Detours on Zayn's Bloghttps://blog.treesir.pub/tags/detours/Recent content in Detours on Zayn's BlogHugo -- gohugo.iozh-cnyangzun@treesir.pub (Zayn)yangzun@treesir.pub (Zayn)2021-2026 ZaynThu, 09 Apr 2026 00:00:00 +0800在 RDP 远程桌面中运行 PADS:从 API Hook 到 AppInit_DLLs 的工程实践https://blog.treesir.pub/posts/pads-rdp-bypass-hook-practice/Thu, 09 Apr 2026 00:00:00 +0800yangzun@treesir.pub (Zayn)https://blog.treesir.pub/posts/pads-rdp-bypass-hook-practice/<p>Author: <a href="https://github.com/cdryzun" target="_blank" >cdryzun</a> Updated: 2026-04-09</p> <p>本文项目地址:<a href="https://github.com/cdryzun/pads-rdp-bypass" target="_blank" >github.com/cdryzun/pads-rdp-bypass</a></p> <hr> <ul> <li><a href="#0-%e9%97%ae%e9%a2%98%e8%83%8c%e6%99%af">0. 问题背景</a> <ul> <li><a href="#01-pads-%e4%b8%8e%e8%bf%9c%e7%a8%8b%e6%a1%8c%e9%9d%a2%e7%9a%84%e5%86%b2%e7%aa%81">0.1 PADS 与远程桌面的冲突</a></li> <li><a href="#02-flexnet-%e7%9a%84%e6%a3%80%e6%b5%8b%e5%8e%9f%e7%90%86">0.2 FlexNet 的检测原理</a></li> </ul> </li> <li><a href="#1-%e6%8a%80%e6%9c%af%e9%80%89%e5%9e%8bapi-hook-%e4%b8%8e-microsoft-detours">1. 技术选型:API Hook 与 Microsoft Detours</a> <ul> <li><a href="#11-%e4%bb%80%e4%b9%88%e6%98%af-api-hook">1.1 什么是 API Hook</a></li> <li><a href="#12-hook-dll-%e7%9a%84%e5%ae%9e%e7%8e%b0">1.2 Hook DLL 的实现</a></li> </ul> </li> <li><a href="#2-%e6%b3%a8%e5%85%a5%e6%96%b9%e6%a1%88%e7%9a%84%e6%bc%94%e8%bf%9b%e4%b8%89%e6%ac%a1%e5%a4%b1%e8%b4%a5%e4%b8%8e%e4%b8%80%e6%ac%a1%e6%88%90%e5%8a%9f">2. 注入方案的演进:三次失败与一次成功</a> <ul> <li><a href="#21-%e7%ac%ac%e4%b8%80%e6%ac%a1detours-%e8%bf%9b%e7%a8%8b%e5%88%9b%e5%bb%ba%e6%b3%a8%e5%85%a5">2.1 第一次:Detours 进程创建注入</a></li> <li><a href="#22-%e7%ac%ac%e4%ba%8c%e6%ac%a1%e7%bb%95%e8%bf%87%e8%b7%b3%e6%9d%bf%e7%9b%b4%e6%8e%a5%e6%b3%a8%e5%85%a5%e4%b8%bb%e7%a8%8b%e5%ba%8f">2.2 第二次:绕过跳板直接注入主程序</a></li> <li><a href="#23-%e7%ac%ac%e4%b8%89%e6%ac%a1createremotethread-%e8%bf%90%e8%a1%8c%e6%97%b6%e6%b3%a8%e5%85%a5">2.3 第三次:CreateRemoteThread 运行时注入</a></li> <li><a href="#24-%e6%9c%80%e7%bb%88%e6%96%b9%e6%a1%88appinit_dlls-%e6%b3%a8%e5%86%8c%e8%a1%a8%e6%b3%a8%e5%85%a5">2.4 最终方案:AppInit_DLLs 注册表注入</a></li> </ul> </li> <li><a href="#3-pads-%e8%bf%9b%e7%a8%8b%e6%9e%b6%e6%9e%84%e9%80%86%e5%90%91%e5%88%86%e6%9e%90">3. PADS 进程架构逆向分析</a> <ul> <li><a href="#31-%e5%8f%8c-exe-%e6%9e%b6%e6%9e%84">3.1 双 EXE 架构</a></li> <li><a href="#32-eewrapper-%e8%b7%b3%e6%9d%bf%e7%9a%84%e4%ba%8c%e8%bf%9b%e5%88%b6%e5%88%86%e6%9e%90">3.2 EEWrapper 跳板的二进制分析</a></li> </ul> </li> <li><a href="#4-%e5%9c%a8-macos-%e4%b8%8a%e4%ba%a4%e5%8f%89%e7%bc%96%e8%af%91github-actions-cicd">4. 在 macOS 上交叉编译:GitHub Actions CI/CD</a> <ul> <li><a href="#41-%e4%b8%ba%e4%bb%80%e4%b9%88%e4%b8%8d%e8%83%bd%e6%9c%ac%e5%9c%b0%e7%bc%96%e8%af%91">4.1 为什么不能本地编译</a></li> <li><a href="#42-github-actions-%e5%b7%a5%e4%bd%9c%e6%b5%81">4.2 GitHub Actions 工作流</a></li> <li><a href="#43-%e9%9d%99%e6%80%81%e9%93%be%e6%8e%a5%e7%9a%84%e5%85%b3%e9%94%ae%e5%86%b3%e7%ad%96">4.3 静态链接的关键决策</a></li> </ul> </li> <li><a href="#5-%e9%83%a8%e7%bd%b2%e4%b8%80%e9%94%ae%e5%ae%89%e8%a3%85%e8%84%9a%e6%9c%ac">5. 部署:一键安装脚本</a> <ul> <li><a href="#51-%e5%ae%89%e8%a3%85">5.1 安装</a></li> <li><a href="#52-%e5%8d%b8%e8%bd%bd">5.2 卸载</a></li> </ul> </li> <li><a href="#6-%e8%b8%a9%e5%9d%91%e8%ae%b0%e5%bd%95%e4%b8%8e%e6%8e%92%e9%94%99%e7%bb%8f%e9%aa%8c">6. 踩坑记录与排错经验</a></li> <li><a href="#7-%e5%8f%82%e8%80%83%e8%b5%84%e6%96%99">7. 参考资料</a></li> </ul> <hr> <h2 class="relative group">0. 问题背景 <div id="0-问题背景" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100"> <a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#0-%e9%97%ae%e9%a2%98%e8%83%8c%e6%99%af" aria-label="锚点">#</a> </span> </h2> <h3 class="relative group">0.1 PADS 与远程桌面的冲突 <div id="01-pads-与远程桌面的冲突" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100"> <a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#01-pads-%e4%b8%8e%e8%bf%9c%e7%a8%8b%e6%a1%8c%e9%9d%a2%e7%9a%84%e5%86%b2%e7%aa%81" aria-label="锚点">#</a> </span> </h3> <p>PADS(现 Siemens EDA,原 Mentor Graphics)是硬件工程师日常使用的 PCB 设计工具。关于 PADS VX2.4 的安装配置,可参考 <a href="https://www.mcuzx.com/t-53-1.html" target="_blank" >这篇安装文档</a>。</p>