C利用句柄操作窗口Word格式文档下载.docx



}return().TrimEnd('

;

'

);

}privatestaticstringGetBaseMark(stringsMark){string[]sMarks=('

returnsMarks[-1].Split('

:

)[0];

}privatestaticstring[]GetChildMarks(stringsMark){string[]sMarks=('

string[]sChildMarks=newstring[-1];

for(inti=0;

i<

;

i++){sChildMarks[i]=sMarks[i];

}returnsChildMarks;

}.是不是都匹配foreach(IntPtrbaseHwndinbaseHwnds){IntPtrhandle=baseHwnd;

for(inti=-1;

i>

=0;

i--){string[]sChildMark=sChildMarks[i].Split('

try{handle=(handle,UnEscape(sChildMark[0]))[(sChildMark[1])];

}catch{break;

}if(i==0)returnnewWinHWND(handle);

}continue;

}returnnull;

}#region转义privatestaticstringEscape(stringarg){return("

"

\\:

).Replace("

"

\\;

}privatestaticstringUnEscape(stringarg){return("

}#endregionpublicstaticWinHWNDGetWinHWND(){returnnewWinHWND()));

}}

上全部代码,里面加了窗口的部分属性,扩展其他的属性,自己发挥吧,就是搞WinAPI

usingSystem;

usingusing;

using;

namespaceInformationCollectionDataFill{publicclassWinAPI{#regionWinodwsAPI[DllImport("

FindWindow"

)]privatestaticexternIntPtrFindWindow(stringIpClassName,stringIpWindowName);

FindWindowEx"

)]privatestaticexternIntPtrFindWindowEx(IntPtrhwndParent,IntPtrhwndChildAfter,stringlpszClass,stringlpszWindow);

SendMessage"

)]privatestaticexternintSendMessage(IntPtrhWnd,intMsg,IntPtrwParam,stringlParam);

GetParent"

)]publicstaticexternIntPtrGetParent(IntPtrhWnd);

CharSet=,ExactSpelling=true)]publicstaticexternIntPtrWindowFromPoint(Pointpt);

CharSet=]publicstaticexternintGetClassName(IntPtrhWnd,StringBuilderlpClassName,intnMaxCount);

CharSet=]publicstaticexternintGetWindowText(IntPtrhWnd,[Out,MarshalAs]StringBuilderlpString,intnMaxCount);

CharSet=]publicstaticexternintGetWindowRect(IntPtrhwnd,refRectanglerc);

CharSet=]publicstaticexternintGetClientRect(IntPtrhwnd,refRectanglerc);

CharSet=]publicstaticexternintMoveWindow(IntPtrhwnd,intx,inty,intnWidth,intnHeight,boolbRepaint);

CharSet=,SetLastError=true,ExactSpelling=true)]publicstaticexternintScreenToClient(IntPtrhWnd,refRectanglerect);

#endregion#region封装API方法ndexOf;

}privateRectangleGetRect(){if==null)returndefault(Rectangle);

RectangleclientSize=;

RectangleclientPoint=);

returnnewRectangle,,,;

}publicstaticWinHWNDGetWinHWND(){returnnewWinHWND()));

i++){sChildMarks[i]=sMarks[i];

}#endregion}}

效果:

Post subject:

Dll Injection

This is my old tutorial on dll injection... people have been asking about this topic a bit recently, so... here it is:

Dll Injection Tutorial

by Darawk

 

Introduction

The CreateRemoteThread method

The SetWindowsHookEx method

The code cave method

Appendix A - Methods of obtaining a process ID

Appendix B - Methods of obtaining a thread ID

Appendix C - Complete CreateRemoteThread example source code

Appendix D - Complete SetWindowsHookEx example source code

Appendix E - Complete code cave example source code

In this tutorial I'll try to cover all of the known methods (or at least, those that I know =p) of injecting dll's into a process.

Dll injection is incredibly useful for TONS of stuff (game hacking, function hooking, code patching, keygenning, unpacking, etc..).

Though there are scattered tutorials on these techniques available throughout the web, I have yet to see any complete tutorials detailing all of them (there may even be more out there than I have here, of course), and comparing their respective strengths and weaknesses.

This is precisely what I'll attempt to do for you in this paper. You are free to reproduce or copy this paper, so long as proper credit is given and you don't modify it without speaking to me first.

I've used this in tons of stuff, and I only recently realized that a lot of people have never seen it, or know how to do it. I can't take credit for thinking it up... I got it from an article on codeproject, but it's a neat trick that I think more people should know how to use.

The trick is simple, and elegant. The Windows API provides us with a function called CreateRemoteThread(). This allows you to start a thread in another process. For our purposes, I'll assume you know how threading works, and how to use functions like CreateThread (if not, you can go here). The main disadvantage of this method is that it will work only on Windows NT and above. To prevent it from crashing, you should use this function to check to make sure you're on an NT-based system (thanks to CatID for pointing this out):

boolIsWindowsNT()

{

Now, normally we would want to start the thread executing on some internal function of the process that we are interacting with. However, to inject a dll, we have to do something a little bit different.

BOOLInjectDLL(DWORDProcessID){?

?

HANDLEProc;

?

charbuf[50]={0};

LPVOIDRemoteString,LoadLibAddy;

if(!

ProcessID)?

returnfalse;

Proc=OpenProcess(CREATE_THREAD_ACCESS,FALSE,ProcessID);

Proc)?

{?

sprintf(buf,"

OpenProcess()failed:

%d"

GetLastError());

MessageBox(NULL,buf,"

Loader"

NULL);

}?

LoadLibAddy=(LPVOID)GetProcAddress(GetModuleHandle("

),"

LoadLibraryA"

RemoteString=(LPVOID)VirtualAllocEx(Proc,NULL,strlen(DLL_NAME),MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE);

WriteProcessMemory(Proc,(LPVOID)RemoteString,DLL_NAME,strlen(DLL_NAME),NULL);

CreateRemoteThread(Proc,NULL,NULL,(LPTHREAD_START_ROUTINE)LoadLibAddy,(LPVOID)RemoteString,NULL,NULL);

CloseHandle(Proc);

returntrue;

}

HHOOKSetWindowsHookEx(?

intidHook,?

HOOKPROClpfn,?

HINSTANCEhMod,?

DWORDdwThreadId);

LRESULTCALLBACKCBTProc(intnCode,WPARAMwParam,LPARAMlParam){?

returnCallNextHookEx(0,nCode,wParam,lParam);

};

HMODULEhDll;

unsignedlongcbtProcAddr;

hDll?

=LoadLibrary("

cbtProcAddr=GetProcAddress(hDll,"

CBTProc"

BOOLInjectDll(char*dllName){?

HMODULEhDll;

unsignedlongcbtProcAddr;

hDll?

=LoadLibrary(dllName);

cbtProcAddr=GetProcAddress(hDll,"

SetWindowsHookEx(WH_CBT,cbtProcAddr,hDll,GetTargetThreadIdFromWindow("

targetApp"

));

returnTRUE;

__declspec(naked)loadDll(void){?

_asm{?

void*dllString,*stub;

unsignedlongwowID;

HANDLEhProcess?

unsignedlongthreadID;

HANDLEhThread;

threadID=GetTargetThreadIdFromProcname(PROC_NAME);

hThread?

=OpenThread((THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_SUSPEND_RESUME),false,threadID);

SuspendThread(hThread);

=CONTEXT_CONTROL;

GetThreadContext(hThread,&

ctx);

oldIP?

=;

WeneedVirtualProtect(loadDll,stubLen,PAGE_EXECUTE_READWRITE,&

oldprot);

Sleep(8000);

VirtualFreeEx(hProcess,dllString,strlen(DLL_NAME),MEM_DECOMMIT);

VirtualFreeEx(hProcess,stub,stubLen,MEM_DECOMMIT);

CloseHandle(hProcess);

CloseHandle(hThread);

unsignedlongGetTargetProcessIdFromWindow(char*className,char*windowName){?

unsignedlongprocID;

HWNDtargetWnd;

targetWnd=FindWindow(className,windowName);

 

GetWindowThreadProcessId(targetWnd,&

procId);

returnprocID;

unsignedlongGetTargetProcessIdFromProcname(char*procName){?

PROCESSENTRY32pe;

HANDLEthSnapshot;

BOOLretval,ProcFound=false;

thSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);

if(thSnapshot==INVALID_HANDLE_VALUE)?

MessageBox(NULL,"

Error:

unabletocreatetoolhelpsnapshot"

returnfalse;

=sizeof(PROCESSENTRY32);

retval=Process32First(thSnapshot,&

pe);

while(retval)?

if(StrStrI,procName))?

{?

ProcFound=true;

break;

retval 

=Process32Next(thSnapshot,&

=sizeof(PROCESSENTRY32);

return;

unsignedlongGetTargetThreadIdFromWindow(char*className,char*windowName){?

HANDLEhProcess?

unsignedlongprocessId,pTID,threadID;

GetWindowThreadProcessId(ta
