为什么HOOK不到其它的进程?
// hookdll.cpp : Defines the initialization routines for the DLL.
//
#include "stdafx.h"
#include <afxdllx.h>
#include "hookdll.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
// Patches the import address table (IAT) of the module hMod so that its
// MessageBoxA entry points at MyMessageBoxA (defined below). Only that one
// module's own IAT is touched; MessageBoxA calls made from any other module
// loaded in the same process are not affected.
BOOL SetHook(HMODULE hMod);
// Function-pointer type matching the MessageBoxA signature.
typedef int (WINAPI *PFNMESSAGEBOX)(HWND, LPCSTR, LPCSTR, UINT uType);
// Real address of MessageBoxA, captured when this DLL is loaded. Each
// process gets its own copy (this variable is not in the shared section
// below). MyMessageBoxA forwards to it and SetHook uses it to recognise the
// IAT slot to patch.
PROC g_orgProc = (PROC)MessageBoxA;
// The variables between the two data_seg pragmas live in a named section that
// the linker directive below marks read/write/shared (RWS): one copy is
// mapped into every process that loads this DLL. NOTE(review): any process
// that loads the DLL can read and overwrite these values, so nothing read
// from here can be treated as trustworthy, and a bad write from one process
// breaks the hook for all of them.
#pragma data_seg (".shared")
HWND glhPrevTarWnd=NULL;
// Window the mouse was over last time; only cleared by stophook in this
// listing, never read here.
HWND glhDisplayWnd=NULL;
// Edit box that displays the target window's title; only cleared by stophook
// in this listing, never read here.
HHOOK glhHook=NULL;
// Handle of the installed Windows hook (a WH_GETMESSAGE hook, despite the
// name "mousehook"; see starthook). Needed by MouseProc for CallNextHookEx
// and by stophook for UnhookWindowsHookEx.
HINSTANCE glhInstance=NULL;
// Instance handle of this DLL, set in DllMain and passed to
// SetWindowsHookEx so the system knows which DLL to load into other processes.
#pragma data_seg ()
#pragma comment(linker,"/SECTION:.shared,RWS")
// Hook procedure installed by starthook; defined below.
LRESULT WINAPI MouseProc(int nCode,WPARAM wparam,LPARAM lparam);
// Replacement for MessageBoxA that SetHook installs in the patched IAT.
// The caller's text and caption are discarded: the box is shown through the
// real MessageBoxA (g_orgProc) with a fixed message and caption, while the
// caller's owner window and style flags are passed through unchanged.
// Returns whatever the real MessageBoxA returns.
int WINAPI MyMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
    UNREFERENCED_PARAMETER(lpText);
    UNREFERENCED_PARAMETER(lpCaption);
    const PFNMESSAGEBOX pfnRealMessageBox = reinterpret_cast<PFNMESSAGEBOX>(g_orgProc);
    return pfnRealMessageBox(hWnd, "终于HOOK到了,不好意思哈~~", "HOOK", uType);
}
// MFC extension-module record for this DLL; filled in by
// AfxInitExtensionModule in DllMain and released by AfxTermExtensionModule.
static AFX_EXTENSION_MODULE HookdllDLL = { NULL, NULL };
extern "C" int APIENTRY
DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
// Remove this if you use lpReserved
UNREFERENCED_PARAMETER(lpReserved);
if (dwReason == DLL_PROCESS_ATTACH)
{
TRACE0("HOOKDLL.DLL Initializing!\n");
// Extension DLL one-time initialization
if (!AfxInitExtensionModule(HookdllDLL, hInstance))
return 0;
// Insert this DLL into the resource chain
// NOTE: If this Extension DLL is being implicitly linked to by
// an MFC Regular DLL (such as an ActiveX Control)
// instead of an MFC application, then you will want to
// remove this line from DllMain and put it in a separate
// function exported from this Extension DLL. The Regular DLL
// that uses this Extension DLL should then explicitly call that
// function to initialize this Extension DLL. Otherwise,
// the CDynLinkLibrary object will not be attached to the
// Regular DLL's resource chain, and serious problems will
// result.
new CDynLinkLibrary(HookdllDLL);
glhInstance=hInstance;
}
else if (dwReason == DLL_PROCESS_DETACH)
{
TRACE0("HOOKDLL.DLL Terminating!\n");
// Terminate the library before destructors are called
AfxTermExtensionModule(HookdllDLL);
}
return 1; // ok
}
// Constructs the hook controller. There is nothing to initialise: all hook
// state lives in the shared globals declared at the top of this file.
Cmousehook::Cmousehook()
{
}
// Destroys the controller, removing the hook if one is still installed so the
// hook does not outlive the object that installed it.
Cmousehook::~Cmousehook()
{
    (void)stophook(); // result deliberately ignored: nothing useful to do with it in a destructor
}
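// Installs the WH_GETMESSAGE hook whose procedure (MouseProc) lives in this
// DLL, and records hWnd as the display window (glhDisplayWnd).
//
// Thread id 0 makes the hook global: the system loads this DLL into every
// process on the desktop that pumps messages, which is what lets MouseProc run
// inside the watched process. The hook handle is kept in the shared section so
// stophook can remove it from any process.
//
// Returns TRUE if a hook is installed after the call (either newly installed
// or already present), FALSE if SetWindowsHookEx failed; GetLastError gives
// the reason. The original always returned 1, hiding installation failures.
BOOL Cmousehook::starthook(HWND hWnd)
{
    glhDisplayWnd = hWnd;
    if (glhHook != NULL)
    {
        // A hook is already installed. Installing another would overwrite the
        // shared handle and leave the first hook with no way to remove it.
        return TRUE;
    }
    glhHook = SetWindowsHookEx(WH_GETMESSAGE, MouseProc, glhInstance, 0);
    return glhHook != NULL;
}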
// Removes the hook installed by starthook and clears the shared window
// handles. Returns the result of UnhookWindowsHookEx, or FALSE when no hook
// is installed. The shared variables are only cleared when the unhook
// succeeded, so a failed unhook can be retried.
BOOL Cmousehook::stophook()
{
    if (!glhHook)
        return FALSE;
    const BOOL bUnhooked = UnhookWindowsHookEx(glhHook);
    if (bUnhooked)
    {
        glhHook = NULL;
        glhPrevTarWnd = NULL;
        glhDisplayWnd = NULL;
    }
    return bUnhooked;
}
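// WH_GETMESSAGE hook procedure. It runs in every process that pumps messages
// while the hook is installed. Inside the process whose id the "被HOOK的"
// window reports (via WM_USER+100), it patches that process's main module so
// MessageBoxA calls reach MyMessageBoxA, and draws a marker on the window.
//
// Author's note (translated): "this is the spot - it hooks when the target is
// this process, but not when it is another process; SetWindowsHookEx is
// already global, yet it still does not work." NOTE(review): SetHook only
// rewrites the main executable's own import table, so a MessageBoxA call made
// through any other module in the target process is not redirected, and the
// result of the patch was never checked, so a failure stayed silent. Those
// are the first two things to verify in the other process. This definition
// also appears twice in the posted listing; a file containing both will not
// build, so keep one copy.
//
// nCode, wparam and lparam are the standard GetMsgProc arguments and are
// always forwarded to CallNextHookEx.
LRESULT WINAPI MouseProc(int nCode, WPARAM wparam, LPARAM lparam)
{
    // Hook-procedure contract: a negative code must be passed on untouched.
    if (nCode < 0)
        return CallNextHookEx(glhHook, nCode, wparam, lparam);

    HWND hdlg = ::FindWindow(0, "被HOOK的");
    if (hdlg != NULL)
    {
        // The target window answers WM_USER+100 with its process id.
        // NOTE: SendMessage blocks this hook until the other process replies.
        DWORD dwPIDWatched = static_cast<DWORD>(::SendMessage(hdlg, (WM_USER + 100), 0, 0));
        DWORD dwCurrentPID = GetCurrentProcessId();
        if (dwCurrentPID == dwPIDWatched)
        {
            // Patch once per process: after a successful patch the IAT slot no
            // longer holds the original address and the main module's import
            // table does not change, so rescanning on every message is wasted
            // work. This static is per process (it is not in the shared section).
            static BOOL s_bIatPatched = FALSE;
            if (!s_bIatPatched)
                s_bIatPatched = SetHook(::GetModuleHandle(NULL));
            HDC hdc = ::GetDC(hdlg);
            if (hdc != NULL)
            {
                TextOut(hdc, 50, 50, "哈哈哈", strlen("哈哈哈"));
                // The original never released the DC, leaking one per message.
                ::ReleaseDC(hdlg, hdc);
            }
        }
    }
    // Keep the message flowing to the next hook in the chain.
    return CallNextHookEx(glhHook, nCode, wparam, lparam);
}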
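// Redirects module hMod's import of MessageBoxA to MyMessageBoxA by
// overwriting the matching slot in hMod's import address table (IAT).
//
// Walks the in-memory PE image: DOS header -> NT headers -> import
// directory, finds the descriptor for user32.dll (the module MessageBoxA is
// exported from), then scans that descriptor's IAT for the slot still holding
// the original MessageBoxA address (g_orgProc) and overwrites it with the
// address of MyMessageBoxA.
//
// Only hMod's own IAT is touched; other modules in the process keep calling
// the real MessageBoxA. Each IAT slot is treated as a DWORD, so this is
// 32-bit-only code.
//
// Returns TRUE if the slot was found and rewritten. Returns FALSE if hMod is
// NULL, is not a valid PE image, has no import directory, does not import
// from user32.dll, has no slot holding the original address, or the write
// fails (the original reported TRUE even when WriteProcessMemory failed).
BOOL SetHook(HMODULE hMod)
{
    if (hMod == NULL)
        return FALSE;
    BYTE* pBase = reinterpret_cast<BYTE*>(hMod);
    IMAGE_DOS_HEADER* pDosHeader = reinterpret_cast<IMAGE_DOS_HEADER*>(pBase);
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return FALSE;
    // The original computed "e_lfanew + 24" to reach the optional header
    // (4-byte Signature + 20-byte FILE_HEADER); the struct expresses the same
    // offset without the magic number and lets the NT signature be checked.
    IMAGE_NT_HEADERS* pNtHeaders =
        reinterpret_cast<IMAGE_NT_HEADERS*>(pBase + pDosHeader->e_lfanew);
    if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
        return FALSE;
    const IMAGE_DATA_DIRECTORY& importDir =
        pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (importDir.VirtualAddress == 0)
        return FALSE; // no import table: nothing to patch (the original would have read hMod itself as a descriptor)
    IMAGE_IMPORT_DESCRIPTOR* pImportDesc =
        reinterpret_cast<IMAGE_IMPORT_DESCRIPTOR*>(pBase + importDir.VirtualAddress);
    // Find the user32.dll descriptor. The descriptor array ends with an
    // all-zero entry, hence the FirstThunk test.
    for (; pImportDesc->FirstThunk; ++pImportDesc)
    {
        const char* pszDllName = reinterpret_cast<const char*>(pBase + pImportDesc->Name);
        if (lstrcmpiA(pszDllName, "user32.dll") == 0)
            break;
    }
    if (!pImportDesc->FirstThunk)
        return FALSE; // hMod does not import anything from user32.dll
    // FirstThunk points at the IAT: a zero-terminated array of IMAGE_THUNK_DATA,
    // each one DWORD holding a resolved function address.
    for (IMAGE_THUNK_DATA* pThunk =
             reinterpret_cast<IMAGE_THUNK_DATA*>(pBase + pImportDesc->FirstThunk);
         pThunk->u1.Function; ++pThunk)
    {
        DWORD* lpAddr = reinterpret_cast<DWORD*>(&(pThunk->u1.Function));
        if (*lpAddr != reinterpret_cast<DWORD>(g_orgProc))
            continue;
        // Overwrite the slot, equivalent to "*lpAddr = (DWORD)MyMessageBoxA;".
        // WriteProcessMemory is kept from the original (presumably because the
        // IAT page need not be writable for a plain store - confirm), and its
        // result is now returned instead of being ignored.
        DWORD* lpNewProc = reinterpret_cast<DWORD*>(MyMessageBoxA);
        const BOOL bWritten = ::WriteProcessMemory(::GetCurrentProcess(),
                                                   lpAddr, &lpNewProc, sizeof(DWORD), NULL);
        return bWritten ? TRUE : FALSE;
    }
    return FALSE;
}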
///////////////////////////////////////////////////////////////////////////////
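// WH_GETMESSAGE hook procedure. It runs in every process that pumps messages
// while the hook is installed. Inside the process whose id the "被HOOK的"
// window reports (via WM_USER+100), it patches that process's main module so
// MessageBoxA calls reach MyMessageBoxA, and draws a marker on the window.
//
// Author's note (translated): "this is the spot - it hooks when the target is
// this process, but not when it is another process; SetWindowsHookEx is
// already global, yet it still does not work." NOTE(review): SetHook only
// rewrites the main executable's own import table, so a MessageBoxA call made
// through any other module in the target process is not redirected, and the
// result of the patch was never checked, so a failure stayed silent. Those
// are the first two things to verify in the other process. This definition
// also appears twice in the posted listing; a file containing both will not
// build, so keep one copy.
//
// nCode, wparam and lparam are the standard GetMsgProc arguments and are
// always forwarded to CallNextHookEx.
LRESULT WINAPI MouseProc(int nCode, WPARAM wparam, LPARAM lparam)
{
    // Hook-procedure contract: a negative code must be passed on untouched.
    if (nCode < 0)
        return CallNextHookEx(glhHook, nCode, wparam, lparam);

    HWND hdlg = ::FindWindow(0, "被HOOK的");
    if (hdlg != NULL)
    {
        // The target window answers WM_USER+100 with its process id.
        // NOTE: SendMessage blocks this hook until the other process replies.
        DWORD dwPIDWatched = static_cast<DWORD>(::SendMessage(hdlg, (WM_USER + 100), 0, 0));
        DWORD dwCurrentPID = GetCurrentProcessId();
        if (dwCurrentPID == dwPIDWatched)
        {
            // Patch once per process: after a successful patch the IAT slot no
            // longer holds the original address and the main module's import
            // table does not change, so rescanning on every message is wasted
            // work. This static is per process (it is not in the shared section).
            static BOOL s_bIatPatched = FALSE;
            if (!s_bIatPatched)
                s_bIatPatched = SetHook(::GetModuleHandle(NULL));
            HDC hdc = ::GetDC(hdlg);
            if (hdc != NULL)
            {
                TextOut(hdc, 50, 50, "哈哈哈", strlen("哈哈哈"));
                // The original never released the DC, leaking one per message.
                ::ReleaseDC(hdlg, hdc);
            }
        }
    }
    // Keep the message flowing to the next hook in the chain.
    return CallNextHookEx(glhHook, nCode, wparam, lparam);
}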
为什么只对本进程有效呢?被HOOK的程序是我自己写的,调用的是MessageBoxA(),所以不存在MessageBoxW()的问题吧.