Two Ways to Crack VBA Project Encryption

随心笔谈 · published 2 years ago by admin

Article summary

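This article describes how a registered hook and direct memory operations are used to intercept a Windows dialog-box function exported from a DLL and crack the protection. The code uses Win32 API functions (`GetProcAddress`, `VirtualProtect` and others) to install the hook, and a memory-copy function (`MoveMemory`) to patch the target function. The focus is on getting past the memory protection of the target so that the hook can be written in place, and on inspecting the dialog-box parameters inside the hook, which completes the crack. The article is brief; its core is the approach and the implementation details of using advanced Win32 API techniques for in-memory patching.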


```vba
Option Explicit

' Win32 API declarations (32-bit VBA: the stub built in Hook stores a 4-byte address)
Private Declare Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Long, Source As Long, ByVal Length As Long)
Private Declare Function VirtualProtect Lib "kernel32" (lpAddress As Long, ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
Private Declare Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function DialogBoxParam Lib "user32" Alias "DialogBoxParamA" (ByVal hInstance As Long, ByVal pTemplateName As Long, ByVal hWndParent As Long, ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As Integer

Dim HookBytes(0 To 5) As Byte    ' push <address> / ret stub
Dim OriginBytes(0 To 5) As Byte  ' saved first 6 bytes of DialogBoxParamA
Dim pFunc As Long                ' address of DialogBoxParamA
Dim Flag As Boolean              ' True once the hook has been installed

' Returns its argument; lets the result of AddressOf be stored in a Long
Private Function GetPtr(ByVal Value As Long) As Long
    GetPtr = Value
End Function

' Write the saved original bytes back over the hook
Public Sub RecoverBytes()
    If Flag Then MoveMemory ByVal pFunc, ByVal VarPtr(OriginBytes(0)), 6
End Sub

' Overwrite the first 6 bytes of DialogBoxParamA with a jump to MyDialogBoxParam
Public Function Hook() As Boolean
    Dim TmpBytes(0 To 5) As Byte
    Dim p As Long
    Dim OriginProtect As Long

    Hook = False
    pFunc = GetProcAddress(GetModuleHandleA("user32.dll"), "DialogBoxParamA")

    ' &H40 = PAGE_EXECUTE_READWRITE
    If VirtualProtect(ByVal pFunc, 6, &H40, OriginProtect) <> 0 Then
        MoveMemory ByVal VarPtr(TmpBytes(0)), ByVal pFunc, 6
        ' A first byte of &H68 means the hook is already in place
        If TmpBytes(0) <> &H68 Then
            MoveMemory ByVal VarPtr(OriginBytes(0)), ByVal pFunc, 6
            p = GetPtr(AddressOf MyDialogBoxParam)
            HookBytes(0) = &H68                                       ' push imm32
            MoveMemory ByVal VarPtr(HookBytes(1)), ByVal VarPtr(p), 4 ' imm32 = address of MyDialogBoxParam
            HookBytes(5) = &HC3                                       ' ret
            MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0)), 6
            Flag = True
            Hook = True
        End If
    End If
End Function

' Replacement that runs in place of DialogBoxParamA
Private Function MyDialogBoxParam(ByVal hInstance As Long, _
        ByVal pTemplateName As Long, ByVal hWndParent As Long, _
        ByVal lpDialogFunc As Long, ByVal dwInitParam As Long) As Integer
    If pTemplateName = 4070 Then
        ' Dialog template 4070: report success without showing the dialog
        MyDialogBoxParam = 1
    Else
        ' Any other dialog: unhook, call the real function, then hook again
        RecoverBytes
        MyDialogBoxParam = DialogBoxParam(hInstance, pTemplateName, hWndParent, lpDialogFunc, dwInitParam)
        Hook
    End If
End Function

Sub Crack()
    If Hook Then MsgBox "破解成功"   ' "Crack succeeded"
End Sub
```
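
Seen from the defender's side, the module above leaves two kinds of trace: its source declares a recognisable set of APIs and byte constants, and the patched function starts with a 6-byte `push imm32; ret` stub. The following added example (not part of the original post) checks for both; the function names, the sample module text and the sample byte strings are constructed for illustration.

```python
import re
import struct

# APIs that, declared together, let a macro overwrite code in its host process.
PATCH_APIS = {"virtualprotect", "rtlmovememory", "getprocaddress"}
DECLARE_RE = re.compile(
    r'^\s*(?:(?:Private|Public)\s+)?Declare\s+(?:PtrSafe\s+)?(?:Sub|Function)\s+(\w+)'
    r'\s+Lib\s+"[^"]*"(?:\s+Alias\s+"(\w+)")?',
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample: a few lines in the style of the module above.
SAMPLE_MODULE = '''
Private Declare Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Long, Source As Long, ByVal Length As Long)
Private Declare Function VirtualProtect Lib "kernel32" (lpAddress As Long, ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
If VirtualProtect(ByVal pFunc, 6, &H40, OriginProtect) <> 0 Then
p = GetPtr(AddressOf MyDialogBoxParam)
HookBytes(0) = &H68
HookBytes(5) = &HC3
'''


def decode_push_ret(prologue):
    """Return the redirect address if the bytes are `push imm32; ret`, else None."""
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return struct.unpack_from("<I", prologue, 1)[0]
    return None


def scan_vba_module(source):
    """Return the list of in-memory patching indicators found in VBA source text."""
    text = source.replace("\u201c", '"').replace("\u201d", '"')  # curly quotes from web copies
    declared = {(m.group(2) or m.group(1)).lower() for m in DECLARE_RE.finditer(text)}
    hits = []
    if PATCH_APIS <= declared:
        hits.append("declares VirtualProtect + RtlMoveMemory + GetProcAddress")
    if re.search(r"VirtualProtect\s*\([^)]*&H40\b", text, re.IGNORECASE):
        hits.append("requests PAGE_EXECUTE_READWRITE (&H40)")
    if re.search(r"=\s*&H68\b", text, re.I) and re.search(r"=\s*&HC3\b", text, re.I):
        hits.append("assembles push/ret stub bytes (&H68 ... &HC3)")
    if re.search(r"\bAddressOf\s+\w+", text, re.IGNORECASE):
        hits.append("takes a VBA procedure address with AddressOf")
    return hits
```

`scan_vba_module` expects module source that has already been extracted from the document as text; `decode_push_ret` expects the first bytes read at a function's entry point in a 32-bit process.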
