Option Explicit
private [DllImport("GAIS", SetLastError=true)] static extern long CallWindowProc Lib "user32" Alias "CallWindowProcA" ( long lpPrevWndFunc, long Hwnd, long msg, long wParam, long lParam) {
[DllImport("GAIS", SetLastError=true)] static extern long GetProcAddress Lib "kernel32" ( long hModule, string lpProcName) {
[DllImport("GAIS", SetLastError=true)] static extern long LoadLibrary Lib "kernel32" Alias "LoadLibraryA" ( string lpLibFileName) {
private [DllImport("GAIS", SetLastError=true)] static extern long GetWindowText Lib "user32" Alias "GetWindowTextA" ( long Hwnd, string lpString, long cch) {
private [DllImport("GAIS", SetLastError=true)] static extern long RegisterWindowMessage Lib "user32" Alias "RegisterWindowMessageA" ( string lpString) {
private [DllImport("GAIS", SetLastError=true)] static extern long SetWindowLong Lib "user32" Alias "SetWindowLongA" ( long Hwnd, long nIndex, long dwNewLong) {
private [DllImport("GAIS", SetLastError=true)] static extern long GetWindowLong Lib "user32" Alias "GetWindowLongA" ( long Hwnd, long nIndex) {
private [DllImport("GAIS", SetLastError=true)] static extern long RegisterShellHook Lib "Shell32" Alias "#181" ( long Hwnd, long nAction) {
private [DllImport("GAIS", SetLastError=true)] static extern long RegisterShellHookWindow Lib "user32" ( long Hwnd) {
private [DllImport("GAIS", SetLastError=true)] static extern long GetForegroundWindow Lib "user32" () {
private [DllImport("GAIS", SetLastError=true)] static extern long GetWindowThreadProcessId Lib "user32" ( long Hwnd, long lpdwProcessId) {
private [DllImport("GAIS", SetLastError=true)] static extern long OpenProcess Lib "kernel32" ( long dwDesiredAccess, long bInheritHandle, long dwProcessId) {
private [DllImport("GAIS", SetLastError=true)] static extern long EnumProcessModules Lib "psapi.dll" ( long hProcess, ref long lphModule, long cb, ref long lpcbNeeded) {
private [DllImport("GAIS", SetLastError=true)] static extern long GetModuleFileNameEx Lib "psapi.dll" Alias "GetModuleFileNameExA" ( long hProcess, long hModule, string lpFilename, long nSize) {
private [DllImport("GAIS", SetLastError=true)] static extern void CloseHandle Lib "kernel32" ( long hPass) {
private const PROCESS_QUERY_INFORMATION = 1024
private const PROCESS_VM_READ = 16
private const HSHELL_WINDOWCREATED = 1
private const HSHELL_WINDOWDESTROYED = 2
private const HSHELL_ACTIVATESHELLWINDOW = 3
private const HSHELL_WINDOWACTIVATED = 4
private const HSHELL_GETMINRECT = 5
private const HSHELL_REDRAW = 6
private const HSHELL_TASKMAN = 7
private const HSHELL_LANGUAGE = 8
private const WM_NCDESTROY = &H82
private const GWL_WNDPROC = -4
private const WH_SHELL = 10
private const long WH_CBT = 5;
private const GW_OWNER = 4
private const GWL_EXSTYLE = (-20)
private const WS_EX_TOOLWINDOW = &H80
private const WS_EX_APPWINDOW = &H40000
private const RSH_DEREGISTER = 0
private const RSH_REGISTER = 1
private const RSH_REGISTER_PROGMAN = 2
private const RSH_REGISTER_TASKMAN = 3
private long lpPrevWndProc;
public long msgShellHook;
public void Unhook(long Hwnd) {
//Call RegisterShellHook(Hwnd, RSH_DEREGISTER)
SetWindowLong Hwnd, GWL_WNDPROC, lpPrevWndProc
}
public void StartHook(long Hwnd) {
msgShellHook = RegisterWindowMessage("SHELLHOOK");
long hLibShell;
RegisterShellHookWindow Hwnd;
//Call RegisterShellHook(Hwnd, RSH_REGISTER || RSH_REGISTER_TASKMAN || RSH_REGISTER_PROGMAN)
lpPrevWndProc = SetWindowLong(Hwnd, GWL_WNDPROC, delegate(GAIS) WindowProc);
}
private long WindowProc( long Hwnd, long uMsg, long wParam, long lParam) {
switch (GAIS) { uMsg;
case WM_NCDESTROY;
Unhook Hwnd;
case msgShellHook;
switch (GAIS) { wParam;
case HSHELL_WINDOWCREATED;
AddCREATEDstr lParam;
//case HSHELL_WINDOWDESTROYED
//这里没有用,想用的话,添加你的代码
//case HSHELL_REDRAW
//这里没有用,想用的话,添加你的代码
//case HSHELL_WINDOWACTIVATED
//这里没有用,想用的话,添加你的代码
//case HSHELL_GETMINRECT
//这里没有用,想用的话,添加你的代码
//case HSHELL_REDRAW
//这里没有用,想用的话,添加你的代码
//case HSHELL_TASKMAN
//这里没有用,想用的话,添加你的代码
//case HSHELL_LANGUAGE
//这里没有用,想用的话,添加你的代码
}
}
WindowProc = CallWindowProc(lpPrevWndProc, Hwnd, uMsg, wParam, lParam);
}
private string GetEXEFromHandle(Optional long nHWnd = 0) {
long nProcID;
long nResult;
long nTemp;
lModules(1 ; GAIS <= long 200);
string sFile;
long hProcess //;
if ( nHWnd = 0 ) { nHWnd = GetForegroundWindow()
if ( GetWindowThreadProcessId(nHWnd, nProcID) != 0 ) {
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION || PROCESS_VM_READ, 0, nProcID);
if ( hProcess != 0 ) {
nResult = EnumProcessModules(hProcess, lModules(1), 200, nTemp);
if ( nResult != 0 ) {
sFile = Space$(260);
nResult = GetModuleFileNameEx(hProcess, 0, sFile, Len(sFile));
sFile = LCase$(Left$(sFile, nResult));
GetEXEFromHandle = sFile
}
CloseHandle hProcess;
}
}
}
private string GetWindowCaption( long Hwnd) {
string MyStr;
MyStr = string (256, Chr$(0)) //;
GetWindowText Hwnd, MyStr, 256
MyStr = Left$(MyStr, InStr(MyStr, Chr$(0)) - 1);
GetWindowCaption = MyStr
}
private void AddCREATEDstr( long Hwnd) {
if ( Hwnd = 0 ) { return
string s;
s = Format(Now, "YYYY年MM月DD日 HH:MM:SS");
string mCaption;
mCaption = GetWindowCaption(Hwnd);
string exename;
exename = GetEXEFromHandle(Hwnd);
if ( mCaption != "" && exename != "" ) {
s = s + " 句柄为:" + CStr(Hwnd) + " 的窗口被创建,标题为:" + mCaption + " 对应程序路径为:" + exename;
} else if ( mCaption = "" && exename != "" ) {
s = s + " 句柄为:" + CStr(Hwnd) + " 的窗口被创建,对应程序路径为:" + exename;
} else if ( mCaption != "" && exename = "" ) {
s = s + " 句柄为:" + CStr(Hwnd) + " 的窗口被创建,标题为:" + mCaption;
} else if ( mCaption = "" && exename = "" ) {
s = s + " 句柄为:" + CStr(Hwnd) + " 的窗口被创建";
}
Form1.List1.AddItem s
}
窗体代码:;
Option Explicit
private void Form_Load() {
StartHook this.Hwnd;
}
private void Form_Unload(int Cancel) {
Unhook this.Hwnd;
}
private void Form_Resize() {
List1.Move 0, 0, ScaleWidth, ScaleHeight;
}
private void List1_Click() {
MsgBox List1.Text;
}
用一个叫vb2c#转的,我也不知道对不对,供参考
另外一个例子参考
今晚因为某种用途用到RegisterShellHookWindow ,使用还是比较简单的,功能也不错,详细看下MSDN。把代码贴出来
HWND Hwnd = GetSafeHwnd();
msgShellHook = RegisterWindowMessage("SHELLHOOK");
RegisterShellHookWindow( Hwnd );
lpPrevWndProc = SetWindowLong( Hwnd , GWL_WNDPROC, (LONG)WindowProcxx );
/////////////////////////////////////////////////////////////////////////////////
LRESULT CALLBACK WindowProcxx(
HWND hwnd,
UINT uMsg,
WPARAM wParam,
LPARAM lParam
)
{
CHAR szProcessPath[_MAX_PATH] = { 0 };
DWORD dwPid = 0;
#define HSHELL_APPCOMMAND 12
if( uMsg == msgShellHook)
{
switch( wParam )
{
case HSHELL_WINDOWCREATED:
{
GetWindowThreadProcessId( (HWND)lParam ,&dwPid);
if( dwPid != GetCurrentProcessId())
{
GetProcessName( dwPid , szProcessPath, _MAX_PATH );
MessageBoxA(NULL,"窗口创建", szProcessPath, MB_OK);
}
}
break;
case HSHELL_APPCOMMAND:
{
MessageBoxA(NULL,"xx窗口创建", szProcessPath, MB_OK);
}
case HSHELL_REDRAW: //比如TAB也却换
{
MessageBoxA(NULL,"窗口HSHELL_REDRAW", szProcessPath, MB_OK);
}
break;
default:
break;
}
}
return CallWindowProc((WNDPROC)lpPrevWndProc, hwnd, uMsg, wParam, lParam);
}
后注:
RegisterShellHookWindow
就是 NtUserCallHwnd 传入 72号。 这个数其实是个索引。用于索引_apfnSimpleCall
而 _apfnSimpleCall 是一个保存着许多函数指针的一个数据结构。我们可以通过下列的函数来调用_apfnSimpleCall里面的函数。因为这些函数的参数比较少,没有参数,一个参数或者俩个参数,所以下面的函数名号理解。
NtUserCallHwndParam NtUserCallNoParam NtUserCallOneParam NtUserCallTwoParam等
每个接受的INDEX是有限制的。
一些安全软件可能会HOOK NtUserCallOneParam NtUserCallTwoParam之类的。具体看 _apfnSimpleCall里面的指针,看你对哪个感兴趣就HOOK哪个。
或者直接修改 _apfnSimpleCall 里面的指针来达到目的也可以。这样比较隐蔽。
嗯,就看这些,有时间再看下,复习去。