Hook application: program operation monitoring



Victor Chen (C enthusiast)

Program introduction:

With this program you can:

1. Monitor the programs running on your computer, recording the time and name of every program that runs.
2. Prevent the execution of programs you have placed on a disabled list, for example so that games cannot be played.
3. Add the program to the registry so that it starts with the system and carries out the monitoring. The registry key is the familiar one: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Record file format:

```
2003-02-03 17:31:25 - [System Startup - Windows XP 5.01.2600]
2003-02-03 17:31:29 "CabinetWClass" -> "My Computer"
2003-02-03 17:31:59 "Red Alert" -> "Red Alert" (Close Disabled Program)
2003-02-03 17:32:19 "Made" -> "Made" (Close Disabled Program)
2003-02-03 17:32:35 "OpusApp" -> "Microsoft Word"
2003-02-03 17:32:50 - [System Shutdown - 0 Days, 0 Hrs, 1 Mins, 25 Secs]
2003-02-03 17:35:37 - [System Startup - Windows 98 SE 4.10.2222]
2003-02-03 17:35:53 "Mine" -> "Minesweeper" (Close Disabled Program)
2003-02-03 17:36:05 "CabinetWClass" -> ""
2003-02-03 17:36:31 "Red Alert" -> "Red Alert"
2003-02-03 17:36:56 "ExploreWClass" -> ""
2003-02-03 17:37:07 - [System Shutdown - 0 Days, 0 Hrs, 1 Mins, 30 Secs]
```

The program consists of only three files: HWHPAPP.EXE (the executable), HWHPDRV.DLL (the dynamic link library that installs the hook) and HWHPAPP.cfg (the blacklist of disabled software, which can be edited with Notepad). When it runs it automatically generates the record file HWHPAPP.sys, which can be opened with Notepad.

Program principle:

1. Hook. The program installs a global hook with the API function SetWindowsHookEx(); the hook type is WH_SHELL. A WH_SHELL hook is notified whenever any application creates or closes a top-level window. Its most typical user is the Windows taskbar: when a program starts, the title of its main window is added to the taskbar, and when the program exits the entry is removed. By intercepting this hook you can do what the taskbar does, build a taskbar of your own, or keep a history that records every program that has run on your computer. If the program that has just started is not one you want, you can close it directly, which achieves the prohibition.

2. Dynamic link library. Because the hook is global, the hook procedure must be placed in a .dll, so building a dynamic link library is involved.

3. Shared memory. Since the hook is installed system-wide, the hook procedure runs inside the operating system rather than in your process, so it cannot use any global variable defined by your program! How can this be solved? This program uses shared memory: the API function CreateFileMapping() creates a block of memory that any running program can use, so the hook procedure and the .exe share this block. The program uses the TSharedMemory shared-memory class from the Victor serial-port VCL control.

4. Record file and software blacklist file. All records of programs run on your computer are saved in a text file; because a .txt extension is easy to discover, the extension .sys is used instead. For the same reason the software blacklist is saved in a .cfg file, because an .ini file is easy to discover, open and modify. Both files are saved in the same folder as your .exe file and have the same name as the .exe.

5. Guarantee that only one instance runs. If two copies of the program run at the same time the record file will be corrupted, so you must guarantee that only one can run. When your program starts, at the beginning of the WinMain() function, it must decide whether it is already running and exit directly if it is. The check is very simple: test whether the shared memory already exists; if it does, the program is already running.

6. Stealth. The program is hidden: it does not appear in the taskbar or in Task Manager. This is also very simple; before Application->Run() add one statement:

```cpp
SetWindowLong(Application->Handle, GWL_EXSTYLE, GetWindowLong(Application->Handle, GWL_EXSTYLE) | WS_EX_TOOLWINDOW);
```

Program code. The .dll file, which holds the most critical part, the hook code:

```cpp
#include <vcl.h>       // the header name was lost in the original; vcl.h is assumed here
#include "yb_base.h"   // Victor serial-port control header (provides TSharedMemory)

#define MYAPPMARK "Victor_AppMoni_20010612"   // shared-memory name

class __export THookedProcs
{
public:
    THookedProcs();
    ~THookedProcs();
    void WINAPI InitFuncs(void);
    void WINAPI UninitFuncs(void);
private:
    HHOOK hThisHook;   // saves the hook handle
    static LRESULT CALLBACK HookedShellProc(int nCode, WPARAM wParam, LPARAM lParam);
};

// Data structure kept in shared memory
typedef struct
{
    HHOOK hHook;   // hook currently in use
    // ... other shared data can be added here
} THookSharedData;

THookedProcs::THookedProcs()
{
    hThisHook = NULL;
}

THookedProcs::~THookedProcs()
{
    UninitFuncs();
}

void WINAPI THookedProcs::InitFuncs(void)
{
    UninitFuncs();
    hThisHook = SetWindowsHookEx(WH_SHELL, (HOOKPROC)HookedShellProc, hInstance, 0);
    TSharedMemory AppMem(MYAPPMARK, 4096);                                             // shared memory
    THookSharedData *HookSharedData = (THookSharedData *)(AppMem.AppInfo->Data);       // shared data
    HookSharedData->hHook = hThisHook;                                                 // save hThisHook into shared memory
}

void WINAPI THookedProcs::UninitFuncs(void)
{
    if (hThisHook)
    {
        UnhookWindowsHookEx(hThisHook);
        hThisHook = NULL;
    }
}

LRESULT CALLBACK THookedProcs::HookedShellProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    TSharedMemory AppMem(MYAPPMARK, 4096);   // the shared memory created by the .EXE file
    if (AppMem.Valid)
        if (AppMem.Exists)                   // if the shared memory exists
        {
            HWND hMainWnd = AppMem.AppInfo->hMainForm;
            if (hMainWnd)
            {
                if (nCode == HSHELL_WINDOWCREATED)
                {
                    PostMessage(hMainWnd, WM_USERCMD, UC_WINHOOK, wParam);
                }
            }
        }

    // Inside the hook procedure hThisHook cannot be used; the hHook stored in shared memory must be used instead
    THookSharedData *HookSharedData = (THookSharedData *)(AppMem.AppInfo->Data);   // shared data
    return CallNextHookEx(HookSharedData->hHook, nCode, wParam, lParam);
}
```

The .exe file's main program code:

```cpp
int WINAPI WinMain(HINSTANCE, HINSTANCE, LPSTR lpCmdLine, int)
{
    if (!AppMem.Valid)
    {
        return 1;
    }
    if (AppMem.Exists)   // the shared memory exists: the program is already running
    {
        // With the command-line parameter /show, display the main window of the running instance
        // (the comparison function was lost in the original; stricmp is assumed here)
        if (stricmp(lpCmdLine, "/show") == 0)
            PostMessage(AppMem.AppInfo->hMainForm, WM_USERCMD, UC_SHOWWIN, 0);
        return 0;
    }
    AppMem.ClearBuffer();
    try
    {
        Application->Initialize();
        Application->CreateForm(__classid(TFormMain), &FormMain);
        // The following statement prevents the program from appearing in the taskbar and Task Manager
        SetWindowLong(Application->Handle, GWL_EXSTYLE,
                      GetWindowLong(Application->Handle, GWL_EXSTYLE) | WS_EX_TOOLWINDOW);
        Application->Run();
    }
    catch (Exception &exception)
    {
        Application->ShowException(&exception);
    }
    catch (...)
    {
        try
        {
            throw Exception("");
        }
        catch (Exception &exception)
        {
            Application->ShowException(&exception);
        }
    }
    return 0;
}
```

Main window program:

```cpp
TSharedMemory AppMem(MYAPPMARK, 4096);   // defines the shared memory; this is where the block actually lives

__fastcall TFormMain::TFormMain(TComponent* Owner)
    : TForm(Owner)
{
    AppMem.AppInfo->hMainWnd  = Application->Handle;
    AppMem.AppInfo->hMainForm = Handle;
    WriteStartupMessage();   // append startup information to the record file
    PostMessage(Handle, WM_USERCMD, UC_INITWIN, 0);

    MyHook = new THookedProcs;
    MyHook->InitFuncs();     // install the hook
}
//---------------------------------------------------------------------------
__fastcall TFormMain::~TFormMain()
{
    MyHook->UninitFuncs();   // remove the hook
    delete MyHook;
}
//---------------------------------------------------------------------------
void __fastcall TFormMain::FormCloseQuery(TObject *Sender, bool &CanClose)
{
    WriteShutdownMessage();  // append exit information to the record file
}
//---------------------------------------------------------------------------
void __fastcall TFormMain::WndProc(Messages::TMessage &Message)
{
    if (Message.Msg == WM_USERCMD)
    {
        if (Message.WParam == UC_SHOWWIN)
        {
            Show();
            AppMem.ActiveAppWnd();
        }
        else if (Message.WParam == UC_INITWIN)
        {
            Hide();
            Left = (Screen->Width - Width) / 2;
            Top  = (Screen->Height - Height) / 2;
        }
        else if (Message.WParam == UC_WINHOOK)
        {
            WinHookMessage(Message.LParam);
        }
    }
    TForm::WndProc(Message);
}
//---------------------------------------------------------------------------
void __fastcall TFormMain::BnExitClick(TObject *Sender)
{
    Close();
}
//---------------------------------------------------------------------------
void __fastcall TFormMain::BnHideClick(TObject *Sender)
{
    Hide();
}
//---------------------------------------------------------------------------
void __fastcall TFormMain::CreateParams(Controls::TCreateParams &Params)
{
    TForm::CreateParams(Params);
    Params.Style = WS_OVERLAPPED | WS_DLGFRAME | WS_CAPTION | WS_SYSMENU;
    Params.ExStyle |= WS_EX_TOPMOST;
    Params.X = Screen->Width - 8;
    Params.Y = Screen->Height - 8;
}
//---------------------------------------------------------------------------
void __fastcall TFormMain::WinHookMessage(long Param)
{
    HWND hWnd = (HWND)Param;
    char szWinCaption[256];
    char szWinClass[256];
    AnsiString s;

    DateTimeX x;
    s = AnsiString().sprintf("%04d-%02d-%02d %02d:%02d:%02d",
                             x.Year, x.Month, x.Day, x.Hour, x.Minute, x.Second);

    if (!GetWindowText(hWnd, szWinCaption, 256)) *szWinCaption = 0;
    if (!GetClassName(hWnd, szWinClass, 256))    *szWinClass = 0;
    s += " \"" + AnsiString(szWinClass) + "\" -> \"" + AnsiString(szWinCaption) + "\"";

    if (!ValidAppCheck(hWnd, szWinClass, szWinCaption))
        s += " (Close Disabled Program)";
    s += "\r\n";

    TBinFileFuncs::WriteLogFileInfo(TRelPath().Extension("sys").c_str(), s.c_str());   // .sys file with the same name as the .exe
}
//---------------------------------------------------------------------------
void __fastcall TFormMain::WriteStartupMessage(void)
{
    AnsiString s;
    DateTimeX x = StartupTime;
    TSysInfo si;

    s  = "========== Copyright (c) Victor Chen ===== email: Victor@cppfans.com ===========\r\n";
    s += AnsiString().sprintf("%04d-%02d-%02d %02d:%02d:%02d - ",
                              x.Year, x.Month, x.Day, x.Hour, x.Minute, x.Second);
    s += AnsiString().sprintf("[System Startup - %s %d.%02d.%04d]",
                              si.OS->OSName, si.OS->MajorVer, si.OS->MinorVer, si.OS->BuildNum);
    s += "\r\n";
    TBinFileFuncs::WriteLogFileInfo(TRelPath().Extension("sys").c_str(), s.c_str());   // .sys file with the same name as the .exe
}
//---------------------------------------------------------------------------
void __fastcall TFormMain::WriteShutdownMessage(void)
{
    AnsiString s;
    DateTimeX x;
    TimeX t;
    t.S000 = (x - StartupTime) % (24 * 60 * 60);
    int d   = (x - StartupTime) / (24 * 60 * 60);

    s  = AnsiString().sprintf("%04d-%02d-%02d %02d:%02d:%02d - ",
                              x.Year, x.Month, x.Day, x.Hour, x.Minute, x.Second);
    s += AnsiString().sprintf("[System Shutdown - %d Days, %d Hrs, %d Mins, %d Secs]",
                              d, t.Hour, t.Minute, t.Second);
    s += "\r\n";

    TBinFileFuncs::WriteLogFileInfo(TRelPath().Extension("sys").c_str(), s.c_str());   // .sys file with the same name as the .exe
}
//---------------------------------------------------------------------------
bool __fastcall TFormMain::ValidAppCheck(HWND hWnd, char *cls, char *cap)
{
    TBinFile f;
    f.FileName = TRelPath().Extension("cfg");   // .cfg file with the same name as the .exe
    f.OpenMode = TBinFile::omRead;              // prepare to read the file

    if (f.Exists)   // if the file exists
    {
        try
        {
            f.Active = true;   // open the file
            char aLine[2048];
            while (fgets(aLine, 2000, f))   // read one line of text (standard C function)
            {
                if (strnicmp(aLine, "Class=", 6) == 0)   // window-class rule
                {
                    TBinFileFuncs::DeleteSpaces(aLine + 6, 1, 1);   // strip spaces
                    if (stricmp(aLine + 6, cls) == 0)
                    {
                        PostMessage(hWnd, WM_CLOSE, 0, 0);   // close the program (WM_CLOSE is a request the target may ignore)
                        return false;
                    }
                }
                else if (strnicmp(aLine, "Caption=", 8) == 0)   // window-title rule
                {
                    TBinFileFuncs::DeleteSpaces(aLine + 8, 1, 1);   // strip spaces
                    if (stricmp(aLine + 8, cap) == 0)
                    {
                        PostMessage(hWnd, WM_CLOSE, 0, 0);   // close the program
                        return false;
                    }
                }
            }
        }
        catch (Exception &e)
        {
            // the error is ignored; an error message could be added here
        }
    }
    return true;
}
```

This program contains two project files: HWHPDRV.BPR, which builds the .dll dynamic link library, and HWHPAPP.BPR, which builds the .exe application.
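The blacklist matching that ValidAppCheck() performs, rewritten here as an added example in standard C++ (not Victor Chen's code) so that the rule semantics of HWHPAPP.cfg can be checked without Windows or the Victor VCL library. It reproduces the original's exact behaviour: only lines starting "Class=" or "Caption=" (any case, no blank before '=') are rules, values are trimmed, and matching is case-insensitive; the sample .cfg content is constructed.

```cpp
#include <cctype>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

// One blacklist entry: first is "class" or "caption", second is the text to match.
typedef std::pair<std::string, std::string> Rule;

// Case-insensitive comparison of the first n characters (the job strnicmp() does in the original).
static bool startsWithNoCase(const std::string& s, const char* prefix, size_t n) {
    if (s.size() < n) return false;
    for (size_t i = 0; i < n; ++i)
        if (std::tolower((unsigned char)s[i]) != std::tolower((unsigned char)prefix[i])) return false;
    return true;
}

// Case-insensitive full-string equality (the job stricmp() does in the original).
static bool equalsNoCase(const std::string& a, const std::string& b) {
    return a.size() == b.size() && startsWithNoCase(a, b.c_str(), a.size());
}

// Strip leading/trailing blanks and the CR/LF that fgets() leaves on a line, like DeleteSpaces(p, 1, 1).
static std::string trim(const std::string& s) {
    const char* ws = " \t\r\n";
    size_t b = s.find_first_not_of(ws), e = s.find_last_not_of(ws);
    return (b == std::string::npos) ? std::string() : s.substr(b, e - b + 1);
}

// Parse the .cfg text: only "Class=" / "Caption=" lines become rules; all others are ignored.
std::vector<Rule> parseBlacklist(const std::string& cfg) {
    std::vector<Rule> rules;
    std::istringstream in(cfg);
    std::string line;
    while (std::getline(in, line)) {
        if (startsWithNoCase(line, "Class=", 6))        rules.push_back(Rule("class", trim(line.substr(6))));
        else if (startsWithNoCase(line, "Caption=", 8)) rules.push_back(Rule("caption", trim(line.substr(8))));
    }
    return rules;
}

// Mirrors ValidAppCheck(): true = window may stay open, false = a rule matched (where the original posts WM_CLOSE).
bool validAppCheck(const std::vector<Rule>& rules, const std::string& cls, const std::string& cap) {
    for (size_t i = 0; i < rules.size(); ++i)
        if (equalsNoCase(rules[i].second, rules[i].first == "class" ? cls : cap)) return false;
    return true;
}

// Constructed sample blacklist (not the author's file). The last line has a blank before '=' and is
// therefore silently ignored, so a window captioned "Notepad" stays allowed.
const std::string SAMPLE_CFG =
    "Class=Red Alert\r\n; comment and blank lines are skipped\r\n\r\nCAPTION= Minesweeper \r\nCaption =Notepad\r\n";
```

Running validAppCheck() over the parsed rules with the class/caption pairs from the record file above shows which entries would have been closed and exposes the malformed rule that the original parser drops without warning.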


When reposting, please credit the original source: https://www.9cbs.com/read-124878.html
