Interfere Win32 message loop with injected DLL code (SetWindowsHookEx)

Hello everybody!

After hours of penetrating Google I ended up here. I'll come straight to the point: I'm about to "refresh" my C/C++ skills and gain experience with the unmanaged world again. As a "basic" task I developed a little key logger (which is just a few lines with the Windows API) but now I want to extend it with a "stealth" feature. Therefore I threw the code into a Win32 DLL, its content you find here. As you will notice, there is a very problematic part in it:

    MSG msg;
    BOOL bRet;

    while ((bRet = GetMessage(&msg, NULL, 0, 0)) != 0)
    {
        if (bRet == -1)
        {
            return FALSE;
        }
        else
        {
            TranslateMessage(&msg);
            DispatchMessage(&msg);
        }
    }

Yes, it's an ordinary message loop - which causes trouble in my case. I inject this DLL into a "victim" executable (eg VLC media player) to fool AV/Application firewalls and it works so far, the injection itself passes flawlessly. Now comes the big BUT: of course the endless while-loop now freezes the whole target application (without it, my hook callback never gets executed) which wasn't really planned... After diving through half of the MSDN library and trying a lot of "solutions" Google gave me, I give up.

Is it even possible to evaluate the message loop of the "victim" process without blocking its own business but providing my keyboard hook callback to work?

Sincerely yours, Nefarius

Okay, first off, you're doing way too much in your dll entry point function. For one thing - and this is straight from MSDN - "There are serious limits on what you can do in a DLL entry point". Also, while in the dll entry point the loader lock is held so no other libraries can be loaded/unloaded. So seeing as you're running your message loop (by calling InstallHook()) in the DLL entry point, you're really throwing a stick in the bicycle spokes, so to speak.

Now with that out of the way, getting it to work is pretty simple. When the DLL is loaded, create a new thread at InstallHook and you should be good to go. Now your message loop will be in its own thread with its own message queue (or at least it should, windows messaging still kinda confuses me).

    case DLL_PROCESS_ATTACH:
        CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)InstallHook, (void*)NULL, 0, NULL);

You shouldn't have a message loop there. The application you're injecting into already has a message loop (unless it's a console app, which doesn't deal with messages anyway). Just let your hook do its thing when the host's message loop processes its messages as it normally would.
