📄 揭开木马的神秘面纱5.htm
</o:p>
</span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">WH_CBT</span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">WH_DEBUG</span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">WH_FOREGROUNDIDLE</span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">WH_GETMESSAGE</span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">WH_JOURNALPLAYBACK</span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">WH_JOURNALRECORD</span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">WH_KEYBOARD</span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">WH_KEYBOARD_LL</span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">WH_MOUSE</span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">WH_MOUSE_LL</span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">WH_MSGFILTER</span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">WH_SHELL</span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">WH_SYSMSGFILTER</span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span style="font-size:10.5pt;mso-bidi-font-size:10.0pt">In general, the hook type is chosen according to the characteristics of the target process: for a process that uses the mouse, a mouse hook can be used; for a process that takes keyboard input, a keyboard hook. Here we choose the message hook, that is, <span lang="EN-US">WH_GETMESSAGE</span>;</span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span style="font-size:10.5pt;mso-bidi-font-size:10.0pt">The second parameter, <span lang="EN-US">HOOKPROC lpfn</span>, specifies the hook callback function, which is called whenever the hook event occurs. Because this function is provided by our Trojan <span lang="EN-US">DLL</span>, the hooked process automatically loads the Trojan <span lang="EN-US">DLL</span> module;</span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span style="font-size:10.5pt;mso-bidi-font-size:10.0pt">The third parameter, <span lang="EN-US">HINSTANCE hMod</span>, is the handle of the <span lang="EN-US">DLL</span> that contains the hook function;</span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span style="font-size:10.5pt;mso-bidi-font-size:10.0pt">The fourth parameter, <span lang="EN-US">DWORD dwThreadId</span>, is the <span lang="EN-US">ID</span> of the thread the hook function is associated with. If this parameter is set to <span lang="EN-US">0</span>, the hook function is associated with every thread on the current desktop.</span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span style="font-size:10.5pt;mso-bidi-font-size:10.0pt">Suppose the handle of our hook <span lang="EN-US">DLL</span> is <span lang="EN-US">g_hinstDll</span>, the <span lang="EN-US">ID</span> of the thread we need to hook is <span lang="EN-US">dwThreadId</span>, and the hook callback function is <span lang="EN-US">GetMsgProc()</span>. Then the following code installs a <span lang="EN-US">MESSAGE</span> hook for the target process; in other words, we have embedded the <span lang="EN-US">DLL</span> containing the hook function into the target process:</span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">SetWindowsHookEx( WH_GETMESSAGE,</span></p>
<p class="MsoNormal" style="margin-left:108.0pt;text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">GetMsgProc,</span></p>
<p class="MsoNormal" style="margin-left:108.0pt;text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">g_hinstDll,</span></p>
<p class="MsoNormal" style="margin-left:108.0pt;text-indent:36.0pt"><span lang="EN-US" style="font-size:10.5pt;mso-bidi-font-size:10.0pt">dwThreadId );