//DLL文件
//GHook.cpp
#define _WIN32_WINNT 0x0400
#include <windows.h>
#include "HookAPI.h"
#include <Tlhelp32.h>
typedef HANDLE (_stdcall *OPENPROCESS_PROC)(DWORD, BOOL, DWORD);
OPENPROCESS_PROC pOpenProcess = NULL;
HWND g_hWnd;
HHOOK g_hHook;
HINSTANCE g_hInst;
HHOOK g_hHook_Key;
_declspec(dllexport) LRESULT CALLBACK HookKeyDownProc(int nCode,WPARAM wParam,LPARAM lParam);
DWORD FindProcessId(const char* name);
_declspec(dllexport) LRESULT CALLBACK HookFunction(int code, WPARAM wParam, LPARAM lParam);
HANDLE _stdcall OpenProcess_Handler(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
{
HANDLE RetValue = NULL;
DWORD ProcessId;
ProcessId=FindProcessId("ProcessID.exe"); //ProcessID.exe为欲防杀的进程名
if (dwProcessId != ProcessId)
{ //此处代码,未严加推敲,但防止了任务管理器出错,原因待查。
UnhookWindowsHookEx(g_hHook);
RetValue = pOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
g_hHook=SetWindowsHookEx(WH_SYSMSGFILTER,HookFunction,g_hInst,0);
}
return RetValue;
}
//_declspec(dllexport) LRESULT CALLBACK HookFunction(int code, WPARAM wParam, LPARAM lParam)
{
if (pOpenProcess == NULL)
pOpenProcess = (OPENPROCESS_PROC)HookAPIFunction(GetModuleHandle(NULL), "KERNEL32.DLL", "OpenProcess", (PROC)OpenProcess_Handler);
return CallNextHookEx(g_hHook,code,wParam,lParam);
// return FALSE;
}
BOOL WINAPI DllMain(/*HANDLE*/HINSTANCE hInst, DWORD dwReason, LPVOID lpReserved)
{
/* switch (dwReason)
{
case DLL_PROCESS_ATTACH:
DisableThreadLibraryCalls(hInst);
break;
}*/
g_hInst=hInst;
return true;
}
//砞竚秈祘ň炳筥
extern "C" _declspec(dllexport) void _stdcall SetHook(HWND temphWnd)
{
g_hWnd=temphWnd;
g_hHook=SetWindowsHookEx(WH_SYSMSGFILTER,HookFunction,g_hInst,0);
}
//闽超秈祘ň炳筥
extern "C" _declspec(dllexport) void _stdcall UnHook()
{
UnhookWindowsHookEx(g_hHook);
}
//砞竚龄絃龄筥
extern "C" _declspec(dllexport) void _stdcall SetHook_Key()
{
g_hHook_Key=SetWindowsHookEx(WH_KEYBOARD_LL,HookKeyDownProc,g_hInst,0);
}
//
extern "C" _declspec(dllexport) void _stdcall UnHook_Key()
{
UnhookWindowsHookEx(g_hHook_Key);
}
//
_declspec(dllexport) LRESULT CALLBACK HookKeyDownProc(int nCode,WPARAM wParam,LPARAM lParam)
{
/* if(VK_F4==wParam && (1==(lParam>>29 & 1)))
return 1;
if(VK_TAB==wParam && (1==(lParam>>29 & 1)))
return 1;
if(VK_LWIN==wParam || VK_RWIN == wParam)
return 1;
if(VK_RETURN==wParam)
return 1;
return CallNextHookEx(g_hHook_Key,nCode,wParam,lParam);*/
BOOL fEatKeystroke = FALSE;
PKBDLLHOOKSTRUCT p = NULL;
if (nCode == HC_ACTION)
{
p = (PKBDLLHOOKSTRUCT) lParam;
switch (wParam)
{
case WM_KEYDOWN:
// Backdoor to user information
if (p->vkCode == VK_F8)
{
::MessageBox(NULL,"Apple Net Coffee Management System/n","Apple",MB_OK);
break;
}
case WM_SYSKEYDOWN:
case WM_KEYUP:
case WM_SYSKEYUP:
fEatKeystroke =
(p->vkCode == VK_LWIN) || (p->vkCode == VK_RWIN) || // 姜Win
// 姜Alt+Tab
((p->vkCode == VK_TAB) && ((p->flags & LLKHF_ALTDOWN) != 0)) ||
//ALT+f4
// ((p->vkCode == VK_F4) && ((p->flags & LLKHF_ALTDOWN) != 0))||
// 姜Alt+Esc
((p->vkCode == VK_ESCAPE) && ((p->flags & LLKHF_ALTDOWN) != 0)) ||
// 姜Ctrl+Esc
((p->vkCode == VK_ESCAPE) && ((GetKeyState(VK_CONTROL) & 0x8000) != 0));
break;
default:
break;
}
}
return (fEatKeystroke ? TRUE : CallNextHookEx(g_hHook_Key,nCode,wParam,lParam));
}
DWORD FindProcessId(const TCHAR *name) //琩т秈祘
{
DWORD dwID = 0;
HANDLE m_handle = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0);
PROCESSENTRY32* Info = new PROCESSENTRY32;
Info->dwSize = sizeof(PROCESSENTRY32);
BOOL bFind = Process32First(m_handle, Info);
while (bFind)
{
if(stricmp(Info->szExeFile,name)==0)
{
dwID = Info->th32ProcessID;
bFind = FALSE;
break;
}
bFind = Process32Next(m_handle, Info);
}
delete Info;
Info = NULL;
CloseHandle(m_handle);
return dwID;
}
//Hookapi.cpp
// -----------------------------
// HOOKAPI - Matt Pietrek 1995
// -----------------------------
#include <windows.h>
#include "HookAPI.h"
// Macro for adding pointers/DWORDs together without C arithmetic interfering
#define MakePtr(cast, ptr, addValue) (cast)((DWORD)(ptr)+(DWORD)(addValue))
PROC HookAPIFunction(HMODULE hFromModule,
PSTR pszFunctionModule,
PSTR pszFunctionName,
PROC pfnNewProc)
{
PROC pfnOriginalProc;
PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_NT_HEADERS pNTHeader;
PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
PIMAGE_THUNK_DATA pThunk;
DWORD dwProtectionFlags;
DWORD dwScratch;
// Verify that a valid pfn was passed
if (IsBadCodePtr(pfnNewProc)) return 0;
// First, verify the the module and function names passed to use are valid
pfnOriginalProc = GetProcAddress(GetModuleHandle(pszFunctionModule), pszFunctionName);
if (!pfnOriginalProc) return 0;
pDosHeader = (PIMAGE_DOS_HEADER)hFromModule;
// Tests to make sure we're looking at a module image (the 'MZ' header)
if (IsBadReadPtr(pDosHeader, sizeof(IMAGE_DOS_HEADER))) return 0;
if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) return 0;
// The MZ header has a pointer to the PE header
pNTHeader = MakePtr(PIMAGE_NT_HEADERS, pDosHeader, pDosHeader->e_lfanew);
// More tests to make sure we're looking at a "PE" image
if (IsBadReadPtr(pNTHeader, sizeof(IMAGE_NT_HEADERS))) return 0;
if (pNTHeader->Signature != IMAGE_NT_SIGNATURE) return 0;
// We know have a valid pointer to the module's PE header.
// Now go get a pointer to its imports section
pImportDesc = MakePtr(PIMAGE_IMPORT_DESCRIPTOR, pDosHeader,
pNTHeader->OptionalHeader.
DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].
VirtualAddress);
// Bail out if the RVA of the imports section is 0 (it doesn't exist)
if (pImportDesc == (PIMAGE_IMPORT_DESCRIPTOR)pNTHeader) return 0;
// Iterate through the array of imported module descriptors, looking
// for the module whose name matches the pszFunctionModule parameter
while (pImportDesc->Name)
{
PSTR pszModName = MakePtr(PSTR, pDosHeader, pImportDesc->Name);
if (stricmp(pszModName, pszFunctionModule) == 0) break;
// Advance to next imported module descriptor
pImportDesc++;
}
// Bail out if we didn't find the import module descriptor for the
// specified module. pImportDesc->Name will be non-zero if we found it.
if (pImportDesc->Name == 0) return 0;
// Get a pointer to the found module's import address table (IAT)
pThunk = MakePtr(PIMAGE_THUNK_DATA, pDosHeader, pImportDesc->FirstThunk);
// Blast through the table of import addresses, looking for the one
// that matches the address we got back from GetProcAddress above.
while (pThunk->u1.Function)
{
if (pThunk->u1.Function == (PDWORD)pfnOriginalProc)
{
dwProtectionFlags = PAGE_READWRITE;
VirtualProtect(&pThunk->u1.Function, 4096, dwProtectionFlags, &dwScratch);
// We found it! Overwrite the original address with the
// address of the interception function. Return the original
// address to the caller so that they can chain on to it.
pThunk->u1.Function = (PDWORD)pfnNewProc;
return pfnOriginalProc;
}
// Advance to next imported function address
pThunk++;
}
// Function not found
return 0;
}
//Hookapi.h
#ifndef HOOKAPI_H
#define HOOKAPI_H
PROC HookAPIFunction(HMODULE hFromModule,
PSTR pszFunctionModule,
PSTR pszFunctionName,
PROC pfnNewProc);
#endif