一个钩子问题

qinqin772 2016-02-01 05:24:57
这几天在看《逆向工程核心原理》时遇到一个问题:
书中的源码如下:
-----------------exe文件----------------------
#include "stdio.h"
#include "conio.h"
#include "windows.h"

#define DEF_DLL_NAME "KeyHook.dll"
#define DEF_HOOKSTART "HookStart"
#define DEF_HOOKSTOP "HookStop"

typedef void (*PFN_HOOKSTART)();
typedef void (*PFN_HOOKSTOP)();

void main()
{
HMODULE hDll = NULL;
PFN_HOOKSTART HookStart = NULL;
PFN_HOOKSTOP HookStop = NULL;
char ch = 0;

// KeyHook.dll 로딩
hDll = LoadLibraryA(DEF_DLL_NAME);
if( hDll == NULL )
{
printf("LoadLibrary(%s) failed!!! [%d]", DEF_DLL_NAME, GetLastError());
return;
}

// export 함수 주소 얻기
HookStart = (PFN_HOOKSTART)GetProcAddress(hDll, DEF_HOOKSTART);
HookStop = (PFN_HOOKSTOP)GetProcAddress(hDll, DEF_HOOKSTOP);

// 후킹 시작
HookStart();

// 사용자가 'q' 를 입력할 때까지 대기
printf("press 'q' to quit!\n");
while( _getch() != 'q' ) ;

// 후킹 종료
HookStop();

// KeyHook.dll 언로딩
FreeLibrary(hDll);
}
--------------------------------

----------------------dll文件-----------------------
#include "stdio.h"
#include "windows.h"

#define DEF_PROCESS_NAME "notepad.exe"

HINSTANCE g_hInstance = NULL;
HHOOK g_hHook = NULL;
HWND g_hWnd = NULL;

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpvReserved)
{
switch( dwReason )
{
case DLL_PROCESS_ATTACH:
g_hInstance = hinstDLL;
break;

case DLL_PROCESS_DETACH:
break;
}

return TRUE;
}

LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
{
char szPath[MAX_PATH] = {0,};
char *p = NULL;

if( nCode >= 0 )
{
// bit 31 : 0 => press, 1 => release
if( !(lParam & 0x80000000) )
{
GetModuleFileNameA(NULL, szPath, MAX_PATH);
p = strrchr(szPath, '\\');

// 현재 프로세스 이름을 비교해서 만약 notepad.exe 라면 0 아닌 값을 리턴함
// => 0 아닌 값을 리턴하면 메시지는 다음으로 전달되지 않음
if( !_stricmp(p + 1, DEF_PROCESS_NAME) )
return 1;
}
}

// 일반적인 경우에는 CallNextHookEx() 를 호출하여
// 응용프로그램 (혹은 다음 훅) 으로 메시지를 전달함
return CallNextHookEx(g_hHook, nCode, wParam, lParam);
}

#ifdef __cplusplus
extern "C" {
#endif
__declspec(dllexport) void HookStart()
{
g_hHook = SetWindowsHookEx(WH_KEYBOARD, KeyboardProc, g_hInstance, 0);
}

__declspec(dllexport) void HookStop()
{
if( g_hHook )
{
UnhookWindowsHookEx(g_hHook);
g_hHook = NULL;
}
}
#ifdef __cplusplus
}
#endif
--------------------------------------------------------------
编译运行后,按书中说道在windowsxp,win7/32位下没问题,

我在机器上运行了后(win7/64),出现了一个个问题
该程序 控制台窗口输入进一个字符就失去响应,其他的程序有的也同样是失去响应,只有少许程序,pdf,qq,notepad没有失去响应,为什么会出现这个样子呢?
...全文
196 6 打赏 收藏 转发到动态 举报
写回复
用AI写文章
6 条回复
切换为时间正序
请发表友善的回复…
发表回复
赵4老师 2016-02-03
  • 打赏
  • 举报
回复
只能建议楼主学习C/C++代码每句对应的64位汇编指令了。 VC调试时按Alt+8、Alt+7、Alt+6和Alt+5,打开汇编窗口、堆栈窗口、内存窗口和寄存器窗口看每句C对应的汇编、单步执行并观察相应堆栈、内存和寄存器变化,这样过一遍不就啥都明白了吗。 对VC来说,所谓‘调试时’就是编译连接通过以后,按F10或F11键单步执行一步以后的时候,或者在某行按F9设了断点后按F5执行停在该断点处的时候。
qinqin772 2016-02-02
  • 打赏
  • 举报
回复
引用 4 楼 bsnry 的回复:
https://msdn.microsoft.com/en-us/library/windows/desktop/ms644990(v=vs.85).aspx SetWindowsHookEx can be used to inject a DLL into another process. A 32-bit DLL cannot be injected into a 64-bit process, and a 64-bit DLL cannot be injected into a 32-bit process. If an application requires the use of hooks in other processes, it is required that a 32-bit application call SetWindowsHookEx to inject a 32-bit DLL into 32-bit processes, and a 64-bit application call SetWindowsHookEx to inject a 64-bit DLL into 64-bit processes. The 32-bit and 64-bit DLLs must have different names.
我也看到了这个段子,说32-bit application call setwindowshookex to inject 32-bit dll into 32-bit process,我用peview特意看了的,都是32位的optionalheader 我点击processexplorer后按键就 失去响应
赵4老师 2016-02-02
  • 打赏
  • 举报
回复
32位Hook和64位Hook的区别有多大楼主想象得出来吗? WinAPIOverridehttp://jacquelin.potier.free.fr/winapioverride32/
bsnry 2016-02-02
  • 打赏
  • 举报
回复
https://msdn.microsoft.com/en-us/library/windows/desktop/ms644990(v=vs.85).aspx SetWindowsHookEx can be used to inject a DLL into another process. A 32-bit DLL cannot be injected into a 64-bit process, and a 64-bit DLL cannot be injected into a 32-bit process. If an application requires the use of hooks in other processes, it is required that a 32-bit application call SetWindowsHookEx to inject a 32-bit DLL into 32-bit processes, and a 64-bit application call SetWindowsHookEx to inject a 64-bit DLL into 64-bit processes. The 32-bit and 64-bit DLLs must have different names.
qinqin772 2016-02-01
  • 打赏
  • 举报
回复
引用 1 楼 bsnry 的回复:
WH_KEYBOARD The WH_KEYBOARD hook enables an application to monitor message traffic for WM_KEYDOWN and WM_KEYUP messages about to be returned by the GetMessage or PeekMessage function. You can use the WH_KEYBOARD hook to monitor keyboard input posted to a message queue. For more information, see the KeyboardProc callback function.
哥们,你这没有解决我的问题啊~ 我是想问下,那本书的作者既然实验过了的话,而我在notepad.exe中输入字符时,确确实实接收不到,但是没有失去响应,但是其他的程序我只要按键,结果那个程序就失去响应了,这个现象是什么原因造成的?·············不过仍感谢你
bsnry 2016-02-01
  • 打赏
  • 举报
回复
WH_KEYBOARD The WH_KEYBOARD hook enables an application to monitor message traffic for WM_KEYDOWN and WM_KEYUP messages about to be returned by the GetMessage or PeekMessage function. You can use the WH_KEYBOARD hook to monitor keyboard input posted to a message queue. For more information, see the KeyboardProc callback function.

3,881

社区成员

发帖
与我相关
我的任务
社区描述
C/C++ 其它技术问题
社区管理员
  • 其它技术问题社区
加入社区
  • 近7日
  • 近30日
  • 至今
社区公告
暂无公告

试试用AI创作助手写篇文章吧