ordinal hint name
1 0 ActivateKeyboardLayout (00015F25)
2 1 AdjustWindowRect (0000ABC4)
3 2 AdjustWindowRectEx (0002AA7A)
4 3 AnyPopup (0003E44F)
5 4 AppendMenuA (0001080C)
6 5 AppendMenuW (00029A5A)
7 6 ArrangeIconicWindows (0002EE3D)
8 7 AttachThreadInput (000144FA)
9 8 BeginDeferWindowPos (0001067E)
10 9 BeginPaint (000023B4)
11 A BringWindowToTop (0000A7DC)
12 B BroadcastSystemMessage (0003F39D)
With this complete list, simply write a very basic C file:
//---------------------------------------------------------------------------
// Function ActivateKeyboardLayout
//
// Forwarding thunk.  The function is "naked" so the compiler emits no
// prologue/epilogue: the caller's arguments and return address stay exactly
// where they are on the stack and the real export sees the call as if it
// had been made directly.  NOTE(review): what the `jmp` target resolves to
// (presumably the import of the renamed original DLL) is decided at link
// time, not here — confirm against the link step / import library.
//---------------------------------------------------------------------------
__declspec ( naked ) void _my_ActivateKeyboardLayout(void)
{
    __asm jmp far dword ptr ActivateKeyboardLayout;
}
//---------------------------------------------------------------------------
// Function AdjustWindowRect
//
// Same thunk as above for the next export; nothing but the target differs.
//---------------------------------------------------------------------------
__declspec ( naked ) void _my_AdjustWindowRect(void)
{
    __asm jmp far dword ptr AdjustWindowRect;
}
//---------------------------------------------------------------------------
// etc... (one identical thunk per remaining export in the ordinal list)
LIBRARY USER33.DLL
EXPORTS
ActivateKeyboardLayout=_my_ActivateKeyboardLayout @1
AdjustWindowRect=_my_AdjustWindowRect @2
AdjustWindowRectEx=_my_AdjustWindowRectEx @3
AnyPopup=_my_AnyPopup @4
AppendMenuA=_my_AppendMenuA @5
AppendMenuW=_my_AppendMenuW @6
ArrangeIconicWindows=_my_ArrangeIconicWindows @7
AttachThreadInput=_my_AttachThreadInput @8
BeginDeferWindowPos=_my_BeginDeferWindowPos @9
BeginPaint=_my_BeginPaint @10
BringWindowToTop=_my_BringWindowToTop @11
BroadcastSystemMessage=_my_BroadcastSystemMessage @12
Notice USER33.DLL. I urge you not to name your C file USER32.C, or you will run into deep trouble with the linker =)
(*CascadeChildWindows)(); (*ClientThreadSetup)(); (*CreateDialogIndirectParamAorW)(); (*DdeGetQualityOfService)(); (*DeregisterShellHookWindow)(); (*DialogBoxIndirectParamAorW)(); (*DrawCaptionTempA)(); ... ... if (!UndocLoaded) { HInstance = hModule; hInstUser32 = LoadLibrary("MSUS32.DLL"); (FARPROC)WCSToMBEx = GetProcAddress(hInstUser32, "WCSToMBEx"); (FARPROC)MBToWCSEx = GetProcAddress(hInstUser32, "MBToWCSEx"); (FARPROC)CascadeChildWindows = GetProcAddress(hInstUser32, "CascadeChildWindows"); (FARPROC)ClientThreadSetup = GetProcAddress(hInstUser32, "ClientThreadSetup"); (FARPROC)CreateDialogIndirectParamAorW = GetProcAddress(hInstUser32, "CreateDialogIndirectParamAorW" (FARPROC)DdeGetQualityOfService = GetProcAddress(hInstUser32, "DdeGetQualityOfService"); (FARPROC)DeregisterShellHookWindow = GetProcAddress(hInstUser32, "DeregisterShellHookWindow"); (FARPROC)DialogBoxIndirectParamAorW = GetProcAddress(hInstUser32, "DialogBoxIndirectParamAorW"); (FARPROC)DrawCaptionTempA = GetProcAddress(hInstUser32, "DrawCaptionTempA"); (FARPROC)DrawCaptionTempW = GetProcAddress(hInstUser32, "DrawCaptionTempW"); ... ... UndocLoaded=-1; }Repeat that for all undocumented functions and you're done.
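// Path of the DLL the controlling application asks this stub to load.  It is
// filled one character at a time by CMD_CAT_DLL_NAME messages and handed to
// LoadLibrary(), so it has to be a plain character buffer: the original
// `char *DLLName[DLLMAX]` declared an array of pointers, which is not what
// the cursor arithmetic below or LoadLibrary() expect.
char DLLName[DLLMAX];
// TRUE once LoadDLL() has resolved MyDefWindowProc; cleared by UnloadDLL().
// Spelled DWPHookOK everywhere (the original declared DWPHookOk and then
// used DWPHookOK).
BOOL DWPHookOK = FALSE;

void LoadDLL(void);
void UnloadDLL(void);
//---------------------------------------------------------------------------
// Window procedure of the hidden IPC window created in CommonDefWindowProc().
// Any process on the same desktop can SendMessage() to this window and
// nothing here checks who the sender is, so the command set is kept to:
//   CMD_RESET_DLL_NAME  empty the path buffer
//   CMD_CAT_DLL_NAME    append one character (low byte of lParam)
//   CMD_LOAD_DLL        (re)load the DLL named by the buffer
//   CMD_UNLOAD_DLL      unload it
// Everything else goes to DefWindowProc().
LRESULT CALLBACK IPCWndProc(HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    if (message == WM_COMMAND) {
        switch (wParam) {
        case CMD_RESET_DLL_NAME:
            DLLName[0] = 0;
            break;
        case CMD_CAT_DLL_NAME: {
            char *p = DLLName;
            while (*p)
                p++;
            // Leave room for the new character AND the terminator.  The
            // original test (p > DLLName + DLLMAX) still allowed p to sit one
            // past the end, so the two stores below ran off the buffer.
            if (p >= DLLName + DLLMAX - 1)
                break;
            *p++ = (char)(unsigned char)lParam;
            *p = 0;
            break;
        }
        case CMD_LOAD_DLL:
            if (DWPHookOK)
                UnloadDLL();
            LoadDLL();
            break;
        case CMD_UNLOAD_DLL:
            if (DWPHookOK)
                UnloadDLL();
            break;
        default:
            break;
        }
    }
    return DefWindowProc(hwnd, message, wParam, lParam);
}
//---------------------------------------------------------------------------
// Loads the DLL named by DLLName and resolves its MyDefWindowProc export into
// MyDefWindowProcW.  DWPHookOK is raised only when both steps succeed; on a
// missing export the library is released again and DLLInstance reset so a
// later UnloadDLL() cannot free a stale handle.
void LoadDLL(void)
{
    DLLInstance = LoadLibrary(DLLName);
    if (!DLLInstance)
        return;
    // Cast-as-lvalue is a compiler extension the original relied on; kept
    // because the pointer's typedef is declared elsewhere.
    (FARPROC)MyDefWindowProcW = GetProcAddress(DLLInstance, "MyDefWindowProc");
    if (MyDefWindowProcW == NULL) {
        FreeLibrary(DLLInstance);
        DLLInstance = NULL;
        return;
    }
    DWPHookOK = TRUE;
}
//---------------------------------------------------------------------------
// Drops the hook first, so no call routed through CommonDefWindowProc() can
// reach MyDefWindowProcW after the module is gone, then releases the DLL.
void UnloadDLL(void)
{
    DWPHookOK = FALSE;
    if (DLLInstance) {
        FreeLibrary(DLLInstance);
        DLLInstance = NULL;
    }
}
DefWindowProc being split in two parts (A & W), we'll make a common function for both:
//---------------------------------------------------------------------------
// Function DefWindowProcW
//
// Replacement export: routes the call through CommonDefWindowProc() with
// Wide = 1 so the fallback is the real DefWindowProcW.
//---------------------------------------------------------------------------
LRESULT WINAPI _my_DefWindowProcW(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
{
    return CommonDefWindowProc(hWnd, Msg, wParam, lParam, 1);
}
//---------------------------------------------------------------------------
// Function DefWindowProcA
//
// Replacement export: same as above with Wide = 0 (fallback DefWindowProcA).
//---------------------------------------------------------------------------
LRESULT WINAPI _my_DefWindowProcA(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
{
    return CommonDefWindowProc(hWnd, Msg, wParam, lParam, 0);
}
Note that these functions are not naked, because we read the parameters, so we need stack management. Here is the common code: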
//--------------------------------------------------------------------------- LRESULT WINAPI CommonDefWindowProc(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam, int Wide) { if (DisableIPC) // DisableIPC is a security flag. If set, no more hook return Wide ? DefWindowProcW(hWnd, Msg, wParam, lParam) : DefWindowProcA(hWnd, Msg, wParam, lParam); // If the IPC Window does not exists create it. if (!IPCWindow) { WNDCLASS wc; memset(&wc,0,sizeof(wc)); wc.lpfnWndProc = IPCWndProc; wc.hInstance = HInstance; wc.lpszClassName = IPCWindowClass; wc.style = 0; RegisterClass(&wc); IPCWindow = CreateWindowEx( 0, IPCWindowClass, "", WS_POPUP, 0, 0, 100,100, NULL, NULL, HInstance, NULL); // If failed, no need to retry, disable hooks if (!IPCWindow) { DisableIPC=TRUE; return DefWindowProcW(hWnd, Msg, wParam, lParam); } } // If a receiver IPC window is found, tell it we're here if (FirstCheck) { HWND MainIPC; FirstCheck=FALSE; MainIPC = FindWindow("EMainIPC", NULL); if (MainIPC) SendMessage(MainIPC, WM_COMMAND, CMD_IMHERE, 0); } if (!DWPHookOK) // This flag is set once GetProcAddress is successfull, see above return Wide ? DefWindowProcW(hWnd, Msg, wParam, lParam) : DefWindowProcA(hWnd, Msg, wParam, lParam); else return MyDefWindowProcW(hWnd, Msg, wParam, lParam, Wide); }pre> VI. Finding out if eggs (and grandma) are ready.
------------------------------------------------
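That's all; now our USER32.DLL will load its code and link dynamically to it at will. We just need to write a small application that will communicate with it to tell it what to do:
#include <windows.h>

// IPCWindowClass and the CMD_* values must be the same ones the stub DLL
// uses; they are defined in its source, not in this file.
char ClassName[255];
char DllName[1024] = "C:\\DEV\\IPC2\\EFDll.DLL";
//---------------------------------------------------------------------------
// Tells one instance of USER32.DLL (identified by its IPC window) to load the
// DLL named by DllName.  The path is sent one byte per message because a
// WM_COMMAND cannot carry a pointer into another process.
void SendLoadDll(HWND hwnd)
{
    const char *p;
    SendMessage(hwnd, WM_COMMAND, CMD_RESET_DLL_NAME, 0);
    for (p = DllName; *p; p++) {
        // Go through unsigned char so bytes >= 0x80 are not sign-extended
        // into a negative lParam (the original cast the plain char to long).
        SendMessage(hwnd, WM_COMMAND, CMD_CAT_DLL_NAME, (LPARAM)(unsigned char)*p);
    }
    SendMessage(hwnd, WM_COMMAND, CMD_LOAD_DLL, 0);
}
//---------------------------------------------------------------------------
// EnumWindows callback: for every IPC window of the stub, load (lParam != 0)
// or unload (lParam == 0) the DLL.  Always returns TRUE so the enumeration
// visits every top-level window.
BOOL CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam)
{
    GetClassName(hwnd, ClassName, sizeof(ClassName) - 1);
    if (!strcmpi(ClassName, IPCWindowClass)) {
        // The original `lParam ? SendLoadDll(hwnd) : SendMessage(...)` mixes
        // a void and an LRESULT operand in one conditional, which is not
        // valid C; an if/else says the same thing.
        if (lParam)
            SendLoadDll(hwnd);
        else
            SendMessage(hwnd, WM_COMMAND, CMD_UNLOAD_DLL, 0);
    }
    return TRUE;
}
//---------------------------------------------------------------------------
// Entry point: ask every stub instance to load the DLL, run the application,
// then ask them all to unload it again.
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    EnumWindows(EnumWindowsProc, 1);
    // Dll is loaded, your app is here
    //...
    //...
    // Your app has finished, unload the code now
    EnumWindows(EnumWindowsProc, 0);
    return 0;
}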
VII. Taste eggs and grandma
---------------------------
Ok, now you should know what's necessary to make your own dynamic stub for USER32.DLL or KERNEL32.DLL. I hope it can be useful to somebody. I had big fun making it; I hope you can have as much as I did.
I'll try to clean up my code a bit and release it. It's fully working. That would be a little kick in the ass of those companies that try to sell you a Win32hooks API for ***ONLY $4999!*** =)
Peace, harmony.
Lone Runner/Aegis Corp Big hello to all the Fravias staff and gurus. You 0wn me