C++: Inject a DLL into cmd.exe to monitor commands

I am trying to inject a DLL into cmd.exe which will hook the input commands and save them to a file. I managed to do the injection and get some of the info I want using a hook on WH_KEYBOARD.

How can I hook the input of the cmd.exe process in some other way, rather than hooking keyboard events?

You can look through the WinAPI calls cmd.exe makes and find one that takes the command string as an argument and hook it, e.g. with Microsoft Detours. You could also hook cmd.exe's internal functions, but this is less portable.

I loaded the cmd.exe I have on my Windows system (Windows 10 v1511 x86_64) into x64dbg and there are two calls to ReadConsoleW. The first one:

Address=00007FF6331A29CC
Disassembly=call qword ptr ds:[<&ReadConsoleW>]
Destination=cmd.&ReadConsoleW

is called after processing every command entered via the console.

Per the x64 fastcall convention, its second argument (the buffer) is pointed to by rdx. While it is formally an output parameter, prior to calling the function it points to a CRLF-terminated copy of the entered command.

You can either hook that call or trace back from there and find a more suitable place to hook.
