--------------------------------
dll.cpp
#include "stdafx.h"
#include "stdio.h"
HINSTANCE g_hInst; // module handle of this DLL; set in DllMain and handed to SetWindowsHookEx
// Named data segment intended to be shared by every process that maps this DLL.
// NOTE(review): MSVC only shares such a section when the linker is also told so
// (a /SECTION:shared,RWS directive); nothing on this page shows that, and
// without it each process gets a private copy of gamehook.
#pragma data_seg ("shared")
static HHOOK gamehook=NULL; // hook handle from SetWindowsHookEx, passed to CallNextHookEx in KeyboardProc
#pragma data_seg ()
// NOT in the shared segment: every process hosting the hook has its own copy,
// reset in DllMain and toggled by the key combination tested in KeyboardProc.
bool active;
// Forward declaration; the first parameter is called iCode here and nCode at the definition.
LRESULT CALLBACK KeyboardProc(int iCode,WPARAM wParam,LPARAM lParam);
/// DLL entry point. On process attach it installs a WH_KEYBOARD hook with
/// dwThreadId 0, i.e. a system-wide hook whose procedure lives in this DLL,
/// so the loader maps this DLL into every process on the desktop that
/// receives keyboard input.
/// @param hModule            handle of this module (declared HANDLE, converted to HINSTANCE below)
/// @param ul_reason_for_call DLL_PROCESS_ATTACH / DLL_PROCESS_DETACH / DLL_THREAD_ATTACH / DLL_THREAD_DETACH
/// @param lpReserved         unused
/// @return TRUE unconditionally, even when SetWindowsHookEx fails
/// NOTE(review): SetWindowsHookEx and MessageBox are called while the loader
/// lock is held; Win32 documents only a narrow set of calls as safe in DllMain.
/// NOTE(review): the hook is never removed (no UnhookWindowsHookEx on
/// DLL_PROCESS_DETACH).
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
// Runs for every reason code, so each thread attach/detach in the host
// process also resets the per-process toggle.
active=false;
switch(ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
// MessageBox(NULL,"inject dll","successful",MB_OK);
g_hInst = HINSTANCE(hModule);
// dwThreadId 0: global hook. The handle is stored in the "shared" data
// segment, presumably so the copies of this DLL in other processes can
// pass it to CallNextHookEx.
gamehook=SetWindowsHookEx(WH_KEYBOARD,KeyboardProc,g_hInst,0);
if(gamehook==NULL)
{
// Failure is only reported; the function still returns TRUE below.
MessageBox(NULL,"Hook faile","faile",MB_OK);
}
break;
case DLL_PROCESS_DETACH:
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
}
// Always report success to the loader, whether or not the hook was installed.
return TRUE;
}
/// WH_KEYBOARD hook procedure. Runs on the thread that receives the key
/// message, inside every process the hook DLL was mapped into.
/// @param nCode  hook code; the WH_KEYBOARD contract says a negative value
///               must be passed straight to CallNextHookEx without further
///               processing, which this procedure does not check
/// @param wParam virtual-key code
/// @param lParam keystroke flags (repeat count, scan code, transition state)
/// @return whatever CallNextHookEx returns
LRESULT CALLBACK KeyboardProc(
int nCode, // hook code
WPARAM wParam, // virtual-key code
LPARAM lParam // keystroke-message information
)
{
int c;
c=wParam; // narrowing WPARAM -> int; only the low byte is compared below
// Shown on EVERY key event before any filtering, so the hooked thread's
// message loop blocks until the box is dismissed.
MessageBox(NULL,"press","OK",MB_OK);
// Bit 31 of lParam is the transition state: 1 means the key is being
// released, so this branch runs on key-up (the original comment said key-down).
if(lParam&0x80000000)
{
bool ctrl;
bool alt;
// GetKeyState returns a SHORT whose high bit (0x8000) is set while the key
// is down; the cast to int sign-extends it, which is why 0x80000000 tests it.
ctrl= (0x80000000 &(int) GetKeyState(VK_CONTROL )) ==0x80000000;
alt =(0x80000000 & (int)GetKeyState(VK_MENU )) ==0x80000000; // computed but unused in the test below
bool shift ;
// Only the LEFT shift key is tested (VK_LSHIFT), not VK_SHIFT.
shift=((int)GetKeyState(VK_LSHIFT) & 0x80000000)==0x80000000;
bool cpress;
// Letter virtual-key codes are the upper-case ASCII values, so the 'w'
// comparison never matches; the combination actually tested is ctrl+shift+W.
cpress= (char)c =='W' ||(char)c =='w' ;
if (ctrl && shift && cpress)
{
// Per-process toggle; nothing else on this page reads it.
active=!active;
/* if(active ) printf("%s /n","active");
else printf("%s /n"," not active");
*/
// Message text says "c+a" although the tested combination is ctrl+shift+W.
MessageBox(NULL,"c+a press","sucessful",MB_OK);
}
}
return CallNextHookEx(gamehook,nCode,wParam,lParam);
}
------------------------------------------
main.cpp
#include "windows.h"
#include <string>
#include <tlhelp32.h>
#include <iostream>
#include "stdio.h"
#define GAMENAME "hook.exe" // executable name the injector polls for with Findprocess
using namespace std; // file-scope using-directive: tolerable in a .cpp, never in a header
DWORD Findprocess(string processname); // defined below; returns the PID, or 0 when nothing matches
/// Tries to enable one named privilege (main passes SE_DEBUG_NAME) in the
/// current process token.
/// @param name privilege name as understood by LookupPrivilegeValue
/// @return always 0; none of the three Win32 calls below is checked
/// NOTE(review): AdjustTokenPrivileges returns TRUE even when the token does
/// not hold the privilege (GetLastError() == ERROR_NOT_ALL_ASSIGNED), so the
/// caller cannot tell whether it was actually enabled. By default only
/// administrators hold SeDebugPrivilege, so in a standard-user process this
/// is effectively a no-op.
int EnableDebugPriv(const char * name)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;
// Open the current process token for privilege adjustment (result unchecked;
// hToken is uninitialised if this fails).
OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,
&hToken);
// Resolve the privilege name to its locally unique ID (result unchecked).
LookupPrivilegeValue(NULL,name,&luid) ;
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid = luid;
// Apply the change. NOTE(review): hToken is never closed (handle leak).
AdjustTokenPrivileges(hToken,0,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL);
return 0;
}
/// Injector entry point: waits until a process named GAMENAME exists, then
/// makes that process load dll.dll by running LoadLibraryA on a thread
/// created inside it, and finally pumps messages so this process stays alive.
/// NOTE(review): the OpenProcess + VirtualAllocEx + WriteProcessMemory +
/// CreateRemoteThread(LoadLibraryA) sequence is the textbook remote-thread
/// injection pattern; endpoint telemetry records it (for example Sysmon
/// event 8, CreateRemoteThread) and defenders treat it as a high-confidence
/// signal regardless of the DLL's purpose.
/// @return 0 when the message loop ends; FALSE (also 0) if CreateRemoteThread fails
int main()
{
// String literal bound to a non-const char* (deprecated conversion). The
// path is hard-coded, so the DLL must exist at exactly this location.
char *DllFullPath="E://test//myself//dll.dll";
// Loads the DLL into the injector itself: its DllMain installs the global
// keyboard hook from this process before any remote injection happens.
LoadLibrary(DllFullPath);
MSG msg;
DWORD pid=-1; // DWORD is unsigned, so -1 wraps to 0xFFFFFFFF; overwritten before use
// Poll every 500 ms until Findprocess returns a non-zero PID.
while(1)
{
if( 0< (pid=Findprocess(GAMENAME)))
{
break;
}
Sleep(500);
cout<<"Not Found "<<GAMENAME<<endl;
}
Sleep(1000);
// Return value ignored; see EnableDebugPriv - the privilege may not be enabled.
EnableDebugPriv(SE_DEBUG_NAME) ;
HANDLE hRemoteProcess;
// Open the target with the rights needed below. NOTE(review): a NULL handle
// (access denied, process already gone) is not checked and flows into every
// call that follows.
hRemoteProcess = OpenProcess( PROCESS_CREATE_THREAD | // allow creating a thread in the target
PROCESS_VM_OPERATION | // allow VM operations in the target
PROCESS_VM_WRITE,// allow writing the target's memory
FALSE, pid );
char *pszLibFileRemote;
// Reserve room for the DLL path inside the target's address space (result unchecked).
pszLibFileRemote = (char *) VirtualAllocEx( hRemoteProcess, NULL, lstrlenA(DllFullPath)+1,
MEM_COMMIT, PAGE_READWRITE);
// Copy the path, including its terminator, into the target (result unchecked).
WriteProcessMemory(hRemoteProcess,
pszLibFileRemote, (void *) DllFullPath, lstrlenA(DllFullPath)+1, NULL);
// Resolve LoadLibraryA in THIS process and reuse the address as the remote
// thread's start routine - this relies on kernel32 being mapped at the same
// address in the target. NOTE(review): a NULL result is not checked.
PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
// Start a thread in the target that runs LoadLibraryA(pszLibFileRemote).
HANDLE hRemoteThread;
if( (hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0, pfnStartAddr, pszLibFileRemote, 0, NULL) ) == NULL)
{
MessageBox(NULL,("CreateRemoteThread error!"),"",MB_OK);
// Error path: hRemoteProcess is not closed and the remote buffer is not freed.
return FALSE;
}
// Wait for the remote LoadLibraryA call to finish before releasing the path buffer.
WaitForSingleObject(hRemoteThread, INFINITE);
// NOTE(review): with MEM_RELEASE the documented dwSize must be 0; passing a
// non-zero size makes the call fail, so the buffer is never actually released.
VirtualFreeEx(hRemoteProcess, pszLibFileRemote , lstrlenA(DllFullPath)+1, MEM_RELEASE);
CloseHandle(hRemoteThread);
CloseHandle(hRemoteProcess);
// Message pump: keeps this process (and the hook it installed) alive until WM_QUIT.
while(GetMessage(&msg, 0, 0, 0))
{
TranslateMessage(&msg);
DispatchMessage(&msg);
}
return 0;
}
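/// Looks up a running process by executable file name.
/// @param processname executable name as reported in PROCESSENTRY32::szExeFile
///                    (e.g. "hook.exe"); compared case-insensitively because
///                    Windows file names are case-insensitive
/// @return process ID of the first match, or 0 when no process matches or the
///         snapshot could not be taken (0 is also the System Idle Process's
///         PID, so callers such as main treat 0 as "not found")
DWORD Findprocess(string processname)
{
    // Only the process list is needed; TH32CS_SNAPALL would additionally
    // snapshot this process's heaps and modules.
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
    {
        return 0;
    }
    DWORD pid = 0;
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(PROCESSENTRY32); // must be set before Process32First
    if (Process32First(snapshot, &entry))
    {
        do
        {
            // Case-insensitive ANSI compare; no std::string temporary per entry.
            if (lstrcmpiA(entry.szExeFile, processname.c_str()) == 0)
            {
                pid = entry.th32ProcessID;
                break; // single exit below so the snapshot handle is always closed
            }
        } while (Process32Next(snapshot, &entry));
    }
    // The original returned from inside the loop and leaked the snapshot handle
    // on the found path.
    CloseHandle(snapshot);
    return pid;
}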
dll.cpp
#include "stdafx.h"
#include "stdio.h"
HINSTANCE g_hInst; // module handle of this DLL; set in DllMain and handed to SetWindowsHookEx
// Named data segment intended to be shared by every process that maps this DLL.
// NOTE(review): MSVC only shares such a section when the linker is also told so
// (a /SECTION:shared,RWS directive); nothing on this page shows that, and
// without it each process gets a private copy of gamehook.
#pragma data_seg ("shared")
static HHOOK gamehook=NULL; // hook handle from SetWindowsHookEx, passed to CallNextHookEx in KeyboardProc
#pragma data_seg ()
// NOT in the shared segment: every process hosting the hook has its own copy,
// reset in DllMain and toggled by the key combination tested in KeyboardProc.
bool active;
// Forward declaration; the first parameter is called iCode here and nCode at the definition.
LRESULT CALLBACK KeyboardProc(int iCode,WPARAM wParam,LPARAM lParam);
/// DLL entry point. On process attach it installs a WH_KEYBOARD hook with
/// dwThreadId 0, i.e. a system-wide hook whose procedure lives in this DLL,
/// so the loader maps this DLL into every process on the desktop that
/// receives keyboard input.
/// @param hModule            handle of this module (declared HANDLE, converted to HINSTANCE below)
/// @param ul_reason_for_call DLL_PROCESS_ATTACH / DLL_PROCESS_DETACH / DLL_THREAD_ATTACH / DLL_THREAD_DETACH
/// @param lpReserved         unused
/// @return TRUE unconditionally, even when SetWindowsHookEx fails
/// NOTE(review): SetWindowsHookEx and MessageBox are called while the loader
/// lock is held; Win32 documents only a narrow set of calls as safe in DllMain.
/// NOTE(review): the hook is never removed (no UnhookWindowsHookEx on
/// DLL_PROCESS_DETACH).
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
// Runs for every reason code, so each thread attach/detach in the host
// process also resets the per-process toggle.
active=false;
switch(ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
// MessageBox(NULL,"inject dll","successful",MB_OK);
g_hInst = HINSTANCE(hModule);
// dwThreadId 0: global hook. The handle is stored in the "shared" data
// segment, presumably so the copies of this DLL in other processes can
// pass it to CallNextHookEx.
gamehook=SetWindowsHookEx(WH_KEYBOARD,KeyboardProc,g_hInst,0);
if(gamehook==NULL)
{
// Failure is only reported; the function still returns TRUE below.
MessageBox(NULL,"Hook faile","faile",MB_OK);
}
break;
case DLL_PROCESS_DETACH:
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
}
// Always report success to the loader, whether or not the hook was installed.
return TRUE;
}
/// WH_KEYBOARD hook procedure. Runs on the thread that receives the key
/// message, inside every process the hook DLL was mapped into.
/// @param nCode  hook code; the WH_KEYBOARD contract says a negative value
///               must be passed straight to CallNextHookEx without further
///               processing, which this procedure does not check
/// @param wParam virtual-key code
/// @param lParam keystroke flags (repeat count, scan code, transition state)
/// @return whatever CallNextHookEx returns
LRESULT CALLBACK KeyboardProc(
int nCode, // hook code
WPARAM wParam, // virtual-key code
LPARAM lParam // keystroke-message information
)
{
int c;
c=wParam; // narrowing WPARAM -> int; only the low byte is compared below
// Shown on EVERY key event before any filtering, so the hooked thread's
// message loop blocks until the box is dismissed.
MessageBox(NULL,"press","OK",MB_OK);
// Bit 31 of lParam is the transition state: 1 means the key is being
// released, so this branch runs on key-up (the original comment said key-down).
if(lParam&0x80000000)
{
bool ctrl;
bool alt;
// GetKeyState returns a SHORT whose high bit (0x8000) is set while the key
// is down; the cast to int sign-extends it, which is why 0x80000000 tests it.
ctrl= (0x80000000 &(int) GetKeyState(VK_CONTROL )) ==0x80000000;
alt =(0x80000000 & (int)GetKeyState(VK_MENU )) ==0x80000000; // computed but unused in the test below
bool shift ;
// Only the LEFT shift key is tested (VK_LSHIFT), not VK_SHIFT.
shift=((int)GetKeyState(VK_LSHIFT) & 0x80000000)==0x80000000;
bool cpress;
// Letter virtual-key codes are the upper-case ASCII values, so the 'w'
// comparison never matches; the combination actually tested is ctrl+shift+W.
cpress= (char)c =='W' ||(char)c =='w' ;
if (ctrl && shift && cpress)
{
// Per-process toggle; nothing else on this page reads it.
active=!active;
/* if(active ) printf("%s /n","active");
else printf("%s /n"," not active");
*/
// Message text says "c+a" although the tested combination is ctrl+shift+W.
MessageBox(NULL,"c+a press","sucessful",MB_OK);
}
}
return CallNextHookEx(gamehook,nCode,wParam,lParam);
}
------------------------------------------
main.cpp
#include "windows.h"
#include <string>
#include <tlhelp32.h>
#include <iostream>
#include "stdio.h"
#define GAMENAME "hook.exe" // executable name the injector polls for with Findprocess
using namespace std; // file-scope using-directive: tolerable in a .cpp, never in a header
DWORD Findprocess(string processname); // defined below; returns the PID, or 0 when nothing matches
/// Tries to enable one named privilege (main passes SE_DEBUG_NAME) in the
/// current process token.
/// @param name privilege name as understood by LookupPrivilegeValue
/// @return always 0; none of the three Win32 calls below is checked
/// NOTE(review): AdjustTokenPrivileges returns TRUE even when the token does
/// not hold the privilege (GetLastError() == ERROR_NOT_ALL_ASSIGNED), so the
/// caller cannot tell whether it was actually enabled. By default only
/// administrators hold SeDebugPrivilege, so in a standard-user process this
/// is effectively a no-op.
int EnableDebugPriv(const char * name)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;
// Open the current process token for privilege adjustment (result unchecked;
// hToken is uninitialised if this fails).
OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,
&hToken);
// Resolve the privilege name to its locally unique ID (result unchecked).
LookupPrivilegeValue(NULL,name,&luid) ;
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid = luid;
// Apply the change. NOTE(review): hToken is never closed (handle leak).
AdjustTokenPrivileges(hToken,0,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL);
return 0;
}
/// Injector entry point: waits until a process named GAMENAME exists, then
/// makes that process load dll.dll by running LoadLibraryA on a thread
/// created inside it, and finally pumps messages so this process stays alive.
/// NOTE(review): the OpenProcess + VirtualAllocEx + WriteProcessMemory +
/// CreateRemoteThread(LoadLibraryA) sequence is the textbook remote-thread
/// injection pattern; endpoint telemetry records it (for example Sysmon
/// event 8, CreateRemoteThread) and defenders treat it as a high-confidence
/// signal regardless of the DLL's purpose.
/// @return 0 when the message loop ends; FALSE (also 0) if CreateRemoteThread fails
int main()
{
// String literal bound to a non-const char* (deprecated conversion). The
// path is hard-coded, so the DLL must exist at exactly this location.
char *DllFullPath="E://test//myself//dll.dll";
// Loads the DLL into the injector itself: its DllMain installs the global
// keyboard hook from this process before any remote injection happens.
LoadLibrary(DllFullPath);
MSG msg;
DWORD pid=-1; // DWORD is unsigned, so -1 wraps to 0xFFFFFFFF; overwritten before use
// Poll every 500 ms until Findprocess returns a non-zero PID.
while(1)
{
if( 0< (pid=Findprocess(GAMENAME)))
{
break;
}
Sleep(500);
cout<<"Not Found "<<GAMENAME<<endl;
}
Sleep(1000);
// Return value ignored; see EnableDebugPriv - the privilege may not be enabled.
EnableDebugPriv(SE_DEBUG_NAME) ;
HANDLE hRemoteProcess;
// Open the target with the rights needed below. NOTE(review): a NULL handle
// (access denied, process already gone) is not checked and flows into every
// call that follows.
hRemoteProcess = OpenProcess( PROCESS_CREATE_THREAD | // allow creating a thread in the target
PROCESS_VM_OPERATION | // allow VM operations in the target
PROCESS_VM_WRITE,// allow writing the target's memory
FALSE, pid );
char *pszLibFileRemote;
// Reserve room for the DLL path inside the target's address space (result unchecked).
pszLibFileRemote = (char *) VirtualAllocEx( hRemoteProcess, NULL, lstrlenA(DllFullPath)+1,
MEM_COMMIT, PAGE_READWRITE);
// Copy the path, including its terminator, into the target (result unchecked).
WriteProcessMemory(hRemoteProcess,
pszLibFileRemote, (void *) DllFullPath, lstrlenA(DllFullPath)+1, NULL);
// Resolve LoadLibraryA in THIS process and reuse the address as the remote
// thread's start routine - this relies on kernel32 being mapped at the same
// address in the target. NOTE(review): a NULL result is not checked.
PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
// Start a thread in the target that runs LoadLibraryA(pszLibFileRemote).
HANDLE hRemoteThread;
if( (hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0, pfnStartAddr, pszLibFileRemote, 0, NULL) ) == NULL)
{
MessageBox(NULL,("CreateRemoteThread error!"),"",MB_OK);
// Error path: hRemoteProcess is not closed and the remote buffer is not freed.
return FALSE;
}
// Wait for the remote LoadLibraryA call to finish before releasing the path buffer.
WaitForSingleObject(hRemoteThread, INFINITE);
// NOTE(review): with MEM_RELEASE the documented dwSize must be 0; passing a
// non-zero size makes the call fail, so the buffer is never actually released.
VirtualFreeEx(hRemoteProcess, pszLibFileRemote , lstrlenA(DllFullPath)+1, MEM_RELEASE);
CloseHandle(hRemoteThread);
CloseHandle(hRemoteProcess);
// Message pump: keeps this process (and the hook it installed) alive until WM_QUIT.
while(GetMessage(&msg, 0, 0, 0))
{
TranslateMessage(&msg);
DispatchMessage(&msg);
}
return 0;
}
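/// Looks up a running process by executable file name.
/// @param processname executable name as reported in PROCESSENTRY32::szExeFile
///                    (e.g. "hook.exe"); compared case-insensitively because
///                    Windows file names are case-insensitive
/// @return process ID of the first match, or 0 when no process matches or the
///         snapshot could not be taken (0 is also the System Idle Process's
///         PID, so callers such as main treat 0 as "not found")
DWORD Findprocess(string processname)
{
    // Only the process list is needed; TH32CS_SNAPALL would additionally
    // snapshot this process's heaps and modules.
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
    {
        return 0;
    }
    DWORD pid = 0;
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(PROCESSENTRY32); // must be set before Process32First
    if (Process32First(snapshot, &entry))
    {
        do
        {
            // Case-insensitive ANSI compare; no std::string temporary per entry.
            if (lstrcmpiA(entry.szExeFile, processname.c_str()) == 0)
            {
                pid = entry.th32ProcessID;
                break; // single exit below so the snapshot handle is always closed
            }
        } while (Process32Next(snapshot, &entry));
    }
    // The original returned from inside the loop and leaked the snapshot handle
    // on the found path.
    CloseHandle(snapshot);
    return pid;
}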