Windows 7 64位 HookApi例子
本程序HOOK的API是DispatchMessageA和DispatchMessageW。在HOOK的方法内会还原ESP,调用user32.DispathMessage(A或W)之后再修改ESP,实现的功能是记录消息的详细日志,记录哪个窗口处理过哪些消息。
1、新建一个win32 console项目,取名为DoInjection,新建一个DoInjectionMain.h,代码如下:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
BOOL SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege);BOOL IsVistaOrLater();BOOL InjectProcess();BOOL InjectCreateProcess();void HookGetMessage();BOOL InjectCreateThread(HANDLE hProcess, LPTHREAD_START_ROUTINE pThreadProc, LPVOID pRemoteBuf);HANDLE MsicCreateRemoteThread(HANDLE hProcess,LPTHREAD_START_ROUTINE lpStartAddress,LPVOIDlpParameter);typedef void*(__stdcall*LPFN_KernelBaseGetGlobalData)(void);typedef DWORD (WINAPI *PFNTCREATETHREADEX)( PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess, LPVOID ObjectAttributes, HANDLE ProcessHandle, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, BOOL CreateSuspended, DWORD dwStackSize, DWORD dw1, DWORD dw2, LPVOID Unknown ); |
2、新建一个DoInjectionMain.c(不是CPP),代码如下:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
|
#include <windows.h>#include <stdio.h>#include <tlhelp32.h>#include <tchar.h>#include "DoInjection.h"#pragma comment(lib,"th32.lib")#pragma comment(lib,"Advapi32.lib")//这个路径很有意思,这个路径是相对于目标进程的,而不是自身进程。//所以要嘛写成绝对路径,要嘛写成相对于目标进程的相对路径。//如果写成相对于自身的路径就要麻烦了,本程序就找不到DLL文件了。const char *pcDllName="MfcHookApi.dll"; //DLL文件的路径HANDLE hSnap=0,hThreadHandle=0,hRemoteProcess32=0,hTokenHandle=0;PROCESSENTRY32 procEntry32;BOOL bNext=FALSE,bWrittenResult=FALSE;TOKEN_PRIVILEGES tokenPower;LUID luidPower;LPVOID pRemoteBuf=NULL;FARPROC fnDllKernel32;size_t sizeWritten=0;DWORD dwThreadId=0;char* pcProsessName="DoWin32Test.exe"; //要注入的进程名(目标进程名)int main(){ IsVistaOrLater(); SetPrivilege(SE_DEBUG_NAME,TRUE); //InjectProcess(); InjectCreateProcess(); getchar(); return 0;}BOOL SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege) { TOKEN_PRIVILEGES tp; HANDLE hToken; LUID luid; if( !OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken) ) { _tprintf("OpenProcessToken error: %u\r\n", GetLastError()); return FALSE; } if( !LookupPrivilegeValue(NULL, lpszPrivilege, &luid) ) { _tprintf("LookupPrivilegeValue error: %u\r\n", GetLastError() ); return FALSE; } tp.PrivilegeCount = 1; tp.Privileges[0].Luid = luid; if( bEnablePrivilege ) tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; else tp.Privileges[0].Attributes = 0; if( !AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES) NULL, (PDWORD) NULL) ) { _tprintf("AdjustTokenPrivileges error: %u\r\n", GetLastError() ); return FALSE; } if( GetLastError() == ERROR_NOT_ALL_ASSIGNED ) { _tprintf("The token does not have the specified privilege. \r\n"); return FALSE; } return TRUE;}BOOL IsVistaOrLater(){ OSVERSIONINFO osvi; ZeroMemory(&osvi, sizeof(OSVERSIONINFO)); //OSVERSIONINFOEX osvix; //ZeroMemory(&osvix,sizeof(OSVERSIONINFOEX)); osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); GetVersionEx(&osvi); printf("network terminal v%ld.%ld,%s,platform:%ld,build number:%ld\r\n",osvi.dwMajorVersion,osvi.dwMinorVersion,osvi.szCSDVersion,osvi.dwPlatformId,osvi.dwBuildNumber); if( osvi.dwMajorVersion >= 6 ) return TRUE; return FALSE;}BOOL InjectProcess(){ procEntry32.dwSize = sizeof(PROCESSENTRY32); hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); bNext=Process32First(hSnap, &procEntry32); while(bNext) { if(!stricmp(procEntry32.szExeFile,pcProsessName)) //--->> { hRemoteProcess32=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_WRITE|PROCESS_VM_OPERATION,1,procEntry32.th32ProcessID); break; } bNext=Process32Next(hSnap, &procEntry32); } CloseHandle(hSnap); pRemoteBuf=VirtualAllocEx(hRemoteProcess32,NULL,strlen(pcDllName),MEM_COMMIT,PAGE_READWRITE); bWrittenResult=WriteProcessMemory(hRemoteProcess32,pRemoteBuf,pcDllName,strlen(pcDllName),(ULONG*)&sizeWritten); if (bWrittenResult) { printf("InjectCreate()-->WriteProcessMemory() Success,written size:%ld,buffer address:%16X\r\n",sizeWritten,pRemoteBuf); } else { printf("InjectCreate()-->WriteProcessMemory() Error:%ld\r\n",GetLastError()); } fnDllKernel32=GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA"); //hThreadHandle=CreateRemoteThread(hRemoteProcess32,NULL,0,(LPTHREAD_START_ROUTINE)fnDllKernel32,pAllocMemory,0,&dwThreadId); //if (hThreadHandle&&dwThreadId) //{ // printf("CreateRemoteThread Success,Handle:%ld,Thread Id:%ld\r\n",hThreadHandle,dwThreadId); //} //else //{ // printf("CreateRemoteThread Error:%ld\r\n",GetLastError()); //} InjectCreateThread(hRemoteProcess32, (LPTHREAD_START_ROUTINE)fnDllKernel32, pRemoteBuf); //MsicCreateRemoteThread(hRemoteProcess32,(LPTHREAD_START_ROUTINE)fnDllKernel32,pRemoteBuf); VirtualFreeEx(hRemoteProcess32, pRemoteBuf, 0, MEM_RELEASE);; CloseHandle(hRemoteProcess32); return TRUE;}BOOL InjectCreateProcess(){ PROCESS_INFORMATION pi; STARTUPINFO si; procEntry32.dwSize = sizeof(PROCESSENTRY32); ZeroMemory(&pi,sizeof(PROCESS_INFORMATION)); ZeroMemory(&si,sizeof(STARTUPINFO)); si.cb=sizeof(STARTUPINFO); CreateProcess(NULL,pcProsessName,NULL,NULL,false,0,NULL,NULL,&si,&pi); hRemoteProcess32=pi.hProcess; printf("waiting for 30 seconds please.\r\n"); for (int i=0;i<30;i++) { Sleep(1000); printf("."); } printf("\r\n"); pRemoteBuf=VirtualAllocEx(hRemoteProcess32,NULL,strlen(pcDllName),MEM_COMMIT,PAGE_READWRITE); bWrittenResult=WriteProcessMemory(hRemoteProcess32,pRemoteBuf,pcDllName,strlen(pcDllName),(ULONG*)&sizeWritten); if (bWrittenResult) { printf("InjectCreate()-->WriteProcessMemory() Success,written size:%ld,buffer address:%16X\r\n",sizeWritten,pRemoteBuf); } else { printf("InjectCreate()-->WriteProcessMemory() Error:%ld\r\n",GetLastError()); } fnDllKernel32=GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA"); //hThreadHandle=CreateRemoteThread(hRemoteProcess32,NULL,0,(LPTHREAD_START_ROUTINE)fnDllKernel32,pAllocMemory,0,&dwThreadId); //if (hThreadHandle&&dwThreadId) //{ // printf("CreateRemoteThread Success,Handle:%ld,Thread Id:%ld\r\n",hThreadHandle,dwThreadId); //} //else //{ // printf("CreateRemoteThread Error:%ld\r\n",GetLastError()); //} //InjectCreateThread(hRemoteProcess32, (LPTHREAD_START_ROUTINE)fnDllKernel32, pRemoteBuf); MsicCreateRemoteThread(hRemoteProcess32,(LPTHREAD_START_ROUTINE)fnDllKernel32,pRemoteBuf); //VirtualFreeEx(hRemoteProcess32, pRemoteBuf, 0, MEM_RELEASE);; //CloseHandle(hRemoteProcess32); return TRUE;}BOOL InjectCreateThread(HANDLE hProcess, LPTHREAD_START_ROUTINE pThreadProc, LPVOID pRemoteBuf){ HANDLE hThread = NULL; FARPROC pFunc = NULL; if( IsVistaOrLater() ) // Vista, 7, Server2008 { pFunc = GetProcAddress(GetModuleHandle("ntdll.dll"), "NtCreateThreadEx"); if( pFunc == NULL ) { printf("InjectCreateThread()-->GetProcAddress(\"NtCreateThreadEx\") Error %d\r\n",GetLastError()); return FALSE; } ((PFNTCREATETHREADEX)pFunc)(&hThread, 0x1FFFFF, NULL, hProcess, pThreadProc, pRemoteBuf, FALSE, NULL, NULL, NULL, NULL); if( hThread == NULL ) { printf("InjectCreateThread()-->NtCreateThreadEx() Error: %d\r\n", GetLastError()); return FALSE; } else { printf("InjectCreateThread()-->NtCreateThreadEx() Success,Thread Id:%ld\r\n",hThread); } } else // 2000, XP, Server2003 { hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, pRemoteBuf, 0, NULL); if( hThread == NULL ) { printf("InjectCreateThread()-->CreateRemoteThread() Error: %d\r\n", GetLastError()); return FALSE; } else { printf("InjectCreateThread()-->CreateRemoteThread() Success,Thread Id:%ld\r\n",hThread); } } if( WAIT_FAILED == WaitForSingleObject(hThread, INFINITE) ) { printf("InjectCreateThread() : WaitForSingleObject() Error: %d\r\n", GetLastError()); return FALSE; } return TRUE;}typedef void*(__stdcall*LPFN_KernelBaseGetGlobalData)(void);HANDLE MsicCreateRemoteThread(HANDLE hProcess,LPTHREAD_START_ROUTINE lpStartAddress,LPVOID lpParameter){ OSVERSIONINFOEX stOSVersionInfoEx= {0}; FARPROC pCreateRemoteThreadEx=NULL; LPFN_KernelBaseGetGlobalData pKernelBaseGetGlobalData=NULL; UCHAR *pCreateRemoteThread=NULL; UCHAR *pGlobalData=NULL; UCHAR *pMisc=NULL; HMODULE hKernelBase=NULL; HMODULE hKernel32=NULL; HANDLE hNewThread=NULL; ULONG ulIndex=0; WORD wCode=0; do { stOSVersionInfoEx.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX); if(!GetVersionEx((OSVERSIONINFO*)&stOSVersionInfoEx)) { break; }//vista以前的系统不存在这个问题 if((stOSVersionInfoEx.dwMajorVersion<6)||(GetCurrentProcess()==hProcess)) { hNewThread=CreateRemoteThread(hProcess,NULL,0,lpStartAddress,lpParameter,0,&dwThreadId); if (dwThreadId) { printf("MsicCreateRemoteThread()-->CreateRemoteThread() Success,Thread Id:%08X\r\n",dwThreadId); } else { printf("MsicCreateRemoteThread()-->CreateRemoteThread() Error:%ld\r\n",GetLastError()); } break; } if((stOSVersionInfoEx.dwMajorVersion==6)&&(0==stOSVersionInfoEx.dwMinorVersion)) {//vista hKernel32=LoadLibraryA("Kernel32.dll"); pCreateRemoteThread=(UCHAR*)GetProcAddress(hKernel32,"CreateRemoteThread"); for(ulIndex=0; ulIndex<0x300; ulIndex+=1) { wCode=*((USHORT*)(pCreateRemoteThread+ulIndex));#ifdef _WIN64 if(0x3D80==wCode) { pMisc=(*((ULONG*)(pCreateRemoteThread+ulIndex+2)))+(pCreateRemoteThread+ulIndex+7); break; }#else if(0x1D38==wCode) { pMisc=(UCHAR*)(*((ULONG*)(pCreateRemoteThread+ulIndex+2))); break; }#endif } } else if((stOSVersionInfoEx.dwMajorVersion==6)&&(1==stOSVersionInfoEx.dwMinorVersion)) {//win7 hKernelBase=LoadLibraryW(L"KernelBase.dll"); if(NULL==hKernelBase) { break; } pKernelBaseGetGlobalData=(LPFN_KernelBaseGetGlobalData)GetProcAddress(hKernelBase,"KernelBaseGetGlobalData"); printf("MsicCreateRemoteThread()-->KernelBaseGetGlobalData:%08X\r\n",pKernelBaseGetGlobalData); if(NULL==pKernelBaseGetGlobalData) { break; } pGlobalData=(UCHAR*)pKernelBaseGetGlobalData(); if(NULL==pGlobalData) { break; }#ifdef _WIN64 pMisc=pGlobalData+0x5C;#else pMisc=pGlobalData+0x30;#endif } else {//手上的win8 Build 8250 没有session 隔离 }////////////////////////////////////////////////////////////////////////// if(NULL==pMisc) { break; } printf("MsicCreateRemoteThread()-->pMisc: %08X\r\n",pMisc);//Patch *pMisc=1;//xx hNewThread=CreateRemoteThread(hProcess,NULL,0,lpStartAddress,lpParameter,0,&dwThreadId); if (dwThreadId) { printf("MsicCreateRemoteThread()-->CreateRemoteThread() Success,Thread Id:%08X\r\n",dwThreadId); } else { printf("MsicCreateRemoteThread()-->CreateRemoteThread() Error:%ld\r\n",GetLastError()); }//UnPatch *pMisc=0; } while(FALSE); if(NULL!=hKernelBase) { printf("MsicCreateRemoteThread()-->hKernelBase:%08X\r\n",hKernelBase); FreeLibrary(hKernelBase); hKernelBase=NULL; } return hNewThread;}void HookGetMessage(){ HOOKPROC hp; //SetWindowsHookEx(WH_GETMESSAGE,hp,)} |
3、新建一个mfc的DLL项目,命名为 MfcHookApi.dll,MfcHookApi.h的代码如下:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
|
// MfcHookApi.h : main header file for the MFCHOOKAPI DLL//#if !defined(AFX_MFCHOOKAPI_H__6A8FC5E5_0E77_4B74_8344_CB9CA22141E5__INCLUDED_)#define AFX_MFCHOOKAPI_H__6A8FC5E5_0E77_4B74_8344_CB9CA22141E5__INCLUDED_#if _MSC_VER > 1000#pragma once#endif // _MSC_VER > 1000#ifndef __AFXWIN_H__ #error include 'stdafx.h' before including this file for PCH#endif#include "resource.h" // main symbols/////////////////////////////////////////////////////////////////////////////// CMfcHookApiApp// See MfcHookApi.cpp for the implementation of this class//class CMfcHookApiApp : public CWinApp{public: CMfcHookApiApp();// Overrides // ClassWizard generated virtual function overrides //{{AFX_VIRTUAL(CMfcHookApiApp) public: virtual BOOL InitInstance(); //}}AFX_VIRTUAL //{{AFX_MSG(CMfcHookApiApp) // NOTE - the ClassWizard will add and remove member functions here. // DO NOT EDIT what you see in these blocks of generated code ! //}}AFX_MSG DECLARE_MESSAGE_MAP()};extern "C" __declspec(dllexport) void ActiveHook();extern "C" __declspec(dllexport) void InstallHook4Api(HWND hwnd);int* addrMsgBoxA=(int*)MessageBoxA;int* addrMsgBoxW=(int*)MessageBoxW;int WINAPI HookMessageBoxA(HWND hWnd, LPCSTR lpText,LPCSTR lpCaption, UINT uType);int WINAPI HookMessageBoxW(HWND hWnd, LPCWSTR lpText,LPCWSTR lpCaption, UINT uType);void SetHookMessageBox(HMODULE hModule);typedef int(WINAPI* PfnMessageBox)(HWND,LPCSTR,LPCSTR,UINT);int* addrDispatchA=(int*)DispatchMessageA;int* addrDispatchW=(int*)DispatchMessageW;LRESULT WINAPI HookDispatchMessageA(MSG* msg);LRESULT WINAPI HookDispatchMessageW(MSG* msg);void SetHookDispatchMessage(HMODULE hModule);typedef LRESULT (WINAPI* DLLDISPATCHMESSAGE)(MSG* msg);///////////////////////////////////////////////////////////////////////////////{{AFX_INSERT_LOCATION}}// Microsoft Visual C++ will insert additional declarations immediately before the previous line.#endif // !defined(AFX_MFCHOOKAPI_H__6A8FC5E5_0E77_4B74_8344_CB9CA22141E5__INCLUDED_) |
5、MfcHookApi.cpp代码如下:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
|
// MfcHookApi.cpp : Defines the initialization routines for the DLL.//#include "stdafx.h"#include "MfcHookApi.h"#include <TlHelp32.h>#include <stdio.h>#include <Shlwapi.h>#pragma comment(lib,"shlwapi.lib")#pragma comment(lib,"th32.lib")#ifdef _DEBUG#define new DEBUG_NEW#undef THIS_FILEstatic char THIS_FILE[]=__FILE__;#endif//// Note!//// If this DLL is dynamically linked against the MFC// DLLs,any functions exported from this DLL which// call into MFC must have the AFX_MANAGE_STATE macro// added at the very beginning of the function.//// For example://// extern "C" BOOL PASCAL EXPORT ExportedFunction()// {// AFX_MANAGE_STATE(AfxGetStaticModuleState());// // normal function body here// }//// It is very important that this macro appear in each// function,prior to any calls into MFC. This means that// it must appear as the first statement within the // function,even before any object variable declarations// as their constructors may generate calls into the MFC// DLL.//// Please see MFC Technical Notes 33 and 58 for additional// details.///////////////////////////////////////////////////////////////////////////////// CMfcHookApiAppBEGIN_MESSAGE_MAP(CMfcHookApiApp,CWinApp) //{{AFX_MSG_MAP(CMfcHookApiApp) // NOTE - the ClassWizard will add and remove mapping macros here. // DO NOT EDIT what you see in these blocks of generated code! //}}AFX_MSG_MAPEND_MESSAGE_MAP()/////////////////////////////////////////////////////////////////////////////// CMfcHookApiApp constructionCMfcHookApiApp::CMfcHookApiApp(){ // TODO: add construction code here, // Place all significant initialization in InitInstance}/////////////////////////////////////////////////////////////////////////////// The one and only CMfcHookApiApp objectCMfcHookApiApp theApp;HHOOK hHook=0;HINSTANCE hinstDll=0;DWORD dwCurrentPid=0;DWORD TargetPid=0;BOOL bApiHook=false; FARPROC fpApiAddrA=NULL,fpApiAddrW=NULL;BYTE btOldCodeA[5]={0,0,0,0,0};BYTE btNewCodeA[5]={0,0,0,0,0};BYTE btOldCodeW[5]={0,0,0,0,0};BYTE btNewCodeW[5]={0,0,0,0,0};DWORD dwProtect=0;HANDLE hRemoteProcess32=0,hSnap=0;//#pragma data_seg()//#pragma comment(linker,"/SECTION:YuKai,rws")int nHookCount=0;char* pcProsessName="DoWin32Test.exe"; //---------------------------------------------------------------------------// 空的钩子函数LRESULT WINAPI HookProc(int nCode,WPARAM wParam,LPARAM lParam){ return CallNextHookEx(hHook,nCode,wParam,lParam);}extern "C" __declspec(dllexport) void ActiveHook(){ AFX_MANAGE_STATE(AfxGetStaticModuleState());}//---------------------------------------------------------------------------//本函数一定要用WINAPI(即__stdcall),表示本函数自己平衡堆栈(和win32 API一致)int WINAPI HookMessageBoxA(HWND hWnd,LPCTSTR lpText,LPCTSTR lpCaption,UINT uType) { nHookCount++; printf("HookMessageBoxA hook Success......%d\r\n",nHookCount); return 1; //return ((PfnMessageBox)(addrMsgBoxA))(NULL,"HOOK成功","HOOK成功",MB_ICONINFORMATION);}//---------------------------------------------------------------------------//本函数一定要用WINAPI(即__stdcall),表示本函数自己平衡堆栈(和win32 API一致)int WINAPI HookMessageBoxW(HWND hWnd,LPCWSTR lpText,LPCWSTR lpCaption,UINT uType) { nHookCount++; printf("HookMessageBoxW hook Success......%d\r\n",nHookCount); return 1; //return ((PfnMessageBox)(addrMsgBoxW))(NULL,"HOOK成功","HOOK成功",MB_ICONINFORMATION);}//---------------------------------------------------------------------------// 安装卸载空钩子(ProcessID=NULL:卸载)extern "C" __declspec(dllexport) void InstallHook4Api(HWND hwnd){ AFX_MANAGE_STATE(AfxGetStaticModuleState()); //GetWindowThreadProcessId(hwnd,&TargetPid); //只hook窗口句柄为hwnd的线程 if(hwnd) hHook=SetWindowsHookEx(WH_GETMESSAGE,(HOOKPROC)HookProc,hinstDll,GetWindowThreadProcessId(hwnd,&TargetPid)); else { if(hHook) UnhookWindowsHookEx(hHook); }}void SetHookMessageBox(HMODULE hModule){ HMODULE hModuleUser32=0; char cArrDllName[256]; hinstDll=(HINSTANCE)hModule; BOOL bNext=FALSE; PROCESSENTRY32 procEntry32; //获取目标进程句柄。 procEntry32.dwSize=sizeof(PROCESSENTRY32); hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); bNext=Process32First(hSnap,&procEntry32); while(bNext) { if(!stricmp(procEntry32.szExeFile,pcProsessName)) //--->> { hRemoteProcess32=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_WRITE|PROCESS_VM_OPERATION,1,procEntry32.th32ProcessID); break; } bNext=Process32Next(hSnap,&procEntry32); } CloseHandle(hSnap); dwCurrentPid=procEntry32.th32ProcessID; //载入需要HOOK的DLL并保存原始ESP hModuleUser32=LoadLibrary("user32.dll"); fpApiAddrA=GetProcAddress(hModuleUser32,"MessageBoxA"); if(fpApiAddrA==NULL) return; /*MessageBoxA原前5字节存至OldCode[5]*/ _asm { pushad lea edi,btOldCodeA mov esi,fpApiAddrA cld movsd movsb popad } /*MessageBoxA新前5字节存至 NewCode[5]*/ btNewCodeA[0]=0xe9; _asm { lea eax,HookMessageBoxA mov ebx,fpApiAddrA sub eax,ebx sub eax,5 mov dword ptr [btNewCodeA+1],eax } //修改ESP /*改写MessageBoxA()的前5个字节*/ VirtualProtectEx(hRemoteProcess32,fpApiAddrA,5,PAGE_READWRITE,&dwProtect); WriteProcessMemory(hRemoteProcess32,fpApiAddrA,btNewCodeA,5,0); VirtualProtectEx(hRemoteProcess32,fpApiAddrA,5,dwProtect,&dwProtect); //载入需要HOOK的DLL并保存原始ESP fpApiAddrW=GetProcAddress(hModuleUser32,"MessageBoxW"); if(fpApiAddrW==NULL) return; /*MessageBoxA原前5字节存至OldCode[5]*/ _asm { pushad lea edi,btOldCodeW mov esi,fpApiAddrW cld movsd movsb popad } /*MessageBoxW新前5字节存至 NewCode[5]*/ btNewCodeW[0]=0xe9; _asm { lea eax,HookMessageBoxW mov ebx,fpApiAddrW sub eax,ebx sub eax,5 mov dword ptr [btNewCodeW+1],eax } /*改写MessageBoxA()的前5个字节*/ //修改ESP VirtualProtectEx(hRemoteProcess32,fpApiAddrW,5,PAGE_READWRITE,&dwProtect); WriteProcessMemory(hRemoteProcess32,fpApiAddrW,btNewCodeW,5,0); VirtualProtectEx(hRemoteProcess32,fpApiAddrW,5,dwProtect,&dwProtect); bApiHook=true; //增加引用次数后立即卸钩(目的:卸钩后保留该dll存在于目标进程中) GetModuleFileName((HINSTANCE)hModule,cArrDllName,256); LoadLibrary(cArrDllName); //只能由目标程序卸钩,否则目标程序有可能来不及加载Hook进来的dll if(hHook && (dwCurrentPid==TargetPid)) UnhookWindowsHookEx(hHook); }void SetHookDispatchMessage(HMODULE hModule){ HMODULE hModuleUser32=0; char cArrDllName[256]; hinstDll=(HINSTANCE)hModule; BOOL bNext=FALSE; PROCESSENTRY32 procEntry32; //获取目标进程句柄。 procEntry32.dwSize=sizeof(PROCESSENTRY32); hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); bNext=Process32First(hSnap,&procEntry32); while(bNext) { if(!stricmp(procEntry32.szExeFile,pcProsessName)) { hRemoteProcess32=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_WRITE|PROCESS_VM_OPERATION,1,procEntry32.th32ProcessID); break; } bNext=Process32Next(hSnap,&procEntry32); } CloseHandle(hSnap); dwCurrentPid=procEntry32.th32ProcessID; //载入需要HOOK的DLL并保存原始ESP hModuleUser32=LoadLibrary("user32.dll"); fpApiAddrA=GetProcAddress(hModuleUser32,"DispatchMessageA"); if(fpApiAddrA==NULL) return; /*MessageBoxA原前5字节存至OldCode[5]*/ _asm { pushad lea edi,btOldCodeA mov esi,fpApiAddrA cld movsd movsb popad } /*MessageBoxA新前5字节存至 NewCode[5]*/ btNewCodeA[0]=0xe9; _asm { lea eax,HookDispatchMessageA mov ebx,fpApiAddrA sub eax,ebx sub eax,5 mov dword ptr [btNewCodeA+1],eax } //修改ESP /*改写MessageBoxA()的前5个字节*/ VirtualProtectEx(hRemoteProcess32,fpApiAddrA,5,PAGE_READWRITE,&dwProtect); WriteProcessMemory(hRemoteProcess32,fpApiAddrA,btNewCodeA,5,0); VirtualProtectEx(hRemoteProcess32,fpApiAddrA,5,dwProtect,&dwProtect); //载入需要HOOK的DLL并保存原始ESP fpApiAddrW=GetProcAddress(hModuleUser32,"DispatchMessageW"); if(fpApiAddrA==NULL) return; /*MessageBoxA原前5字节存至OldCode[5]*/ _asm { pushad lea edi,btOldCodeW mov esi,fpApiAddrW cld movsd movsb popad } /*MessageBoxW新前5字节存至 NewCode[5]*/ btNewCodeW[0]=0xe9; _asm { lea eax,HookDispatchMessageW mov ebx,fpApiAddrW sub eax,ebx sub eax,5 mov dword ptr [btNewCodeW+1],eax } /*改写MessageBoxA()的前5个字节*/ //修改ESP VirtualProtectEx(hRemoteProcess32,fpApiAddrW,5,PAGE_READWRITE,&dwProtect); WriteProcessMemory(hRemoteProcess32,fpApiAddrW,btNewCodeW,5,0); VirtualProtectEx(hRemoteProcess32,fpApiAddrW,5,dwProtect,&dwProtect); bApiHook=true; //增加引用次数后立即卸钩(目的:卸钩后保留该dll存在于目标进程中) GetModuleFileName((HINSTANCE)hModule,cArrDllName,256); LoadLibrary(cArrDllName); //只能由目标程序卸钩,否则目标程序有可能来不及加载Hook进来的dll if(hHook && (dwCurrentPid==TargetPid)) UnhookWindowsHookEx(hHook); }LRESULT WINAPI HookDispatchMessageA(MSG* msg){ CString szFormat=""; CString szLog=""; CTime time; CString szFileName=""; DWORD dwFlag=0; RECT rc; TCHAR szCaption[128]; //HMODULE hDll=0; //DLLDISPATCHMESSAGE dispatch; LRESULT lr=0; //hDll=LoadLibrary("user32.dll"); //if (hDll) //{ // dispatch=(DLLDISPATCHMESSAGE)GetProcAddress(hDll,"DispatchMessageA"); // if (dispatch) // { // lr=(dispatch)(msg); // } //} VirtualProtectEx(hRemoteProcess32,fpApiAddrA,5,PAGE_READWRITE,&dwProtect); WriteProcessMemory(hRemoteProcess32,fpApiAddrA,btOldCodeA,5,0); VirtualProtectEx(hRemoteProcess32,fpApiAddrA,5,dwProtect,&dwProtect); lr=DispatchMessageA(msg); //写日志 szFormat="%-16X%-16X%-16X%-16X%-16d%-16d%-16X%-16d%-16d%-128s\r\n"; memset(szCaption,0,128); if (IsWindow(msg->hwnd)) { GetWindowRect(msg->hwnd,&rc); GetWindowText(msg->hwnd,szCaption,128); szLog.Format(szFormat,msg->hwnd,msg->message,msg->wParam,msg->wParam,msg->pt.x,msg->pt.y,msg->time,rc.right,rc.bottom,szCaption); } else { szLog.Format(szFormat,msg->hwnd,msg->message,msg->wParam,msg->wParam,msg->pt.x,msg->pt.y,msg->time,-1,-1,szCaption); } time=CTime::GetCurrentTime(); szFileName=time.Format("%Y%m%d%H"); szFileName.Insert(0,"C:\\DM"); szFileName+=".log"; dwFlag=CFile::modeReadWrite|CFile::shareDenyRead; if (!PathFileExists(szFileName)) { dwFlag|=CFile::modeCreate; } CFile fileLog(szFileName,dwFlag); fileLog.SeekToEnd(); fileLog.Write(szLog,szLog.GetLength()); fileLog.Flush(); fileLog.Close(); //重新HOOK以便写日志 VirtualProtectEx(hRemoteProcess32,fpApiAddrA,5,PAGE_READWRITE,&dwProtect); WriteProcessMemory(hRemoteProcess32,fpApiAddrA,btNewCodeA, 5, 0); VirtualProtectEx(hRemoteProcess32,fpApiAddrA,5,dwProtect,&dwProtect); return lr;}LRESULT WINAPI HookDispatchMessageW(MSG* msg){ CString szFormat=""; CString szLog=""; CTime time; CString szFileName=""; DWORD dwFlag=0; RECT rc; DWORD dwThreadId=0; TCHAR szCaption[128]; //HMODULE hDll=0; //DLLDISPATCHMESSAGE dispatch; LRESULT lr=0; //hDll=LoadLibrary("user32.dll"); //if (hDll) //{ // dispatch=(DLLDISPATCHMESSAGE)GetProcAddress(hDll,"DispatchMessageW"); // if (dispatch) // { // lr=(dispatch)(msg); // } //} //恢复HOOK VirtualProtectEx(hRemoteProcess32,fpApiAddrW,5,PAGE_READWRITE,&dwProtect); WriteProcessMemory(hRemoteProcess32,fpApiAddrW,btOldCodeW,5,0); VirtualProtectEx(hRemoteProcess32,fpApiAddrW,5,dwProtect,&dwProtect); lr=DispatchMessageW(msg); szFormat="%-16X%-16X%-16X%-16X%-16d%-16d%-16X%-16d%-16d%-16d%-128s\r\n"; memset(szCaption,0,128); dwThreadId=GetCurrentThreadId(); if (IsWindow(msg->hwnd)) { GetWindowRect(msg->hwnd,&rc); GetWindowText(msg->hwnd,szCaption,128); szLog.Format(szFormat,msg->hwnd,msg->message,msg->wParam,msg->wParam,msg->pt.x,msg->pt.y,msg->time,rc.right,rc.bottom,dwThreadId,szCaption); } else { szLog.Format(szFormat,msg->hwnd,msg->message,msg->wParam,msg->wParam,msg->pt.x,msg->pt.y,msg->time,-1,-1,dwThreadId,szCaption); } time=CTime::GetCurrentTime(); szFileName=time.Format("%Y%m%d%H"); szFileName.Insert(0,"C:\\DM"); szFileName+=".log"; dwFlag=CFile::modeReadWrite|CFile::shareDenyRead; if (!PathFileExists(szFileName)) { dwFlag|=CFile::modeCreate; } CFile fileLog(szFileName,dwFlag); fileLog.SeekToEnd(); fileLog.Write(szLog,szLog.GetLength()); fileLog.Flush(); fileLog.Close(); //重新HOOK以便写日志 VirtualProtectEx(hRemoteProcess32,fpApiAddrW,5,PAGE_READWRITE,&dwProtect); WriteProcessMemory(hRemoteProcess32,fpApiAddrW,btNewCodeW, 5, 0); VirtualProtectEx(hRemoteProcess32,fpApiAddrW,5,dwProtect,&dwProtect); return lr;}BOOL CMfcHookApiApp::InitInstance() { // TODO: Add your specialized code here and/or call the base class SetHookDispatchMessage(GetModuleHandle(NULL)); //SetHookMessageBox(GetModuleHandle(NULL)); CString szFormat=""; CString szLog=""; CTime time; CString szFileName=""; DWORD dwFlag=0; szFormat="%-16s%-16s%-16s%-16s%-16s%-16s%-16s%-16s%-16s%-16s%-128s\r\n"; szLog.Format(szFormat,"hwnd","message","wparam","lparam","mouse.x","mouse.y","message.time","client.width","client.height","thread id","window.caption"); time=CTime::GetCurrentTime(); szFileName=time.Format("%Y%m%d%H"); szFileName.Insert(0,"C:\\DM"); szFileName+=".log"; dwFlag=CFile::modeReadWrite|CFile::shareDenyRead; if (!PathFileExists(szFileName)) { dwFlag|=CFile::modeCreate; } CFile fileLog(szFileName,dwFlag); fileLog.SeekToEnd(); fileLog.Write(szLog,szLog.GetLength()); fileLog.Flush(); fileLog.Close(); return CWinApp::InitInstance();} |
5、新建一个测试程序:WIN32项目,取名为:DoWin32Test,代码如下:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
|
// DoWin32Test.cpp : Defines the entry point for the application.//#include "stdafx.h"#include "resource.h"#define MAX_LOADSTRING 100// Global Variables:HINSTANCE hInst; // current instanceTCHAR szTitle[MAX_LOADSTRING]; // The title bar textTCHAR szWindowClass[MAX_LOADSTRING]; // The title bar text// Foward declarations of functions included in this code module:ATOM MyRegisterClass(HINSTANCE hInstance);BOOL InitInstance(HINSTANCE, int);LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);LRESULT CALLBACK About(HWND, UINT, WPARAM, LPARAM);int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow){ // TODO: Place code here. MSG msg; HACCEL hAccelTable; // Initialize global strings LoadString(hInstance, IDS_APP_TITLE, szTitle, MAX_LOADSTRING); LoadString(hInstance, IDC_DOWIN32TEST, szWindowClass, MAX_LOADSTRING); MyRegisterClass(hInstance); // Perform application initialization: if (!InitInstance (hInstance, nCmdShow)) { return FALSE; } hAccelTable = LoadAccelerators(hInstance, (LPCTSTR)IDC_DOWIN32TEST); // Main message loop: while (GetMessage(&msg, NULL, 0, 0)) { if (!TranslateAccelerator(msg.hwnd, hAccelTable, &msg)) { TranslateMessage(&msg); DispatchMessage(&msg); } } return msg.wParam;}//// FUNCTION: MyRegisterClass()//// PURPOSE: Registers the window class.//// COMMENTS://// This function and its usage is only necessary if you want this code// to be compatible with Win32 systems prior to the 'RegisterClassEx'// function that was added to Windows 95. It is important to call this function// so that the application will get 'well formed' small icons associated// with it.//ATOM MyRegisterClass(HINSTANCE hInstance){ WNDCLASSEX wcex; wcex.cbSize = sizeof(WNDCLASSEX); wcex.style = CS_HREDRAW | CS_VREDRAW; wcex.lpfnWndProc = (WNDPROC)WndProc; wcex.cbClsExtra = 0; wcex.cbWndExtra = 0; wcex.hInstance = hInstance; wcex.hIcon = LoadIcon(hInstance, (LPCTSTR)IDI_DOWIN32TEST); wcex.hCursor = LoadCursor(NULL, IDC_ARROW); wcex.hbrBackground = (HBRUSH)(COLOR_WINDOW+1); wcex.lpszMenuName = (LPCSTR)IDC_DOWIN32TEST; wcex.lpszClassName = szWindowClass; wcex.hIconSm = LoadIcon(wcex.hInstance, (LPCTSTR)IDI_SMALL); return RegisterClassEx(&wcex);}//// FUNCTION: InitInstance(HANDLE, int)//// PURPOSE: Saves instance handle and creates main window//// COMMENTS://// In this function, we save the instance handle in a global variable and// create and display the main program window.//BOOL InitInstance(HINSTANCE hInstance, int nCmdShow){ HWND hWnd; hInst = hInstance; // Store instance handle in our global variable hWnd = CreateWindow(szWindowClass, szTitle, WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, 0, CW_USEDEFAULT, 0, NULL, NULL, hInstance, NULL); if (!hWnd) { return FALSE; } ShowWindow(hWnd, nCmdShow); UpdateWindow(hWnd); return TRUE;}//// FUNCTION: WndProc(HWND, unsigned, WORD, LONG)//// PURPOSE: Processes messages for the main window.//// WM_COMMAND - process the application menu// WM_PAINT - Paint the main window// WM_DESTROY - post a quit message and return////LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam){ int wmId, wmEvent; PAINTSTRUCT ps; HDC hdc; TCHAR szHello[MAX_LOADSTRING]; LoadString(hInst, IDS_HELLO, szHello, MAX_LOADSTRING); switch (message) { case WM_COMMAND: wmId = LOWORD(wParam); wmEvent = HIWORD(wParam); // Parse the menu selections: switch (wmId) { case IDM_ABOUT: DialogBox(hInst, (LPCTSTR)IDD_ABOUTBOX, hWnd, (DLGPROC)About); break; case IDM_EXIT: DestroyWindow(hWnd); break; default: return DefWindowProc(hWnd, message, wParam, lParam); } break; case WM_PAINT: hdc = BeginPaint(hWnd, &ps); // TODO: Add any drawing code here... RECT rt; GetClientRect(hWnd, &rt); DrawText(hdc, szHello, strlen(szHello), &rt, DT_CENTER); EndPaint(hWnd, &ps); break; case WM_DESTROY: PostQuitMessage(0); break; default: return DefWindowProc(hWnd, message, wParam, lParam); } return 0;}// Mesage handler for about box.LRESULT CALLBACK About(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam){ switch (message) { case WM_INITDIALOG: return TRUE; case WM_COMMAND: if (LOWORD(wParam) == IDOK || LOWORD(wParam) == IDCANCEL) { EndDialog(hDlg, LOWORD(wParam)); return TRUE; } break; } return FALSE;} |
最后,记得修改所有项目的生成目录,令所有项目生成到一个目录。我设置的方法是直接在默认生成目录前加“..\”。祝你成功。