可以在VC++中使用;非哥所作;哥整理并作说明;
1 弹出窗口类
CPopupTipWnd,封装了MFC CWnd类,创建窗口、显示窗口、隐藏窗口操作;
#include "stdafx.h"
#include "PwdSpy.h"
#include "PopupTipWnd.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
#define BORDER_X 5
#define BORDER_Y 5
//***********************************************
CPopupTipWnd::CPopupTipWnd()
{
m_pParentWnd = NULL;
}
//***********************************************
CPopupTipWnd::~CPopupTipWnd()
{
}
BEGIN_MESSAGE_MAP(CPopupTipWnd, CWnd)
//{{AFX_MSG_MAP(CPopupTipWnd)
//}}AFX_MSG_MAP
END_MESSAGE_MAP()
//***********************************************
BOOL CPopupTipWnd::Create(CWnd *pParentWnd)
{
_ASSERTE(pParentWnd);
m_pParentWnd = pParentWnd;
DWORD dwStyle = WS_BORDER | WS_POPUP;
DWORD dwExStyle = WS_EX_TOOLWINDOW | WS_EX_TOPMOST;
CString strWndClass = AfxRegisterWndClass(CS_SAVEBITS, 0, (HBRUSH)(COLOR_INFOBK + 1));
BOOL bCreated = CreateEx(dwExStyle,
strWndClass,
NULL,
dwStyle,
0, 0, 0, 0,
NULL, NULL, NULL);
return bCreated;
}
//***********************************************
void CPopupTipWnd::ShowPopupWindow(CString strText, CPoint point, CRect rect)
{
// If there is no password, instead hide the window and be done with it
if(strText.IsEmpty())
{
HidePopupWindow();
return;
}
CClientDC dc(this);
// Use same font as parent window
CFont *pOldFont = dc.SelectObject(m_pParentWnd->GetFont());
// Calculate the window size.
CSize sizeText = dc.GetTextExtent(strText);
CSize sizeWindow;
sizeWindow.cx = sizeText.cx + 2 * BORDER_X;
sizeWindow.cy = sizeText.cy + 2 * BORDER_Y;
// Draw information in window
dc.SetBkMode(TRANSPARENT);
dc.DrawText(strText, CRect(0, 0, sizeWindow.cx, sizeWindow.cy), DT_CENTER | DT_VCENTER | DT_SINGLELINE);
dc.SelectObject(pOldFont);
// Calculate window rectangle position on screen
CRect rectWindow;
rectWindow.left = rect.left;
rectWindow.right = rectWindow.left + sizeWindow.cx;
rectWindow.top = rect.top - (sizeWindow.cy + 20);
if(rectWindow.top <= 0)
rectWindow.top = rect.bottom + 20;
rectWindow.bottom = rectWindow.top + sizeWindow.cy;
// Display window
SetWindowPos(&wndTop,
rectWindow.left,
rectWindow.top,
rectWindow.Width(),
rectWindow.Height(),
SWP_SHOWWINDOW | SWP_NOACTIVATE);
}
//***********************************************
void CPopupTipWnd::HidePopupWindow(void)
{
ShowWindow(SW_HIDE);
}
//.h
#pragma once
class CPopupTipWnd : public CWnd
{
// Construction
public:
CPopupTipWnd();
virtual ~CPopupTipWnd();
virtual BOOL Create(CWnd *pParentWnd);
void ShowPopupWindow(CString strText, CPoint point, CRect rect);
void HidePopupWindow(void);
// Overrides
// ClassWizard generated virtual function overrides
//{{AFX_VIRTUAL(CPopupTipWnd)
//}}AFX_VIRTUAL
// Generated message map functions
protected:
CRect m_rectPos;
CWnd *m_pParentWnd;
//{{AFX_MSG(CPopupTipWnd)
//}}AFX_MSG
DECLARE_MESSAGE_MAP()
};
//{{AFX_INSERT_LOCATION}}
2 操作系统信息类
COSInfo,封装了Win32 API 操作系统信息相关API;
#include "stdafx.h"
#include "OSInfo.h"
//***********************************************
COSInfo::COSInfo()
{
ZeroMemory(&m_osvi, sizeof(OSVERSIONINFO));
m_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
if(!GetVersionEx(&m_osvi))
ZeroMemory(&m_osvi, sizeof(OSVERSIONINFO));
}
//***********************************************
COSInfo::~COSInfo()
{
}
//***********************************************
EOSType COSInfo::GetOSType(void) const
{
EOSType eOSType = eUnknown;
if(IsWindowsNT())
eOSType = eWinNT;
else if(IsWindows2000())
eOSType = eWin2000;
else if(IsWindowsXP())
eOSType = eWinXP;
else if(IsWindows2003())
eOSType = eWin2003;
else if(IsWindows95())
eOSType = eWin95;
else if(IsWindows98())
eOSType = eWin98;
else if(IsWindowsME())
eOSType = eWinME;
return eOSType;
}
//***********************************************
LPCTSTR COSInfo::GetOSString(void) const
{
struct OSTypeTableEntry
{
EOSType eOSType;
LPCTSTR szOSName;
}
static const OSLookupTable[] =
{
{eUnknown, _T("")}, // Undefined
{eWin95, _T("Windows 95")}, // Windows 95
{eWin98, _T("Windows 98")}, // Windows 98
{eWinME, _T("Windows ME")}, // Windows ME
{eWinNT, _T("Windows NT")}, // Windows NT
{eWin2000, _T("Windows 2000")}, // Windows 2000
{eWinXP, _T("Windows XP")}, // Windows XP
{eWin2003, _T("Windows 2003")} // Windows 2003
};
EOSType eOSType = GetOSType();
_ASSERTE(eOSType < sizeof(OSLookupTable) / sizeof(OSLookupTable[0]));
return OSLookupTable[eOSType].szOSName;
}
//***********************************************
bool COSInfo::IsWindows95(void) const
{
// Windows95 if:
// Major == 4 and Minor == 0 and PlatformId != NT
return (m_osvi.dwMajorVersion == 4 &&
m_osvi.dwMinorVersion == 0 &&
m_osvi.dwPlatformId != VER_PLATFORM_WIN32_NT) ? true : false;
}
//***********************************************
bool COSInfo::IsWindows98(void) const
{
// Windows98 if:
// Major >= 4 and Minor > 0 and PlatformId != NT
// (except Major == 4 and Minor == 90 which is ME)
// (note: Major == 4 and Minor == 0 is 95)
return (m_osvi.dwMajorVersion >= 4 &&
m_osvi.dwMinorVersion > 0 &&
m_osvi.dwPlatformId != VER_PLATFORM_WIN32_NT &&
!(m_osvi.dwMajorVersion == 4 && m_osvi.dwMinorVersion == 90)) ? true : false;
}
//***********************************************
bool COSInfo::IsWindowsME(void) const
{
// WindowsME if:
// Major == 4 and Minor == 90 and PlatformId != NT
return (m_osvi.dwMajorVersion == 4 &&
m_osvi.dwMinorVersion == 90 &&
m_osvi.dwPlatformId != VER_PLATFORM_WIN32_NT) ? true : false;
}
//***********************************************
bool COSInfo::IsWindowsNT(void) const
{
// WindowsNT4 if:
// Major == 4 and Minor == 0 and PlatformId == NT
return (m_osvi.dwMajorVersion == 4 &&
m_osvi.dwMinorVersion == 0 &&
m_osvi.dwPlatformId == VER_PLATFORM_WIN32_NT) ? true : false;
}
//***********************************************
bool COSInfo::IsWindows2000(void) const
{
// Windows2000 if:
// Major == 5 and Minor == 0 and PlatformId == NT
return (m_osvi.dwMajorVersion == 5 &&
m_osvi.dwMinorVersion == 0 &&
m_osvi.dwPlatformId == VER_PLATFORM_WIN32_NT) ? true : false;
}
//***********************************************
bool COSInfo::IsWindowsXP(void) const
{
// WindowsXP if:
// Major == 5 and Minor == 1 and PlatformId == NT
return (m_osvi.dwMajorVersion == 5 &&
m_osvi.dwMinorVersion == 1 &&
m_osvi.dwPlatformId == VER_PLATFORM_WIN32_NT) ? true : false;
}
//***********************************************
bool COSInfo::IsWindows2003(void) const
{
// Windows2003 if:
// Major == 5 and Minor == 2 and PlatformId == NT
return (m_osvi.dwMajorVersion == 5 &&
m_osvi.dwMinorVersion == 2 &&
m_osvi.dwPlatformId == VER_PLATFORM_WIN32_NT) ? true : false;
}
//***********************************************
bool COSInfo::IsNT(void) const
{
return (m_osvi.dwPlatformId == VER_PLATFORM_WIN32_NT) ? true : false;
}
//***********************************************
DWORD COSInfo::GetMajor(void) const
{
return m_osvi.dwMajorVersion;
}
//***********************************************
DWORD COSInfo::GetMinor(void) const
{
return m_osvi.dwMinorVersion;
}
//***********************************************
DWORD COSInfo::GetBuild(void) const
{
return m_osvi.dwBuildNumber;
}
//***********************************************
DWORD COSInfo::GetPlatformId(void) const
{
return m_osvi.dwPlatformId;
}
//***********************************************
LPCTSTR COSInfo::GetCSDString(void) const
{
return m_osvi.szCSDVersion;
}
//.h
#pragma once
typedef enum _EOSType
{
eUnknown = 0,
eWin95,
eWin98,
eWinME,
eWinNT,
eWin2000,
eWinXP,
eWin2003
} EOSType, *LPEOSType;
class COSInfo
{
public:
COSInfo();
virtual ~COSInfo();
EOSType GetOSType(void) const;
LPCTSTR GetOSString(void) const;
bool IsWindows95(void) const;
bool IsWindows98(void) const;
bool IsWindowsME(void) const;
bool IsWindowsNT(void) const;
bool IsWindows2000(void) const;
bool IsWindowsXP(void) const;
bool IsWindows2003(void) const;
bool IsNT(void) const;
DWORD GetMajor(void) const;
DWORD GetMinor(void) const;
DWORD GetBuild(void) const;
DWORD GetPlatformId(void) const;
LPCTSTR GetCSDString(void) const;
protected:
OSVERSIONINFO m_osvi;
};
3 代码注入CPP文件
包括线程函数,拷贝线程函数和注入数据到远程进程的函数;
/***************************************************************
Module name: InjCode.cpp
Copyright (c) 2003 Robert Kuster
Notice: If this code works, it was written by Robert Kuster.
Else, I don't know who wrote it.
Use it on your own risk. No responsibilities for
possible damages of even functionality can be taken.
***************************************************************/
#include <Windows.h>
#include "InjCode.h"
//---------------------------------------------------------------------
// INJDATA
// Notice: The data structure being injected.
//
typedef LRESULT (WINAPI *SENDMESSAGE)(HWND,UINT,WPARAM,LPARAM);
typedef struct {
HWND hwnd;
SENDMESSAGE fnSendMessage; // pointer to user32!SendMessage
BYTE pbText[128 * sizeof(TCHAR)];
} INJDATA, *PINJDATA;
//---------------------------------------------------------------------
// ThreadFunc
// Notice: - the code being injected;
// - the remote copy of this function retrieves the password;
//
// Return value: password length
//
static DWORD WINAPI ThreadFunc (INJDATA *pData)
{
// There must be less than a page-worth of local
// variables used in this function.
int nXferred = 0; // number of chars retrieved by WM_GETTEXT
// Get password
nXferred = pData->fnSendMessage( pData->hwnd, WM_GETTEXT,
sizeof(pData->pbText)/sizeof(TCHAR),
(LPARAM)pData->pbText );
pData->pbText [127 * sizeof(TCHAR)] = __TEXT('\0');
// The thread's exit code is the number
// of characters retrieved by WM_GETTEXT
return nXferred;
}
// This function marks the memory address after ThreadFunc.
// int cbCodeSize = (PBYTE) AfterThreadFunc - (PBYTE) ThreadFunc.
static void AfterThreadFunc (void) {
}
//---------------------------------------------------------------------
// GetTextRemote
// Notice: - copies ThreadFunc and INJDATA to the remote process;
// - starts the excecution of the remote ThreadFunc;
//
// Return value: password length;
//
int GetTextRemote (HANDLE hProcess, HWND hWnd, BYTE* pbString, bool fUnicode)
{
HINSTANCE hUser32;
INJDATA *pDataRemote; // the address (in the remote process) where INJDATA will be copied to;
DWORD *pCodeRemote; // the address (in the remote process) where ThreadFunc will be copied to;
HANDLE hThread = NULL; // the handle to the thread executing the remote copy of ThreadFunc;
DWORD dwThreadId = 0;
int nCharsXferred = 0; // number of chars retrieved by WM_GETTEXT in the remote thread;
DWORD dwNumBytesXferred = 0; // number of bytes written/read to/from the remote process;
__try {
hUser32 = GetModuleHandle(__TEXT("user32"));
if (hUser32 == NULL)
__leave;
// Initialize INJDATA and then
// copy it to the remote process
INJDATA DataLocal = {
hWnd,
(SENDMESSAGE) GetProcAddress(hUser32, fUnicode ? "SendMessageW" : "SendMessageA")
};
if( DataLocal.fnSendMessage == NULL )
__leave;
// 1. Allocate memory in the remote process for INJDATA
// 2. Write a copy of DataLocal to the allocated memory
pDataRemote = (INJDATA*) VirtualAllocEx( hProcess, 0, sizeof(INJDATA), MEM_COMMIT, PAGE_READWRITE );
if (pDataRemote == NULL)
__leave;
WriteProcessMemory( hProcess, pDataRemote, &DataLocal, sizeof(INJDATA), &dwNumBytesXferred );
// Calculate the number of bytes that ThreadFunc occupies
const int cbCodeSize = ((LPBYTE) AfterThreadFunc - (LPBYTE) ThreadFunc);
// 1. Allocate memory in the remote process for the injected ThreadFunc
// 2. Write a copy of ThreadFunc to the allocated memory
pCodeRemote = (PDWORD) VirtualAllocEx( hProcess, 0, cbCodeSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
if (pCodeRemote == NULL)
__leave;
WriteProcessMemory( hProcess, pCodeRemote, &ThreadFunc, cbCodeSize, &dwNumBytesXferred );
// Start execution of remote ThreadFunc
hThread = CreateRemoteThread(hProcess, NULL, 0,
(LPTHREAD_START_ROUTINE) pCodeRemote,
pDataRemote, 0 , &dwThreadId);
if (hThread == NULL)
__leave;
WaitForSingleObject(hThread, INFINITE);
// Get result (password) back
ReadProcessMemory( hProcess, pDataRemote, &DataLocal, sizeof(INJDATA), &dwNumBytesXferred);
if (fUnicode) wcscpy((LPWSTR) pbString, (LPCWSTR) DataLocal.pbText);
else strcpy((LPSTR) pbString, (LPCSTR) DataLocal.pbText);
}
__finally {
if ( pDataRemote != 0 )
VirtualFreeEx( hProcess, pDataRemote, 0, MEM_RELEASE );
if ( pCodeRemote != 0 )
VirtualFreeEx( hProcess, pCodeRemote, 0, MEM_RELEASE );
if ( hThread != NULL ) {
GetExitCodeThread(hThread, (PDWORD) &nCharsXferred);
CloseHandle(hThread);
}
}
// Return the number of chars retrieved
// by WM_GETTEXT in the remote thread.
return nCharsXferred;
}
///////////////////////////////////////////////////////////////////////////
int GetWindowTextRemoteA (HANDLE hProcess, HWND hWnd, LPSTR lpString)
{
return GetTextRemote (hProcess, hWnd, (BYTE*)lpString, false);
}
int GetWindowTextRemoteW (HANDLE hProcess, HWND hWnd, LPWSTR lpString)
{
return GetTextRemote (hProcess, hWnd, (BYTE*)lpString, true);
}
//////////////////////// End Of File //////////////////////////////////////
//.h
/***************************************************************
Module name: InjCode.h
Copyright (c) 2003 Robert Kuster
Notice: If this code works, it was written by Robert Kuster.
Else, I don't know who wrote it.
Use it on your own risk. No responsibilities for
possible damages of even functionality can be taken.
***************************************************************/
#if !defined INJCODE_H
#define INJCODE_H
int GetWindowTextRemoteA (HANDLE hProcess, HWND hWnd, LPSTR lpString);
int GetWindowTextRemoteW (HANDLE hProcess, HWND hWnd, LPWSTR lpString);
#ifdef UNICODE
#define GetWindowTextRemote GetWindowTextRemoteW
#else
#define GetWindowTextRemote GetWindowTextRemoteA
#endif // !UNICODE
#endif // !defined(INJCODE_H)
4 进程间共享内存封装类
封装了相关Win32 API;
// XShareMemory.cpp: implementation of the XShareMemory class.
//
//////////////////////////////////////////////////////////////////////
#include "stdafx.h"
#include "XShareMemory.h"
#ifdef _DEBUG
#undef THIS_FILE
static char THIS_FILE[]=__FILE__;
#define new DEBUG_NEW
#endif
//////////////////////////////////////////////////////////////////////
// Construction/Destruction
//////////////////////////////////////////////////////////////////////
XShareMemory::XShareMemory()
{
Init();
// Create(DEFAULT_FILENAME, DEFAULT_MAPNAME, DEFAULT_MAPSIZE);
}
XShareMemory::XShareMemory(char *szFileName, char *szMapName, DWORD dwSize)
{
Init();
Create(szFileName, szMapName, dwSize);
}
XShareMemory::~XShareMemory()
{
Destory();
}
void XShareMemory::Init()
{
m_hFile = NULL;
m_hFileMap = NULL;
m_hCreateMutex = NULL;
m_hOpenMutex = NULL;
m_lpFileMapBuffer = NULL;
m_pFileName = NULL;
m_pMapName = NULL;
m_dwSize = 0;
m_iCreateFlag = 0;
m_iOpenFlag = 0;
}
void XShareMemory::Destory()
{
if (m_lpFileMapBuffer)
{
UnmapViewOfFile(m_lpFileMapBuffer);
m_lpFileMapBuffer = NULL;
}
if (m_hFileMap)
{
CloseHandle(m_hFileMap);
m_hFileMap = NULL;
}
if (m_hFile && m_hFile != INVALID_HANDLE_VALUE)
{
CloseHandle(m_hFile);
m_hFile = NULL;
}
if(m_hCreateMutex)
{
CloseHandle(m_hCreateMutex);
m_hCreateMutex = NULL;
}
if(m_hOpenMutex)
{
CloseHandle(m_hOpenMutex);
m_hOpenMutex = NULL;
}
if (m_pFileName)
{
free(m_pFileName);
m_pFileName = NULL;
}
if (m_pMapName)
{
free(m_pMapName);
m_pMapName = NULL;
}
Init();
}
void XShareMemory::Create(char *szFileName, char *szMapName, DWORD dwSize)
{
ASSERT(m_iOpenFlag == 0);
if (m_iCreateFlag)
Destory();
char szMutexName[1000];
strcpy(szMutexName, szMapName);
strcat(szMutexName, "_MUTEX");
m_hCreateMutex = CreateMutex(NULL, FALSE, szMutexName);
if (szFileName)
m_pFileName = _strdup(szFileName);
if (szMapName)
m_pMapName = _strdup(szMapName);
else m_pMapName = _strdup(DEFAULT_MAPNAME);
if (dwSize > 0)
m_dwSize = dwSize;
else m_dwSize = DEFAULT_MAPSIZE;
if (m_pFileName)
{
// file
m_hFile = CreateFile(
m_pFileName,
GENERIC_READ|GENERIC_WRITE,
FILE_SHARE_READ|FILE_SHARE_WRITE,
NULL,
OPEN_ALWAYS,//OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL
);
}
else
{
// system
m_hFile = (HANDLE)0xFFFFFFFF;
}
if (m_hFile)
{
m_hFileMap = CreateFileMapping(
m_hFile,
NULL,
PAGE_READWRITE,
0,
m_dwSize,
m_pMapName
);
//使只有一个CSFMServer对象能操作内存对象
//if (m_hFileMap != NULL && ERROR_ALREADY_EXISTS == GetLastError())
//{
// CloseHandle(m_hFileMap);
// m_hFileMap = NULL;
//}
}
if (m_hFileMap)
{
m_lpFileMapBuffer = MapViewOfFile(
m_hFileMap,
FILE_MAP_ALL_ACCESS,//FILE_MAP_WRITE|FILE_MAP_READ,
0,
0,
m_dwSize
);
}
m_iCreateFlag = 1;
}
bool XShareMemory::IsOpened()
{
return (m_iOpenFlag == 1)? true : false;
}
bool XShareMemory::IsCreated()
{
return (m_iCreateFlag == 1)? true : false;
}
void XShareMemory::Open(DWORD dwAccess, char *szMapName)
{
ASSERT(m_iCreateFlag == 0);
if (m_iOpenFlag)
Destory();
char szMutexName[1000];
strcpy(szMutexName, szMapName);
strcat(szMutexName, "_MUTEX");
m_hOpenMutex = OpenMutex(MUTEX_ALL_ACCESS, FALSE, szMutexName);
if(m_hOpenMutex == NULL)
return;
if (szMapName)
m_pMapName = _strdup(szMapName);
else m_pMapName = _strdup(DEFAULT_MAPNAME);
m_hFileMap = OpenFileMapping(
dwAccess,
TRUE,
m_pMapName
);
if (m_hFileMap)
{
m_lpFileMapBuffer = MapViewOfFile(
m_hFileMap,
dwAccess,
0,
0,
0
);
m_iOpenFlag = 1;
}
}
LPVOID XShareMemory::GetBuffer()
{
return (m_lpFileMapBuffer)?(m_lpFileMapBuffer):(NULL);
}
DWORD XShareMemory::GetSize()
{
return m_dwSize;
}
bool XShareMemory::Write(const char *pData, DWORD dwSize)
{
char *p = (char*)GetBuffer();
if(p)
{
HANDLE hMutex;
if(m_iCreateFlag)
hMutex = m_hCreateMutex;
else
hMutex = m_hOpenMutex;
::WaitForSingleObject(hMutex, INFINITE);
memcpy(p, pData, dwSize);
ReleaseMutex(hMutex);
return true;
}
else
return false;
}
bool XShareMemory::Read(char *pData, DWORD dwSize)
{
char *p = (char*)GetBuffer();
if(!p)
return false;
HANDLE hMutex;
if(m_iCreateFlag)
hMutex = m_hCreateMutex;
else
hMutex = m_hOpenMutex;
::WaitForSingleObject(hMutex, INFINITE);
memcpy(pData, p, dwSize);
ReleaseMutex(hMutex);
return true;
}
//.h
// XShareMemory.h: interface for the XShareMemory class.
//
//////////////////////////////////////////////////////////////////////
#if !defined(AFX_XSHAREMEMORY_H__32BEA564_49E7_4756_994E_AFC067505D25__INCLUDED_)
#define AFX_XSHAREMEMORY_H__32BEA564_49E7_4756_994E_AFC067505D25__INCLUDED_
#if _MSC_VER > 1000
#pragma once
#endif // _MSC_VER > 1000
#define DEFAULT_FILENAME NULL
#define DEFAULT_MAPNAME "_SFM_OBJ_"
#define DEFAULT_MAPSIZE (0xFFFF + 1)
// 进程间共享内存
class XShareMemory
{
public:
bool Read(char *pData, DWORD dwSize);
bool Write(const char *pData, DWORD dwSize);
XShareMemory();
XShareMemory(char *szFileName, char *szMapName, DWORD dwSize);
virtual ~XShareMemory();
void Create(char *szFileName, char *szMapName, DWORD dwSize); // 服务端:创建共享内存
void Open(DWORD dwAccess, char *szMapName); // 客户端:打开共享内存
LPVOID GetBuffer();
DWORD GetSize();
bool IsOpened();
bool IsCreated();
private:
void Destory();
void Init();
protected:
HANDLE m_hFile;
HANDLE m_hFileMap;
HANDLE m_hCreateMutex; // 互斥保护共享内存
HANDLE m_hOpenMutex; // 互斥保护共享内存
LPVOID m_lpFileMapBuffer;
char *m_pFileName;
char *m_pMapName;
DWORD m_dwSize;
int m_iCreateFlag; // 创建标志,服务器端
int m_iOpenFlag; // 打开标志,客户端
};
#endif // !defined(AFX_XSHAREMEMORY_H__32BEA564_49E7_4756_994E_AFC067505D25__INCLUDED_)