I always think that the hook is very deepest, recently studied, this is my code, which can be monitored which programs are running and destroyed.
This is a hook.
#ifndef ExehookApi # Define ExehookApi __Declspec (DLLIMPORT) # ENDIF # define user_msg ?? WM_USER 1 # define uc_appstart ?? 0x80000001 # define uc_Appdestroy? 0x80000002
ExehookApi Bool WinApi SetHook (HWND Hex);
This is a CPP file
#include
#define evEhookAPI __DECLSPEC (DLLEXPORT)
#include "exehook.h"
#pragma data_seg ("Shared") hHOOK? G_HPROC = NULL; hWND? g_hform = null; #pragma data_seg () # Pragma Comment (Linker, "/ Section: Shared, RWS") // DLLLL = NULL; / / LRESULT CALLBACK HookedShellProc (int nCode, wPARAM wParam, lPARAM lParam); LRESULT CALLBACK HookedShellProc (int nCode, wPARAM wParam, lPARAM lParam) {?? switch (nCode) {case HSHELL_WINDOWCREATED:?? ???? PostMessage (g_hForm, USER_MSG , UC_APPSTART, LPARAM (wParam)); ?? break; case HSHELL_WINDOWDESTROYED:??? ???? PostMessage (g_hForm, USER_MSG, UC_APPDESTROY, LPARAM (wParam)); ?? break;} return CallNextHookEx (g_hProc, nCode, wParam LPARAM);
BOOL WINAPI STHOOK (HWND HWNDEXE) {? BOOL BRET;? IF (hwndexe)? {??? g_hform = hwndexe; ?? g_hproc = setWindowsHookex (wh_Shell, (hookproc) hookedshellproc, g_hinstdll, 0);
?? Bret = (g_hproc! = null) ;?}? else? {?? Bret = unhookwindowshookex (g_hproc); ?? g_hproc = null; ?? g_hform = null;?}? return bret;}
Bool WinApi Dllmain (Hinstance Hinstdll, DWord Fdwreason, LPVOID LPVRESERVED) {? If (fdwreason == DLL_PROCESS_ATTACH) ??? g_hinstdll = hinstdll ;? return true;}
?
?
