环境:Windows7(其他同理)
开发环境:VC6
原理:全局钩子,消息回调中查找是否是目标进程,如果是目标进程则执行对应函数或者注入操作
使用函数:
HHOOK SetWindowsHookEx(
int idHook, // 指定钩子的类型
HOOKPROC lpfn, // 钩子函数的地址,如果使用的是远程钩子,钩子函数必须放在一个DLL中
HINSTANCE hMod, // 钩子函数所在DLL的实例句柄,如果是一个局部的钩子,该参数的值为NULL
DWORD dwThreadId // 指定要为哪个线程安装钩子,如果为0则被解释为系统范围内的钩子
);
钩子类型:
WH_CALLWNDPROC
WH_CALLWNDPROCRET
WH_CBT
WH_DEBUG
WH_FOREGROUNDIDLE
WH_GETMESSAGE
WH_JOURNALPLAYBACK
WH_JOURNALRECORD
WH_KEYBOARD
WH_KEYBOARD_LL
WH_MOUSE
WH_MOUSE_LL
WH_MSGFILTER
WH_SHELL
WH_SYSMSGFILTER
// 钩子函数
LRESULT CALLBACK HookProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    // Skeleton hook procedure: it does no work of its own and only hands the
    // notification on to the next hook in the chain. `hHook` is the handle
    // returned by SetWindowsHookEx and has to be defined elsewhere.
    const LRESULT next = ::CallNextHookEx(hHook, nCode, wParam, lParam);
    return next;
}
LRESULT CallNextHookEx(
HHOOK hhk, // SetWindowsHookEx 返回值
int nCode,
WPARAM wParam,
LPARAM lParam
);
实现:
HOOK相关DLL
// Hook.cpp
#include <windows.h>
#include <stdio.h>
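// Parenthesized so the macro stays correct inside larger expressions (e.g. HM_KEY + 1).
#define HM_KEY (WM_USER + 101)
// Exported function. The parameter list must match the definition further down
// in this file and the caller's header (two parameters); an extra HWND parameter
// here declares a different C++ overload that is never defined.
BOOL __declspec(dllexport) WINAPI SetKeyHook(BOOL bInstall, DWORD dwThreadId);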
//------------------------------------------
// 在def文件中需要写的
// EXPORTS
// SetKeyHook
// SECTIONS
// YCIShared Read Write Shared
//------------------------------------------
// Shared data segment: the .def file (see comment above) marks "YCIShared"
// Read Write Shared, so these variables are one copy shared by every process
// the hook DLL is mapped into. They must stay explicitly initialized — MSVC
// places uninitialized globals in .bss rather than in a named data_seg.
// NOTE(review): a shared writable segment has no access control; any process
// that has this DLL loaded can rewrite g_hHook / g_open — confirm that is acceptable.
#pragma data_seg("YCIShared")
HWND g_hWndCaller = NULL; // NOTE(review): never assigned or read anywhere in this file
HHOOK g_hHook = NULL;     // hook handle returned by SetWindowsHookEx; reset to NULL on unhook
BYTE g_open = 0;          // set to 1 once KeyHookProc has loaded the DLL; shared across all hooked processes
#pragma data_seg()
HMODULE WINAPI ModuleFromAddress(PVOID pv)
{
    // Find the module containing address pv by querying the memory region that
    // backs it and treating the region's allocation base as the module handle.
    // SetKeyHook uses this to obtain the DLL's own handle for SetWindowsHookEx
    // without having to record it in DllMain.
    MEMORY_BASIC_INFORMATION region;
    if (::VirtualQuery(pv, &region, sizeof(region)) == 0)
    {
        return NULL; // query failed: pv does not map to a known region
    }
    return static_cast<HMODULE>(region.AllocationBase);
}
// WH_KEYBOARD hook procedure. The hook is installed with dwThreadId 0 (see the
// caller at the bottom of this file), so the system maps this DLL into every
// process that receives keyboard input and runs this function inside each of
// them; the function uses that to test whether the current process is the target.
// nCode/wParam/lParam are the standard keyboard-hook arguments and are only
// forwarded to the next hook in the chain.
LRESULT WINAPI KeyHookProc(int nCode,WPARAM wParam,LPARAM lParam)
{
char szStr[MAX_PATH] = {0};
// Full path of the current process's main executable (module handle NULL).
GetModuleFileName((HMODULE)GetModuleHandle(NULL),szStr,MAX_PATH - 1);
// Case-sensitive substring match on the executable path; "XX.exe" is the
// placeholder target name. g_open lives in the shared data segment, so it is
// one flag across every hooked process, not per process.
// NOTE(review): the flag is read and written without synchronization, and
// nCode < 0 is not passed straight to CallNextHookEx before doing work — confirm intended.
if (NULL != strstr(szStr,"XX.exe") && g_open == 0)// Is the process this DLL was mapped into the one to inject?
{
g_open = 1;
// Hard-coded absolute path of the DLL to load into the target process.
LoadLibraryA("F:\\MessageBoxDll.dll");// DLL needed for the injection
}
return ::CallNextHookEx(g_hHook,nCode,wParam,lParam);
}
// 导出函数,HOOK的实现
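// Exported function: installs or removes the WH_KEYBOARD hook.
//   bInstall   TRUE installs the hook, FALSE removes it.
//   dwThreadId thread to hook; 0 hooks every thread on the desktop, which makes
//              the system load this DLL into every process that receives
//              keyboard input (hence the shared data segment above).
// Returns TRUE on success. The signature must match the forward declaration at
// the top of this file and the caller's header.
BOOL WINAPI SetKeyHook(BOOL bInstall, DWORD dwThreadId)
{
    if (bInstall)
    {
        // A second install would overwrite g_hHook and leak the first hook,
        // leaving it impossible to remove; treat "already installed" as success.
        if (g_hHook != NULL)
        {
            return TRUE;
        }
        g_hHook = ::SetWindowsHookEx(WH_KEYBOARD, KeyHookProc,
                                     ModuleFromAddress(KeyHookProc), dwThreadId);
        return g_hHook != NULL;
    }

    // Nothing to remove: report failure rather than handing a NULL handle to
    // UnhookWindowsHookEx.
    if (g_hHook == NULL)
    {
        return FALSE;
    }
    const BOOL bOk = ::UnhookWindowsHookEx(g_hHook);
    g_hHook = NULL; // cleared even on failure so a retry does not reuse a dead handle
    return bOk;
}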
// DLL入口函数,不做任何处理
// DLL entry point. No per-process or per-thread setup is needed, so every
// attach/detach notification is accepted as-is.
BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    (void)hModule;
    (void)ul_reason_for_call;
    (void)lpReserved;
    return TRUE;
}
调用动态链接库函数:
// 篇幅限制,这应该是单独的.h文件,写入DLL的导出函数
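// Kept in sync with Hook.cpp; parenthesized so the macro stays correct in larger expressions.
#define HM_KEY (WM_USER + 101)
// In the client the function is imported from HookDll.dll, so the declaration
// uses dllimport; dllexport belongs only in the DLL's own source.
BOOL __declspec(dllimport) WINAPI SetKeyHook(BOOL bInstall, DWORD dwThreadId);
#pragma comment(lib,"HookDll.lib")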
// 然后主动调用HOOK,实现全局HOOK
// Install the hook system-wide (dwThreadId 0). The BOOL result is ignored here;
// a FALSE return means SetWindowsHookEx failed and no hook was installed.
SetKeyHook(TRUE,0);
执行之后,在目标窗口中按下按键,目标进程即会被注入相应的动态链接库(DLL)
关键的代码就是上面这些。
完整例子下载