// BeyondSecSign.cpp : Defines the initialization routines for the DLL.
//
#include "stdafx.h"
#include <afxdllx.h>
#include "WordMousehook.h"
///
#include <windows.h>
///
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
/********************************************************************************
*
* 利用CreateRemoteThread将dll写进Word.exe.
* 利用SetWindowLong()改变Word中右键消息。
* dll源程序
*
*********************************************************************************/
/*
#pragma data_seg("shared")
#pragma data_seg()
#pragma comment(linker,"/SECTION:shared,rws")
*/
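// Process-global hook state.
//
// The section is named "shared", but without the matching linker directive
// (`#pragma comment(linker,"/SECTION:shared,rws")`, left commented out above)
// it is an ordinary data section and nothing is shared between processes.
// That is sufficient here: every reader and writer of these variables in this
// file (HookWordRightMenu, HookWordWndProc, DllMain) runs inside the process
// that loaded the DLL. A genuinely shared, writable section would be mapped
// into every process that loads this DLL, so do not add the directive without
// a concrete need.
//
// NOTE(review): MSVC only places *initialized* variables into a named
// data_seg; uninitialized ones go to .bss regardless. The two pointers below
// were previously uninitialized and therefore not in this section at all.
// Initializing them to NULL matches the zero value they already had.
#pragma data_seg("shared")
WNDPROC g_lpfnOldWndProc = NULL; // window procedure that was in place before HookWordWndProc was installed
HWND g_WordWnd = NULL;           // window whose messages are intercepted; owner for the MessageBox in HookWordWndProc
HHOOK glhHook = NULL;            // handle of an installed mouse hook (only referenced by the commented-out StopHook)
HINSTANCE glhInstance = NULL;    // this DLL's own instance handle, recorded in DllMain
#pragma data_seg()

// MFC extension-module state; filled in by AfxInitExtensionModule in DllMain.
static AFX_EXTENSION_MODULE BeyondSecSignDLL = { NULL, NULL };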
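/// Entry point of this MFC extension DLL.
///
/// @param hInstance  module handle of this DLL.
/// @param dwReason   DLL_PROCESS_ATTACH / DLL_PROCESS_DETACH; thread
///                   attach/detach notifications are ignored.
/// @param lpReserved unused.
/// @return 1 on success, 0 if AfxInitExtensionModule fails on attach.
extern "C" int APIENTRY
DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    // Remove this if you use lpReserved
    UNREFERENCED_PARAMETER(lpReserved);

    if (dwReason == DLL_PROCESS_ATTACH)
    {
        TRACE0("BeyondSecSign.DLL Initializing!\n");

        // Extension DLL one-time initialization
        if (!AfxInitExtensionModule(BeyondSecSignDLL, hInstance))
            return 0;

        // Insert this DLL into the resource chain.
        // The bare `new` is the standard MFC idiom: the CDynLinkLibrary object
        // links itself into the module state and is expected to be torn down by
        // AfxTermExtensionModule below, so this function does not own it.
        // NOTE: If this Extension DLL is being implicitly linked to by
        // an MFC Regular DLL (such as an ActiveX Control)
        // instead of an MFC application, then you will want to
        // remove this line from DllMain and put it in a separate
        // function exported from this Extension DLL. The Regular DLL
        // that uses this Extension DLL should then explicitly call that
        // function to initialize this Extension DLL. Otherwise,
        // the CDynLinkLibrary object will not be attached to the
        // Regular DLL's resource chain, and serious problems will
        // result.
        new CDynLinkLibrary(BeyondSecSignDLL);

        glhInstance = hInstance; // keep our own instance handle for later use
    }
    else if (dwReason == DLL_PROCESS_DETACH)
    {
        // The previous text said "MOUSEHOOK.DLL" (left over from the file this
        // was copied from); keep the trace consistent with the attach message.
        TRACE0("BeyondSecSign.DLL Terminating!\n");

        // NOTE(review): nothing here removes the window subclass installed by
        // HookWordRightMenu. If this DLL is unmapped while the subclass is still
        // in place, the window's procedure pointer dangles into freed memory;
        // whoever loads/frees this DLL must make sure the hook was undone first.

        // Terminate the library before destructors are called
        AfxTermExtensionModule(BeyondSecSignDLL);
    }
    return 1; // ok
}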
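/// Replacement window procedure installed on the target window by HookWordRightMenu.
///
/// Consumes right-button presses, terminates the process on WM_CLOSE and
/// forwards every other message to the procedure saved in g_lpfnOldWndProc.
///
/// @return 1 for WM_RBUTTONDOWN (message consumed); the original procedure's
///         result for forwarded messages; 0 if a C++ exception escapes.
LRESULT APIENTRY HookWordWndProc(HWND hwnd, UINT wMessage, WPARAM wParam, LPARAM lParam)
{
    try
    {
        switch (wMessage)
        {
        case WM_RBUTTONDOWN:
            // The message is consumed here; the original procedure never sees it.
            MessageBox(g_WordWnd, "u click the r button", "", MB_OK);
            return 1;

        case WM_CLOSE:
            // Hard-terminates the host process from inside its window procedure:
            // no save prompt, no orderly shutdown of the host's other modules.
            // NOTE(review): forwarding WM_CLOSE to g_lpfnOldWndProc instead would
            // let the host close normally; kept as-is to preserve behaviour.
            ::ExitProcess(0);
            break;

        default:
            // Without a saved procedure fall back to DefWindowProc; otherwise
            // hand the message to the procedure that was in place before us.
            if (NULL == g_lpfnOldWndProc)
                return DefWindowProc(hwnd, wMessage, wParam, lParam);
            return CallWindowProc(g_lpfnOldWndProc, hwnd, wMessage, wParam, lParam);
        }
    }
    catch (...)
    {
        // Best-effort: never let a C++ exception propagate out of a window
        // procedure. (Structured exceptions such as access violations are not
        // caught by catch(...) unless the DLL is built with /EHa.)
    }
    return 0;
}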
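/// Subclasses `hwnd` with HookWordWndProc, then pumps the calling thread's
/// message queue until WM_QUIT. The loop keeps the calling thread alive for
/// as long as the subclass is installed.
///
/// Presumably exported by ordinal so a loader can resolve it with
/// GetProcAddress (the commented-out ControlWordThread below uses ordinal 1).
///
/// @param hwnd window whose procedure is replaced. It has to belong to the
///             process this DLL is loaded in; SetWindowLong(GWL_WNDPROC) is
///             documented to fail for windows owned by another process.
/// @return TRUE once the message loop has ended and the original window
///         procedure has been put back; FALSE if the subclass could not be
///         installed.
LRESULT __stdcall HookWordRightMenu(HWND hwnd)
{
    // Remember the window so HookWordWndProc can use it as the MessageBox owner.
    g_WordWnd = hwnd;

    // SetWindowLong(GWL_WNDPROC) swaps in our procedure and returns the previous one.
    // NOTE(review): the LONG cast truncates pointers on 64-bit; a 64-bit build
    // needs SetWindowLongPtr / GWLP_WNDPROC / LONG_PTR here and in the restore below.
    g_lpfnOldWndProc = (WNDPROC)::SetWindowLong(hwnd, GWL_WNDPROC, (LONG)HookWordWndProc);
    if (NULL == g_lpfnOldWndProc)
    {
        // Subclassing failed. Without a saved procedure HookWordWndProc would
        // have to fall back to DefWindowProc for every message, so do not
        // pump messages on behalf of a hook that is not installed.
        return FALSE;
    }

    // Standard message loop. GetMessage returns 0 on WM_QUIT and -1 on error;
    // the earlier `while (GetMessage(...))` treated -1 as true and could spin
    // forever on a broken queue, so both outcomes end the loop here.
    MSG msg;
    BOOL bRet;
    while ((bRet = ::GetMessage(&msg, NULL, 0, 0)) != 0)
    {
        if (bRet == -1)
            break;
        TranslateMessage(&msg); // virtual-key messages -> character messages
        DispatchMessage(&msg);  // route the message to its window procedure
    }

    // Restore the original procedure before returning: the caller may unload
    // this DLL right afterwards, and a window procedure that points into an
    // unmapped module crashes the host on the next message.
    ::SetWindowLong(hwnd, GWL_WNDPROC, (LONG)g_lpfnOldWndProc);
    g_lpfnOldWndProc = NULL;
    return TRUE;
}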
// Constructor. Nothing is initialised in this translation unit; the class
// itself is declared in WordMousehook.h.
CBeyondSecSign::CBeyondSecSign()
{
}
// Destructor. Deliberately empty: no hook is torn down here (the
// StopHook method that unhooks glhHook is commented out below).
CBeyondSecSign::~CBeyondSecSign()
{
}
/*
void EnableDebugPriv( void )
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
/*
* Function: OpenProcessToken
* opens the access token associated with a process.
*
* TOKEN_ADJUST_PRIVILEGES
* --------- Required to change the privileges specified in an access token.
* TOKEN_QUERY
* ----------Required to query the contents of an access token.
*/
/* if ( ! OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
return;
/*
* Function: LookupPrivilegeValue
* retrieves the locally unique identifier (LUID)
* used on a specified system to locally represent the specified privilege name.
*
*
*/
/*
if ( ! LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue ) )
{
CloseHandle( hToken );
return;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if ( ! AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL ) )
CloseHandle( hToken );
}
//安装钩子
LRESULT CBeyondSecSign::StartHook(LPCSTR pstrProcessName,HWND hwnd)
{
DWORD dwProcessID = 0;
// dwProcessID=GetProcessIdFromName(pstrProcessName);
// Returns the identifier of the thread that created the window.
GetWindowThreadProcessId(hwnd,&dwProcessID);
if ( dwProcessID < 1) return -1;
EnableDebugPriv();
/*
* Function : OpenProcess()
* Get a handle to an existing process object
* PROCESS_ALL_ACCESS -----Specifies all possible access flags for the process object.
* FALSE --------specifies that the returned handle can not be inherited
* by a new process created by the current process.
*
*/
/*
HANDLE hInjectTarget = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcessID);
if (!hInjectTarget) return -2;
INJECT_DLL pstInjectDll ;
memset(&pstInjectDll,0x0,sizeof(INJECT_DLL));
HMODULE hModule = ::LoadLibrary (TEXT("kernel32"));
if (!hModule) return -3;
pstInjectDll.prcLoadLib = (LPLOADLIBRARY)::GetProcAddress(hModule,TEXT("LoadLibraryA"));
pstInjectDll.prcFreeLib = (LPFREELIBRARY)::GetProcAddress(hModule,TEXT("FreeLibrary"));
pstInjectDll.prcGetProcAddr = (LPGETPROCADDRESS)::GetProcAddress (hModule,TEXT("GetProcAddress"));
pstInjectDll.hInjectWnd = hwnd;
lstrcpy(pstInjectDll.szLibPath ,TEXT("E:\\KDCP\\backup\\dll\\injectdll\\debug\\injectdll.dll"));
LPBYTE lpExcelAddr = (LPBYTE)::VirtualAllocEx (hInjectTarget,NULL,MAXINJECTSIZE,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
LPINJECT_DLL param = (LPINJECT_DLL) VirtualAllocEx( hInjectTarget, 0, sizeof(INJECT_DLL), MEM_COMMIT, PAGE_READWRITE );
WriteProcessMemory(hInjectTarget,lpExcelAddr,&ControlExcelThread,MAXINJECTSIZE,0);
WriteProcessMemory(hInjectTarget,param,&pstInjectDll,sizeof(INJECT_DLL),0);
DWORD dwThreadId = 0;
HANDLE hInjectThread;
try
{
hInjectThread= ::CreateRemoteThread (hInjectTarget,NULL,0,(LPTHREAD_START_ROUTINE)lpExcelAddr,param,0,&dwThreadId);
}
catch(...)
{
}
if (!hInjectThread)
dwThreadId = ::GetLastError ();
else
CloseHandle(hInjectThread);
CloseHandle(hInjectTarget);
::VirtualFreeEx (hInjectTarget,lpExcelAddr,0,MEM_RELEASE);
::VirtualFreeEx (hInjectTarget,param,0,MEM_RELEASE);
return 0;
}
}
//卸载钩子
BOOL CBeyondSecSign::StopHook()
{
BOOL bResult=FALSE;
if(glhHook)
{
bResult= UnhookWindowsHookEx(glhHook);
if(bResult)
{
glhHook=NULL;
}
}
return bResult;
}
#include <tlhelp32.h>
const int MAXINJECTSIZE = 10240;
typedef HMODULE (__stdcall * LPLOADLIBRARY)(LPCTSTR);
typedef FARPROC (__stdcall * LPGETPROCADDRESS)(HMODULE,LPCTSTR);
typedef BOOL (__stdcall * LPFREELIBRARY)(HMODULE);
typedef LRESULT (__stdcall * LPHookExcelRightMenu)(HWND);
typedef struct
{
LPLOADLIBRARY prcLoadLib;
LPGETPROCADDRESS prcGetProcAddr;
LPFREELIBRARY prcFreeLib;
TCHAR szLibPath[MAX_PATH+1];
HWND hInjectWnd;
}INJECT_DLL,*LPINJECT_DLL;
#pragma check_stack(off)
static DWORD __stdcall ControlWordThread(LPVOID lpVoid)
{
try
{
LPINJECT_DLL lpInject = (LPINJECT_DLL)lpVoid;
if (NULL == lpInject) return -1;
HMODULE hMod = lpInject->prcLoadLib(lpInject->szLibPath);
if (NULL == hMod) return -2;
LPHookWordRightMenu lpHookWordRightMenu;
lpHookWordRightMenu = (LPHookWordRightMenu)lpInject ->prcGetProcAddr (hMod,MAKEINTRESOURCE(1));
if ( !lpHookWordRightMenu)
{
lpInject ->prcFreeLib (hMod);
return -3;
}
lpHookWordRightMenu(lpInject->hInjectWnd);
lpInject ->prcFreeLib (hMod);
}
catch(...)
{
return -1;
}
return 0;
}
#pragma check_stack(on)
DWORD GetProcessIdFromName(LPCTSTR name)
{
PROCESSENTRY32 pe;
DWORD id = 0;
/* Function: CreateToolhelp32Snapshot
* Takes a snapshot of the processes and the heaps,
* modules, and threads used by the processes.
*/
/* HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
pe.dwSize = sizeof(PROCESSENTRY32);
if( !Process32First(hSnapshot,&pe) )
return 0;
do
{
pe.dwSize = sizeof(PROCESSENTRY32);
if( Process32Next(hSnapshot,&pe)==FALSE )
break;
if(stricmp(pe.szExeFile,name) == 0)
{
id = pe.th32ProcessID;
break;
}
} while(1);
CloseHandle(hSnapshot);
return id;
}
*/