这并不是什么新技术,但还是写下来,方便新手入门。废话不多说了,毕竟……开始吧!
我是以WH_KEYBOARD钩子来注入的,但我代码中仅用了系统自带的计算器来做实现,读者若想注入其它程序,只需把代码中的szWndName换成你想要注入的窗口名,
因为只是测试,我只是简单地在用户点击注入按钮后,再按下键盘第一个按钮后,此时Dll便映射到目标进程地址空间中,在钩子回调函数中,我只是通过目标窗口句柄以
GetWindowLong保存下原窗口过程,然后将Dll中自己写的窗口过程替换原窗口过程,Dll中的窗口过程很简单,只是拦截WM_COMMAND消息,弹出对话框,这样用户在用鼠标按下数字按钮时,弹出对话框显示Inject ok 字样,其他不处理的消息直接交给原窗口过程处理,下面直接上代码:
注释我也不多写了,有问题直接找我好了. zhong_sf@sina.com
下面是Dll代码:
.386p
.model flat ,stdcall
option casemap:none
include windows.inc
include user32.inc
include kernel32.inc
includelib user32.lib
includelib kernel32.lib
; Per-process DLL state. NOTE(review): nothing here is marked as a shared
; section, so every process that loads this DLL gets its own copy of these
; variables; only the process that calls _InstallHook ever writes hWndMain.
.data?
hWndMain dword ?                ; window handle passed to _InstallHook
hHook dword ?                   ; HHOOK returned by SetWindowsHookEx (0 until installed)
lpOldWndProc dword ?            ; original window procedure saved by _HookProc
.data
hInstance dword ?               ; this DLL's module handle, saved in DllEntry
.const
szHook byte "Hook",0            ; text and caption of the key-down notification box
szHookOk byte "Inject OK",0     ; text and caption shown by _NewWndProc
.code
;-----------------------------------------------------------------------
; BOOL DllEntry(HINSTANCE _hInstance, DWORD _dwReason, LPVOID _dwReserved)
; DLL entry point. Records the module handle in hInstance on every call
; (_dwReason is not examined) and reports success.
; Out:   eax = TRUE
;-----------------------------------------------------------------------
DllEntry proc ,_hInstance ,_dwReason ,_dwReserved
mov eax ,_hInstance
mov hInstance ,eax                      ; hInstance = _hInstance
mov eax ,TRUE
ret
DllEntry endp
;-----------------------------------------------------------------------
; LRESULT _NewWndProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
; Replacement window procedure that _HookProc installs on hWndMain with
; SetWindowLong(GWLP_WNDPROC).
; WM_COMMAND / WM_CLOSE: shows a MessageBox and returns its result in eax;
;   the original procedure is NOT called for these, so the target window
;   cannot be closed normally while this procedure is installed.
; Any other message: forwarded to lpOldWndProc through CallWindowProc,
;   whose result is returned in eax.
; NOTE(review): MessageBox runs a nested message loop, so further messages
; for the target window re-enter this procedure while the box is open.
;-----------------------------------------------------------------------
_NewWndProc proc ,hWnd ,uMsg ,wParam ,lParam
mov eax ,uMsg
.IF eax == WM_COMMAND
invoke MessageBox ,hWndMain ,addr szHookOk ,addr szHookOk ,MB_OK
.ELSEIF eax == WM_CLOSE
invoke MessageBox ,hWndMain ,addr szHookOk ,addr szHookOk ,MB_OK
.ELSE
invoke CallWindowProc ,lpOldWndProc ,hWnd , uMsg , wParam ,lParam   ; pass through
.endif
ret
_NewWndProc endp
;-----------------------------------------------------------------------
; LRESULT _HookProc(int _dwCode, WPARAM wParam, LPARAM lParam)
; WH_KEYBOARD hook procedure installed by _InstallHook. Because the hook is
; installed with thread id NULL it runs inside whichever process receives
; the keystroke.
; On a key-down event (bit 31 of lParam clear): shows a MessageBox, saves
; the current window procedure of hWndMain into lpOldWndProc and installs
; _NewWndProc in its place.
; Out:   eax = result of the last call (SetWindowLong on the key-down path,
;        otherwise the shifted lParam). CallNextHookEx is never called, so
;        hooks later in the chain are not notified.
; NOTE(review): _dwCode is not examined; the hook contract expects the
; procedure to call CallNextHookEx when it is < 0.
; NOTE(review): this runs on every key-down. On the second key-down
; lpOldWndProc is overwritten with _NewWndProc itself, after which
; CallWindowProc in _NewWndProc calls _NewWndProc recursively — verify.
; NOTE(review): hWndMain is per-process data; in any process other than the
; one that called _InstallHook it is still zero here — confirm the target
; process actually sees a valid handle before relying on this.
;-----------------------------------------------------------------------
_HookProc proc , _dwCode ,wParam ,lParam
mov eax ,lParam
shr eax ,31                             ; eax = transition bit (0 = key down, 1 = key up)
.if !eax
invoke MessageBox ,hWndMain ,addr szHook ,addr szHook ,MB_OK
invoke GetWindowLong ,hWndMain ,GWLP_WNDPROC
mov lpOldWndProc ,eax                   ; remember the procedure being replaced
invoke SetWindowLong ,hWndMain ,GWLP_WNDPROC ,offset _NewWndProc
.endif
ret
_HookProc endp
;-----------------------------------------------------------------------
; HHOOK _InstallHook(HWND _hWnd)
; Stores _hWnd in hWndMain and installs a WH_KEYBOARD hook with _HookProc
; as its procedure, this DLL's hInstance, and thread id NULL (system-wide).
; Out:   eax = hook handle (also stored in hHook; 0 on failure)
;-----------------------------------------------------------------------
_InstallHook proc , _hWnd
mov eax ,_hWnd
mov hWndMain ,eax                       ; hWndMain = _hWnd
invoke SetWindowsHookEx ,WH_KEYBOARD ,offset _HookProc ,hInstance ,NULL
mov hHook ,eax                          ; keep the handle for _UninstallHook
ret
_InstallHook endp
;-----------------------------------------------------------------------
; void _UninstallHook(void)
; Removes the hook recorded in hHook, if one was installed. hHook itself is
; left unchanged afterwards.
; Out:   eax = UnhookWindowsHookEx result when a hook was removed, otherwise
;        unchanged
;-----------------------------------------------------------------------
_UninstallHook proc
cmp hHook ,0
je @F                                   ; nothing installed
invoke UnhookWindowsHookEx ,hHook
@@:
ret
_UninstallHook endp
end
再下来是注入的小程序:
.386p
.model flat ,stdcall
option casemap:none
;equ define
DLG_MAIN equ 101                        ; dialog resource id (defined in the .rc, not shown here)
IDC_EDIT equ 1000
IDC_INJECT equ 1001                     ; button that triggers FindWindow / _InstallHook
ICO_MAIN equ 1002
;include file
include windows.inc
include user32.inc
include kernel32.inc
include dll.inc                         ; presumably the prototypes of _InstallHook/_UninstallHook from the DLL above
includelib dll.lib
includelib user32.lib
includelib kernel32.lib
.data
hInstance dword ?                       ; this executable's module handle
hWndMain dword ?                        ; declared but never read or written in this file
.const
szInfo byte "Cannot find window!",0     ; shown when FindWindow returns NULL
szWndTitle byte "Dll Inject",0          ; caption of the error box
szWndName byte "计算器",0               ; window title searched for by FindWindow
.code
;-----------------------------------------------------------------------
; BOOL _DlgProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
; Dialog procedure for DLG_MAIN.
; WM_CLOSE:   removes the hook (_UninstallHook) and ends the dialog.
; WM_COMMAND: when the low word of wParam is IDC_INJECT, looks up the window
;             titled szWndName and calls _InstallHook with its handle, or
;             shows szInfo if it is not found. Other command ids fall
;             through and are reported as handled.
; Out:   eax = TRUE for WM_CLOSE / WM_COMMAND, FALSE for everything else
;-----------------------------------------------------------------------
_DlgProc proc ,hWnd ,uMsg ,wParam ,lParam
mov eax ,uMsg
.IF eax == WM_CLOSE
invoke _UninstallHook
invoke EndDialog ,hWnd ,TRUE
.ELSEIF eax == WM_COMMAND
mov eax ,wParam
.IF ax == IDC_INJECT                    ; low word of wParam = control id
invoke FindWindow ,NULL ,addr szWndName
.if eax
invoke _InstallHook ,eax                ; eax = target window handle
.else
invoke MessageBox ,hWnd ,addr szInfo ,addr szWndTitle ,MB_OK
.endif
.endif
.ELSE
mov eax ,FALSE                          ; not handled; dialog manager does default processing
ret
.ENDIF
mov eax ,TRUE
ret
_DlgProc endp
; Program entry: run the modal dialog, then exit with code 0.
start:
invoke GetModuleHandle ,NULL
mov hInstance ,eax
invoke DialogBoxParam ,hInstance ,DLG_MAIN ,NULL ,offset _DlgProc ,NULL
invoke ExitProcess ,NULL
end start
献丑了
下篇教程再见
88