
遇到微软绕道问题

更新时间:2023-02-10 18:28:04

供参考:这个问题已经解决了。要查看哪些进程是32位的,只需按 Ctrl-Alt-Delete 并打开任务管理器;32位进程旁边会标有 *32。我的钩子也已经可以工作了;代码如下。我放弃了 CreateRemoteThread 方法,只使用了一个系统范围的钩子。代码是根据以下资料拼接而成的:



如何使用SetWindowsHookEx和WH_KEYBOARD挂钩外部进程
http://www.codingthewheel.com/archives/how-i-built-a-working-online-poker-bot-4
http://www.codingthewheel.com/archives/how-i-built-a-working-online-poker-bot-7



此程序只是将32位进程中的文本反转(如上面最后一个链接所示)。例如,打开 textpad 并将鼠标悬停在菜单上;菜单文字应该会被反转。



dll:

  #include < windows.h> 
#include< detours.h>
#include< stdio.h>
#include< iostream>
using namespace std;


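// Build setup: when compiled as managed C++ (_MANAGED defined), switch to
// native code generation for what follows.
// NOTE(review): no matching "#pragma managed(pop)" is visible in this listing.
#ifdef _MANAGED
#pragma managed(push, off)
#endif

// Ask the linker to pull in the Detours static library.
// NOTE(review): nothing visible in this listing uses Winsock, so the
// Ws2_32.lib reference looks like a leftover from the send/recv experiment.
#pragma comment( lib, "Ws2_32.lib" )
#pragma comment( lib, "detours.lib" )

// g_hHook is placed in a named data segment called "Shared".
// NOTE(review): data_seg only names the section; it is shared between
// processes only if the linker is also told so (e.g. /SECTION:Shared,RWS),
// which this listing does not show. A shared writable section can be written
// by every process that maps the DLL, so keep nothing sensitive in it.
#pragma data_seg("Shared")
HHOOK   g_hHook  = NULL;
#pragma data_seg()


// Globals
// Module handle of this DLL; stored by DllMain and passed to SetWindowsHookEx.
HINSTANCE  g_hInstance = NULL;


// ExtTextOut - original
// Pointer through which the real ExtTextOut is called; it is the pointer
// handed to DetourAttach/DetourDetach in DllMain.
BOOL (WINAPI * Real_ExtTextOut)(HDC hdc, int X, int Y, UINT options, const RECT* lprc, LPCTSTR text, UINT cbCount, const INT* lpSpacingValues) = ExtTextOut;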

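// ExtTextOut - overridden
// Detour for ExtTextOut: draws a reversed copy of the caller's text and
// returns whatever the real function returned.
//
// Calls that carry no character string are forwarded untouched:
//  - text == NULL or cbCount == 0: the call may still act on the rectangle
//    (for example with ETO_OPAQUE), so it must not be swallowed;
//  - ETO_GLYPH_INDEX: the buffer holds glyph indices, not characters.
//
// The copy takes cbCount 16-bit units from `text`, which is only correct in a
// UNICODE build where LPCTSTR is LPCWSTR.
// NOTE(review): lpSpacingValues is passed through unreversed, and surrogate
// pairs are reversed unit by unit.
BOOL WINAPI Mine_ExtTextOut(HDC hdc, int X, int Y, UINT options, const RECT* lprc, LPCTSTR text, UINT cbCount, const INT* lpSpacingValues)
{
    if (!text || cbCount == 0 || (options & ETO_GLYPH_INDEX))
        return Real_ExtTextOut(hdc, X, Y, options, lprc, text, cbCount, lpSpacingValues);

    // Make a copy of the supplied string. The byte count is computed in
    // SIZE_T and bounded first, so (cch + 1) * sizeof(WCHAR) cannot wrap.
    const SIZE_T cch = cbCount;
    LPWSTR szTemp = NULL;
    if (cch < (SIZE_T)-1 / sizeof(WCHAR))
        szTemp = (LPWSTR)LocalAlloc(LMEM_FIXED, (cch + 1) * sizeof(WCHAR));

    // Allocation failed (or the size was absurd): draw the text unmodified
    // instead of writing through a null pointer inside the host process.
    if (!szTemp)
        return Real_ExtTextOut(hdc, X, Y, options, lprc, text, cbCount, lpSpacingValues);

    memcpy(szTemp, text, cch * sizeof(WCHAR)); // can't use strcpy here
    szTemp[cch] = L'\0'; // append terminating null

    // Reverse exactly the cbCount units that will be drawn.
    for (SIZE_T lo = 0, hi = cch - 1; lo < hi; ++lo, --hi)
    {
        const WCHAR tmp = szTemp[lo];
        szTemp[lo] = szTemp[hi];
        szTemp[hi] = tmp;
    }

    // Pass it on to windows...
    BOOL rv = Real_ExtTextOut(hdc, X, Y, options, lprc, szTemp, cbCount, lpSpacingValues);

    // Cleanup
    LocalFree(szTemp);

    // Report the real outcome so callers still see drawing failures.
    return rv;
}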


// DLLMain
// Loader entry point. On process attach it records the module handle and
// installs the ExtTextOut detour; on process detach it removes the detour.
// Thread attach/detach notifications fall through untouched.
// NOTE(review): none of the Detours return codes are checked, so a failed
// attach goes unnoticed and TRUE is reported to the loader regardless.
BOOL APIENTRY DllMain(HANDLE hModule,DWORD ul_reason_for_call,LPVOID lpReserved)
{
    const bool attaching = (ul_reason_for_call == DLL_PROCESS_ATTACH);
    const bool detaching = (ul_reason_for_call == DLL_PROCESS_DETACH);

    if (attaching)
        g_hInstance = (HINSTANCE) hModule;

    if (attaching || detaching)
    {
        // Both directions use the same transaction; only the middle call differs.
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        if (attaching)
            DetourAttach(&(PVOID&)Real_ExtTextOut, Mine_ExtTextOut);
        else
            DetourDetach(&(PVOID&)Real_ExtTextOut, Mine_ExtTextOut);
        DetourTransactionCommit();
    }

    return TRUE;
}


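// CBT Hook - dll is hooked into all processes (only 32 bit processes on my machine)
// The hook procedure does no filtering of its own: every notification,
// whatever nCode is, goes to the next hook in the chain and that hook's
// result is returned. Returning 0 directly for nCode >= 0 would cut any
// other CBT hook on the system off from these events.
LRESULT CALLBACK CBTProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    return CallNextHookEx(g_hHook, nCode, wParam, lParam);
}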


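// Install hook
// Exported entry point: registers CBTProc as a WH_CBT hook with thread id 0
// (not tied to one thread) and remembers the handle in g_hHook.
// Returns true when SetWindowsHookEx handed back a hook handle.
extern "C" __declspec(dllexport) bool install()
{
    g_hHook = SetWindowsHookEx(WH_CBT, (HOOKPROC) CBTProc, g_hInstance, 0);

    return g_hHook != NULL;
}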


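// Uninstall hook
// Exported entry point: removes the hook registered by install(), if any,
// and clears the stored handle so a second call is a no-op.
extern "C" __declspec(dllexport) void uninstall()
{
    if (g_hHook)
    {
        UnhookWindowsHookEx(g_hHook);
        g_hHook = NULL;
    }
}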

主程序:

  #include< Windows.h> 
#include< stdio.h>
#include< tchar.h>
#include< iostream>
using namespace std;


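// Main
// Test harness: loads the hook DLL, calls its exported install(), waits for
// a key press while the hook is active, then calls uninstall() and unloads
// the DLL. Exits early with 1 when the DLL or its exports cannot be resolved.
int _tmain(int argc, _TCHAR* argv[])
{
    // Load dll
    // NOTE(review): the path is absolute, so the DLL search order is not
    // involved, but it points into a user-writable build directory; whatever
    // file sits there is what gets mapped into other processes by the hook.
    HINSTANCE hinst = LoadLibrary(_T("C:\\Users\\PM\\Documents\\Programs\\C Code\\Test\\DLLTesterFinal\\Debug\\DLLTesterFinal.dll"));

    if (!hinst)
    {
        cout << "LoadLibrary failed: " << GetLastError () << endl;
        return 1;
    }

    // Get functions
    typedef bool (*Install)();
    typedef void (*Uninstall)();
    Install install = (Install) GetProcAddress(hinst, "install");
    Uninstall uninstall = (Uninstall) GetProcAddress(hinst, "uninstall");
    cout << "GetLastError1: " << GetLastError () << endl << endl;

    // A missing export would otherwise be called through a null pointer.
    if (!install || !uninstall)
    {
        cout << "install/uninstall export not found" << endl;
        FreeLibrary(hinst);
        return 1;
    }

    // Install hook
    bool hookInstalledSuccessfully = install ();
    cout << "GetLastError2: " << GetLastError () << endl;
    cout << "Hook installed successfully? " << hookInstalledSuccessfully << endl << endl;

    // At this point, go to a 32-bit process (eg. textpad, chrome) and hover over menus; their text should get reversed
    cout << "Text should now be reversed in 32-bit processes" << endl;
    // NOTE(review): system() goes through the command interpreter; acceptable
    // in a local test harness, not something to keep in shipped code.
    system ("Pause");

    // Uninstall hook
    uninstall();
    cout << endl << "GetLastError3: " << GetLastError () << endl;
    cout << "Done" << endl;
    system ("Pause");

    // Release the reference taken by LoadLibrary.
    FreeLibrary(hinst);
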
return 0;
}

然而,当尝试在一个 Java 应用程序中对 ExtTextOut 进行 detour 时,该 Java 应用程序崩溃了;这一点还需要调查。

I'm trying to do some basic hooking with Microsoft Detours and I can't get it to work. I've used essentially the code that was posted in this thread:

How can I hook Windows functions in C/C++?

but no dice. I updated the send/receive functions in the DLL code to simply log the data to a file, and I tried having the main program hook into the "internet checkers" program, but a log file never gets created, so it appears that the dll wasn't injected.

I'm running Windows 7 64-bit, Visual Studio 10.0, Detours 3.0 (my environment appears to be set up correctly, no issues building or anything). I created a DLL project, pasted in the DLL code from the link above, with send/recv updated as such:

// Append the buffer to a log file in the root of C:.
// NOTE(review): the result of fopen_s is not checked. If the file cannot be
// opened (for example the process has no write access to C:\), pSendLogFile
// is not a usable stream and the fprintf/fclose calls below fail inside the
// hooked process.
// NOTE(review): "%s" treats buf as a NUL-terminated string. Presumably buf is
// the send/recv payload, which is length-delimited rather than terminated, so
// this can read past the end of the buffer; writing exactly the payload's
// byte count would avoid that - confirm against the hook's signature.
FILE * pSendLogFile;
fopen_s(&pSendLogFile, "C:\\SendLog.txt", "a+");
fprintf(pSendLogFile, "%s\n", buf);
fclose(pSendLogFile);

and compiled. Then created another project, pasted in the main code from the link above, set it to look for the chkrzm.exe program (checkers), and hardcoded the DLL path to:

// Hard-coded absolute path of the DLL handed to the injector.
// NOTE(review): a DLL only loads into a process of the same bitness; the
// follow-up on this page points at 32-bit vs 64-bit processes, so check the
// target's bitness against this build first.
fullPath = "C:\\Users\\PM\\Documents\\Programs\\C Code\\Test\\DLLTester2\\Debug\\DLLTester2.dll";

and ran it, but no dice. Any idea why I can't get this to work?

FYI got this solved. To see which processes are 32-bit, just ctrl-alt-delete and go to the task manager; 32-bit processes are listed with *32 next to them. Also got my hook working; here is the code. I abandoned the CreateRemoteThread approach and just used a system-wide hook. I stitched the code together from:

How to hook external process with SetWindowsHookEx and WH_KEYBOARD http://www.codingthewheel.com/archives/how-i-built-a-working-online-poker-bot-4 http://www.codingthewheel.com/archives/how-i-built-a-working-online-poker-bot-7

This program simply reverses text in 32-bit processes (as shown in the last link above). Eg. open up textpad and hover over menus; their text should get reversed.

The dll:

#include <windows.h>
#include <detours.h>
#include <stdio.h>
#include <iostream>
using namespace std;


// Build setup: when compiled as managed C++ (_MANAGED defined), switch to
// native code generation for what follows.
// NOTE(review): no matching "#pragma managed(pop)" is visible in this listing.
#ifdef _MANAGED
#pragma managed(push, off)
#endif

// Ask the linker to pull in the Detours static library.
// NOTE(review): nothing visible in this listing uses Winsock, so the
// Ws2_32.lib reference looks like a leftover from the send/recv experiment.
#pragma comment( lib, "Ws2_32.lib" )
#pragma comment( lib, "detours.lib" )

// g_hHook is placed in a named data segment called "Shared".
// NOTE(review): data_seg only names the section; it is shared between
// processes only if the linker is also told so (e.g. /SECTION:Shared,RWS),
// which this listing does not show. A shared writable section can be written
// by every process that maps the DLL, so keep nothing sensitive in it.
#pragma data_seg("Shared")
HHOOK   g_hHook  = NULL;
#pragma data_seg()


// Globals
// Module handle of this DLL; stored by DllMain and passed to SetWindowsHookEx.
HINSTANCE  g_hInstance = NULL;


// ExtTextOut - original
// Pointer through which the real ExtTextOut is called; it is the pointer
// handed to DetourAttach/DetourDetach in DllMain.
BOOL (WINAPI * Real_ExtTextOut)(HDC hdc, int X, int Y, UINT options, const RECT* lprc, LPCTSTR text, UINT cbCount, const INT* lpSpacingValues) = ExtTextOut;

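// ExtTextOut - overridden
// Detour for ExtTextOut: draws a reversed copy of the caller's text and
// returns whatever the real function returned.
//
// Calls that carry no character string are forwarded untouched:
//  - text == NULL or cbCount == 0: the call may still act on the rectangle
//    (for example with ETO_OPAQUE), so it must not be swallowed;
//  - ETO_GLYPH_INDEX: the buffer holds glyph indices, not characters.
//
// The copy takes cbCount 16-bit units from `text`, which is only correct in a
// UNICODE build where LPCTSTR is LPCWSTR.
// NOTE(review): lpSpacingValues is passed through unreversed, and surrogate
// pairs are reversed unit by unit.
BOOL WINAPI Mine_ExtTextOut(HDC hdc, int X, int Y, UINT options, const RECT* lprc, LPCTSTR text, UINT cbCount, const INT* lpSpacingValues)
{
    if (!text || cbCount == 0 || (options & ETO_GLYPH_INDEX))
        return Real_ExtTextOut(hdc, X, Y, options, lprc, text, cbCount, lpSpacingValues);

    // Make a copy of the supplied string. The byte count is computed in
    // SIZE_T and bounded first, so (cch + 1) * sizeof(WCHAR) cannot wrap.
    const SIZE_T cch = cbCount;
    LPWSTR szTemp = NULL;
    if (cch < (SIZE_T)-1 / sizeof(WCHAR))
        szTemp = (LPWSTR)LocalAlloc(LMEM_FIXED, (cch + 1) * sizeof(WCHAR));

    // Allocation failed (or the size was absurd): draw the text unmodified
    // instead of writing through a null pointer inside the host process.
    if (!szTemp)
        return Real_ExtTextOut(hdc, X, Y, options, lprc, text, cbCount, lpSpacingValues);

    memcpy(szTemp, text, cch * sizeof(WCHAR)); // can't use strcpy here
    szTemp[cch] = L'\0'; // append terminating null

    // Reverse exactly the cbCount units that will be drawn.
    for (SIZE_T lo = 0, hi = cch - 1; lo < hi; ++lo, --hi)
    {
        const WCHAR tmp = szTemp[lo];
        szTemp[lo] = szTemp[hi];
        szTemp[hi] = tmp;
    }

    // Pass it on to windows...
    BOOL rv = Real_ExtTextOut(hdc, X, Y, options, lprc, szTemp, cbCount, lpSpacingValues);

    // Cleanup
    LocalFree(szTemp);

    // Report the real outcome so callers still see drawing failures.
    return rv;
}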


// DLLMain
// Loader entry point. On process attach it records the module handle and
// installs the ExtTextOut detour; on process detach it removes the detour.
// Thread attach/detach notifications fall through untouched.
// NOTE(review): none of the Detours return codes are checked, so a failed
// attach goes unnoticed and TRUE is reported to the loader regardless.
BOOL APIENTRY DllMain( HANDLE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved  )
{
    const bool attaching = (ul_reason_for_call == DLL_PROCESS_ATTACH);
    const bool detaching = (ul_reason_for_call == DLL_PROCESS_DETACH);

    if (attaching)
        g_hInstance = (HINSTANCE) hModule;

    if (attaching || detaching)
    {
        // Both directions use the same transaction; only the middle call differs.
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        if (attaching)
            DetourAttach(&(PVOID&)Real_ExtTextOut, Mine_ExtTextOut);
        else
            DetourDetach(&(PVOID&)Real_ExtTextOut, Mine_ExtTextOut);
        DetourTransactionCommit();
    }

    return TRUE;
}


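// CBT Hook - dll is hooked into all processes (only 32 bit processes on my machine)
// The hook procedure does no filtering of its own: every notification,
// whatever nCode is, goes to the next hook in the chain and that hook's
// result is returned. Returning 0 directly for nCode >= 0 would cut any
// other CBT hook on the system off from these events.
LRESULT CALLBACK CBTProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    return CallNextHookEx(g_hHook, nCode, wParam, lParam);
}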


// Install hook
// Exported entry point: registers CBTProc as a WH_CBT hook with thread id 0
// (not tied to one thread) and remembers the handle in g_hHook.
// Returns true when SetWindowsHookEx handed back a hook handle.
extern "C" __declspec(dllexport) bool install()
{
    HHOOK hNewHook = SetWindowsHookEx(WH_CBT, (HOOKPROC) CBTProc, g_hInstance, 0);
    g_hHook = hNewHook;

    return NULL != hNewHook;
}


// Uninstall hook
// Exported entry point: removes the hook registered by install(), if any,
// and clears the stored handle so a second call is a no-op.
// NOTE(review): the result of UnhookWindowsHookEx is not inspected.
extern "C" __declspec(dllexport) void uninstall()
{
    if (!g_hHook)
        return;   // nothing is installed

    UnhookWindowsHookEx(g_hHook);
    g_hHook = NULL;
}

The main program:

#include <Windows.h>
#include <stdio.h>
#include <tchar.h>
#include <iostream>
using namespace std;


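// Main
// Test harness: loads the hook DLL, calls its exported install(), waits for
// a key press while the hook is active, then calls uninstall() and unloads
// the DLL. Exits with 1 when the DLL or its exports cannot be resolved.
int _tmain(int argc, _TCHAR* argv[])
{
    // Load dll
    // NOTE(review): the path is absolute, so the DLL search order is not
    // involved, but it points into a user-writable build directory; whatever
    // file sits there is what gets mapped into other processes by the hook.
    HINSTANCE hinst = LoadLibrary(_T("C:\\Users\\PM\\Documents\\Programs\\C Code\\Test\\DLLTesterFinal\\Debug\\DLLTesterFinal.dll")); 

    if (!hinst)
    {
        cout << "LoadLibrary failed: " << GetLastError () << endl;
        return 1;
    }

    // Get functions
    typedef bool (*Install)();
    typedef void (*Uninstall)();
    Install install = (Install) GetProcAddress(hinst, "install");
    Uninstall uninstall = (Uninstall) GetProcAddress(hinst, "uninstall");
    cout << "GetLastError1: " << GetLastError () << endl << endl;

    // A missing export would otherwise be called through a null pointer.
    if (!install || !uninstall)
    {
        cout << "install/uninstall export not found" << endl;
        FreeLibrary(hinst);
        return 1;
    }

    // Install hook
    bool hookInstalledSuccessfully = install ();
    cout << "GetLastError2: " << GetLastError () << endl;
    cout << "Hook installed successfully? " << hookInstalledSuccessfully << endl << endl;

    // At this point, go to a 32-bit process (eg. textpad, chrome) and hover over menus; their text should get reversed
    cout << "Text should now be reversed in 32-bit processes" << endl;
    // NOTE(review): system() goes through the command interpreter; acceptable
    // in a local test harness, not something to keep in shipped code.
    system ("Pause");

    // Uninstall hook
    uninstall();
    cout << endl << "GetLastError3: " << GetLastError () << endl;
    cout << "Done" << endl;
    system ("Pause");

    // Release the reference taken by LoadLibrary.
    FreeLibrary(hinst);

    return 0;
}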

However upon trying to detour ExtTextOut in a java application, the java app crashes; need to investigate that.