GetWindowLong跨进程获取WndProc、DlgProc


GetWindowLong跨进程获取WndProc、DlgProc


标题虽然写的是 GetWindowLong,但下面的代码并不调用 GetWindowLong:它只是参照 GetWindowLong 的内部实现(通过 user32!gSharedInfo 的句柄表定位窗口对象),改成用 ReadProcessMemory 在另一个进程里把同样的字段读出来。
 
下面代码在 Win7 及以上可用,但只适用于 32 位进程读取 32 位目标:所有指针都按 4 字节读取,TEB 偏移 &H6E8、窗口对象偏移 &H60/&HCC 都是 Win7 x86 的硬编码值,换系统版本或位数必须重新核对。gSharedInfo 的地址是在调用进程里用 GetProcAddress 取到后直接拿去读目标进程的,因此还依赖 user32.dll 在两个进程中映射到同一基址。读取目标进程只需要 PROCESS_VM_READ 和 THREAD_QUERY_INFORMATION,示例里申请的是全部权限(2035711/2032639),对无法获得完全访问权的进程会直接失败。要想在 XP 上使用,必须暴力搜索 user32.gSharedInfo(XP 下不能像 Win7 那样用 GetProcAddress 取到),搜索方法:从 user32 的入口点往下看,CsrCononToServer 那个函数下面;或者参照网上枚举全局 Hook 的代码。
 
 
[vb] 
' Win32 / native imports used by the cross-process window-procedure reader below.
' Everything is declared with 32-bit Long pointers; the offsets and 4-byte reads further
' down assume a 32-bit caller reading a 32-bit target.
' Resolves the owning thread id (return value) and process id (ByRef) of a window handle.
Private Declare Function GetWindowThreadProcessId& Lib "user32" (ByVal hWnd&, ByRef lpdwProcessId&)  
' lpModuleName is declared as Long so a StrPtr() to a Unicode string can be passed (see GetHWNDTablePointerInUser32SharedInfoEntry).
Private Declare Function GetModuleHandleW& Lib "kernel32" (ByVal lpModuleName&)  
Private Declare Function GetProcAddress& Lib "kernel32" (ByVal hModule&, ByVal lpProcName$)  
Private Declare Function OpenProcess& Lib "kernel32" (ByVal dwDesiredAccess&, ByVal bInheritHandle As Boolean, ByVal dwProcessId&)  
Private Declare Function OpenThread& Lib "kernel32" (ByVal dwDesiredAccess&, ByVal bInheritHandle As Boolean, ByVal dwThreadId&)  
' lpBuffer is declared as Long; callers pass VarPtr() of a local Long to receive 4 bytes.
Private Declare Function ReadProcessMemory& Lib "kernel32" (ByVal hProcess&, ByVal lpBaseAddress&, ByVal lpBuffer&, ByVal nSize&, ByRef lpNumberOfBytesRead&)  
' Undocumented native API; used here with ThreadInformationClass 0 (ThreadBasicInformation) to obtain the TEB address.
Private Declare Function NtQueryInformationThread& Lib "ntdll" (ByVal ThreadHandle&, ByVal ThreadInformationClass&, ByVal ThreadInformation&, ByVal ThreadInformationLength&, ByRef ReturnLength&)  
Private Declare Function CloseHandle& Lib "kernel32" (ByVal hObject&)  
' Returns the TEB base address of hThread, or 0 when NtQueryInformationThread fails.
' Queries ThreadBasicInformation (class 0) into a 28-byte buffer (7 Longs) and returns the
' Long at index 1, which is the TebBaseAddress field of THREAD_BASIC_INFORMATION.
Private Function GetThreadTeb&(ByVal hThread&)
    Const ThreadBasicInformation& = 0
    Const BasicInfoSize& = 28
    Dim basicInfo&(6)   ' 7 Longs = 28 bytes
    Dim status&
    status = NtQueryInformationThread(hThread, ThreadBasicInformation, VarPtr(basicInfo(0)), BasicInfoSize, 0)
    ' Function value stays 0 on any non-success NTSTATUS.
    If status <> 0 Then Exit Function
    GetThreadTeb = basicInfo(1)
End Function
' Reads the 4-byte value at TEB + &H6E8 of hThread inside hProcess and returns it.
' Returns 0 when the TEB cannot be resolved or the read fails (the buffer is left untouched).
' The caller subtracts this value from the handle-table entry pointer, so it is used as the
' delta between the kernel-side and the process-mapped view of the window object
' (presumably the Win32ClientInfo delta field; offset is hard-coded for Win7 x86 -- confirm per OS).
Private Function GetHighValueForUser32&(ByVal hProcess&, ByVal hThread&)
    Const TebDeltaOffset& = &H6E8
    Dim tebBase&, delta&
    tebBase = GetThreadTeb(hThread)
    ReadProcessMemory hProcess, tebBase + TebDeltaOffset, VarPtr(delta), 4, 0
    GetHighValueForUser32 = delta
End Function
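' Returns the handle-table pointer stored in the target's user32!gSharedInfo (the Long at
' gSharedInfo + 4), or 0 when gSharedInfo cannot be resolved or the remote read fails.
'
' The address is resolved in the *calling* process with GetProcAddress and then read from the
' target with ReadProcessMemory, so this relies on user32.dll being mapped at the same base in
' both processes (same session and same bitness). On systems where user32 does not export
' gSharedInfo (XP, per the article) GetProcAddress returns 0 and this function returns 0.
'
' Fix vs. the original: one variable was reused as both the address and the output buffer, so a
' failed GetProcAddress produced the bogus pointer 4, and a failed read returned the address it
' tried to read instead of 0. Callers then used those values as addresses.
Private Function GetHWNDTablePointerInUser32SharedInfoEntry&(ByVal hProcess&)
    Const HandleTableFieldOffset& = 4
    Dim hUser32&, lpSharedInfo&, lpHandleTable&
    hUser32 = GetModuleHandleW(StrPtr("user32.dll"))
    If hUser32 = 0 Then Exit Function
    lpSharedInfo = GetProcAddress(hUser32, "gSharedInfo")
    If lpSharedInfo = 0 Then Exit Function
    ' Second pointer-sized field of gSharedInfo, read from the target process.
    If ReadProcessMemory(hProcess, lpSharedInfo + HandleTableFieldOffset, VarPtr(lpHandleTable), 4, 0) = 0 Then Exit Function
    GetHWNDTablePointerInUser32SharedInfoEntry = lpHandleTable
End Function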
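' Maps a window handle to the address of its window object as seen from inside hProcess.
'   hWnd         - window handle; its low 16 bits index the handle table.
'   unkHighValue - delta read from the owner thread's TEB (GetHighValueForUser32).
'   unkPointer   - handle-table pointer read from gSharedInfo (GetHWNDTablePointerInUser32SharedInfoEntry).
' Each table entry is 12 bytes; the first Long of the entry is a pointer that is rebased by
' subtracting unkHighValue.
' Returns 0 when the table pointer is null, the remote read fails, or the entry's pointer is null.
' (The original returned 0 - unkHighValue in those cases, and the callers used that as an address.)
Private Function MakeInfoPointerByRemote2UnknownForHWND&(ByVal hProcess&, ByVal hWnd&, ByVal unkHighValue&, ByVal unkPointer&)
    Const HandleEntrySize& = 12
    Dim entryIndex&, lpEntry&, lpObject&
    If unkPointer = 0 Then Exit Function
    entryIndex = hWnd And &HFFFF&
    lpEntry = unkPointer + entryIndex * HandleEntrySize
    If ReadProcessMemory(hProcess, lpEntry, VarPtr(lpObject), 4, 0) = 0 Then Exit Function
    If lpObject = 0 Then Exit Function
    MakeInfoPointerByRemote2UnknownForHWND = lpObject - unkHighValue
End Function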
' Reads the window-procedure pointer of the window object at lpPointer inside hProcess.
' The field offset &H60 is hard-coded for the Win7 x86 window-object layout.
' Returns 0 when the read fails (the local buffer is left untouched).
Private Function GetRemoteProcessWndProc&(ByVal hProcess&, ByVal lpPointer&)
    Const WndProcOffset& = &H60
    Dim procAddr&
    Call ReadProcessMemory(hProcess, lpPointer + WndProcOffset, VarPtr(procAddr), 4, 0)
    GetRemoteProcessWndProc = procAddr
End Function
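' Reads the dialog procedure of a dialog window in hProcess via two chained reads:
' the window object at lpPointer holds, at dlgStructOffset, a pointer to a second structure
' whose first Long is the DlgProc.
'   dlgStructOffset - defaults to &HCC (Win7 x86); the original comment gives &HA8 for XP,
'                     so the offset is exposed as an optional parameter instead of being edited.
' Returns 0 when either read fails or the intermediate pointer is null. (The original issued the
' second read at address 0 in that case; the result was the same 0, but the failed read is now skipped.)
' For a non-dialog window the field at dlgStructOffset is not a DlgProc pointer and the result is meaningless.
Private Function GetRemoteProcessDlgProc&(ByVal hProcess&, ByVal lpPointer&, Optional ByVal dlgStructOffset As Long = &HCC)
    Dim lpDlgStruct&, dlgProc&
    If ReadProcessMemory(hProcess, lpPointer + dlgStructOffset, VarPtr(lpDlgStruct), 4, 0) = 0 Then Exit Function
    If lpDlgStruct = 0 Then Exit Function
    If ReadProcessMemory(hProcess, lpDlgStruct, VarPtr(dlgProc), 4, 0) = 0 Then Exit Function
    GetRemoteProcessDlgProc = dlgProc
End Function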
  
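' Demo entry point: resolves the WndProc and DlgProc of the hard-coded window handle 197776
' in whatever process owns it and shows both as hex.
'
' Changes vs. the original:
'  * Requests only the rights actually used -- PROCESS_VM_READ for ReadProcessMemory and
'    THREAD_QUERY_INFORMATION for NtQueryInformationThread -- instead of *_ALL_ACCESS
'    (2035711 / 2032639). Least privilege also keeps the open from failing on targets where
'    full access is denied.
'  * Checks that the window resolves and that both opens succeed before reading.
'  * Computes the window-object address once instead of twice.
'  * Closes the thread handle (the original only closed the process handle).
Private Sub Form_Load()
    Const PROCESS_VM_READ& = &H10
    Const THREAD_QUERY_INFORMATION& = &H40
    Const hTargetWnd& = 197776
    Dim hProcess&, hThread&, tid&, pid&, lpWnd&

    tid = GetWindowThreadProcessId(hTargetWnd, pid)
    If tid = 0 Then
        MsgBox "Window " & Hex(hTargetWnd) & " not found"
        Exit Sub
    End If

    hThread = OpenThread(THREAD_QUERY_INFORMATION, False, tid)
    hProcess = OpenProcess(PROCESS_VM_READ, False, pid)
    If hThread <> 0 And hProcess <> 0 Then
        lpWnd = MakeInfoPointerByRemote2UnknownForHWND(hProcess, hTargetWnd, GetHighValueForUser32(hProcess, hThread), GetHWNDTablePointerInUser32SharedInfoEntry(hProcess))
        If lpWnd = 0 Then
            MsgBox "Could not locate the window object in process " & pid
        Else
            MsgBox Hex(GetRemoteProcessWndProc(hProcess, lpWnd))
            MsgBox Hex(GetRemoteProcessDlgProc(hProcess, lpWnd))
        End If
    Else
        MsgBox "OpenThread/OpenProcess failed for pid " & pid & " (error " & Err.LastDllError & ")"
    End If

    If hThread <> 0 Then CloseHandle hThread
    If hProcess <> 0 Then CloseHandle hProcess
End Sub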
 