The common injection Method IV, SETWINDOWSHOOKEX global hook injection. As well as inject QQ32 bit combat.

The common injection Method IV, SETWINDOWSHOOKEX global hook injection. As well as inject QQ32 bit combat.

PS: Above is the operation. and finally the principle.

One, need to understand the API

Use global hook injection. We need to know a few windowsapi. Don't need too much.

1. Setting the Hook API

　　

hhook WINAPI SetWindowsHookEx (  _in_  int    idhook, sets the type of the hook. That means I'm going to set the hook for what the hook is. can be Monitor window procedures. Can be a monitoring message queue.  _in_ HOOKPROC LPFN, depending on the hook type. Set different callback functions.  _in_ hinstance Hmod, the hook sets the DLL instance handle, which is the DLL's handle  _in_ DWORD dwthreadid   set the thread ID of the hook. If 0 is set to the global hook.);
Hhook the return value. is a handle to a hook procedure.

2. Get the module handle API

　　

Hmodule WINAPI GetModuleHandle (  _in_opt_ lpctstr lpmodulename           Gets the file name of the instance handle. Can be DLL can make EXE  if null this is the current dll/ EXE's instance handle);                                       The return value returns the instance handle.

3. Cancel the Settings Hook API

　　

BOOL WINAPI UnhookWindowsHookEx (  _in_ hhook hhk                        parameter One is the return value of the Setwindowhookex. That is, the handle of the hook process.);                                      Return value: The return value is of type bool. Indicates whether the setting was successful or failed.

4. Continue to call the hook process in the hook chain.

　　

LRESULT WINAPI CallNextHookEx (  _in_opt_ hhook hhk, the saved hook process, which is the SetWindowsHookEx return value.  _in_      int     nCode,            different NCode code generated according to SetWindowsHookEx set Hook callback. What do you mean? This means that if you set the hook type to be a mouse message. Then the ncode is a mouse message. If it's a keyboard this is the keyboard  _in_ WPARAM WPARAM,                 same as 2 parameters. Additional parameters. Depending on the hook callback type. Additional parameters have different meanings. For example, if it is a mouse. This may represent the x position of the mouse. The keyboard may be the key code  _in_ LPARAM LPARAM is the                  same as the 3 parameter. Additional parameters.

　　

5. Hook callback

The hook callback is set according to the SetWindowsHookEx parameter. For example, if we set WH_CBT then the callback function we set is the CBT callback. Specific Query MSDN

LRESULT CALLBACK Cbtproc (         This callback function writes our code.  ) _in_  int     nCode,  _in_ WPARAM WPARAM,  _in_ LPARAM LPARAM);

Second, global hook injection step.

Actually look at the above several APIs actually inject is not difficult.

So in view of the study. Say the steps to inject.

1. Call SetWindowsHookEx to set the hook.

2. During the setup process. A callback is required. So we fill in a callback.

3. Call the CallNextHookEx function in the callback function. If you do not call. Then we set a non-return. The program may have a problem. Of course, it's on-demand return.

4. Cancel the hook settings.

Step is four steps. So let's start.

1. Build the DLL project. Building DLL projects can be used with vc++6.0 or with the VS series. It's not a liability here. Building a DLL project is simple. If you don't have internet Baidu.

2. Add a HOOK.h header file to the project. and a HOOK.cpp implementation file.

3. Write the code.

The code in the HOOK.h.

#pragma once#define mywindapiexport __declspec (dllexport)hhook g_hookproc;   //                      the hook procedure defined as the global hook returns void mywindapiexport sethook (); // set hook hooks.          Our startup function. The export function. External settings hookvoid  mywindapiexport unhook ();                         Cancel Settings Hooklresult CALLBACK MyProc (int nCode, WPARAM WPARAM, LPARAM LPARAM); Set the callback function required during the hook

The HOOK.cpp code.

#include <Windows.h>#include"Hooks. H"voidMywindapiexport sethook () {G_hookproc=:: SetWindowsHookEx (WH_CBT, Myproc,getmodulehandle (TEXT ("Win32Project1.dll")),0);//parameter 1. The type of hook. The callback address module handle for the hook. Thread ID, 0 for global hooks    }voidmywindapiexport unhook ()//Cancel Settings hook{if(NULL! =g_hookproc):: UnhookWindowsHookEx (G_hookproc);} LRESULT CALLBACK MyProc (intNCode, WPARAM WPARAM, LPARAM LPARAM)//our own procedures for processing{    /*to execute our program*/:: MessageBox (NULL, NULL, NULL, NULL); returnCallNextHookEx (G_hookproc, NCode, WParam, LParam); Continue calling the hook procedure}

The. h + CPP above is our code. Then we need an external program to call our export function Sethook () and unhook.

Because the Sethook and unhook export functions are used in DLLs. There are two ways we want to use these two functions.

1. Static call: When the DLL is generated, the corresponding Lib will be generated. We need to add the. h header file to our program. Use the macro directive to include the. lib file.

2. Dynamic invocation. A dynamic call involves two APIs. One is Loadlibaray () GetProcAddress () The first is an instance handle to get the DLL. The second is to get the address of the function based on the instance handle and the function name. Also known as a function pointer.

The first method is used here. If the second method is used. But our code needs to be extends "C" to export. Otherwise the name is crushed. Then the function pointer is not obtained by filling in the function name with GetProcAddress.

New MFC Project.

1. Add the HOOK.h header file.

2. Use the macro command to include our DLL's lib #pragam comment (lib, "Xxxx.lib")

3. Call the Export function Sethook in the hook button click position.

4. In the Unhook button point position. Call the export function Unhook.

1. Interface:

　　

2. Our original HOOK.H file.

3. Static use of Lib library.

4. Click on the function call inside the button.

5. Use the tool to see if DLL injection is recommended as a pchunter tool.

Can see that it has been injected.

PS: Because we are writing a 32-bit DLL, the injected program is 32-bit. If it is a 64-bit DLL then the injection into the program should be 64. For more information, please inquire at MSDN Setwindoshookex.

Three, the principle of explanation

So much of the operation. The principle should not be too understanding.

In fact, SetWindowsHookEx is in the process of application execution. Add a layer for us. And we provide a callback address so when the operation comes, we will notify us of the callback. We can do our thing with the callback function at this time.

Like what:

A functions, B functions, and C functions. The normal execution process is a function call b b called C.

And we added a layer.

A-we (using CallNextHookEx to decide whether to call the next procedure) is->b->c

A-We (not the case) do not call B.

DLL How to inject doubt?

We write so much. No DLL is injected for QQ or any other 32-bit program. Why is the DLL injected?

Principle:

The principle is our window program. A callback is set directly using the SetWindowsHookEx inside the DLL. This API sets this callback for all applications globally. If a 32-bit program triggers a callback, then our DLL will be injected into it.

 

The

Common injection technique, IV, SETWINDOWSHOOKEX global hook injection. And inject QQ32 bit in combat.