bool injectdll_x64(const PROCESS_INFORMATION& pi, const std::wstring& dll) {
static unsigned char sc[] = {
0x9c, // pushfq
0x50, // push rax
0x51, // push rcx
0x52, // push rdx
0x53, // push rbx
0x55, // push rbp
0x56, // push rsi
0x57, // push rdi
0x41, 0x50, // push r8
0x41, 0x51, // push r9
0x41, 0x52, // push r10
0x41, 0x53, // push r11
0x41, 0x54, // push r12
0x41, 0x55, // push r13
0x41, 0x56, // push r14
0x41, 0x57, // push r15
0x48, 0x83, 0xEC, 0x28, // sub rsp, 0x28
0x49, 0xB9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov r9, 0 // DllHandle
0x49, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov r8, 0 // DllPath
0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov rax,0 // LdrLoadDll
0x48, 0x31, // xor rcx,rcx
0xC9, 0x48, // xor rdx,rdx
0xFF, 0xD0, // call rax LdrLoadDll
0x48, 0x83, 0xC4, 0x28, // add rsp, 0x28
0x41, 0x5F, // pop r15
0x41, 0x5E, // pop r14
0x41, 0x5D, // pop r13
0x41, 0x5C, // pop r12
0x41, 0x5B, // pop r11
0x41, 0x5A, // pop r10
0x41, 0x59, // pop r9
0x41, 0x58, // pop r8
0x5F, // pop rdi
0x5E, // pop rsi
0x5D, // pop rbp
0x5B, // pop rbx
0x5A, // pop rdx
0x59, // pop rcx
0x58, // pop rax
0x9D, // popfq
0xFF, 0x25, 0x00, 0x00, 0x00, 0x00, // jmp offset
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 // rip
};
InitWow64ext();
DWORD64 pfLoadLibrary = (DWORD64)GetProcAddress64(GetModuleHandle64(L"ntdll.dll"), "LdrLoadDll");
if (!pfLoadLibrary) {
return false;
}
struct UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
DWORD64 Buffer;
};
SIZE_T memsize = sizeof(DWORD64) + sizeof(UNICODE_STRING) + (dll.size() + 1) * sizeof(wchar_t);
DWORD64 memory = VirtualAllocEx64(pi.hProcess, NULL, memsize, MEM_COMMIT, PAGE_READWRITE);
if (!memory) {
return false;
}
DWORD64 shellcode = VirtualAllocEx64(pi.hProcess, NULL, sizeof(sc), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (!shellcode) {
return false;
}
UNICODE_STRING us;
us.Length = (USHORT)(dll.size() * sizeof(wchar_t));
us.MaximumLength = us.Length + sizeof(wchar_t);
us.Buffer = memory + sizeof(UNICODE_STRING);
SIZE_T written = 0;
BOOL ok = FALSE;
ok = WriteProcessMemory64(pi.hProcess, memory, &us, sizeof(UNICODE_STRING), &written);
if (!ok || written != sizeof(UNICODE_STRING)) {
return false;
}
ok = WriteProcessMemory64(pi.hProcess, us.Buffer, (void*)dll.data(), us.MaximumLength, &written);
if (!ok || written != us.MaximumLength) {
return false;
}
_CONTEXT64 ctx = { 0 };
ctx.ContextFlags = CONTEXT_CONTROL;
if (!GetThreadContext64(pi.hThread, &ctx)) {
return false;
}
DWORD64 handle = us.Buffer + us.MaximumLength;
memcpy(sc + 30, &handle, sizeof(handle));
memcpy(sc + 40, &memory, sizeof(memory));
memcpy(sc + 50, &pfLoadLibrary, sizeof(pfLoadLibrary));
memcpy(sc + 98, &ctx.Rip, sizeof(ctx.Rip));
ok = WriteProcessMemory64(pi.hProcess, shellcode, &sc, sizeof(sc), &written);
if (!ok || written != sizeof(sc)) {
return false;
}
ctx.ContextFlags = CONTEXT_CONTROL;
ctx.Rip = shellcode;
if (!SetThreadContext64(pi.hThread, &ctx)) {
return false;
}
return true;
}
BOOL WINAPI DllMain(HINSTANCE instance, DWORD reason, LPVOID lpReserved)
{
static bool bDllInited = false;
BOOL IsUnload = false, bEnableDW = true;
switch(reason) {
case DLL_PROCESS_ATTACH:
#ifdef DEBUG
//MessageBox(0, L"Load", NULL, MB_OK);
#endif
if (bDllInited)
return true;
bDllInited = true;
g_dllInstance = instance;
{
LPWSTR dllPath = new WCHAR[MAX_PATH + 1];
int nSize = GetModuleFileName(g_dllInstance, dllPath, MAX_PATH + 1);
WCHAR* p = &dllPath[nSize];
while (*--p != L'\\');
*p = L'\0';
#ifdef _WIN64
wcscat(dllPath, L"\\EasyHk64.dll");
#else
wcscat(dllPath, L"\\EasyHk32.dll");
#endif
HMODULE hEasyhk = LoadLibrary(dllPath);
delete[]dllPath;
if (!hEasyhk)
return false;
}
//弶婜壔弴彉
//DLL_PROCESS_DETACH偱偼偙傟偺媡弴偵偡傞
//1. CRT娭悢偺弶婜壔
//2. 僋儕僥傿僇儖僙僋僔儑儞偺弶婜壔
//3. TLS偺弨旛
//4. CGdippSettings偺僀儞僗僞儞僗惗惉丄INI撉傒崬傒
//5. ExcludeModule僠僃僢僋
// 6. FreeType儔僀僽儔儕偺弶婜壔
// 7. FreeTypeFontEngine偺僀儞僗僞儞僗惗惉
// 8. API傪僼僢僋
// 9. Manager偺GetProcAddress傪僼僢僋
//1
_CrtSetDbgFlag(_CrtSetDbgFlag(_CRTDBG_REPORT_FLAG) | _CRTDBG_LEAK_CHECK_DF);
_CrtSetReportMode(_CRT_ASSERT, _CRTDBG_MODE_DEBUG | _CRTDBG_MODE_WNDW);
//_CrtSetBreakAlloc(100);
//Opera傛巭傑傟乣
//Assert(GetModuleHandleA("opera.exe") == NULL);
setlocale(LC_ALL, "");
g_hinstDLL = instance;
//APITracer::Start(instance, APITracer::OutputFile);
//2, 3
CCriticalSectionLock::Init();
COwnedCriticalSectionLock::Init();
CThreadCounter::Init();
if (!g_TLInfo.ProcessInit()) {
return FALSE;
}
//4
{
CGdippSettings* pSettings = CGdippSettings::CreateInstance();
if (!pSettings || !pSettings->LoadSettings(instance)) {
CGdippSettings::DestroyInstance();
return FALSE;
}
IsUnload = IsProcessUnload();
bEnableDW = pSettings->DirectWrite();
}
if (!IsUnload) hook_initinternal(); //不加载的模块就不做任何事情
//5
if (!IsProcessExcluded() && !IsUnload) {
#ifndef _WIN64
InitWow64ext();
#endif
if (!FontLInit()) {
return FALSE;
}
g_pFTEngine = new FreeTypeFontEngine;
if (!g_pFTEngine) {
return FALSE;
}
//if (!AddEasyHookEnv()) return FALSE; //fail to load easyhook
InterlockedExchange(&g_bHookEnabled, TRUE);
if (hook_init()!=NOERROR)
return FALSE;
//hook d2d if already loaded
/*
DWORD dwSessionID = 0;
if (ProcessIdToSessionIdProc)
ProcessIdToSessionIdProc(GetCurrentThreadId(), &dwSessionID);
else
dwSessionID = 1;*/
if (IsRunAsUser() && bEnableDW && IsWindowsVistaOrGreater()) //vista or later
{
//ORIG_LdrLoadDll = LdrLoadDll;
//MessageBox(0, L"Test", NULL, MB_OK);
HookD2DDll();
//hook_demand_LdrLoadDll();
}
/*if (IsWindows8OrGreater()) {
*(DWORD_PTR*)&(ORIG_MySetProcessMitigationPolicy) = *(DWORD_PTR*)&(MySetProcessMitigationPolicy);
//hook_demand_MySetProcessMitigationPolicy();
}*/
// InstallManagerHook();
}
//获得当前加载模式
if (IsUnload)
{
HANDLE mutex_offical = OpenMutex(MUTEX_ALL_ACCESS, false, _T("{46AD3688-30D0-411e-B2AA-CB177818F428}"));
HANDLE mutex_gditray2 = OpenMutex(MUTEX_ALL_ACCESS, false, _T("Global\\MacType"));
if (!mutex_gditray2)
mutex_gditray2 = OpenMutex(MUTEX_ALL_ACCESS, false, _T("MacType"));
HANDLE mutex_CompMode = OpenMutex(MUTEX_ALL_ACCESS, false, _T("Global\\MacTypeCompMode"));
if (!mutex_CompMode)
mutex_CompMode = OpenMutex(MUTEX_ALL_ACCESS, false, _T("MacTypeCompMode"));
BOOL HookMode = (mutex_offical || (mutex_gditray2 && mutex_CompMode)) || (!mutex_offical && !mutex_gditray2); //是否在兼容模式下
CloseHandle(mutex_CompMode);
CloseHandle(mutex_gditray2);
CloseHandle(mutex_offical);
if (!HookMode) //非兼容模式下,拒绝加载
return false;
}
//APITracer::Finish();
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
g_TLInfo.ThreadTerm();
break;
case DLL_PROCESS_DETACH:
// RemoveManagerHook();
if (!bDllInited)
return true;
bDllInited = false;
if (InterlockedExchange(&g_bHookEnabled, FALSE) && lpReserved == NULL) { //如果是进程终止,则不需要释放
hook_term();
//delete AACacheFull;
//delete AACache;
// for (int i=0;i<CACHE_SIZE;i++)
// delete g_AACache2[i]; //清除缓存
//free(g_charmapCache);
}
#ifndef DEBUG
if (lpReserved != NULL) return true;
#endif
if (g_pFTEngine) {
delete g_pFTEngine;
}
//if (g_alterGUIFont)
// DeleteObject(g_alterGUIFont);
FontLFree();
/*
#ifndef _WIN64
__FUnloadDelayLoadedDLL2("easyhk32.dll");
#else
__FUnloadDelayLoadedDLL2("easyhk64.dll");
#endif*/
CGdippSettings::DestroyInstance();
g_TLInfo.ProcessTerm();
CCriticalSectionLock::Term();
COwnedCriticalSectionLock::Term();
break;
}
return TRUE;
}
