DLL Inject -- 一、Windows 鉤子(Hooks) - (1)
之前搞復雜了,其實可以很簡單
有個要點:
The global hooks are a shared resource, and installing one affects all applications in the same desktop as the calling thread. All global hook functions must be in libraries. Global hooks should be restricted to special-purpose applications or to use as a development aid during application debugging. Libraries that no longer need a hook should remove its hook procedure.
作為一個全局或跨進程的鉤子,鉤子的實現(xiàn)函數(shù)必須在DLL中實現(xiàn),不然目標程序觸發(fā)到鉤子時就會掛掉
DLL實現(xiàn)
//?DLLInject.cpp?:?Defines?the?entry?point?for?the?DLL?application.
//
#include?"stdafx.h"
#include?<stdio.h>
LRESULT?CALLBACK?CallWndProc(int?code,?WPARAM?wParam,?LPARAM?lParam)
{?
????return?CallNextHookEx?(NULL,?code,?wParam,?lParam);
}
BOOL?APIENTRY?DllMain(?HANDLE?hModule,?
??????????????????????DWORD??ul_reason_for_call,?
??????????????????????LPVOID?lpReserved
??????????????????????)
{
????switch?(?ul_reason_for_call?)
????{
????case?DLL_PROCESS_ATTACH:
????????{
????????????char?szDllName[MAX_PATH]={0};
????????????GetModuleFileName((HMODULE)hModule,?szDllName,?MAX_PATH);
????????????LoadLibrary(szDllName);????????
????????????break;
????????}
????case?DLL_PROCESS_DETACH:
????????{
????????}
????????break;
????}
????
????return?TRUE;
????
}
在DLL加載時,調(diào)用多一次,LoadLibrary的目的,是為了增加引用計數(shù),這樣即使我們的程序關掉了,系統(tǒng)也不會卸載掉DLL,DLL還在內(nèi)存中(所以通常情況下 LoadLibrary 和 FreeLibrary 要成對調(diào)用, 具體可以了解下 Windows 的內(nèi)存管理機制)
調(diào)用代碼:
HHOOK?g_hHook?=?NULL;
UINT??g_nHOOKMsg?=?0;
//---------------------------------------------------------------------------
//?ModuleFromAddress
//
//?Returns?the?HMODULE?that?contains?the?specified?memory?address
//---------------------------------------------------------------------------
static?HMODULE?ModuleFromAddress(PVOID?pv)?
{
????MEMORY_BASIC_INFORMATION?mbi;
????
????return?((::VirtualQuery(pv,?&mbi,?sizeof(mbi))?!=?0)???(HMODULE)?mbi.AllocationBase?:?NULL);
}
void?CDLLInjectBySetHookDlg::OnButton1()?
{????
????HMODULE?hModule?=?::LoadLibrary("DLLInject.dll");
????if?(?hModule?==?NULL?)
????{
????????AfxMessageBox("Failed?to?LoadLibrary!");
????????return?;
????}
????typedef?LRESULT?(CALLBACK?*CallWndProc)(int?code,?WPARAM?wParam,?LPARAM?lParam);
????CallWndProc?pfnCallWndProc?=?(CallWndProc)::GetProcAddress(hModule,?"CallWndProc");
????if?(?pfnCallWndProc?==?NULL?)
????{
????????AfxMessageBox("Failed?to?GetProcAddress!");
????????return?;
????}
????HWND?hWnd?=?::FindWindow(NULL,?"testHooked");
????if?(hWnd?==?NULL)
????{
????????AfxMessageBox("Failed?to?Find?Window!");
????????return?;
????}
????DWORD?dwThreadID?=?::GetWindowThreadProcessId(hWnd,?NULL);
????if?(?dwThreadID?==?0?)
????{
????????AfxMessageBox("Failed?to?Get?Window?Thread?Process?ID");
????????return?;
????}
????g_hHook?=?::SetWindowsHookEx(WH_CALLWNDPROC,?(HOOKPROC)(pfnCallWndProc),?ModuleFromAddress(pfnCallWndProc),?dwThreadID);
????if?(?g_hHook?==?NULL?)
????{
????????AfxMessageBox("Failed?to?Set?Windows?Hook");
????????return?;
????}
????::SendMessage(::FindWindow(NULL,?"testHooked"),?WM_USER,?0,?0);
????::UnhookWindowsHookEx(g_hHook);
}
按下按鈕,使用工具查看,目標程序的加載模塊列表中已經(jīng)有了 DLLInject.dll ,注入成功!