background
Because it is necessary to crack the anti-multiple-opening restriction of a certain piece of software, there is a need to do so.
But changing the window class name is not as simple as changing the window title (directly SetWindowText), and there is no direct API to use. After several days of research, I summarized two ways to modify the window class name:
- Modify the pe file (suitable for programs without shelling)
- hook RegisterClass (suitable for packed programs)
Modify the pe file
Take dbgview.exe as an example, you can see that it is shellless:
After the program is opened, the main window class is named dbgviewClass:
View hex directly in die, search for dbgviewClass:
Modify directly, save, and open the process again to view the class name:
Has been changed!
hook RegisterClass
As we all know, the role of the shell is nothing more than the following functions
- compression
- Anti-dynamic debugging
- Anti-static analysis
Therefore, if the software has been shelled, we will not be able to find the class name string by using the first method (because the real code is only decrypted when the program is running, and what you see with the hex tool is ciphertext)
Let's first look at a piece of code to create a window:
//1、设计窗口
WNDCLASS wc;
wc.cbClsExtra = 0; //类额外的内存,通常为零
wc.cbWndExtra = 0; //窗口额外的内存,通常为零
wc.hbrBackground = (HBRUSH)GetStockObject(WHITE_BRUSH); //设置背景
wc.hCursor = LoadCursor(NULL, IDC_HAND); //设置光标,如果第一个参数为NULL,代表使用系统提供的默认光标
wc.hIcon = LoadIcon(NULL, IDI_WARNING);
wc.hInstance = hInstance; //当前实例句柄,WinMain函数中形参即可
wc.lpfnWndProc = WindowProc; //窗口过程函数,回调函数,名称可以随便起
wc.lpszClassName = TEXT("WINDOW"); //指定窗口类名
wc.lpszMenuName = NULL; //菜单名,没有填NULL
wc.style = 0; //0代表默认风格
//2、注册窗口类
RegisterClass(&wc);
//3、创建窗口
HWND hwnd = CreateWindow(wc.lpszClassName, TEXT("TEXT WINDOW"), WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT ,
NULL, NULL, hInstance, NULL);
//4、显示和更新
ShowWindow(hwnd, SW_SHOWNORMAL);
UpdateWindow(hwnd);
//5、通过循环取消息
MSG msg;
while(1)
{
if (GetMessage(&msg, NULL,0,0) == FALSE)
{
break;
}
TranslateMessage(&msg);
DispatchMessage(&msg);
}
I have tried Hook CreateWindowEx or CreateWindow to modify its lpClassName parameter, but this will cause the function to return a 1047 error (cannot find the window category)
I tried to set a breakpoint on RegisterClass again, but it was called many times and it was difficult for me to tell which one I wanted
Finally, I set a breakpoint in LoadCursor, LoadIcon, and found a suitable place to modify the window class name:
Run the program after modification:
I successfully changed it.
Because this game has file md5 verification, there is no way to modify the class name by modifying the file address after the file address is calculated by the memory address, so I can only give up this idea:
Summary :
Because there is no breakpoint for RegisterClassEx (I only thought of RegisterClass) So much time was wasted. The import table hook can be used to implement the need to modify the class name.
