
DLL injection can't load a function address


I'm trying to hook the keyboard with a DLL injection in C. When I try GetProcAddress on the KeyboardProc function, GetProcAddress returns NULL and GetLastError returns error 131. After that I get a DLL_PROCESS_DETACH. The Windows website says:

ERROR_NEGATIVE_SEEK
131 (0x83)
An attempt was made to move the file pointer before the beginning of the file.

I don't understand what the problem is in my code.

The injector I am using:

#include <Windows.h>
#include <stdio.h>

int main(int argc, char *argv[])
{

    HMODULE dll = LoadLibrary((LPCSTR) "dll.dll");
    if (dll == NULL)
    {
        /* Nothing was loaded, so there is no module handle to free. */
        printf("The DLL could not be found.\n");
        return -1;
    }
    printf("The DLL was found.\n");
    HOOKPROC addr = (HOOKPROC)GetProcAddress(dll, "KeyboardProc");
    if (addr == NULL)
    {
        printf("The function was not found.\n");
        FreeLibrary(dll);
        return -1;
    }
    printf("The function was  found.\n");
    HHOOK handle = SetWindowsHookEx(WH_KEYBOARD, addr, dll, 0);
    if (handle == NULL)
    {
        printf("The KEYBOARD could not be hooked.\n");
        FreeLibrary(dll);
        return -1; /* Stop here instead of reporting success below. */
    }

    printf("Program successfully hooked.\nPress enter to unhook the function and stop the program.\n");
    getchar();
    UnhookWindowsHookEx(handle);
    FreeLibrary(dll);

    return 0;
}

The DLL I'm using:

#include <windows.h>
#include <stdio.h>

INT APIENTRY DllMain(HMODULE hDLL, DWORD Reason, LPVOID Reserved)
{

    switch (Reason)
    {
    case DLL_PROCESS_ATTACH:
        MessageBox(0, (LPCSTR) "DLL attach function called.", (LPCSTR) "Dll injection", MB_OK);
        break;
    case DLL_PROCESS_DETACH:
        MessageBox(0, (LPCSTR) "DLL detach function called.", (LPCSTR) "Dll injection", MB_OK);
        break;
    case DLL_THREAD_ATTACH:
        MessageBox(0, (LPCSTR) "DLL thread attach function called.", (LPCSTR) "Dll injection", MB_OK);
        break;
    case DLL_THREAD_DETACH:
        MessageBox(0, (LPCSTR) "DLL thread detach function called..", (LPCSTR) "Dll injection", MB_OK);

        break;
    }
    return TRUE;
}

extern __declspec(dllexport) LRESULT CALLBACK KeyboardProc(int code, WPARAM wParam, LPARAM lParam)
{
    if (code < 0)
    {
        return CallNextHookEx(NULL, code, wParam, lParam);
    }

    FILE *LOG;
    LOG = fopen("LOG.txt", "a+");
    if (wParam == WM_KEYDOWN)
    {
        fputs((char *)lParam, LOG);
        fclose(LOG);
    }
    return CallNextHookEx(NULL, code, wParam, lParam);
}

I'm using Win10 and MinGW. Both the injector and the DLL are compiled as C.


Solution

  • The problem is simple:

    extern __declspec(dllexport) LRESULT CALLBACK KeyboardProc(int code, WPARAM wParam, LPARAM lParam)
    

    Most probably it is defined in a .cpp file and as a result it is a C++ function. To allow function overloading, C++ uses name mangling, so your function is visible under a name which is the result of mangling.

    You have to force it to be a C function so name mangling is disabled.

    So add extern "C" or give the source file a C-specific extension (compile it as C code). Your code is pure C.
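The name-mangling point above, as an added example that is not part of the original question or answer: a small portable C classifier that shows why an exact-name lookup for `KeyboardProc` misses a decorated export. It goes beyond the answer's C++ case to also cover 32-bit `__stdcall` decoration (`CALLBACK` expands to `__stdcall`); the function names and the sample export strings are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* How a name stored in a DLL export table is decorated. */
typedef enum { SYM_PLAIN_C, SYM_STDCALL, SYM_CPP_MSVC, SYM_CPP_ITANIUM } sym_kind;

/* Classify `sym` and copy its undecorated base name into `base` (cap >= 1). */
sym_kind classify_export(const char *sym, char *base, size_t cap)
{
    const char *at;
    size_t n = strlen(sym);
    sym_kind kind = SYM_PLAIN_C;
    if (sym[0] == '?') {                  /* MSVC C++: ?Name@@<signature> */
        at = strchr(++sym, '@');
        n = at ? (size_t)(at - sym) : strlen(sym);
        kind = SYM_CPP_MSVC;
    } else if (!strncmp(sym, "_Z", 2) && isdigit((unsigned char)sym[2])) {
        char *end;                        /* Itanium C++ ABI: _Z<len><Name>... */
        size_t len = strtoul(sym + 2, &end, 10);
        sym = end;
        n = len < strlen(sym) ? len : strlen(sym);
        kind = SYM_CPP_ITANIUM;
    } else if ((at = strrchr(sym, '@')) && at > sym && isdigit((unsigned char)at[1])
               && at[1 + strspn(at + 1, "0123456789")] == '\0') {
        if (sym[0] == '_') sym++;         /* 32-bit __stdcall: [_]Name@<arg bytes> */
        n = (size_t)(at - sym);
        kind = SYM_STDCALL;
    }
    if (n >= cap) n = cap - 1;
    memcpy(base, sym, n);
    base[n] = '\0';
    return kind;
}

/* A lookup by name is an exact, case-sensitive comparison with the export name. */
int lookup_would_succeed(const char *exported, const char *wanted)
{
    return strcmp(exported, wanted) == 0;
}

int main(void)
{
    /* Constructed export names, one per decoration scheme. */
    const char *names[] = { "KeyboardProc", "KeyboardProc@12",
                            "_Z12KeyboardProcijl@12", "?KeyboardProc@@YGJHIJ@Z" };
    char base[64];
    for (int i = 0; i < 4; i++) {
        sym_kind k = classify_export(names[i], base, sizeof base);
        printf("%-24s kind=%d base=%s found=%d\n", names[i], (int)k, base,
               lookup_would_succeed(names[i], "KeyboardProc"));
    }
    return 0;
}
```

The names a DLL really exports can be listed with `dumpbin /exports dll.dll` (MSVC tools) or `objdump -p dll.dll` (binutils) and compared against the string passed to GetProcAddress.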