论坛: 编程破解 标题: 窗口监视DLL 复制本贴地址    
作者: SysHu0teR [syshunter]    版主   登录
用消息HOOK挂WH_CBT截获窗口变化事件;钩子函数中取得当前前台窗口(代码用的是GetForegroundWindow,而不是触发该事件的那个窗口)所属进程的PID,再用PSAPI取得该进程主模块(EXE)的完整路径,与d:\list_tmp.txt(每行一个完整路径,比较时不区分大小写)中的条目做比较,如有匹配,则用TerminateProcess强行结束掉该进程.当然稍微修改也可以用其他得到的任意信息做匹配.注意:这是全局钩子,mon.dll会被映射到桌面上的每一个GUI进程里,钩子函数中的崩溃或exit()都会连带终止宿主进程;同样,能写d:\list_tmp.txt的人就能决定哪些进程被结束.
各路高人都建议用API HOOK,苦于对WINDOWS系统了解太少.终不得其解.悲哉悲哉.这里权当做一个消息HOOK入门的资料罢了.

mon.cpp:
代码:

// Dll.cpp : Defines the entry point for the DLL application.
//mon.dll
//By SysHu0teR
//01.23.2006
//

//#include "StdAfx.h"
#include "mon.h"
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <tlhelp32.h>
#define DEBUG

HINSTANCE hInst; // our own module handle, recorded in DllMain; passed to SetWindowsHookEx

HHOOK glhHook=NULL; // hook handle returned by SetWindowsHookEx (NULL when no hook is installed)
// NOTE(review): no shared data section is declared, so each process this DLL is
// mapped into presumably gets its own copy of hInst/glhHook/list/path — confirm
// that is intended (only the installing process ever sees a non-NULL glhHook).

// "function pointer" used to fetch the address of EnumProcesses from PSAPI.DLL
typedef BOOL (__stdcall *ENUMPROCESSES)(
  DWORD * lpidProcess,  // array to receive the process identifiers
  DWORD cb,            // size of the array
  DWORD * cbNeeded      // receives the number of bytes returned
);

// "function pointer" used to fetch the address of EnumProcessModules from PSAPI.DLL
typedef BOOL (__stdcall *ENUMPROCESSMODULES)(
  HANDLE hProcess,      // handle to the process
  HMODULE * lphModule,  // array to receive the module handles
  DWORD cb,            // size of the array
  LPDWORD lpcbNeeded    // receives the number of bytes returned

);

// "function pointer" used to fetch the address of GetModuleFileNameExA from PSAPI.DLL
typedef DWORD (__stdcall *GETMODULEFILENAMEEX)(
  HANDLE hProcess,    // handle to the process
  HMODULE hModule,    // handle to the module
  LPTSTR lpFilename,  // buffer that receives the path
  DWORD nSize        // size of the buffer
);

char list[256][256]={0}; // watched EXE paths read from list_tmp.txt, one per row (zero-initialised, so unused rows are "")

char path[MAX_PATH]={0}; // EXE module path obtained via GetModuleFileNameEx; a global, so it keeps its last value between calls

void rdlist(void); // read the contents of list_tmp.txt into list[]
int proccmp(char *str); // return 1 if str matches an entry of list[] (case-insensitive), else 0
int KillProc(unsigned long pid); // terminate the process identified by pid
LRESULT WINAPI msg(int nCode,WPARAM wParam,LPARAM lParam); // WH_CBT hook procedure

BOOL APIENTRY DllMain( HANDLE hModule,
                      DWORD  ul_reason_for_call,
                      LPVOID lpReserved
)
{
    // Runs in every process that loads (or gets injected with) this DLL.
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        // Remember our own module handle: SetWindowsHookEx needs it to map
        // this DLL into the processes it hooks.
        hInst = (HINSTANCE)hModule;
        // Read the watch list once per process.  NOTE(review): this does file
        // I/O while the loader lock is held, which is generally discouraged.
        rdlist();
    }
    // DLL_PROCESS_DETACH: nothing to release.
    return TRUE;
}

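// Scan the processes that already exist, kill any whose EXE path is on the
// watch list, then install the global WH_CBT hook.
//
// Returns TRUE when the hook was installed, FALSE otherwise.  The function
// never calls exit(): it runs inside the caller's process, and a missing
// psapi.dll must not take the caller down.
DLLEXPORT int CALLBACK installhook()
{
    HINSTANCE hins = LoadLibrary("psapi.dll");
    if (hins == NULL)
        return FALSE;

    ENUMPROCESSES pEnumProcesses = (ENUMPROCESSES)GetProcAddress(hins, "EnumProcesses");
    ENUMPROCESSMODULES pEnumProcessModules = (ENUMPROCESSMODULES)GetProcAddress(hins, "EnumProcessModules");
    GETMODULEFILENAMEEX pGetModuleFileNameEx = (GETMODULEFILENAMEEX)GetProcAddress(hins, "GetModuleFileNameExA");
    // All three are called below, so all three must resolve (the original
    // tested only two of them, joined with &&).
    if (pEnumProcesses == NULL || pEnumProcessModules == NULL || pGetModuleFileNameEx == NULL) {
        FreeLibrary(hins);
        return FALSE;
    }

    // EnumProcesses silently truncates when the array is too small; 1024
    // entries leaves more headroom than the original 256.
    DWORD allproc[1024] = {0};
    DWORD recv = 0;
    if (pEnumProcesses(allproc, sizeof(allproc), &recv)) {
        DWORD nRe = recv / sizeof(DWORD);
        for (DWORD i = 0; i < nRe; ++i) {
            // Least privilege: reading the main-module path only needs
            // QUERY_INFORMATION | VM_READ.  PROCESS_ALL_ACCESS is refused for
            // more processes and grants far more than this code uses.
            HANDLE ha = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, allproc[i]);
            if (ha == NULL)
                continue;

            HMODULE hm = NULL;          // first module of the process == its EXE
            DWORD needed = 0;
            char exe[MAX_PATH] = {0};   // local buffer: never compare a stale path
            if (pEnumProcessModules(ha, &hm, sizeof(hm), &needed)
                && pGetModuleFileNameEx(ha, hm, exe, sizeof(exe)) != 0
                && proccmp(exe))
                KillProc(allproc[i]);

            CloseHandle(ha);            // close every handle, not just the last one
        }
    }
    FreeLibrary(hins);

    // Global hook (thread id 0): the system maps this DLL into other GUI
    // processes on the desktop and calls msg() in their context.
    glhHook = SetWindowsHookEx(WH_CBT, msg, hInst, 0);
    return glhHook != NULL ? TRUE : FALSE;
}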

//卸载钩子函数
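// Remove the WH_CBT hook installed by installhook().
//
// Returns TRUE on success, FALSE when no hook is installed or the
// unhook call fails.  On success glhHook is reset to NULL so that a second
// call cannot pass a stale handle to UnhookWindowsHookEx.
DLLEXPORT int CALLBACK uninstallhook()
{
    if (glhHook == NULL)
        return FALSE;
    if (UnhookWindowsHookEx(glhHook) == 0)
        return FALSE;
    glhHook = NULL;
    return TRUE;
}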

//查找list[]中是否存在str
int proccmp(char *str) {
for(int i=0;i<256;i++) {
if(stricmp(str,list[i])==0)
return 1;
}
return 0;
}


//将D:\\list_tmp.txt内容读入list[]
void rdlist(void) {
FILE *fp;
// char fline[256]={0};
// unsigned long pid;

// char s[2];

fp=fopen("d:\\list_tmp.txt","r");
for(int i=0;i<256&&!feof(fp);++i) {
fgets(list[i],255,fp);
list[i][strlen(list[i])-1]=0;
}
fclose(fp);
}


//杀掉PID指定的进程
int KillProc(unsigned long pid)
{

HANDLE hp=OpenProcess(PROCESS_TERMINATE,0,pid);
if(hp!=NULL && TerminateProcess(hp,0)!=NULL)
return 1;
return 0;

}


//HOOK消息处理函数
LRESULT WINAPI msg(int nCode,WPARAM wParam,LPARAM lParam)
{

HWND hwnd;
HANDLE handle;
HMODULE hmod;
ENUMPROCESSES pEnumProcesses;
ENUMPROCESSMODULES pEnumProcessModules;
GETMODULEFILENAMEEX pGetModuleFileNameEx;
DWORD pid;
DWORD r; //用来存储EnumProcessModules返回的字节数。

HINSTANCE hins=LoadLibrary("psapi.dll");
if(hins==NULL)
exit(1);
pEnumProcesses=(ENUMPROCESSES)GetProcAddress(hins,"EnumProcesses");
pEnumProcessModules=(ENUMPROCESSMODULES)GetProcAddress(hins,"EnumProcessModules");
pGetModuleFileNameEx=(GETMODULEFILENAMEEX)GetProcAddress(hins,"GetModuleFileNameExA");
if(pEnumProcessModules ==0 && pGetModuleFileNameEx==0)
return 0;

if(nCode>=0) {
hwnd=GetForegroundWindow();
GetWindowThreadProcessId(hwnd,&pid);
handle=OpenProcess(PROCESS_ALL_ACCESS,0,pid);
pEnumProcessModules(handle,&hmod,sizeof(hmod),&r);
pGetModuleFileNameEx(handle,hmod,path,sizeof(path));
if(proccmp(path))
KillProc(pid);

CloseHandle(handle);
}
FreeLibrary(hins);
return CallNextHookEx((HHOOK)glhHook,nCode,wParam,lParam);

}



主程序中在载入mon.dll后,只需要用installhook和uninstallhook来操作装载和卸载HOOK.installhook在挂钩之前会先枚举一遍现有进程并结束其中匹配的进程;钩子装上后一直有效,直到调用uninstallhook(一般而言,安装钩子的主程序退出时钩子也会随之失效).



地主 发表时间: 06-01-26 12:22
