DLL Inject -- 一、Windows 鉤子(Hooks) - (1)
之前搞復雜了,其實可以很簡單
有個要點:
The global hooks are a shared resource, and installing one affects all applications in the same desktop as the calling thread. All global hook functions must be in libraries. Global hooks should be restricted to special-purpose applications or to use as a development aid during application debugging. Libraries that no longer need a hook should remove its hook procedure.
作為一個全局或跨進程的鉤子,鉤子的實現函數必須在DLL中實現,不然目標程序觸發到鉤子時就會掛掉
DLL實現
// DLLInject.cpp : Defines the entry point for the DLL application.
//
#include?"stdafx.h"
#include?<stdio.h>
// Hook procedure for the WH_CALLWNDPROC hook installed by the caller.
//
// It inspects nothing and alters nothing: every notification is handed
// straight to the next procedure in the hook chain. Because the hook is
// thread-specific and the procedure lives in this DLL, the code below runs
// inside the hooked process, not inside the program that installed the hook.
//
// The installer resolves this routine by name through
// GetProcAddress(hModule, "CallWndProc"), so the build must export it under
// exactly that unmangled name; the export itself is not part of this listing.
LRESULT CALLBACK CallWndProc(int code, WPARAM wParam, LPARAM lParam)
{
    // NULL for the hook handle is accepted here; the chain is continued
    // with the arguments untouched.
    const LRESULT next = CallNextHookEx(NULL, code, wParam, lParam);
    return next;
}
// DLL entry point.
//
// hModule            - instance handle of this DLL (used to find its own path)
// ul_reason_for_call - attach/detach notification reason
// lpReserved         - unused
// Returns TRUE in every case, so the DLL never refuses to load.
//
// On DLL_PROCESS_ATTACH the DLL loads itself once more by its own file
// name. The only effect is to raise the module's reference count in the
// host process, so that the host keeps the DLL mapped even after the
// installer has removed its hook and exited; nothing ever balances that
// LoadLibrary with a FreeLibrary. For a defender this is the observable
// trait: the module stays in the host's loaded-module list after the
// installer is gone.
//
// NOTE(review): Microsoft's DllMain guidance lists LoadLibrary among the
// calls to avoid from DllMain (the loader lock is held here), and the return
// value of GetModuleFileName is not checked before its buffer is reused.
BOOL APIENTRY DllMain( HANDLE hModule, 
                      DWORD  ul_reason_for_call, 
                      LPVOID lpReserved
                      )
{
    // Only the attach notification does any work; detach is a no-op so the
    // extra reference taken below is never released from this side.
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        char szSelfPath[MAX_PATH] = {0};
        GetModuleFileName((HMODULE)hModule, szSelfPath, MAX_PATH);
        // Self-load: bumps the reference count, no new mapping.
        LoadLibrary(szSelfPath);
    }

    return TRUE;
}
在DLL加載時多調用一次 LoadLibrary,目的是增加模塊的引用計數,這樣即使我們的程序關掉了,系統也不會卸載掉DLL,DLL仍然留在內存中(所以通常情況下 LoadLibrary 和 FreeLibrary 要成對調用,具體可以了解下 Windows 的內存管理機制)
調用代碼:
// Not referenced anywhere in this listing.
UINT  g_nHOOKMsg = 0;
// Handle returned by SetWindowsHookEx in OnButton1. It is not reset after
// UnhookWindowsHookEx there, so it can hold a stale value once the hook
// has been removed.
HHOOK g_hHook = NULL;
//---------------------------------------------------------------------------
// ModuleFromAddress
//
// Returns the HMODULE that contains the specified memory address
//---------------------------------------------------------------------------
// Maps an address inside this process to the module that contains it.
//
// pv - any address within the module of interest
// Returns the region's AllocationBase reinterpreted as an HMODULE, or NULL
// when VirtualQuery cannot describe the address.
static HMODULE ModuleFromAddress(PVOID pv) 
{
    MEMORY_BASIC_INFORMATION mbi;

    // A zero return means no information was written to mbi, so it must
    // not be read.
    if (::VirtualQuery(pv, &mbi, sizeof(mbi)) == 0)
    {
        return NULL;
    }
    // For a loaded image the allocation base is the image base, which is
    // also the HMODULE value.
    return (HMODULE) mbi.AllocationBase;
}
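// Button handler: installs a thread-specific WH_CALLWNDPROC hook whose
// procedure lives in DLLInject.dll, aimed at the thread owning the window
// titled "testHooked", sends that window one message and removes the hook.
//
// Every failure path reports through AfxMessageBox and returns; no
// GetLastError detail is surfaced, so a failed step has to be diagnosed in
// the debugger.
//
// Changes from the earlier version of this handler:
//  - the window is looked up once and the handle reused at the SendMessage
//    call, so both steps address the same window (the previous second
//    FindWindow could have returned NULL and sent to a null handle);
//  - the module loaded here only to resolve the procedure address is
//    released on every exit path, balancing the LoadLibrary;
//  - g_hHook is reset to NULL once the hook is gone so it does not dangle.
//
// NOTE(review): "DLLInject.dll" is a bare file name, so it is resolved
// through the normal DLL search order of this process rather than from a
// known location.
void CDLLInjectBySetHookDlg::OnButton1() 
{    
    HMODULE hModule = ::LoadLibrary("DLLInject.dll");
    if ( hModule == NULL )
    {
        AfxMessageBox("Failed to LoadLibrary!");
        return ;
    }
    typedef LRESULT (CALLBACK *CallWndProc)(int code, WPARAM wParam, LPARAM lParam);
    CallWndProc pfnCallWndProc = (CallWndProc)::GetProcAddress(hModule, "CallWndProc");
    if ( pfnCallWndProc == NULL )
    {
        AfxMessageBox("Failed to GetProcAddress!");
        ::FreeLibrary(hModule);
        return ;
    }
    HWND hWnd = ::FindWindow(NULL, "testHooked");
    if (hWnd == NULL)
    {
        AfxMessageBox("Failed to Find Window!");
        ::FreeLibrary(hModule);
        return ;
    }
    DWORD dwThreadID = ::GetWindowThreadProcessId(hWnd, NULL);
    if ( dwThreadID == 0 )
    {
        AfxMessageBox("Failed to Get Window Thread Process ID");
        ::FreeLibrary(hModule);
        return ;
    }
    // ModuleFromAddress maps the resolved procedure back to the module that
    // contains it, i.e. the DLL loaded above; the hook is limited to the one
    // thread identified by dwThreadID.
    g_hHook = ::SetWindowsHookEx(WH_CALLWNDPROC, (HOOKPROC)(pfnCallWndProc), ModuleFromAddress(pfnCallWndProc), dwThreadID);
    if ( g_hHook == NULL )
    {
        AfxMessageBox("Failed to Set Windows Hook");
        ::FreeLibrary(hModule);
        return ;
    }
    // Presumably sent so the hook has a message to fire on; the original
    // listing does not state why. SendMessage blocks until the target
    // thread has processed it.
    ::SendMessage(hWnd, WM_USER, 0, 0);
    ::UnhookWindowsHookEx(g_hHook);
    g_hHook = NULL;
    // Only this process's reference is dropped here; whatever the hooked
    // process holds on the DLL is unaffected.
    ::FreeLibrary(hModule);
}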
按下按鈕,使用工具查看,目標程序的加載模塊列表中已經有了 DLLInject.dll ,注入成功!