首页  编辑  

捕捉了窗口的创建

Tags: /超级猛料/Hook.钩子/   Date Created:

我已成功的用shell hook捕捉了窗口的创建事件,但任然有些问题,现提出来与大家讨论:

  在我使用了挂起hook之后,应用程序的创建事件我能捕捉,但,凡是在钩子挂起之后运行的

应用程序,无论什么类型,只要进行了minimize 操作,就会隐藏hide起来.且在taskbar上也

找不到.只有用alt+tab切换才会出现.........不知什么问题.我把原代码贴上,请大家帮忙

研究.

以下是测试程序的原代码

unit testmain;

interface

uses

 Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,

 StdCtrls,tlhelp32, AppEvnts;

type

 TForm1 = class(TForm)

   Button1: TButton;

   ListBox1: TListBox;

   ApplicationEvents1: TApplicationEvents;

   procedure Button1Click(Sender: TObject);

   procedure FormCreate(Sender: TObject);

   procedure FormClose(Sender: TObject; var Action: TCloseAction);

   procedure ApplicationEvents1Message(var Msg: tagMSG;

     var Handled: Boolean);

 private

   { Private declarations }

 public

   { Public declarations }

 end;

var

 Form1: TForm1;

 mymsg:dword;

type

EDLLLoadError=class(exception);

implementation

{$R *.DFM}

function createhook:bool; external 'mydll.dll' ;

function freehook:bool; external 'mydll.dll' ;

var hookhandle:hhook=0;

   oldwinproc:pointer;

procedure TForm1.Button1Click(Sender: TObject);

begin

close;

end;

function newproc(windowhandle:hwnd; themessage, paramw,paraml:longint):longint; stdcall;

var

   pid:integer;

   ps:tprocessentry32;

   hp:thandle;

   filename:string;

   isend:bool;

begin

   result:=0;

if themessage=mymsg then

  begin

   form1.listbox1.Items.Clear;

   getwindowthreadprocessid(paramw,@pid);

   hp:= createtoolhelp32snapshot(TH32CS_SNAPPROCESS,pid);

   ps.dwsize:=sizeof(ps);

   isend:=process32first(hp,ps);

   while isend do

    begin

     filename:=ps.szExeFile;

     form1.listbox1.Items.Add('w'+filename);

     isend:=process32next(hp,ps);

    end;

   result:=0;

  end

else

  result:=callwindowproc(oldwinproc,form1.handle,themessage,paramw,paraml);

end;

procedure TForm1.FormCreate(Sender: TObject);

var lb:bool;

begin

 mymsg:=registerwindowmessage('cbtcreatewndmessage');

 oldwinproc:=pointer(setwindowlong(form1.handle,gwl_wndproc,longint(@newproc)));

lb:=createhook;

end;

procedure TForm1.FormClose(Sender: TObject; var Action: TCloseAction);

var lb:bool;

begin

lb:=freehook;

end;

procedure TForm1.ApplicationEvents1Message(var Msg: tagMSG;

 var Handled: Boolean);

var

   pid:integer;

   ps:tprocessentry32;

   hp:thandle;

   filename:string;

   isend:bool;

begin

 if msg.message=mymsg then

  begin

   form1.listbox1.Items.Clear;

   getwindowthreadprocessid(msg.wParam,@pid);

   hp:= createtoolhelp32snapshot(TH32CS_SNAPPROCESS,pid);

   ps.dwsize:=sizeof(ps);

   isend:=process32first(hp,ps);

   while isend do

    begin

     filename:=ps.szExeFile;

     form1.listbox1.Items.Add('w'+filename);

     isend:=process32next(hp,ps);

    end;

    showwindow(msg.wparam,SW_normal);

  end;

end;

end.

以下是dll中的原代码

unit cbt;

interface

uses

messages,windows;

function createhook:bool;stdcall;

function freehook:bool;stdcall;

function cbtcreatewndhook(  int: integer;        // hook code

                      WPARAM: longint;          // depends on hook code

                       LPARAM: longint        // depends on hook code

                        ):longint  stdcall;

implementation

var hookhandle:hhook=0;

function cbtcreatewndhook(  int: integer;        // hook code

                      WPARAM: longint;          // depends on hook code

                       LPARAM: longint        // depends on hook code

                        ):longint ;

begin

result:=0;

if int=Hshell_WINDOWCREATED  then

begin

 lparam:=getwindowlong(wparam,GWL_STYLE);

 postmessage(HWND_BROADCAST,registerwindowmessage('cbtcreatewndmessage'),wparam,lparam);

end

else

result:= callnexthookex(hookhandle,int,wparam,lparam);

end;

function createhook:bool;

begin

hookhandle:=setwindowshookex(wh_shell,cbtcreatewndhook,hinstance,0);

result:=hookhandle<>0;

end;

function freehook:bool;

begin

result:=unhookwindowshookex(hookhandle);

end;

end.

以下是dll接口程序的代码

library mydll;

{ Important note about DLL memory management: ShareMem must be the

 first unit in your library's USES clause AND your project's (select

 Project-View Source) USES clause if your DLL exports any procedures or

 functions that pass strings as parameters or function results. This

 applies to all strings passed to and from your DLL--even those that

 are nested in records and classes. ShareMem is the interface unit to

 the BORLNDMM.DLL shared memory manager, which must be deployed along

 with your DLL. To avoid using BORLNDMM.DLL, pass string information

 using PChar or ShortString parameters. }

uses

 SysUtils,

 Classes,

 windows,

 messages,

 cbt in 'cbt.pas';

const

 cbtgothandle=wm_user+101;

{$R *.RES}

exports

createhook,freehook,cbtcreatewndhook;

begin

end.