am.dll的原代码:
===============================================
// am.cpp : Defines the entry point for the DLL application.
//
// NOTE(review): the #include argument was lost when this post was extracted
// (the angle-bracket / quoted target is missing); confirm against the original file.
#include
// Call-through types for the three Win32 APIs this DLL interposes. All three are
// declared as returning HANDLE even though the real APIs return HMODULE / FARPROC /
// HANDLE; the code only works because every one of those is pointer-sized on 32-bit.
typedef HANDLE WINAPI _LoadLibraryA_t
(
    LPCTSTR lpLibraryName
);
typedef HANDLE WINAPI _GetProcAddress_t
(
    HMODULE hModule,
    LPCTSTR lpFunctionName
);
typedef HANDLE WINAPI _CreateFile_t(
    LPSTR lpFileName,
    DWORD dwDesiredAccess,
    DWORD dwShareMode,
    LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    DWORD dwCreationDisposition,
    DWORD dwFlagsAndAttributes,
    HANDLE hTemplateFile
);
// Full path of the host executable (filled by GetModuleFileName in DllMain) and the
// length GetModuleFileName returned; both are compared against in xCreateFile.
static char g_szGame[MAX_PATH + 1];
static long g_szGameLen = 0;
// Relative name of the file FixPointers() reads two absolute addresses from. Being
// relative, it is resolved against the process's current directory at attach time,
// i.e. whoever controls that directory controls the two addresses written through.
static char* g_szHooksPointersFile = "am_hooks.bin";
// Original API entry points captured in DllMain. Stored as DWORD, so this is
// 32-bit-only code: pointers would be truncated on a 64-bit build.
DWORD g_pfnCreateFile_ORIG = 0;
DWORD g_pfnLoadLibraryA_ORIG = 0;
DWORD g_pfnGetProcAddress_ORIG = 0;
// Set by xLLA from the name passed to the most recent LoadLibraryA call; read by xGPA.
// Plain DWORD, not atomic, so concurrent loaders race on it.
DWORD g_bLoadingKernel32 = FALSE;
// The replacement routines; see their definitions below.
HANDLE WINAPI xCreateFile(LPSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
HANDLE WINAPI xLLA(LPCTSTR lpLibraryName);
HANDLE WINAPI xGPA(HMODULE hModule, LPCTSTR lpFunctionName);
// Reads two 32-bit addresses from g_szHooksPointersFile and stores the addresses of
// xLLA / xGPA at those locations in the current process.
//
// Risk notes (from the visible code alone):
//  - Neither ReadFile return value nor the byte count in dwDummy is checked; a short or
//    empty file leaves dwLLA / dwGPA at 0 and the stores below become writes to address 0.
//  - The two values are used as absolute write targets with no range or sanity check, so
//    the contents of am_hooks.bin fully decide where in the process two pointers are written.
//  - Nothing here changes page protection, so the targets must already be writable.
void FixPointers()
{
    DWORD dwDummy;
    DWORD dwLLA = 0;
    DWORD dwGPA = 0;
    HANDLE hFile = CreateFile(g_szHooksPointersFile,
        GENERIC_READ,
        FILE_SHARE_READ,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL);
    if (INVALID_HANDLE_VALUE != hFile)
    {
        // First DWORD: where to store &xLLA; second DWORD: where to store &xGPA.
        ReadFile(hFile, &dwLLA, 4, &dwDummy, NULL);
        ReadFile(hFile, &dwGPA, 4, &dwDummy, NULL);
        CloseHandle(hFile);
        *((DWORD*)dwLLA) = (DWORD)xLLA;
        *((DWORD*)dwGPA) = (DWORD)xGPA;
    }
}

// DLL entry point. On process attach it records the original API addresses, captures the
// host executable's path, and calls FixPointers(). Note that this does file I/O and raw
// memory writes while the loader lock is held; on detach nothing is undone.
BOOL APIENTRY DllMain( HANDLE hModule,
    DWORD ul_reason_for_call,
    LPVOID lpReserved
    )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // initialize the pointers
        g_pfnCreateFile_ORIG = (DWORD)CreateFileA;
        g_pfnLoadLibraryA_ORIG = (DWORD)LoadLibraryA;
        g_pfnGetProcAddress_ORIG = (DWORD)GetProcAddress;
        g_szGame[0] = '\0';
        // Get self name (the host process, not this DLL: GetModuleHandle(NULL)).
        // On failure the return value is 0, which leaves g_szGameLen == 0 — see xCreateFile.
        g_szGameLen = GetModuleFileName(GetModuleHandle(NULL), g_szGame, MAX_PATH);
        // mark pointers in the game
        FixPointers();
        break;
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

// Replacement for LoadLibraryA. Records in g_bLoadingKernel32 whether the requested
// library name looks like "kernel32.dll", then forwards to the original entry point.
//
// Behaviour as written: each test below is `lpLibraryName[i] | 0x20 == 'x'`, which C/C++
// parses as `lpLibraryName[i] | (0x20 == 'x')`, i.e. `lpLibraryName[i] | 0`. Since the
// length loop already stopped at the first NUL, every term is non-zero, so the flag is
// set to 1 for ANY 12-character name and to 0 only for names of other lengths (which
// leave it unchanged). Compare with the parenthesised form used in xGPA.
// IsBadReadPtr is used as a bounds probe; Microsoft documents it as unreliable for
// that purpose (it can report readable memory that is later unmapped, and it swallows
// guard-page faults).
HANDLE WINAPI xLLA(LPCTSTR lpLibraryName)
{
    long k, nLen;
    // Count characters up to the first NUL, probing each byte with IsBadReadPtr.
    for (k = nLen = 0; !IsBadReadPtr(&lpLibraryName[k], 1) && lpLibraryName[k] != '\0'; k++)
        nLen++;
    if (nLen == 12)
    {
        if (lpLibraryName[0] | 0x20 == 'k' &&
            lpLibraryName[1] | 0x20 == 'e' &&
            lpLibraryName[2] | 0x20 == 'r' &&
            lpLibraryName[3] | 0x20 == 'n' &&
            lpLibraryName[4] | 0x20 == 'e' &&
            lpLibraryName[5] | 0x20 == 'l' &&
            lpLibraryName[6] | 0x20 == '3' &&
            lpLibraryName[7] | 0x20 == '2' &&
            lpLibraryName[8] | 0x20 == '.' &&
            lpLibraryName[9] | 0x20 == 'd' &&
            lpLibraryName[10] | 0x20 == 'l' &&
            lpLibraryName[11] | 0x20 == 'l')
        {
            g_bLoadingKernel32 = 1;
        }
        else
        {
            g_bLoadingKernel32 = 0;
        }
    }
    // Forward to the real LoadLibraryA captured in DllMain.
    _LoadLibraryA_t* pfnMyLoadLibraryA = (_LoadLibraryA_t*)g_pfnLoadLibraryA_ORIG;
    return (*pfnMyLoadLibraryA)(lpLibraryName);
}
// Replacement for GetProcAddress. If the most recent xLLA call flagged kernel32 and the
// requested name is an 11-character, case-insensitive (via `| 0x20`) match for
// "CreateFileA", returns xCreateFile instead; otherwise forwards to the original.
//
// Notes:
//  - The `| 0x20` fold is only a true case fold for ASCII letters; other bytes are
//    altered too (e.g. '@' becomes '`'), so a few non-letter names also compare equal.
//  - g_bLoadingKernel32 is global per-process state, not per-caller, so a lookup by
//    another thread between a LoadLibraryA and this call sees whatever was set last.
//  - The length loop reads by IsBadReadPtr probing; see the caveat on xLLA.
HANDLE WINAPI xGPA(HMODULE hModule, LPCTSTR lpFunctionName)
{
    if (g_bLoadingKernel32)
    {
        long k, nLen;
        for (k = nLen = 0; !IsBadReadPtr(&lpFunctionName[k], 1) && lpFunctionName[k] != '\0'; k++)
            nLen++;
        if (11 == nLen)
        {
            if ((lpFunctionName[0] | 0x20) == 'c' &&
                (lpFunctionName[1] | 0x20) == 'r' &&
                (lpFunctionName[2] | 0x20) == 'e' &&
                (lpFunctionName[3] | 0x20) == 'a' &&
                (lpFunctionName[4] | 0x20) == 't' &&
                (lpFunctionName[5] | 0x20) == 'e' &&
                (lpFunctionName[6] | 0x20) == 'f' &&
                (lpFunctionName[7] | 0x20) == 'i' &&
                (lpFunctionName[8] | 0x20) == 'l' &&
                (lpFunctionName[9] | 0x20) == 'e' &&
                (lpFunctionName[10] | 0x20) == 'a')
            {
                // Hand out the replacement instead of the real export.
                return xCreateFile;
            }
        }
    }
    // Forward to the real GetProcAddress captured in DllMain.
    _GetProcAddress_t* pfnMyGetProcAddress = (_GetProcAddress_t*)g_pfnGetProcAddress_ORIG;
    return (*pfnMyGetProcAddress)(hModule, lpFunctionName);
}

// Replacement for CreateFileA. If lpFileName compares equal (same length, `| 0x20`-folded
// bytes) to the host executable's own path captured in DllMain, the last character of the
// caller's string is overwritten with '_' before the call is forwarded, so the open lands
// on a sibling path instead of the executable itself.
//
// Defects visible in this body:
//  - It writes into the caller's buffer. LPSTR here is really the LPCSTR the real API
//    takes; if the caller passed a string literal or other read-only memory this faults.
//  - If g_szGameLen == 0 (GetModuleFileName failed in DllMain) and lpFileName is "",
//    nLen == 0 == k and the store becomes lpFileName[-1] = '_', an out-of-bounds write.
//  - On a bad pointer it returns INVALID_HANDLE_VALUE without setting a last-error code,
//    so callers that inspect GetLastError see a stale value.
//  - The length loop here has no IsBadReadPtr probe per byte (only the first byte is
//    probed), so an unterminated buffer is read past its end.
HANDLE WINAPI xCreateFile(LPSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
{
    if (IsBadReadPtr(lpFileName, 1))
        return INVALID_HANDLE_VALUE;
    long k, nLen;
    for (k = nLen = 0; lpFileName[k] != '\0'; k++)
        nLen++;
    if (g_szGameLen == nLen)
    {
        // Byte-wise folded comparison against the host executable path.
        for (k = 0; k < nLen; k++)
        {
            if ((lpFileName[k] | 0x20) != (g_szGame[k] | 0x20))
                break;
        }
        if (k == nLen)
        {
            // Full match: mutate the caller's string in place (last character -> '_').
            lpFileName[k -1] = '_';
        }
    }
    // Forward to the real CreateFileA captured in DllMain.
    _CreateFile_t* pfnMyCreateFile = (_CreateFile_t*)g_pfnCreateFile_ORIG;
    return (*pfnMyCreateFile)(lpFileName,
        dwDesiredAccess,
        dwShareMode,
        lpSecurityAttributes,
        dwCreationDisposition,
        dwFlagsAndAttributes,
        hTemplateFile);
}
// --------------------------------------------------------------- and the "optimised", DIRTY too, routine for fixing imports :
//
// Maps the file named by pszFileName read-only, scans it for the byte sequence
// "KERNEL32.DLL" (three DWORD compares in the inline asm), and then overwrites 24 DWORDs
// located 0x70 bytes before that match with API addresses taken from THIS process.
// Returns true only if the file could be opened, mapped, and written.
//
// Defects and risk notes visible in this body:
//  - _bFound is zeroed and never set, and _nOffset is only assigned on the found path,
//    so a file with no match is not detected: dwAddressOffset becomes 0 - 0x70, which
//    wraps as an unsigned DWORD, and the Seek/Write below still run.
//  - If CreateFileMapping fails, the code only prints and continues; MapViewOfFile is then
//    called with a NULL handle. When pMapMem is NULL the function returns false without
//    closing hFile (and hMap if it was created) — a handle leak.
//  - The addresses written are those of this process's copies of LoadLibrary,
//    GetProcAddress, etc.; the code assumes the target will see the same addresses.
//    With ASLR (Vista and later) that assumption does not hold, so this is tied to
//    fixed-base system DLLs.
//  - The 0x70 displacement and the 24-entry layout are hard-coded assumptions about the
//    target file's structure; nothing here validates that the write lands inside the file.
//  - strcpy/strcat into libbuff[1024] from buff[512] plus a short literal cannot overflow,
//    but GetSystemDirectory's return value is unchecked (on failure buff is unspecified).
//  - "__KRNL32OFFS_SCAN2" is a named mapping object; a pre-existing object with that name
//    makes CreateFileMapping return the existing one instead (named-object squatting).
bool FixImports(char* pszFileName)
{
    CString strOrigGame = CString(pszFileName);
    char* szFileName = (LPSTR)(LPCSTR)strOrigGame;
    HANDLE hFile = CreateFile(szFileName,
        GENERIC_READ,
        FILE_SHARE_READ,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN,
        NULL);
    if (INVALID_HANDLE_VALUE == hFile)
    {
        return false;
    }
    DWORD dwDummy;
    // Only the low 32 bits of the size are used; the high part is discarded in dwDummy.
    DWORD dwSize = GetFileSize(hFile, &dwDummy);
    HANDLE hMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, dwSize, "__KRNL32OFFS_SCAN2");
    if (!hMap)
    {
        // Failure is reported but not handled; execution continues with hMap == NULL.
        printf("CreateFileMapping failed\n");
    }
    DWORD* pMapMem = (DWORD*)MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);
    ULONG _bFound = 0;   // never set to non-zero anywhere in this function
    ULONG _nOffset = 0;  // byte offset of the 'KERN' DWORD when found; stays 0 otherwise
    if (pMapMem)
    {
        // Forward DWORD scan of the mapping (dwSize / 4 entries) for 'KERN' followed by
        // 'EL32' and '.DLL'. On a hit, _nOffset = (dwSize & ~3) - bytes_remaining_incl_match.
        // The loop gives up when fewer than 8 DWORDs remain after a partial match.
        __asm
        {
            cld
            mov _bFound, 0
            mov ecx, dwSize
            shr ecx, 2
            mov edi, pMapMem
            _loop:
            mov eax, 0x4e52454b // 'KERN'
            repnz scasd
            cmp ecx, 0
            jnz _found1
            jmp _notfound
            _found1: cmp [edi], 0x32334c45 // 'EL32'
            jz _found2
            jmp _notfound
            _found2: cmp [edi + 4], 0x4c4c442e // '.DLL'
            jnz _notfound
            inc ecx
            shl ecx, 2
            mov eax, dwSize
            and eax, 0xfffffffc
            sub eax, ecx
            mov _nOffset, eax
            jmp _done
            _notfound:
            cmp ecx, 8
            ja _loop
            _done:
        }
    }
    else
    {
        // NOTE: hFile (and hMap, if non-NULL) are leaked on this path.
        return false;
    }
    UnmapViewOfFile(pMapMem);
    // Hard-coded displacement from the match to the table being patched. Unchecked
    // when _nOffset == 0 (no match): the subtraction wraps.
    DWORD dwAddressOffset = _nOffset - 0x70;
    CloseHandle(hMap);
    CloseHandle(hFile);
    char buff[512];
    char libbuff[1024];
    GetSystemDirectory(buff, 512);
    // Table of 24 DWORDs written into the file; even slots hold addresses resolved in
    // this process, odd slots stay 0 (from the memset). Pointers truncated to DWORD.
    DWORD a[24];
    HINSTANCE h;
    memset(a, 0, 24 * sizeof(DWORD));
    a[0] = (DWORD)LoadLibrary;
    a[1] = (DWORD)GetProcAddress;
    a[2] = (DWORD)ExitProcess;
    a[4] = (DWORD)RegCloseKey;
    // Each helper DLL is loaded from the system directory by absolute path, queried for
    // one export, and released; a failed LoadLibrary leaves the slot 0, a failed
    // GetProcAddress stores NULL — neither is reported. Note the stray ';;' (empty statements).
    strcpy(libbuff, buff);
    strcat(libbuff, "\\comdlg32.dll");
    h = LoadLibrary(libbuff);
    if (h)
    {
        a[6] = (DWORD)GetProcAddress(h, "PrintDlgA");;
        FreeLibrary(h);
    }
    strcpy(libbuff, buff);
    strcat(libbuff, "\\crypt32.dll");
    h = LoadLibrary(libbuff);
    if (h)
    {
        a[8] = (DWORD)GetProcAddress(h, "CertOpenStore");;
        FreeLibrary(h);
    }
    a[10] = (DWORD)::DPtoLP;
    strcpy(libbuff, buff);
    strcat(libbuff, "\\netapi32.dll");
    h = LoadLibrary(libbuff);
    if (h)
    {
        a[12] = (DWORD)GetProcAddress(h, "Netbios");
        FreeLibrary(h);
    }
    a[14] = (DWORD)CoInitialize;
    a[16] = (DWORD)ExtractIconA;
    a[18] = (DWORD)::GetDC;
    strcpy(libbuff, buff);
    strcat(libbuff, "\\wininet.dll");
    h = LoadLibrary(libbuff);
    if (h)
    {
        a[20] = (DWORD)GetProcAddress(h, "InternetOpenA");;
        FreeLibrary(h);
    }
    strcpy(libbuff, buff);
    strcat(libbuff, "\\winmm.dll");
    h = LoadLibrary(libbuff);
    if (h)
    {
        a[22] = (DWORD)GetProcAddress(h, "joyGetPos");;
        FreeLibrary(h);
    }
    // Reopen read/write via MFC and overwrite 96 bytes at the computed offset.
    // CFile::Write throws CFileException on failure; nothing here catches it.
    CFile f;
    if (f.Open(strOrigGame, CFile::modeReadWrite))
    {
        f.Seek(dwAddressOffset, CFile::begin);
        f.Write(a, 24 * sizeof(DWORD));
        f.Close();
    }
    else
    {
        return false;
    }
    return true;
}