您正在查看: 2017年1月

Windows 下DLL注入的常用方式之一远程线程注入

#include <tlhelp32.h>

#pragma comment(lib,"th32.lib")

DWORD GetProcessId()
{
    char* targetFile = "notepad.exe";
    DWORD Pid=-1;
    HANDLE hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    PROCESSENTRY32 lPrs;
    ZeroMemory(&lPrs,sizeof(lPrs));
    lPrs.dwSize=sizeof(lPrs);
    Process32First(hSnap,&lPrs);//取得系统快照里第一个进程信息
    if(strstr(targetFile,lPrs.szExeFile))
    {
    Pid=lPrs.th32ProcessID;
    return Pid;
    }

while(1)
{
    ZeroMemory(&lPrs,sizeof(lPrs));
    lPrs.dwSize=(&lPrs,sizeof(lPrs));
if(!Process32Next(hSnap,&lPrs))
{
Pid=-1;
break;
}
if(strstr(targetFile,lPrs.szExeFile))
{
    Pid=lPrs.th32ProcessID;
break;
}
}

return Pid;

}

BOOL EnabledDebugPrivilege()
{
    HANDLE hToken;
    TOKEN_PRIVILEGES tkp;

    if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) 
        return false;

    LookupPrivilegeValue(NULL,SE_SHUTDOWN_NAME,&tkp.Privileges[0].Luid);

    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    AdjustTokenPrivileges(hToken,false,&tkp,0,(PTOKEN_PRIVILEGES)NULL,0);

    if (GetLastError() != ERROR_SUCCESS)
        return false;

    return true;
}

int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR     lpCmdLine,
                     int       nCmdShow)
{
     // TODO: Place code here.
    EnabledDebugPrivilege();

    char* dllName = "c:\\hook.dll";
    //HMODULE hDll = LoadLibrary(dllName);    

    FARPROC farLoadLibrary = GetProcAddress(GetModuleHandle("Kernel32.dll"),"LoadLibraryA");
    DWORD dwProcessID = GetProcessId();

    if(dwProcessID == -1)
    {
        MessageBox(NULL,"dw not found","",0);
        return 0;
    }
    //HWND hwNotePad  =  FindWindow(NULL,"QQ用户登录"); 
    //if(hwNotePad == NULL)
        //return 0;

    //GetWindowThreadProcessId(hwNotePad,   &dwProcessID); 
    char* pid = new char[10];
    sprintf(pid,"0x%x",dwProcessID);


    HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,dwProcessID);
    if(hProcess == INVALID_HANDLE_VALUE)
    {
        MessageBox(NULL,"open error","",0);
        CloseHandle(hProcess);
        return 0;
    }
    LPVOID   lpDllAddr   =   VirtualAllocEx(hProcess,   NULL, strlen(dllName),   MEM_COMMIT,   PAGE_READWRITE); 
    if(lpDllAddr == NULL)
    {
        MessageBox(NULL,"alloc error","",0);
        CloseHandle(hProcess);
        return 0;
    }
    if(!WriteProcessMemory(hProcess,   lpDllAddr,   dllName,   strlen(dllName) ,NULL))
    {
        MessageBox(NULL,"Write error","",0);
        CloseHandle(hProcess);
        return 0;
    }
    HANDLE   hT   =   CreateRemoteThread(hProcess,   NULL,   0,   (LPTHREAD_START_ROUTINE)farLoadLibrary,   lpDllAddr,   0,   NULL);   
    CloseHandle(hT);
    CloseHandle(hProcess);
    MessageBox(NULL,"finish","",0);
    return 0;
}

Windows下C++如可通过hook捕获鼠标

    #define _win32_WINNT 0x0500
    #include<windows.h>
    #include<cmath>
     
    LRESULT CALLBACK mouseHookProc(int nCode, WPARAM wParam, LPARAM lParam) 
{
       PMSLLHOOKSTRUCT p = (PMSLLHOOKSTRUCT) lParam;
     
       bool eat = false;
     
       // Screen resolution
       static float screen_cx = static_cast<float>( GetSystemMetrics(SM_CXSCREEN) );
       static float screen_cy = static_cast<float>( GetSystemMetrics(SM_CYSCREEN) );
     
       // Centre of screen
       static float screen_centre_x = screen_cx / 2.0f;
       static float screen_centre_y = screen_cy / 2.0f;
     
       // Calculate distance away from centre of screen
       float dx = p->pt.x - screen_centre_x;
       float dy = p->pt.y - screen_centre_y;
     
       float dist = sqrt(dx * dx + dy * dy);
     
       // Check if cursor is more than 300px away from centre of screen
       if (dist > 300) {
          float angle = atan2(dy, dx);
     
          // Trap cursor
          SetCursorPos(
             /* X */ int( screen_centre_x + cos(angle) * 300 ),
             /* Y */ int( screen_centre_y + sin(angle) * 300 )
          );
     
          // Stop windows handling event
          eat = true;
       }
     
       return (eat ? 1 : CallNextHookEx(NULL, nCode, wParam, lParam));
    }
     
    int WINAPI WinMain(HINSTANCE hInstance,
                       HINSTANCE hPrevInstance,
                       LPSTR lpCmdLine,
                       int nShowCmd) {
     
       // Set mouse hook
       HHOOK mouseHook = SetWindowsHookEx(
                      WH_MOUSE_LL,      /* Type of hook */
                      mouseHookProc,    /* Hook process */
                      hInstance,        /* Instance */
                      NULL);
     
       // Wait for user to exit
       MessageBox(NULL, "Press OK to close.", "", MB_OK);
       return 0;
    }

LoadLibrary加载动态库失败怎么办?

方式一 采用LoadLibraryEx

若DLL不在调用方的同一目录下,可以用LoadLibrary(L"DLL绝对路径")加载。但若调用的DLL内部又调用另外一个DLL,此时调用仍会失败。解决办法是用LoadLibraryEx:
LoadLibraryEx("DLL绝对路径", NULL, LOAD_WITH_ALTERED_SEARCH_PATH);
通过指定LOAD_WITH_ALTERED_SEARCH_PATH,让系统DLL搜索顺序从DLL所在目录开始。

方式二 采用SetCurrentDir

跨目录调用dll,你应该这样
1 用GetCurrentDir保存当前的工作目录
2 用SetCurrentDir将当前的工作目录,设置为你的DLL所在的路径,需要使用绝对路径
3 用LoadLibrary你的DLL
4 使用SetCurrentDir恢复到原来的工作路径

示例

TCHAR chCurDir[MAX_PATH] = {0};  
GetCurrentDirectory(MAX_PATH, chCurDir);  
SetCurrentDirectory(_T("c:\\testdll\\"));  
m_hDLL = LoadLibrary(_T("Test.dll"));  
SetCurrentDirectory(chCurDir);  

windows 如何获取当前的工作目录?

加载Dll时需要获取当前的工作目录?

通过以下代码就可以完成:

TCHAR chCurDir[MAX_PATH] = {0};  
GetCurrentDirectory(MAX_PATH, chCurDir);  //获取当前的工作目录
SetCurrentDirectory(chCurDir);  //设置当前的工作目录
m_hDLL = LoadLibrary(_T("MyTest.dll"));  //加载当前工作目录的dll

如何使用Windows的钩子函数

WinAPI: SetWindowsHookEx - 设置钩子

SetWindowsHookEx(
idHook: Integer; {钩子类型}
lpfn: TFNHookProc; {函数指针}
hmod: HINST; {包含钩子函数的模块(EXE、DLL)句柄; 一般是 HInstance; 如果是当前线程这里可以是 0}
dwThreadId: DWORD {关联的线程; 可用 GetCurrentThreadId 获取当前线程; 0 表示是系统级钩子}
): HHOOK; {返回钩子的句柄; 0 表示失败}

//钩子类型 idHook 选项:
WH_MSGFILTER = -1; {线程级; 截获用户与控件交互的消息}
WH_JOURNALRECORD = 0; {系统级; 记录所有消息队列从消息队列送出的输入消息, 在消息从队列中清除时发生; 可用于宏记录}
WH_JOURNALPLAYBACK = 1; {系统级; 回放由 WH_JOURNALRECORD 记录的消息, 也就是将这些消息重新送入消息队列}
WH_KEYBOARD = 2; {系统级或线程级; 截获键盘消息}
WH_GETMESSAGE = 3; {系统级或线程级; 截获从消息队列送出的消息}
WH_CALLWNDPROC = 4; {系统级或线程级; 截获发送到目标窗口的消息, 在 SendMessage 调用时发生}
WH_CBT = 5; {系统级或线程级; 截获系统基本消息, 譬如: 窗口的创建、激活、关闭、最大最小化、移动等等}
WH_SYSMSGFILTER = 6; {系统级; 截获系统范围内用户与控件交互的消息}
WH_MOUSE = 7; {系统级或线程级; 截获鼠标消息}
WH_HARDWARE = 8; {系统级或线程级; 截获非标准硬件(非鼠标、键盘)的消息}
WH_DEBUG = 9; {系统级或线程级; 在其他钩子调用前调用, 用于调试钩子}
WH_shell = 10; {系统级或线程级; 截获发向外壳应用程序的消息}
WH_FOREGROUNDIDLE = 11; {系统级或线程级; 在程序前台线程空闲时调用}
WH_CALLWNDPROCRET = 12; {系统级或线程级; 截获目标窗口处理完毕的消息, 在 SendMessage 调用后发生}