How to call a function in an injected DLL

Date: 2015-04-29 12:46:44

Tags: c++

I am trying to use an injected dll to get keyboard messages from another process, but I don't know where in my own program I must call the function. This is my injected dll function:

    #include <windows.h>
    #include <stdio.h>

    // Globals shared by the hook code (the post uses them but does not show their definitions)
    HINSTANCE hInst = NULL;   // module handle of this DLL
    HHOOK hkb = NULL;         // handle returned by SetWindowsHookEx
    BOOL __declspec(dllexport) __stdcall installhook(void);

    // this is my dll main function
    BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
    {
        /* open file */
        FILE *file = NULL;
        if (fopen_s(&file, "d:\\dll\\temp.txt", "a+") != 0) {
            file = NULL;   // fprintf on a NULL FILE* would crash, so write nothing if the open failed
        }

        switch (ul_reason_for_call) {
        case DLL_PROCESS_ATTACH:
            hInst = (HINSTANCE)hModule;
            // should the function call be here????
            installhook();
            break;
        case DLL_PROCESS_DETACH:
            if (file) fprintf(file, "DLL detach function called.\n");
            break;
        case DLL_THREAD_ATTACH:
            if (file) fprintf(file, "DLL thread attach function called.\n");
            break;
        case DLL_THREAD_DETACH:
            if (file) fprintf(file, "DLL thread detach function called.\n");
            break;
        }
        /* close file */
        if (file) fclose(file);
        return TRUE;
    }

This is my installhook function, which installs KeyboardProc to do the processing:

    BOOL __declspec(dllexport) __stdcall installhook(void)
    {
        // hInst is the DLL's own module handle, saved in DllMain
        hkb = SetWindowsHookEx(WH_KEYBOARD, (HOOKPROC)KeyboardProc, hInst, GetCurrentThreadId());
        return TRUE;
    }

This is the body of my KeyboardProc function:

    LRESULT __declspec(dllexport) __stdcall CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
    {
        MessageBoxA(nullptr, "key touched\n", "DLL_PROCESS_ATTACH", MB_OK | MB_ICONWARNING);
        // bit 30 of lParam is the previous key state; only act on HC_ACTION
        if ((HC_ACTION == nCode) && ((DWORD)lParam & 0x40000000))
        {
            if ((wParam == VK_SPACE) || (wParam == VK_RETURN) || ((wParam >= 0x2f) && (wParam <= 0x100)))
            {
                FILE *file = NULL;
                if (fopen_s(&file, "d:\\dll\\temp.txt", "a+") == 0 && file != NULL)
                {
                    // the original wrote nCode + ".\n", which is pointer arithmetic on a
                    // string literal rather than formatting; use a format string instead
                    fprintf(file, "%d.\n", nCode);
                    fclose(file);   // the original never closed the file
                }
            }
        }
        return CallNextHookEx(hkb, nCode, wParam, lParam);
    }

Finally, this is my main program, which injects the dll into the target process:

    // buffer: NUL-terminated path of the DLL to load; its definition is not shown in the post
    int procID = 9448;
    HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);
    if (process == NULL) {
        printf("Error: the specified process couldn't be found.\n");
    }

    /*
    * Get address of the LoadLibrary function.
    */
    LPVOID addr = (LPVOID)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA");
    if (addr == NULL) {
        printf("Error: the LoadLibraryA function was not found inside kernel32.dll library.\n");
    }

    /*
    * Allocate new memory region inside the process's address space.
    */
    LPVOID arg = (LPVOID)VirtualAllocEx(process, NULL, strlen(buffer), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (arg == NULL) {
        printf("Error: the memory could not be allocated inside the chosen process.\n");
    }

    /*
    * Write the argument to LoadLibraryA to the process's newly allocated memory region.
    */
    int n = WriteProcessMemory(process, arg, buffer, strlen(buffer), NULL);
    if (n == 0) {
        printf("Error: there was no bytes written to the process's address space.\n");
    }

    cout << procID << "\nhandle:" << process << "\nAddress:" << addr << "\nVirtualArg:" << arg << "\nWM:"<<n<<"\n";


    /*
    * Inject our DLL into the process's address space.
    */
    HANDLE threadID = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)addr, arg, NULL, NULL);
    if (threadID == NULL) {
        printf("Error: the remote thread could not be created.\n");
    }
    else {
        printf("Success: the remote thread was successfully created.\n");
    }

    /*
    * Close the handle to the process, because we've already injected the DLL.
    */
    CloseHandle(process);

What is wrong with my code, and what must I change to get the result I want?

1 answer:

Answer 0 (score: 1)

Yes, it can be called from DLL_PROCESS_ATTACH. But according to msdn:

    hMod [in] Type: HINSTANCE. A handle to the DLL containing the hook procedure pointed to by the lpfn parameter. The hMod parameter must be set to NULL if the dwThreadId parameter specifies a thread created by the current process and if the hook procedure is within the code associated with the current process.

So change hMod to NULL:

    hkb = SetWindowsHookEx(WH_KEYBOARD, (HOOKPROC)KeyboardProc, NULL, GetCurrentThreadId());