捕获FileProtocolHandler

元始天尊 · 发表于 2014-3-2 13:09:05

欢迎访问技术宅的结界，请注册或者登录吧。

您需要登录才可以下载或查看，没有账号？立即注册→加入我们

×

#include <windows.h>
#include <wininet.h>
#include <shlwapi.h>
#include <shellapi.h>
#pragma comment(lib,"shlwapi.lib")
HMODULE hURL=NULL;
BOOL APIENTRY DllMain( HMODULE hModule,DWORD ul_reason_for_call,LPVOID lpReserved)
{
if(!hURL)
{
hURL=LoadLibraryA("url_origin.dll");
if(hURL)
MessageBox(NULL,"loadsuccess","ok",MB_OK);
else
MessageBox(NULL,"loadfailed","ok",MB_OK);
}
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
//101
BOOL WINAPI Ordinal101(BOOL setflag)
{
FARPROC func=GetProcAddress(hURL,(LPCSTR)MAKELONG(0,101));
if(func)
{
_asm
{
push setflag;
call func;
}
}
return setflag;
}
//102
HRESULT WINAPI AddMIMEFileTypesPS(DWORD a1,DWORD a2)
{
FARPROC func=GetProcAddress(hURL,"AddMIMEFileTypesPS");
HRESULT retv;
if(func)
{
_asm
{
push a2;
push a1;
call func;
mov retv,eax;
}
}
return retv;
}
//103
VOID WINAPI AutodialHookCallback()
{
HMODULE hmod=LoadLibraryA("wininet.dll");
FARPROC proc=GetProcAddress(hmod,"InternetAutodialCallback");
((VOID (*)())proc)();
}
//104 105
VOID CALLBACK FileProtocolHandler(HWND hwnd,HINSTANCE hinst,LPSTR lpFile,INT nCmdShow)
{
LPSTR ptr=lpFile;
DWORD pcchPath=260;
MessageBox(NULL,lpFile,"FileProtocolHandler",MB_OK);
FARPROC func=GetProcAddress(hURL,"FileProtocolHandler");
if(func)
{
_asm
{
push nCmdShow;
push lpFile;
push hinst;
push hwnd;
call func;
}
}
}
//106
BOOL WINAPI InetIsOffline(DWORD dwFlags)
{
FARPROC func=GetProcAddress(hURL,"InetIsOffline");
BOOL retv;
if(func)
{
_asm
{
push dwFlags;
call func;
mov retv,eax;
}
}
return retv;
}
//107 108 117 118
HRESULT WINAPI URLAssociationDialogA(HWND hwndParent, DWORD dwInFlags, PCSTR pcszFile, PCSTR pcszURL, PSTR pszAppBuf, UINT ucAppBufLen)
{
SetLastError(ERROR_NOT_SUPPORTED );
return E_NOTIMPL;
}
//109 110
VOID WINAPI MailToProtocolHandler(HWND hwnd,HINSTANCE hinst, LPSTR lpCmdLine,INT nCmdShow)
{
MessageBox(NULL,lpCmdLine,"MailToProtocolHandler",MB_OK);
FARPROC func=GetProcAddress(hURL,"MailToProtocolHandler");
if(func)
{
_asm
{
push nCmdShow;
push lpCmdLine;
push hinst;
push hwnd
call func;
}
}
}
//111 112
VOID WINAPI OpenURL(HWND hwnd, HINSTANCE hinst, LPSTR lpCmdLine, INT nCmdShow)
{
MessageBox(NULL,lpCmdLine,"OpenURL",MB_OK);
ShellExecute(hwnd,NULL,lpCmdLine,NULL,NULL,nCmdShow);
}
//113 114
VOID TelnetProtocolHandler(HWND hwnd, HINSTANCE hinst, LPSTR lpCmdLine, INT nCmdShow)
{
MessageBox(NULL,lpCmdLine,"TelnetProtocolHandler",MB_OK);
FARPROC func=GetProcAddress(hURL,"TelnetProtocolHandler");
if(func)
{
_asm
{
push nCmdShow;
push lpCmdLine;
push hinst;
push hwnd
call func;
}
}
}
HRESULT WINAPI TranslateURLA(PCSTR pcszURL, DWORD dwInFlags, PSTR *ppszTranslatedURL)
{
MessageBoxA(NULL,pcszURL,"TranslateURL",MB_OK);
FARPROC func=GetProcAddress(hURL,"TranslateURLA");
HRESULT retv;
if(func)
{
_asm
{
push ppszTranslatedURL;
push dwInFlags;
push pcszURL;
call func;
mov retv,eax;
}
}
return retv;
}
HRESULT WINAPI TranslateURLW(PCWSTR pcszURL, DWORD dwInFlags, PWSTR *ppszTranslatedURL)
{
MessageBoxW(NULL,pcszURL,L"TranslateURL",MB_OK);
FARPROC func=GetProcAddress(hURL,"TranslateURLW");
HRESULT retv;
if(func)
{
_asm
{
push ppszTranslatedURL;
push dwInFlags;
push pcszURL;
call func;
mov retv,eax;
}
}
return retv;
}

复制代码

LIBRARY url
EXPORTS
Ordinal101 @101
AddMIMEFileTypesPS @102
AutodialHookCallback @103
FileProtocolHandler @104
FileProtocolHandlerA=FileProtocolHandler @105
InetIsOffline @106
URLAssociationDialogA @107
URLAssociationDialogW=URLAssociationDialogA @108
MailToProtocolHandler @109
MailToProtocolHandlerA=MailToProtocolHandler @110
OpenURL @111
OpenURLA =OpenURL @112
TelnetProtocolHandler @113
TelnetProtocolHandlerA=TelnetProtocolHandler @114
TranslateURLA @115
TranslateURLW @116
URLAssociationDialogA=URLAssociationDialogA @117
URLAssociationDialogW=URLAssociationDialogA @118

复制代码

编译成dll以后，替换system32下的url.dll，将原始dll改名为url_origin.dll，即可捕获url.dll中函数的执行，如果是64位系统需要编译成64位dll

账号		自动登录	找回密码
密码			立即注册→加入我们