// dllmain.cpp : implementation of DllMain.
/* This source was released as open source by TC Jiandan Software Technology
   Co., Ltd.; its functionality may be freely modified and redistributed.
   Changsha Jiandan Software Technology Co., Ltd. does no follow-up maintenance
   of this source; please comply with the open-source licence when using it. */
//
// Overview of this translation unit (everything stated here is visible in the
// code below):
//   * DllMain, on DLL_PROCESS_ATTACH, opens the named file mapping
//     "<TS_MAPVIEW_NAME><pid>". If it exists the DLL treats itself as injected,
//     maps a CMessageData block from that shared memory and, depending on
//     InjectType, writes 5 bytes into user32.dll at a hard-coded, OS-version
//     specific offset, blocks on the named event "<TS_BIND201_NAME><pid>",
//     starts IMEUnLoadThread and installs API hooks via
//     TSRuntime::g_DxObj.hookApi().
//   * CBFunB installs / removes a WH_CALLWNDPROC hook for one thread using this
//     module as the hook module (Windows loads the hook module into the hooked
//     thread's process).
//   * IMEUnLoadThread is a 10 ms polling watchdog that unhooks or unloads the
//     DLL when asked to (g_Unbind) or when the injecting window disappears.
//   * TsMutex / TsMutexlock implement a named-event based cross-process lock.
// For triage: the named mapping and event above, the WH_CALLWNDPROC hook and
// the in-memory modification of user32.dll are the observable artefacts.
#include "stdafx.h"
#include "resource.h"
#include "TSPlug_i.h"
#include "dllmain.h"
#include "DXBind.h"
#include "TSRuntime.h"
// NOTE(review): the next #include lost its angle-bracketed header name during
// extraction; the psapi.lib pragma that follows suggests <psapi.h> - TODO confirm.
#include
#pragma comment ( lib, "psapi.lib" )

// ATL module object; DllMain forwards every reason code to it at the end.
CTSPlugModule _AtlModule;
// Folder this DLL lives in, filled by TSRuntime::GetComPath() in DllMain.
TCHAR gDLLFolder[MAX_PATH + 1];
// Hook handle returned by SetWindowsHookEx in CBFunB; used by GetMsgProc,
// CBFunB(FALSE,...) and IMEUnLoadThread.
HHOOK g_hSetWindowsHook=NULL;
// This DLL's module handle, recorded in DllMain and passed to
// FreeLibraryAndExitThread when the DLL unloads itself.
HMODULE g_hInstance=NULL;
// Defined elsewhere in the project:
//   g_Unbind      - polled by IMEUnLoadThread as the "unbind requested" flag.
//   g_InjectHWND  - window of the injecting side (per the original comments);
//                   its disappearance triggers self-unbind.
//   g_currentHwnd - window that receives TS_UNBIND when unbinding.
extern bool g_Unbind;
extern HWND g_InjectHWND;
extern HWND g_currentHwnd;
// Thread value returned by _beginthread in CBFunA (stored only, never used here).
// NOTE(review): _beginthread's handle is closed by the CRT when the thread
// ends, so this value must not be waited on or closed by the caller.
HANDLE g_hthread=NULL;
// Windows version code from TSRuntime::InitialWindowsVersion(); the branches in
// DllMain treat 1=XP, 2=Win2003, 4=Win7, 5=Win8 (per the original comments).
extern int SySTpye;

// Unload / watchdog thread (started by CBFunA and by DllMain).
// Polls every 10 ms and leaves in one of three ways:
//   1. InjectType==204 (the 203 injection path): sets InjectType=205, calls
//      TSRuntime::MyLoadLibrary() and unloads this DLL.
//   2. g_Unbind set: unloads the DLL for InjectType 1/202/205, otherwise just
//      ends the thread (the hook, if any, is left to CBFunB to remove).
//   3. g_InjectHWND is non-NULL but no longer a valid window (the injecting
//      process went away): sends TS_UNBIND to g_currentHwnd, then removes the
//      hook (InjectType 0) or unloads the DLL (any other InjectType).
// NOTE: TSRuntime::pData is dereferenced on every iteration without a NULL
// check - DllMain only starts this thread after checking pData, CBFunA does not.
// FreeLibraryAndExitThread never returns, so the `return` after it is dead code.
// `para` is unused.
void IMEUnLoadThread(void *para)
{
    while(1)
    {
        if(TSRuntime::pData->InjectType==204)// 203-style injection
        {
            TSRuntime::pData->InjectType=205;
            TSRuntime::MyLoadLibrary();
            FreeLibraryAndExitThread(g_hInstance,0); // unload the DLL
            return;
        }
        if(g_Unbind==true) // wait for the window to unbind
        {
            //TSRuntime::add_log( "unload DLL,InjectType:%d",TSRuntime::pData->InjectType);
            if(TSRuntime::pData->InjectType==1||TSRuntime::pData->InjectType==202||TSRuntime::pData->InjectType==205)
            {
                //TSRuntime::add_log( "unload DLL,InjectType:%d",TSRuntime::pData->InjectType);
                FreeLibraryAndExitThread(g_hInstance,0); // unload the DLL
            }
            return ;
        }
        // If the injecting process exited abnormally: unbind ourselves and unload.
        if(::IsWindow(g_InjectHWND)==false&&g_InjectHWND!=NULL)
        {
            if(TSRuntime::pData->InjectType==0)
            {
                // Tell our own window to unbind.
                SendMessage(g_currentHwnd,TS_UNBIND,0,0);
                ::UnhookWindowsHookEx(g_hSetWindowsHook);
            }
            else
            {
                // Tell our own window to unbind.
                SendMessage(g_currentHwnd,TS_UNBIND,0,0);
                FreeLibraryAndExitThread(g_hInstance,0); // unload the DLL
            }
            return ;
        }
        Sleep(10);
        //CString scd;
    }
}

// Callback for the IME injection path.
// Per the original comment, the IME passes its own DLL base address in
// calldata1; the watchdog thread is started only when that base equals this
// module's g_hInstance. calldata2 and calldata3 are unused. Always returns 0.
DWORD CALLBACK CBFunA(DWORD calldata1, DWORD calldata2,DWORD calldata3) // IME injection callback
{
    HINSTANCE my_hInstance=(HINSTANCE)calldata1;
    // Start the thread only after the base passed in by the IME matches the
    // base this DLL obtained for itself.
    //TSRuntime::add_log( "IME injection");
    if(my_hInstance)
    {
        if(my_hInstance==g_hInstance)
            g_hthread=(HANDLE)_beginthread(IMEUnLoadThread, 0 ,0 );// start the thread that waits for unbind and unloads the DLL
    }
    return 0;
}

// Returns the module (allocation base) that contains address `pv`, or NULL if
// VirtualQuery fails. Used to obtain this DLL's handle for SetWindowsHookEx.
static HMODULE ModuleFromAddress(PVOID pv)
{
    MEMORY_BASIC_INFORMATION mbi;
    if(::VirtualQuery(pv, &mbi, sizeof(mbi)) != 0)
    {
        return (HMODULE)mbi.AllocationBase;
    }
    else
    {
        return NULL;
    }
}

// Pass-through hook procedure: does nothing except forward to the next hook.
// Installed by CBFunB as a WH_CALLWNDPROC hook (despite the name, it is not a
// WH_GETMESSAGE hook).
static LRESULT WINAPI GetMsgProc(int code, WPARAM wParam, LPARAM lParam)
{
    return ::CallNextHookEx(g_hSetWindowsHook, code, wParam, lParam);
}

// Installs (bInstall!=0) or removes (bInstall==0) a WH_CALLWNDPROC hook on
// thread `dwThreadId`, with this DLL as the hook module.
// Returns TRUE when the hook was installed, the result of UnhookWindowsHookEx
// when removing, and FALSE when asked to remove a hook that was never set.
// NOTE: a second install overwrites g_hSetWindowsHook without removing the
// previous hook; the earlier hook handle is then lost.
BOOL WINAPI CBFunB(BOOL bInstall, DWORD dwThreadId)
{
    BOOL bOk=FALSE;
    if(bInstall)
    {
        g_hSetWindowsHook = ::SetWindowsHookEx(WH_CALLWNDPROC, GetMsgProc,ModuleFromAddress(GetMsgProc), dwThreadId);
        //TSRuntime::add_log( "g_hSetWindowsHook:%x,PID:%d",GetCurrentProcessId());
        if(g_hSetWindowsHook != NULL)
        {
            bOk = true;
        }
    }
    else
    {
        if(g_hSetWindowsHook)
        {
            //::MessageBox(0,L"Dll Main:UnhookWindowsHookEx",L"TS",0);
            bOk = ::UnhookWindowsHookEx(g_hSetWindowsHook);
        }
    }
    return bOk;
}

// DLL entry point.
// On DLL_PROCESS_ATTACH:
//   1. Initialises the TSRuntime key-map tables, detects the Windows version
//      into SySTpye, records g_hInstance and gDLLFolder.
//   2. Opens the named file mapping "<TS_MAPVIEW_NAME><pid>". Its presence is
//      the signal that this DLL was injected; the mapping handle itself is
//      never closed and the CShareMemory object is never deleted (the
//      CMessageData it exposes, TSRuntime::pData, is used for the DLL's whole
//      lifetime, so this appears deliberate - TODO confirm).
//   3. For InjectType BIND_201 / BIND_203 (advanced to 202 / 204 so the step
//      is not repeated):
//        - computes user32.dll base + a hard-coded, OS-version-specific offset
//          and writes the 5 bytes 55 8B EC 56 57 (x86 `push ebp; mov ebp,esp;
//          push esi; push edi`) there, then flushes the instruction cache.
//          The original comment calls this "restoring the hook once injection
//          is done", i.e. the injecting side presumably overwrote this
//          prologue earlier - TODO confirm against the injector.
//        - creates the manual-reset event "<TS_BIND201_NAME><pid>" and waits on
//          it with INFINITE timeout. Nothing in this file signals that event,
//          so the wait depends on an external party - TODO confirm.
//        - starts IMEUnLoadThread and, for 202 only, calls hookApi().
//   4. Otherwise (InjectType not 202/204): for 205 starts IMEUnLoadThread, then
//      calls hookApi().
// All reason codes are finally forwarded to _AtlModule.DllMain.
// Risks visible in this block (not changed here):
//   - The (DWORD) cast of the HMODULE makes the pointer arithmetic 32-bit
//     only; the *X64 branches select offsets for a 64-bit OS, presumably for a
//     32-bit process under WoW64 - TODO confirm.
//   - If SySTpye matches none of the listed versions no offset is added and
//     the memcpy targets user32's module base, which would fault or corrupt
//     the host process.
//   - Waiting INFINITE on an event and starting a thread inside DllMain happens
//     while the loader lock is held, a documented deadlock risk.
//   - sprintf/wsprintf into MAX_PATH buffers rely on TS_MAPVIEW_NAME /
//     TS_BIND201_NAME being short; no length check is performed.
extern "C" BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    switch(dwReason)
    {
    case DLL_PROCESS_ATTACH:
        {
            TSRuntime::InitKeyPressCharMap();
            TSRuntime::InitVirtualToASCIIMap();
            TSRuntime::InitKeyMap();
            TSRuntime::InitKeyPressMap();
            SySTpye=TSRuntime::InitialWindowsVersion();
            g_hInstance=hInstance;
            //wcscpy(gDLLFolder,TSRuntime::GetComPath());
            TSRuntime::GetComPath(gDLLFolder);
            //::MessageBox(0,gDLLFolder,L"TS",0);
            char pszMapName[MAX_PATH]={0};
            sprintf( pszMapName,"%s%d",TS_MAPVIEW_NAME,GetCurrentProcessId());
            HANDLE hFileMap = OpenFileMappingA(FILE_MAP_ALL_ACCESS, FALSE, pszMapName);
            // A non-NULL hFileMap means the DLL was injected; prepare the injection thread.
            if(hFileMap!=NULL)
            {
                //::MessageBox(0,L"Dll Main:DLL_PROCESS_ATTACH",L"TS",0);
                //// Open the shared memory first; shared memory and program are one-to-one.
                CShareMemory *sm=new CShareMemory(pszMapName);
                TSRuntime::pData=(CMessageData*)sm->GetBuffer();
                //// The initial data in shared memory must not be empty; empty is abnormal.
                if(TSRuntime::pData!=NULL)
                {
                    if(TSRuntime::pData->InjectType==BIND_201||TSRuntime::pData->InjectType==BIND_203)// 201-mode injection
                    {
                        // Advance the state so this block runs only once per process.
                        if(TSRuntime::pData->InjectType==BIND_201)
                            TSRuntime::pData->InjectType=202;
                        else if(TSRuntime::pData->InjectType==BIND_203)
                            TSRuntime::pData->InjectType=204;
                        //TSRuntime::add_log("201-mode injection");
                        // Target = user32.dll base + version-specific offset (32-bit arithmetic).
                        DWORD InternalCallWinProc_Addr=(DWORD)::GetModuleHandle(L"user32.dll");
                        if(SySTpye==1)// WinXP
                            InternalCallWinProc_Addr+=USER32InternalCallWinProcXPoffse;
                        else if(SySTpye==2)// Win2003
                            InternalCallWinProc_Addr+=USER32InternalCallWinProcWin2003offse;
                        else if(SySTpye==4&&TSRuntime::IsWin7X64)// WIN7 X64
                            InternalCallWinProc_Addr+=USER32InternalCallProcWin7x64offse;
                        else if(SySTpye==4)// WIN7 X86
                            InternalCallWinProc_Addr+=USER32InternalCallProcWin7offse;
                        else if(SySTpye==5&&TSRuntime::IsWin8X64)// WIN8 X64
                            InternalCallWinProc_Addr+=USER32InternalCallProcWin8x64offse;
                        else if(SySTpye==5)// WIN8 X86
                            InternalCallWinProc_Addr+=USER32InternalCallProcWin8offse;
                        // No fallback branch: an unknown SySTpye leaves the address at the module base.
                        // 55 8B EC 56 57 = push ebp; mov ebp,esp; push esi; push edi (x86 prologue).
                        BYTE ori[5]={0x55,0x8b,0xec,0x56,0x57};
                        // Injection finished: restore the hooked bytes.
                        memcpy((void*)InternalCallWinProc_Addr,ori,5);
                        FlushInstructionCache(GetCurrentProcess(),(void*)InternalCallWinProc_Addr,5);
                        ////TS_BIND201_NAME
                        wchar_t pszEventName[MAX_PATH]={0};
                        ::wsprintf(pszEventName,L"%s%d",TS_BIND201_NAME,::GetCurrentProcessId());
                        // Manual-reset, initially non-signalled; signalled by another party (not this file).
                        HANDLE picEvent=::CreateEvent(NULL,TRUE,FALSE,pszEventName);
                        // NOTE(review): a NULL picEvent is not checked; WaitForSingleObject would then fail immediately.
                        ::WaitForSingleObject(picEvent,INFINITE);
                        ::CloseHandle(picEvent);
                        g_Unbind=false;
                        _beginthread(IMEUnLoadThread, 0 ,0 );
                        if(TSRuntime::pData->InjectType==202)
                            TSRuntime::g_DxObj.hookApi();
                    }
                    else if(TSRuntime::pData->InjectType!=202&&TSRuntime::pData->InjectType!=204) //// Intercept functions according to the mode passed in, and start a watchdog thread.
                    {
                        if(TSRuntime::pData->InjectType==205)// 203 binding
                            _beginthread(IMEUnLoadThread, 0 ,0 );
                        TSRuntime::g_DxObj.hookApi();
                    }
                }
            }
            break;
        }
    }
    return _AtlModule.DllMain(dwReason, lpReserved);
}

// Cross-process lock built on a named auto-reset event.
// Opens the existing event `pszEventName`; if there is none, creates it
// (auto-reset, initially non-signalled) and immediately signals it so the
// lock starts out free. A NULL result from CreateEventA is not checked.
TsMutex::TsMutex(char *pszEventName)
{
    //InitializeCriticalSection(&m_mutex);
    hEvent=OpenEventA(EVENT_ALL_ACCESS,false,pszEventName);
    if(hEvent==NULL)
    {
        hEvent=CreateEventA(NULL,FALSE,FALSE,pszEventName);
        ::SetEvent(hEvent);
    }
}

// Releases this process's handle to the event (the named object itself lives
// on while any other process still holds it).
TsMutex::~TsMutex()
{
    //DeleteCriticalSection(&m_mutex);
    CloseHandle(hEvent);
}

// Acquires the lock by waiting for the event, which auto-resets on wake-up.
// NOTE(review): the wait is capped at 10 s and its result is ignored, so after
// a timeout the caller proceeds as if it held the lock - mutual exclusion is
// therefore not guaranteed under contention or if a holder never unlocks.
void TsMutex::lock()
{
    //::WaitForSingleObject(hEvent,INFINITE);
    ::WaitForSingleObject(hEvent,10000);
    //EnterCriticalSection(&m_mutex);
}

// Releases the lock by signalling the event; one waiter (if any) is woken.
void TsMutex::unlock()
{
    ::SetEvent(hEvent);
    //LeaveCriticalSection(&m_mutex);
}

// RAII guard: locks `ptcmutex` on construction and unlocks on destruction.
// `ptcmutex` must be non-NULL (it is dereferenced without a check).
TsMutexlock::TsMutexlock(TsMutex *ptcmutex)
{
    m_ptcmutex= ptcmutex;
    m_ptcmutex->lock();
}

TsMutexlock::~TsMutexlock()
{
    m_ptcmutex->unlock();
}