How can I call a function from another .dll which is injected to the same program?


Problem description



My question is really above, I will give more information on this below however:

I have a program which first takes my "false" d3d9.dll; this DLL is then loaded into the game I am reverse engineering. After some time, once the .dll is loaded along with all the other game dependencies, I want to inject my DLL which will do all the dirty work of the reverse engineering.

I think I can load this DLL into the program using LoadLibrary; however, when I'm using the DLL I injected to run the main reverse-engineered code, is there a function I can use to call something from the d3d9.dll?

This is because I still need access to the d3d9 library to render things I may want to add on the screen with my injected .dll. I also don't want to just use the d3d9.dll as this will cause problems with loading times, and the point at which memory is changed.

I also don't plan on using DllMain in the DLL, this means I will also need to call a remote function from the d3d9.dll to the injected DLL in order to ensure a safe process start.

Sorry if this is a stupid question, however thanks for any answers.

Solution

Back in the old days we used to CreateRemoteThread and use LoadLibraryA as the address for lpStartAddress (this address happens to be the same in all processes). The trick was to allocate the DLL name you are injecting using VirtualAllocEx and use that as lpParameter. Effectively your thread calls LoadLibraryA with the DLL name you want to inject. When the Dll loads, Dllmain gets called and you can run code in Dllmain during the time that the dll is being attached (DLL_PROCESS_ATTACH).

This link has some very good information on doing just that. However this technique relies on a Dllmain function. If you can use Dllmain then this mechanism may work. A summary of the steps from that article gives an overview:

Now, we can summarize this technique in the following steps:

1. Retrieve a HANDLE to the remote process (OpenProcess).
2. Allocate memory in the remote process's address space for injected data (VirtualAllocEx).
3. Write a copy of the initialised INJDATA structure to the allocated memory (WriteProcessMemory).
4. Allocate memory in the remote process's address space for injected code.
5. Write a copy of ThreadFunc to the allocated memory.
6. Start the remote copy of ThreadFunc via CreateRemoteThread.
7. Wait until the remote thread terminates (WaitForSingleObject).
8. Retrieve the result from the remote process (ReadProcessMemory or GetExitCodeThread).
9. Free the memory allocated in Steps #2 and #4 (VirtualFreeEx).
10. Close the handles retrieved in Steps #6 and #1 (CloseHandle).

I saw your comment about too much information. Not sure I quite understand. However, Dllmain has some restrictions, like most Win32 API calls can't be used. There are some exceptions, one being CreateThread. Had you considered spinning off a thread to do the work? If you use CreateThread in a Dllmain it effectively gets blocked until Dllmain exits. So once Dllmain returns, the thread will execute.
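A defender-side check for the two loader tricks this thread describes (a remote thread whose start address is LoadLibraryA, and a stand-in d3d9.dll picked up from the game directory instead of System32), added here as an example that is not part of the original answer. It runs over constructed key=value records shaped after Sysmon event IDs 8 and 7; the field names, paths and the watched DLL list are assumptions.

```python
"""Flag the loader tricks discussed in the thread from constructed Sysmon-style records:
 - Event 8 (CreateRemoteThread) whose start function resolves to a LoadLibrary* export
   (the classic remote-thread DLL injection)
 - Event 7 (Image loaded) where a DLL carrying a system library's name, such as
   d3d9.dll, is loaded from outside the Windows system directories (proxy DLL)
Records below are constructed for the example, not real telemetry."""
import re

# Assumed locations of the genuine system DLLs (lower-cased for comparison)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Exports that a remote thread should not normally be started at
LOADER_EXPORTS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}
# System DLL names commonly shadowed by a proxy copy (assumed watch list)
WATCHED_DLLS = {"d3d9.dll", "d3d11.dll", "dxgi.dll"}

SAMPLE_EVENTS = [  # constructed sample records
    "EventID=8 SourceImage=C:\\tools\\inject.exe TargetImage=C:\\Games\\game.exe "
    "StartModule=C:\\Windows\\System32\\KERNEL32.DLL StartFunction=LoadLibraryA",
    "EventID=8 SourceImage=C:\\Windows\\System32\\svchost.exe "
    "TargetImage=C:\\Windows\\System32\\wininit.exe StartModule= StartFunction=",
    "EventID=7 Image=C:\\Games\\game.exe ImageLoaded=C:\\Games\\d3d9.dll Signed=false",
    "EventID=7 Image=C:\\Games\\game.exe ImageLoaded=C:\\Windows\\System32\\d3d9.dll Signed=true",
]


def parse_event(line):
    """Turn one 'Key=Value Key=Value' record into a dict (values hold no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


def remote_thread_into_loader(ev):
    """Event 8 whose new remote thread starts at a LoadLibrary* export."""
    return ev.get("EventID") == "8" and ev.get("StartFunction", "").lower() in LOADER_EXPORTS


def system_dll_from_odd_path(ev):
    """Event 7 loading a watched system-DLL name from outside System32/SysWOW64."""
    if ev.get("EventID") != "7":
        return False
    path = ev.get("ImageLoaded", "").lower()
    name = path.rsplit("\\", 1)[-1]
    return name in WATCHED_DLLS and not path.startswith(SYSTEM_DIRS)


def scan(lines):
    """Return (rule, actor, object) tuples for every record that matches a rule."""
    findings = []
    for ev in map(parse_event, lines):
        if remote_thread_into_loader(ev):
            findings.append(("remote_thread_loadlibrary", ev["SourceImage"], ev["TargetImage"]))
        elif system_dll_from_odd_path(ev):
            findings.append(("system_dll_outside_system_dir", ev["Image"], ev["ImageLoaded"]))
    return findings
```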
