远程注入DLL部分


// InjectTestDlg.h : 头文件
//#pragma once
#include "UUBaseDefine.h"// CInjectTestDlg 对话框
class CInjectTestDlg : public CDialogEx
{
// Construction
public:
    CInjectTestDlg(CWnd* pParent = NULL);   // standard constructor

// Dialog data
#ifdef AFX_DESIGN_TIME
    enum { IDD = IDD_INJECTTEST_DIALOG };
#endif

protected:
    virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV support

// Implementation
protected:
    HICON m_hIcon;
    // Process ids collected by injectByProcessName(); fixed capacity of 100
    // entries, the same constant clearProcessID() uses when zeroing it.
    DWORD m_processIDAry[100];
    // Number of valid entries at the front of m_processIDAry.
    int m_processCount;
    // Full path of the DLL whose name is written into each target process
    // (set in OnInitDialog, read in injectByProcessID).
    RefString m_dllPath;

    // Generated message map functions
    virtual BOOL OnInitDialog();
    afx_msg void OnSysCommand(UINT nID, LPARAM lParam);
    afx_msg void OnPaint();
    afx_msg HCURSOR OnQueryDragIcon();
    DECLARE_MESSAGE_MAP()

    // Reset m_processIDAry / m_processCount.
    void clearProcessID();
    // Collect every running process named procesName, then call
    // injectByProcessID() for each of them.
    void injectByProcessName(const WCHAR* procesName);
    // Run loadLibraryFunction in process processID with m_dllPath as argument.
    void injectByProcessID(DWORD processID, PTHREAD_START_ROUTINE loadLibraryFunction);
    // Unload the DLL from every process recorded in m_processIDAry.
    void uninjectAllProcess();
public:
    afx_msg void OnBnClickedInject();
    afx_msg void OnBnClickedUninject();
    // Show data in a modal message box.
    void log(const WCHAR* data);
};

// InjectTestDlg.cpp : 实现文件
//#include "stdafx.h"
#include "InjectTest.h"
#include "InjectTestDlg.h"
#include "afxdialogex.h"
#include "UUBaseDefine.h"
#include <shlwapi.h>
#include <Tlhelp32.h>#ifdef _DEBUG
#define new DEBUG_NEW
#endif

// CAboutDlg dialog used for the application's "About" menu item
class CAboutDlg : public CDialogEx
{
public:
    CAboutDlg();

// Dialog data
#ifdef AFX_DESIGN_TIME
    enum { IDD = IDD_ABOUTBOX };
#endif

protected:
    virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV support

// Implementation
protected:
    DECLARE_MESSAGE_MAP()
};

CAboutDlg::CAboutDlg() : CDialogEx(IDD_ABOUTBOX)
{
}

void CAboutDlg::DoDataExchange(CDataExchange* pDX)
{
    CDialogEx::DoDataExchange(pDX);
}

BEGIN_MESSAGE_MAP(CAboutDlg, CDialogEx)
END_MESSAGE_MAP()

// CInjectTestDlg dialog

CInjectTestDlg::CInjectTestDlg(CWnd* pParent /*=NULL*/)
    : CDialogEx(IDD_INJECTTEST_DIALOG, pParent)
{
    // The icon is shared by OnPaint() and OnQueryDragIcon().
    m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
}

void CInjectTestDlg::DoDataExchange(CDataExchange* pDX)
{
    CDialogEx::DoDataExchange(pDX);
}

// The two buttons map to the inject / uninject handlers; the remaining
// entries are the standard dialog icon handlers.
BEGIN_MESSAGE_MAP(CInjectTestDlg, CDialogEx)
    ON_WM_SYSCOMMAND()
    ON_WM_PAINT()
    ON_WM_QUERYDRAGICON()
    ON_BN_CLICKED(ID_INJECT, &CInjectTestDlg::OnBnClickedInject)
    ON_BN_CLICKED(ID_UNINJECT, &CInjectTestDlg::OnBnClickedUninject)
END_MESSAGE_MAP()

// CInjectTestDlg message handlers
//
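// Enable one named privilege on the access token of hProcess.
//
// Returns true only when the privilege was actually enabled. The previous
// version reported success as soon as the token could be opened, which hid
// failures of LookupPrivilegeValue and of AdjustTokenPrivileges (the latter
// returns TRUE with ERROR_NOT_ALL_ASSIGNED when the privilege is not held),
// and it never closed the token handle.
//
bool AdjustProcessPrivileges(HANDLE hProcess, LPCTSTR PrivilegeName)
{
    HANDLE hToken = NULL;
    // Obtain the token handle of the process.
    if (!OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return false;
    }

    bool bRet = false;
    TOKEN_PRIVILEGES tkp = { 0 };
    // Resolve the privilege name to its LUID on the local machine.
    if (LookupPrivilegeValue(NULL, PrivilegeName, &tkp.Privileges[0].Luid))
    {
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // AdjustTokenPrivileges reports TRUE even when nothing was assigned;
        // the real outcome is in GetLastError().
        if (AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), (PTOKEN_PRIVILEGES)NULL, 0))
        {
            bRet = (GetLastError() == ERROR_SUCCESS);
        }
    }

    CloseHandle(hToken);
    return bRet;
}

// Dialog initialisation: system menu, icons, default target name, privilege
// adjustment and the path of the DLL to use.
BOOL CInjectTestDlg::OnInitDialog()
{
    CDialogEx::OnInitDialog();

    // Add the "About..." menu item to the system menu.
    // IDM_ABOUTBOX must be in the system command range.
    ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
    ASSERT(IDM_ABOUTBOX < 0xF000);

    CMenu* pSysMenu = GetSystemMenu(FALSE);
    if (pSysMenu != NULL)
    {
        CString strAboutMenu;
        const BOOL bNameValid = strAboutMenu.LoadString(IDS_ABOUTBOX);
        ASSERT(bNameValid);
        if (!strAboutMenu.IsEmpty())
        {
            pSysMenu->AppendMenu(MF_SEPARATOR);
            pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu);
        }
    }

    // Set the icon for this dialog. The framework does this automatically
    // when the application's main window is not a dialog.
    SetIcon(m_hIcon, TRUE);     // big icon
    SetIcon(m_hIcon, FALSE);    // small icon

    // Pre-fill the process-name edit box. GetDlgItem returns NULL when the
    // control id is missing from the dialog template, so guard the call.
    CWnd* hWnd = GetDlgItem(ID_EDIT);
    //hWnd->SetWindowTextW(L"WindowsHookTest.exe");
    if (hWnd != NULL)
    {
        hWnd->SetWindowTextW(L"chrome.exe");
    }

    // Adjust privileges; the user is told when this does not succeed.
    if (!AdjustProcessPrivileges(GetCurrentProcess(), L"UUDebugPrivilege"))
    {
        MessageBoxW(L"提权失败", L"提示", MB_OK);
    }
    clearProcessID();
    m_dllPath = WKFileUtil::getFilePath(L"HookDLL.dll");
    return TRUE;  // return TRUE unless you set the focus to a control
}

// Route the "About" system command to CAboutDlg, everything else to the base.
void CInjectTestDlg::OnSysCommand(UINT nID, LPARAM lParam)
{
    if ((nID & 0xFFF0) == IDM_ABOUTBOX)
    {
        CAboutDlg dlgAbout;
        dlgAbout.DoModal();
    }
    else
    {
        CDialogEx::OnSysCommand(nID, lParam);
    }
}

// If you add a minimize button to your dialog, you will need the code below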
//  to draw the icon. For MFC applications using the document/view model,
//  this is automatically done for you by the framework.
void CInjectTestDlg::OnPaint()
{
    if (!IsIconic())
    {
        CDialogEx::OnPaint();
        return;
    }

    CPaintDC dc(this); // device context for painting
    SendMessage(WM_ICONERASEBKGND, reinterpret_cast<WPARAM>(dc.GetSafeHdc()), 0);

    // Center the icon in the client rectangle.
    CRect clientRect;
    GetClientRect(&clientRect);
    const int iconWidth = GetSystemMetrics(SM_CXICON);
    const int iconHeight = GetSystemMetrics(SM_CYICON);
    const int left = (clientRect.Width() - iconWidth + 1) / 2;
    const int top = (clientRect.Height() - iconHeight + 1) / 2;

    // Draw the icon.
    dc.DrawIcon(left, top, m_hIcon);
}

// The system calls this function to obtain the cursor to display while the
// user drags the minimized window.
HCURSOR CInjectTestDlg::OnQueryDragIcon()
{
    return static_cast<HCURSOR>(m_hIcon);
}

// Forget every recorded process id.
void CInjectTestDlg::clearProcessID()
{
    // 100 mirrors the array size declared in the header.
    memset(m_processIDAry, 0, sizeof(DWORD) * 100);
    m_processCount = 0;
}

// Find every running process whose executable name equals procesName
// (case-insensitive), record its id in m_processIDAry, then inject each one.
// m_processCount is not reset here; OnBnClickedInject() relies on
// uninjectAllProcess() having cleared it first.
void CInjectTestDlg::injectByProcessName(const WCHAR* procesName)
{
    PROCESSENTRY32 pe;
    HANDLE thSnapshot;
    const char *pPName = NULL;        // unused
    BOOL retval, bFind = false;       // bFind is unused
    thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (thSnapshot == INVALID_HANDLE_VALUE)
        return;
    pe.dwSize = sizeof(PROCESSENTRY32);
    retval = Process32First(thSnapshot, &pe);
    while (retval)
    {
        RefString name = new WKString(pe.szExeFile);
        if (name->equalsIgnoreCase(procesName))
        {
            // NOTE(review): no bound check against the 100-entry capacity of
            // m_processIDAry; more matching processes than that would write
            // past the array.
            m_processIDAry[m_processCount] = pe.th32ProcessID;
            m_processCount++;
        }
        retval = Process32Next(thSnapshot, &pe);
        pe.dwSize = sizeof(PROCESSENTRY32);
    }
    if (thSnapshot)
        CloseHandle(thSnapshot);
    if (m_processCount == 0)
    {
        log(L"目标程序还没有打开");
        return;
    }
    // The remote thread entry point is kernel32!LoadLibraryW, resolved in
    // this process; the same address is assumed to be valid in the targets.
    PTHREAD_START_ROUTINE function = NULL;
    function = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryW");
    if (function == NULL)
    {
        log(L"找到函数LoadLibraryW错误");
        return;
    }
    for (int i = 0; i < m_processCount; i++)
    {
        injectByProcessID(m_processIDAry[i], function);
    }
}

// Write m_dllPath into process processID and run loadLibraryFunction there
// with that buffer as its argument, waiting until the remote thread ends.
void CInjectTestDlg::injectByProcessID(DWORD processID, PTHREAD_START_ROUTINE loadLibraryFunction)
{
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, processID); //CREATE_THREAD_ACCESS
    if (!hProcess)
    {
        log(L"OpenProcess错误");
        return;
    }
    // Size of the path in bytes, including the terminating NUL.
    int size = (m_dllPath->length() + 1) * sizeof(WCHAR);
    // NOTE(review): the allocation result is not checked; a NULL newBuf goes
    // straight into WriteProcessMemory below.
    LPVOID newBuf = VirtualAllocEx(hProcess, NULL, size, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    BOOL success = WriteProcessMemory(hProcess, (LPVOID)newBuf, (LPVOID)m_dllPath->chars(), size, NULL);
    if (!success)
    {
        // NOTE(review): hProcess (and the remote allocation) are not released
        // on this early return.
        log(L"WriteProcessMemory错误");
        return;
    }
    DWORD threadID = 0;
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, NULL, loadLibraryFunction, newBuf, NULL, &threadID);
    // Blocks the UI thread until the remote call returns.
    if (hThread)
        WaitForSingleObject(hThread, INFINITE);
    // MEM_DECOMMIT only decommits the pages; the reservation made above is
    // never released with MEM_RELEASE.
    VirtualFreeEx(hProcess, newBuf, size, MEM_DECOMMIT);
    if (hThread)
        CloseHandle(hThread);
    if (hProcess)
        CloseHandle(hProcess);
    hThread = NULL;
    hProcess = NULL;
}

// For every recorded process id, locate the module named "HookDLL.dll" in
// that process and run kernel32!FreeLibrary on it from a remote thread, then
// forget all recorded ids.
void CInjectTestDlg::uninjectAllProcess()
{
    // NOTE(review): unlike injectByProcessName(), the GetProcAddress result is
    // not checked for NULL before being used.
    PTHREAD_START_ROUTINE function = NULL;
    function = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "FreeLibrary");
    for (int i = 0; i < m_processCount; i++)
    {
        DWORD processID = m_processIDAry[i];
        HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, processID); //CREATE_THREAD_ACCESS
        if (!hProcess)
        {
            log(L"OpenProcess错误");
            continue;
        }
        // Take a snapshot of the process's module list.
        HMODULE module = NULL;
        HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, processID);
        MODULEENTRY32 ME32 = { 0 };
        ME32.dwSize = sizeof(MODULEENTRY32);
        BOOL isNext = Module32First(hSnap, &ME32);
        BOOL flag = FALSE;
        while (isNext)
        {
            RefString moduleName = new WKString(ME32.szModule);
            // Must match the file name used for m_dllPath in OnInitDialog().
            if (moduleName->equalsIgnoreCase(L"HookDLL.dll"))
            {
                module = ME32.hModule;
                flag = TRUE;
                break;
            }
            isNext = Module32Next(hSnap, &ME32);
        }
        // NOTE(review): hSnap is closed even when the snapshot call failed and
        // returned INVALID_HANDLE_VALUE.
        CloseHandle(hSnap);
        if (flag == FALSE)
        {
            // NOTE(review): hProcess is not closed on this path.
            continue;
        }
        DWORD threadID = 0;
        HANDLE hThread = CreateRemoteThread(hProcess, NULL, NULL, (PTHREAD_START_ROUTINE)function, (LPVOID)module, NULL, &threadID);
        if (hThread)
            WaitForSingleObject(hThread, INFINITE);
        // NOTE(review): called without the NULL guard the other handles get.
        CloseHandle(hThread);
        if (hProcess)
            CloseHandle(hProcess);
    }
    clearProcessID();
}

// "Inject" button: read the process name from the edit box, unload from any
// previously recorded processes, then inject by name.
void CInjectTestDlg::OnBnClickedInject()
{
    // TODO: Add your control notification handler code here
    CWnd* hWnd = GetDlgItem(ID_EDIT);
    WCHAR buf[256] = { 0 };
    hWnd->GetWindowTextW(buf, 256);
    uninjectAllProcess();
    injectByProcessName(buf);
}

// Report data to the user in a modal message box.
void CInjectTestDlg::log(const WCHAR* data)
{
    MessageBoxW(data, L"提示", MB_OK);
}

// "Uninject" button.
void CInjectTestDlg::OnBnClickedUninject()
{
    // TODO: Add your control notification handler code here
    uninjectAllProcess();
}

DLL注入部分

#include <WinSock2.h>
#include "MinHook.h"void init();
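void uninit();

// Signature of the Winsock connect() function that the hook replaces.
typedef int (WSAAPI* UUConnectFunction)(SOCKET, const struct sockaddr FAR *, int);

// Trampoline to the original connect(); filled in by MH_CreateHook in init().
UUConnectFunction fpConnect = NULL;

// Replacement for connect(): refuses IPv4 connections to 172.16.30.20 with
// SOCKET_ERROR and forwards everything else to the original function.
//
// Only buffers large enough to hold a SOCKADDR_IN are inspected, so a NULL or
// short name is passed to the original connect() unchanged instead of being
// read past its end. The previous version cast unconditionally and also
// computed an unused port value.
int
WSAAPI
MyConnect(_In_ SOCKET s, _In_reads_bytes_(namelen) const struct sockaddr FAR * name, _In_ int namelen)
{
    if (name != NULL && namelen >= (int)sizeof(SOCKADDR_IN) && name->sa_family == AF_INET)
    {
        const SOCKADDR_IN* addr = reinterpret_cast<const SOCKADDR_IN*>(name);
        if (addr->sin_addr.S_un.S_un_b.s_b1 == 172
            && addr->sin_addr.S_un.S_un_b.s_b2 == 16
            && addr->sin_addr.S_un.S_un_b.s_b3 == 30
            && addr->sin_addr.S_un.S_un_b.s_b4 == 20)
        {
            // Give the caller a defined error code to go with SOCKET_ERROR.
            WSASetLastError(WSAECONNREFUSED);
            return SOCKET_ERROR;
        }
    }
    return fpConnect(s, name, namelen);
}

// Hooks are installed and removed from DllMain, i.e. while the loader lock
// is held; init()/uninit() should stay minimal for that reason.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        //MessageBoxW(NULL, L"注入", L"提示", MB_OK);
        init();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        uninit();
        break;
    }
    return TRUE;
}

// Initialise MinHook and install the connect() hook.
//
// Each step depends on the previous one, so the function stops at the first
// failure instead of also reporting follow-on errors from a MinHook that was
// never initialised (the previous version ran all three steps regardless).
void init()
{
    if (MH_Initialize() != MH_OK)
    {
        MessageBoxW(NULL, L"MH_Initialize失败", L"提示", MB_OK);
        return;
    }
    // Create the connect() hook in the disabled state and keep the trampoline.
    if (MH_CreateHook(&connect, &MyConnect, reinterpret_cast<void**>(&fpConnect)) != MH_OK)
    {
        MessageBoxW(NULL, L"MH_CreateHook失败", L"提示", MB_OK);
        return;
    }
    // Activate the connect() hook.
    if (MH_EnableHook(&connect) != MH_OK)
    {
        MessageBoxW(NULL, L"MH_EnableHook失败", L"提示", MB_OK);
    }
}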
// Remove the connect() hook and shut MinHook down, reporting each failure
// in its own message box.
void uninit()
{
    const MH_STATUS disableStatus = MH_DisableHook(&connect);
    if (disableStatus != MH_OK)
    {
        MessageBoxW(NULL, L"MH_DisableHook失败", L"提示", MB_OK);
    }

    const MH_STATUS uninitStatus = MH_Uninitialize();
    if (uninitStatus != MH_OK)
    {
        MessageBoxW(NULL, L"MH_Uninitialize失败", L"提示", MB_OK);
    }
}

Hook Connect函数部分 不允许谷歌浏览器访问172.16.30.20网段

注入效果

Git地址 https://github.com/TsudaKageyu/minhook
