久久久久无码精品,久久伊人影视,久久国产色av免费看

About ShutDown of Windows（五）

Posted on 2009-11-20 00:29 S.l.e!ep.￠% 閱讀(279) 評論(0) 編輯收藏引用所屬分類: RootKit

About ShutDown of Windows（四）

天氣很冷，接著折騰
利用Windows Hooks注入

Windows系統給我們提供了一些掛鉤函數，
使得被掛鉤的進程可以在自己處理接收到的消息之前，
先執行我們的消息處理函數，
而這個消息處理函數一般會放在DLL中，
來讓目標進程加載，這實際上已經達到了注入代碼的效果。
一般情況下，我們把掛鉤函數和消息處理函數都放在dll中：

?所謂的注入，就是讓其它進程強制加載一個DLL的意思吧

二至四中，忽悠到了 SetHook... 的最后一個參數

WINUSERAPI
HHOOK
WINAPI
SetWindowsHookExW(
??? int idHook,
??? HOOKPROC lpfn,
??? HINSTANCE hmod,
??? DWORD dwThreadId);

最后一個是需要注入的 Thread ID

HOOKDLL_API?void?Hook(void)
{
????//?TODO:?Add?extra?initialization?here
#ifndef?WH_KEYBOARD_LL
#define?WH_KEYBOARD_LL?13
#endif

????g_Hook?=?SetWindowsHookEx(WH_KEYBOARD_LL,?MyKeyHook,?g_IT,?8800);
????
????if(?g_Hook?==?NULL?)
????{
????????char?szBuf[200]=?{0};
????????sprintf(szBuf,?"Failed?to?Set?Hook?(%d)",?GetLastError());
????????MessageBox(NULL,?szBuf,?NULL,?MB_OK);
????}
//????return?42;
}

返回的錯誤碼是 87
Google 告訴我，WH_KEYBOARD_LL 不支持線程，只能用 WH_KEYBOARD

修改了下代碼

//?HookDLL.cpp?:?Defines?the?entry?point?for?the?DLL?application.
//

#include?"stdafx.h"
#include?"HookDLL.h"
#include?<stdio.h>

HINSTANCE?g_IT;

BOOL?APIENTRY?DllMain(?HINSTANCE?hInstance,?
???????????????????????DWORD??ul_reason_for_call,?
???????????????????????LPVOID?lpReserved
?????????????????????)
{
????g_IT?=?hInstance;

????switch?(ul_reason_for_call)
????{
????????case?DLL_PROCESS_ATTACH:
????????????MessageBox(NULL,?"DLL_PROCESS_ATTACH",?"",?MB_OK);
????????????break;

????????case?DLL_THREAD_ATTACH:
????????????MessageBox(NULL,?"DLL_THREAD_ATTACH",?"",?MB_OK);
????????????break;

????????case?DLL_THREAD_DETACH:
????????????MessageBox(NULL,?"DLL_THREAD_DETACH",?"",?MB_OK);
????????????break;

????????case?DLL_PROCESS_DETACH:
????????????MessageBox(NULL,?"DLL_PROCESS_DETACH",?"",?MB_OK);
????????????break;
????}
????return?TRUE;
}

//?This?is?an?example?of?an?exported?variable
HOOKDLL_API?int?nHookDLL=0;

HHOOK?g_Hook?=?NULL;

LRESULT?CALLBACK?MyKeyHook(int?code,?WPARAM?wParam,?LPARAM?lParam)
{
#if?(_WIN32_WINNT?<?0x0400)
/*
*?Structure?used?by?WH_KEYBOARD_LL
????*/
????typedef?struct?tagKBDLLHOOKSTRUCT?{
????????DWORD???vkCode;
????????DWORD???scanCode;
????????DWORD???flags;
????????DWORD???time;
????????DWORD???dwExtraInfo;
????}?KBDLLHOOKSTRUCT,?FAR?*LPKBDLLHOOKSTRUCT,?*PKBDLLHOOKSTRUCT;
#endif
????
????PKBDLLHOOKSTRUCT?kbDLLHOOK?=?(PKBDLLHOOKSTRUCT)lParam;
????
????const?char?*info?=?NULL;
????
????if?(wParam?==?WM_KEYDOWN)
????????info?=?"key?down";????
????else?if?(wParam?==?WM_KEYUP)
????????info?=?"key?up";
????else?if?(wParam?==?WM_SYSKEYDOWN)
????????info?=?"sys?key?down";????
????else?if?(wParam?==?WM_SYSKEYUP)
????????info?=?"sys?key?up";
????
????//FILE*?f?=?fopen("hook.txt",?"a+");
????
????//CString?strLog;
????//strLog.Format("%s?-?vkCode?[%04x],?[%c]?scanCode?[%04x]\n",?info,?kbDLLHOOK->vkCode,?kbDLLHOOK->vkCode,?kbDLLHOOK->scanCode);
????
????//fwrite(strLog,?1,?strLog.GetLength(),?f);
????//fclose(f);
????
????//?always?call?next?hook
????//?return?CallNextHookEx(g_Hook,?code,?wParam,?lParam);

????return?TRUE;
}????

//?This?is?an?example?of?an?exported?function.
HOOKDLL_API?void?Hook(void)
{
????//?TODO:?Add?extra?initialization?here
#ifndef?WH_KEYBOARD_LL
#define?WH_KEYBOARD_LL?13
#endif

????g_Hook?=?SetWindowsHookEx(WH_KEYBOARD_LL,?MyKeyHook,?g_IT,?8800);
????
????if(?g_Hook?==?NULL?)
????{
????????char?szBuf[200]=?{0};
????????sprintf(szBuf,?"Failed?to?Set?Hook?(%d)",?GetLastError());
????????MessageBox(NULL,?szBuf,?NULL,?MB_OK);
????}
//????return?42;
}

//?This?is?the?constructor?of?a?class?that?has?been?exported.
//?see?HookDLL.h?for?the?class?definition
CHookDLL::CHookDLL()
{?
????return;?
}

void?CHookTestDlg::OnButton1()?
{
????TCHAR?szPath[MAX_PATH]?=?{0};
????GetModuleFileName(NULL,?szPath,?MAX_PATH);
?????PathRenameExtension(szPath,?_T(""));

????typedef?void?(*TYPE_pfnLoadLibrary)();
????TYPE_pfnLoadLibrary?pfnLoadLibrary?=?NULL;

????HMODULE?Module?=?LoadLibrary(szPath);
????pfnLoadLibrary?=?(TYPE_pfnLoadLibrary)GetProcAddress(Module,?"Hook");
????
????pfnLoadLibrary();
}

其中，8800 是另一個進程其中的一個線程，雖然沒返回錯誤碼，但到
8800那條線程所在的進程看了下，并沒有注入HookTest.dll （使用 syscheck）

原因是啥，還沒搞清楚

Google到的資料
http://bbs.pediy.com/showthread.php?p=445390
http://edison.5d6d.com/thread-742-1-1.html
明天再搞

只有注冊用戶登錄后才能發表評論。
【推薦】100%開源！大型工業跨平臺軟件C++源碼提供，建模，組態！

相關文章: Load Driver protect_pwd.txt Windows下Hook API技術 inline hook 對付API-splicing的一種簡單方法修改IAT實現API HOOK API-HOOK and ANTI-API-HOOK For Ring3 API Hook jmp 法 DirectX Input 鍵盤實現收藏一個反鍵盤記錄工具的分析不用hook 實現掛機鎖

網站導航: 博客園 IT新聞 BlogJava 博問 Chat2DB 管理

S.l.e!ep.￠%

About ShutDown of Windows（五）

日歷

公告

常用鏈接

留言簿(5)

隨筆分類(1107)

隨筆檔案(1098)

文章檔案(1)

相冊

收藏夾(3)

DataStruct

搜索

積分與排名

最新評論

閱讀排行榜

評論排行榜