我的使用createremotethread控制excel右键的源程序

利用CreateRemoteThread将dll写进excel.exe.利用SetWindowLong()改变excel中右键消息。dll源程序：#include <windows.h>

BOOL __stdcall DllMain(HANDLE,DWORD,LPVOID)

{

return TRUE;

}

/*

#pragma data_seg("shared")

#pragma data_seg()

#pragma comment(linker,"/SECTION:shared,rws")

*/

WNDPROC g_lpfnOldWndProc;

HWND g_hMsgWnd;

LRESULT APIENTRY HookExcelWndProc(HWND hWnd, UINT wMessage , WPARAM wParam, LPARAM lParam)

{

try

{

switch (wMessage)

{

case WM_RBUTTONDOWN:

MessageBox(g_hMsgWnd,"u click the r button","",MB_OK);

return 1;

break;

case WM_CLOSE:

::ExitProcess (0);

break;

default:

if (NULL == g_lpfnOldWndProc)

return DefWindowProc(hWnd,wMessage,wParam,lParam);

else

return CallWindowProc(g_lpfnOldWndProc,hWnd,wMessage,wParam,lParam);

}

}

catch(...)

{

}

return 0;

}

LRESULT __stdcall HookExcelRightMenu(HWND hwnd)

{

g_hMsgWnd = hwnd;

g_lpfnOldWndProc=(WNDPROC)::SetWindowLong(hwnd,GWL_WNDPROC,(LONG)HookExcelWndProc);

MSG msg;

while( ::GetMessage( &msg, NULL, 0, 0 ))

{

TranslateMessage(&msg);

DispatchMessage(&msg);

}

return TRUE;

}

注入进程源程序:#include <windows.h>

#include <tlhelp32.h>

const int MAXINJECTSIZE = 10240;

typedef HMODULE (__stdcall * LPLOADLIBRARY)(LPCTSTR);

typedef FARPROC (__stdcall * LPGETPROCADDRESS)(HMODULE,LPCTSTR);

typedef BOOL (__stdcall * LPFREELIBRARY)(HMODULE);

typedef LRESULT (__stdcall * LPHookExcelRightMenu)(HWND);

typedef struct

{

LPLOADLIBRARY prcLoadLib;

LPGETPROCADDRESS prcGetProcAddr;

LPFREELIBRARY prcFreeLib;

TCHAR szLibPath[MAX_PATH+1];

HWND hInjectWnd;

}INJECT_DLL,*LPINJECT_DLL;

DWORD GetProcessIdFromName(LPCTSTR name)

{

PROCESSENTRY32 pe;

DWORD id = 0;

HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);

pe.dwSize = sizeof(PROCESSENTRY32);

if( !Process32First(hSnapshot,&pe) )

return 0;

do

{

pe.dwSize = sizeof(PROCESSENTRY32);

if( Process32Next(hSnapshot,&pe)==FALSE )

break;

if(stricmp(pe.szExeFile,name) == 0)

{

id = pe.th32ProcessID;

break;

}

} while(1);

CloseHandle(hSnapshot);

return id;

}

void EnableDebugPriv( void )

{

HANDLE hToken;

LUID sedebugnameValue;

TOKEN_PRIVILEGES tkp;

if ( ! OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )

return;

if ( ! LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue ) )

{

CloseHandle( hToken );

return;

}

tkp.PrivilegeCount = 1;

tkp.Privileges[0].Luid = sedebugnameValue;

tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

if ( ! AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL ) )

CloseHandle( hToken );

}

#pragma check_stack(off)

static DWORD __stdcall ControlExcelThread(LPVOID lpVoid)

{

try

{

LPINJECT_DLL lpInject = (LPINJECT_DLL)lpVoid;

if (NULL == lpInject)

return -1;

HMODULE hMod = lpInject->prcLoadLib(lpInject->szLibPath);

if (NULL == hMod)

return -2;

LPHookExcelRightMenu lpHookExcelRightMenu;

lpHookExcelRightMenu = (LPHookExcelRightMenu)lpInject ->prcGetProcAddr (hMod,MAKEINTRESOURCE(1));

if ( !lpHookExcelRightMenu)

{

lpInject ->prcFreeLib (hMod);

return -3;

}

lpHookExcelRightMenu(lpInject->hInjectWnd);

lpInject ->prcFreeLib (hMod);

}

catch(...)

{

return -1;

}

return 0;

}

#pragma check_stack(on)

LRESULT InJectDllIntoProcess(LPCSTR pstrProcessName,HWND hwnd)

{

DWORD dwProcessID = 0;

// dwProcessID=GetProcessIdFromName(pstrProcessName);

GetWindowThreadProcessId(hwnd,&dwProcessID);

if ( dwProcessID < 1)

return -1;

EnableDebugPriv();

HANDLE hInjectTarget = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcessID);

if (!hInjectTarget)

return -2;

INJECT_DLL pstInjectDll ;

memset(&pstInjectDll,0x0,sizeof(INJECT_DLL));

HMODULE hModule = ::LoadLibrary (TEXT("kernel32"));

if (!hModule)

return -3;

pstInjectDll.prcLoadLib = (LPLOADLIBRARY)::GetProcAddress(hModule,TEXT("LoadLibraryA"));

pstInjectDll.prcFreeLib = (LPFREELIBRARY)::GetProcAddress(hModule,TEXT("FreeLibrary"));

pstInjectDll.prcGetProcAddr = (LPGETPROCADDRESS)::GetProcAddress (hModule,TEXT("GetProcAddress"));

pstInjectDll.hInjectWnd = hwnd;

lstrcpy(pstInjectDll.szLibPath ,TEXT("E:\\KDCP\\backup\\dll\\injectdll\\debug\\injectdll.dll"));

LPBYTE lpExcelAddr = (LPBYTE)::VirtualAllocEx (hInjectTarget,NULL,MAXINJECTSIZE,MEM_COMMIT, PAGE_EXECUTE_READWRITE);

LPINJECT_DLL param = (LPINJECT_DLL) VirtualAllocEx( hInjectTarget, 0, sizeof(INJECT_DLL), MEM_COMMIT, PAGE_READWRITE );

WriteProcessMemory(hInjectTarget,lpExcelAddr,&ControlExcelThread,MAXINJECTSIZE,0);

WriteProcessMemory(hInjectTarget,param,&pstInjectDll,sizeof(INJECT_DLL),0);

DWORD dwThreadId = 0;

HANDLE hInjectThread;

try

{

hInjectThread= ::CreateRemoteThread (hInjectTarget,NULL,0,(LPTHREAD_START_ROUTINE)lpExcelAddr,param,0,&dwThreadId);

}

catch(...)

{

}

if (!hInjectThread)

dwThreadId = ::GetLastError ();

else

CloseHandle(hInjectThread);

CloseHandle(hInjectTarget);

::VirtualFreeEx (hInjectTarget,lpExcelAddr,0,MEM_RELEASE);

::VirtualFreeEx (hInjectTarget,param,0,MEM_RELEASE);

return 0;

}

void main()

{

HWND hwnd;

hwnd = FindWindowEx(NULL,NULL,"XLMAIN",NULL);

if (hwnd)

{

hwnd = FindWindowEx(hwnd,NULL,"XLDESK",NULL);

if (hwnd)

{

hwnd = FindWindowEx(hwnd,NULL,"EXCEL7",NULL);

InJectDllIntoProcess("excel.exe",hwnd);

}

}

}

• ·深入Java面向对象之预备篇(2.方法研究)
• ·Apache上部署Pro*c常见的一个错误
• ·Issues relating to use
• ·Flex2.5用户手册（二）
• ·Flex2.5用户手册（一）
• ·vc6.0调用excel xp,word 2k
• ·用.NET调用oracle的存储过程返回记录集
• ·绝对值函数Abs()的妙用
• ·Delphi Open Tools Api实例
• ·移动设备的Web应用程序开发----(例子)