关于HOOK的问题。用SetWindowsHookEx把一个DLL插入一个进程后，怎样取得这个DLL里面的函数在被插入的进程里面的地址？谢谢。
楼上的应该是一个可行的办法，只要是dll里的public函数都应该可以得到的。
#include <windows.h>#include <process.h>//#include <>typedef struct _RemotePara{//参数结构 char pMessageBox[12]; DWORD dwMessageBox;}RemotePara;//远程线程DWORD __stdcall ThreadProc (RemotePara *lpPara){ typedef int (__stdcall *MMessageBoxA)(HWND,LPCTSTR,LPCTSTR,DWORD);//定义MessageBox函数 MMessageBoxA myMessageBoxA; myMessageBoxA =(MMessageBoxA) lpPara->dwMessageBox ;//得到函数入口地址 myMessageBoxA(NULL,lpPara->pMessageBox ,lpPara->pMessageBox,0);//call return 0;}void EnableDebugPriv();//提升应用级调试权限int main(int argc, char* argv[]){ const DWORD THREADSIZE=1024*4; DWORD byte_write; EnableDebugPriv();//提升权限 HANDLE hWnd = ::OpenProcess (PROCESS_ALL_ACCESS,FALSE,2324); //3272为当前进程ID号,可通过CreateToolHelp32Snapshot/Process32First/Process32Next 或 EnumProcess等 if(!hWnd) return 0; void *pRemoteThread =::VirtualAllocEx(hWnd,0,THREADSIZE,MEM_COMMIT| MEM_RESERVE,PAGE_EXECUTE_READWRITE); if(!pRemoteThread)return 0; if(!::WriteProcessMemory(hWnd,pRemoteThread,&ThreadProc,THREADSIZE,0)) return 0; //再付值 RemotePara myRemotePara; ::ZeroMemory(&myRemotePara,sizeof(RemotePara)); HINSTANCE hUser32 = ::LoadLibrary ("user32.dll"); myRemotePara.dwMessageBox =(DWORD) ::GetProcAddress (hUser32 , "MessageBoxA"); strcat(myRemotePara.pMessageBox,"hello\0"); //写进目标进程 RemotePara *pRemotePara =(RemotePara *) ::VirtualAllocEx (hWnd ,0,sizeof(RemotePara),MEM_COMMIT,PAGE_READWRITE);//注意申请空间时的页面属性 if(!pRemotePara) return 0; if(!::WriteProcessMemory (hWnd ,pRemotePara,&myRemotePara,sizeof myRemotePara,0)) return 0; //启动线程 HANDLE hThread = ::CreateRemoteThread (hWnd ,0,0,(DWORD (__stdcall *)(void *))pRemoteThread ,pRemotePara,0,&byte_write); if(!hThread) { return 0; } return 0;}//提升权限void EnableDebugPriv( void ){ HANDLE hToken; LUID sedebugnameValue; TOKEN_PRIVILEGES tkp; if ( ! 
OpenProcessToken( GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) ) return; if ( ! LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue ) ) { CloseHandle( hToken ); return; } tkp.PrivilegeCount = 1; tkp.Privileges[0].Luid = sedebugnameValue; tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if ( ! AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL ) ) CloseHandle( hToken );}
#include <windows.h>
#include <process.h>
#include <cstring>
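// #include <>   (empty include left over from the original post; nothing is included here)

// Parameter block handed to the remote thread. main() copies it into the
// target process with WriteProcessMemory and ThreadProc reads it there via
// lpPara, so the text is stored inline rather than as a pointer into this
// process. DWORD is 32 bits wide, so this layout assumes a 32-bit build.
typedef struct _RemotePara
{
    char  pMessageBox[12];  // NUL-terminated text, used as both caption and body of the message box
    DWORD dwMessageBox;     // address of MessageBoxA, cast to DWORD by main()
} RemotePara;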
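// Remote thread body. main() copies the raw bytes of this function into the
// target process and starts them there, so nothing in here refers to this
// process: the only external call goes through the address carried in lpPara.
// Any edit to this body changes the machine code that gets copied.
DWORD __stdcall ThreadProc (RemotePara *lpPara)
{
    typedef int (__stdcall *MMessageBoxA)(HWND,LPCTSTR,LPCTSTR,DWORD); // MessageBoxA's signature
    MMessageBoxA myMessageBoxA;
    myMessageBoxA =(MMessageBoxA) lpPara->dwMessageBox ; // entry point resolved by the injector
    myMessageBoxA(NULL,lpPara->pMessageBox ,lpPara->pMessageBox,0); // same text as caption and body
    return 0;
}

void EnableDebugPriv(); // enables SeDebugPrivilege for this process (defined below)

// Demonstrates the classic remote-thread injection sequence against the
// process with the hard-coded PID below: enable SeDebugPrivilege, open the
// target, copy ThreadProc and its parameter block into it with
// VirtualAllocEx/WriteProcessMemory, then run the copy via CreateRemoteThread.
// This exact API sequence is what endpoint monitoring is built to flag
// (e.g. Sysmon event 8, CreateRemoteThread), so expect it to be logged or blocked.
// Returns 0 on every path; failures are not reported to the caller.
int main(int argc, char* argv[])
{
    const DWORD THREADSIZE=1024*4; // bytes copied starting at ThreadProc -- far more than the function itself
    DWORD remoteThreadId;          // receives the id of the thread created in the target
    EnableDebugPriv();

    // 2324 is the target's process id and must be replaced for each run; it can be
    // looked up with CreateToolhelp32Snapshot/Process32First/Process32Next or EnumProcesses.
    HANDLE hProcess = ::OpenProcess (PROCESS_ALL_ACCESS,FALSE,2324);
    if(!hProcess)
        return 0;

    // Executable page in the target that receives a copy of ThreadProc.
    void *pRemoteThread =::VirtualAllocEx(hProcess,0,THREADSIZE,MEM_COMMIT| MEM_RESERVE,PAGE_EXECUTE_READWRITE);
    if(!pRemoteThread)
    {
        ::CloseHandle(hProcess);
        return 0;
    }
    if(!::WriteProcessMemory(hProcess,pRemoteThread,&ThreadProc,THREADSIZE,0))
    {
        ::CloseHandle(hProcess);
        return 0;
    }

    // Fill in the parameter block. The MessageBoxA address is taken from this
    // process, which only works if user32.dll is mapped at the same address in
    // the target.
    RemotePara myRemotePara;
    ::ZeroMemory(&myRemotePara,sizeof(RemotePara));
    HINSTANCE hUser32 = ::LoadLibrary ("user32.dll");
    if(!hUser32)
    {
        // Without the address the remote thread would call through NULL and crash the target.
        ::CloseHandle(hProcess);
        return 0;
    }
    myRemotePara.dwMessageBox =(DWORD) ::GetProcAddress (hUser32 , "MessageBoxA");
    ::FreeLibrary(hUser32); // only the address is needed; drop our reference
    strcat(myRemotePara.pMessageBox,"hello\0"); // buffer was zeroed above and "hello" fits in its 12 bytes

    // Copy the parameter block into the target; it only needs a read/write page.
    RemotePara *pRemotePara =(RemotePara *) ::VirtualAllocEx (hProcess ,0,sizeof(RemotePara),MEM_COMMIT,PAGE_READWRITE);
    if(!pRemotePara)
    {
        ::CloseHandle(hProcess);
        return 0;
    }
    if(!::WriteProcessMemory (hProcess ,pRemotePara,&myRemotePara,sizeof myRemotePara,0))
    {
        ::CloseHandle(hProcess);
        return 0;
    }

    // Start the copied ThreadProc in the target with pRemotePara as its argument.
    HANDLE hThread = ::CreateRemoteThread (hProcess ,0,0,(DWORD (__stdcall *)(void *))pRemoteThread ,pRemotePara,0,&remoteThreadId);
    if(hThread)
        ::CloseHandle(hThread); // the thread keeps running in the target; only our handle is released
    ::CloseHandle(hProcess);
    return 0;
}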
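// Enable SeDebugPrivilege in this process's token so OpenProcess(PROCESS_ALL_ACCESS)
// can reach processes owned by other users. The privilege can only be enabled if it
// is already present (disabled) in the token, which is normally the case for
// administrators only; it cannot be added here. Silent on failure: a missing
// privilege shows up later as a failing OpenProcess in main().
void EnableDebugPriv( void )
{
    HANDLE hToken;
    LUID sedebugnameValue;
    TOKEN_PRIVILEGES tkp;
    if ( ! OpenProcessToken( GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
        return;
    if ( LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue ) )
    {
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Luid = sedebugnameValue;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // A TRUE return only means the call was accepted; GetLastError() ==
        // ERROR_NOT_ALL_ASSIGNED would mean the privilege is not in the token.
        AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL );
    }
    CloseHandle( hToken ); // closed on every path; the original leaked it when AdjustTokenPrivileges succeeded
}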