About ShutDown of Windows(四)
天气很冷,接着折腾
利用Windows Hooks注入
Windows 提供了一组挂钩(hook)函数:被挂钩的线程在自己处理某类消息之前,
系统会先调用我们注册的钩子过程(hook procedure)。
挂钩另一个进程里的线程时,钩子过程必须放在一个 DLL 中,
系统会把这个 DLL 加载到目标线程所在的进程里再去调用它——这实际上已经是代码注入了。
一般情况下,安装钩子的函数和钩子过程都放在同一个 DLL 中。
所谓"注入",就是让另一个进程加载一个本来不属于它的 DLL。
需要注意:DLL 不是在 SetWindowsHookEx 返回时就被加载,而是在目标线程第一次收到被挂钩的消息、系统需要调用钩子过程时才加载;
另外钩子 DLL 必须与目标进程位数一致,目标进程也必须能够找到并加载这个 DLL。
第(二)到(四)篇里一直被 SetWindowsHookEx 的最后一个参数 dwThreadId 绕住了。它的原型是:
// Prototype of SetWindowsHookExW as declared in winuser.h, shown for reference.
WINUSERAPI
HHOOK
WINAPI
SetWindowsHookExW(
int idHook,        // hook type, e.g. WH_KEYBOARD or WH_KEYBOARD_LL
HOOKPROC lpfn,     // hook procedure; to hook a thread in another process it must live in a DLL
HINSTANCE hmod,    // module that contains lpfn (the hook DLL's own HINSTANCE)
DWORD dwThreadId); // thread to hook; 0 = every thread on the desktop (the only value the *_LL hooks accept)
最后一个参数 dwThreadId 是要挂钩的线程 ID:传 0 表示当前桌面上的所有线程(全局钩子);传某个线程 ID 则只挂钩这一条线程,钩子 DLL 也只会被加载到这条线程所在的进程。注意 WH_KEYBOARD_LL 这类低级钩子只能作为全局钩子安装,dwThreadId 必须为 0。
// First attempt at installing the keyboard hook. This is the version that
// fails with error 87 (ERROR_INVALID_PARAMETER): WH_KEYBOARD_LL is a global,
// low-level hook and only accepts dwThreadId == 0, so asking it to hook a
// single thread (8800) is rejected outright. Kept here as the reproduction.
HOOKDLL_API void Hook(void)
{
// TODO: Add extra initialization here
// Older SDK headers do not define WH_KEYBOARD_LL; its value is 13.
#ifndef WH_KEYBOARD_LL
#define WH_KEYBOARD_LL 13
#endif
// g_IT is this DLL's HINSTANCE (set in DllMain); 8800 is a hard-coded thread
// id from another process, which is exactly what an *_LL hook does not allow.
g_Hook = SetWindowsHookEx(WH_KEYBOARD_LL, MyKeyHook, g_IT, 8800);
if( g_Hook == NULL )
{
// GetLastError() is a DWORD; "%d" prints it as a signed int, fine for 87.
char szBuf[200]= {0};
sprintf(szBuf, "Failed to Set Hook (%d)", GetLastError());
MessageBox(NULL, szBuf, NULL, MB_OK);
}
// return 42;
}
返回的错误码是 87,即 ERROR_INVALID_PARAMETER。
原因是 WH_KEYBOARD_LL(低级键盘钩子)只能作为全局钩子安装,dwThreadId 必须是 0,传 8800 会被直接拒绝;要挂钩指定线程只能用 WH_KEYBOARD。
按这个思路修改了代码。注意:下面贴出的 Hook() 仍然写着 WH_KEYBOARD_LL + 8800,与这段描述不一致;而且 MyKeyHook 里把 lParam 当作 KBDLLHOOKSTRUCT* 解引用,这是 WH_KEYBOARD_LL 的约定,换成 WH_KEYBOARD 后 lParam 是打包的重复计数/扫描码/标志位而不是指针,按指针解引用会崩溃。
// HookDLL.cpp : Defines the entry point for the DLL application.
//
#include "stdafx.h"
#include "HookDLL.h"
#include <stdio.h>
HINSTANCE g_IT;
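// DLL entry point. It runs under the loader lock in every process that maps
// this DLL -- including every process a hook installed from it gets loaded
// into -- so it must stay minimal. The original popped a MessageBox here;
// MessageBox creates a window and pumps messages from inside DllMain, which
// is explicitly disallowed (user32 calls may load further DLLs and deadlock
// on the loader lock) and would also announce the injection in every target.
// Tracing now goes to the debugger output instead, with the same text.
//
// hInstance          : this DLL's module handle; remembered in g_IT because
//                      SetWindowsHookEx needs it as hmod.
// ul_reason_for_call : DLL_PROCESS_ATTACH / DLL_THREAD_ATTACH / ...
// lpReserved         : unused.
// Returns TRUE so the load always succeeds.
BOOL APIENTRY DllMain( HINSTANCE hInstance,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
    (void)lpReserved;
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // hInstance is the same on every call; capturing it once is enough.
        g_IT = hInstance;
        OutputDebugStringA("DLL_PROCESS_ATTACH");
        break;
    case DLL_THREAD_ATTACH:
        OutputDebugStringA("DLL_THREAD_ATTACH");
        break;
    case DLL_THREAD_DETACH:
        OutputDebugStringA("DLL_THREAD_DETACH");
        break;
    case DLL_PROCESS_DETACH:
        OutputDebugStringA("DLL_PROCESS_DETACH");
        break;
    }
    return TRUE;
}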
// This is an example of an exported variable
// Exported variable left over from the DLL project template; unused here.
HOOKDLL_API int nHookDLL=0;
// Handle of the hook installed by Hook(); NULL until then. Each process that
// maps this DLL has its own copy, so in an injected process it stays NULL.
HHOOK g_Hook = NULL;
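// Hook procedure for the WH_KEYBOARD_LL hook installed by Hook().
//
// code   : HC_ACTION when wParam/lParam describe a key event. A negative
//          code must be forwarded untouched -- that is the hook-chain
//          contract, and the original ignored it.
// wParam : WM_KEYDOWN / WM_KEYUP / WM_SYSKEYDOWN / WM_SYSKEYUP.
// lParam : for WH_KEYBOARD_LL a KBDLLHOOKSTRUCT* (vkCode, scanCode, flags,
//          time, dwExtraInfo). For a plain WH_KEYBOARD hook it is a packed
//          bitfield instead, so this callback cannot be reused as-is there.
// Returns the next hook's result. The original returned TRUE, which for a
// global low-level hook swallows every keystroke on the desktop -- in effect
// a keyboard denial of service for all applications.
//
// Only the kind of event is traced, never the key itself: writing vkCode to
// a file (the old fopen("hook.txt") code) turns this DLL into a keylogger,
// and a relative path lands in the current directory of whatever process
// happens to run the hook.
LRESULT CALLBACK MyKeyHook(int code, WPARAM wParam, LPARAM lParam)
{
    if (code < 0)
        return CallNextHookEx(g_Hook, code, wParam, lParam);

    if (code == HC_ACTION)
    {
        const char *info = NULL;
        switch (wParam)
        {
        case WM_KEYDOWN:    info = "key down";     break;
        case WM_KEYUP:      info = "key up";       break;
        case WM_SYSKEYDOWN: info = "sys key down"; break;
        case WM_SYSKEYUP:   info = "sys key up";   break;
        }
        if (info != NULL)
            OutputDebugStringA(info);   // event kind only, no key content
    }

    // Always forward so the keystroke reaches the rest of the chain and the
    // target window.
    return CallNextHookEx(g_Hook, code, wParam, lParam);
}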
// This is an example of an exported function.
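// Installs the keyboard hook whose callback is MyKeyHook.
//
// WH_KEYBOARD_LL is a *global* low-level hook: the system rejects any
// non-zero dwThreadId with ERROR_INVALID_PARAMETER (87), which is exactly
// the failure the earlier call with thread id 8800 produced, so 0 is passed.
// Consequences worth knowing before calling this:
//   - the callback runs in the context of the thread that called Hook(),
//     which therefore needs a message loop, or the hook never fires;
//   - this hook type does NOT load the DLL into any other process. To hook
//     one specific thread (and have the DLL injected into its process) use
//     WH_KEYBOARD -- but then lParam is no longer a KBDLLHOOKSTRUCT* and
//     MyKeyHook has to be adapted.
//
// Side effects: sets g_Hook; a second call while the hook is installed is
// a no-op instead of leaking another hook. Failure is reported in a
// message box with the GetLastError() value.
HOOKDLL_API void Hook(void)
{
// Older SDK headers do not define WH_KEYBOARD_LL; its value is 13.
#ifndef WH_KEYBOARD_LL
#define WH_KEYBOARD_LL 13
#endif
    if (g_Hook != NULL)
        return;

    g_Hook = SetWindowsHookEx(WH_KEYBOARD_LL, MyKeyHook, g_IT, 0 /* all threads: required for *_LL hooks */);
    if (g_Hook == NULL)
    {
        // GetLastError() is a DWORD, hence %lu; 200 bytes is ample.
        char szBuf[200] = {0};
        sprintf(szBuf, "Failed to Set Hook (%lu)", GetLastError());
        MessageBox(NULL, szBuf, NULL, MB_OK);
    }
}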
// This is the constructor of a class that has been exported.
// see HookDLL.h for the class definition
// Constructor of the exported class (declared in HookDLL.h); there is
// nothing to initialise.
CHookDLL::CHookDLL()
{
}
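// Button handler: loads the hook DLL that sits next to this executable
// (same directory and base name, ".dll" extension -- HookTest.exe loads
// HookTest.dll) and calls its exported Hook() to install the hook.
//
// The DLL is addressed by the executable's own full path rather than by a
// bare name, so the normal DLL search order (and the hijacking that comes
// with it) is not involved. The module handle is intentionally never
// released with FreeLibrary: the hook procedure must stay mapped for as
// long as the hook is installed.
//
// The original called whatever GetProcAddress returned without checking
// LoadLibrary or GetProcAddress, i.e. a null-pointer call on any failure;
// every step is now checked and reported like Hook() reports its errors.
void CHookTestDlg::OnButton1()
{
    typedef void (*TYPE_pfnHook)();

    TCHAR szPath[MAX_PATH] = {0};
    const DWORD cch = GetModuleFileName(NULL, szPath, MAX_PATH);
    if (cch == 0 || cch >= MAX_PATH)   // 0 = failure, >= MAX_PATH = truncated path
    {
        ::MessageBox(NULL, _T("GetModuleFileName failed"), NULL, MB_OK);
        return;
    }

    // Explicit ".dll" instead of stripping the extension and relying on
    // LoadLibrary to append the default one; same file, clearer intent.
    PathRenameExtension(szPath, _T(".dll"));

    HMODULE hDll = LoadLibrary(szPath);
    if (hDll == NULL)
    {
        TCHAR szBuf[64] = {0};
        _stprintf(szBuf, _T("LoadLibrary failed (%lu)"), GetLastError());
        ::MessageBox(NULL, szBuf, NULL, MB_OK);
        return;
    }

    TYPE_pfnHook pfnHook = (TYPE_pfnHook)GetProcAddress(hDll, "Hook");
    if (pfnHook == NULL)
    {
        ::MessageBox(NULL, _T("Export \"Hook\" not found in hook DLL"), NULL, MB_OK);
        return;
    }
    pfnHook();
}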
其中,8800 是另一个进程里的一个线程 ID(硬编码的,每次运行都会变)。这次 SetWindowsHookEx 没有返回错误,但到 8800 所在的进程里看了一下(用 syscheck),并没有加载 HookTest.dll。
原因还没完全搞清楚。可能的解释:线程钩子的 DLL 不是在 SetWindowsHookEx 返回时加载,而是在目标线程第一次收到被挂钩的键盘消息、系统需要调用钩子过程时才加载,所以安装后立刻去看是看不到的;另外也要确认钩子 DLL 与目标进程位数一致、目标进程能找到这个 DLL。
Google 到的资料:
http://bbs.pediy.com/showthread.php?p=445390
http://edison.5d6d.com/thread-742-1-1.html
明天再搞