Windows挂钩注入DLL

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Windows挂钩注入DLL相关的知识,希望对你有一定的参考价值。

注入DLL实现源码:
HINSTANCE g_hInstDll = NULL; HHOOK g_hHook = NULL; DWORD g_dwThreadId = 0; #ifdef _MANAGED #pragma managed(push, off) #endif BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: g_hInstDll = (HINSTANCE)hModule; case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; } #ifdef _MANAGED #pragma managed(pop) #endif INT_PTR WINAPI DipDlg_Proc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam) { switch (uMsg) { case WM_CLOSE: { DestroyWindow(hWnd); } break; case WM_APP: if (lParam) { ShowWindow(hWnd, SW_SHOW); } break; } return(FALSE); } LRESULT CALLBACK ProcHookMsg(int nCode, WPARAM wp, LPARAM lp) { static BOOL bFirstTime = TRUE; if (bFirstTime) { bFirstTime = FALSE; // 从一个对话框模版资源创建一个无模式的对话框 CreateDialog(g_hInstDll, MAKEINTRESOURCE(IDD_DIPS), NULL, DipDlg_Proc); PostThreadMessage(g_dwThreadId, WM_NULL, 0, 0); } return (CallNextHookEx(g_hHook, nCode, wp, lp)); } // 设置钩子函数 DIPSLIB_API BOOL SetDipsHook(DWORD dThreadId) { BOOL bRet = FALSE; if (dThreadId != 0) { g_dwThreadId = dThreadId; g_hHook = SetWindowsHookEx(WH_GETMESSAGE, ProcHookMsg, g_hInstDll, dThreadId); if (NULL != g_hHook) { bRet = PostThreadMessage(dThreadId, WM_NULL, NULL, NULL); } } else { if (g_hHook != NULL) { bRet = UnhookWindowsHookEx(g_hHook); g_hHook = NULL; } } return bRet; }
代理进程实现源码:
HWND g_DestWindowWnd= NULL;

// 此代码模块中包含的函数的前向声明:
ATOM				MyRegisterClass(HINSTANCE hInstance);
BOOL				InitInstance(HINSTANCE, int);
LRESULT CALLBACK	WndProc(HWND, UINT, WPARAM, LPARAM);
INT_PTR CALLBACK	About(HWND, UINT, WPARAM, LPARAM);

BOOL CALLBACK ProcEnumChildWindows(HWND hWnd, LPARAM lp)
{
	CHAR pBuff[MAX_PATH] = {0};
	GetWindowText(hWnd, pBuff, MAX_PATH);

	if (0 == strcmp("FolderView", pBuff))
	{
		g_DestWindowWnd = hWnd;

		// 返回0就停止枚举
		return 0;    
	}
	
	return TRUE;
}
int APIENTRY _tWinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPTSTR    lpCmdLine,
                     int       nCmdShow)
{
	UNREFERENCED_PARAMETER(hPrevInstance);
	UNREFERENCED_PARAMETER(lpCmdLine);

 	// TODO: 在此放置代码。
	MSG msg;
	HACCEL hAccelTable;

	// 初始化全局字符串
	LoadString(hInstance, IDS_APP_TITLE, szTitle, MAX_LOADSTRING);
	LoadString(hInstance, IDC_DIPS, szWindowClass, MAX_LOADSTRING);
	MyRegisterClass(hInstance);

	// 执行应用程序初始化:
	if (!InitInstance (hInstance, nCmdShow))
	{
		return FALSE;
	}

	hAccelTable = LoadAccelerators(hInstance, MAKEINTRESOURCE(IDC_DIPS));

	HWND hPromanWnd = FindWindow("ProgMan", NULL);
	
	EnumChildWindows(hPromanWnd, ProcEnumChildWindows, NULL);
	
	DWORD nThreadId, nProcessId;
	nThreadId = GetWindowThreadProcessId(g_DestWindowWnd, &nProcessId);
	SetDipsHook(nThreadId);
	// 主消息循环:
	while (GetMessage(&msg, NULL, 0, 0))
	{
		HWND hWndDIPS = FindWindow(NULL, TEXT("Test Dips"));
		SendMessage(hWndDIPS, WM_APP, (WPARAM) g_DestWindowWnd, TRUE);
		Sleep(2000);
		SendMessage(hWndDIPS, WM_CLOSE, 0, 0);
		SetDipsHook(0); 
	}

	return 0;
}

  

 

  

以上是关于Windows挂钩注入DLL的主要内容,如果未能解决你的问题,请参考以下文章

在调用导入之前将挂钩 DLL 注入进程?

注入 dll 在 Windows XP 上不起作用

根据代码顺序,挂钩 sendto() 会导致崩溃

使用 KeyboardProc / SetWindowsHookEx 从注入的 DLL 中挂钩键盘

使用挂钩函数时应用程序崩溃

从注入的 DLL 挂钩 DirectX EndScene