這段時間研究了一下注入技術,今天有空來寫一下心得,以免以後忘記.
用HOOK進行注入的思路主要如下:
1.首先,寫一個鉤子,放在DLL中,然後,導出設置鉤子的函數SetHook。
2.在我的應用程序中,通過FindWindow來找出要注入的目標進程的ThreadId;
3.在自己的程序中調用SetHook,傳入ThreadId;
4.在SetHook中設置目標進程的線程鉤子,設置完成之後,通過 PostThreadMessage來對注入的線程發一個WM_NULL消息,激活鉤子過程,在鉤子過程中創建一個窗口,用於接受我的應用程序發送給他的消息。這樣基本的模型就是這樣。
然後給部分代碼這裏。
首先是DLL中的代碼:
// InjectDLL.cpp : 定義 DLL 應用程序的入口點。
//
#include "stdafx.h"
#include "resource.h"
#define INJECT_API
#include "InjectDLL.h"
#include <fstream>
using namespace std;
////////////////////////////////////////
fstream fReport(TEXT("d:/TraceInfo.txt"), ios::out);
#pragma data_seg("Shared")
HHOOK g_hHook = NULL;
DWORD g_dwThreadID = 0;
HINSTANCE g_hInst = NULL;
DWORD g_dwCurrThreadID = 0;//當前線程ID
#pragma data_seg()
#pragma comment(linker,"/SECTION:Shared,rws")
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch(ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
g_hInst = hModule;
break;
default:
break;
}
return TRUE;
}
LRESULT CALLBACK GetMsgProc(int code ,WPARAM wParam,LPARAM lParam);
INT_PTR CALLBACK DialogProc(HWND hwndDlg,UINT uMsg,WPARAM wParam,LPARAM lParam);
/////////////////////////////////////////////////////////////////////////////
void SetHook(DWORD dwThreadID)
{
if(dwThreadID == 0)//卸載鉤子
{
if(g_hHook != NULL)
{
::UnhookWindowsHookEx(g_hHook);
fReport<<"Has UnhookWindow "<<endl;
fReport.close();
}
return ;
}
g_dwCurrThreadID = ::GetCurrentThreadId();//獲取調用線程ID
g_dwThreadID = dwThreadID;
g_hHook = ::SetWindowsHookExW(WH_GETMESSAGE,GetMsgProc,g_hInst,dwThreadID);
if(g_hHook != NULL)
{
::PostThreadMessageW(dwThreadID,WM_NULL,0,0);//觸發鉤子過程
}
else
{
if(g_hHook != NULL)
::UnhookWindowsHookEx(g_hHook);
}
}
//////////////////////////////////////////////////////////////////////////////////
LRESULT CALLBACK GetMsgProc(int code ,WPARAM wParam,LPARAM lParam)
{
static BOOL bIsFirstLoad = TRUE;
static unsigned long nCount = 0;
int x,y;
x = lParam & 0x0000FFFF;
y = lParam & 0xFFFF0000;
fReport<<"X-Cordinary:"<<x<<"/n/t"<<"Y-Cordinary:"<<y<<endl;
//fReport<<"Get Message nCount:"<<nCount++<<endl;
if(bIsFirstLoad)
{
bIsFirstLoad = FALSE;
HWND hDlg = NULL;
DWORD dwErr = 0 ;
hDlg = ::CreateDialog(g_hInst,MAKEINTRESOURCE(IDD_DLG_INJECT),NULL,DialogProc);
fReport<<"hDlg:"<<hDlg<<endl;
::PostThreadMessageW(g_dwCurrThreadID,WM_NULL,0,0);//告訴我們DLL已經創建好了對話框,準備接受消息了
}
return ::CallNextHookEx(g_hHook,code,wParam,lParam);
}
////////////////////////////////////////////////////////////////////////////////////////
INT_PTR CALLBACK DialogProc(HWND hwndDlg,UINT uMsg,WPARAM wParam,LPARAM lParam)
{
switch(uMsg)
{
case WM_APP:
fReport<<"WM_APP: I has Hooked iexplore/n"<<endl;
break;
case WM_CLOSE:
fReport<<"WM_CLOSE"<<endl;
::DestroyWindow(hwndDlg);
break;
default:
break;
}
return FALSE;
}
控制DLL行爲的應用程序主要代碼:
OnInitDialog中:
HWND hParent = NULL, hChild = NULL;
DWORD dwThreadId = 0, dwProcessId = 0;
hParent = ::FindWindow(TEXT("Progman"),NULL);
hChild = ::FindWindowEx(::FindWindowEx(hParent,NULL,NULL,NULL),NULL,NULL,NULL);
m_hDesktop = hChild;
dwThreadId = ::GetWindowThreadProcessId(hChild, &dwProcessId);
SetHook(dwThreadId);
MSG msg;
::GetMessageW(&msg,NULL,0,0);
::SetWindowTextW(::GetDlgItem(m_hWnd,IDC_STC_READY),TEXT("已經成功注入/n可以開始操作"));
m_bOK = TRUE;
void CTestInjectDLLDlg::OnBnClickedBtnSend()
{
// TODO: 在此添加控件通知處理程序代碼
if(m_bOK)
{
HWND hInject =::FindWindow(NULL,TEXT("INJECTDLG"));
::SendMessage(hInject,WM_APP,(WPARAM)m_hDesktop,0);
}
}
void CTestInjectDLLDlg::OnBnClickedBtnUnhook()
{
if(m_bOK)
{
HWND hInject = ::FindWindow(NULL,TEXT("INJECTDLG"));
::SendMessage(hInject,WM_CLOSE,0,0);
SetHook(0);
}
// TODO: 在此添加控件通知處理程序代碼
}
這樣運行,然後在
點擊對話框上的按鈕,發現D盤中TraceInfo.txt中出現了我想要的結果,注入成功O(∩_∩)O哈哈~