老是觉得钩子很深奥,最近研究了一下,这是我的代码,可以监视哪些程序被运行以及被销毁。
这是钩子的头文件
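// Public interface of the shell-hook DLL.
//
// The DLL source defines EXEHOOKAPI as __declspec(dllexport) before including
// this header; every other includer gets the dllimport default below.
#ifndef EXEHOOKAPI
#define EXEHOOKAPI __declspec(dllimport)
#endif

// Private window message posted to the window registered through SetHook().
// Parenthesized so the macro expands safely inside larger expressions.
//   wParam: UC_APPSTART or UC_APPDESTROY
//   lParam: the HWND reported by the shell hook, cast to LPARAM
// The handle in lParam belongs to another process and may already be gone
// when the message is handled, and the message itself can be posted by other
// code on the desktop. The receiver should treat it as an untrusted value and
// validate it (e.g. with IsWindow) before use.
#define USER_MSG (WM_USER+1)

// Event codes carried in wParam of USER_MSG.
#define UC_APPSTART 0x80000001    // sent for HSHELL_WINDOWCREATED
#define UC_APPDESTROY 0x80000002  // sent for HSHELL_WINDOWDESTROYED

// Installs the system-wide WH_SHELL hook and registers hExe as the window that
// receives USER_MSG notifications. Passing NULL removes the hook.
// Returns nonzero on success, zero on failure.
EXEHOOKAPI BOOL WINAPI SetHook(HWND hExe);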
这是cpp文件
#include <windows.h>
#define EXEHOOKAPI __declspec(dllexport)
#include "ExeHook.h"
// Variables between the two data_seg pragmas are placed in a section named
// "shared". The linker directive below marks that section read/write/shared,
// so there is a single copy of these two variables for every process that has
// this DLL mapped.
//
// NOTE(review): because the section is writable and shared, any process that
// loads this DLL can read or overwrite g_hProc and g_hForm. The hook procedure
// posts to whatever g_hForm currently holds, so these values are not a trust
// boundary and must not be relied on for anything security-sensitive.
#pragma data_seg("shared")
HHOOK g_hProc =NULL;   // handle returned by SetWindowsHookEx, NULL when not installed
HWND g_hForm = NULL;   // window that receives USER_MSG notifications
#pragma data_seg()
#pragma comment(linker, "/section:shared,rws")
// DLL instance handle (per-process: declared outside the shared section),
// stored by DllMain and passed to SetWindowsHookEx.
HINSTANCE g_hInstDLL = NULL;
//LRESULT CALLBACK HookedShellProc(int nCode, WPARAM wParam, LPARAM lParam);
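// WH_SHELL hook procedure. Runs inside whichever process the shell event is
// delivered to, and forwards window creation/destruction events to the
// registered notification window.
//
// nCode  - shell hook code; only HSHELL_WINDOWCREATED and
//          HSHELL_WINDOWDESTROYED are handled here.
// wParam - for those two codes, the handle of the window concerned.
// lParam - passed through to the next hook unchanged.
//
// Note that these codes report top-level, unowned windows being created and
// destroyed, not process start and exit: a program that never creates such a
// window is not reported, and one program may be reported several times.
//
// Always returns the result of CallNextHookEx so other hooks in the chain
// still see the event.
LRESULT CALLBACK HookedShellProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    // Read the shared target once so both the check and the post use the same
    // value even if another process changes it concurrently.
    HWND hTarget = g_hForm;

    // With a NULL window handle PostMessage posts to the *current thread's*
    // queue, i.e. into the hooked application itself. Skip the notification
    // when no target is registered (for example after SetHook(NULL)).
    if (hTarget != NULL)
    {
        switch (nCode)
        {
        case HSHELL_WINDOWCREATED:
            // Best-effort notification; a failed post is deliberately ignored
            // so that the hooked application is never disturbed.
            PostMessage(hTarget, USER_MSG, UC_APPSTART, LPARAM(wParam));
            break;
        case HSHELL_WINDOWDESTROYED:
            PostMessage(hTarget, USER_MSG, UC_APPDESTROY, LPARAM(wParam));
            break;
        default:
            break;
        }
    }

    return CallNextHookEx(g_hProc, nCode, wParam, lParam);
}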
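// Installs or removes the system-wide WH_SHELL hook.
//
// hwndExe - window that should receive USER_MSG notifications. A non-NULL
//           value installs the hook; NULL removes it.
//
// Returns nonzero on success. On a failed install no notification window is
// left registered. Removing a hook that is not installed returns FALSE.
//
// The hook is installed with thread id 0, so it is global to the desktop and
// the system maps this DLL into other processes to run HookedShellProc there.
BOOL WINAPI SetHook(HWND hwndExe)
{
    BOOL bRet;
    if (hwndExe)
    {
        // A second install would overwrite g_hProc and leave the first hook
        // installed with no handle left to remove it. Drop the old one first.
        // NOTE(review): g_hProc is shared between processes, so the stored
        // handle may be stale or come from another process; a failed unhook
        // is therefore ignored here.
        if (g_hProc != NULL)
        {
            UnhookWindowsHookEx(g_hProc);
            g_hProc = NULL;
        }

        // Register the target before installing so the hook procedure has a
        // valid window from the first event onwards.
        g_hForm = hwndExe;
        g_hProc = SetWindowsHookEx(WH_SHELL, (HOOKPROC) HookedShellProc, g_hInstDLL, 0);
        bRet = (g_hProc != NULL);

        // Do not leave a target registered when the hook could not be set.
        if (!bRet)
        {
            g_hForm = NULL;
        }
    }
    else
    {
        // Nothing to remove is reported as failure, as before.
        bRet = (g_hProc != NULL) ? UnhookWindowsHookEx(g_hProc) : FALSE;
        g_hProc = NULL;
        g_hForm = NULL;
    }
    return bRet;
}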
// DLL entry point. Records the module handle on process attach so SetHook can
// pass it to SetWindowsHookEx; every other notification is ignored.
//
// Because the hook is global, this runs in each process the DLL is mapped
// into, not only in the application that called SetHook. It must stay minimal.
//
// Always returns TRUE.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        g_hInstDLL = hinstDLL;
        break;
    default:
        // Thread attach/detach and process detach need no work here.
        break;
    }
    return TRUE;
}