Windows hacker BASICS (1): hook messages of the current process

Source: Internet
Author: User

1. functions to be used

If you have learned Windows programming, you know that the core mechanism of Windows is the message mechanism: a message is how the operating system tells an application what has happened. For example, when the user moves the mouse or presses a key, the operating system notifies the application with a message.

In fact, in Windows we can monitor the messages that the operating system sends to another process and then decide how to handle each one: pass it on unchanged, modify it, prevent it from reaching the application at all, or have our code notified after the application has finished processing it. The API for this is SetWindowsHookEx:

 

HHOOK WINAPI SetWindowsHookEx(_In_ int idHook, _In_ HOOKPROC lpfn, _In_ HINSTANCE hMod, _In_ DWORD dwThreadId);

idHook is the type of message (hook type) we want to monitor.
lpfn is the function that receives the message. Its type is HOOKPROC, defined in winuser.h with the prototype:
typedef LRESULT (CALLBACK *HOOKPROC)(int nCode, WPARAM wParam, LPARAM lParam);

hMod is the module that contains our hook function. If the function lives in a DLL, two APIs are needed: LoadLibrary and GetProcAddress. The former maps the DLL into our process; the latter returns the address of the function we need from that DLL.

dwThreadId is the ID of the thread we want to monitor. If it is 0, the hook is a system-wide hook and receives the messages of all threads, not only those of the process we are monitoring.
For a detailed explanation, refer to MSDN:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms644990(v=vs.85).aspx

After we intercept a message of the monitored process, we can call CallNextHookEx to pass it along the hook chain, or choose not to pass it on at all. If you do not want the message to reach the monitored process, return 1 from the hook function.
If you want it delivered to the monitored process, return 0.

2. intercept messages of this Process

1. Create a project

We use Visual Studio to create a Win32 project, which by default creates a window with a message loop for us. The steps are as follows (in the VS2008 environment):

File -> New Project -> select Win32 Project, enter the name -> click OK

After entering the wizard, click Finish to create a Win32 default project. For debugging convenience, we need to modify some settings.

Open the project's Properties, choose Configuration Properties > Linker > System > SubSystem, and select Console.

In this way we can use cout to print debugging information directly to the console.

2. Adjusting the entry point for debugging

After these settings, compilation fails, because the default entry point of a Win32 project (WinMain) differs from the C++ main function. So we change the entry point to the standard C++ main, and since main does not receive an HINSTANCE, we obtain the process's HINSTANCE with GetModuleHandle instead.

 

Next, we add keyboard handling to the window procedure (WndProc). Code:

case WM_KEYDOWN: printf("Press the button\n"); break;

Then we only need to define the hook procedure and call SetHook at the beginning of the program:

#include <windows.h>
#include <iostream>
using namespace std;

HHOOK hkb;   // handle returned by SetWindowsHookEx, needed for CallNextHookEx / UnhookWindowsHookEx

LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    cout << "Capture keyboard messages" << endl;
    // Returning a nonzero value swallows the keystroke and stops the hook chain.
    // Note: WH_KEYBOARD_LL is always system-wide, so while this hook is installed
    // every keystroke on the desktop is discarded, not only this process's.
    return 1;
    // To pass the message on to the next hook and the target window instead:
    // return CallNextHookEx(hkb, nCode, wParam, lParam);
}

void SetHook(HINSTANCE hModule)
{
    // dwThreadId = 0: low-level keyboard hook for all threads on the desktop
    hkb = SetWindowsHookEx(WH_KEYBOARD_LL, (HOOKPROC)KeyboardProc, hModule, 0);
}

After the program calls SetHook, it intercepts the keyboard messages of our process.
Intercepting messages of the current process is not complicated: a little over ten lines of code are enough to capture the process's keyboard messages. There are many other message types, such as debug messages and mouse messages, that can be intercepted in the same way.
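As an added example (not code from the original post), here is a variant of SetHook limited to the calling thread with WH_KEYBOARD and GetCurrentThreadId(), which always chains with CallNextHookEx and can be unhooked again; the pass/swallow decision is kept in a plain function so it can be tested without installing a hook. It assumes it is called from the Win32 project's window-owning thread; the function names, the "swallow F1" demo rule and the non-Windows stand-in typedefs are constructed for this example.

```cpp
#include <cstdio>
#ifdef _WIN32
#include <windows.h>
#else
// Stand-ins (constructed) so the policy function compiles and can be tested off Windows.
typedef unsigned long long WPARAM;
typedef long long LPARAM;
#define HC_ACTION 0
#define VK_F1 0x70
#endif

// Decide what the hook procedure does with one WH_KEYBOARD message.
// Returns 1 to swallow the keystroke, 0 to pass it on via CallNextHookEx.
// nCode < 0 must always be passed on (MSDN rule for every hook type).
// "Swallow F1 key-down" is a constructed demo rule for this example.
int KeyboardHookPolicy(int nCode, WPARAM vkCode, LPARAM keyFlags) {
    if (nCode < 0) return 0;
    bool keyUp = ((keyFlags >> 31) & 1) != 0;   // bit 31 of lParam: 1 = key release
    if (!keyUp && vkCode == VK_F1) return 1;
    return 0;
}

#ifdef _WIN32
static HHOOK g_hook = nullptr;

LRESULT CALLBACK ThreadKeyboardProc(int nCode, WPARAM wParam, LPARAM lParam) {
    if (nCode == HC_ACTION)
        std::printf("vk=0x%02X %s\n", (unsigned)wParam, ((lParam >> 31) & 1) ? "up" : "down");
    if (KeyboardHookPolicy(nCode, wParam, lParam)) return 1;   // swallowed
    return CallNextHookEx(g_hook, nCode, wParam, lParam);      // keep the chain intact
}

// Install for the calling thread only (dwThreadId = GetCurrentThreadId()), so hMod
// may be NULL and no other thread or process is affected, unlike WH_KEYBOARD_LL.
bool InstallThreadKeyboardHook() {
    g_hook = SetWindowsHookExW(WH_KEYBOARD, ThreadKeyboardProc, nullptr, GetCurrentThreadId());
    if (!g_hook) std::printf("SetWindowsHookEx failed: %lu\n", GetLastError());
    return g_hook != nullptr;
}

// Remove the hook when it is no longer needed (e.g. on WM_DESTROY).
void RemoveThreadKeyboardHook() {
    if (g_hook) { UnhookWindowsHookEx(g_hook); g_hook = nullptr; }
}
#endif
```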
