By setting the message hook to achieve the same purpose as DLL injection, but this method and other DLL injection method is not the same, it will not load its own DLL into the target process, so it does not come to the hidden DLL, so it is easy to be killed soft kill off, pro-Test 360 seconds to kill, But the implementation is simple and there is a considerable application scenario, the following is a general message to check the main function, it will be the key message hook function SetWindowsHookEx function into the DLL, through the DLL call to implement the message check, because this logic is relatively simple, here is not detailed, directly paste code.
#include "stdafx.h"
#include "windows.h"
#define Def_dll_name "Keyhook_con.dll"
#define Def_hookstart " Hookstart "
#define DEF_HOOKSTOP" hookstop "
typedef void (*pfn_hookstart) ();
typedef void (*pfn_hookstop) ();
void _tmain (int argc, _tchar* argv[])
{
hmodule hdll = NULL;
Pfn_hookstart Hookstart = NULL;
Pfn_hookstop hookstop = NULL;
hDLL = LoadLibraryA (def_dll_name);
Gets the exported function address
hookstart= (pfn_hookstart) GetProcAddress (Hdll,def_hookstart);
Hookstop = (pfn_hookstop) GetProcAddress (hdll,def_hookstop);
Start to tick
Hookstart ();
Wait for user input "q" to end
printf ("Press Q to Quit\n");
while (GetChar ()! = ' Q ');
Terminate the
hookstop ();
Uninstall KeyHook.dll
FreeLibrary (hdll);
}
The following is a DLL function
#include "stdafx.h" #include "stdio.h" #include "windows.h" #define Def_process_name "notepad.exe" HInstance g_hinstance
= NULL;
Hhook G_hhook =null;
HWND G_hwnd = NULL;
#ifdef _DEBUG #define NEW debug_new #endif BOOL WINAPI DllMain (hinstance hinstDLL, DWORD dwreason, LPVoid lpreserved) {
Switch (dwreason) {case dll_process_attach:g_hinstance = hinstDLL;
Break
} return TRUE;
} LRESULT CALLBACK keyboardproc (int ncode,wparam wparam,lparam LPARAM) {char szpath[max_path]={0,};
char *p = NULL; if (! (
lparam&0x80000000)) {GetModuleFileNameA (Null,szpath,max_path);
p = strrchr (szpath, ' \ \ '); Compare the current process name to notepad.exe the message will not be passed to the application (or the next hook) if (!strcmp (p+1,def_process_name)) {//When I run the WIN10 64-bit machine
, it is easy to find that the target process card//live, do not know what the reason, and the XP 32 bit does not have this phenomenon printf ("Notepad keyboard message has been intercepted \ n");
return 1; }}//If not Notepad.exe, call the CallNextHookEx () function, pass the message to the application or the next hook returnNexthookex (G_hhook,ncode,wparam,lparam); } #ifdef __cplusplus extern "C" {#endif __declspec (dllexport) void Hookstart () {//key function of this one, install message hooks G_hhook
= SetWindowsHookEx (wh_keyboard,keyboardproc,g_hinstance,0);
} __declspec (dllexport) void Hookstop () {if (G_hhook) {UnhookWindowsHookEx (G_hhook);
G_hhook =null; }} #ifdef __cplusplus} #endifStart building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
