress(GetModuleHandle("ntdll.dll"),"ZwResumeThread");

// Replacement for CreateRemoteThread on Vista/Win7 built directly on the ntdll Zw*
// primitives resolved above.  The signature mirrors CreateRemoteThread, but
// lpThreadAttributes and dwStackSize are never read (the stack size is fixed below)
// and only CREATE_SUSPENDED is honoured from dwCreationFlags.  x86 only: it writes a
// 32-bit thunk and sets CONTEXT.Eip/Esp.
// Steps: (0) commit an RWX page in hProcess and write a small thunk there that calls
// lpStartAddress(lpParameter) and then RtlExitUserThread; (1) reserve and commit a
// stack by hand and set a PAGE_GUARD page; (2) copy this thread's CONTEXT and set
// EIP/ESP/EAX/EBX/ECX for the new thread; (3) ZwCreateThread suspended, then resume
// unless CREATE_SUSPENDED was requested.
// Returns the new thread handle, or NULL when any step fails.  On failure nothing
// already allocated in hProcess is released, and the thunk page is never freed even
// on success (see pBaseThreadThunk), so a committed PAGE_EXECUTE_READWRITE region
// stays behind in the target's private memory — a memory-forensics artifact of this
// technique.
HANDLE WINAPI myCreateRemoteThread(
                                    HANDLE hProcess,
                                    LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                    SIZE_T dwStackSize,
                                    LPTHREAD_START_ROUTINE lpStartAddress,
                                    LPVOID lpParameter,
                                    DWORD dwCreationFlags,
                                    LPDWORD lpThreadId)
{
    //by 80695073(QQ) 
    //email [email protected]
    CONTEXT    context = {CONTEXT_FULL};   // ContextFlags only; the rest is filled by ZwGetContextThread below
    CLIENT_ID  cid={hProcess};             // output of ZwCreateThread; UniqueThread is handed back via lpThreadId
    DWORD    ret;                          // NTSTATUS of the last native call; >= 0x80000000 means failure
    HANDLE    hThread = NULL;              // result; stays NULL on every failure path
    DWORD    StackReserve;                 // size argument reused for each allocation/protection call
    DWORD    StackCommit = 0x1000;
    ULONG_PTR  Stack = 0;                  // base of the reserved stack region in hProcess (0 = system chooses)
    INITIAL_TEB InitialTeb={};
    ULONG    x;                            // scratch out-parameter (bytes written / old protection); never read
    // Thunk executed as the new thread's first code.  It expects EAX = lpStartAddress,
    // EBX = lpParameter and ECX = RtlExitUserThread, all set in the CONTEXT below.
    const CHAR myBaseThreadInitThunk[] = 
    {
        //   00830000    8BFF            mov     edi, edi
        '\x8B','\xFF',
        //   00830002    55              push    ebp
        '\x55',
        //   00830003    8BEC            mov     ebp, esp
        '\x8B','\xEC',
        //   00830005    51              push    ecx   //ntdll.RtlExitUserThread
        '\x51',
        //   00830006    53              push    ebx   //the argument (lpParameter)
        '\x53',
        //   00830007    FFD0            call    eax   //the function address (lpStartAddress)
        '\xFF','\xD0',
        //   00830009    59              pop     ecx   //restore the exit-function address
        '\x59',
        //   0083000A    50              push    eax   //push the value just returned as the exit code
        '\x50',
        //   0083000B    FFD1            call    ecx   //call RtlExitUserThread to finish
        '\xFF','\xD1',
        //  0083000D    90              nop
        '\x90'
    };
    PVOID  pBaseThreadThunk = NULL; //must not be freed

    //0. allocate the non-OS thread start thunk (one RWX page in the target)
    StackReserve = 0x1000;
    ret = ZwAllocateVirtualMemory(hProcess, 
        /*&stack.ExpandableStackBottom*/(PVOID*)&pBaseThreadThunk, 
        0, 
        &StackReserve,
        MEM_COMMIT, 
        PAGE_EXECUTE_READWRITE); 
    if (ret >= 0x80000000)
    {
        //failure
        TRACE("Error IN myCreateRemoteThread ZwAllocateVirtualMemory0 !\n");
        goto myCreateRemoteThreadRet;
        //end
    }
    ret = ZwWriteVirtualMemory(hProcess,
        pBaseThreadThunk,
        (LPVOID)myBaseThreadInitThunk,
        sizeof(myBaseThreadInitThunk),&x);
    if (ret >= 0x80000000)
    {
        //failure
        // NOTE(review): the message still says ZwAllocateVirtualMemory0, but this is the ZwWriteVirtualMemory failure.
        TRACE("Error IN myCreateRemoteThread ZwAllocateVirtualMemory0 !\n");
        goto myCreateRemoteThreadRet;
        //end
    }

    //1. prepare the stack: reserve 0x10000 bytes, commit the top pages, add a guard page
    StackReserve = 0x10000;
    ret = ZwAllocateVirtualMemory(hProcess, 
        /*&stack.ExpandableStackBottom*/(PVOID*)&Stack, 
        0, 
        &StackReserve,
        MEM_RESERVE, 
        PAGE_READWRITE); 
    if (ret >= 0x80000000)
    {
        //failure
        TRACE("Error IN myCreateRemoteThread ZwAllocateVirtualMemory1!\n");
        goto myCreateRemoteThreadRet;
        //end
    }
    TRACE("OK myCreateRemoteThread:ZwAllocateVirtualMemory 0x%08x\n",Stack);

    InitialTeb.AllocatedStackBase = (PVOID)Stack;
    InitialTeb.StackBase = (PVOID)(Stack + StackReserve);

    /* Update the Stack Position */
    Stack += StackReserve - StackCommit;

    // one extra page below the committed area becomes the guard page
    Stack -= 0x1000;
    StackCommit += 0x1000;

    /* Allocate memory for the stack */
    ret = ZwAllocateVirtualMemory(hProcess,
        (PVOID*)&Stack,
        0,
        &StackCommit,
        MEM_COMMIT,
        PAGE_READWRITE);
    if (ret >= 0x80000000)
    {
        //failure
        TRACE("Error IN myCreateRemoteThread ZwAllocateVirtualMemory2!\n");
        goto myCreateRemoteThreadRet;
        //end
    }
    TRACE("OK myCreateRemoteThread:ZwAllocateVirtualMemory 2 0x%08x\n",Stack);
    InitialTeb.StackLimit = (PVOID)Stack;


    // mark the lowest committed page as the guard page
    StackReserve = 0x1000; 
    ret = ZwProtectVirtualMemory(hProcess, (PVOID*)&Stack, &StackReserve, PAGE_READWRITE | PAGE_GUARD, &x); 
    if (ret >= 0x80000000)
    {
        //failure
        TRACE("Error IN myCreateRemoteThread ZwProtectVirtualMemory!\n");
        goto myCreateRemoteThreadRet;
        //end
    }
    /* Update the Stack Limit keeping in mind the Guard Page */
    InitialTeb.StackLimit = (PVOID)((ULONG_PTR)InitialTeb.StackLimit - 0x1000);
    //2. prepare the CONTEXT: start from a copy of the calling thread's registers
    //  CONTEXT context = {CONTEXT_FULL}; 
    ret = ZwGetContextThread(GetCurrentThread(),&context); 
    if (ret >= 0x80000000)
    {
        //failure
        TRACE("Error IN myCreateRemoteThread ZwGetContextThread!\n");
        goto myCreateRemoteThreadRet;
        //end
    }
    context.Esp = (DWORD)InitialTeb.StackBase; 
    context.Eip = (DWORD)pBaseThreadThunk; //the address to run; the thunk must terminate its own thread
    context.Ebx = (DWORD)lpParameter;
    //other init
    //must
    context.Eax = (DWORD)lpStartAddress;
    // NOTE(review): resolved in the calling process and used in hProcess; assumes ntdll is mapped at the same base in both — confirm.
    context.Ecx = (DWORD)GetProcAddress(GetModuleHandle("ntdll.dll"),"RtlExitUserThread");//0x778B0859;/*win7*///0x77AEEC01;/*vista*/ //ntdll.RtlExitUserThread
    context.Edx = 0x00000000; //nouse


    //3. create the thread suspended with the prepared CONTEXT and stack
    ret = ZwCreateThread(&hThread, THREAD_ALL_ACCESS, 0, hProcess, &cid, &context, &InitialTeb, TRUE); 
    if (ret >= 0x80000000)
    {
        //failure
        // NOTE(review): native calls return NTSTATUS and presumably do not set the Win32 last error, so this likely prints a stale value rather than ret.
        TRACE("Error %d\n",GetLastError());
        goto myCreateRemoteThreadRet;
        //end
    }
    if(lpThreadId)
    {
        *lpThreadId = (DWORD)cid.UniqueThread;
    }
    if (!(dwCreationFlags & CREATE_SUSPENDED))
    {
        ZwResumeThread(hThread, NULL);
    }
myCreateRemoteThreadRet:
    return hThread;   // NULL on every failure path above
}

最後通用的使用方法是:

// Start the remote thread: the Win32 API when the major version is 5 or lower (XP and
// earlier, per the article), otherwise the hand-rolled ntdll variant myCreateRemoteThread.
// GetVersionEx's return value is not checked; hProcess, pfnStartRoutine and lpRemoteDllName
// come from the enclosing code.
    OSVERSIONINFO svex = {sizeof(OSVERSIONINFO)};
    GetVersionEx(&svex);
    HANDLE hRemoteThread = (svex.dwMajorVersion <= 5)
        ? ::CreateRemoteThread(hProcess, NULL, 0, pfnStartRoutine, lpRemoteDllName, 0, NULL)
        : myCreateRemoteThread(hProcess, NULL, 0, pfnStartRoutine, lpRemoteDllName, 0, NULL);

3.通過SetWindowsHookEx安裝鉤子,如WH_CALLWNDPROC,WH_KEYBOARD,WH_MOUSE,WH_GETMESSAGE鉤子可以實現全局注入。

// Installs a WH_MOUSE hook for the thread dwThreadId; the hook DLL (the module returned by
// AfxGetInstanceHandle(), which must contain MouseProc) is mapped into the process owning
// that thread when the hook fires. This is the "global injection" the article refers to.
// The returned HHOOK is discarded here, so the hook cannot later be removed with UnhookWindowsHookEx.
SetWindowsHookEx(WH_MOUSE,(HOOKPROC)MouseProc,AfxGetInstanceHandle(),dwThreadId);

 

4.AppInit_DLLs方式

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs注入到所有加載了user32.dll的進程。

win7下會被映射到:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows,

並且需要設置LoadAppInit_DLLs爲1時AppInit_DLLs纔會被啓用,默認爲0。

例如在xp下創建一個.reg文件:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\\message.dll"

手動導入後是可以加載指定dll的,但是在win7下面就不行,通過該.reg文件操作的註冊表子鍵路徑並沒有被重定向到

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows,

但是通過寫代碼的方式是成功的:

// Enables (bInstall != FALSE) or clears (bInstall == FALSE) the AppInit_DLLs mechanism for
// pszDllName under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: writes
// LoadAppInit_DLLs as a REG_DWORD copy of bInstall, then either stores pszDllName in
// AppInit_Dlls or resets AppInit_DLLs to an empty REG_SZ.  Opens the key with
// KEY_ALL_ACCESS and returns silently if it cannot be created/opened; the results of
// the RegSetValueEx calls are not examined.  On Win7 the path is redirected to the
// Wow6432Node view (see the article).
// Defender note: changes to LoadAppInit_DLLs / AppInit_DLLs under this key are a
// well-known persistence indicator; the RequireSignedAppInit_DLLs value mentioned in the
// article is left untouched by this code.
void LoadLibByAppInit_DLLs(LPCTSTR pszDllName,BOOL bInstall)
{
    HKEY hKey = NULL;
    const LONG lOpen = RegCreateKeyEx(HKEY_LOCAL_MACHINE, _T("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"), 0, 0, 0, KEY_ALL_ACCESS, 0, &hKey, 0);
    if (lOpen != ERROR_SUCCESS)
        return;

    RegSetValueEx(hKey, _T("LoadAppInit_DLLs"), 0, REG_DWORD, (const BYTE *)&bInstall, sizeof(bInstall));
    bInstall
        ? RegSetValueEx(hKey, _T("AppInit_Dlls"), 0, REG_SZ, (const BYTE *)pszDllName, lstrlen(pszDllName))
        : RegSetValueEx(hKey, _T("AppInit_DLLs"), NULL, REG_SZ, NULL, 0);

    RegCloseKey(hKey);
}

在win7下還有一個值RequireSignedAppInit_DLLs,爲1時只加載有簽名的dll;默認爲0,表示不對dll進行簽名驗證。

參見:http://msdn.microsoft.com/en-us/library/dd744762(v=vs.85).aspx

5.ShellExecuteHooks方式

local_machine\software\microsoft\windows\currentversion\Explorer\ShellExecuteHooks注入到explorer.exe進程。

6.輸入法注入http://code.google.com/p/windows-config/wiki/Win32IME

7.lsp,SPI過濾注入網絡進程http://www.vckbase.com/document/viewdoc/?id=643

 http://www.vckbase.com/document/viewdoc/?id=808

8.BHO

9.輸入表方式注入,原理就是爲目標pe文件增加一個導入函數,這個導入的函數是在要注入的dll中。

這樣當目標PE文件被加載時會由系統來完成它的導入庫的裝載工作,這樣你的DLL就能被加載進去了。

可以使用類似DIYTools的PE工具來完成,代碼我就不寫了。

10.CreateProcess以掛起的方式創建目標進程,修改入口代碼加載指定dll,恢復入口代碼喚醒進程。

11.使用微軟提供的detours庫函數DetourCreateProcessWithDll創建進程併爲進程加載指定dll,這個方法原理上就是上面的CreateProcess方法,

只不過更簡單更穩定了,拿來主義嘛。

12.通過DXG方式注入使用DirectX的進程,暫無資料。

13.RegisterUserApiHook
