
【转帖】使用createremotethread控制excel右键的源程序

发表于 2007-3-27 15:32:44
利用 CreateRemoteThread 将 DLL 注入 excel.exe，再利用 SetWindowLong() 改变 Excel 中右键消息的处理。DLL 源程序：
#include <windows.h>

// DLL entry point.  Nothing is set up or torn down here: the window hook is
// installed later, when the injected thread calls HookExcelRightMenu.
BOOL __stdcall DllMain(HANDLE /*hinstDLL*/, DWORD /*fdwReason*/, LPVOID /*lpReserved*/)
{
  return TRUE;   // accept every attach/detach notification
}
/*
#pragma data_seg("shared")
#pragma data_seg()
#pragma comment(linker,"/SECTION:shared,rws")
*/
// State shared between the installer (HookExcelRightMenu) and the hook
// procedure (HookExcelWndProc).  Both are statics and therefore zero-initialised
// anyway; the explicit NULL only spells out the "not yet installed" state that
// HookExcelWndProc tests for before forwarding to the original procedure.
WNDPROC g_lpfnOldWndProc = NULL;   // original window procedure returned by SetWindowLong
HWND    g_hMsgWnd        = NULL;   // window passed to HookExcelRightMenu; MessageBox owner
// Replacement window procedure that HookExcelRightMenu installs over the Excel
// window with SetWindowLong(GWL_WNDPROC).  It is invoked by the thread that owns
// that window, i.e. inside excel.exe.
//   WM_RBUTTONDOWN: shows a message box and returns 1 without forwarding, so the
//                   original procedure never sees the button-down.
//   WM_CLOSE:       calls ExitProcess(0) -- terminates the entire host process at
//                   once, bypassing Excel's own close handling.
//   anything else:  forwarded to the saved original procedure, or to
//                   DefWindowProc when no original was saved (SetWindowLong failed).
// NOTE(review): the subclass is never removed.  If the DLL is unloaded while the
// window still points at this function, the next message faults the host.
// NOTE(review): catch(...) only handles C++ exceptions; it does not catch access
// violations unless the build uses asynchronous SEH (/EHa) -- confirm build flags.
LRESULT APIENTRY HookExcelWndProc(HWND hWnd, UINT wMessage , WPARAM wParam, LPARAM lParam)
{
try
{
  switch (wMessage)
  {
  case WM_RBUTTONDOWN:
   MessageBox(g_hMsgWnd,"u click the r button","",MB_OK);
   return 1;
   break;   // unreachable: the return above already leaves the function
  case WM_CLOSE:
   ::ExitProcess (0);   // does not return; the break below is never reached
   break;
   
  default:
   if (NULL == g_lpfnOldWndProc)
    return DefWindowProc(hWnd,wMessage,wParam,lParam);
   else
    return CallWindowProc(g_lpfnOldWndProc,hWnd,wMessage,wParam,lParam);
  }
}
catch(...)
{
}
return 0;   // reached only after a caught exception; every switch arm returns or exits
}
// Entry point the injected thread calls (the injector resolves it by ordinal 1;
// no export directive is visible in this file, so a .def file presumably
// supplies that ordinal -- verify).  Subclasses `hwnd` with HookExcelWndProc and
// then pumps messages on the calling thread.  The loop runs until GetMessage
// returns 0, so the thread -- and with it the loaded DLL -- stays alive for as
// long as messages keep arriving.
// Returns TRUE unconditionally, even when SetWindowLong failed; in that case
// g_lpfnOldWndProc stays NULL and HookExcelWndProc falls back to DefWindowProc.
// NOTE(review): GetMessage returns -1 on error, which is nonzero and keeps this
// loop spinning; the usual idiom tests for > 0.
LRESULT __stdcall HookExcelRightMenu(HWND hwnd)
{
g_hMsgWnd = hwnd;   // MessageBox owner used by the hook procedure
g_lpfnOldWndProc=(WNDPROC)::SetWindowLong(hwnd,GWL_WNDPROC,(LONG)HookExcelWndProc);   // 32-bit only: LONG truncates a 64-bit pointer (SetWindowLongPtr/GWLP_WNDPROC is the portable form)
    MSG msg;
while( ::GetMessage( &msg, NULL, 0, 0 ))
{
  TranslateMessage(&msg);
  DispatchMessage(&msg);  
}
return TRUE;
}
注入进程源程序：
#include <windows.h>
#include <tlhelp32.h>
// Number of bytes copied from ControlExcelThread's address into the target
// process -- a fixed upper bound, not the function's real size.
const int MAXINJECTSIZE = 10240;

// Signatures of the three kernel32 entry points the injected thread needs.
// They travel as raw function pointers so the copied code can call them
// without any import of its own.
typedef HMODULE (__stdcall  * LPLOADLIBRARY)(LPCTSTR);
typedef FARPROC (__stdcall * LPGETPROCADDRESS)(HMODULE,LPCTSTR);
typedef BOOL    (__stdcall * LPFREELIBRARY)(HMODULE);
// Signature of the DLL's ordinal-1 export that the injected thread calls.
typedef LRESULT (__stdcall * LPHookExcelRightMenu)(HWND);

// Parameter block written into the target process and handed to the remote
// thread.  It is copied with WriteProcessMemory and read back by the copied
// code, so the field order is part of the contract between injector and
// injected code: do not reorder or repack.
struct INJECT_DLL
{
LPLOADLIBRARY  prcLoadLib;        // LoadLibraryA
LPGETPROCADDRESS prcGetProcAddr;  // GetProcAddress
LPFREELIBRARY  prcFreeLib;        // FreeLibrary
TCHAR    szLibPath[MAX_PATH+1];   // full path of the DLL to load
HWND                hInjectWnd;   // window the DLL should subclass
};
typedef INJECT_DLL *LPINJECT_DLL;
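// Looks up the PID of the first running process whose image name equals `name`
// (case-insensitive) via a Toolhelp snapshot.  Returns 0 when no such process
// exists or the snapshot could not be taken.  Only the first match is returned,
// so with several instances of the same executable the choice is arbitrary.
// Currently unused by the injector (its call is commented out in
// InJectDllIntoProcess, which takes the PID from the window instead).
// Fixes relative to the original: the first snapshot entry was skipped (the
// entry filled in by Process32First was never compared), an invalid snapshot
// handle was used unchecked, and the handle leaked when Process32First failed.
DWORD GetProcessIdFromName(LPCTSTR name)
{
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if (hSnapshot == INVALID_HANDLE_VALUE)
  return 0;
DWORD id = 0;
PROCESSENTRY32 pe;
pe.dwSize = sizeof(PROCESSENTRY32);   // required by Process32First/Process32Next
for (BOOL ok = Process32First(hSnapshot,&pe); ok; ok = Process32Next(hSnapshot,&pe))
{
  if (stricmp(pe.szExeFile,name) == 0)
  {
   id = pe.th32ProcessID;
   break;
  }
}
CloseHandle(hSnapshot);   // released on every path, including an early match
return id;
}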
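// Best-effort attempt to enable SE_DEBUG_NAME on the current process token, so
// that the OpenProcess(PROCESS_ALL_ACCESS) in InJectDllIntoProcess can succeed
// against a process the caller does not already own.  Every failure simply
// returns; the caller never checks whether the privilege was actually granted.
// Fix relative to the original: the token handle is now closed on every path
// (it used to be closed only when AdjustTokenPrivileges failed, and leaked on
// success).  AdjustTokenPrivileges returns TRUE even when the privilege is not
// held and nothing was enabled (GetLastError == ERROR_NOT_ALL_ASSIGNED); that
// case is deliberately still not reported, matching the original contract.
void EnableDebugPriv( void )
{
HANDLE hToken = NULL;
if ( ! OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
  return;
LUID sedebugnameValue;
if ( LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue ) )
{
  TOKEN_PRIVILEGES tkp;
  tkp.PrivilegeCount = 1;
  tkp.Privileges[0].Luid = sedebugnameValue;
  tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
  // Result intentionally ignored: see the note above on ERROR_NOT_ALL_ASSIGNED.
  AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL );
}
CloseHandle( hToken );   // always release the token, success or failure
}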
#pragma check_stack(off)   // MSVC: no stack-probe helper call in this function -- presumably to keep its body free of calls into this image
// Thread routine whose machine code is copied byte-for-byte into the target
// process by InJectDllIntoProcess and started there with CreateRemoteThread.
// Because it runs from a copied buffer it must not touch anything in this image:
// every Win32 call goes through the function pointers carried in the INJECT_DLL
// block it receives, and no string literal or CRT call appears in the body.
// Returns 0 on success, -1 for a null parameter block (or a caught exception),
// -2 when the DLL could not be loaded, -3 when ordinal 1 could not be resolved.
// NOTE(review): try/catch relies on exception tables and handler code that live
// in this image, not in the copied buffer; whether it behaves at all inside the
// remote process is build-dependent -- confirm, or do not rely on it.
// NOTE(review): the ordinal-1 call only returns when HookExcelRightMenu's message
// loop ends, so the FreeLibrary below normally runs at teardown only.
static DWORD __stdcall ControlExcelThread(LPVOID lpVoid)
{
try
{
  LPINJECT_DLL lpInject = (LPINJECT_DLL)lpVoid;
  if (NULL == lpInject)
   return -1;
  HMODULE hMod = lpInject->prcLoadLib(lpInject->szLibPath);   // LoadLibraryA, resolved by the injector
  if (NULL == hMod)
   return -2;
  LPHookExcelRightMenu  lpHookExcelRightMenu;
  lpHookExcelRightMenu = (LPHookExcelRightMenu)lpInject ->prcGetProcAddr (hMod,MAKEINTRESOURCE(1));   // by ordinal, so no name string is needed in the copied code
  if ( !lpHookExcelRightMenu)
  {
   lpInject ->prcFreeLib (hMod);
   return -3;
  }
  lpHookExcelRightMenu(lpInject->hInjectWnd);   // installs the hook and pumps messages until the loop ends
  lpInject ->prcFreeLib (hMod);
}
catch(...)
{
  return -1;
}
return 0;
}
#pragma check_stack(on)
// Loads injectdll.dll into the process that owns `hwnd` by copying
// ControlExcelThread and an INJECT_DLL block into that process and starting a
// remote thread on the copy.  `pstrProcessName` is unused: the by-name lookup is
// commented out and the PID comes from GetWindowThreadProcessId instead.
// Returns -1 when no PID could be derived from hwnd, -2 when OpenProcess failed,
// -3 when kernel32 could not be loaded, and 0 otherwise -- including when
// CreateRemoteThread failed (its error code is stored in dwThreadId and then
// discarded), so a 0 return does not mean the injection worked.
// The VirtualAllocEx(PAGE_EXECUTE_READWRITE) + WriteProcessMemory +
// CreateRemoteThread sequence is the classic remote-thread injection pattern that
// endpoint-protection products alert on and block; expect it to fail on hardened
// hosts.  The DLL is loaded from a fixed absolute path, so whatever file sits at
// that path runs inside the target with the target's privileges.
// NOTE(review): hInjectTarget is closed before the two VirtualFreeEx calls, which
// therefore operate on a closed handle and fail.  That is accidentally what keeps
// the remote thread alive: it is still executing from lpExcelAddr and reading
// param when this function returns.
LRESULT InJectDllIntoProcess(LPCSTR pstrProcessName,HWND hwnd)
{
DWORD dwProcessID = 0;
// dwProcessID=GetProcessIdFromName(pstrProcessName);
GetWindowThreadProcessId(hwnd,&dwProcessID);   // leaves dwProcessID at 0 when hwnd is NULL/invalid
if ( dwProcessID < 1)
  return -1;
EnableDebugPriv();
HANDLE hInjectTarget =  OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcessID);
if (!hInjectTarget)
  return -2;
INJECT_DLL pstInjectDll ;
memset(&pstInjectDll,0x0,sizeof(INJECT_DLL));
HMODULE   hModule = :oadLibrary (TEXT("kernel32"));   // sic: ":L" was evidently eaten by the forum's emoticon filter; the original is presumably ::LoadLibrary -- confirm.  On failure hInjectTarget leaks.
if (!hModule)
  return -3;
// kernel32 is mapped at the same address in every process of a given session
// on the Windows versions this targets, so local addresses are usable remotely.
// GetProcAddress takes a narrow name; TEXT() here only compiles in an ANSI build.
pstInjectDll.prcLoadLib = (LPLOADLIBRARY)::GetProcAddress(hModule,TEXT("LoadLibraryA"));
pstInjectDll.prcFreeLib = (LPFREELIBRARY)::GetProcAddress(hModule,TEXT("FreeLibrary"));
pstInjectDll.prcGetProcAddr = (LPGETPROCADDRESS)::GetProcAddress (hModule,TEXT("GetProcAddress"));
pstInjectDll.hInjectWnd = hwnd;
lstrcpy(pstInjectDll.szLibPath ,TEXT("E:\\KDCP\\backup\\dll\\injectdll\\debug\\injectdll.dll"));   // hard-coded build-machine path
LPBYTE lpExcelAddr = (LPBYTE)::VirtualAllocEx (hInjectTarget,NULL,MAXINJECTSIZE,MEM_COMMIT, PAGE_EXECUTE_READWRITE);   // result not checked
LPINJECT_DLL param = (LPINJECT_DLL) VirtualAllocEx( hInjectTarget, 0, sizeof(INJECT_DLL), MEM_COMMIT, PAGE_READWRITE );   // result not checked
WriteProcessMemory(hInjectTarget,lpExcelAddr,&ControlExcelThread,MAXINJECTSIZE,0);   // copies MAXINJECTSIZE bytes from the function's address regardless of its real length
WriteProcessMemory(hInjectTarget,param,&pstInjectDll,sizeof(INJECT_DLL),0);
DWORD dwThreadId = 0;
HANDLE hInjectThread;   // NOTE(review): uninitialised; Win32 calls do not throw C++ exceptions, so the catch below is dead code
try
{
  hInjectThread= ::CreateRemoteThread (hInjectTarget,NULL,0,(LPTHREAD_START_ROUTINE)lpExcelAddr,param,0,&dwThreadId);
}
catch(...)
{
}
if (!hInjectThread)
  dwThreadId = ::GetLastError ();   // error code is never returned to the caller
else
  CloseHandle(hInjectThread);
CloseHandle(hInjectTarget);
::VirtualFreeEx (hInjectTarget,lpExcelAddr,0,MEM_RELEASE);   // closed handle -- see note above
::VirtualFreeEx (hInjectTarget,param,0,MEM_RELEASE);
return 0;
}
// Injector entry point.  Walks the Excel window hierarchy by class name
// (XLMAIN -> XLDESK -> EXCEL7, i.e. top-level frame, MDI desk, sheet window)
// and injects into the process that owns the EXCEL7 window.
// NOTE(review): the third FindWindowEx result is not checked, so a NULL EXCEL7
// handle is passed on; InJectDllIntoProcess then derives PID 0 and returns -1.
// The "excel.exe" argument is ignored by the callee (its by-name lookup is
// commented out).  `void main` is non-standard; `int main` is the conforming form.
void main()
{
HWND hwnd;
hwnd = FindWindowEx(NULL,NULL,"XLMAIN",NULL);
if (hwnd)
{
  hwnd = FindWindowEx(hwnd,NULL,"XLDESK",NULL);
  if (hwnd)
  {
   hwnd = FindWindowEx(hwnd,NULL,"EXCEL7",NULL);   // may be NULL; not checked
   InJectDllIntoProcess("excel.exe",hwnd);         // return value ignored
  }
}
}