Dll Injection Using hook

Source: Internet
Author: User

Use a single dll(inject.dll(and a calling program (caller.exe)

Procedure TestHook;
Var pwnd, hChild, hwndInject: hwnd;
Msg: tmsg;
// Use FindWindow in the window title to find the main window handle pwnd of the program to be injected
Pwnd: = findwindow (Progman, nil );
// Use finddomainwex (hMain, 0, nil, nil) to find the subwindow handle to be processed hChild
HChild: = find1_wex (pwnd, 0, nil, nil );
// Use getwindowThreadProcessid (hChild, nil) to find the thread to be injected
DwThreadID: = getwindowThreadProcessid (hChild, nil );
// Call the SetInjectHook method of inject. dll
SetInjectHook (dwThreadID );
// Wait for the message to return
Getmessage (msg, 0, 0 );
// Find the injection window
HwndInject: = findwindow (nil, InjectForm );
// Send a control message. The handle of the target form is used as wparam, and the control parameter is passed in as lparam.
SendMessage (hwndInject, wm_app, hChild, integer (true ));
// Close the injection window
SendMessage (hwndInject, wm_close, 0, 0 );
// Wait for the window to close
Sleep (500 );
// Check whether the service is disabled successfully
Assert (not iswindow (hwndInject ));
// Remove the hook
SetDipsHook (0 );
// The following describes the specific operations of Inject. dll SetInjectHook.
Define the following variables globally

G_hhook: Hhook = 0;
G_dwThreadidInject: dword = 0;
G_hInjectfrm: hwnd;

Function SetInjectHook (dwThreadid: DWORD): boolean;
Result: = false;
// If the thread flag is 0, the hook is removed; otherwise, dynamic library injection is performed.
If dwThreadid <> 0 then
Assert (g_hhook = 0 );
// Save the ID of the current thread to g_dwThreadidInject
G_dwThreadidInject: = getCurrentThreadid;
// Hook the next GetMessage to the target thread
// GetMsgProc is a function defined below. During the first call, the custom form is created in the target thread.
// You can use this custom form to control the target thread in the process.
G_hhook: = setWindowsHookEx (wh_getMessage, GetMsgProc, hInstance, dwThreadid );
Result: = g_hhook <> null;
If result then
// Send an empty message to create the custom form immediately
Result: = postThreadMessage (dwThreadid, wm_Null, 0, 0 );
// Wait for half a second to ensure that the caller can find the newly created form
Sleep (500 );
End else
Assert (g_hhook <> 0 );
// Remove the hook
Result: = unHookWindowsHookEx (g_hhook );
G_Hhook: = 0;

// Define whether a global flag is the first message
FFirstTime: boolean = true;
// This function is used to create a custom form when the first message is received for remote control.
Function GetMsgProc (code: Integer; wparam: WPARAM; lparam: LPARAM): LRESULT; stdcall;
// If it is the first time
If fFirstTime then
FFirstTime: = false;
// Create a form
InjectFrm: = TinjectFrm. create (nil );
// Save the form handle
G_hInjectfrm: = InjectFrm. handle;
// Call the default processing, which cannot be forgotten
Result: = callNexthookEx (g_hhook, code, wparam, lparam );

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.