How to debug HookMain.exe

2025-02-24 Update, from SLTechnology News&Howtos (shulou), Development section


Shulou (Shulou.com) 06/03 Report

This article mainly introduces how to debug HookMain.exe. In daily work many people have questions about how to debug HookMain.exe, so the editor has consulted various materials and put together a simple, easy-to-use procedure, in the hope that it answers those questions. Please follow along with the editor.

I. Program function

Run HookMain.exe in the prepared Windows XP environment and then open Notepad: whatever you type on the keyboard will not appear in Notepad, because as soon as Notepad is opened HookMain.exe has KeyHook.dll loaded into the notepad process. You can see this in Process Explorer.

In the screenshot, the upper pane shows the notepad.exe process and the lower pane part of the dynamic link libraries it has loaded; KeyHook.dll is visible on the penultimate line.

II. HookMain.exe source code

```c
// HookMain.cpp
#include <stdio.h>
#include <conio.h>
#include <windows.h>

#define DEF_DLL_NAME   "KeyHook.dll"
#define DEF_HOOKSTART  "HookStart"
#define DEF_HOOKSTOP   "HookStop"

typedef void (*PFN_HOOKSTART)();
typedef void (*PFN_HOOKSTOP)();

int main()
{
    HMODULE       hDll      = NULL;
    PFN_HOOKSTART HookStart = NULL;
    PFN_HOOKSTOP  HookStop  = NULL;
    char          ch        = 0;

    // load the dll
    hDll = LoadLibraryA(DEF_DLL_NAME);
    if (hDll == NULL)
    {
        printf("LoadLibrary(%s) failed!\n", DEF_DLL_NAME);
        return 1;
    }

    // get the addresses of the exported functions
    HookStart = (PFN_HOOKSTART)GetProcAddress(hDll, DEF_HOOKSTART);
    HookStop  = (PFN_HOOKSTOP)GetProcAddress(hDll, DEF_HOOKSTOP);
    if (HookStart == NULL || HookStop == NULL)
    {
        printf("GetProcAddress() failed!\n");
        FreeLibrary(hDll);
        return 1;
    }

    // start hook
    HookStart();

    // enter Q to exit hook
    printf("enter Q to exit hook!\n");
    while (1)
    {
        ch = getch();
        putch(ch);
        if (ch == 'Q')
            break;
    }

    // end hook
    HookStop();

    // unload dll
    FreeLibrary(hDll);
    return 0;
}
```

III. Source code of KeyHook.dll

```c
// KeyHook.cpp
#include <stdio.h>
#include <string.h>
#include <windows.h>

#define DEF_PROCESS_NAME "notepad.exe"

HINSTANCE g_hInstance = NULL;
HHOOK     g_hHook     = NULL;
HWND      g_hWnd      = NULL;

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpvReserved)
{
    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
        g_hInstance = hinstDLL;   // module handle needed by SetWindowsHookEx()
        break;
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    char  szPath[MAX_PATH] = {0,};
    char *p = NULL;

    if (nCode >= 0)
    {
        // bit 31 of lParam: 0 = key press, 1 = key release
        if (!(lParam & 0x80000000))
        {
            GetModuleFileNameA(NULL, szPath, MAX_PATH);
            p = strrchr(szPath, '\\');

            // compare the current process name; if it is notepad.exe,
            // the message is not passed to the application (or the next hook)
            if (!_stricmp(p + 1, DEF_PROCESS_NAME))
                return 1;
        }
    }

    // if it is not notepad.exe, call CallNextHookEx() to pass the message
    // to the application (or the next hook)
    return CallNextHookEx(g_hHook, nCode, wParam, lParam);
}

#ifdef __cplusplus
extern "C" {
#endif
    __declspec(dllexport) void HookStart()
    {
        g_hHook = SetWindowsHookEx(WH_KEYBOARD, KeyboardProc, g_hInstance, 0);
    }

    __declspec(dllexport) void HookStop()
    {
        if (g_hHook)
        {
            UnhookWindowsHookEx(g_hHook);
            g_hHook = NULL;
        }
    }
#ifdef __cplusplus
}
#endif
```

IV. What you have learned from these two pieces of source code

When writing a DLL in C, the exported functions are marked with __declspec(dllexport).

A function marked CALLBACK is a callback function: a function registered to be called when a particular event occurs. Here, that particular event is a keyboard key being released.

This gives a general understanding of the DLL's source code.
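As an added example (not code from the article or the book it follows), here is the decision KeyboardProc makes for each message, rewritten in portable C so it can be compiled and exercised outside Windows: the bit-31 press/release test on lParam and the case-insensitive comparison of the host process's image name against notepad.exe. CallNextHookEx() is replaced by a return code, and all sample paths and lParam values are constructed.

```c
/* Added example, not code from the original article: a portable model of the
 * decision KeyHook.dll's KeyboardProc makes per WH_KEYBOARD message, so the
 * lParam bit test and process-name filter run without windows.h; the hook
 * chain is modelled by a return code instead of CallNextHookEx(). */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#define DEF_PROCESS_NAME "notepad.exe"
/* WH_KEYBOARD lParam: bits 0-15 repeat count, 16-23 scan code,
 * bit 31 transition state (0 = key press, 1 = key release) */
#define KEY_RELEASE_BIT 0x80000000u
enum hook_action { HOOK_PASS = 0, HOOK_SWALLOW = 1 };

/* ASCII case-insensitive compare standing in for MSVC's _stricmp */
static int stricmp_ascii(const char *a, const char *b)
{
    for (;; a++, b++) {
        int ca = (unsigned char)*a, cb = (unsigned char)*b;
        if (ca >= 'A' && ca <= 'Z') ca += 'a' - 'A';
        if (cb >= 'A' && cb <= 'Z') cb += 'a' - 'A';
        if (ca != cb || ca == 0) return ca - cb;
    }
}

/* Image name after the last backslash. Without a backslash the whole string
 * is the name; the original hook's "p + 1" would dereference NULL there. */
const char *image_name(const char *path)
{
    const char *p = strrchr(path, '\\');
    return p ? p + 1 : path;
}

/* Same rule as KeyboardProc: swallow (return 1) only key presses inside a
 * process whose image is notepad.exe; everything else goes to the next hook. */
enum hook_action keyhook_decide(int nCode, uint32_t lParam, const char *path)
{
    if (nCode < 0 || (lParam & KEY_RELEASE_BIT)) return HOOK_PASS;
    return stricmp_ascii(image_name(path), DEF_PROCESS_NAME) == 0
           ? HOOK_SWALLOW : HOOK_PASS;
}
int main(void)
{   /* constructed sample: scan code 0x10, repeat count 1, bit 31 clear */
    const char *np = "C:\\WINDOWS\\system32\\NOTEPAD.EXE";
    uint32_t press = 0x00100001u;
    printf("press in notepad: %d\n", keyhook_decide(0, press, np));
    printf("release in notepad: %d\n", keyhook_decide(0, press | KEY_RELEASE_BIT, np));
    printf("press in cmd.exe: %d\n", keyhook_decide(0, press, "C:\\cmd.exe"));
    return 0;
}
```

A key release or a message for any other process is always passed on, which is why the hook only blanks Notepad's input while other windows keep working.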

Debug HookMain.exe with OD

Open the program in OD (OllyDbg) and try debugging it.

Based on my experience, I went directly to 00401000H of memory to find the location of main.

The book uses the search-for-strings method, which is of course the better approach, but both ways find the entry of the main function.

The assembly code for this main function is analyzed below.

From 00401000H to 0040102EH the program calls LoadLibraryA to load KeyHook.dll, checks whether the load succeeded, and leaves the module handle in EAX. I guess that the function at 00401088H is a message-box routine that pops up when loading fails and tells the user the module could not be loaded.

From 0040102FH to 00401049H the addresses of the two imported functions are stored in the two pointers. I cannot locate the two pointers for the moment; I only know that the address of HookStart() goes into EBX, because HookStart() is called right afterwards in the source, and in the assembly the function whose address is in EBX is called right afterwards.

From 0040104BH to 00401068H the loaded HookStart() function is called first, then the printf() function at 00401088H, and then the program enters a loop. 71H represents Q, so the loop exits when Q is entered.

Here you can see that the earlier GetProcAddress call leaves the resulting address in EAX, which is then copied to EBX and EDI, so at the end of the loop the HookStop() function is called directly through EDI.

Finally, the DLL is freed and all the stack space is released.

That is how the program works at the assembly level. Next, let's study how the HookStart() function works, so we step into it at 0040104BH.

According to the book, 10001020 is the address of the hook procedure.

Debug KeyHook.dll in notepad.exe process with OD

First open notepad.exe in OD and, in the debugging options, enable the break on new module.

Then run HookMain.exe and type in notepad.exe. When you switch back to OD, you find that the DLL has been injected.

Then double-click the KeyHook.dll you found to start debugging it.

Find the KeyboardProc() function at 10001020.

The debugging is successful.

This concludes the study of how to debug HookMain.exe. I hope it has answered your questions. Combining theory with practice helps you learn better, so go and try it! If you want to keep learning more on related topics, please continue to follow the site; the editor will keep working to bring you more practical articles.
