我的使用createremotethread控制excel右键的源程序

利用CreateRemoteThread将dll写进excel.exe.利用SetWindowLong()改变excel中右键消息。dll源程序:
#include <windows.h>

// DLL entry point: accepts every attach/detach reason unconditionally
// (the parameters are unnamed and never inspected).
BOOL __stdcall DllMain(HANDLE, DWORD, LPVOID)
{
    return TRUE;
}

/* Left over from an attempt to place the globals below in a shared data
   section; kept commented out by the author:
   #pragma data_seg("shared")
   #pragma data_seg()
   #pragma comment(linker,"/SECTION:shared,rws") */

// Original window procedure saved by HookExcelRightMenu; NULL until the
// subclass is installed.
WNDPROC g_lpfnOldWndProc;
// Window handed to HookExcelRightMenu; used as the MessageBox owner.
HWND g_hMsgWnd;

// Replacement window procedure installed over the target window.
//  - WM_RBUTTONDOWN: shows a message box and returns 1 without forwarding,
//    so the original right-click handling never runs.
//  - WM_CLOSE: calls ExitProcess(0), which terminates the whole host process
//    (Excel) immediately instead of letting it handle the close normally.
//  - anything else: forwarded to the saved procedure, or to DefWindowProc
//    when none was saved.
// The catch(...) swallows every exception; the function then returns 0.
LRESULT APIENTRY HookExcelWndProc(HWND hWnd, UINT wMessage, WPARAM wParam, LPARAM lParam)
{
    try
    {
        switch (wMessage)
        {
        case WM_RBUTTONDOWN:
            MessageBox(g_hMsgWnd, "u click the r button", "", MB_OK);
            return 1;
            break;   // unreachable after the return above
        case WM_CLOSE:
            ::ExitProcess(0);   // kills the host process; WM_CLOSE is never forwarded
            break;
        default:
            if (NULL == g_lpfnOldWndProc)
                return DefWindowProc(hWnd, wMessage, wParam, lParam);
            else
                return CallWindowProc(g_lpfnOldWndProc, hWnd, wMessage, wParam, lParam);
        }
    }
    catch (...)
    {
    }
    return 0;
}

// Hook entry the injector resolves by export ordinal 1 (see ControlExcelThread
// below): subclasses hwnd via SetWindowLong(GWL_WNDPROC), then runs a
// GetMessage loop on the calling thread and returns TRUE only when that loop
// ends (WM_QUIT).
// NOTE(review): the loop runs on the injected thread, not on the thread that
// owns hwnd, so whether it ever receives hwnd's messages is not established by
// this code. GWL_WNDPROC and the LONG cast are valid only for 32-bit builds;
// 64-bit code needs SetWindowLongPtr/GWLP_WNDPROC.
LRESULT __stdcall HookExcelRightMenu(HWND hwnd)
{
    g_hMsgWnd = hwnd;
    g_lpfnOldWndProc = (WNDPROC)::SetWindowLong(hwnd, GWL_WNDPROC, (LONG)HookExcelWndProc);
    MSG msg;
    while (::GetMessage(&msg, NULL, 0, 0))
    {
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }
    return TRUE;
}

注入进程源程序:
#include <windows.h>
#include <tlhelp32.h>

// Size of the executable region allocated in the target and the number of
// bytes copied from ControlExcelThread into it — a fixed size, not the
// function's actual length.
const int MAXINJECTSIZE = 10240;

// Function-pointer types for the kernel32 routines the injected thread calls
// through INJECT_DLL rather than by name.
typedef HMODULE (__stdcall * LPLOADLIBRARY)(LPCTSTR);
typedef FARPROC (__stdcall * LPGETPROCADDRESS)(HMODULE, LPCTSTR);
typedef BOOL (__stdcall * LPFREELIBRARY)(HMODULE);
// Signature of the DLL's hook export (HookExcelRightMenu in the DLL above).
typedef LRESULT (__stdcall * LPHookExcelRightMenu)(HWND);

// Parameter block written into the target process and passed to the remote
// thread. The three function pointers are resolved in the injector process
// and used unchanged in the target, which presumes kernel32 is mapped at the
// same base address in both processes.
typedef struct
{
    LPLOADLIBRARY prcLoadLib;
    LPGETPROCADDRESS prcGetProcAddr;
    LPFREELIBRARY prcFreeLib;
    TCHAR szLibPath[MAX_PATH + 1];   // path of the DLL to load in the target
    HWND hInjectWnd;                 // window handed to the hook export
} INJECT_DLL, *LPINJECT_DLL;

// Looks up a process id by executable name (case-insensitive, stricmp) via a
// ToolHelp snapshot; returns 0 when not found. Currently unused: the call in
// InJectDllIntoProcess is commented out.
// Known issues: hSnapshot is never checked against INVALID_HANDLE_VALUE and
// leaks on the early `return 0`; the loop calls Process32Next before
// comparing the entry filled by Process32First, so the first process in the
// snapshot is never examined.
DWORD GetProcessIdFromName(LPCTSTR name)
{
    PROCESSENTRY32 pe;
    DWORD id = 0;
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    pe.dwSize = sizeof(PROCESSENTRY32);
    if (!Process32First(hSnapshot, &pe))
        return 0;   // hSnapshot leaks here
    do
    {
        pe.dwSize = sizeof(PROCESSENTRY32);
        if (Process32Next(hSnapshot, &pe) == FALSE)
            break;
        if (stricmp(pe.szExeFile, name) == 0)
        {
            id = pe.th32ProcessID;
            break;
        }
    } while (1);
    CloseHandle(hSnapshot);
    return id;
}

// Enables SeDebugPrivilege on the current process token before the target is
// opened; this is what lets OpenProcess succeed on processes the caller's
// token could not otherwise open. All failures are silent.
// Known issues: hToken is closed only on the failure paths and leaks when
// AdjustTokenPrivileges succeeds; a non-zero return from
// AdjustTokenPrivileges does not by itself mean the privilege was granted
// (GetLastError() == ERROR_NOT_ALL_ASSIGNED is not checked), and only tokens
// that already hold SeDebugPrivilege — normally administrators — can enable
// it.
void EnableDebugPriv(void)
{
    HANDLE hToken;
    LUID sedebugnameValue;
    TOKEN_PRIVILEGES tkp;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
    {
        CloseHandle(hToken);
        return;
    }
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = sedebugnameValue;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL))
        CloseHandle(hToken);   // success path never closes hToken
}

// Code that is copied byte-for-byte into the target process and run there as
// the remote thread (see InJectDllIntoProcess). It therefore calls nothing by
// name: every routine comes through the INJECT_DLL block it receives.
// Steps: load the DLL at szLibPath, resolve export ordinal 1 (intended to be
// HookExcelRightMenu), call it with hInjectWnd, free the DLL. The -1/-2/-3
// return codes are negative values stored in a DWORD.
// check_stack(off) is presumably there so the compiler emits no stack-probe
// call that would not resolve in the target's address space; likewise the
// try/catch depends on C++ EH tables the copied bytes cannot reference —
// whether it behaves once relocated is not shown here.
#pragma check_stack(off)
static DWORD __stdcall ControlExcelThread(LPVOID lpVoid)
{
    try
    {
        LPINJECT_DLL lpInject = (LPINJECT_DLL)lpVoid;
        if (NULL == lpInject)
            return -1;
        HMODULE hMod = lpInject->prcLoadLib(lpInject->szLibPath);
        if (NULL == hMod)
            return -2;
        LPHookExcelRightMenu lpHookExcelRightMenu;
        lpHookExcelRightMenu = (LPHookExcelRightMenu)lpInject->prcGetProcAddr(hMod, MAKEINTRESOURCE(1));
        if (!lpHookExcelRightMenu)
        {
            lpInject->prcFreeLib(hMod);
            return -3;
        }
        lpHookExcelRightMenu(lpInject->hInjectWnd);   // does not return while the DLL's message loop runs
        lpInject->prcFreeLib(hMod);
    }
    catch (...)
    {
        return -1;
    }
    return 0;
}
#pragma check_stack(on)

// Loads the DLL into the process that owns hwnd by remote-thread injection:
// OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx (one RWX region for the
// code, one RW region for the parameter block) -> WriteProcessMemory ->
// CreateRemoteThread. This is the canonical sequence that endpoint
// monitoring and kernel/ETW telemetry key on; it needs SeDebugPrivilege or a
// target the caller already owns. pstrProcessName is unused — the PID comes
// from hwnd.
// Returns -1 (no PID), -2 (OpenProcess failed), -3 (kernel32 not loadable);
// otherwise 0, even when CreateRemoteThread fails (the error code is stored
// in dwThreadId and discarded).
// Known issues: exactly MAXINJECTSIZE bytes are copied from
// &ControlExcelThread regardless of the function's real size, so the copy
// reads whatever follows it in the image; the DLL path is hard-coded to a
// developer machine; hModule is never freed; hInjectTarget leaks on the -3
// path; hInjectThread is uninitialized if the try body leaves via the catch;
// hInjectTarget is closed before the two VirtualFreeEx calls that use it.
// The TEXT()/LPCSTR mix assumes an ANSI build (GetProcAddress takes LPCSTR).
LRESULT InJectDllIntoProcess(LPCSTR pstrProcessName, HWND hwnd)
{
    DWORD dwProcessID = 0;
    // dwProcessID=GetProcessIdFromName(pstrProcessName);
    GetWindowThreadProcessId(hwnd, &dwProcessID);
    if (dwProcessID < 1)
        return -1;
    EnableDebugPriv();
    HANDLE hInjectTarget = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessID);
    if (!hInjectTarget)
        return -2;
    INJECT_DLL pstInjectDll;
    memset(&pstInjectDll, 0x0, sizeof(INJECT_DLL));
    HMODULE hModule = ::LoadLibrary(TEXT("kernel32"));
    if (!hModule)
        return -3;   // hInjectTarget leaks on this path
    pstInjectDll.prcLoadLib = (LPLOADLIBRARY)::GetProcAddress(hModule, TEXT("LoadLibraryA"));
    pstInjectDll.prcFreeLib = (LPFREELIBRARY)::GetProcAddress(hModule, TEXT("FreeLibrary"));
    pstInjectDll.prcGetProcAddr = (LPGETPROCADDRESS)::GetProcAddress(hModule, TEXT("GetProcAddress"));
    pstInjectDll.hInjectWnd = hwnd;
    lstrcpy(pstInjectDll.szLibPath, TEXT("E://KDCP//backup//dll//injectdll//debug//injectdll.dll"));
    LPBYTE lpExcelAddr = (LPBYTE)::VirtualAllocEx(hInjectTarget, NULL, MAXINJECTSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    LPINJECT_DLL param = (LPINJECT_DLL)VirtualAllocEx(hInjectTarget, 0, sizeof(INJECT_DLL), MEM_COMMIT, PAGE_READWRITE);
    // Neither allocation is null-checked and neither write result is examined.
    WriteProcessMemory(hInjectTarget, lpExcelAddr, &ControlExcelThread, MAXINJECTSIZE, 0);
    WriteProcessMemory(hInjectTarget, param, &pstInjectDll, sizeof(INJECT_DLL), 0);
    DWORD dwThreadId = 0;
    HANDLE hInjectThread;
    try
    {
        hInjectThread = ::CreateRemoteThread(hInjectTarget, NULL, 0, (LPTHREAD_START_ROUTINE)lpExcelAddr, param, 0, &dwThreadId);
    }
    catch (...)
    {
    }
    if (!hInjectThread)
        dwThreadId = ::GetLastError();   // recorded but never returned to the caller
    else
        CloseHandle(hInjectThread);
    CloseHandle(hInjectTarget);
    ::VirtualFreeEx(hInjectTarget, lpExcelAddr, 0, MEM_RELEASE);   // handle already closed above
    ::VirtualFreeEx(hInjectTarget, param, 0, MEM_RELEASE);
    return 0;
}

// Entry point: walks Excel's window class hierarchy XLMAIN -> XLDESK -> EXCEL7
// to reach the worksheet window and injects into its process. The EXCEL7
// lookup is not null-checked; with a NULL hwnd, GetWindowThreadProcessId
// presumably leaves dwProcessID at 0 and InJectDllIntoProcess returns -1.
// `void main()` is non-standard (should be `int main()`), and the return
// value of InJectDllIntoProcess is discarded.
void main()
{
    HWND hwnd;
    hwnd = FindWindowEx(NULL, NULL, "XLMAIN", NULL);
    if (hwnd)
    {
        hwnd = FindWindowEx(hwnd, NULL, "XLDESK", NULL);
        if (hwnd)
        {
            hwnd = FindWindowEx(hwnd, NULL, "EXCEL7", NULL);
            InJectDllIntoProcess("excel.exe", hwnd);
        }
    }
}
