
C利用句柄操作窗口

C#

实现过程:

过程一:

找到当前鼠标位置的句柄

需要使用2个WinAPI(俺喜欢自己封装起来用):


[DllImport("",EntryPoint="GetCursorPos")]publicstaticexternboolGetCursorPos(outPointpt);[DllImport("",EntryPoint="WindowFromPoint")]publicstaticexternIntPtrWindowFromPoint(Pointpt);

ndexOf;}publicoverridestringToString(){StringBuilderresult=newStringBuilder();for(WinHWNDwinHandle=this;winHandle!

=null;winHandle={("{0}:

{1};",Escape,if==-1)break;}return().TrimEnd(';');}privatestaticstringGetBaseMark(stringsMark){string[]sMarks=(';');returnsMarks[-1].Split(':

')[0];}privatestaticstring[]GetChildMarks(stringsMark){string[]sMarks=(';');string[]sChildMarks=newstring[-1];for(inti=0;i<;i++){sChildMarks[i]=sMarks[i];}returnsChildMarks;}.是不是都匹配foreach(IntPtrbaseHwndinbaseHwnds){IntPtrhandle=baseHwnd;for(inti=-1;i>=0;i--){string[]sChildMark=sChildMarks[i].Split(':

');try{handle=(handle,UnEscape(sChildMark[0]))[(sChildMark[1])];}catch{break;}if(i==0)returnnewWinHWND(handle);}continue;}returnnull;}#region转义privatestaticstringEscape(stringarg){return(":

","\\:

").Replace(";","\\;");}privatestaticstringUnEscape(stringarg){return("\\:

",":

").Replace("\\;",";");}#endregionpublicstaticWinHWNDGetWinHWND(){returnnewWinHWND()));}}

上全部代码,里面加了窗口的部分属性,扩展其他的属性,自己发挥吧,就是搞WinAPI


usingSystem;usingusing;using;usingusing;using;namespaceInformationCollectionDataFill{publicclassWinAPI{#regionWinodwsAPI[DllImport("",EntryPoint="FindWindow")]privatestaticexternIntPtrFindWindow(stringIpClassName,stringIpWindowName);[DllImport("",EntryPoint="FindWindowEx")]privatestaticexternIntPtrFindWindowEx(IntPtrhwndParent,IntPtrhwndChildAfter,stringlpszClass,stringlpszWindow);[DllImport("",EntryPoint="SendMessage")]privatestaticexternintSendMessage(IntPtrhWnd,intMsg,IntPtrwParam,stringlParam);[DllImport("",EntryPoint="GetParent")]publicstaticexternIntPtrGetParent(IntPtrhWnd);[DllImport("",EntryPoint="GetCursorPos")]publicstaticexternboolGetCursorPos(outPointpt);[DllImport("",EntryPoint="WindowFromPoint",CharSet=,ExactSpelling=true)]publicstaticexternIntPtrWindowFromPoint(Pointpt);[DllImport("",CharSet=]publicstaticexternintGetClassName(IntPtrhWnd,StringBuilderlpClassName,intnMaxCount);[DllImport("",CharSet=]publicstaticexternintGetWindowText(IntPtrhWnd,[Out,MarshalAs]StringBuilderlpString,intnMaxCount);[DllImport("",CharSet=]publicstaticexternintGetWindowRect(IntPtrhwnd,refRectanglerc);[DllImport("",CharSet=]publicstaticexternintGetClientRect(IntPtrhwnd,refRectanglerc);[DllImport("",CharSet=]publicstaticexternintMoveWindow(IntPtrhwnd,intx,inty,intnWidth,intnHeight,boolbRepaint);[DllImport("",CharSet=,SetLastError=true,ExactSpelling=true)]publicstaticexternintScreenToClient(IntPtrhWnd,refRectanglerect);#endregion#region封装API方法ndexOf;}privateRectangleGetRect(){if==null)returndefault(Rectangle);RectangleclientSize=;RectangleclientPoint=);returnnewRectangle,,,;}publicstaticWinHWNDGetWinHWND(){returnnewWinHWND()));}publicoverridestringToString(){StringBuilderresult=newStringBuilder();for(WinHWNDwinHandle=this;winHandle!

=null;winHandle={("{0}:

{1};",Escape,if==-1)break;}return().TrimEnd(';');}privatestaticstringGetBaseMark(stringsMark){string[]sMarks=(';');returnsMarks[-1].Split(':

')[0];}privatestaticstring[]GetChildMarks(stringsMark){string[]sMarks=(';');string[]sChildMarks=newstring[-1];for(inti=0;i<;i++){sChildMarks[i]=sMarks[i];}returnsChildMarks;}.是不是都匹配foreach(IntPtrbaseHwndinbaseHwnds){IntPtrhandle=baseHwnd;for(inti=-1;i>=0;i--){string[]sChildMark=sChildMarks[i].Split(':

');try{handle=(handle,UnEscape(sChildMark[0]))[(sChildMark[1])];}catch{break;}if(i==0)returnnewWinHWND(handle);}continue;}returnnull;}#region转义privatestaticstringEscape(stringarg){return(":

","\\:

").Replace(";","\\;");}privatestaticstringUnEscape(stringarg){return("\\:

",":

").Replace("\\;",";");}#endregion}}

效果:

Post subject: DLL Injection

This is my old tutorial on DLL injection... people have been asking about this topic a bit recently, so... here it is:

DLL Injection Tutorial

by Darawk

 

Introduction

The CreateRemoteThread method

The SetWindowsHookEx method

The code cave method

Appendix A - Methods of obtaining a process ID

Appendix B - Methods of obtaining a thread ID

Appendix C - Complete CreateRemoteThread example source code

Appendix D - Complete SetWindowsHookEx example source code

Appendix E - Complete code cave example source code

 

Introduction

 

In this tutorial I'll try to cover all of the known methods (or at least, those that I know =p) of injecting DLLs into a process.

DLL injection is incredibly useful for TONS of stuff (game hacking, function hooking, code patching, keygenning, unpacking, etc.).

Though there are scattered tutorials on these techniques available throughout the web, I have yet to see any complete tutorial detailing all of them (there may even be more out there than I have here, of course) and comparing their respective strengths and weaknesses.

This is precisely what I'll attempt to do for you in this paper. You are free to reproduce or copy this paper, so long as proper credit is given and you don't modify it without speaking to me first.

 

The CreateRemoteThread method

 

I've used this in tons of stuff, and I only recently realized that a lot of people have never seen it, or don't know how to do it. I can't take credit for thinking it up... I got it from an article on CodeProject, but it's a neat trick that I think more people should know how to use.

The trick is simple, and elegant. The Windows API provides us with a function called CreateRemoteThread(). This allows you to start a thread in another process. For our purposes, I'll assume you know how threading works, and how to use functions like CreateThread (if not, you can go here). The main disadvantage of this method is that it will work only on Windows NT and above. It also needs the loader to be able to open the target process with thread-creation and memory-write rights, so it cannot be used against processes the caller is not allowed to open. To prevent it from crashing, you should use this function to check to make sure you're on an NT-based system (thanks to CatID for pointing this out):

boolIsWindowsNT()

{

Now, normally we would want to start the thread executing on some internal function of the process that we are interacting with. However, to inject a DLL, we have to do something a little bit different.

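/*
 * Inject DLL_NAME into process ProcessID with the CreateRemoteThread method:
 * allocate a buffer in the target, copy the DLL path into it, and start a
 * remote thread whose entry point is LoadLibraryA with that buffer as its
 * argument.
 *
 * ProcessID : PID of the target process; 0 is rejected.
 * Returns TRUE once the remote thread has been created, FALSE on any failure
 * (an OpenProcess() failure is additionally reported in a message box, as in
 * the original).
 *
 * CREATE_THREAD_ACCESS and DLL_NAME are defined elsewhere in the tutorial.
 *
 * Notes for anyone reusing this:
 *  - The target resolves DLL_NAME through its own DLL search order, so a bare
 *    file name can load a different library than intended; pass a full path.
 *  - The address of LoadLibraryA is taken from this process and reused in the
 *    target; that only works when kernel32.dll is mapped at the same address
 *    in both, i.e. for same-bitness processes.
 *  - CREATE_THREAD_ACCESS is assumed to include the rights OpenProcess needs
 *    for VirtualAllocEx/WriteProcessMemory/CreateRemoteThread — confirm.
 */
BOOL InjectDLL(DWORD ProcessID)
{
    HANDLE Proc;
    HANDLE hThread;
    char buf[50] = {0};
    LPVOID RemoteString, LoadLibAddy;
    /* The original sized the buffer with strlen() alone, so the terminating
       NUL was never copied and LoadLibraryA read past the end of the remote
       allocation; allocate and copy the NUL as well. */
    SIZE_T len = strlen(DLL_NAME) + 1;

    if (!ProcessID)
        return FALSE;

    Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID);
    if (!Proc)
    {
        /* GetLastError() returns a DWORD; bounded formatting instead of sprintf. */
        snprintf(buf, sizeof(buf), "OpenProcess() failed: %lu", GetLastError());
        MessageBox(NULL, buf, "Loader", NULL);
        return FALSE;
    }

    /* The module name was lost in extraction; LoadLibraryA is exported by kernel32.dll. */
    LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
    if (!LoadLibAddy)
    {
        CloseHandle(Proc);
        return FALSE;
    }

    RemoteString = VirtualAllocEx(Proc, NULL, len, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (!RemoteString)
    {
        CloseHandle(Proc);
        return FALSE;
    }

    if (!WriteProcessMemory(Proc, RemoteString, DLL_NAME, len, NULL))
    {
        VirtualFreeEx(Proc, RemoteString, 0, MEM_RELEASE);
        CloseHandle(Proc);
        return FALSE;
    }

    hThread = CreateRemoteThread(Proc, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibAddy, RemoteString, 0, NULL);
    if (!hThread)
    {
        VirtualFreeEx(Proc, RemoteString, 0, MEM_RELEASE);
        CloseHandle(Proc);
        return FALSE;
    }

    /* The remote buffer is deliberately left allocated: the new thread may
       still be reading it. The thread handle itself was leaked by the
       original; it is not needed once the thread is running. */
    CloseHandle(hThread);
    CloseHandle(Proc);
    return TRUE;
}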

 

HHOOKSetWindowsHookEx(?

?

?

?

?

?

intidHook,?

?

HOOKPROClpfn,?

?

HINSTANCEhMod,?

?

DWORDdwThreadId);

 

/* Minimal WH_CBT hook procedure. It does no work of its own; it exists so
   that the DLL exporting it gets mapped into the hooked thread's process
   when SetWindowsHookEx() installs it. Every event is handed straight to the
   next hook in the chain so the hooked application keeps behaving normally.
   The first argument is the hook handle, which current CallNextHookEx
   implementations ignore (hence the 0). */
LRESULT CALLBACK CBTProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    LRESULT chained = CallNextHookEx(0, nCode, wParam, lParam);
    return chained;
}

 

HMODULEhDll;unsignedlongcbtProcAddr;hDll?

?

?

?

=LoadLibrary("");cbtProcAddr=GetProcAddress(hDll,"CBTProc");

 

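/* Hook handle from the last successful InjectDll() call. The original threw
   the HHOOK away, so the hook could never be removed again; keep it so a
   caller can UnhookWindowsHookEx() it later. */
static HHOOK g_cbtHook = NULL;

/*
 * Inject a DLL with the SetWindowsHookEx method: load dllName into this
 * process, resolve its exported CBTProc and install it as a WH_CBT hook on
 * the thread owning the "targetApp" window; Windows then maps the DLL into
 * that process the next time the thread handles a CBT event.
 *
 * dllName : path of the DLL that exports CBTProc. Use a full path — a bare
 *           name is resolved through the DLL search order.
 * Returns TRUE when the hook was installed, FALSE when the DLL could not be
 * loaded, does not export CBTProc, the target thread was not found, or
 * SetWindowsHookEx() failed. The original returned TRUE unconditionally.
 *
 * The hook DLL must match the bitness of the target process.
 */
BOOL InjectDll(char *dllName)
{
    HMODULE hDll;
    /* Was `unsigned long`, which truncates a pointer on 64-bit Windows. */
    HOOKPROC cbtProc;
    DWORD threadId;

    hDll = LoadLibrary(dllName);
    if (!hDll)
        return FALSE;

    cbtProc = (HOOKPROC)GetProcAddress(hDll, "CBTProc");
    if (!cbtProc)
    {
        FreeLibrary(hDll);
        return FALSE;
    }

    /* GetTargetThreadIdFromWindow() is declared with (className, windowName);
       the original passed a single argument. A NULL class matches by title
       only. Assumes the helper returns 0 when no window is found — confirm. */
    threadId = GetTargetThreadIdFromWindow(NULL, "targetApp");
    if (!threadId)
    {
        FreeLibrary(hDll);
        return FALSE;
    }

    g_cbtHook = SetWindowsHookEx(WH_CBT, cbtProc, hDll, threadId);
    if (!g_cbtHook)
    {
        FreeLibrary(hDll);
        return FALSE;
    }
    return TRUE;
}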

 

__declspec(naked)loadDll(void){?

?

_asm{?

?

?

?

 

void*dllString,*stub;unsignedlongwowID;HANDLEhProcess?

?

unsignedlongthreadID;HANDLEhThread;threadID=GetTargetThreadIdFromProcname(PROC_NAME);hThread?

?

=OpenThread((THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_SUSPEND_RESUME),false,threadID);

 

SuspendThread(hThread);=CONTEXT_CONTROL;GetThreadContext(hThread,&ctx);oldIP?

?

=;WeneedVirtualProtect(loadDll,stubLen,PAGE_EXECUTE_READWRITE,&oldprot);?

?

Sleep(8000);VirtualFreeEx(hProcess,dllString,strlen(DLL_NAME),MEM_DECOMMIT);VirtualFreeEx(hProcess,stub,stubLen,MEM_DECOMMIT);CloseHandle(hProcess);CloseHandle(hThread);

 

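/*
 * Return the process ID that owns the top-level window matched by
 * FindWindow(className, windowName) (either argument may be NULL, as
 * FindWindow allows), or 0 when no such window exists.
 *
 * Fixes over the original: the variable was spelled both procID and procId
 * (a compile error), and when FindWindow failed an uninitialised value was
 * returned instead of 0.
 */
unsigned long GetTargetProcessIdFromWindow(char *className, char *windowName)
{
    unsigned long procID = 0;
    HWND targetWnd = FindWindow(className, windowName);

    if (targetWnd == NULL)
        return 0;

    /* The return value (the creating thread's ID) is not needed here; only
       the out-parameter is. */
    GetWindowThreadProcessId(targetWnd, &procID);
    return procID;
}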

 

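/*
 * Find a running process whose executable name contains procName
 * (case-insensitive, via StrStrI) and return its PID, or 0 when nothing
 * matches or the snapshot could not be taken (that failure is also reported
 * in a message box, as in the original).
 *
 * The pe.* member accesses were lost in extraction and are restored here;
 * dwSize must be set before Process32First/Process32Next.
 * Changes from the original: the snapshot handle is closed on every path
 * (it leaked), and a miss returns 0 instead of the PID of whichever process
 * happened to be enumerated last.
 *
 * Caveat: substring matching is loose — "notepad" also matches
 * "notepad++.exe" — so callers that must hit one specific process should
 * compare the whole name, and the first match wins if several processes
 * share the name.
 */
unsigned long GetTargetProcessIdFromProcname(char *procName)
{
    PROCESSENTRY32 pe;
    HANDLE thSnapshot;
    BOOL retval;
    unsigned long procID = 0;

    thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (thSnapshot == INVALID_HANDLE_VALUE)
    {
        MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL);
        return 0;
    }

    pe.dwSize = sizeof(PROCESSENTRY32);
    retval = Process32First(thSnapshot, &pe);
    while (retval)
    {
        if (StrStrI(pe.szExeFile, procName))
        {
            procID = pe.th32ProcessID;
            break;
        }
        pe.dwSize = sizeof(PROCESSENTRY32);
        retval = Process32Next(thSnapshot, &pe);
    }

    CloseHandle(thSnapshot);
    return procID;
}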

 

unsignedlongGetTargetThreadIdFromWindow(char*className,char*windowName){?

?

HWNDtargetWnd;?

?

HANDLEhProcess?

?

unsignedlongprocessId,pTID,threadID;?

?

targetWnd=FindWindow(className,windowName);  GetWindowThreadProcessId(ta
