1. Principle: Install a WH_SHELL hook to monitor newly launched applications.
2. Objective: To learn how shell hooks are used, purely for fun.
3. Main Code:
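/// @brief Installs the WH_SHELL hook and remembers the window that receives
///        its notifications.
/// @param hWnd  Window that ShellHookProc will post WM_SHELLHOOK messages to.
/// @return TRUE when the hook is installed (now or from an earlier call),
///         FALSE when hWnd is NULL or SetWindowsHookEx failed.
/// The hook is installed with thread id 0 from the hook DLL's module handle,
/// i.e. it is requested for every thread on the caller's desktop, so the
/// DLL containing ShellHookProc gets loaded into other processes.
BOOL CManagerHook::StartShellHook(HWND hWnd)
{
    // Already installed: keep the existing hook and report success.
    if (g_hWndMain != NULL)
    {
        return TRUE;
    }

    if (hWnd == NULL)
    {
        return FALSE;
    }

    g_hHookShell = SetWindowsHookEx(WH_SHELL, ShellHookProc, g_hDllInstance, 0);
    if (g_hHookShell == NULL)
    {
        // Fix: the target window is recorded only after the hook really exists.
        // Recording it first made a failed install look installed to every
        // later call, which then returned TRUE without ever retrying.
        return FALSE;
    }

    g_hWndMain = hWnd;
    return TRUE;
}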
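/// @brief Removes the WH_SHELL hook installed by StartShellHook.
/// @return FALSE when no hook is installed, otherwise the result of
///         UnhookWindowsHookEx.
BOOL CManagerHook::DestroyShellHook()
{
    if (g_hHookShell == NULL)
    {
        return FALSE;
    }

    const BOOL bUnhooked = UnhookWindowsHookEx(g_hHookShell);

    // Fix: reset both globals. Leaving them set meant a second Destroy call
    // unhooked a stale handle, a later StartShellHook returned TRUE without
    // reinstalling anything, and ShellHookProc kept posting to g_hWndMain.
    g_hHookShell = NULL;
    g_hWndMain = NULL;

    return bUnhooked;
}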
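/// @brief WH_SHELL hook procedure: forwards window-creation events to the
///        monitoring window.
/// @param nCode  HSHELL_* event code.
/// @param wParam For HSHELL_WINDOWCREATED this is the HWND of the window that
///               was created (not its name); lParam is unused (0) for it.
/// @param lParam Event-specific, passed through untouched.
/// @return Result of CallNextHookEx, which is always invoked so other hooks
///         in the chain keep running.
/// This runs inside whichever process created the window, so it does no work
/// beyond a non-blocking PostMessage; all inspection happens in the monitor.
LRESULT CALLBACK ShellHookProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    if (g_hWndMain != NULL && nCode == HSHELL_WINDOWCREATED)
    {
        PostMessage(g_hWndMain, WM_SHELLHOOK, wParam, lParam);
    }

    // Fix: the page's listing places this return inside the g_hWndMain guard,
    // so with no monitor window the hook chain was not continued and the
    // function fell off its end without a return value.
    return CallNextHookEx(g_hHookShell, nCode, wParam, lParam);
}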
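/// @brief Handles WM_SHELLHOOK: hides the newly created window, asks the user
///        whether the owning program may run, then shows it or terminates it.
/// @param wParam HWND of the created window, as forwarded by ShellHookProc.
/// @param lParam Unused.
/// The decision is appended to the record file via WriteInfoToRecordFile.
/// Note that the window title and image path come from the monitored process
/// and are logged verbatim, and the record line itself contains CRLFs.
void CTestShellHookDlg::OnShellHook(WPARAM wParam, LPARAM lParam)
{
    HWND hWnd = (HWND)wParam;
    if (hWnd == NULL)
    {
        return;
    }

    // One window can raise several creation notifications (every ShowWindow
    // re-triggers the hook); only the first one for a given handle is handled.
    if (m_hWndPre == hWnd)
    {
        return;
    }
    m_hWndPre = hWnd;

    CString strTitle;
    ::GetWindowText(hWnd, strTitle.GetBuffer(1024), 1024); // extract the window title
    strTitle.ReleaseBuffer(-1);

    ::ShowWindow(hWnd, SW_HIDE); // hide the form first; act on it once the user has chosen

    DWORD dwProcessId = 0;
    ::GetWindowThreadProcessId(hWnd, &dwProcessId);

    // Fix: request only the rights this handler uses (read the image path,
    // terminate) instead of PROCESS_ALL_ACCESS, and check the result.
    HANDLE hProcess = ::OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_TERMINATE,
                                    FALSE, dwProcessId);

    // Fix: the buffer was uninitialized, so a failed lookup logged garbage.
    char szFilePath[1024] = "";
    if (hProcess != NULL)
    {
        if (::GetModuleFileNameEx(hProcess, NULL, szFilePath, sizeof(szFilePath)) == 0) // extract the application execution path
        {
            szFilePath[0] = '\0';
        }
    }

    CString strText;
    strText = "program name:";
    strText += strTitle;
    strText += "\r\n";
    strText += "execution path ";
    strText += szFilePath;
    strText += "\r\n\r\n";

    CString strCaption;
    strCaption = "warning";
    strCaption += strTitle;
    strCaption += "try to execute. Is it allowed? ";

    if (IDYES == MessageBox(strText, strCaption, MB_YESNO)) // display the prompt information
    {
        ::ShowWindow(hWnd, SW_NORMAL); // show when the program is allowed to run
        WriteInfoToRecordFile(CString("policy: allow execution of ") + strText);
    }
    else
    {
        // Fix: a failed OpenProcess or TerminateProcess used to be logged as a
        // successful block while the program kept running (hidden).
        const BOOL bTerminated = (hProcess != NULL) && ::TerminateProcess(hProcess, 0);
        if (bTerminated)
        {
            WriteInfoToRecordFile(CString("policy: Disable execution") + strText);
        }
        else
        {
            WriteInfoToRecordFile(CString("policy: Disable execution (terminate failed)") + strText);
        }
    }

    // Fix: the process handle was leaked on every notification.
    if (hProcess != NULL)
    {
        ::CloseHandle(hProcess);
    }
}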
4. Results