推薦:如何在.NET環境下為網站增加IP過濾功能華能集團下某發電廠的企業網站(基于Asp.Net2.0實現,不允許修改源程序)要求實現廠內用戶可直接訪問整個站點的所有頁面,廠外用戶只能訪問指定的頁面的功能,本文將按照需求分析、方案設計、編碼實現、部署應用的順序逐步闡述整個解決方案的形成過程。 1.
進程注入比較常見,比如用IDE調試
大致原理是這樣的:
源進程(也就是你的代碼所在的進程)獲得目標進程(也就是你的注入目標所在的進程)的ID或進程對象
源進程提供一回調函數methodA(也就是你想要注入到目標進程后所執行的代碼)
將目標進程和回調函數methodA的完整路徑(其所在的Assembly,Classic以及MethodName)提交給Injector(也就是我們編寫的負責注入的類),讓Injector來完成注入和讓目標進程執行回調函數
Injector根據提供的目標進程ID取得目標進程對象,并獲得目標進程的一個線程(我們稱為目標線程)
在目標線程中分配一塊內存,將回調函數methodA的完整路徑作為字符串存入該內存中
Injector在目標進程中安裝一個鉤子(Hook)監視某一個Windows消息(messageA),撰寫鉤子的回調函數methodB(該方法中的內容稍后解釋)
像目標進程發消息messageA,并將剛才分配的內存的基地址作為消息參數傳遞.
由于我們針對messageA安裝了鉤子,所以目標進程會調用我們鉤子函數methodB,并會把分配的內存的基地址包含在函數參數中
下面這個圖可能會幫助你理解上面的話:
圖片看不清楚?請點擊這里查看原圖(大圖)。
#include "stdafx.h"
#include "Injector.h"
#include <vcclr.h>
using namespace ManagedInjector;
//defines a new window message that is guaranteed to be unique throughout the system.
//The message value can be used when sending or posting messages.
static unsigned int WM_GOBABYGO = ::RegisterWindowMessage(L"Injector_GOBABYGO!");
static HHOOK _messageHookHandle;
//-----------------------------------------------------------------------------
//Spying Process functions follow
//-----------------------------------------------------------------------------
void Injector::Launch(System::IntPtr windowHandle, System::Reflection::Assembly^ assembly, System::String^ className, System::String^ methodName) {
System::String^ assemblyClassAndMethod = assembly->Location + "$" + className + "$" + methodName;
//convert String to local wchar_t* or char*
pin_ptr<const wchar_t> acmLocal = PtrToStringChars(assemblyClassAndMethod);
//Maps the specified executable module into the address space of the calling process.
HINSTANCE hinstDLL = ::LoadLibrary((LPCTSTR) _T("ManagedInjector.dll"));
if (hinstDLL)
{
DWORD processID = 0;
//get the process id and thread id
DWORD threadID = ::GetWindowThreadProcessId((HWND)windowHandle.ToPointer(), &processID);
if (processID)
{
//get the target process object (handle)
HANDLE hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, processID);
if (hProcess)
{
int buffLen = (assemblyClassAndMethod->Length + 1) * sizeof(wchar_t);
//Allocates physical storage in memory or in the paging file on disk for the specified reserved memory pages.
//The function initializes the memory to zero.
//The return value is the base address of the allocated region of pages.
void* acmRemote = ::VirtualAllocEx(hProcess, NULL, buffLen, MEM_COMMIT, PAGE_READWRITE);
if (acmRemote)
{
//copies the data(the assemblyClassAndMethod string)
//from the specified buffer in the current process
//to the address range of the target process
::WriteProcessMemory(hProcess, acmRemote, acmLocal, buffLen, NULL);
//Retrieves the address of MessageHookProc method from the hintsDLL
HOOKPROC procAddress = (HOOKPROC)GetProcAddress(hinstDLL, "MessageHookProc");
//install a hook procedure to the target thread(before the system sends the messages to the destination window procedure)
_messageHookHandle = ::SetWindowsHookEx(WH_CALLWNDPROC, procAddress, hinstDLL, threadID);
if (_messageHookHandle)
{
//send our custom message to the target window of the target process
::SendMessage((HWND)windowHandle.ToPointer(), WM_GOBABYGO, (WPARAM)acmRemote, 0);
//removes the hook procedure installed in a hook chain by the SetWindowsHookEx function.
::UnhookWindowsHookEx(_messageHookHandle);
}
//removes a hook procedure installed in a hook chain by the SetWindowsHookEx function.
::VirtualFreeEx(hProcess, acmRemote, buffLen, MEM_RELEASE);
}
::CloseHandle(hProcess);
}
}
//Decrements the reference count of the loaded DLL
::FreeLibrary(hinstDLL);
}
}
__declspec( dllexport )
// The procedure for hooking, this will be called back after hooked
int __stdcall MessageHookProc(int nCode, WPARAM wparam, LPARAM lparam) {
//HC_ACTION: indicate that there are argments in wparam and lparam
if (nCode == HC_ACTION)
{
CWPSTRUCT* msg = (CWPSTRUCT*)lparam;
//when the target window received our custom message
if (msg != NULL && msg->message == WM_GOBABYGO)
{
//get the argument passed by the message
//actually, the argument is the base address (a pointer)
//of the assemblyClassAndMethod string in the target process memory
wchar_t* acmRemote = (wchar_t*)msg->wParam;
//gcnew: creates an instance of a managed type (reference or value type) on the garbage collected heap
System::String^ acmLocal = gcnew System::String(acmRemote);
//split the string into substring array with $. Under this context:
//acmSplit[0]:the assembly's location
//acmSplit[1]:className;
//acmSplit[2]:methodName
//we use these infomation to reflect the method in the source assembly, and invoke it in the target process
cli::array<System::String^>^ acmSplit = acmLocal->Split('$');
//refect the method, and invoke it
System::Reflection::Assembly^ assembly = System::Reflection::Assembly::LoadFile(acmSplit[0]);
if (assembly != nullptr)
{
System::Type^ type = assembly->GetType(acmSplit[1]);
if (type != nullptr)
{
System::Reflection::MethodInfo^ methodInfo =
type->GetMethod(acmSplit[2], System::Reflection::BindingFlags::Static | System::Reflection::BindingFlags::Public);
if (methodInfo != nullptr)
{
methodInfo->Invoke(nullptr, nullptr);
}
}
}
}
}
return CallNextHookEx(_messageHookHandle, nCode, wparam, lparam);
}接下來,做個DEMO嘗試一下:
解決方案中的InjectorDemo就是我們上述的源進程,它會利用Injector將下面這段代碼注入到Target進程中并執行:
public static void DoSomethingEvie()
{
vartargetWindow = Application.Current.MainWindow;
if(targetWindow != null)
{
varlb = newLabel{Content = "haha, i caught you :)"};
targetWindow.Content = lb;
}
}
也就是說InjectorDemo進程會將InjectTargetApp進程的主窗口的內容修改成"haha, i caught you"這樣的一個Label.
運行程序:
圖片看不清楚?請點擊這里查看原圖(大圖)。
上面的兩個窗口分別處于不同的進程中, 點擊 "Inject it" 按鈕, 其輝調用如下代碼:
ManagedInjector.Injector.Launch(targetProcess.MainWindowHandle, typeof(InjectorWindow).Assembly, typeof(InjectorWindow).FullName, "DoSomethingEvie");
然后:
圖片看不清楚?請點擊這里查看原圖(大圖)。
分享:淺談使用ASP.NET Global.asax 文件Global.asax文件,有時候叫做ASP.NET應用程序文件,提供了一種在一個中心位置響應應用程序級或模塊級事件的方法。你可以使用這個文件實現應用程序安全性以及其它一些任務。下面讓我們詳細看一下如何在應用程序開發工作中使用這個文件。 概述 Global.asax位于
新聞熱點
疑難解答
圖片精選
