當一個可執行文件運行時,Windows加載器將可執行模塊映射到進程的地址空間中,加載器分析可執行模塊的輸入表,並設法找出任何需要的DLL,並將它們映射到進程的地址空間中。由於輸入表中只包含DLL名而沒有它的路徑名,因此加載程序必須在磁盤上搜索DLL文件。首先會嘗試從當前程序所在的目錄加載DLL,如果沒找到,則在Windows系統目錄查找,最后是在環境變量中列出的各個目錄下查找。利用這個特點,先偽造一個系統同名的DLL,提供同樣的輸出表,每個輸出函數轉向真正的系統DLL。程序調用系統DLL時會先調用當前目錄下偽造的DLL,完成相關功能后,再跳到系統DLL同名函數里執行。這個過程用個形象的詞來描述就是系統DLL被劫持
(hijack)了。
示例DELPHI源碼:
Library USP10;
uses
Windows,
SysUtils,
Classes;
{$R *.res}
ModHandle:
Cardinal
;
POldLpkPresent:
Pointer
;
POldScriptApplyDigitSubstitution:
Pointer
;
POldScriptApplyLogicalWidth:
Pointer
;
POldScriptBreak:
Pointer
;
POldScriptCPtoX:
Pointer
;
POldScriptCacheGetHeight:
Pointer
;
POldScriptFreeCache:
Pointer
;
POldScriptGetCMap:
Pointer
;
POldScriptGetFontProperties:
Pointer
;
POldScriptGetGlyphABCWidth:
Pointer
;
POldScriptGetLogicalWidths:
Pointer
;
POldScriptGetProperties:
Pointer
;
POldScriptIsComplex:
Pointer
;
POldScriptItemize:
Pointer
;
POldScriptJustify:
Pointer
;
POldScriptLayout:
Pointer
;
POldScriptPlace:
Pointer
;
POldScriptRecordDigitSubstitution:
Pointer
;
POldScriptShape:
Pointer
;
POldScriptStringAnalyse:
Pointer
;
POldScriptStringCPtoX:
Pointer
;
POldScriptStringFree:
Pointer
;
POldScriptStringGetLogicalWidths:
Pointer
;
POldScriptStringGetOrder:
Pointer
;
POldScriptStringOut:
Pointer
;
POldScriptStringValidate:
Pointer
;
POldScriptStringXtoCP:
Pointer
;
POldScriptString_pLogAttr:
Pointer
;
POldScriptString_pSize:
Pointer
;
POldScriptString_pcOutChars:
Pointer
;
POldScriptTextOut:
Pointer
;
POldScriptXtoCP:
Pointer
;
POldUspAllocCache:
Pointer
;
POldUspAllocTemp:
Pointer
;
POldUspFreeMem:
Pointer
;
procedure
LpkPresent;
asm
jmp POldLpkPresent
end
;
procedure
ScriptApplyDigitSubstitution;
asm
jmp POldScriptApplyDigitSubstitution
end
;
procedure
ScriptApplyLogicalWidth;
asm
jmp POldScriptApplyLogicalWidth
end
;
procedure
ScriptBreak;
asm
jmp POldScriptBreak
end
;
procedure
ScriptCPtoX;
asm
jmp POldScriptCPtoX
end
;
procedure
ScriptCacheGetHeight;
asm
jmp POldScriptCacheGetHeight
end
;
procedure
ScriptFreeCache;
asm
jmp POldScriptFreeCache
end
;
procedure
ScriptGetCMap;
asm
jmp POldScriptGetCMap
end
;
procedure
ScriptGetFontProperties;
asm
jmp POldScriptGetFontProperties
end
;
procedure
ScriptGetGlyphABCWidth;
asm
jmp POldScriptGetGlyphABCWidth
end
;
procedure
ScriptGetLogicalWidths;
asm
jmp POldScriptGetLogicalWidths
end
;
procedure
ScriptGetProperties;
asm
jmp POldScriptGetProperties
end
;
procedure
ScriptIsComplex;
asm
jmp POldScriptIsComplex
end
;
procedure
ScriptItemize;
asm
jmp POldScriptItemize
end
;
procedure
ScriptJustify;
asm
jmp POldScriptJustify
end
;
procedure
ScriptLayout;
asm
jmp POldScriptLayout
end
;
procedure
ScriptPlace;
asm
jmp POldScriptPlace
end
;
procedure
ScriptRecordDigitSubstitution;
asm
jmp POldScriptRecordDigitSubstitution
end
;
procedure
ScriptShape;
asm
jmp POldScriptShape
end
;
procedure
ScriptStringAnalyse;
asm
jmp POldScriptStringAnalyse
end
;
procedure
ScriptStringCPtoX;
asm
jmp POldScriptStringCPtoX
end
;
procedure
ScriptStringFree;
asm
jmp POldScriptStringFree
end
;
procedure
ScriptStringGetLogicalWidths;
asm
jmp POldScriptStringGetLogicalWidths
end
;
procedure
ScriptStringGetOrder;
asm
jmp POldScriptStringGetOrder
end
;
procedure
ScriptStringOut;
asm
jmp POldScriptStringOut
end
;
procedure
ScriptStringValidate;
asm
jmp POldScriptStringValidate
end
;
procedure
ScriptStringXtoCP;
asm
jmp POldScriptStringXtoCP
end
;
procedure
ScriptString_pLogAttr;
asm
jmp POldScriptString_pLogAttr
end
;
procedure
ScriptString_pSize;
asm
jmp POldScriptString_pSize
end
;
procedure
ScriptString_pcOutChars;
asm
jmp POldScriptString_pcOutChars
end
;
procedure
ScriptTextOut;
asm
jmp POldScriptTextOut
end
;
procedure
ScriptXtoCP;
asm
jmp POldScriptXtoCP
end
;
procedure
UspAllocCache;
asm
jmp POldUspAllocCache
end
;
procedure
UspAllocTemp;
asm
jmp POldUspAllocTemp
end
;
procedure
UspFreeMem;
asm
jmp POldUspFreeMem
end
;
exports
LpkPresent,
ScriptApplyDigitSubstitution,
ScriptApplyLogicalWidth,
ScriptBreak,
ScriptCPtoX,
ScriptCacheGetHeight,
ScriptFreeCache,
ScriptGetCMap,
ScriptGetFontProperties,
ScriptGetGlyphABCWidth,
ScriptGetLogicalWidths,
ScriptGetProperties,
ScriptIsComplex,
ScriptItemize,
ScriptJustify,
ScriptLayout,
ScriptPlace,
ScriptRecordDigitSubstitution,
ScriptShape,
ScriptStringAnalyse,
ScriptStringCPtoX,
ScriptStringFree,
ScriptStringGetLogicalWidths,
ScriptStringGetOrder,
ScriptStringOut,
ScriptStringValidate,
ScriptStringXtoCP,
ScriptString_pLogAttr,
ScriptString_pSize,
ScriptString_pcOutChars,
ScriptTextOut,
ScriptXtoCP,
UspAllocCache,
UspAllocTemp,
UspFreeMem;
begin
ModHandle:= LoadLibrary(
'C:\WINDOWS\system32\usp10.dll'
);
if
ModHandle >
0
then
begin
POldLpkPresent:= GetProcAddress(ModHandle,
'LpkPresent'
);
POldScriptApplyDigitSubstitution:= GetProcAddress(ModHandle,
'ScriptApplyDigitSubstitution'
);
POldScriptApplyLogicalWidth:= GetProcAddress(ModHandle,
'ScriptApplyLogicalWidth'
);
POldScriptBreak:= GetProcAddress(ModHandle,
'ScriptBreak'
);
POldScriptCPtoX:= GetProcAddress(ModHandle,
'ScriptCPtoX'
);
POldScriptCacheGetHeight:= GetProcAddress(ModHandle,
'ScriptCacheGetHeight'
);
POldScriptFreeCache:= GetProcAddress(ModHandle,
'ScriptFreeCache'
);
POldScriptGetCMap:= GetProcAddress(ModHandle,
'ScriptGetCMap'
);
POldScriptGetFontProperties:= GetProcAddress(ModHandle,
'ScriptGetFontProperties'
);
POldScriptGetGlyphABCWidth:= GetProcAddress(ModHandle,
'ScriptGetGlyphABCWidth'
);
POldScriptGetLogicalWidths:= GetProcAddress(ModHandle,
'ScriptGetLogicalWidths'
);
POldScriptGetProperties:= GetProcAddress(ModHandle,
'ScriptGetProperties'
);
POldScriptIsComplex:= GetProcAddress(ModHandle,
'ScriptIsComplex'
);
POldScriptItemize:= GetProcAddress(ModHandle,
'ScriptItemize'
);
POldScriptJustify:= GetProcAddress(ModHandle,
'ScriptJustify'
);
POldScriptLayout:= GetProcAddress(ModHandle,
'ScriptLayout'
);
POldScriptPlace:= GetProcAddress(ModHandle,
'ScriptPlace'
);
POldScriptRecordDigitSubstitution:= GetProcAddress(ModHandle,
'ScriptRecordDigitSubstitution'
);
POldScriptShape:= GetProcAddress(ModHandle,
'ScriptShape'
);
POldScriptStringAnalyse:= GetProcAddress(ModHandle,
'ScriptStringAnalyse'
);
POldScriptStringCPtoX:= GetProcAddress(ModHandle,
'ScriptStringCPtoX'
);
POldScriptStringFree:= GetProcAddress(ModHandle,
'ScriptStringFree'
);
POldScriptStringGetLogicalWidths:= GetProcAddress(ModHandle,
'ScriptStringGetLogicalWidths'
);
POldScriptStringGetOrder:= GetProcAddress(ModHandle,
'ScriptStringGetOrder'
);
POldScriptStringOut:= GetProcAddress(ModHandle,
'ScriptStringOut'
);
POldScriptStringValidate:= GetProcAddress(ModHandle,
'ScriptStringValidate'
);
POldScriptStringXtoCP:= GetProcAddress(ModHandle,
'ScriptStringXtoCP'
);
POldScriptString_pLogAttr:= GetProcAddress(ModHandle,
'ScriptString_pLogAttr'
);
POldScriptString_pSize:= GetProcAddress(ModHandle,
'ScriptString_pSize'
);
POldScriptString_pcOutChars:= GetProcAddress(ModHandle,
'ScriptString_pcOutChars'
);
POldScriptTextOut:= GetProcAddress(ModHandle,
'ScriptTextOut'
);
POldScriptXtoCP:= GetProcAddress(ModHandle,
'ScriptXtoCP'
);
POldUspAllocCache:= GetProcAddress(ModHandle,
'UspAllocCache'
);
POldUspAllocTemp:= GetProcAddress(ModHandle,
'UspAllocTemp'
);
POldUspFreeMem:= GetProcAddress(ModHandle,
'UspFreeMem'
);
end
;
begin
//添加自己的補丁內容!
end
;
end
.