c - DLL injection: unable to load the function address



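I am trying to hook the keyboard using DLL injection in C. When I call GetProcAddress on the KeyboardProc function, GetProcAddress returns NULL and GetLastError returns error 131. After that I get a DLL_PROCESS_DETACH. The Windows website says: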

ERROR_NEGATIVE_SEEK
131 (0x83)
An attempt was made to move the file pointer before the beginning of the file.

I don't understand what is wrong with my code.

The injector I am using:

#include <Windows.h>
#include <stdio.h>

int main(int argc, char *argv[])
{
    HMODULE dll = LoadLibrary((LPCSTR) "dll.dll");
    if (dll == NULL)
    {
        /* Nothing was loaded, so there is no module handle to free. */
        printf("The DLL could not be found.\n");
        return -1;
    }
    printf("The DLL was found.\n");

    /* Look up the hook procedure by its exported name. */
    HOOKPROC addr = (HOOKPROC)GetProcAddress(dll, "KeyboardProc");
    if (addr == NULL)
    {
        printf("The function was not found.\n");
        FreeLibrary(dll);
        return -1;
    }
    printf("The function was found.\n");

    HHOOK handle = SetWindowsHookEx(WH_KEYBOARD, addr, dll, 0);
    if (handle == NULL)
    {
        /* Stop here: there is no hook to remove later. */
        printf("The KEYBOARD could not be hooked.\n");
        FreeLibrary(dll);
        return -1;
    }
    printf("Program successfully hooked.\nPress enter to unhook the function and stop the program.\n");
    getchar();
    UnhookWindowsHookEx(handle);
    FreeLibrary(dll);
    return 0;
}

The DLL I am using:

#include <windows.h>
#include <stdio.h>

INT APIENTRY DllMain(HMODULE hDLL, DWORD Reason, LPVOID Reserved)
{
    switch (Reason)
    {
    case DLL_PROCESS_ATTACH:
        MessageBox(0, (LPCSTR) "DLL attach function called.", (LPCSTR) "Dll injection", MB_OK);
        break;
    case DLL_PROCESS_DETACH:
        MessageBox(0, (LPCSTR) "DLL detach function called.", (LPCSTR) "Dll injection", MB_OK);
        break;
    case DLL_THREAD_ATTACH:
        MessageBox(0, (LPCSTR) "DLL thread attach function called.", (LPCSTR) "Dll injection", MB_OK);
        break;
    case DLL_THREAD_DETACH:
        MessageBox(0, (LPCSTR) "DLL thread detach function called..", (LPCSTR) "Dll injection", MB_OK);
        break;
    }
    return TRUE;
}

extern __declspec(dllexport) LRESULT CALLBACK KeyboardProc(int code, WPARAM wParam, LPARAM lParam)
{
    if (code < 0)
    {
        return CallNextHookEx(NULL, code, wParam, lParam);
    }
    FILE *LOG;
    LOG = fopen("LOG.txt", "a+");
    if (wParam == WM_KEYDOWN)
    {
        fputs((char *)lParam, LOG);
        fclose(LOG);
    }
    return CallNextHookEx(NULL, code, wParam, lParam);
}

I am using Windows 10 and MinGW. Both the injector and the DLL are compiled as C.

The problem is simple:

extern __declspec(dllexport) LRESULT CALLBACK KeyboardProc(int code, WPARAM wParam, LPARAM lParam)

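is most likely defined in a cpp file, so it is a C++ function. C++ supports function overloading by using name mangling, so your function is visible under a name that is the result of that mangling.

You have to force it to be a C function so that name mangling is disabled.

So add extern "C", or give the source file a C-specific extension (so that it is compiled as C code). Your code is pure C.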
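
The mismatch described in the answer can be confirmed by comparing the names in the DLL's export table with the name passed to GetProcAddress. The following is an added example, not code from the question or the answer: a hypothetical helper `classify_export` that recognises C++ mangling and, going beyond the answer, the 32-bit `__stdcall` decoration that `CALLBACK` produces. The sample export names are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* How an export-table name relates to the plain name given to GetProcAddress. */
typedef enum { EXP_EXACT, EXP_STDCALL, EXP_ITANIUM_CXX, EXP_MSVC_CXX, EXP_UNRELATED } export_kind;

/* Hypothetical helper (not a Windows API): pure string classification. */
export_kind classify_export(const char *exported, const char *wanted)
{
    size_t n = strlen(wanted);
    if (strcmp(exported, wanted) == 0)
        return EXP_EXACT;                      /* GetProcAddress would succeed */
    /* MSVC C++ decoration: ?Name@@<signature> */
    if (exported[0] == '?' && strncmp(exported + 1, wanted, n) == 0 && exported[1 + n] == '@')
        return EXP_MSVC_CXX;
    /* Itanium ABI mangling (g++, MinGW): _Z<len><Name><params> */
    if (strncmp(exported, "_Z", 2) == 0 && isdigit((unsigned char)exported[2])) {
        char *end;
        unsigned long len = strtoul(exported + 2, &end, 10);
        return (len == n && strncmp(end, wanted, n) == 0) ? EXP_ITANIUM_CXX : EXP_UNRELATED;
    }
    /* 32-bit __stdcall decoration: [_]Name@<argument bytes> */
    const char *p = (exported[0] == '_') ? exported + 1 : exported;
    if (strncmp(p, wanted, n) == 0 && p[n] == '@' && isdigit((unsigned char)p[n + 1])) {
        for (p += n + 1; isdigit((unsigned char)*p); p++) { }
        if (*p == '\0')
            return EXP_STDCALL;
    }
    return EXP_UNRELATED;
}

int main(void)
{
    /* Constructed export names, as an export-listing tool might print them. */
    const char *samples[] = { "KeyboardProc", "KeyboardProc@12", "_KeyboardProc@12",
                              "_Z12KeyboardProciyx", "?KeyboardProc@@YGJHIJ@Z", "DllMain" };
    const char *label[] = { "exact match", "stdcall-decorated C name",
                            "C++ mangled (Itanium ABI)", "C++ mangled (MSVC)", "unrelated" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s %s\n", samples[i], label[classify_export(samples[i], "KeyboardProc")]);
    return 0;
}
```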
