我的使用createremotethread控制excel右鍵的源程式 (轉)

worldblog發表於2007-08-17

利用CreateRemoteThread將dll載入到目標.exe程序中，再利用SetWindowLong()取代excel視窗程序以攔截右鍵訊息。dll源:#include <.h>

// DLL entry point of the hook DLL. It does nothing on attach/detach and always
// reports success; all work happens later in the exported HookExcelRightMenu.
// NOTE(review): the second parameter type "D" is presumably DWORD (the reason
// argument) lost in transcription; it is not a Windows type as written.
BOOL __stdcall DllMain(HANDLE,D,LPVOID)
{
 return TRUE;
}
/*
#pragma data_seg("shared")
#pragma data_seg()
#pragma comment(linker,"/SECTION:shared,rws")
*/
// Window procedure the hooked Excel window had before HookExcelRightMenu
// replaced it (the value SetWindowLong returns there). Read by HookExcelWndProc
// to forward every message it does not handle itself.
WNDPROC g_lpfnOldWndProc;
// Window handed to HookExcelRightMenu; used as owner of the MessageBox that
// HookExcelWndProc shows on WM_RBUTTONDOWN.
HWND  g_hMsgWnd;
// Replacement window procedure installed on the Excel window by
// HookExcelRightMenu. Intercepts right-button-down and close; everything else
// is forwarded to the saved original procedure (or DefWindowProc when none was
// saved).
// NOTE(review): ENTRY is not a Windows macro; presumably a project alias for
// the window-procedure calling convention (CALLBACK). Not defined in this
// listing.
LRESULT ENTRY HookExcelWndProc(HWND hWnd, UINT wMessage , WPARAM wParam, LPARAM lParam)
 // NOTE(review): the opening brace of the function body is missing in this transcription.
 try
 {
 switch (wMessage)
 {
 case WM_RBUTTONDOWN:
 // Right-click is swallowed: a MessageBox is shown and 1 is returned without
 // calling the original procedure, so Excel's own context-menu handling for
 // this message never runs.
 MessageBox(g_hMsgWnd,"u click the r button","",MB_OK);
 return 1;
 break;  // unreachable after the return above
 case WM_CLOSE:
 // Hard-terminates the whole host process (Excel) from inside the hook.
 // Nothing is flushed or saved first, and the original procedure is not
 // given the message. Falls through to "return 0" only if ExitProcess
 // returned, which it does not.
 ::ExitProcess (0);
 break;
 
 default:
 // Forward to the subclassed procedure; DefWindowProc is only a fallback
 // for the case where SetWindowLong in HookExcelRightMenu returned NULL.
 if (NULL == g_lpfnOldWndProc)
 return DefWindowProc(hWnd,wMessage,wParam,lParam);
 else
 return CallWindowProc(g_lpfnOldWndProc,hWnd,wMessage,wParam,lParam);
 }
 }
 // NOTE(review): a C++ catch(...) only catches C++ exceptions; it does not
 // catch access violations or other SEH faults unless the DLL is built with
 // asynchronous exception handling (/EHa). An exception here yields 0, which
 // the window system treats as "message handled".
 catch(...)
 {
 }
 return 0;
}
// Exported hook entry, called on the injected thread by ControlExcelThread.
// Subclasses hwnd with HookExcelWndProc (saving the previous procedure in
// g_lpfnOldWndProc), then blocks in a message loop until GetMessage returns
// FALSE (WM_QUIT). Returns TRUE only after that loop ends.
// NOTE(review): the (LONG) cast of a function pointer and GWL_WNDPROC are the
// 32-bit form; on 64-bit builds the pointer is truncated — the caller must
// not be ported without reviewing this line.
// NOTE(review): GetMessage with a NULL window retrieves messages for windows
// owned by the *calling* thread; the injected thread created no windows, so
// this loop appears to serve mainly to keep the thread (and thus the DLL)
// alive — confirm against the original author's intent.
LRESULT __stdcall HookExcelRightMenu(HWND hwnd)
{
 g_hMsgWnd = hwnd;
 // Installs the hook and records the displaced procedure for forwarding.
 g_lpfnOldWndProc=(WNDPROC)::SetWindowLong(hwnd,GWL_WNDPROC,(LONG)HookExcelWndProc);
  MSG msg;
 while( ::GetMessage( &msg, NULL, 0, 0 ))
 {
 TranslateMessage(&msg);
 DispatchMessage(&msg); 
 }
 return TRUE;
}
注入程式源程式:#include
#include
// Number of bytes copied from ControlExcelThread into the target process and
// also the size of the executable region allocated there (see
// InJectDllIntoProcess). It is a fixed guess, not the function's real size.
const int MAXINJECTSIZE = 10240;
// Function-pointer types matching the kernel32 exports resolved by name in
// InJectDllIntoProcess (LoadLibraryA, GetProcAddress, FreeLibrary).
typedef HMODULE (__stdcall  * LPLOADLIBRARY)(LPCTSTR);
// NOTE(review): "FROC" is presumably FARPROC, lost in transcription.
typedef FROC (__stdcall * LPGETPROCADDRESS)(HMODULE,LPCTSTR);
typedef BOOL  (__stdcall * LPFREELIBRARY)(HMODULE);
// Signature of the hook DLL's exported entry HookExcelRightMenu.
typedef LRESULT (__stdcall * LPHookExcelRightMenu)(HWND);
// Parameter block written into the target process and passed to the remote
// thread: pre-resolved kernel32 function pointers, the DLL path to load, and
// the window to subclass.
typedef struct
{
 LPLOADLIBRARY prcLoadLib;
 LPGETPROCADDRESS prcGetProcAddr;
 LPFREELIBRARY prcFreeLib;
 // NOTE(review): the rest of the listing refers to this field as szLibPath
 // (ControlExcelThread, InJectDllIntoProcess); the two names do not match.
 TCHAR sPath[MAX_PATH+1];
 HWND  hInjectWnd;
}INJECT_DLL,*LPINJECT_DLL;
// Looks up a process id by executable file name (case-insensitive) using a
// Toolhelp snapshot. Returns 0 when no match is found or the snapshot cannot
// be read. Currently unused: the only call site in InJectDllIntoProcess is
// commented out.
// NOTE(review): the entry filled in by Process32First is never compared —
// the loop calls Process32Next before the first stricmp — so the first
// process in the snapshot can never match. The snapshot handle is also
// leaked on the early "return 0", and CreateToolhelp32Snapshot's failure
// value (INVALID_HANDLE_VALUE) is not checked.
DWORD GetProcessIdFromName(LPCTSTR name)
{
   PROCESSENTRY32 pe;
 DWORD id = 0; 
 HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
 pe.dwSize = sizeof(PROCESSENTRY32);
 if( !Process32First(hSnapshot,&pe) )
 return 0; 
 do
 {
 // dwSize must be reset before every Process32Next call.
 pe.dwSize = sizeof(PROCESSENTRY32);
 if( Process32Next(hSnapshot,&pe)==FALSE )
 break;
 if(stricmp(pe.szExeFile,name) == 0)
 {
 id = pe.th32ProcessID;
 break;
 }
 
 } while(1); 
 CloseHandle(hSnapshot); 
 return id;
}
// Tries to enable SeDebugPrivilege (SE_DEBUG_NAME) on the current process
// token so that OpenProcess with PROCESS_ALL_ACCESS succeeds against the
// target. Silently gives up on any failure; the caller never learns whether
// the privilege is actually held. Enabling this privilege is a sensitive
// operation that privilege-use auditing can record.
// NOTE(review): the call site in InJectDllIntoProcess is spelled
// EnableDebugPriv; the names do not match in this listing.
// NOTE(review): AdjustTokenPrivileges returning TRUE does not mean the
// privilege was granted — ERROR_NOT_ALL_ASSIGNED must be checked via
// GetLastError. Also hToken is closed only on the failure path, so on success
// the token handle leaks.
void EnableDePriv( void )
{
 HANDLE hToken;
 LUID sedebugnameValue;
 TOKEN_PRIVILEGES tkp;
 
 if ( ! OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
 return;
 if ( ! LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue ) )
 {
 CloseHandle( hToken );
 return;
 }
 tkp.PrivilegeCount = 1;
 tkp.Privileges[0].Luid = sedebugnameValue;
 tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
 if ( ! AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL ) )
 CloseHandle( hToken );
}
#pragma check_stack(off)
// Thread routine whose machine code InJectDllIntoProcess copies byte-for-byte
// into the target and starts with CreateRemoteThread. It therefore runs in the
// target's address space with only the pointers in the INJECT_DLL block:
// loads the DLL, resolves its export by ordinal, calls it, unloads the DLL.
// Return codes (stored into a DWORD, so negatives wrap): -1 bad parameter or
// exception, -2 LoadLibrary failed, -3 export not found, 0 success.
// NOTE(review): a copied function must be fully self-contained. The C++
// try/catch makes the compiler emit exception-handling tables and calls that
// refer to this module, which is not present in the target; whether this copy
// runs at all is compiler/option dependent and should be treated as fragile.
// NOTE(review): lpInject->szLibPath does not match the struct field sPath,
// and MAKEINTRE(1) is presumably MAKEINTRESOURCE(1) (ordinal 1) lost in
// transcription.
static DWORD __stdcall ControlExcelThread(LPVOID lpVoid)
{
 try
 {
 LPINJECT_DLL lpInject = (LPINJECT_DLL)lpVoid;
 if (NULL == lpInject)
 return -1;
 // Uses the LoadLibraryA pointer resolved by the injector, not an import.
 HMODULE hMod = lpInject->prcLoadLib(lpInject->szLibPath);
 if (NULL == hMod)
 return -2;
 LPHookExcelRightMenu  lpHookExcelRightMenu;
 // Export is looked up by ordinal, not by name.
 lpHookExcelRightMenu = (LPHookExcelRightMenu)lpInject ->prcGetProcAddr (hMod,MAKEINTRE(1));
 if ( !lpHookExcelRightMenu)
 {
 lpInject ->prcFreeLib (hMod);
 return -3;
 }
 // HookExcelRightMenu blocks in its own message loop, so FreeLibrary below
 // is only reached once that loop has exited.
 lpHookExcelRightMenu(lpInject->hInjectWnd);
 lpInject ->prcFreeLib (hMod);
 }
 catch(...)
 {
 return -1;
 }
 return 0;
}
#pragma check_stack(on)
// Injects the hook DLL into the process that owns hwnd. Sequence: resolve the
// owning process id, enable SeDebugPrivilege, OpenProcess(PROCESS_ALL_ACCESS),
// fill an INJECT_DLL block with kernel32 export addresses resolved in *this*
// process, allocate an RWX region plus a parameter region in the target,
// copy MAXINJECTSIZE bytes starting at ControlExcelThread and the parameter
// block over, and start a remote thread at the copied code. This
// OpenProcess / VirtualAllocEx(RWX) / WriteProcessMemory / CreateRemoteThread
// chain is the textbook remote-thread injection pattern and is exactly what
// endpoint monitoring looks for (RWX private memory in Excel, a thread whose
// start address is not backed by a loaded image).
// pstrProcessName is unused; the Toolhelp lookup is commented out.
// Returns -1 (no process id), -2 (OpenProcess failed), -3 (kernel32 not
// loadable); otherwise 0 even when CreateRemoteThread failed — the error code
// is stored in dwThreadId and then discarded.
// NOTE(review): the kernel32 addresses are assumed to be identical in the
// target process; this also presumes same bitness. Confirm before relying
// on it.
// NOTE(review): copying a fixed 10240 bytes from &ControlExcelThread reads
// past the end of the function into whatever follows it in this image.
// NOTE(review): hInjectThread is uninitialised if the try block throws, and
// hInjectTarget is closed *before* the two VirtualFreeEx calls that use it,
// so those releases fail. Had they worked, they would free the code and
// parameter block while the remote thread may still be executing in them —
// a use-after-free inside the host process that can crash Excel.
LRESULT InJectDllIntoProcess(LPCSTR pstrProcessName,HWND hwnd)
{
 DWORD dwProcessID = 0;
// dwProcessID=GetProcessIdFromName(pstrProcessName);
 // A NULL hwnd leaves dwProcessID at 0 and the call returns -1 below.
 GetWindowThreadProcessId(hwnd,&dwProcessID);
 if ( dwProcessID < 1)
 return -1;
 // NOTE(review): defined above as EnableDePriv; name mismatch in this listing.
 EnableDebugPriv();
 HANDLE hInjectTarget =  OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcessID);
 if (!hInjectTarget)
 return -2;
 INJECT_DLL pstInjectDll ;
 memset(&pstInjectDll,0x0,sizeof(INJECT_DLL));
 // hInjectTarget is leaked on this early return.
 HMODULE  hModule = ::LoadLibrary (TEXT("kernel32"));
 if (!hModule)
 return -3;
 // LoadLibraryA is resolved explicitly (not LoadLibraryW), so the path must be
 // an ANSI string regardless of TEXT()/TCHAR settings.
 pstInjectDll.prcLoadLib = (LPLOADLIBRARY)::GetProcAddress(hModule,TEXT("LoadLibraryA"));
 pstInjectDll.prcFreeLib = (LPFREELIBRARY)::GetProcAddress(hModule,TEXT("FreeLibrary"));
 pstInjectDll.prcGetProcAddr = (LPGETPROCADDRESS)::GetProcAddress (hModule,TEXT("GetProcAddress"));
 pstInjectDll.hInjectWnd = hwnd;
 // Hard-coded absolute DLL path (its backslashes appear to have been lost in
 // transcription). The struct declares this field as sPath, not szLibPath.
 lstrcpy(pstInjectDll.szLibPath ,TEXT("E:KDCPackupdllinjectdlldebuginjectdll.dll"));
 // Neither VirtualAllocEx result is checked for NULL before use.
 LPBYTE lpExcelAddr = (LPBYTE)::VirtualAllocEx (hInjectTarget,NULL,MAXINJECTSIZE,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 LPINJECT_DLL param = (LPINJECT_DLL) VirtualAllocEx( hInjectTarget, 0, sizeof(INJECT_DLL), MEM_COMMIT, PAGE_READWRITE );
 WriteProcessMemory(hInjectTarget,lpExcelAddr,&ControlExcelThread,MAXINJECTSIZE,0);
 WriteProcessMemory(hInjectTarget,param,&pstInjectDll,sizeof(INJECT_DLL),0);
 DWORD dwThreadId = 0;
 HANDLE hInjectThread;
 // CreateRemoteThread does not throw C++ exceptions; the try/catch is inert.
 try
 {
  hInjectThread= ::CreateRemoteThread (hInjectTarget,NULL,0,(LPTHREAD_START_ROUTINE)lpExcelAddr,param,0,&dwThreadId);
 }
 catch(...)
 {
 }
 if (!hInjectThread)
 dwThreadId = ::GetLastError ();
 else
 CloseHandle(hInjectThread);
 CloseHandle(hInjectTarget);
 ::VirtualFreeEx (hInjectTarget,lpExcelAddr,0,MEM_RELEASE);
 ::VirtualFreeEx (hInjectTarget,param,0,MEM_RELEASE);
 return 0;
}
// Injector entry point. Walks Excel's window hierarchy by class name
// (XLMAIN -> XLDESK -> EXCEL7) and hands the innermost window to
// InJectDllIntoProcess. The return value of the injection is ignored, so the
// program gives no indication of success or failure.
// NOTE(review): "void main" is non-standard C++; int main is required.
void main()
{
 HWND hwnd;
 hwnd = FindWindowEx(NULL,NULL,"XLMAIN",NULL);
 if (hwnd)
 {
 hwnd = FindWindowEx(hwnd,NULL,"XLDESK",NULL);
 if (hwnd)
 {
 // If the EXCEL7 child is not found hwnd becomes NULL and is still passed
 // on; InJectDllIntoProcess then resolves process id 0 and returns -1.
 hwnd = FindWindowEx(hwnd,NULL,"EXCEL7",NULL);
 InJectDllIntoProcess("excel.exe",hwnd);
 }
 }
}


來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/10752043/viewspace-963042/,如需轉載,請註明出處,否則將追究法律責任。
