Interfering with the Win32 message loop from injected DLL code (SetWindowsHookEx)
Hello everybody!
After hours of penetrating Google I ended up here. I'll come straight to the point: I'm about to "refresh" my C/C++ skills and gain experience with the unmanaged world again. As a "basic" task I developed a little key logger (which is just a few lines with the Windows API), but now I want to extend it with a "stealth" feature. Therefore I threw the code into a Win32 DLL; its content you find here. As you will notice, there is a very problematic part in it:
#include <windows.h>

/* The loop as posted, given the function context the return value implies.
 * Runs until GetMessage returns 0 (WM_QUIT); returns FALSE if GetMessage
 * reports an error (-1). Whatever thread calls this stays inside the loop
 * for as long as the loop runs. */
static BOOL RunMessageLoop(void)
{
    MSG msg;
    BOOL bRet;
    while( (bRet = GetMessage( &msg, NULL, 0, 0 )) != 0)
    {
        if (bRet == -1)
        {
            return FALSE;
        }
        else
        {
            TranslateMessage(&msg);
            DispatchMessage(&msg);
        }
    }
    return TRUE;
}
Yes, it's an ordinary message loop - which causes trouble in my case. I inject this DLL into a "victim" executable (e.g. VLC media player) to fool AV/application firewalls and it works so far, the injection itself passes flawlessly. Now comes the big BUT: of course the endless while-loop now freezes the whole target application (without it, my hook callback never gets executed), which wasn't really planned... After diving through half of the MSDN library and trying a lot of "solutions" Google gave me, I give up.
Is it even possible to evaluate the message loop of the "victim" process without blocking its own business, but still letting my keyboard hook callback work?
Sincerely yours,
Nefarius
Okay, first off, you're doing way too much in your DLL entry point function. For one thing - and this is straight from MSDN - "There are serious limits on what you can do in a DLL entry point". Also, while in the DLL entry point the loader lock is held, so no other libraries can be loaded/unloaded. So seeing as you're running your message loop (by calling InstallHook()) in the DLL entry point, you're really throwing a stick in the bicycle spokes, so to speak.
Now with that out of the way, getting it to work is pretty simple. When the DLL is loaded, create a new thread at InstallHook and you should be good to go. Now your message loop will be in its own thread with its own message queue (or at least it should; Windows messaging still kinda confuses me).
You shouldn't have a message loop there. The application you're injecting into already has a message loop (unless it's a console app, which doesn't deal with messages anyway). Just let your hook do its thing when the host's message loop processes its messages as it normally would.