有关DLL的远程注入之后如何拦截被注入程序的按键消息
发布时间:2022-05-20 10:15
时间:2023-10-16 02:37
用Detours吧,这个比较简单。给你写个例子:下面的代码Hook了删除文件的API DeleteFileW(DeleteFile的Unicode版本)。
#include "stdafx.h"
#include <io.h>
#include <stdio.h>
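#include "detours.h"

// Shared data section: the linker directive below marks "MySec" as
// Read/Write/Shared, so every process that maps this DLL sees (and can
// overwrite) the same g_hMain. Treat the value as untrusted for that reason.
#pragma data_seg("MySec")
HWND g_hMain = NULL;            // main window handle
#pragma data_seg()
#pragma comment(linker, "/section:MySec,RWS")
#pragma comment(lib, "detours.lib")

HHOOK g_MessageHook = NULL;     // message hook handle; NOT in the shared section,
                                // so it is only non-NULL in the process that
                                // called SetAPIHook()
HINSTANCE hInst = NULL;         // module handle of this DLL
HWND g_hWnd = NULL;             // target window handle (not referenced in the code shown)

void Intercept();
void UnIntercept();

// Trampoline through which the original DeleteFileW stays callable once the
// detour is in place.
DETOUR_TRAMPOLINE(BOOL WINAPI Real_DeleteFileW(LPCWSTR lpFileName), DeleteFileW);

// 0 until Intercept() has run in this process. The hook procedure is invoked
// for every retrieved message, possibly on several threads, so the detour
// must be installed exactly once.
static volatile LONG g_InterceptInstalled = 0;

/*
 * WH_GETMESSAGE hook procedure.
 *
 * code   - hook code; when it is negative the call must be forwarded
 *          without any processing.
 * wParam - not used by this procedure.
 * lParam - message data; not inspected by this procedure.
 *
 * The first qualifying call installs the DeleteFileW detour in the current
 * process; every call is then forwarded down the hook chain.
 */
LRESULT CALLBACK MessageProc(int code, WPARAM wParam, LPARAM lParam)
{
    // Previously Intercept() ran on every message, re-applying the detour
    // over and over. The interlocked flag makes the install happen once.
    if (code >= 0 && InterlockedCompareExchange(&g_InterceptInstalled, 1, 0) == 0)
    {
        Intercept();
    }
    return CallNextHookEx(g_MessageHook, code, wParam, lParam);
}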
/*
 * Installs MessageProc as a WH_GETMESSAGE hook and stores the handle in
 * g_MessageHook.
 *
 * The thread id argument is 0 and the procedure lives in this DLL (hInst),
 * which requests a hook that is not limited to one thread: the system maps
 * the DLL into other processes that retrieve messages. That wide footprint
 * is why this loading path is commonly monitored by endpoint security tools.
 *
 * Returns nonzero when the hook handle was obtained, zero otherwise.
 */
BOOL SetAPIHook()
{
    g_MessageHook = SetWindowsHookEx(WH_GETMESSAGE, (HOOKPROC)MessageProc, hInst, 0);
    return g_MessageHook != NULL;
}

/*
 * Removes the message hook installed by SetAPIHook(), if there is one, and
 * clears the stored handle so that a second call does nothing.
 */
void UnAPIHook()
{
    if (g_MessageHook == NULL)
    {
        return;
    }
    UnhookWindowsHookEx(g_MessageHook);
    g_MessageHook = NULL;
}
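/*
 * DLL entry point.
 *
 * hinstDLL    - handle to the DLL module
 * fdwReason   - reason for calling the function
 * lpvReserved - reserved (unused here)
 *
 * On process attach: records the module handle, looks for a top-level window
 * titled "myexe" and, when it exists, installs the message hook.
 * On process detach: removes the message hook this process installed (if
 * any) and then removes the DeleteFileW detour.
 *
 * NOTE(review): this runs under the loader lock. Calling window-manager
 * functions (FindWindowEx, SetWindowsHookEx, UnhookWindowsHookEx) from
 * DllMain goes against the usual DllMain guidance; moving the work into
 * exported init/cleanup functions would be safer.
 * NOTE(review): because the hook maps this DLL into other processes, the
 * attach branch runs in each of them too and installs a further hook
 * whenever the "myexe" window exists. Confirm that this is intended.
 *
 * Always returns TRUE, so a failed hook installation does not fail the load.
 */
BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,
    DWORD fdwReason,
    LPVOID lpvReserved
)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        hInst = hinstDLL;
        g_hMain = FindWindowEx(NULL, NULL, NULL, "myexe");
        if (g_hMain != NULL)
        {
            SetAPIHook();   // best effort: the result is deliberately not checked
        }
        break;

    case DLL_PROCESS_DETACH:
        // The hook set on attach was never released, leaving a hook whose
        // procedure lives in a module that is being unloaded. Release it
        // first so that no further MessageProc call can race the removal
        // of the detour below.
        UnAPIHook();
        UnIntercept();
        break;
    }
    return TRUE;
}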
/*
 * Replacement that runs in place of DeleteFileW once the detour is active.
 *
 * lpFileName - path supplied by whoever called DeleteFileW. It is
 *              caller-controlled, so validate it before logging it or
 *              acting on it in any code added here.
 *
 * Returns whatever the original DeleteFileW returns; the call is forwarded
 * unchanged through the Real_DeleteFileW trampoline.
 */
BOOL WINAPI Replace_DeleteFileW(LPCWSTR lpFileName)
{
    // Insert your own handling here, before the call is forwarded.
    return Real_DeleteFileW(lpFileName);
}

/*
 * Asks Detours to route DeleteFileW to Replace_DeleteFileW, keeping the
 * original reachable through the Real_DeleteFileW trampoline.
 * The result of the Detours call is not checked.
 */
void Intercept()
{
    PBYTE trampoline = (PBYTE)Real_DeleteFileW;
    PBYTE replacement = (PBYTE)Replace_DeleteFileW;

    DetourFunctionWithTrampoline(trampoline, replacement);
}
/*
 * Asks Detours to undo the DeleteFileW redirection set up by Intercept().
 * The result of the Detours call is not checked.
 */
void UnIntercept()
{
    PBYTE trampoline = (PBYTE)Real_DeleteFileW;
    PBYTE replacement = (PBYTE)Replace_DeleteFileW;

    DetourRemove(trampoline, replacement);
}