?? hookwproc.cpp
字號:
// HookWProc.cpp.
#include "stdafx.h"
#include <stdio.h>
//---------------------------------------------------------------------
typedef LONG (WINAPI *SETWINDOWLONG) (HWND,int,LONG);
typedef BOOL (WINAPI *SETWINDOWTEXT) (HWND,LPCSTR);
typedef LRESULT (WINAPI *CALLWINDOWPROC) (WNDPROC,HWND,UINT,WPARAM,LPARAM);
typedef struct {
SETWINDOWLONG fnSetWindowLong;
CALLWINDOWPROC fnCallWindowProc;
SETWINDOWTEXT fnSetWindowText;
HWND hwnd;
WNDPROC fnNewProc;
char pszStr[20];
WNDPROC fnOldProc;
} INJDATA, *PINJDATA;
//---------------------------------------------------------------------
DWORD WINAPI InjectFunc (INJDATA *pData)
{
pData->fnOldProc = (WNDPROC)pData->fnSetWindowLong
( pData->hwnd, GWL_WNDPROC,(long)pData->fnNewProc );
return (pData->fnOldProc != NULL);
}
//---------------------------------------------------------------------
// 新的Windows過程函數(shù).
static LRESULT CALLBACK NewProc(HWND hwnd,
UINT uMsg,
WPARAM wParam,
LPARAM lParam )
{
// 計(jì)算INJDATA的位置,注意在遠(yuǎn)進(jìn)程中INJDATA緊放在NewProc前.
INJDATA* pData;
_asm {
call dummy
dummy:
pop ecx // 此時(shí)ECX 指向當(dāng)前 EIP (指示指針).
sub ecx, 14 // 此時(shí)ECX 指向 NewProc的地址.
mov pData, ecx
}
pData--;
switch (uMsg)
{
case WM_LBUTTONDOWN:
break;
case WM_PAINT:
pData->fnSetWindowText(hwnd,pData->pszStr);
break;
}
return pData->fnCallWindowProc
(pData->fnOldProc, hwnd,uMsg,wParam,lParam );
}
//---------------------------------------------------------------------
int InjectCode (HWND hWnd, char *pszText)
{
HANDLE hProcess;
HANDLE hThread;
DWORD dwPID;
BYTE *pCodeRemote;
BYTE *pDataRemote;
BYTE *pNewProcRemote;
DWORD dwThreadId;
DWORD dwNumBytes;
int nSuccess = 0;
int nNewProc = 250;
int nInjectFunc = 1024;
__try {
GetWindowThreadProcessId( hWnd, &dwPID );
hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, dwPID);
if (hProcess == NULL)
__leave;
int size = sizeof(INJDATA) + nNewProc;
pDataRemote = (BYTE*) VirtualAllocEx( hProcess, 0,
size, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
if ( pDataRemote == NULL )
__leave;
pNewProcRemote = pDataRemote + sizeof(INJDATA);
WriteProcessMemory( hProcess, pNewProcRemote,
NewProc, nNewProc, &dwNumBytes);
// 初始化INJDATA結(jié)構(gòu).
HMODULE hUser32 = GetModuleHandle("user32");
INJDATA DataLocal = {
(SETWINDOWLONG) GetProcAddress(hUser32, "SetWindowLongA"),
(CALLWINDOWPROC)GetProcAddress(hUser32, "CallWindowProcA"),
(SETWINDOWTEXT) GetProcAddress(hUser32, "SetWindowTextA"),
hWnd,
(WNDPROC) (pNewProcRemote)
};
strcpy(DataLocal.pszStr,pszText);
if (DataLocal.fnSetWindowLong == NULL ||
DataLocal.fnCallWindowProc == NULL ||
DataLocal.fnSetWindowText == NULL)
__leave;
// 把初始化的INJDATA拷貝到遠(yuǎn)進(jìn)程中.
WriteProcessMemory( hProcess,pDataRemote,
&DataLocal, sizeof(INJDATA), &dwNumBytes);
pCodeRemote = (BYTE*) VirtualAllocEx(
hProcess, 0, nInjectFunc, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
if ( pCodeRemote == 0 )
__leave;
WriteProcessMemory( hProcess, pCodeRemote,
InjectFunc, nInjectFunc, &dwNumBytes);
// Start execution of remote InjectFunc
hThread = CreateRemoteThread(hProcess, NULL, 0,
(LPTHREAD_START_ROUTINE) pCodeRemote,
pDataRemote, 0 , &dwThreadId);
if ( hThread == 0 )
__leave;
WaitForSingleObject(hThread, INFINITE);
GetExitCodeThread(hThread, (PDWORD) &nSuccess);
}
__finally {
if( !nSuccess )
VirtualFreeEx( hProcess, pDataRemote, 0, MEM_RELEASE );
if ( pCodeRemote != NULL )
VirtualFreeEx( hProcess, pCodeRemote, 0, MEM_RELEASE );
if ( hThread != NULL )
CloseHandle(hThread);
if ( hProcess != NULL )
CloseHandle( hProcess );
}
return nSuccess;
}
void NewProcCode()
{
// 定義最大代碼長度.
#define Max_Sc_Len 45
char buffer[Max_Sc_Len];
// 復(fù)制代碼到buffer.
memcpy(buffer,(char *)NewProc,Max_Sc_Len);
// 顯示代碼.
for(int i=0;i<Max_Sc_Len;i++){
printf(" %02x", buffer[i]&0xff);
}
getchar();
}
void main()
{
// 調(diào)用顯示NewProc()函數(shù)代碼的函數(shù).
// NewProcCode();
HWND hWnd;
hWnd = FindWindow (NULL,TEXT("HookMsgbx"));
if(!hWnd) return;
hWnd = FindWindowEx (hWnd, NULL,TEXT("BUTTON"),"確定");
if(!hWnd) return;
InjectCode(hWnd,"Hello!");
}?? 快捷鍵說明
復(fù)制代碼
Ctrl + C
搜索代碼
Ctrl + F
全屏模式
F11
切換主題
Ctrl + Shift + D
顯示快捷鍵
?
增大字號
Ctrl + =
減小字號
Ctrl + -