About ShutDown of Windows(四)
天氣很冷,接著折騰
利用Windows Hooks注入
Windows系統給我們提供了一些掛鉤函數,
使得被掛鉤的進程可以在自己處理接收到的消息之前,
先執行我們的消息處理函數,
而這個消息處理函數一般會放在DLL中,
來讓目標進程加載,這實際上已經達到了注入代碼的效果。
一般情況下,我們把掛鉤函數和消息處理函數都放在dll中:
?所謂的注入,就是讓其它進程強制加載一個DLL的意思吧
二至四中,忽悠到了 SetHook... 的最后一個參數
WINUSERAPI
HHOOK
WINAPI
SetWindowsHookExW(
??? int idHook,
??? HOOKPROC lpfn,
??? HINSTANCE hmod,
??? DWORD dwThreadId);
最后一個是需要注入的 Thread ID
HOOKDLL_API?void?Hook(void)
{
????//?TODO:?Add?extra?initialization?here
#ifndef?WH_KEYBOARD_LL
#define?WH_KEYBOARD_LL?13
#endif
????g_Hook?=?SetWindowsHookEx(WH_KEYBOARD_LL,?MyKeyHook,?g_IT,?8800);
????
????if(?g_Hook?==?NULL?)
????{
????????char?szBuf[200]=?{0};
????????sprintf(szBuf,?"Failed?to?Set?Hook?(%d)",?GetLastError());
????????MessageBox(NULL,?szBuf,?NULL,?MB_OK);
????}
//????return?42;
}
返回的錯誤碼是 87
Google 告訴我,WH_KEYBOARD_LL 不支持線程,只能用 WH_KEYBOARD
修改了下代碼
//?HookDLL.cpp?:?Defines?the?entry?point?for?the?DLL?application.
//
#include?"stdafx.h"
#include?"HookDLL.h"
#include?<stdio.h>
HINSTANCE?g_IT;
BOOL?APIENTRY?DllMain(?HINSTANCE?hInstance,?
???????????????????????DWORD??ul_reason_for_call,?
???????????????????????LPVOID?lpReserved
?????????????????????)
{
????g_IT?=?hInstance;
????switch?(ul_reason_for_call)
????{
????????case?DLL_PROCESS_ATTACH:
????????????MessageBox(NULL,?"DLL_PROCESS_ATTACH",?"",?MB_OK);
????????????break;
????????case?DLL_THREAD_ATTACH:
????????????MessageBox(NULL,?"DLL_THREAD_ATTACH",?"",?MB_OK);
????????????break;
????????case?DLL_THREAD_DETACH:
????????????MessageBox(NULL,?"DLL_THREAD_DETACH",?"",?MB_OK);
????????????break;
????????case?DLL_PROCESS_DETACH:
????????????MessageBox(NULL,?"DLL_PROCESS_DETACH",?"",?MB_OK);
????????????break;
????}
????return?TRUE;
}
//?This?is?an?example?of?an?exported?variable
HOOKDLL_API?int?nHookDLL=0;
HHOOK?g_Hook?=?NULL;
LRESULT?CALLBACK?MyKeyHook(int?code,?WPARAM?wParam,?LPARAM?lParam)
{
#if?(_WIN32_WINNT?<?0x0400)
/*
*?Structure?used?by?WH_KEYBOARD_LL
????*/
????typedef?struct?tagKBDLLHOOKSTRUCT?{
????????DWORD???vkCode;
????????DWORD???scanCode;
????????DWORD???flags;
????????DWORD???time;
????????DWORD???dwExtraInfo;
????}?KBDLLHOOKSTRUCT,?FAR?*LPKBDLLHOOKSTRUCT,?*PKBDLLHOOKSTRUCT;
#endif
????
????PKBDLLHOOKSTRUCT?kbDLLHOOK?=?(PKBDLLHOOKSTRUCT)lParam;
????
????const?char?*info?=?NULL;
????
????if?(wParam?==?WM_KEYDOWN)
????????info?=?"key?down";????
????else?if?(wParam?==?WM_KEYUP)
????????info?=?"key?up";
????else?if?(wParam?==?WM_SYSKEYDOWN)
????????info?=?"sys?key?down";????
????else?if?(wParam?==?WM_SYSKEYUP)
????????info?=?"sys?key?up";
????
????//FILE*?f?=?fopen("hook.txt",?"a+");
????
????//CString?strLog;
????//strLog.Format("%s?-?vkCode?[%04x],?[%c]?scanCode?[%04x]\n",?info,?kbDLLHOOK->vkCode,?kbDLLHOOK->vkCode,?kbDLLHOOK->scanCode);
????
????//fwrite(strLog,?1,?strLog.GetLength(),?f);
????//fclose(f);
????
????//?always?call?next?hook
????//?return?CallNextHookEx(g_Hook,?code,?wParam,?lParam);
????return?TRUE;
}????
//?This?is?an?example?of?an?exported?function.
HOOKDLL_API?void?Hook(void)
{
????//?TODO:?Add?extra?initialization?here
#ifndef?WH_KEYBOARD_LL
#define?WH_KEYBOARD_LL?13
#endif
????g_Hook?=?SetWindowsHookEx(WH_KEYBOARD_LL,?MyKeyHook,?g_IT,?8800);
????
????if(?g_Hook?==?NULL?)
????{
????????char?szBuf[200]=?{0};
????????sprintf(szBuf,?"Failed?to?Set?Hook?(%d)",?GetLastError());
????????MessageBox(NULL,?szBuf,?NULL,?MB_OK);
????}
//????return?42;
}
//?This?is?the?constructor?of?a?class?that?has?been?exported.
//?see?HookDLL.h?for?the?class?definition
CHookDLL::CHookDLL()
{?
????return;?
}
void?CHookTestDlg::OnButton1()?
{
????TCHAR?szPath[MAX_PATH]?=?{0};
????GetModuleFileName(NULL,?szPath,?MAX_PATH);
?????PathRenameExtension(szPath,?_T(""));
????typedef?void?(*TYPE_pfnLoadLibrary)();
????TYPE_pfnLoadLibrary?pfnLoadLibrary?=?NULL;
????HMODULE?Module?=?LoadLibrary(szPath);
????pfnLoadLibrary?=?(TYPE_pfnLoadLibrary)GetProcAddress(Module,?"Hook");
????
????pfnLoadLibrary();
}
其中,8800 是另一個進程其中的一個線程,雖然沒返回錯誤碼,但到
8800那條線程所在的進程看了下,并沒有注入HookTest.dll (使用 syscheck)
原因是啥,還沒搞清楚
Google到的資料
http://bbs.pediy.com/showthread.php?p=445390http://edison.5d6d.com/thread-742-1-1.html明天再搞