用消息HOOK挂WH_CBT得到窗口改变消息,得到窗口ID,得到窗口主调用EXE文件路径,与d:\list_tmp.txt中做比较,如有匹配,则强行结束掉该进程.当然稍微修改也可以用其他得到的任意信息做匹配. 各路高人都建议用API HOOK,苦于对WINDOWS系统了解太少.终不得其解.悲哉悲哉.这里权当做一个消息HOOK入门的资料罢了.
mon.cpp:
代码:
// Dll.cpp : Defines the entry point for the DLL application.
// mon.dll
// By SysHu0teR
// 01.23.2006
//
//#include "StdAfx.h"
#include "mon.h"
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <tlhelp32.h>
#define DEBUG              // not referenced anywhere in the visible code

HINSTANCE hInst;           // module handle of this DLL, recorded in DllMain and passed to SetWindowsHookEx

HHOOK glhHook = NULL;      // handle of the installed WH_CBT hook; NULL while no hook is installed

// Function-pointer type for EnumProcesses, resolved at run time from PSAPI.DLL.
typedef BOOL (__stdcall *ENUMPROCESSES)(
    DWORD *lpidProcess,    // array to receive the process identifiers
    DWORD cb,              // size of the array
    DWORD *cbNeeded        // receives the number of bytes returned
);

// Function-pointer type for EnumProcessModules, resolved at run time from PSAPI.DLL.
typedef BOOL (__stdcall *ENUMPROCESSMODULES)(
    HANDLE hProcess,       // handle to the process
    HMODULE *lphModule,    // array to receive the module handles
    DWORD cb,              // size of the array
    LPDWORD lpcbNeeded     // receives the number of bytes returned
);

// Function-pointer type for GetModuleFileNameExA, resolved at run time from PSAPI.DLL.
typedef DWORD (__stdcall *GETMODULEFILENAMEEX)(
    HANDLE hProcess,       // handle to the process
    HMODULE hModule,       // handle to the module
    LPTSTR lpFilename,     // buffer that receives the path
    DWORD nSize            // size of the buffer
);

char list[256][256] = {0}; // watched EXE paths read from list_tmp.txt by rdlist(); unused slots stay all-zero
char path[MAX_PATH] = {0}; // scratch buffer for the EXE path returned by GetModuleFileNameEx
                           // NOTE(review): shared by installhook() and msg() and not cleared between
                           // lookups, so a failed PSAPI call leaves the previous process's path in it

void rdlist(void);                                             // read list_tmp.txt into list[]
int proccmp(char *str);                                        // 1 if str is an entry of list[], else 0
int KillProc(unsigned long pid);                               // terminate the process with the given PID
LRESULT WINAPI msg(int nCode, WPARAM wParam, LPARAM lParam);   // WH_CBT hook procedure
// DLL entry point. On process attach it records the module handle (needed
// later by SetWindowsHookEx) and loads the watch list from disk; nothing is
// done on detach.
// NOTE(review): rdlist() opens a file from inside DllMain. Because this DLL
// is loaded into every process that receives the global hook, each such
// process re-reads the list while holding the loader lock.
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        hInst = (HINSTANCE)hModule;
        rdlist();
    } else if (ul_reason_for_call == DLL_PROCESS_DETACH) {
        // no cleanup required
    }
    return TRUE;
}
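// Install the WH_CBT hook. Before hooking, every currently running process
// is enumerated once and any whose EXE path is present in list[] is
// terminated.
// Returns TRUE when the hook is installed (or already was), FALSE when
// psapi.dll or one of its entry points is unavailable or SetWindowsHookEx
// fails. A library export must report failure rather than exit() the host.
DLLEXPORT int CALLBACK installhook()
{
    HINSTANCE hins = LoadLibrary("psapi.dll");
    if (hins == NULL) {
        return FALSE;
    }
    ENUMPROCESSES pEnumProcesses = (ENUMPROCESSES)GetProcAddress(hins, "EnumProcesses");
    ENUMPROCESSMODULES pEnumProcessModules = (ENUMPROCESSMODULES)GetProcAddress(hins, "EnumProcessModules");
    GETMODULEFILENAMEEX pGetModuleFileNameEx = (GETMODULEFILENAMEEX)GetProcAddress(hins, "GetModuleFileNameExA");
    // All three entry points are used below, so all three must resolve.
    if (pEnumProcesses == NULL || pEnumProcessModules == NULL || pGetModuleFileNameEx == NULL) {
        FreeLibrary(hins);
        return FALSE;
    }

    DWORD allproc[256] = {0};
    DWORD bytesReturned = 0;
    if (pEnumProcesses(allproc, sizeof(allproc), &bytesReturned)) {
        int nRe = (int)(bytesReturned / sizeof(DWORD));   // number of PIDs actually stored
        for (int i = 0; i < nRe; ++i) {
            // Query rights are all that EnumProcessModules/GetModuleFileNameEx
            // need; KillProc opens its own PROCESS_TERMINATE handle.
            HANDLE ha = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, allproc[i]);
            if (ha == NULL) {
                continue;
            }
            HMODULE hm = NULL;
            DWORD needed = 0;
            path[0] = '\0';   // never compare a path left over from the previous process
            // The first module of a process is its EXE. The path is only
            // trusted when both PSAPI calls report success.
            if (pEnumProcessModules(ha, &hm, sizeof(hm), &needed)
                && pGetModuleFileNameEx(ha, hm, path, sizeof(path)) != 0
                && proccmp(path)) {
                KillProc(allproc[i]);
            }
            CloseHandle(ha);   // close every handle, not only the last one
        }
    }
    FreeLibrary(hins);

    // Install the hook only once: overwriting glhHook on a second call would
    // leak the first hook and make uninstallhook() unable to remove it.
    if (glhHook == NULL) {
        glhHook = SetWindowsHookEx(WH_CBT, msg, hInst, 0);
    }
    return glhHook != NULL ? TRUE : FALSE;
}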
//卸载钩子函数 DLLEXPORT int CALLBACK uninstallhook() { if(UnhookWindowsHookEx(glhHook)==0) return FALSE; else return TRUE; }
//查找list[]中是否存在str int proccmp(char *str) { for(int i=0;i<256;i++) { if(stricmp(str,list[i])==0) return 1; } return 0; }
//将D:\\list_tmp.txt内容读入list[] void rdlist(void) { FILE *fp; // char fline[256]={0}; // unsigned long pid;
// char s[2]; fp=fopen("d:\\list_tmp.txt","r"); for(int i=0;i<256&&!feof(fp);++i) { fgets(list[i],255,fp); list[i][strlen(list[i])-1]=0; } fclose(fp); }
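// Terminate the process identified by pid.
// Returns 1 when TerminateProcess succeeded, 0 when the process could not be
// opened with PROCESS_TERMINATE or could not be terminated.
int KillProc(unsigned long pid)
{
    HANDLE hp = OpenProcess(PROCESS_TERMINATE, 0, pid);
    if (hp == NULL) {
        return 0;
    }
    int ok = TerminateProcess(hp, 0) ? 1 : 0;
    CloseHandle(hp);   // the handle must be released on both outcomes
    return ok;
}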
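// WH_CBT hook procedure. For every notification with nCode >= 0 the process
// owning the foreground window is looked up and terminated if its EXE path
// is present in list[]. The hook chain is always continued.
// NOTE(review): wParam/lParam (the window the notification concerns) are
// ignored; the foreground window is queried instead, as before.
// NOTE(review): psapi.dll is loaded and freed on every callback, which is
// costly; caching the handle would change when the library stays loaded,
// so that is left as is.
LRESULT WINAPI msg(int nCode, WPARAM wParam, LPARAM lParam)
{
    // nCode < 0 must be passed on without processing; skip all PSAPI work then.
    if (nCode >= 0) {
        // A missing psapi.dll or entry point only disables the check. This
        // procedure runs inside every hooked process, so it must never
        // exit() or return without calling CallNextHookEx.
        HINSTANCE hins = LoadLibrary("psapi.dll");
        if (hins != NULL) {
            ENUMPROCESSMODULES pEnumProcessModules =
                (ENUMPROCESSMODULES)GetProcAddress(hins, "EnumProcessModules");
            GETMODULEFILENAMEEX pGetModuleFileNameEx =
                (GETMODULEFILENAMEEX)GetProcAddress(hins, "GetModuleFileNameExA");
            if (pEnumProcessModules != NULL && pGetModuleFileNameEx != NULL) {
                DWORD pid = 0;
                HWND hwnd = GetForegroundWindow();
                if (hwnd != NULL && GetWindowThreadProcessId(hwnd, &pid) != 0) {
                    // Query rights only; KillProc opens its own PROCESS_TERMINATE handle.
                    HANDLE handle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, pid);
                    if (handle != NULL) {
                        HMODULE hmod = NULL;
                        DWORD r = 0;      // bytes stored by EnumProcessModules
                        path[0] = '\0';   // never reuse a path from an earlier callback
                        if (pEnumProcessModules(handle, &hmod, sizeof(hmod), &r)
                            && pGetModuleFileNameEx(handle, hmod, path, sizeof(path)) != 0
                            && proccmp(path)) {
                            KillProc(pid);
                        }
                        CloseHandle(handle);
                    }
                }
            }
            FreeLibrary(hins);
        }
    }
    return CallNextHookEx(glhHook, nCode, wParam, lParam);
}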
主程序中在载入mon.dll后,只需要用installhook和uninstallhook来操作装载和卸载HOOK