RT:新手不明白,请高手解答下!
--------------------------------------注入程序-------------------------------------------
#include <Windows.h>
#include <stdlib.h>
#include <malloc.h>
#include <memory.h>
#include <tchar.h>
void debug(const char * name);
BOOL inDLL(const char *path,const HANDLE hnd);
/*
 * Program entry point.
 * Builds "<current directory>\a.exe", starts it suspended, resumes it
 * immediately, waits up to 1000 ms for it to become idle and then hands
 * its process handle to inDLL() to load the hard-coded DLL path.
 * Not one return value in this function is checked: if a.exe cannot be
 * started, pi is used uninitialized by ResumeThread / WaitForInputIdle /
 * inDLL. The handles in pi are never closed (the process exits instead).
 */
int WINAPI WinMain(
HINSTANCE hInstance,
HINSTANCE hprevInstance,
LPSTR lpCmdLine,
int nShowCmd)
{
char mzpath[MAX_PATH]={0};
STARTUPINFO si; // startup parameters for the child process
memset(&si, 0, sizeof(STARTUPINFO)); // zero every field; wShowWindow therefore stays 0 (SW_HIDE) even though STARTF_USESHOWWINDOW is set below
si.cb = sizeof(STARTUPINFO);
si.dwFlags = STARTF_USESHOWWINDOW;
si.cb = sizeof(STARTUPINFO); // duplicates the two assignments above; harmless but redundant
si.dwFlags = STARTF_USESHOWWINDOW;
PROCESS_INFORMATION pi; // not zeroed: only meaningful if CreateProcess succeeds
GetCurrentDirectoryA(MAX_PATH,mzpath);// current working directory (not necessarily the directory this executable lives in)
char mzfilename[]="\\a.exe";
strcat(mzpath,mzfilename);// unbounded append: overflows mzpath when the directory string is within 7 bytes of MAX_PATH
// start the process suspended; the very next call resumes it, so the suspension has no effect here
CreateProcess(NULL, mzpath, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si ,&pi);
// let the primary thread run
ResumeThread(pi.hThread);
// wait at most 1000 ms for the child to finish initializing
WaitForInputIdle(pi.hProcess, 1000);
// load the DLL into the child; the absolute path is hard-coded and must exist on this machine
inDLL("F:\\windows开发\\regdll\\release\\regdll.dll",pi.hProcess);
// terminate without closing pi.hProcess / pi.hThread
exit(0);
return 0; // unreachable after exit(0)
}
/****************************************************************/
/* 权限提升 */
/****************************************************************/
/*
 * Enables the named privilege (the caller passes SE_DEBUG_NAME) in the
 * current process token.
 * Every API result is ignored: if OpenProcessToken or
 * LookupPrivilegeValueA fails, hToken / luid are used uninitialized, and
 * AdjustTokenPrivileges may return TRUE while setting
 * ERROR_NOT_ALL_ASSIGNED (e.g. when the caller is not an administrator),
 * which is never examined. The caller cannot tell whether the privilege
 * was actually enabled.
 */
void debug(const char * name)
{
HANDLE hToken;// process token; uninitialized if OpenProcessToken fails
TOKEN_PRIVILEGES tp;// one-entry privilege array
LUID luid;// uninitialized if LookupPrivilegeValueA fails
OpenProcessToken(
GetCurrentProcess(),// pseudo-handle for the current process; needs no CloseHandle
TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,
&hToken);
// map the privilege name to its LUID on this system
LookupPrivilegeValueA(NULL,name,&luid);
tp.PrivilegeCount=1;
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;// request the privilege be turned on
tp.Privileges[0].Luid=luid;
// apply the change; return value and GetLastError are not checked
AdjustTokenPrivileges(hToken,0,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL);
CloseHandle(hToken);
return ;
}
/****************************************************************/
/* 插入DLL */
/****************************************************************/
/*
 * Loads the DLL at `path` into the process `hnd` by the remote-thread
 * method: allocate a buffer in the target, copy the path string into it,
 * and start a thread in the target at LoadLibraryA with that buffer as
 * its argument.
 * The cross-process VirtualAllocEx / WriteProcessMemory /
 * CreateRemoteThread sequence is the textbook injection pattern and is
 * exactly what endpoint-protection and EDR tooling raises alerts on.
 * None of the four API calls is checked, and the function always returns
 * TRUE, so a failed allocation (dllLib == NULL) or a failed thread
 * creation is silently reported as success.
 */
BOOL inDLL(const char *path,const HANDLE hnd)
{
debug(SE_DEBUG_NAME);// enable SeDebugPrivilege in this process first
// allocate lstrlen(path)+1 bytes in the target's address space for the path string; NULL on failure is not checked
char *dllLib=(char *)VirtualAllocEx(hnd,NULL,lstrlenA(path)+1,MEM_COMMIT,PAGE_READWRITE);
// copy the NUL-terminated path into the remote buffer
WriteProcessMemory(hnd,dllLib,(void *) path,lstrlenA(path)+1,NULL);
// address of LoadLibraryA in this process's kernel32; the code assumes it is the same in the target (only holds when both are the same bitness)
PTHREAD_START_ROUTINE mstat=(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("kernel32.dll"),"LoadLibraryA");
// start the remote thread; its handle is discarded, never waited on or closed
CreateRemoteThread(hnd,NULL,0,mstat,dllLib,0,NULL);
return TRUE;// unconditional: callers cannot distinguish success from failure
}
--------------------------------------------------------------------------------------------------
主程序主要是启动一个本地程序（当前目录下的 a.exe），并将 DLL 注入进去。
---------------------------------------dll程序---------------------------------------------------
#include <Windows.h>
#include <stdlib.h>
#include <malloc.h>
#include <memory.h>
#include <tchar.h>
void WINAPI HOOK();
LRESULT CALLBACK HOOKCL(int a,WPARAM wp,LPARAM lp);
HINSTANCE hmodule;// this DLL's module handle, saved in DllMain for SetWindowsHookEx
static HHOOK myhook=NULL;// hook handle from SetWindowsHookEx; NULL until HOOK() runs, never passed to UnhookWindowsHookEx
/*
 * DLL entry point. On DLL_PROCESS_ATTACH it saves the module handle and
 * spawns a thread that runs HOOK(); the other reasons do nothing.
 * Notes on the CreateThread call:
 *  - it runs while the loader lock is held, which the DllMain
 *    documentation advises against; the new thread cannot start until
 *    this DllMain returns;
 *  - the thread handle is discarded;
 *  - NULL is passed for the integer dwStackSize and dwCreationFlags
 *    parameters (0 is what is meant);
 *  - HOOK is `void WINAPI HOOK()` but is cast to LPTHREAD_START_ROUTINE,
 *    whose expected signature is DWORD WINAPI (*)(LPVOID).
 */
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
hmodule=hModule;
CreateThread(NULL,NULL,(LPTHREAD_START_ROUTINE)HOOK,NULL,NULL,NULL);
// start the hook installer on its own thread
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
#ifdef _MANAGED
#pragma managed(pop)
#endif
/*
 * Installs a WH_KEYBOARD hook with HOOKCL as the procedure, sleeps 1000 ms
 * and returns. The result of SetWindowsHookEx is stored in myhook but not
 * checked for NULL, and nothing in this DLL ever calls
 * UnhookWindowsHookEx, so the hook is never explicitly removed.
 */
void WINAPI HOOK()
{
myhook=SetWindowsHookEx(
WH_KEYBOARD,// hook type
(HOOKPROC)HOOKCL,// hook procedure
hmodule,// instance handle of the DLL that contains the hook procedure
0);// thread id to monitor; 0 = all threads on the current desktop
// the return value is the hook handle (NULL on failure)
// UnhookWindowsHookEx takes exactly one argument: the hook handle to remove
//WaitForInputIdle(myhook, 1000);
Sleep(1000);// wait 1000 ms (Sleep takes milliseconds, not seconds as the original comment said)
}
/*
 * WH_KEYBOARD hook procedure. a is the hook code, wp the virtual-key
 * code, lp the key-stroke flags. When a == HC_ACTION and bit 30 of lp is
 * set, pressing '1' or '2' pops up a MessageBoxA; the switch has no
 * default, so every other key falls through. The message box is modal
 * and is shown from inside the hook procedure, so the hooked thread is
 * blocked until it is dismissed. Every message is then forwarded with
 * CallNextHookEx.
 */
LRESULT CALLBACK HOOKCL(int a,WPARAM wp,LPARAM lp)
{
// hook procedure (any name is allowed); the meaning of the three parameters depends on the hook type
if(((DWORD)lp&0x40000000)&&(HC_ACTION==a))
{
switch(wp)
{
case '1':
MessageBoxA(NULL,"1","HOOK",0);
break;
case '2':
MessageBoxA(NULL,"2","HOOK",0);
break;
}
}
return CallNextHookEx(myhook, a, wp, lp );
}
----------------------------------------------------------------------------------------------
程序非常简单!调试也通过了!不过问题来了!
HOOK() 函数中调用 SetWindowsHookEx 之后，如果不等待 1000 毫秒，那就什么也 HOOK 不到！
可是就算 Sleep(1000) 之后，也只能获取到一次键盘输入，第二次敲击键盘就没有反应了！
不明白这是为什么?