DLL hijacking tool - AheadLib 2.2.150

http://www.tinpont.com/software/aheadlib.html

DLL hijacking tool - AheadLib 2.2.150 (source code)

Yonsm is a legendary developer. The DebugTrack debug-string viewer he released in 2004 is still in wide use today.

In 2005 he released AheadLib, an epoch-making piece of software that was well known at the time. AheadLib's main function is to analyze the exported functions of a DLL and generate source code for a DLL that exports the same names: each generated function is only a stub that, when called from elsewhere, jumps to the corresponding export of the original DLL. There are two main ways to use it:

1. Hijack a system DLL: exploit the Windows DLL search order by placing a DLL you wrote, carrying the same name as the system DLL, in the program directory, where it is found before the copy in the system directory. Your DLL loads the real system DLL and forwards each export to the corresponding function in it. (Caveat: DLLs on the KnownDLLs list, such as kernel32 or user32, are mapped from the system's pre-loaded section no matter what sits in the program directory, so this only works for DLLs not on that list.)

2. Hijack any DLL: rename the original DLL, give the DLL you wrote the original's name and place it in the program directory; the program then loads your DLL. Your DLL loads the renamed original and forwards each export to the corresponding function in it.

1. Introduction

AheadLib generates a simulation (proxy) DLL that stands in for an original DLL. It can be used to analyze the calls made into the DLL and their parameters (for example, recording what a program sends over a socket), to change what a function does (do whatever you want :), or to change interface functions (for example, hooking a button's handler and intercepting its events).

2. Usage

1. Open the DLL to be simulated with AheadLib and generate a CPP file.

2. Create a DLL project in Visual Studio 6.0 or .NET and add the generated CPP file to the project.

3. Build in Release mode. The resulting DLL has exactly the same exported functions as the original DLL, and each of them is transparently forwarded to the original function.

4. AheadLib can also generate hook code that intercepts all window messages of the current process, so you can handle any message as you like (a useful helper for modifying a third-party program's user interface).


3. Remarks

1. If the DLL has a very large number of exported functions and a compile error occurs in Visual Studio 6.0, turn off precompiled headers in the project settings.

2. For functions exported in C++ style, or as C __stdcall / C __fastcall, the generated declaration is restored to source level (it may need hand edits before it compiles, for example when a C++ class is exported). In this case the export is done with __declspec(dllexport), so the export ordinal cannot be specified (which matters if the calling program imports by ordinal rather than by name).

3. For functions exported by NONAME or as C __cdecl (such as DEF-file exports, which is how most Windows DLLs, WS2_32 for instance, are built), the export is done with #pragma comment(linker, "/EXPORT:...") and the export ordinal is specified.

4. If DbgHelp.dll is not present on the system, C++-style exports are not recognized (DbgHelp provides the routine that undecorates C++ mangled names).
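As an added example (not AheadLib's generated code, and not from the author of this page), the following is a minimal hand-written proxy DLL that shows usage 2 from the top of the page together with remarks 2 and 3: the original DLL is renamed and our DLL takes its name, untouched exports are passed through to the renamed original as pure forwarders with their ordinals preserved, and one export is intercepted to log its buffer (the socket-recording use case from the introduction) before calling the original. The target library netlib.dll, its exports NetInit (@1), NetSend (@2) and NetClose (@3), its renamed copy netlib_org.dll and the NetSend signature are all assumptions for illustration, as is an x64 MSVC build. The hex_encode helper is plain C so it compiles and can be checked on any platform; the DLL parts sit under #ifdef _WIN32.

```c
/*
 * Added example: hand-written proxy DLL for a hypothetical third-party
 * "netlib.dll" (assumed exports: NetInit @1, NetSend @2, NetClose @3).
 * Usage 2 from the text: the real netlib.dll is renamed to netlib_org.dll
 * and this file is built as netlib.dll in the program directory.
 * Assumes an x64 MSVC build:  cl /LD proxy.c /Fe:netlib.dll
 */
#include <stdio.h>
#include <string.h>

/* Portable helper used by the NetSend hook: render len bytes as
 * "xx xx xx".  Returns the number of characters written (without the
 * terminating NUL), or -1 if len is negative or out is too small. */
int hex_encode(const unsigned char *buf, int len, char *out, int outsz)
{
    static const char digits[] = "0123456789abcdef";
    int need;
    if (len < 0) return -1;
    need = (len > 0) ? len * 3 - 1 : 0;      /* "xx" per byte, ' ' between */
    if (outsz < need + 1) return -1;
    for (int i = 0; i < len; i++) {
        out[i * 3]     = digits[buf[i] >> 4];
        out[i * 3 + 1] = digits[buf[i] & 0x0f];
        if (i + 1 < len) out[i * 3 + 2] = ' ';
    }
    out[need] = '\0';
    return need;
}

#ifdef _WIN32
#include <windows.h>

/* Remark 3: export with /EXPORT so the original ordinals are kept.
 * NetInit and NetClose are pure forwarders: the loader resolves them
 * through netlib_org.dll's export table and none of our code runs. */
#pragma comment(linker, "/EXPORT:NetInit=netlib_org.NetInit,@1")
#pragma comment(linker, "/EXPORT:NetClose=netlib_org.NetClose,@3")
/* NetSend is implemented here under the same ordinal.  On x64 the C
 * symbol is undecorated; an x86 __stdcall build would need
 * "/EXPORT:NetSend=_NetSend@16,@2" (the decoration issue of remark 2). */
#pragma comment(linker, "/EXPORT:NetSend,@2")

typedef int (*NetSend_t)(void *conn, const void *buf, int len);
static HMODULE   g_orig = NULL;
static NetSend_t g_origNetSend = NULL;

/* Resolve the original lazily on first call: LoadLibrary must not be
 * called from DllMain (loader lock). */
static NetSend_t original_NetSend(void)
{
    if (!g_orig) {
        g_orig = LoadLibraryA("netlib_org.dll");
        if (g_orig)
            g_origNetSend = (NetSend_t)GetProcAddress(g_orig, "NetSend");
    }
    return g_origNetSend;
}

/* Intercepted export: log the outgoing buffer, then call the original. */
int NetSend(void *conn, const void *buf, int len)
{
    NetSend_t orig = original_NetSend();
    char hex[3 * 64], line[3 * 64 + 64];
    int shown = (len < 64) ? len : 64;          /* cap the log line */

    if (!orig) return -1;                       /* original missing: fail closed */
    if (hex_encode((const unsigned char *)buf, shown, hex, sizeof hex) >= 0) {
        _snprintf_s(line, sizeof line, _TRUNCATE, "[proxy] NetSend len=%d: %s%s\n",
                    len, hex, (len > 64) ? " ..." : "");
        OutputDebugStringA(line);               /* visible in DebugTrack / DebugView */
    }
    return orig(conn, buf, len);
}

BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    (void)reserved;
    if (reason == DLL_PROCESS_ATTACH)
        DisableThreadLibraryCalls(hinst);       /* no per-thread work needed */
    return TRUE;
}
#endif /* _WIN32 */
```

Two design points worth keeping in a real proxy: the original is loaded on first use rather than in DllMain, because calling LoadLibrary under the loader lock can deadlock, and every pass-through export keeps its original ordinal, since a caller that imports by ordinal would otherwise bind to the wrong function. The log lines go through OutputDebugStringA, so the DebugTrack tool mentioned at the top of the page (or DebugView) shows them without touching the target program.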

 

 

[Figure: AheadLib main interface (software_aheadlib_mainface.png)]

 
