c利用句柄操作窗口Word下载.docx
《c利用句柄操作窗口Word下载.docx》由会员分享,可在线阅读,更多相关《c利用句柄操作窗口Word下载.docx(19页珍藏版)》请在冰豆网上搜索。
for(WinHWNDwinHandle=this;
winHandle!
=null;
winHandle=
("
{0}:
{1};
if==-1)break;
return().TrimEnd('
;
'
);
privatestaticstringGetBaseMark(stringsMark)
string[]sMarks=('
returnsMarks[-1].Split('
:
)[0];
privatestaticstring[]GetChildMarks(stringsMark)
string[]sChildMarks=newstring[-1];
for(inti=0;
i<
;
i++)
sChildMarks[i]=sMarks[i];
returnsChildMarks;
.是不是都匹配
foreach(IntPtrbaseHwndinbaseHwnds)
IntPtrhandle=baseHwnd;
for(inti=-1;
i>
=0;
i--)
string[]sChildMark=sChildMarks[i].Split('
try
handle=(handle,UnEscape(sChildMark[0]))[(sChildMark[1])];
catch
break;
if(i==0)returnnewWinHWND(handle);
continue;
returnnull;
#region转义
privatestaticstringEscape(stringarg)
return("
"
\\:
).Replace("
"
\\;
privatestaticstringUnEscape(stringarg)
#endregion
publicstaticWinHWNDGetWinHWND()
returnnewWinHWND()));
上全部代码,里面加了窗口的部分属性,扩展其他的属性,自己发挥吧,就是搞WinAPI
usingSystem;
using
using;
namespaceInformationCollectionDataFill
{
publicclassWinAPI
#regionWinodwsAPI
FindWindow"
privatestaticexternIntPtrFindWindow(stringIpClassName,stringIpWindowName);
FindWindowEx"
privatestaticexternIntPtrFindWindowEx(IntPtrhwndParent,IntPtrhwndChildAfter,stringlpszClass,stringlpszWindow);
SendMessage"
privatestaticexternintSendMessage(IntPtrhWnd,intMsg,IntPtrwParam,stringlParam);
GetParent"
publicstaticexternIntPtrGetParent(IntPtrhWnd);
CharSet=,ExactSpelling=true)]
CharSet=]
publicstaticexternintGetClassName(IntPtrhWnd,StringBuilderlpClassName,intnMaxCount);
publicstaticexternintGetWindowText(IntPtrhWnd,[Out,MarshalAs]StringBuilderlpString,intnMaxCount);
publicstaticexternintGetWindowRect(IntPtrhwnd,refRectanglerc);
publicstaticexternintGetClientRect(IntPtrhwnd,refRectanglerc);
publicstaticexternintMoveWindow(IntPtrhwnd,intx,inty,intnWidth,intnHeight,boolbRepaint);
CharSet=,SetLastError=true,ExactSpelling=true)]
publicstaticexternintScreenToClient(IntPtrhWnd,refRectanglerect);
#region封装API方法
ndexOf;
privateRectangleGetRect()
if==null)returndefault(Rectangle);
RectangleclientSize=;
RectangleclientPoint=);
returnnewRectangle,,,;
sChildMarks[i]=sMarks[i];
}
效果:
Postsubject:
DllInjection
Thisismyoldtutorialondllinjection...peoplehavebeenaskingaboutthistopicabitrecently,so...hereitis:
DllInjectionTutorial
byDarawk
Introduction
TheCreateRemoteThreadmethod
TheSetWindowsHookExmethod
Thecodecavemethod
AppendixA-MethodsofobtainingaprocessID
AppendixB-MethodsofobtainingathreadID
AppendixC-CompleteCreateRemoteThreadexamplesourcecode
AppendixD-CompleteSetWindowsHookExexamplesourcecode
AppendixE-Completecodecaveexamplesourcecode
Inthistutoriali'
lltrytocoveralloftheknownmethods(oratleast,thosethatIknow=p)ofinjectingdll'
sintoaprocess.
DllinjectionisincrediblyusefulforTONSofstuff(gamehacking,functionhooking,codepatching,keygenning,unpacking,etc..).
Thoughtherearescatteredtutorialsonthesetechniquesavailablethroughouttheweb,Ihaveyettoseeanycompletetutorialsdetailing
allofthem(theremayevenbemoreouttherethanIhavehere,ofcourse),andcomparingtheirrespectivestrength'
sandweakness'
s.
Thisispreciselywhati'
llattempttodoforyouinthispaper.Youarefreetoreproduceorcopythispaper,solongasproper
creditisgivenandyoudon'
tmodifyitwithoutspeakingtomefirst.
I'
veusedthisintonsofstuff,andIonlyrecentlyrealizedthatalotofpeoplehaveneverseenit,orknowhowtodoit.
Ican'
ttakecreditforthinkingitup...Igotitfromanarticleoncodeproject,butit'
saneattrickthatIthinkmore
peopleshouldknowhowtouse.
Thetrickissimple,andelegant.ThewindowsAPIprovidesuswithafunctioncalledCreateRemoteThread().Thisallowsyou
tostartathreadinanotherprocess.Forourpurposes,i'
llassumeyouknowhowthreadingworks,andhowtousefunctionslike
CreateThread(ifnot,youcangohere).ThemaindisadvantageofthismethodisthatitwillworkonlyonwindowsNTandabove.
Topreventitfromcrashing,youshouldusethisfunctiontochecktomakesureyou'
reonanNT-basedsystem(thankstoCatIDfor
pointingthisout):
boolIsWindowsNT()
Now,normallywewouldwanttostartthethreadexecutingonsomeinternalfunctionoftheprocessthatweareinteractingwith.
However,toinjectadll,wehavetodosomethingalittlebitdifferent.
BOOLInjectDLL(DWORDProcessID)
HANDLEProc;
charbuf[50]={0};
LPVOIDRemoteString,LoadLibAddy;
if(!
ProcessID)
returnfalse;
Proc=OpenProcess(CREATE_THREAD_ACCESS,FALSE,ProcessID);
Proc)
sprintf(buf,"
OpenProcess()failed:
%d"
GetLastError());
MessageBox(NULL,buf,"
Loader"
NULL);
LoadLibAddy=(LPVOID)GetProcAddress(GetModuleHandle("
),"
LoadLibraryA"
RemoteString=(LPVOID)VirtualAllocEx(Proc,NULL,strlen(DLL_NAME),MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE);
WriteProcessMemory(Proc,(LPVOID)RemoteString,DLL_NAME,strlen(DLL_NAME),NULL);
CreateRemoteThread(Proc,NULL,NULL,(LPTHREAD_START_ROUTINE)LoadLibAddy,(LPVOID)RemoteString,NULL,NULL);
?
CloseHandle(Proc);
returntrue;
HHOOKSetWindowsHookEx(?
intidHook,
HOOKPROClpfn,
HINSTANCEhMod,
DWORDdwThreadId
LRESULTCALLBACKCBTProc(intnCode,WPARAMwParam,LPARAMlParam)
returnCallNextHookEx(0,nCode,wParam,lParam);
};
HMODULEhDll;
unsignedlongcbtProcAddr;
hDll=LoadLibrary("
cbtProcAddr=GetProcAddress(hDll,"
CBTProc"
BOOLInjectDll(char*dllName)
HMODULEhDll;
unsignedlongcbtProcAddr;
hDll=LoadLibrary(dllName);
cbtProcAddr=GetProcAddress(hDll,"
?
SetWindowsHookEx(WH_CBT,cbtProcAddr,hDll,GetTargetThreadIdFromWindow("
targetApp"
));
returnTRUE;
__declspec(naked)loadDll(void)
_asm{
Weneed
VirtualProtect(loadDll,stubLen,PAGE_EXECUTE_READWRITE,&
oldprot);
#defineCREATE_THREAD_ACCESS(PROCESS_CREATE_THREAD|PROCESS_QUERY_INFORMATION|PROCESS_VM_OPERATION|PROCESS_VM_WRITE|PROCESS_VM_READ)
BOOLWriteProcessBYTES(HANDLEhProcess,LPVOIDlpBaseAddress,LPCVOIDlpBuffer,SIZE_TnSize);
BOOLLoadDll(char*procName,char*dllName);
BOOLInjectDLL(DWORDProcessID,char*dllName);
unsignedlongGetTargetProcessIdFromProcname(char*procName);
//checkcurrentversionofWindows
DWORDversion=GetVersion();
//parsereturn
DWORDmajorVersion=(DWORD)(LOBYTE(LOWORD(version)));
DWORDminorVersion=(DWORD)(HIBYTE(LOWORD(version)));
intWINAPIWinMain(HINSTANCEhInstance,HINSTANCEhPrevInstance,LPSTRlpCmdLine,intnCmdShow)
if(IsWindowsNT())
LoadDll(PROCESS_NAME,DLL_NAME);
else
MessageBox(0,"
Yoursystemdoesnotsupportthismethod"
Error!
0);
return0;
BOOLLoadDll(char*procName,char*dllName)
DWORDProcID=0;
ProcID=GetProcID(procName);
(InjectDLL(ProcID,dllName)))
MessageBox(NULL,"
Processlocated,butinjectionfailed"
BOOLInjectDLL(DWORDProcessID,char*dllName)
Proc=OpenProcess(CREATE_THREAD_ACCESS,FALSE,Proc