Hello everyone, I am currently working on an implementation of Win32 Darkmode for AutoIt. Unfortunately I have reached my limits when translating. 😓

It is about the following code:

```cpp
void FixDarkScrollBar()
{
    // Load comctl32.dll from the System32 directory only.
    HMODULE hComctl = LoadLibraryExW(L"comctl32.dll", nullptr, LOAD_LIBRARY_SEARCH_SYSTEM32);
    if (hComctl)
    {
        // Delay-load IAT slot in comctl32.dll for uxtheme.dll ordinal 49.
        auto addr = FindDelayLoadThunkInModule(hComctl, "uxtheme.dll", 49); // OpenNcThemeData
        if (addr)
        {
            DWORD oldProtect;
            // Make the slot writable before replacing the stored function pointer.
            if (VirtualProtect(addr, sizeof(IMAGE_THUNK_DATA), PAGE_READWRITE, &oldProtect))
            {
                // Replacement: scroll bars get the "Explorer::ScrollBar" class list,
                // everything else is passed through to the real OpenNcThemeData.
                auto MyOpenThemeData = [](HWND hWnd, LPCWSTR classList) -> HTHEME {
                    if (wcscmp(classList, L"ScrollBar") == 0)
                    {
                        hWnd = nullptr;
                        classList = L"Explorer::ScrollBar";
                    }
                    return _OpenNcThemeData(hWnd, classList);
                };

                addr->u1.Function = reinterpret_cast<ULONG_PTR>(static_cast<fnOpenNcThemeData>(MyOpenThemeData));
                // Restore the original page protection.
                VirtualProtect(addr, sizeof(IMAGE_THUNK_DATA), oldProtect, &oldProtect);
            }
        }
    }
}
```

What does the code do?

1) FixDarkScrollBar() first opens comctl32.dll in LOAD_LIBRARY_SEARCH_SYSTEM32 mode. So far this is not a problem.
2) But then FindDelayLoadThunkInModule is used to search for / calculate the DelayLoadThunk for the OpenNcThemeData function call within comctl32.dll.
3) Once this is known, a callback function is stored, which makes a change in the ClassList of OpenNcThemeData. So actually nothing more than a DllCallbackRegister function. See also:
4) Then VirtualProtect is called, no idea if this finally works in AutoIt. But I have already written the function _WinAPI_VirtualProtect, after all it is no secret. Why? See also:

So the biggest problem lies in the translation of IatHook.h (https://github.com/ysc3839/win32-darkmode/blob/master/win32-darkmode/IatHook.h)

```cpp
// This file contains code from
// https://github.com/stevemk14ebr/PolyHook_2_0/blob/master/sources/IatHook.cpp
// which is licensed under the MIT License.
// See PolyHook_2_0-LICENSE for more information.

#pragma once

#include <windows.h> // IMAGE_* PE structures, ULONG_PTR
#include <cstdint>   // uint16_t
#include <cstring>   // strcmp, _stricmp

// Convert a relative virtual address (RVA) into a pointer inside the loaded module.
template <typename T, typename T1, typename T2>
constexpr T RVA2VA(T1 base, T2 rva)
{
    return reinterpret_cast<T>(reinterpret_cast<ULONG_PTR>(base) + rva);
}

// Return a pointer to the data directory entryID (import table, delay-import table, ...).
// Does not check that the directory is present (VirtualAddress != 0).
template <typename T>
constexpr T DataDirectoryFromModuleBase(void *moduleBase, size_t entryID)
{
    auto dosHdr = reinterpret_cast<PIMAGE_DOS_HEADER>(moduleBase);
    auto ntHdr = RVA2VA<PIMAGE_NT_HEADERS>(moduleBase, dosHdr->e_lfanew);
    auto dataDir = ntHdr->OptionalHeader.DataDirectory;
    return RVA2VA<T>(moduleBase, dataDir[entryID].VirtualAddress);
}

// Walk the name table and the address table in parallel; return the address-table
// slot whose name-table entry imports funcName by name.
PIMAGE_THUNK_DATA FindAddressByName(void *moduleBase, PIMAGE_THUNK_DATA impName, PIMAGE_THUNK_DATA impAddr, const char *funcName)
{
    for (; impName->u1.Ordinal; ++impName, ++impAddr)
    {
        if (IMAGE_SNAP_BY_ORDINAL(impName->u1.Ordinal))
            continue; // imported by ordinal, there is no name to compare

        auto import = RVA2VA<PIMAGE_IMPORT_BY_NAME>(moduleBase, impName->u1.AddressOfData);
        if (strcmp(import->Name, funcName) != 0)
            continue;
        return impAddr;
    }
    return nullptr;
}

// Same walk, but match entries that import by ordinal.
PIMAGE_THUNK_DATA FindAddressByOrdinal(void *moduleBase, PIMAGE_THUNK_DATA impName, PIMAGE_THUNK_DATA impAddr, uint16_t ordinal)
{
    for (; impName->u1.Ordinal; ++impName, ++impAddr)
    {
        if (IMAGE_SNAP_BY_ORDINAL(impName->u1.Ordinal) && IMAGE_ORDINAL(impName->u1.Ordinal) == ordinal)
            return impAddr;
    }
    return nullptr;
}

// Find the IAT slot for dllName!funcName in the regular import table.
PIMAGE_THUNK_DATA FindIatThunkInModule(void *moduleBase, const char *dllName, const char *funcName)
{
    auto imports = DataDirectoryFromModuleBase<PIMAGE_IMPORT_DESCRIPTOR>(moduleBase, IMAGE_DIRECTORY_ENTRY_IMPORT);
    for (; imports->Name; ++imports)
    {
        if (_stricmp(RVA2VA<LPCSTR>(moduleBase, imports->Name), dllName) != 0)
            continue;

        auto origThunk = RVA2VA<PIMAGE_THUNK_DATA>(moduleBase, imports->OriginalFirstThunk);
        auto thunk = RVA2VA<PIMAGE_THUNK_DATA>(moduleBase, imports->FirstThunk);
        return FindAddressByName(moduleBase, origThunk, thunk, funcName);
    }
    return nullptr;
}

// Find the delay-load IAT slot for dllName!funcName (import by name).
PIMAGE_THUNK_DATA FindDelayLoadThunkInModule(void *moduleBase, const char *dllName, const char *funcName)
{
    auto imports = DataDirectoryFromModuleBase<PIMAGE_DELAYLOAD_DESCRIPTOR>(moduleBase, IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT);
    for (; imports->DllNameRVA; ++imports)
    {
        if (_stricmp(RVA2VA<LPCSTR>(moduleBase, imports->DllNameRVA), dllName) != 0)
            continue;

        auto impName = RVA2VA<PIMAGE_THUNK_DATA>(moduleBase, imports->ImportNameTableRVA);
        auto impAddr = RVA2VA<PIMAGE_THUNK_DATA>(moduleBase, imports->ImportAddressTableRVA);
        return FindAddressByName(moduleBase, impName, impAddr, funcName);
    }
    return nullptr;
}

// Find the delay-load IAT slot for dllName!#ordinal (import by ordinal).
PIMAGE_THUNK_DATA FindDelayLoadThunkInModule(void *moduleBase, const char *dllName, uint16_t ordinal)
{
    auto imports = DataDirectoryFromModuleBase<PIMAGE_DELAYLOAD_DESCRIPTOR>(moduleBase, IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT);
    for (; imports->DllNameRVA; ++imports)
    {
        if (_stricmp(RVA2VA<LPCSTR>(moduleBase, imports->DllNameRVA), dllName) != 0)
            continue;

        auto impName = RVA2VA<PIMAGE_THUNK_DATA>(moduleBase, imports->ImportNameTableRVA);
        auto impAddr = RVA2VA<PIMAGE_THUNK_DATA>(moduleBase, imports->ImportAddressTableRVA);
        return FindAddressByOrdinal(moduleBase, impName, impAddr, ordinal);
    }
    return nullptr;
}
```

Can anyone help me with this? Can this perhaps be outsourced to a dll? I actually have no idea how to implement this. When I tried to translate IatHook.h with ChatGPT I wasted hours.

Here's what GPT says: "Translating the given C++ code into AutoIt requires a series of adjustments, as AutoIt does not deal with concepts such as templates or direct memory access in the same way as C++. Additionally, AutoIt does not support direct work with PE structures (Portable Executable) or IAT (Import Address Table) at the same low level as C++. Therefore, the conversion must take some liberties in the implementation to achieve the goal in AutoIt."

Here is some code/hours I wrote/wasted: FixDarkScrollBar.zip

Kind Regards
NoNameCode
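The by-ordinal delay-load lookup from the post, restated as plain integer reads at fixed PE offsets instead of templates and Windows structs, which is the form a struct-and-offset translation needs. This is an added example, not part of the original post or of IatHook.h; it generalizes to both PE32 and PE32+ images and returns 0 when the delay-import directory is missing. The names `rd32`, `rdThunk`, `sameName`, `FindDelayLoadSlotRva` and `MakeSampleImage` are hypothetical, the sample image and its ordinal 47 are constructed, and a little-endian host is assumed.

```cpp
#include <cctype>
#include <cstdint>
#include <cstring>
#include <vector>
using Image = std::vector<uint8_t>;  // module as mapped in memory: offset == RVA
static uint32_t rd32(const Image& m, size_t off) {  // out-of-range reads yield 0
    uint32_t v = 0;
    if (off + 4 <= m.size()) std::memcpy(&v, &m[off], 4);
    return v;
}
static uint64_t rdThunk(const Image& m, size_t off, bool pe64) {  // pointer-sized entry
    return rd32(m, off) | (pe64 ? uint64_t(rd32(m, off + 4)) << 32 : 0);
}
static bool sameName(const Image& m, size_t off, const char* want) {  // like _stricmp == 0
    for (; off < m.size(); ++off, ++want) {
        if (std::tolower(m[off]) != std::tolower((unsigned char)*want)) return false;
        if (!*want) return true;
    }
    return false;
}
// RVA of the delay-load IAT slot for (dll, ordinal), or 0 when there is none.
uint32_t FindDelayLoadSlotRva(const Image& img, const char* dll, uint16_t ordinal) {
    uint32_t nt = rd32(img, 0x3C);                       // IMAGE_DOS_HEADER.e_lfanew
    bool pe64 = (rd32(img, nt + 24) & 0xFFFF) == 0x20B;  // OptionalHeader.Magic
    uint32_t dirs = nt + 24 + (pe64 ? 112 : 96);         // OptionalHeader.DataDirectory
    uint32_t desc = rd32(img, dirs + 13 * 8);            // entry 13: DELAY_IMPORT
    if (!desc) return 0;                                 // no delay-import directory
    const uint32_t step = pe64 ? 8 : 4;                  // sizeof(IMAGE_THUNK_DATA)
    const uint64_t ordFlag = 1ULL << (pe64 ? 63 : 31);   // IMAGE_ORDINAL_FLAG
    for (; rd32(img, desc + 4); desc += 32) {            // DllNameRVA == 0 ends the array
        if (!sameName(img, rd32(img, desc + 4), dll)) continue;
        uint32_t iat = rd32(img, desc + 12), names = rd32(img, desc + 16);
        for (uint64_t t; (t = rdThunk(img, names, pe64)) != 0; names += step, iat += step)
            if ((t & ordFlag) && (t & 0xFFFF) == ordinal) return iat;
    }
    return 0;
}

// Constructed sample, not a real DLL: PE32+ layout with one delay-load
// descriptor for "UxTheme.dll" that imports ordinals 47 and 49.
Image MakeSampleImage() {
    Image m(0x400, 0);
    auto put = [&](size_t o, uint64_t v, size_t n) { std::memcpy(&m[o], &v, n); };
    put(0x3C, 0x80, 4); put(0x80 + 24, 0x20B, 2);  // e_lfanew, Magic = PE32+
    put(0x80 + 24 + 112 + 13 * 8, 0x200, 4);       // delay-import directory RVA
    put(0x204, 0x300, 4); put(0x20C, 0x340, 4); put(0x210, 0x320, 4);  // name, IAT, name table
    std::memcpy(&m[0x300], "UxTheme.dll", 12);
    put(0x320, (1ULL << 63) | 47, 8); put(0x328, (1ULL << 63) | 49, 8);
    return m;
}
```

The returned RVA plus the module base is the address that `FindDelayLoadThunkInModule` returns as a `PIMAGE_THUNK_DATA` in the post's code.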