
《逆向工程核心原理》 (Reverse Engineering Core Principles): Windows Message Hooking

DLL injection: message hooking with the SetWindowsHookEx function

MSDN:

SetWindowsHookEx Function


The SetWindowsHookEx function installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread.

Syntax

HHOOK SetWindowsHookEx(
    int       idHook,
    HOOKPROC  lpfn,
    HINSTANCE hMod,
    DWORD     dwThreadId   // 0 means a global hook
);

Parameters

idHook
[in] Specifies the type of hook procedure to be installed. This parameter can be one of the following values.
WH_CALLWNDPROC
Installs a hook procedure that monitors messages before the system sends them to the destination window procedure. For more information, see the CallWndProc hook procedure.
WH_CALLWNDPROCRET
Installs a hook procedure that monitors messages after they have been processed by the destination window procedure. For more information, see the CallWndRetProc hook procedure.
WH_CBT
Installs a hook procedure that receives notifications useful to a computer-based training (CBT) application. For more information, see the CBTProc hook procedure.
WH_DEBUG
Installs a hook procedure useful for debugging other hook procedures. For more information, see the DebugProc hook procedure.
WH_FOREGROUNDIDLE
Installs a hook procedure that will be called when the application's foreground thread is about to become idle. This hook is useful for performing low priority tasks during idle time. For more information, see the ForegroundIdleProc hook procedure.
WH_GETMESSAGE
Installs a hook procedure that monitors messages posted to a message queue. For more information, see the GetMsgProc hook procedure.
WH_JOURNALPLAYBACK
Installs a hook procedure that posts messages previously recorded by a WH_JOURNALRECORD hook procedure. For more information, see the JournalPlaybackProc hook procedure.
WH_JOURNALRECORD
Installs a hook procedure that records input messages posted to the system message queue. This hook is useful for recording macros. For more information, see the JournalRecordProc hook procedure.
WH_KEYBOARD
Installs a hook procedure that monitors keystroke messages. For more information, see the KeyboardProc hook procedure.
WH_KEYBOARD_LL
Windows NT/2000/XP: Installs a hook procedure that monitors low-level keyboard input events. For more information, see the LowLevelKeyboardProc hook procedure.
WH_MOUSE
Installs a hook procedure that monitors mouse messages. For more information, see the MouseProc hook procedure.
WH_MOUSE_LL
Windows NT/2000/XP: Installs a hook procedure that monitors low-level mouse input events. For more information, see the LowLevelMouseProc hook procedure.
WH_MSGFILTER
Installs a hook procedure that monitors messages generated as a result of an input event in a dialog box, message box, menu, or scroll bar. For more information, see the MessageProc hook procedure.
WH_SHELL
Installs a hook procedure that receives notifications useful to shell applications. For more information, see the ShellProc hook procedure.
WH_SYSMSGFILTER
Installs a hook procedure that monitors messages generated as a result of an input event in a dialog box, message box, menu, or scroll bar. The hook procedure monitors these messages for all applications in the same desktop as the calling thread. For more information, see the SysMsgProc hook procedure.
lpfn
[in] Pointer to the hook procedure. If the dwThreadId parameter is zero or specifies the identifier of a thread created by a different process, the lpfn parameter must point to a hook procedure in a DLL. Otherwise, lpfn can point to a hook procedure in the code associated with the current process.
hMod
[in] Handle to the DLL containing the hook procedure pointed to by the lpfn parameter. The hMod parameter must be set to NULL if the dwThreadId parameter specifies a thread created by the current process and if the hook procedure is within the code associated with the current process.
dwThreadId
[in] Specifies the identifier of the thread with which the hook procedure is to be associated. If this parameter is zero, the hook procedure is associated with all existing threads running in the same desktop as the calling thread.

Return Value

If the function succeeds, the return value is the handle to the hook procedure.

If the function fails, the return value is NULL. To get extended error information, call GetLastError.



Remarks

SetWindowsHookEx can be used to inject a DLL into another process. A 32-bit DLL cannot be injected into a 64-bit process, and a 64-bit DLL cannot be injected into a 32-bit process. If an application requires the use of hooks in other processes, it is required that a 32-bit application call SetWindowsHookEx to inject a 32-bit DLL into 32-bit processes, and a 64-bit application call SetWindowsHookEx to inject a 64-bit DLL into 64-bit processes. The 32-bit and 64-bit DLLs must have different names.

An error may occur if the hMod parameter is NULL and the dwThreadId parameter is zero or specifies the identifier of a thread created by another process.

Calling the CallNextHookEx function to chain to the next hook procedure is optional, but it is highly recommended; otherwise, other applications that have installed hooks will not receive hook notifications and may behave incorrectly as a result. You should call CallNextHookEx unless you absolutely need to prevent the notification from being seen by other applications.

Before terminating, an application must call the UnhookWindowsHookEx function to free system resources associated with the hook.

The scope of a hook depends on the hook type. Some hooks can be set only with global scope; others can also be set for only a specific thread, as shown in the following table.

Hook                 Scope
WH_CALLWNDPROC       Thread or global
WH_CALLWNDPROCRET    Thread or global
WH_CBT               Thread or global
WH_DEBUG             Thread or global
WH_FOREGROUNDIDLE    Thread or global
WH_GETMESSAGE        Thread or global
WH_JOURNALPLAYBACK   Global only
WH_JOURNALRECORD     Global only
WH_KEYBOARD          Thread or global
WH_KEYBOARD_LL       Global only
WH_MOUSE             Thread or global
WH_MOUSE_LL          Global only
WH_MSGFILTER         Thread or global
WH_SHELL             Thread or global
WH_SYSMSGFILTER      Global only

For a specified hook type, thread hooks are called first, then global hooks.

The global hooks are a shared resource, and installing one affects all applications in the same desktop as the calling thread. All global hook functions must be in libraries. Global hooks should be restricted to special-purpose applications or to use as a development aid during application debugging. Libraries that no longer need a hook should remove its hook procedure.

Windows 95/98/Me: SetWindowsHookEx is supported by the Microsoft Layer for Unicode (MSLU). However, it does not make conversions. To see Unicode messages, notifications, and so forth, you must subclass the window. To use this version of the API, you must add certain files to your application, as outlined in Installing and Releasing Hook Procedures.

Hooking Notepad keyboard input:

Main program:

#include <iostream>
#include <cstdio>
#include <windows.h>

#define    DEF_DLL_NAME        "KeyHook.dll"
#define    DEF_HOOKSTART       "HookStart"
#define    DEF_HOOKSTOP        "HookStop"

typedef void (*PFN_HOOKSTART)();
typedef void (*PFN_HOOKSTOP)();

int main()
{
    HMODULE         hDll = NULL;
    PFN_HOOKSTART   HookStart = NULL;
    PFN_HOOKSTOP    HookStop = NULL;
    int             ch = 0;

    // Load KeyHook.dll (HMODULE: handle to a module)
    hDll = LoadLibraryA(DEF_DLL_NAME);
    if (hDll == NULL)
    {
        printf("LoadLibrary(%s) failed!!! [0x%08lX]\n", DEF_DLL_NAME, GetLastError());
        return 1;
    }
    //printf("hDll(%p)\n", hDll);

    // Resolve the addresses of the exported functions
    HookStart = (PFN_HOOKSTART)GetProcAddress(hDll, DEF_HOOKSTART);
    //printf("HookStart(%p)\n", HookStart);
    HookStop = (PFN_HOOKSTOP)GetProcAddress(hDll, DEF_HOOKSTOP);
    //printf("HookStop(%p)\n", HookStop);
    if (HookStart == NULL || HookStop == NULL)
    {
        printf("GetProcAddress failed!!! [0x%08lX]\n", GetLastError());
        FreeLibrary(hDll);
        return 1;
    }

    // Start hooking
    HookStart();

    // Wait until the user enters 'q' (or stdin closes)
    printf("input 'q' to quit!\n");
    while ((ch = getchar()) != 'q' && ch != EOF)
        ;   // empty loop

    // Stop hooking
    HookStop();

    // Unload KeyHook.dll
    FreeLibrary(hDll);
    return 0;
}

Global hook DLL (the hook procedure filters for the Notepad process):

#include "pch.h"        // Visual Studio precompiled header; drop it if the project has none
#include <windows.h>
#include <string.h>
#include <ctype.h>

#define DEF_PROCESS_NAME        "notepad.exe"

HINSTANCE g_hInstance = NULL;   // module handle of this DLL, passed to SetWindowsHookEx
HHOOK     g_hHook     = NULL;   // handle of the installed hook
HWND      g_hWnd      = NULL;

BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        g_hInstance = hModule;
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

// WH_KEYBOARD hook procedure; it runs inside every process the hook is injected into
LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    char  szPath[MAX_PATH] = { 0, };
    char* p = NULL;
    TCHAR tempChar[256] = { 0 };

    if (nCode == HC_ACTION) {
        /*
        wParam [in] The virtual-key code of the key that generated the keystroke message.

        lParam [in] The repeat count, scan code, extended-key flag, context code,
        previous key-state flag and transition-state flag (see Keystroke Message Flags):
          bits 0-15  (low word)          repeat count: the number of times the keystroke
                                         was repeated because the user held the key down
          bits 16-23 (third byte)        scan code; the value depends on the OEM
          bit  24    (mask 0x01000000)   extended key, such as a function key or a key on
                                         the numeric keypad: 1 if extended, otherwise 0
          bits 25-28                     reserved
          bit  29    (mask 0x20000000)   context code: 1 if the ALT key is down, otherwise 0
          bit  30    (mask 0x40000000)   previous key state: 1 if the key was down before
                                         the message was sent, 0 if it was up
          bit  31    (mask 0x80000000)   transition state: 0 if the key is being pressed,
                                         1 if it is being released
        */
        if (lParam & 0x80000000) {   // bit 31 is 0 on key press, 1 on key release
            // Executable name of the process this hook procedure is running in
            GetModuleFileNameA(NULL, szPath, MAX_PATH);
            p = strrchr(szPath, '\\');
            p = (p != NULL) ? p + 1 : szPath;

            if (!_stricmp(p, DEF_PROCESS_NAME)) {
                // Dead keys set the top bit of the result, so only translate plain characters
                UINT ch = MapVirtualKey((UINT)wParam, MAPVK_VK_TO_CHAR);
                if (ch < 0x80 && isalnum((int)ch)) {
                    tempChar[0] = (TCHAR)ch;
                    tempChar[1] = TEXT('\0');
                    MessageBox(NULL, tempChar, TEXT("input"), 0);
                }
                else {
                    wsprintf(tempChar, TEXT("0x%02X"), (UINT)wParam);
                    MessageBox(NULL, tempChar, TEXT("special"), 0);
                }
                //return 1;   // a nonzero return stops the message from reaching the rest of the chain and the target window
            }
        }
    }

    // Pass the message on to the next hook procedure in the chain
    return CallNextHookEx(g_hHook, nCode, wParam, lParam);
}

#ifdef __cplusplus
extern "C" {
#endif
    // Install a global keyboard hook (dwThreadId == 0)
    __declspec(dllexport) void HookStart()
    {
        g_hHook = SetWindowsHookEx(WH_KEYBOARD, KeyboardProc, g_hInstance, 0);
    }

    __declspec(dllexport) void HookStop()
    {
        if (g_hHook)
        {
            UnhookWindowsHookEx(g_hHook);
            g_hHook = NULL;
        }
    }
#ifdef __cplusplus
}
#endif
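The lParam bit layout documented in the hook procedure's comment, decoded by a stand-alone function. This is an added example, not code from the book or from this post; it uses no Windows headers so it compiles anywhere, and the sample lParam values are constructed to match the documented layout.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Fields packed into the lParam of a WH_KEYBOARD hook call. */
typedef struct {
    uint16_t repeat_count;   /* bits 0-15: auto-repeat count              */
    uint8_t  scan_code;      /* bits 16-23: OEM scan code                 */
    bool     extended_key;   /* bit 24: function key / numeric keypad key */
    bool     alt_down;       /* bit 29: context code, ALT held            */
    bool     was_down;       /* bit 30: previous key state                */
    bool     released;       /* bit 31: transition state, 1 = key up      */
} KeyFlags;

/* Split a 32-bit keystroke lParam into its documented bit fields. */
KeyFlags decode_key_lparam(uint32_t lparam)
{
    KeyFlags f;
    f.repeat_count = (uint16_t)(lparam & 0xFFFFu);
    f.scan_code    = (uint8_t)((lparam >> 16) & 0xFFu);
    f.extended_key = (lparam & 0x01000000u) != 0;
    f.alt_down     = (lparam & 0x20000000u) != 0;
    f.was_down     = (lparam & 0x40000000u) != 0;
    f.released     = (lparam & 0x80000000u) != 0;
    return f;
}

/* Classify the event. A key-down whose previous state was already "down" is an
   auto-repeat; the hook procedure on this page sidesteps that case by acting on
   key-up (bit 31) only. */
const char *key_state_name(uint32_t lparam)
{
    KeyFlags f = decode_key_lparam(lparam);
    if (f.released) return "release";
    return f.was_down ? "autorepeat" : "press";
}

int main(void)
{
    /* Constructed sample values: a key-up (bits 31 and 30 set, scan 0x1E),
       an auto-repeated key-down with ALT held (bits 30 and 29, repeat 3),
       and a first press of an extended key (bit 24, scan 0x1D). */
    const uint32_t samples[] = { 0xC01E0001u, 0x60380003u, 0x011D0001u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        KeyFlags f = decode_key_lparam(samples[i]);
        printf("0x%08X repeat=%u scan=0x%02X ext=%d alt=%d prev=%d -> %s\n",
               (unsigned)samples[i], f.repeat_count, f.scan_code, f.extended_key,
               f.alt_down, f.was_down, key_state_name(samples[i]));
    }
    return 0;
}
```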

Injecting into a specific process:

1. Get the process ID from the process name

2. Write the DLL and export the functions that are needed

3. Get the thread IDs of the target process; to be sure a valid thread ID is used, collect all of the process's thread IDs and try them one by one until the hook installs successfully

4. Call SetWindowsHookEx to perform the hook injection

DLL:

// dllmain.cpp : defines the entry point of the DLL application.
#include "pch.h"        // Visual Studio precompiled header; drop it if the project has none
#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>
#include <string.h>
#include <ctype.h>
#include <vector>
using std::vector;

#define DEF_PROCESS_NAME        "notepad.exe"

HINSTANCE g_hInstance = NULL;   // module handle of this DLL, passed to SetWindowsHookEx
HHOOK     g_hHook     = NULL;   // handle of the installed hook
HWND      g_hWnd      = NULL;

BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        g_hInstance = hModule;
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

// WH_KEYBOARD hook procedure; it runs inside the process whose thread the hook is attached to
LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    char  szPath[MAX_PATH] = { 0, };
    char* p = NULL;
    TCHAR tempChar[256] = { 0 };

    if (nCode == HC_ACTION) {
        /*
        wParam [in] The virtual-key code of the key that generated the keystroke message.

        lParam [in] The repeat count, scan code, extended-key flag, context code,
        previous key-state flag and transition-state flag (see Keystroke Message Flags):
          bits 0-15  (low word)          repeat count: the number of times the keystroke
                                         was repeated because the user held the key down
          bits 16-23 (third byte)        scan code; the value depends on the OEM
          bit  24    (mask 0x01000000)   extended key, such as a function key or a key on
                                         the numeric keypad: 1 if extended, otherwise 0
          bits 25-28                     reserved
          bit  29    (mask 0x20000000)   context code: 1 if the ALT key is down, otherwise 0
          bit  30    (mask 0x40000000)   previous key state: 1 if the key was down before
                                         the message was sent, 0 if it was up
          bit  31    (mask 0x80000000)   transition state: 0 if the key is being pressed,
                                         1 if it is being released
        */
        if (lParam & 0x80000000) {   // bit 31 is 0 on key press, 1 on key release
            // Executable name of the process this hook procedure is running in
            GetModuleFileNameA(NULL, szPath, MAX_PATH);
            p = strrchr(szPath, '\\');
            p = (p != NULL) ? p + 1 : szPath;

            if (!_stricmp(p, DEF_PROCESS_NAME)) {
                // Dead keys set the top bit of the result, so only translate plain characters
                UINT ch = MapVirtualKey((UINT)wParam, MAPVK_VK_TO_CHAR);
                if (ch < 0x80 && isalnum((int)ch)) {
                    tempChar[0] = (TCHAR)ch;
                    tempChar[1] = TEXT('\0');
                    MessageBox(NULL, tempChar, TEXT("input"), 0);
                }
                else {
                    wsprintf(tempChar, TEXT("0x%02X"), (UINT)wParam);
                    MessageBox(NULL, tempChar, TEXT("special"), 0);
                }
                //return 1;   // a nonzero return stops the message from reaching the rest of the chain and the target window
            }
        }
    }

    // Pass the message on to the next hook procedure in the chain
    return CallNextHookEx(g_hHook, nCode, wParam, lParam);
}

// Look up a process ID by executable name with a Toolhelp snapshot; returns 0 if not found
DWORD GetProcessIDByName(const TCHAR* pName)
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (INVALID_HANDLE_VALUE == hSnapshot) {
        return 0;
    }
    PROCESSENTRY32 pe = { sizeof(pe) };   // same as assigning pe.dwSize
    for (BOOL ret = Process32First(hSnapshot, &pe); ret; ret = Process32Next(hSnapshot, &pe)) {
        if (_tcsicmp(pe.szExeFile, pName) == 0) {
            CloseHandle(hSnapshot);
            return pe.th32ProcessID;
        }
        //printf("%-6d %s\n", pe.th32ProcessID, pe.szExeFile);
    }
    CloseHandle(hSnapshot);
    return 0;
}

// Collect the IDs of all threads owned by the process pID
vector<DWORD> GetThreadIDByPID(DWORD pID) {
    //DWORD pID = GetProcessIDByName(pName);
    vector<DWORD> ThreadIdentify;
    THREADENTRY32 te;
    te.dwSize = sizeof(te);   // required, otherwise Thread32First fails
    HANDLE h = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (h == INVALID_HANDLE_VALUE) {
        return ThreadIdentify;
    }
    if (Thread32First(h, &te))
    {
        do
        {
            if (te.th32OwnerProcessID == pID)
            {
                ThreadIdentify.push_back(te.th32ThreadID);
            }
        } while (Thread32Next(h, &te));
    }
    CloseHandle(h);
    return ThreadIdentify;
}
/*
vector<HANDLE> GetThreadIDByName(const TCHAR* pName) {
    DWORD pID = GetProcessIDByName(pName);
    vector<HANDLE> ThreadIdentify;
    THREADENTRY32 te;
    te.dwSize = sizeof(te);
    HANDLE h = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (Thread32First(h, &te))
    {
        do
        {
            if (te.th32OwnerProcessID == pID)
            {

                ThreadIdentify.emplace_back((HANDLE)te.th32ThreadID);
            }
        } while (Thread32Next(h, &te));

    }
    CloseHandle(h);
    return ThreadIdentify;
}
*/

#ifdef __cplusplus
extern "C" {
#endif
    // Hook the target process's threads, trying each thread ID until one succeeds
    __declspec(dllexport) void HookStart()
    {
        DWORD pID = GetProcessIDByName(_T(DEF_PROCESS_NAME));
        if (pID == 0) {
            return;   // target process is not running
        }
        vector<DWORD> ThreadIdentify = GetThreadIDByPID(pID);
        for (size_t i = 0; i < ThreadIdentify.size(); ++i)
        {
            g_hHook = SetWindowsHookEx(WH_KEYBOARD, KeyboardProc, g_hInstance, ThreadIdentify[i]);
            if (g_hHook != NULL)
            {
                break;
            }
        }
    }

    __declspec(dllexport) void HookStop()
    {
        if (g_hHook)
        {
            UnhookWindowsHookEx(g_hHook);
            g_hHook = NULL;
        }
    }
#ifdef __cplusplus
}
#endif

Remarks on Thread32First (MSDN):

The calling application must set the dwSize member of THREADENTRY32 to the size, in bytes, of the structure.

Thread32First changes dwSize to the number of bytes written to the structure.

This number is never greater than the initial value of dwSize, but it can be smaller. If the value is smaller, do not rely on the values of members whose offsets are greater than this value.

To retrieve information about other threads recorded in the same snapshot, use the Thread32Next function.

Note: a 32-bit DLL must be injected by a 32-bit program into 32-bit processes; otherwise the program hangs.
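The bitness rule stated in the MSDN remarks and in the note above can be checked before a DLL is ever loaded by reading the Machine field of its PE header. This is an added example, not code from the book or from this post; it parses the header from a memory buffer with no Windows headers, and the minimal PE image it checks is constructed inline rather than read from a real DLL.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PE_MACHINE_I386  0x014c   /* IMAGE_FILE_MACHINE_I386  */
#define PE_MACHINE_AMD64 0x8664   /* IMAGE_FILE_MACHINE_AMD64 */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* IMAGE_FILE_HEADER.Machine of a PE image in memory, or 0 if it is not a well-formed PE;
   every offset is bounds-checked before it is read. */
uint16_t pe_machine(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;   /* IMAGE_DOS_HEADER */
    uint32_t e_lfanew = rd32(img + 0x3c);                         /* offset of "PE\0\0" */
    if (e_lfanew > len || len - e_lfanew < 6) return 0;           /* signature + Machine */
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0) return 0;
    return rd16(img + e_lfanew + 4);
}

/* A hook DLL is loaded into processes of the same bitness as the caller of SetWindowsHookEx,
   so its Machine value must equal the host's. */
int dll_matches_host(const uint8_t *dll, size_t dll_len, uint16_t host_machine)
{
    uint16_t m = pe_machine(dll, dll_len);
    return m != 0 && m == host_machine;
}

/* Constructed minimal header (DOS stub, PE signature, Machine) standing in for a real DLL. */
size_t make_fake_pe(uint8_t *out, size_t cap, uint16_t machine)
{
    if (cap < 0x48) return 0;
    memset(out, 0, 0x48);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3c] = 0x40;                          /* e_lfanew = 0x40 */
    memcpy(out + 0x40, "PE\0\0", 4);
    out[0x44] = (uint8_t)(machine & 0xff);
    out[0x45] = (uint8_t)(machine >> 8);
    return 0x48;
}

/* Would a DLL built for dll_machine load into a host built for host_machine? */
int demo_matches(uint16_t dll_machine, uint16_t host_machine)
{
    uint8_t buf[0x48];
    size_t n = make_fake_pe(buf, sizeof buf, dll_machine);
    return dll_matches_host(buf, n, host_machine);
}

int main(void)
{
    printf("x64 DLL, x64 host: %d\n", demo_matches(PE_MACHINE_AMD64, PE_MACHINE_AMD64));
    printf("x86 DLL, x64 host: %d\n", demo_matches(PE_MACHINE_I386, PE_MACHINE_AMD64));
    return 0;
}
```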