Install the wh_shell hook to monitor new programs

Source: Internet
Author: User

1. Principle: install a WH_SHELL hook and react to HSHELL_WINDOWCREATED, so the monitor is notified whenever a new top-level window (and therefore, in practice, a newly started GUI program) appears. Note that this only covers programs that create a top-level window; console or windowless processes never trigger it.

2. Objective: to learn how shell hooks are used, purely for fun.

3. Main Code:

```cpp
// Assumed (not shown on the page) to be declared in the hook DLL:
//   HINSTANCE g_hDllInstance;  // module handle saved in DllMain
//   HHOOK     g_hHookShell;    // handle returned by SetWindowsHookEx
//   HWND      g_hWndMain;      // window that receives WM_SHELLHOOK
// A global WH_SHELL hook is loaded into every GUI process, so g_hWndMain and
// g_hHookShell must live in a shared data section (#pragma data_seg) or the
// hooked processes will see their own zero-initialised copies.

BOOL CManagerHook::StartShellHook(HWND hWnd)
{
    if (g_hWndMain == NULL)  // first call
    {
        if (hWnd != NULL)
        {
            g_hHookShell = SetWindowsHookEx(WH_SHELL, ShellHookProc, g_hDllInstance, 0);
            if (g_hHookShell == NULL)
            {
                return FALSE;  // leave g_hWndMain NULL so a later call can retry
            }
            g_hWndMain = hWnd;
            return TRUE;
        }
        return FALSE;
    }
    else  // g_hWndMain != NULL: the hook is already installed
    {
        return TRUE;
    }
}
```

```cpp
BOOL CManagerHook::DestroyShellHook()
{
    if (g_hHookShell == NULL)
    {
        return FALSE;
    }

    UnhookWindowsHookEx(g_hHookShell);
    g_hHookShell = NULL;  // reset both globals so StartShellHook can install the hook again
    g_hWndMain = NULL;
    return TRUE;
}
```

```cpp
LRESULT CALLBACK ShellHookProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    if (g_hWndMain)
    {
        if (nCode == HSHELL_WINDOWCREATED)  // a top-level window has been created
        {
            // For HSHELL_WINDOWCREATED under WH_SHELL, wParam carries the handle (HWND) of the
            // window being created and lParam is unused (0). WM_SHELLHOOK is an application-
            // defined message (WM_USER + n) shared between the DLL and the main window.
            PostMessage(g_hWndMain, WM_SHELLHOOK, wParam, lParam);
        }
    }
    // Always chain to the next hook: the original only did so when g_hWndMain was set
    // and otherwise fell off the end of the function without returning a value.
    return CallNextHookEx(g_hHookShell, nCode, wParam, lParam);
}
```

```cpp
#include <psapi.h>  // GetModuleFileNameEx (link with psapi.lib)

void CTestShellHookDlg::OnShellHook(WPARAM wParam, LPARAM lParam)
{
    HWND hWnd = (HWND)wParam;

    if (m_hWndPre == NULL)
    {
        m_hWndPre = hWnd;
    }
    else if (m_hWndPre == hWnd)
    {
        return;
    }
    else
    {
        m_hWndPre = hWnd;
    }
    // The checks above stop the same window from being intercepted more than once

    CString strTitle;
    ::GetWindowText(hWnd, strTitle.GetBuffer(1024), 1024);  // read the window title
    strTitle.ReleaseBuffer(-1);

    ::ShowWindow(hWnd, SW_HIDE);  // hide the window first; act on it after the user has chosen

    DWORD dwProcessId;
    HANDLE hProcess;
    char szFilePath[1024];
    GetWindowThreadProcessId(hWnd, &dwProcessId);
    // PROCESS_ALL_ACCESS is more than this code needs; PROCESS_QUERY_INFORMATION |
    // PROCESS_VM_READ | PROCESS_TERMINATE is enough for the calls below.
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
    if (hProcess == NULL)
    {
        ::ShowWindow(hWnd, SW_NORMAL);  // cannot inspect the process: do not leave the window hidden
        return;
    }
    GetModuleFileNameEx(hProcess, NULL, szFilePath, 1024);  // read the executable's path

    CString strText;
    strText = "Program name: ";
    strText += strTitle;
    strText += "\r\n";
    strText += "Execution path: ";
    strText += szFilePath;
    strText += "\r\n\r\n";

    CString strCaption;
    strCaption = "Warning: ";
    strCaption += strTitle;
    strCaption += " is trying to run. Allow it?";

    if (IDYES == MessageBox(strText, strCaption, MB_YESNO))  // show the prompt
    {
        ::ShowWindow(hWnd, SW_NORMAL);  // show the window once the program is allowed to run
        // The hook fires again every time ShowWindow is called
        WriteInfoToRecordFile(CString("Policy: allowed execution of " + strText));
    }
    else
    {
        TerminateProcess(hProcess, 0);  // otherwise end the program
        WriteInfoToRecordFile(CString("Policy: denied execution of " + strText));
    }
    CloseHandle(hProcess);  // the original leaked this handle
}
```
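The handler above depends on Win32 and MFC, so it cannot be exercised outside Windows. The following added example (not code from the original post) isolates the two pieces of logic that can be tested anywhere: de-duplicating repeated notifications for the same window and recording an allow/deny decision. It generalises the original's single `m_hWndPre` check to a set of live window handles, which also handles the sequence A, B, A and handle reuse after a window is destroyed. `ShellEvent`, `HookMessage`, `WindowPolicy`, the sample policy and the event stream are all constructed here for illustration; the `MessageBox` prompt is replaced by a callback so the decision can be scripted.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <string>
#include <unordered_set>
#include <utility>
#include <vector>

// Portable stand-ins for the HSHELL_WINDOWCREATED / HSHELL_WINDOWDESTROYED codes (hypothetical names).
enum class ShellEvent { WindowCreated, WindowDestroyed };

// One forwarded notification. In the Win32 code the window is the HWND from wParam and the
// title/path are read with GetWindowText / GetModuleFileNameEx; here they are constructed data.
struct HookMessage {
    ShellEvent event;
    std::uint64_t window;
    std::string title;
    std::string exePath;
};

enum class Verdict { Allowed, Denied, Ignored };

struct AuditRecord {
    std::uint64_t window;
    Verdict verdict;
    std::string text;
};

class WindowPolicy {
public:
    // Replaces the MessageBox prompt with a callback so the decision can be scripted.
    using Decider = std::function<bool(const std::string& title, const std::string& exePath)>;

    explicit WindowPolicy(Decider decide) : decide_(std::move(decide)) {}

    Verdict handle(const HookMessage& msg) {
        if (msg.event == ShellEvent::WindowDestroyed) {
            // Forget the handle: HWND values are reused, so a later window with the same
            // value must be treated as new rather than silently ignored.
            seen_.erase(msg.window);
            return Verdict::Ignored;
        }
        // Track every live window, not only the previous one (m_hWndPre in the original),
        // which misses the sequence A, B, A and would prompt twice for A.
        if (!seen_.insert(msg.window).second) {
            return Verdict::Ignored;  // duplicate notification for a window already handled
        }
        const bool allow = decide_(msg.title, msg.exePath);
        const Verdict verdict = allow ? Verdict::Allowed : Verdict::Denied;
        log_.push_back({msg.window, verdict,
                        std::string(allow ? "Policy: allowed execution of "
                                          : "Policy: denied execution of ")
                            + msg.title + " (" + msg.exePath + ")"});
        return verdict;
    }

    const std::vector<AuditRecord>& log() const { return log_; }

private:
    Decider decide_;
    std::unordered_set<std::uint64_t> seen_;
    std::vector<AuditRecord> log_;
};

// Constructed event stream: window 0x10 is reported twice (the hook fires again on
// ShowWindow), 0x20 comes from a path the sample policy rejects, then 0x10 is
// destroyed and its handle value is reused by a new window.
std::vector<HookMessage> sampleStream() {
    return {
        {ShellEvent::WindowCreated,   0x10, "Notepad",    "C:\\Windows\\notepad.exe"},
        {ShellEvent::WindowCreated,   0x10, "Notepad",    "C:\\Windows\\notepad.exe"},
        {ShellEvent::WindowCreated,   0x20, "Setup",      "C:\\Users\\me\\Downloads\\untrusted.exe"},
        {ShellEvent::WindowCreated,   0x10, "Notepad",    "C:\\Windows\\notepad.exe"},
        {ShellEvent::WindowDestroyed, 0x10, "",           ""},
        {ShellEvent::WindowCreated,   0x10, "Calculator", "C:\\Windows\\System32\\calc.exe"},
    };
}

// Constructed rule standing in for the user's answer: deny paths containing "untrusted".
bool samplePolicy(const std::string&, const std::string& exePath) {
    return exePath.find("untrusted") == std::string::npos;
}

// Replays the constructed stream and returns one verdict per notification.
std::vector<Verdict> sampleVerdicts() {
    WindowPolicy policy(samplePolicy);
    std::vector<Verdict> out;
    for (const HookMessage& m : sampleStream()) out.push_back(policy.handle(m));
    return out;
}

// Number of audit records written for the constructed stream (one per decision made).
std::size_t sampleAuditCount() {
    WindowPolicy policy(samplePolicy);
    for (const HookMessage& m : sampleStream()) policy.handle(m);
    return policy.log().size();
}
```

Replaying the stream yields Allowed, Ignored, Denied, Ignored, Ignored, Allowed and three audit records: the duplicate reports for 0x10 are dropped, but the reused handle after the destroy event is correctly treated as a new window.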

4. Results
