wn32拦截ExtTextOut屏幕取词
在windows下,要实现屏幕取词,可以通过拦截 ExtTextOutA,ExtTextOutW,TextOutA,TextOutW,这4个API来实现,另外4个DrawTextExA,DrawTextExW,DrawTextA,DrawTextW 貌似是调用前面4个去实现的,具体我没有去验证过。
本文示例为通过拦截 ExtTextOutW 这个API可以实现屏幕取词的部分功能。
它的函数定义为:
BOOL WINAPI ExtTextOutW(HDC hdc, int x, int y, UINT options, CONST RECT * lprect, LPCWSTR lpString, UINT c, CONST INT * lpDx);
其中lpString参数包含了字符串地址信息,我们只需要到目标进程拦截这个API,然后读取lpString里面的字符数据,然后显示到一个文本框里面,就行了。
要实现这个功能,需要做两件事:
1. 安装一个全局鼠标钩子,拦截WM_MOUSEMOVE消息。
2. 如果检查到鼠标在屏幕的某处停留时间超过1秒,则在鼠标所在的窗口进程挂上API钩子,取得所需信息后,立即摘掉API钩子。
注意:该程序必须在Release版本下运行,如果是DeBug版本的话,因为编译器没做优化和加了一些debug代码,所以会内存读写报错
===========================================
下面是生成mousehook.dll的代码:
// dllmain.cpp : 定义 DLL 的初始化例程。
//
#include "stdafx.h"
#include <afxwin.h>
#include <afxdllx.h>
#include "MyMouseHook.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#endif
extern HINSTANCE hInstanceHook;
static AFX_EXTENSION_MODULE MouseHookDLL = { NULL, NULL };
extern "C" int APIENTRY
DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
// 如果使用 lpReserved,请将此移除
UNREFERENCED_PARAMETER(lpReserved);
if (dwReason == DLL_PROCESS_ATTACH)
{
TRACE0("MouseHook.DLL 正在初始化!\n");
// 扩展 DLL 一次性初始化
if (!AfxInitExtensionModule(MouseHookDLL, hInstance))
return 0;
// 将此 DLL 插入到资源链中
// 注意: 如果此扩展 DLL 由
// MFC 规则 DLL (如 ActiveX 控件)隐式链接到,
// 而不是由 MFC 应用程序链接到,则需要
// 将此行从 DllMain 中移除并将其放置在一个
// 从此扩展 DLL 导出的单独的函数中。使用此扩展 DLL 的
// 规则 DLL 然后应显式
// 调用该函数以初始化此扩展 DLL。否则,
// CDynLinkLibrary 对象不会附加到
// 规则 DLL 的资源链,并将导致严重的
// 问题。
new CDynLinkLibrary(MouseHookDLL);
hInstanceHook=hInstance;
// WM_MY_MOUSEMOVE=RegisterWindowMessage(WM_MY_MOUSEMOVE_MSG);
}
else if (dwReason == DLL_PROCESS_DETACH)
{
TRACE0("MouseHook.DLL 正在终止!\n");
// 在调用析构函数之前终止该库
AfxTermExtensionModule(MouseHookDLL);
}
return 1; // 确定
}
//MyMouseHook.h
//
#pragma once
#define WM_MY_MOUSEMOVE (WM_USER+10)
// CMyMoueHook 命令目标
class AFX_EXT_CLASS CMyMouseHook : public CObject
{
public:
CMyMouseHook();
virtual ~CMyMouseHook();
public:
BOOL StartHook(HWND hWnd); //安装钩子函数
BOOL StopHook(HWND hWnd); //卸载钩子函数
};
// MyMoueHook.cpp : 实现文件
//
#include "stdafx.h"
#include "MyMouseHook.h"
#pragma data_seg("mydata")
HWND hWnd_Mouse=NULL; //设置需要捕获鼠标消息的窗口句柄,即所有鼠标消息都会另外发送一份消息到该窗口
#pragma data_seg()
#pragma comment(linker,"/SECTION:mydata,RWS")
HHOOK hHook=NULL; //鼠标钩子句柄
HINSTANCE hInstanceHook=NULL; //插入保存DLL实例句柄
extern "C" LRESULT WINAPI MouseProc(int nCode, WPARAM wParam, LPARAM lParam)
{
if(nCode < 0)
{
CallNextHookEx(hHook, nCode, wParam, lParam);
return 0;
}
if(nCode>=0)
{
LPMSG msg=(LPMSG)lParam;
if(msg->message==WM_MOUSEMOVE || msg->message==WM_NCMOUSEMOVE)
{
PostMessage(hWnd_Mouse, WM_MY_MOUSEMOVE, 0, 0);
// PostMessage(hWnd_Mouse, WM_MOUSEMOVE, 0, 0);
}
}
return CallNextHookEx(hHook,nCode,wParam,lParam); //继续传递钩子信息
}
// CMyMoueHook
CMyMouseHook::CMyMouseHook()
{
}
CMyMouseHook::~CMyMouseHook()
{
// StopHook();
}
// CMyMoueHook 成员函数
BOOL CMyMouseHook::StartHook(HWND hWnd)
{
if(hHook==NULL)
{
hHook=SetWindowsHookExW(WH_GETMESSAGE,(HOOKPROC)MouseProc,hInstanceHook,0);
if(hHook!=NULL)
{
hWnd_Mouse=hWnd; //设置需要捕获鼠标消息的窗口句柄
return TRUE;
}
}else
{
if(hWnd_Mouse!=NULL)
{
if(hWnd_Mouse==hWnd)
{
return FALSE; //该窗口句柄已经hook了
}else
{
hWnd_Mouse=hWnd; //设置需要捕获鼠标消息的窗口句柄,这样将会覆盖前一个句柄
return TRUE;
}
}
}
return FALSE; //failed to set hook
}
BOOL CMyMouseHook::StopHook(HWND hWnd)
{
if(hWnd!=hWnd_Mouse || hWnd==NULL){return FALSE;}
BOOL bResult=UnhookWindowsHookEx(hHook);
if(bResult){hWnd_Mouse=NULL;hHook=NULL;}
return bResult;
}
==========================
下面是实现屏幕取词的代码:
// pingmuquciDlg.h : 头文件
//
#pragma once
#include "afxwin.h"
#include "../mousehook/MyMouseHook.h"
#define WM_HOOK_TEXTOUT (WM_USER+101)
typedef struct _RemoteParam
{
DWORD dwTextOut;
DWORD dwExtTextOut;
DWORD dwPostMessage;
DWORD dwSendMessage;
DWORD dwGetCurrentProcess;
DWORD dwWriteProcessMemory;
DWORD dwMessageBox;
unsigned char oldCode[10];
unsigned char newCode[10];
DWORD FunAddr;
BOOL bHookAlready; //是否挂上API钩子
HWND hwnd; //安放钩子的那个窗口句柄
LPCWSTR lpString; //专门用于保存TextOut的字符串地址
wchar_t info[260];
} RemoteParam, * pRemoteParam;
// CpingmuquciDlg 对话框
class CpingmuquciDlg : public CDialogEx
{
// 构造
public:
CpingmuquciDlg(CWnd* pParent = NULL); // 标准构造函数
// 对话框数据
enum { IDD = IDD_PINGMUQUCI_DIALOG };
protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV 支持
// 实现
protected:
HICON m_hIcon;
// 生成的消息映射函数
virtual BOOL OnInitDialog();
afx_msg void OnSysCommand(UINT nID, LPARAM lParam);
afx_msg void OnPaint();
afx_msg HCURSOR OnQueryDragIcon();
DECLARE_MESSAGE_MAP()
public:
CMyMouseHook m_mouse_hook;
CEdit m_edit;
BOOL is_quci_open;
CString m_edit_str;
HWND m_hwnd_hook;
BOOL bHookAlready; //是否挂钩子的标志
unsigned char oldcode[10]; //用来保存API的原始代码
unsigned char newcode[10]; //用来保存API修改后的代码
DWORD dwFunAddr;
DWORD dwPramaAddr;
HANDLE m_hProcess;
DWORD m_dwProcessId;
int size_Func;
int size_Pramam;
RemoteParam m_RParam;
public:
BOOL enableDebugPriv(); //提升进程访问权限
DWORD processNameToId(LPCTSTR lpszProcessName); //根据进程名称得到进程ID,如果有多个运行实例的话,返回第一个枚举到的进程的ID
BOOL ClearHook(HANDLE hProcess); //清理钩子代码
BOOL HookOn(HANDLE hProcess); //挂上API钩子
BOOL HookOff(HANDLE hProcess); //摘掉API钩子
BOOL InitHook(HANDLE hProcess); //初始化API钩子
public:
afx_msg void OnBnClickedButton1(); //开启屏幕取词
afx_msg void OnBnClickedButton2(); //关闭屏幕取词
afx_msg void OnTimer(UINT_PTR nIDEvent);
protected:
afx_msg LRESULT OnHookTextout(WPARAM wParam, LPARAM lParam);
afx_msg LRESULT OnMyMousemove(WPARAM wParam, LPARAM lParam);
};
// //拦截 ExtTextOut(...),并实现一个粗糙的屏幕取词功能 // //作者:过客 //邮箱:[email protected] //日期:2014.04.27 // // pingmuquciDlg.cpp : 实现文件 // #include "stdafx.h" #include "pingmuquci.h" #include "pingmuquciDlg.h" #include "afxdialogex.h" #include <TlHelp32.h> #ifdef _DEBUG #define new DEBUG_NEW #endif #define TIME_ID_1 1 #pragma comment(lib,"../Debug/mousehook.lib") // 用于应用程序“关于”菜单项的 CAboutDlg 对话框 class CAboutDlg : public CDialogEx { public: CAboutDlg(); // 对话框数据 enum { IDD = IDD_ABOUTBOX }; protected: virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV 支持 // 实现 protected: DECLARE_MESSAGE_MAP() }; CAboutDlg::CAboutDlg() : CDialogEx(CAboutDlg::IDD) { } void CAboutDlg::DoDataExchange(CDataExchange* pDX) { CDialogEx::DoDataExchange(pDX); } BEGIN_MESSAGE_MAP(CAboutDlg, CDialogEx) END_MESSAGE_MAP() // CpingmuquciDlg 对话框 CpingmuquciDlg::CpingmuquciDlg(CWnd* pParent /*=NULL*/) : CDialogEx(CpingmuquciDlg::IDD, pParent) { m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME); is_quci_open=FALSE; m_edit_str=_T(""); m_hwnd_hook=NULL; bHookAlready=FALSE; dwFunAddr=NULL; dwPramaAddr=NULL; m_hProcess=NULL; m_dwProcessId=NULL; size_Func=0; size_Pramam=0; ::memset(oldcode,0,10); ::memset(newcode,0,10); } void CpingmuquciDlg::DoDataExchange(CDataExchange* pDX) { CDialogEx::DoDataExchange(pDX); DDX_Control(pDX, IDC_EDIT1, m_edit); } BEGIN_MESSAGE_MAP(CpingmuquciDlg, CDialogEx) ON_WM_SYSCOMMAND() ON_WM_PAINT() ON_WM_QUERYDRAGICON() ON_BN_CLICKED(IDC_BUTTON1, &CpingmuquciDlg::OnBnClickedButton1) ON_BN_CLICKED(IDC_BUTTON2, &CpingmuquciDlg::OnBnClickedButton2) ON_MESSAGE(WM_HOOK_TEXTOUT, &CpingmuquciDlg::OnHookTextout) ON_WM_TIMER() ON_MESSAGE(WM_MY_MOUSEMOVE, &CpingmuquciDlg::OnMyMousemove) END_MESSAGE_MAP() // CpingmuquciDlg 消息处理程序 BOOL CpingmuquciDlg::OnInitDialog() { CDialogEx::OnInitDialog(); // 将“关于...”菜单项添加到系统菜单中。 // IDM_ABOUTBOX 必须在系统命令范围内。 ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX); ASSERT(IDM_ABOUTBOX < 0xF000); CMenu* pSysMenu = GetSystemMenu(FALSE); if (pSysMenu != NULL) { BOOL bNameValid; CString strAboutMenu; bNameValid = strAboutMenu.LoadString(IDS_ABOUTBOX); ASSERT(bNameValid); if (!strAboutMenu.IsEmpty()) { pSysMenu->AppendMenu(MF_SEPARATOR); pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu); } } // 设置此对话框的图标。当应用程序主窗口不是对话框时,框架将自动 // 执行此操作 SetIcon(m_hIcon, TRUE); // 设置大图标 SetIcon(m_hIcon, FALSE); // 设置小图标 // TODO: 在此添加额外的初始化代码 return TRUE; // 除非将焦点设置到控件,否则返回 TRUE } void CpingmuquciDlg::OnSysCommand(UINT nID, LPARAM lParam) { if ((nID & 0xFFF0) == IDM_ABOUTBOX) { CAboutDlg dlgAbout; dlgAbout.DoModal(); } else { CDialogEx::OnSysCommand(nID, lParam); } } // 如果向对话框添加最小化按钮,则需要下面的代码 // 来绘制该图标。对于使用文档/视图模型的 MFC 应用程序, // 这将由框架自动完成。 void CpingmuquciDlg::OnPaint() { if (IsIconic()) { CPaintDC dc(this); // 用于绘制的设备上下文 SendMessage(WM_ICONERASEBKGND, reinterpret_cast<WPARAM>(dc.GetSafeHdc()), 0); // 使图标在工作区矩形中居中 int cxIcon = GetSystemMetrics(SM_CXICON); int cyIcon = GetSystemMetrics(SM_CYICON); CRect rect; GetClientRect(&rect); int x = (rect.Width() - cxIcon + 1) / 2; int y = (rect.Height() - cyIcon + 1) / 2; // 绘制图标 dc.DrawIcon(x, y, m_hIcon); } else { CDialogEx::OnPaint(); } } //当用户拖动最小化窗口时系统调用此函数取得光标 //显示。 HCURSOR CpingmuquciDlg::OnQueryDragIcon() { return static_cast<HCURSOR>(m_hIcon); } //========================================================================== //typedef HANDLE (__stdcall * PFN_CREATEFILE)(LPCWSTR,DWORD,DWORD,LPSECURITY_ATTRIBUTES,DWORD,DWORD,HANDLE); typedef int (__stdcall * PFN_MESSAGEBOX)(HWND, LPCWSTR, LPCWSTR, DWORD); typedef BOOL (__stdcall * PFN_WRITEPROCESSMEMORY)(HANDLE,LPVOID,LPCVOID,SIZE_T,SIZE_T*); typedef HANDLE (__stdcall * PFN_GETCURRENTPROCESS)(void); //typedef BOOL (__stdcall * PFN_TEXTOUT)(HDC, int, int, LPCSTR, int); typedef BOOL (__stdcall * PFN_TEXTOUT)(HDC, int, int, LPCWSTR, int); //typedef BOOL (__stdcall * PFN_EXTTEXTOUT)(HDC, int, int, UINT, CONST RECT*, LPCSTR, UINT, CONST INT*); typedef BOOL (__stdcall * PFN_EXTTEXTOUT)(HDC, int, int, UINT, CONST RECT*, LPCWSTR, UINT, CONST INT*); typedef BOOL (__stdcall * PFN_POSTMESSAGE)(HWND, UINT, WPARAM, LPARAM); typedef BOOL (__stdcall * PFN_SENDMESSAGE)(HWND, UINT, WPARAM, LPARAM); typedef int (__stdcall * PFN_MESSAGEBOX)(HWND, LPCWSTR, LPCWSTR, DWORD); void HookTextOut(LPVOID lParam) { RemoteParam* pRP=(RemoteParam*)lParam; DWORD dwParamaAddr=0; //自定义结构体的地址 DWORD NextIpAddr=0; //CPU下一个IP地址 HDC hdc=NULL; //设备描述表句柄,画图用的 int x=0; //字符串的开始位置 x坐标 int y=0; //字符串的开始位置 y坐标 UINT options=0; CONST RECT *lprect=NULL; LPCWSTR lpString=NULL; //字符串指针 int c=0; //字符串中字符的个数 CONST INT * lpDx=NULL; BOOL Res=FALSE; //API TextOut 的返回值 //下面的汇编代码是将TextOut(...)里面的6个参数和另外两个变量(dwParamaAddr和NextIpAddr)保存到变量中,以便后面调用 __asm { MOV EAX,[EBP+8] //注意是[EBP+8],而不是[EBP+4] MOV [dwParamaAddr], EAX MOV EAX,[EBP+12] MOV [NextIpAddr], EAX MOV EAX,[EBP+16] MOV [hdc], EAX MOV EAX,[EBP+20] MOV [x], EAX MOV EAX,[EBP+24] MOV [y], EAX MOV EAX,[EBP+28] MOV [options], EAX MOV EAX,[EBP+32] MOV [lprect], EAX MOV EAX,[EBP+36] MOV [lpString], EAX MOV EAX,[EBP+40] MOV [c], EAX MOV EAX,[EBP+44] MOV [lpDx], EAX } PFN_GETCURRENTPROCESS pfnGetCurrentProcess=(PFN_GETCURRENTPROCESS)pRP->dwGetCurrentProcess; PFN_WRITEPROCESSMEMORY pfnWriteProcessMemory=(PFN_WRITEPROCESSMEMORY)pRP->dwWriteProcessMemory; PFN_TEXTOUT pfnTextOut=(PFN_TEXTOUT)pRP->dwTextOut; PFN_EXTTEXTOUT pfnExtTextOut=(PFN_EXTTEXTOUT)pRP->dwExtTextOut; PFN_POSTMESSAGE pfnPostMessage=(PFN_POSTMESSAGE)pRP->dwPostMessage; PFN_SENDMESSAGE pfnSendMessage=(PFN_SENDMESSAGE)pRP->dwSendMessage; PFN_MESSAGEBOX pfnMessageBox=(PFN_MESSAGEBOX)pRP->dwMessageBox; //恢复API原来的样子,即摘掉API钩子 pfnWriteProcessMemory(pfnGetCurrentProcess(), (LPVOID)pfnExtTextOut, (LPCVOID)pRP->oldCode, 10, NULL); //调用正常的TextOut // Res=pfnTextOut(hdc, x, y, lpString, c); Res=pfnExtTextOut(hdc, x, y, options, lprect, lpString, c, lpDx); //下面的代码是将TextOut里面的lpString悄悄发送给我们挂钩子的windows应用程序 if(pRP->hwnd!=NULL) { pRP->lpString=lpString; // pfnPostMessage(pRP->hwnd, WM_HOOK_TEXTOUT, MAKELONG(0,0), MAKELONG(0,0)); //进程间通信 pfnSendMessage(pRP->hwnd, WM_HOOK_TEXTOUT, MAKELONG(0,0), MAKELONG(0,0)); //进程间通信 } // int allowFlag = pfnMessageBox(NULL, lpString, pRP->info, MB_ICONWARNING | MB_YESNO); //下面代码是善后工作,这个非常重要,如果没有的话,EIP将回不到调用TextOut(...)的下一条命令,这条命令在"notepad.exe"的领空 //而不是kernel32.dll的领空,要切记。 __asm { POP EDI POP ESI POP EBX MOV EDX, [NextIpAddr] //调用TextOut(...)这一命令的下一条命令地址 MOV EAX, [Res] //函数返回值要放到EAX寄存器里,这一句可省略,原因是pfnTextOut(...)会自动将结果存入EAX MOV ESP, EBP POP EBP // MOV ESP, EBP ADD ESP, 11*4 //此处为了平衡栈,可以进一步优化 PUSH EDX RET //ret指令用栈中的数据(即edx里面的地址),修改IP的内容,注意不修改CS的内容,retf才是 } } BOOL CpingmuquciDlg::enableDebugPriv() { HANDLE hToken; LUID sedebugnameValue; TOKEN_PRIVILEGES tkp; if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) { return FALSE; } if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue)) { CloseHandle(hToken); return FALSE; } tkp.PrivilegeCount = 1; tkp.Privileges[0].Luid = sedebugnameValue; tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; //特权启用 if(!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)) //启用指定访问令牌的特权 { CloseHandle(hToken); return FALSE; } return TRUE; } DWORD CpingmuquciDlg::processNameToId(LPCTSTR lpszProcessName) { HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); PROCESSENTRY32 pe; pe.dwSize = sizeof(PROCESSENTRY32); if(!Process32First(hSnapshot, &pe)) { MessageBox(_T("The frist entry of the process list has not been copyied to the buffer"), _T("Notice"), MB_ICONINFORMATION | MB_OK); return 0; } while(Process32Next(hSnapshot, &pe)) //循环查找下一个进程 { if(!strcmp(lpszProcessName, pe.szExeFile)) //找到了 { return pe.th32ProcessID; } } return 0; } BOOL CpingmuquciDlg::InitHook(HANDLE hProcess) { //提升进程访问权限 if(!enableDebugPriv()) { printf("提升进程访问权限 Error!\n"); return -1; } //定义线程体的大小,实际分配的内存大小是页内存大小的整数倍 size_Func=1024*8; dwFunAddr = (DWORD)VirtualAllocEx(hProcess, NULL, size_Func, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if((LPVOID)dwFunAddr == NULL) { printf("申请线程内存失败!\n"); CloseHandle(hProcess); return FALSE; } size_Pramam=sizeof(RemoteParam); dwPramaAddr = (DWORD)VirtualAllocEx(hProcess, NULL, size_Pramam, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if((LPVOID)dwPramaAddr == NULL) { printf("申请参数内存失败!\n"); CloseHandle(hProcess); return FALSE; } // RemoteParam m_RParam; ZeroMemory(&m_RParam, sizeof(m_RParam)); HMODULE hKernel32 = LoadLibrary("kernel32.dll"); HMODULE hUser32 = LoadLibrary("user32.dll"); HMODULE hGdi32 = LoadLibrary("gdi32.dll"); m_RParam.dwTextOut = (DWORD)GetProcAddress(hGdi32, "TextOutW"); m_RParam.dwExtTextOut = (DWORD)GetProcAddress(hGdi32, "ExtTextOutW"); m_RParam.dwGetCurrentProcess = (DWORD)GetProcAddress(hKernel32, "GetCurrentProcess"); m_RParam.dwWriteProcessMemory = (DWORD)GetProcAddress(hKernel32, "WriteProcessMemory"); m_RParam.dwPostMessage = (DWORD)GetProcAddress(hUser32, "PostMessageW"); m_RParam.dwSendMessage = (DWORD)GetProcAddress(hUser32, "SendMessageW"); m_RParam.dwMessageBox = (DWORD)GetProcAddress(hUser32, "MessageBoxW"); m_RParam.bHookAlready=TRUE; m_RParam.hwnd=m_hwnd_hook; m_RParam.lpString=NULL; wchar_t str2[]={L"我拦截API成功了,哈哈^o^"}; ::wmemcpy_s(m_RParam.info,sizeof(m_RParam.info),str2,sizeof(str2)); for(int i=15; i<31; i++){m_RParam.info[i]=L'\0';} // unsigned char oldcode[10]; // unsigned char newcode[10]; int praadd = (int)dwPramaAddr; int threadadd = (int)dwFunAddr; newcode[4] = praadd>>24; newcode[3] = (praadd<<8)>>24; newcode[2] = (praadd<<16)>>24; newcode[1] = (praadd<<24)>>24; newcode[0] = 0x68; //0x68: push newcode[1..4],参数先压栈 int offsetaddr = threadadd - (int)m_RParam.dwExtTextOut - 10 ; newcode[9] = offsetaddr>>24; newcode[8] = (offsetaddr<<8)>>24; newcode[7] = (offsetaddr<<16)>>24; newcode[6] = (offsetaddr<<24)>>24; newcode[5] = 0xE8; //0xE8: call newcode[6..9],然后调用函数 for(int i = 0; i < 10; i++){m_RParam.newCode[i]=newcode[i];} CString str_oldcode; str_oldcode="m_RParam.NewCode: "; for(int i = 0; i< 10; i++){CString str;str.Format("0x%.2x ", m_RParam.newCode[i]);str_oldcode+=str;} str_oldcode+="\r\n"; DWORD dwRead = 0; if(!ReadProcessMemory(GetCurrentProcess(), (LPCVOID)m_RParam.dwExtTextOut, oldcode, 10, &dwRead)) { printf("read error"); CloseHandle(hProcess); FreeLibrary(hKernel32); FreeLibrary(hUser32); FreeLibrary(hGdi32); return FALSE; } strcat((char*)m_RParam.oldCode, (char*)oldcode); m_RParam.FunAddr = dwFunAddr; str_oldcode+="m_RParam.OldCode: "; for(int i = 0; i< 10; i++){CString str;str.Format("0x%.2x ", m_RParam.oldCode[i]);str_oldcode+=str;} str_oldcode+="\n"; DWORD dwWrite = 0; if(!WriteProcessMemory(hProcess, (LPVOID)dwFunAddr, (LPVOID)&HookTextOut, size_Func, &dwWrite)) { printf("WriteRemoteProcessesMemory Error 1 !\n"); CloseHandle(hProcess); FreeLibrary(hKernel32); FreeLibrary(hUser32); FreeLibrary(hGdi32); return FALSE; } if(!WriteProcessMemory(hProcess, (LPVOID)dwPramaAddr, (LPVOID)&m_RParam, sizeof(RemoteParam), &dwWrite)) { printf("WriteRemoteProcessesMemory Error 2 !\n"); CloseHandle(hProcess); FreeLibrary(hKernel32); FreeLibrary(hUser32); FreeLibrary(hGdi32); return FALSE; } FreeLibrary(hKernel32); FreeLibrary(hUser32); FreeLibrary(hGdi32); CString str; str.Format("m_RParam.dwExtTextOut:%.8x\r\nRParam.dwMessageBox:%.8x\r\nRParam.dwGetCurrentProcess:%.8x\r\nRParam.dwWriteProcessMemory:%.8x\r\nRParam.FunAddr:%.8x\r\ndwPramaAddr=%.8x\r\n", m_RParam.dwExtTextOut, m_RParam.dwMessageBox, m_RParam.dwGetCurrentProcess, m_RParam.dwWriteProcessMemory, m_RParam.FunAddr, dwPramaAddr); str+=str_oldcode; m_edit.SetWindowText(str); return TRUE; } BOOL CpingmuquciDlg::ClearHook(HANDLE hProcess) { HookOff(m_hProcess); VirtualFreeEx(m_hProcess, (LPVOID)dwFunAddr, 0, MEM_RELEASE); //MEM_DECOMMIT仅标示内存空间不可用,内存页还将存在。MEM_RELEASE完全回收。 VirtualFreeEx(m_hProcess, (LPVOID)dwPramaAddr, 0, MEM_RELEASE); //MEM_DECOMMIT仅标示内存空间不可用,内存页还将存在。MEM_RELEASE完全回收。 dwFunAddr=NULL; dwPramaAddr=NULL; m_hProcess=NULL; return TRUE; } BOOL CpingmuquciDlg::HookOn(HANDLE hProcess) { DWORD dwWrite=0; if(!WriteProcessMemory(hProcess, (LPVOID)m_RParam.dwExtTextOut, (LPVOID)newcode, 10, &dwWrite)) //挂上API钩子 { printf("WriteRemoteProcessesMemory Error 4 !\n"); return FALSE; } return TRUE; } BOOL CpingmuquciDlg::HookOff(HANDLE hProcess) { DWORD dwWrite=0; if(!WriteProcessMemory(hProcess, (LPVOID)m_RParam.dwExtTextOut, (LPVOID)oldcode, 10, &dwWrite)) //摘掉API钩子 { printf("WriteRemoteProcessesMemory Error 5 !\n"); return FALSE; } return TRUE; } void CpingmuquciDlg::OnBnClickedButton1() //打开API钩子 { m_hwnd_hook=this->GetSafeHwnd(); //将对话框设置为安装API钩子的元凶 m_mouse_hook.StartHook(m_hwnd_hook); //开启全局鼠标钩子 } void CpingmuquciDlg::OnBnClickedButton2() //关闭API钩子 { m_mouse_hook.StopHook(m_hwnd_hook); //关闭全局鼠标钩子 } afx_msg LRESULT CpingmuquciDlg::OnHookTextout(WPARAM wParam, LPARAM lParam) { wchar_t str[200]; ZeroMemory(str, sizeof(str)/sizeof(wchar_t)); RemoteParam RParam; ZeroMemory(&RParam, sizeof(RParam)); DWORD dwRead=0; if(!ReadProcessMemory(m_hProcess, (LPCVOID)dwPramaAddr, &RParam, sizeof(RParam), &dwRead)) { printf("read error"); CloseHandle(m_hProcess); return 1; } if(!ReadProcessMemory(m_hProcess, (LPCVOID)RParam.lpString, str, sizeof(str), &dwRead)) { printf("read error"); CloseHandle(m_hProcess); return 1; } char sss[400]; ZeroMemory(sss, sizeof(sss)/sizeof(char)); int len=WideCharToMultiByte(CP_ACP,0,str,-1,NULL,0,NULL,NULL); WideCharToMultiByte(CP_ACP,0,str,-1,sss,len,NULL,NULL); //宽字符转多字节字符 m_edit.SetWindowText(sss); //将截取来的字符串显示到对话框的文本框里面 return 0; } void CpingmuquciDlg::OnTimer(UINT_PTR nIDEvent) { // TODO: 在此添加消息处理程序代码和/或调用默认值 if(nIDEvent==TIME_ID_1) { this->KillTimer(TIME_ID_1); POINT pt; GetCursorPos(&pt); CWnd* pWnd=WindowFromPoint(pt); if(pWnd!=NULL) { HWND hwnd=pWnd->GetSafeHwnd(); DWORD dwProcessId=NULL; GetWindowThreadProcessId(hwnd, &dwProcessId); //获取进程ID if(dwProcessId!=NULL) { if(m_dwProcessId!=dwProcessId) { if(m_hProcess!=NULL){ClearHook(m_hProcess);} m_hProcess=OpenProcess(PROCESS_VM_OPERATION|PROCESS_VM_WRITE|PROCESS_VM_READ, FALSE, dwProcessId); m_dwProcessId=dwProcessId; InitHook(m_hProcess); } HookOn(m_hProcess); //挂上API钩子 RECT rc; rc.left=pt.x-2; rc.right=pt.x+2; rc.top=pt.y; rc.bottom=pt.y+4; pWnd->ScreenToClient(&rc); pWnd->InvalidateRect(&rc); //使矩形区域失效,放入WM_PAINT消息 pWnd->UpdateWindow(); //强制更新 HookOff(m_hProcess); //摘掉API钩子 } } } CDialogEx::OnTimer(nIDEvent); } afx_msg LRESULT CpingmuquciDlg::OnMyMousemove(WPARAM wParam, LPARAM lParam) { this->KillTimer(TIME_ID_1); this->SetTimer(TIME_ID_1,1000,NULL); //设置鼠标在屏幕某处停留1秒的时钟 return 0; }
=================================================
效果截图:
