文件1--HOOKAPIFAR.ASM
; 完成钩子和挂钩DLL,完成向文件输出取词结果
.386
.model flat,stdcall
option casemap:none
;*********************************************************************************************************************
include e:\masm32\include\windows.inc
include e:\masm32\include\kernel32.inc
includelib e:\masm32\lib\kernel32.lib
include e:\masm32\include\user32.inc
includelib e:\masm32\lib\user32.lib
include e:\masm32\include\gdi32.inc
includelib e:\masm32\lib\gdi32.lib
;**********************************************************************************************************************
;-----------------------------------------------------------------------
; jmpinto - layout of the 6-byte stub that HookApi writes over the entry
; of the hooked export.  MASM STRUCT packs with byte alignment unless an
; alignment argument is given, so sizeof jmpinto = 1+4+1 = 6.
; Filled in HookApi as: b8 <newapi> ff e0  =  mov eax,imm32 / jmp eax
;-----------------------------------------------------------------------
jmpinto struct ;data structure holding the jump stub
a db ? ;opcode byte, set to 0b8h (mov eax,imm32)
newapi dd ? ;imm32 = address of the replacement proc (lpfunc)
b db ? ;0ffh  \  together: jmp eax
d db ? ;0e0h  /
jmpinto ends
;---- forward declarations --------------------------------------------
;HookApi(szlib, szproc, lpfunc, lpbuffer, lpOld, lpjmpinto): inline-patch one export
HookApi proto :DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD
;_SetWindowText(hWnd, lpBuffer, cbCount): append captured bytes to the file
_SetWindowText proto :DWORD,:DWORD,:DWORD
;replacement procs with the same stdcall signatures as the gdi32 exports
NTextOutA PROTO :DWORD,:DWORD,:DWORD,:DWORD,:DWORD
NTextOutW PROTO :DWORD,:DWORD,:DWORD,:DWORD,:DWORD
NExtTextOutA PROTO :DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD
NExtTextOutW PROTO :DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD
;function-pointer types used to call the real exports through the saved address
_ptextout typedef PROTO :DWORD,:DWORD,:DWORD,:DWORD,:DWORD
ptextout typedef ptr _ptextout
_pexttextout typedef PROTO :DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD
pexttextout typedef ptr _pexttextout
;***********************************************************************************************************************
;---- zero-initialized globals ------------------------------------------
;NOTE(review): a link fragment elsewhere on the page reads /Section:.bss,S;
;if it belongs to this DLL, this section is shared between every process the
;hook loads the DLL into - confirm which link line it came from.
.data?
hText dd ? ;capture-file handle: first InstallHook's argument, later replaced by CreateFile in _SetWindowText
Hhost dd ? ;module handle the host passes to InstallHook; compared with hProcess in DllMain
.data
hHook dd 0 ;WH_KEYBOARD hook handle returned by SetWindowsHookEx
;10-byte copies of the original entry bytes of each export, filled by HookApi
;(only the ExtTextOutW hook is enabled in DllMain; the other three are commented out)
code_ta db 10 dup(0)
code_tw db 10 dup(0)
code_ea db 10 dup(0)
code_ew db 10 dup(0)
;jump stubs built by HookApi, one per export
tajmpinto jmpinto<0,0,0,0>
twjmpinto jmpinto<0,0,0,0>
eajmpinto jmpinto<0,0,0,0>
ewjmpinto jmpinto<0,0,0,0>
;resolved addresses of the real exports; called through once the patch is temporarily removed
OldTextOutA ptextout 0
OldTextOutW ptextout 0
OldExtTextOutA pexttextout 0
OldExtTextOutW pexttextout 0
hProcess dd ? ;this DLL's own hInstance (set in DllMain) - not a process handle despite the name
PHandle dd 0 ;OpenProcess(PROCESS_ALL_ACCESS) handle to the current process
PId dd 0 ;current process id
numused dd 0 ;bytes-written out-parameter for Read/WriteProcessMemory
;export names looked up in gdi32.dll
szTextOutA db "TextOutA",0
szTextOutW db "TextOutW",0
szExtTextOutA db "ExtTextOutA",0
szExtTextOutW db "ExtTextOutW",0
szGdi32 db "gdi32.dll",0
szFile db "c:\dbg.debug",0 ;capture file: fixed path in the drive root, appended to by every hooked process
settext dd 0 ;not referenced in this listing
FileHeader db 0ffh,0feh ;UTF-16LE byte-order mark (the WriteFile that used it here is commented out)
;***************************************************************************************************************************************
.code
;-----------------------------------------------------------------------
; BOOL WINAPI DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved1)
; DLL_PROCESS_ATTACH: remember our hInstance (in hProcess), open a
;   PROCESS_ALL_ACCESS handle to the current process (PHandle) and patch
;   gdi32!ExtTextOutW so it jumps to NExtTextOutW.
; DLL_PROCESS_DETACH: write the saved original bytes back over the patch.
; Out:  eax = TRUE; FALSE if OpenProcess fails, which refuses the load.
; This runs in every process the WH_KEYBOARD hook pulls the DLL into.
;-----------------------------------------------------------------------
DllMain proc hInst:HINSTANCE,reason:DWORD,reserved1:DWORD ;hook the API
.if reason==DLL_PROCESS_ATTACH
push hInst
pop hProcess ;hProcess = this DLL's hInstance (InstallHook passes it to SetWindowsHookEx)
invoke GetCurrentProcessId
mov PId,eax
invoke OpenProcess,PROCESS_ALL_ACCESS,FALSE,PId ;self handle for the Read/Write/VirtualProtectEx calls
.if(eax==0)
mov eax,FALSE ;cannot open our own process: refuse the load
ret
.endif
mov PHandle,eax
mov eax,hProcess
;NOTE(review): eax is this DLL's hInstance while Hhost is either still 0 (attach
;happens before InstallHook) or the host EXE's module handle; they never match,
;so the patch appears to be applied in the host process as well - confirm intent.
.if(eax!=Hhost) ;on my XP only the last function seemed to output text; the other three are kept (commented out) for extension
; invoke HookApi,addr szGdi32,addr szTextOutA,addr NTextOutA,addr code_ta,addr OldTextOutA,addr tajmpinto
; invoke HookApi,addr szGdi32,addr szTextOutW,addr NTextOutW,addr code_tw,addr OldTextOutW,addr twjmpinto
; invoke HookApi,addr szGdi32,addr szExtTextOutA,addr NExtTextOutA,addr code_ea,addr OldExtTextOutA,addr eajmpinto
invoke HookApi,addr szGdi32,addr szExtTextOutW,addr NExtTextOutW,addr code_ew,addr OldExtTextOutW,addr ewjmpinto
.endif
mov eax,TRUE
ret
.elseif reason==DLL_PROCESS_DETACH ;remove the hook
mov eax,hProcess
.if(eax!=Hhost)
;restore the 10 bytes HookApi saved.  The page protection HookApi changed is
;not restored and the module loaded by HookApi is never freed.
;NOTE(review): if GetProcAddress failed in HookApi, OldExtTextOutW is 0 and
;this writes to address 0 (the call presumably just fails).
; invoke WriteProcessMemory,PHandle,OldTextOutA,addr code_ta,sizeof code_ta,addr numused
; invoke WriteProcessMemory,PHandle,OldTextOutW,addr code_tw,sizeof code_tw,addr numused
; invoke WriteProcessMemory,PHandle,OldExtTextOutA,addr code_ea,sizeof code_ea,addr numused
invoke WriteProcessMemory,PHandle,OldExtTextOutW,addr code_ew,sizeof code_ew,addr numused
.endif
mov eax,TRUE
ret
.endif
mov eax,TRUE ;thread attach/detach: nothing to do
ret
DllMain endp
;/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
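;-----------------------------------------------------------------------
; LRESULT CALLBACK MouseProc(int nCode, WPARAM wParam, LPARAM lParam)
; Despite the name this is the WH_KEYBOARD hook procedure installed by
; InstallHook.  When the reported key is VK_CONTROL it invalidates a 1x1
; rectangle under the mouse cursor, so the window repaints that spot and
; the hooked text-output API runs again for the text there.
; In:   nCode  = hook code; negative means "do not process, just chain"
;       wParam = virtual-key code
;       lParam = key data (repeat count / transition flags; unused here)
; Out:  eax = result of CallNextHookEx
; Note: WH_KEYBOARD reports both the key-down and the key-up transition,
;       so the repaint is requested twice per press.  hWnd may be NULL if
;       no window is under the cursor; NOTE(review): per the Win32 docs
;       InvalidateRect(NULL,...) then invalidates every window - confirm
;       that is acceptable.
;-----------------------------------------------------------------------
MouseProc proc nCode:DWORD,wParam:DWORD,lParam:DWORD
    local mousepos:POINT
    local rect:RECT
    LOCAL hWnd:HWND
    ; Hook contract: a negative nCode must be handed to the next hook
    ; without further processing.  nCode is declared DWORD, so force a
    ; signed comparison.
    mov eax,nCode
    .if sdword ptr eax >= 0
        .if wParam==VK_CONTROL
            invoke GetCursorPos,addr mousepos
            invoke WindowFromPoint,mousepos.x,mousepos.y
            mov hWnd,eax
            invoke ScreenToClient,hWnd,addr mousepos
            ; rect = { x, y, x+1, y+1 } in client coordinates
            mov eax,mousepos.x
            mov rect.left,eax
            mov rect.right,eax
            inc rect.right
            mov eax,mousepos.y
            mov rect.top,eax
            mov rect.bottom,eax
            inc rect.bottom
            invoke InvalidateRect,hWnd,addr rect,TRUE ;request a repaint
        .endif
    .endif
    invoke CallNextHookEx,hHook,nCode,wParam,lParam
    ret
MouseProc endp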
;-----------------------------------------------------------------------
; HHOOK InstallHook(DWORD _hStatic, DWORD _Hhost)   (exported, see .DEF)
; Stores the two values supplied by the host in the DLL globals and
; installs the WH_KEYBOARD hook (MouseProc) with thread id 0, i.e. for
; all threads on the desktop.
; In:   _hStatic -> hText, _Hhost -> Hhost
; Out:  eax = hook handle from SetWindowsHookEx (also kept in hHook);
;       0 on failure
; Note: hProcess must already hold this DLL's hInstance (set in DllMain).
;-----------------------------------------------------------------------
InstallHook proc _hStatic:DWORD,_Hhost
    mov eax,_Hhost
    mov Hhost,eax
    mov eax,_hStatic
    mov hText,eax
    invoke SetWindowsHookEx,WH_KEYBOARD,addr MouseProc,hProcess,NULL
    mov hHook,eax
    ret
InstallHook endp
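;-----------------------------------------------------------------------
; BOOL UnInstallHook(void)   (exported, see .DEF)
; Removes the WH_KEYBOARD hook installed by InstallHook.
; Out:  eax = result of UnhookWindowsHookEx
;-----------------------------------------------------------------------
UnInstallHook proc
    invoke UnhookWindowsHookEx,hHook
    ; Forget the handle so a second call does not pass a handle that is
    ; no longer valid.  eax still carries the BOOL result.
    mov hHook,0
    ret
UnInstallHook endp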
;/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
;-----------------------------------------------------------------------
; void HookApi(char *szlib, char *szproc, void *lpfunc, BYTE *lpbuffer,
;              void **lpOld, jmpinto *lpjmpinto)
; Inline-patches export szproc of module szlib so it jumps to lpfunc.
; The 6-byte stub is built in *lpjmpinto, the first 10 original bytes of
; the export are copied to lpbuffer (so they can be written back later),
; and the resolved address is stored in *lpOld.
; ABI:   stdcall; ebx/edi/esi preserved by USES.
; Regs:  esi = lpjmpinto, edi = lpOld inside the body.
; Out:   eax = result of the last WriteProcessMemory (callers ignore it).
; NOTE(review): the results of LoadLibrary, GetProcAddress and
;   VirtualProtectEx are never checked (the GetLastError value is
;   discarded), the previous page protection is never restored, the
;   LoadLibrary reference is never released, and lpproc is unused.
;-----------------------------------------------------------------------
HookApi proc uses ebx edi esi szlib,szproc,lpfunc,lpbuffer,lpOld,lpjmpinto ;hook the API
;save first bits
local hDll,lpproc
local meminfo:MEMORY_BASIC_INFORMATION
local numdid
mov esi,lpjmpinto
assume esi:ptr jmpinto
invoke RtlZeroMemory,esi,sizeof jmpinto
mov [esi].a,0b8h ;mov eax,imm32
mov eax,lpfunc
mov [esi].newapi,eax ;imm32 = replacement proc
mov [esi].b,0ffh ;jmp eax = ff e0
mov [esi].d,0e0h
invoke LoadLibrary,szlib
mov hDll,eax
invoke GetProcAddress,hDll,szproc
mov edi,lpOld
mov dword ptr[edi],eax ;*lpOld = address of the real export
invoke VirtualQueryEx,PHandle,[edi],addr meminfo,sizeof meminfo
;NOTE(review): the protection change starts at the region base reported by
;VirtualQueryEx, not at the export itself; if the region spans several pages
;the page holding the export may keep its old protection - confirm.
invoke VirtualProtectEx,PHandle,meminfo.BaseAddress,0ah,PAGE_EXECUTE_READWRITE,addr meminfo.Protect ;old protection is parked in meminfo.Protect and never restored
invoke GetLastError ;value unused
invoke ReadProcessMemory,PHandle,[edi],lpbuffer,10,addr numdid ;save 10 original bytes (the stub overwrites only 6)
invoke WriteProcessMemory,PHandle,[edi],esi,sizeof jmpinto,addr numdid ;write the stub over the entry
ret
HookApi endp
;/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
;-----------------------------------------------------------------------
; void _SetWindowText(HWND hWnd, void *lpBuffer, DWORD cbCount)
; Appends cbCount raw bytes from lpBuffer to the capture file szFile.
; Called from the replacement text-output procs while VK_CONTROL is held;
; hWnd is not used in the body.
; Out:  eax = CloseHandle result (callers ignore it).
; NOTE(review):
;  - the CreateFile result is not tested against INVALID_HANDLE_VALUE
;    before SetFilePointer/WriteFile, and written is never checked;
;  - OPEN_EXISTING: the file must already exist (the host program creates
;    it with a UTF-16LE BOM at start-up);
;  - the ANSI conversion and the '#' record terminator are commented out,
;    so the bytes land in the file exactly as passed by the caller;
;  - this runs inside a GDI call of whichever process was hooked; file
;    I/O there is reentrancy-sensitive and the fixed root-level path is
;    shared by every such process;
;  - lpMultiByteStr is zeroed but otherwise unused; @end is unused.
;-----------------------------------------------------------------------
_SetWindowText proc uses ebx edi esi hWnd,lpBuffer,cbCount ;appends every phrase captured since start-up to C:\DBG.DEBUG
local written
local lpMultiByteStr[256]:BYTE
local @end[2]:BYTE
invoke RtlZeroMemory,addr lpMultiByteStr,sizeof lpMultiByteStr
invoke CreateFile,addr szFile,GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,NULL,OPEN_EXISTING,NULL,NULL
mov hText,eax ;replaces the value InstallHook stored in hText
;invoke WriteFile,hText,addr FileHeader,2,addr written,NULL
invoke SetFilePointer,hText,NULL,NULL,FILE_END ;append mode
;invoke WideCharToMultiByte,CP_ACP,WC_COMPOSITECHECK,lpBuffer,255,addr lpMultiByteStr,sizeof lpMultiByteStr,NULL,NULL
invoke WriteFile,hText,lpBuffer,cbCount,addr written,NULL ;raw bytes, no conversion
;mov @end,0
;mov @end+1,'#'
;invoke WriteFile,hText,addr @end,2,addr written,NULL
invoke CloseHandle,hText
;SendMessage,hWnd,WM_CHAR,'#',1
ret
_SetWindowText endp
;/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
;-----------------------------------------------------------------------
; BOOL NTextOutA(HDC hdc, int nXStart, int nYStart, LPCSTR lpString, int cbString)
; Replacement for gdi32!TextOutA (inactive: its HookApi call in DllMain is
; commented out).  While VK_CONTROL is down the text is appended to the
; capture file; the original API is then called with the patch temporarily
; removed and re-applied afterwards.
; NOTE(review):
;  - restores from code_ew, not code_ta, so enabling this hook would write
;    the bytes saved from ExtTextOutW over TextOutA;
;  - the final WriteProcessMemory overwrites eax, so the caller receives
;    that BOOL instead of TextOutA's result;
;  - the unpatch/call/repatch window has no synchronisation: other threads
;    calling TextOutA meanwhile bypass the hook or see half-written code;
;  - cbString is doubled before the write (2 bytes per char); for the ANSI
;    variant that is twice the string length - confirm.
;-----------------------------------------------------------------------
NTextOutA proc uses ebx edi esi hdc,nXStart,nYStart,lpString,cbString ;the four replacement (hook) procs
pusha ;preserve all registers around the capture
invoke WriteProcessMemory,PHandle,OldTextOutA,addr code_ew,sizeof code_ew,addr numused ;put the original bytes back so the real API can run
push cbString ;keep the caller's value; it is doubled below
mov eax,cbString
add cbString,eax ;byte count = 2 * character count
invoke GetAsyncKeyState,VK_CONTROL
and eax,8000h ;bit 15 = key currently down
.if eax
invoke _SetWindowText,hText,lpString,cbString ;append to the capture file
.endif
pop cbString
popa
invoke OldTextOutA,hdc,nXStart,nYStart,lpString,cbString ;real TextOutA via the saved address
invoke WriteProcessMemory,PHandle,OldTextOutA,addr tajmpinto,sizeof tajmpinto,addr numused ;re-apply the jump stub (clobbers eax)
ret
NTextOutA endp
;-----------------------------------------------------------------------
; BOOL NTextOutW(HDC hdc, int nXStart, int nYStart, LPCWSTR lpString, int cbString)
; Replacement for gdi32!TextOutW (inactive: its HookApi call in DllMain is
; commented out).  While VK_CONTROL is down the text is appended to the
; capture file; the original API is then called with the patch temporarily
; removed and re-applied afterwards.
; NOTE(review):
;  - restores from code_ew, not code_tw, so enabling this hook would write
;    the bytes saved from ExtTextOutW over TextOutW;
;  - the final WriteProcessMemory overwrites eax, so the caller receives
;    that BOOL instead of TextOutW's result;
;  - the unpatch/call/repatch window has no synchronisation: other threads
;    calling TextOutW meanwhile bypass the hook or see half-written code.
;-----------------------------------------------------------------------
NTextOutW proc uses ebx edi esi hdc,nXStart,nYStart,lpString,cbString
pusha ;preserve all registers around the capture
invoke WriteProcessMemory,PHandle,OldTextOutW,addr code_ew,sizeof code_ew,addr numused ;put the original bytes back so the real API can run
push cbString ;keep the caller's value; it is doubled below
mov eax,cbString
add cbString,eax ;byte count = 2 * wide-character count
invoke GetAsyncKeyState,VK_CONTROL
and eax,8000h ;bit 15 = key currently down
.if eax
invoke _SetWindowText,hText,lpString,cbString ;append to the capture file
.endif
pop cbString
popa
invoke OldTextOutW,hdc,nXStart,nYStart,lpString,cbString ;real TextOutW via the saved address
invoke WriteProcessMemory,PHandle,OldTextOutW,addr twjmpinto,sizeof twjmpinto,addr numused ;re-apply the jump stub (clobbers eax)
ret
NTextOutW endp
;-----------------------------------------------------------------------
; BOOL NExtTextOutA(HDC hdc, int X, int Y, UINT fuOptions, const RECT *lprc,
;                   LPCSTR lpString, UINT cbCount, const INT *lpDx)
; Replacement for gdi32!ExtTextOutA (inactive: its HookApi call in DllMain
; is commented out).  While VK_CONTROL is down the text is appended to the
; capture file; the original API is then called with the patch temporarily
; removed and re-applied afterwards.
; NOTE(review):
;  - restores from code_ew (not code_ea) and re-applies ewjmpinto (the stub
;    that targets NExtTextOutW) using sizeof eajmpinto; enabling this hook
;    would redirect ExtTextOutA to the wrong replacement;
;  - the final WriteProcessMemory overwrites eax, so the caller receives
;    that BOOL instead of ExtTextOutA's result;
;  - the unpatch/call/repatch window has no synchronisation;
;  - cbCount is doubled before the write (2 bytes per char); for the ANSI
;    variant that is twice the string length - confirm.
;-----------------------------------------------------------------------
NExtTextOutA proc uses ebx edi esi hdc,X,Y,fuOptions,lprc,lpString,cbCount,lpDx
pusha ;preserve all registers around the capture
invoke WriteProcessMemory,PHandle,OldExtTextOutA,addr code_ew,sizeof code_ew,addr numused ;put the original bytes back so the real API can run
push cbCount ;keep the caller's value; it is doubled below
mov eax,cbCount
add cbCount,eax ;byte count = 2 * character count
invoke GetAsyncKeyState,VK_CONTROL
and eax,8000h ;bit 15 = key currently down
.if eax
invoke _SetWindowText,hText,lpString,cbCount ;append to the capture file
.endif
pop cbCount
popa
invoke OldExtTextOutA,hdc,X,Y,fuOptions,lprc,lpString,cbCount,lpDx ;real ExtTextOutA via the saved address
invoke WriteProcessMemory,PHandle,OldExtTextOutA,addr ewjmpinto,sizeof eajmpinto,addr numused ;re-apply a stub (see NOTE above; clobbers eax)
ret
NExtTextOutA endp
;-----------------------------------------------------------------------
; BOOL NExtTextOutW(HDC hdc, int X, int Y, UINT fuOptions, const RECT *lprc,
;                   LPCWSTR lpString, UINT cbCount, const INT *lpDx)
; Replacement for gdi32!ExtTextOutW - the one hook DllMain actually
; installs.  While VK_CONTROL is down the text is appended to the capture
; file; the original API is then called with the patch temporarily removed
; and re-applied afterwards.
; NOTE(review):
;  - the final WriteProcessMemory overwrites eax, so the caller receives
;    that BOOL instead of ExtTextOutW's result;
;  - the unpatch/call/repatch window has no synchronisation: other threads
;    calling ExtTextOutW meanwhile bypass the hook or see half-written
;    code, and concurrent entries can interleave the two writes;
;  - _SetWindowText does file I/O from inside this GDI call.
;-----------------------------------------------------------------------
NExtTextOutW proc uses ebx edi esi hdc,X,Y,fuOptions,lprc,lpString,cbCount,lpDx
pusha ;preserve all registers around the capture
invoke WriteProcessMemory,PHandle,OldExtTextOutW,addr code_ew,sizeof code_ew,addr numused ;put the original bytes back so the real API can run
push cbCount ;keep the caller's value; it is doubled below
mov eax,cbCount
add cbCount,eax ;byte count = 2 * wide-character count
invoke GetAsyncKeyState,VK_CONTROL
and eax,8000h ;bit 15 = key currently down
.if eax
invoke _SetWindowText,hText,lpString,cbCount ;append to the capture file
.endif
pop cbCount
popa
invoke OldExtTextOutW,hdc,X,Y,fuOptions,lprc,lpString,cbCount,lpDx ;real ExtTextOutW via the saved address
invoke WriteProcessMemory,PHandle,OldExtTextOutW,addr ewjmpinto,sizeof ewjmpinto,addr numused ;re-apply the jump stub (clobbers eax)
ret
NExtTextOutW endp
end DllMain
文件2-HOOKAPIFAR.DEF
; Exports of HOOKAPIFAR.DLL; the host resolves both by name with GetProcAddress.
EXPORTS InstallHook
UnInstallHook
文件3-HOOKAPIFARMAIN.ASM-尚未完成的主界面,也是我求教的地方
.386
.model flat,stdcall
option casemap:none
;*********************************************************************************************************************
include e:\masm32\include\windows.inc
include e:\masm32\include\kernel32.inc
includelib e:\masm32\lib\kernel32.lib
include e:\masm32\include\user32.inc
includelib e:\masm32\lib\user32.lib
;**********************************************************************************************************************
;dialog procedure for IDD_MAIN
DialogMain proto :DWORD,:DWORD,:DWORD,:DWORD
;function-pointer types for the two DLL exports resolved at run time with GetProcAddress
InstallHookA typedef proto :DWORD,:DWORD
InstallHookB typedef ptr InstallHookA
UnInstallHookA typedef proto
UnInstallHookB typedef ptr UnInstallHookA
;***********************************************************************************************************************
;resource IDs; must agree with the #define lines of the .RC script
.const
IDD_MAIN equ 1000
IDC_WORD equ 1001
;***********************************************************************************************************************
.data?
numused dd ? ;not referenced in this listing
hProcess dd ? ;module handle of this EXE (GetModuleHandle(NULL)); passed to the DLL's InstallHook
hText dd ? ;handle of the capture file while it is being created
.data
FileHeader db 0ffh,0feh ;UTF-16LE byte-order mark, written first so Notepad reads the file as Unicode
szlib db "hookapifar.dll",0 ;hook DLL, loaded from the search path
hlib dd 0 ;module handle of the hook DLL
InstallHook InstallHookB 0 ;resolved export pointers (0 until GetProcAddress succeeds)
UnInstallHook UnInstallHookB 0
szinstall db "InstallHook",0
szuninstall db "UnInstallHook",0
szClassNotePad db "Notepad",0 ;not referenced in this listing
szFile db "c:\dbg.debug",0 ;capture file written by the DLL; open it with Notepad to see the result
hNotepad dd ? ;not referenced in this listing
written dd 0 ;bytes-written out-parameter for WriteFile
;***************************************************************************************************************************
.code
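;-----------------------------------------------------------------------
; Program entry (see `end _main`).
; 1. Load hookapifar.dll and resolve its two exports.
; 2. Create/truncate the capture file and write a UTF-16LE BOM so Notepad
;    opens the captured text as Unicode.
; 3. Run the main dialog; its WM_INITDIALOG handler installs the hook.
; Exit code: 0 normally, 1 if the DLL or one of its exports is missing
; (otherwise DialogMain would call through a null pointer).
;-----------------------------------------------------------------------
_main:
    invoke GetModuleHandle,NULL
    mov hProcess,eax
    invoke LoadLibrary,addr szlib
    .if eax==0
        invoke ExitProcess,1 ;DLL not found: nothing to hook with
    .endif
    mov hlib,eax
    invoke GetProcAddress,hlib,addr szinstall
    .if eax==0
        invoke ExitProcess,1
    .endif
    mov InstallHook,eax
    invoke GetProcAddress,hlib,addr szuninstall
    .if eax==0
        invoke ExitProcess,1
    .endif
    mov UnInstallHook,eax
    invoke CreateFile,addr szFile,GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,NULL,NULL
    mov hText,eax
    ; The DLL opens this file with OPEN_EXISTING, so it has to exist before
    ; the hook is installed; only write the BOM if the create succeeded.
    .if eax!=INVALID_HANDLE_VALUE
        invoke WriteFile,hText,addr FileHeader,2,addr written,NULL ;UTF-16LE BOM for Notepad
        invoke CloseHandle,hText
    .endif
    invoke DialogBoxParam,hProcess,IDD_MAIN,NULL,DialogMain,NULL
    invoke ExitProcess,NULL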
;///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
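;-----------------------------------------------------------------------
; INT_PTR CALLBACK DialogMain(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
; Dialog procedure for IDD_MAIN.
;   WM_INITDIALOG: pin the dialog topmost and install the hook through the
;                  DLL export resolved in _main.
;   WM_CLOSE:      end the dialog, then remove the hook.
; Out:  eax = TRUE for the two handled messages, FALSE otherwise.
; The unused locals (_buffer, hdc, mousepos, rect, keystate) were dropped.
;-----------------------------------------------------------------------
DialogMain proc uses ebx edi esi hWnd,uMsg,wParam,lParam
    .if uMsg==WM_CLOSE
        invoke EndDialog,hWnd,NULL
        invoke UnInstallHook
    .elseif uMsg==WM_INITDIALOG
        invoke SetWindowPos,hWnd,HWND_TOPMOST,0,0,0,0,SWP_NOSIZE
        ; hText is the handle _main already closed; the DLL side replaces
        ; its copy on every capture, so only the second argument matters.
        invoke InstallHook,hText,hProcess
    .else
        mov eax,FALSE
        ret
    .endif
    mov eax,TRUE
    ret
DialogMain endp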
end _main
/* First lines of HOOKAPIFAR.RC (the page's file heading sits below them).
   The IDs must agree with the .const block of HOOKAPIFARMAIN.ASM. */
#include <e:\masm32\include\resource.h>
#define IDD_MAIN 1000
#define IDC_WORD 1001
文件四-HOOKAPIFAR.RC
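/* Main dialog: a single edit control; the hook is installed from its WM_INITDIALOG. */
IDD_MAIN DIALOG DISCARDABLE 0, 0, 187, 60
STYLE DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU
CAPTION "getword"
FONT 10, "System"
BEGIN
    /* The page shows the line
         hookapifar.obj /Dll /Section:.bss,S /Def:f:\technique\hookapifar.def
       at this point.  It is not resource syntax and would stop rc.exe; it
       appears to be the tail of the DLL link command in ML.BAT. */
    EDITTEXT IDC_WORD,16,22,149,12,ES_LEFT
END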
文件五:ML.BAT:
rem Build script: switch to E:\masm32\bin, where ml.exe and link.exe live.
e:
cd masm32
cd bin
rem Host program: assemble (COFF, CodeView debug info, /Cp keeps identifier case) and link with its resources.
ml /c /coff /Zi /Cp f:\technique\hookapifarmain.asm
link /subsystem:windows /DEBUG /DEBUGTYPE:CV hookapifarmain.obj f:\technique\hookapifar.res
rem Hook DLL.
ml /c /coff /Zi /Cp f:\technique\hookapifar.asm
rem NOTE(review): the next line looks truncated on the page; the fragment
rem "hookapifar.obj /Dll /Section:.bss,S /Def:f:\technique\hookapifar.def"
rem printed inside the .RC listing appears to be its tail.
link /subsystem:windows /DEBUG /DEBUGTYPE:CV
编译时要保证MASM32在E盘中,或者改下我的程序中路径
这个程序不大,但已经竭尽我的全力(菜鸟哈),它可以取词,并把结果输出到C:\DBG.DEBUG文件中,大家可以打开看看
但这里我想问下做过的人,你们做的时候是如何拼接字串的?我的实验表明WINDOWS输出哪怕是屏幕上的图标的字符也要调用几次EXTTEXTOUTW那么如何去把一个一个字串拼成一个完整的呢?