VC global hook for program monitoring

Source: Internet
Author: User

 
 
Create a global hook program.

General program functions:
1. It monitors the programs running on your computer and records the time and name of each program that runs;
2. It can reveal programs that start automatically without your permission; most Trojans are started secretly in exactly this way;
3. It can block the execution of programs you specify, for example allowing logging on to QQ but not playing games;
4. To monitor from boot onwards, the program must be registered to run at system startup. The Registry key for that is probably familiar:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Format of the program's record file:

17:31:25 - [system startup - Windows XP 5.01.2600]
17:31:29 "CabinetWClass" -> "My Computer"
17:31:59 "Red Alert" -> "Red Alert" (disable programs)
17:32:19 "mine clearance" -> "mine clearance" (disable programs)
17:32:35 "OpusApp" -> "Microsoft Word"
17:32:50 - [system shutdown - 0 days, 0 hrs, 1 mins, 25 secs]

17:35:37 - [system startup - Windows 98 SE 4.10.2222]
17:35:53 "mine clearance" -> "mine clearance" (disable programs)
17:36:05 "CabinetWClass" -> ""
17:36:31 "Red Alert" -> "Red Alert" (disable programs)
17:36:56 "ExploreWClass" -> ""
17:37:07 - [system shutdown - 0 days, 0 hrs, 1 mins, 30 secs]
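The record format above, parsed into structured entries so the startup, shutdown and blocked-launch lines of such a file can be reviewed programmatically. This is an added example, not code from the original program; the sample text is constructed in that format.

```cpp
#include <sstream>
#include <string>
#include <vector>
// One record line. kind is "startup", "shutdown" or "window"; winClass and
// caption are filled for window records; blocked marks "(disable programs)".
struct LogEntry {
    std::string time, kind, winClass, caption;
    bool blocked = false;
};

// Text between the n-th pair of double quotes (0-based); empty if absent.
static std::string quoted(const std::string& s, int n) {
    size_t pos = 0;
    for (int i = 0; i <= n; ++i) {
        size_t open = s.find('"', pos);
        size_t close = (open == std::string::npos) ? open : s.find('"', open + 1);
        if (close == std::string::npos) return "";
        if (i == n) return s.substr(open + 1, close - open - 1);
        pos = close + 1;
    }
    return "";
}
// Split the record file into entries; blank separator lines between sessions are skipped.
std::vector<LogEntry> parseLog(const std::string& text) {
    std::vector<LogEntry> out;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        if (line.size() < 9) continue;
        LogEntry e;
        e.time = line.substr(0, 8);               // "HH:MM:SS"
        if (line.find("[system startup") != std::string::npos) e.kind = "startup";
        else if (line.find("[system shutdown") != std::string::npos) e.kind = "shutdown";
        else {
            e.kind = "window";
            e.winClass = quoted(line, 0);
            e.caption = quoted(line, 1);
            e.blocked = line.find("(disable programs)") != std::string::npos;
        }
        out.push_back(e);
    }
    return out;
}

// Constructed sample in the record format above (not a real capture).
const char* SAMPLE_LOG =
    "17:31:25 - [system startup - Windows XP 5.01.2600]\r\n"
    "17:31:59 \"Red Alert\" -> \"Red Alert\" (disable programs)\r\n"
    "17:36:05 \"CabinetWClass\" -> \"\"\r\n"
    "17:32:50 - [system shutdown - 0 days, 0 hrs, 1 mins, 25 secs]\r\n";
```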

You only need three files to run the program:
hwhpapp.exe    the executable file
hwhpdrv.dll    the dynamic link library that installs the hook
hwhpapp.cfg    the blacklist of disabled software, which can be edited with Notepad
The program automatically generates one record file:
hwhpapp.sys    the record file, which can be opened in Notepad

The program works as follows:

1. Hooks
Use the API function SetWindowsHookEx() to install a global hook of type WH_SHELL.
A WH_SHELL hook is notified whenever the main window of any application is created or destroyed.
The most typical consumer of these notifications is the Windows taskbar: when a program starts, the title of its main window is added to the taskbar, and when the program exits it is removed again.
By intercepting this hook you can suppress the taskbar display, build a taskbar of your own, or keep a history of every program that has run on your computer. If a program that starts is not one you want, you can close it directly and so prevent it from running.

2. Dynamic Link Library
Because the hook is global, the hook procedure must be defined in a dynamic link library (.dll), so creating a DLL is part of the job.

3. Shared Memory
Because the DLL of a global hook is loaded by the system into other processes, the hook procedure cannot use any global variables defined in your own program!
What can be done in this case? This program uses shared memory, created with the API function CreateFileMapping(). Such memory can be used by any running program, that is, any .EXE, .DLL or other module can access it. Here the TSharedMemory shared-memory class from the Victor series of VCL controls is used directly.

4. Record file and software blacklist file
All records of programs executed on your computer are saved in a text file. A .txt extension would be easy to find, so the extension .sys is used instead.
The software blacklist is stored in a .cfg file, because an .ini file is easily discovered, opened and modified.
Both files are saved in the same folder as your .EXE file and have the same base name as the .exe file.

5. Ensure that only one instance runs at a time
If two instances run at the same time, the record file becomes a mess, so you must ensure that only one instance can run.
At the very beginning of the WinMain() function you need to determine whether the program is already running; if it is, exit directly.
The check is very simple: test whether the shared memory already exists. If it exists, the program is already running.

6. The program is invisible and does not appear in the taskbar or Task Manager
This is also very simple: add one statement before Application->Run() in the main program:
SetWindowLong(Application->Handle, GWL_EXSTYLE, GetWindowLong(Application->Handle, GWL_EXSTYLE) | WS_EX_TOOLWINDOW);
That is all it takes. (Only the window is hidden from the taskbar and from Task Manager's application list; the process itself is still listed in the Processes tab.)

--------------------------------------------------------------------------------

Program Introduction
DLL file: this is the most critical code, the hook itself:

#include <vcl.h>
#include "yb_base.h"   // a header file from the Victor series of controls

#define MYAPPMARK "victor_appmoni_20031612"   // name (flag) of the shared memory

class __export THookedProcs
{
public:
    THookedProcs();
    ~THookedProcs();
    void WINAPI InitFuncs(void);
    void WINAPI UninitFuncs(void);
private:
    HHOOK hThisHook;   // saves the hook handle
    static LRESULT CALLBACK HookedShellProc(int nCode, WPARAM wParam, LPARAM lParam);
};

// Define the shared data structure
typedef struct
{
    HHOOK hHook;   // the hook currently in use
    // ... other shared data can be added here
} THookSharedData;

THookedProcs::THookedProcs()
{
    hThisHook = NULL;
}

THookedProcs::~THookedProcs()
{
    UninitFuncs();
}

void WINAPI THookedProcs::InitFuncs(void)
{
    UninitFuncs();
    hThisHook = SetWindowsHookEx(WH_SHELL, (HOOKPROC)HookedShellProc, HInstance, 0);
    TSharedMemory appMem(MYAPPMARK, 4096);   // the memory shared with the EXE file
    if (appMem.Valid)
    {
        THookSharedData *hookSharedData = (THookSharedData *)(appMem.AppInfo->Data);   // shared data
        hookSharedData->hHook = hThisHook;   // save hThisHook in the shared memory
    }
}

void WINAPI THookedProcs::UninitFuncs(void)
{
    if (hThisHook)
    {
        UnhookWindowsHookEx(hThisHook);
        hThisHook = NULL;
    }
}

LRESULT CALLBACK THookedProcs::HookedShellProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    TSharedMemory appMem(MYAPPMARK, 4096);   // use the memory shared with the .exe file
    if (!appMem.Valid || !appMem.Exists)     // no shared memory: nobody to notify, just pass the event on
        return CallNextHookEx(NULL, nCode, wParam, lParam);

    HWND hMainWnd = appMem.AppInfo->hMainForm;
    if (hMainWnd && nCode == HSHELL_WINDOWCREATED)
    {
        PostMessage(hMainWnd, WM_USERCMD, UC_WINHOOK, wParam);   // wParam is the handle of the new window
    }

    // hThisHook cannot be used inside the hook procedure (it belongs to the installing process);
    // the hHook saved in the shared memory must be used instead.
    THookSharedData *hookSharedData = (THookSharedData *)(appMem.AppInfo->Data);   // shared data
    return CallNextHookEx(hookSharedData->hHook, nCode, wParam, lParam);
}

--------------------------------------------------------------------------------

Main program code of the EXE file:

// appMem is the TSharedMemory object defined in the main window unit (see below)
int WINAPI WinMain(HINSTANCE, HINSTANCE, LPSTR lpCmdLine, int)
{
    if (!appMem.Valid)
    {
        return 1;
    }
    if (appMem.Exists)   // already exists: the program has been started and is still running
    {
        if (stricmp(lpCmdLine, "/Show") == 0)   // with the command-line parameter /show, show the main window of the running instance
        {
            PostMessage(appMem.AppInfo->hMainForm, WM_USERCMD, UC_SHOWWIN, 0);
        }
        return 0;
    }
    appMem.ClearBuffer();

    try
    {
        Application->Initialize();
        Application->CreateForm(__classid(TFormMain), &FormMain);
        // The following statement keeps the program out of the taskbar and Task Manager's application list
        SetWindowLong(Application->Handle, GWL_EXSTYLE, GetWindowLong(Application->Handle, GWL_EXSTYLE) | WS_EX_TOOLWINDOW);
        Application->Run();
    }
    catch (Exception &exception)
    {
        Application->ShowException(&exception);
    }
    catch (...)
    {
        try
        {
            throw Exception("");
        }
        catch (Exception &exception)
        {
            Application->ShowException(&exception);
        }
    }
    return 0;
}

--------------------------------------------------------------------------------

Main Window program:

TSharedMemory appMem(MYAPPMARK, 4096);   // defines the shared memory; this is the instance that actually owns it

__fastcall TFormMain::TFormMain(TComponent *Owner)
    : TForm(Owner)
{
    appMem.AppInfo->hMainWnd = Application->Handle;
    appMem.AppInfo->hMainForm = Handle;
    WriteStartupMessage();   // add the startup information to the record file
    PostMessage(Handle, WM_USERCMD, UC_INITWIN, 0);

    MyHook = new THookedProcs;
    MyHook->InitFuncs();     // install the hook
}
//---------------------------------------------------------------------------
__fastcall TFormMain::~TFormMain()
{
    MyHook->UninitFuncs();   // remove the hook
    delete MyHook;
}
//---------------------------------------------------------------------------
void __fastcall TFormMain::FormCloseQuery(TObject *Sender, bool &CanClose)
{
    WriteShutdownMessage();  // add the exit information to the record file
}
//---------------------------------------------------------------------------
void __fastcall TFormMain::WndProc(Messages::TMessage &Message)
{
    if (Message.Msg == WM_USERCMD)
    {
        if (Message.WParam == UC_SHOWWIN)
        {
            Show();
            appMem.ActiveAppWnd();
        }
        else if (Message.WParam == UC_INITWIN)
        {
            Hide();
            Left = (Screen->Width - Width) / 2;
            Top = (Screen->Height - Height) / 2;
        }
        else if (Message.WParam == UC_WINHOOK)
        {
            WinHookMessage(Message.LParam);
        }
    }
    TForm::WndProc(Message);
}
//---------------------------------------------------------------------------

void __fastcall TFormMain::bnExitClick(TObject *Sender)
{
    Close();
}
//---------------------------------------------------------------------------

void __fastcall TFormMain::bnHideClick(TObject *Sender)
{
    Hide();
}
//---------------------------------------------------------------------------
void __fastcall TFormMain::CreateParams(Controls::TCreateParams &Params)
{
    TForm::CreateParams(Params);
    Params.Style = WS_OVERLAPPED | WS_DLGFRAME | WS_CAPTION | WS_SYSMENU;
    Params.ExStyle |= WS_EX_TOPMOST;
    Params.X = Screen->Width - 8;
    Params.Y = Screen->Height - 8;
}
//---------------------------------------------------------------------------
void __fastcall TFormMain::WinHookMessage(long Param)
{
    HWND hWnd = (HWND)Param;   // handle of the window that was just created

    char szWinCaption[256];
    char szWinClass[256];
    AnsiString S;

    DateTimeX X;   // current date and time
    S += AnsiString().sprintf("%04d-%02d-%02d %02d:%02d:%02d ", X.Year, X.Month, X.Day, X.Hour, X.Minute, X.Second);

    if (!GetWindowText(hWnd, szWinCaption, 256))
        *szWinCaption = 0;
    if (!GetClassName(hWnd, szWinClass, 256))
        *szWinClass = 0;
    S += "\"" + AnsiString(szWinClass) + "\" -> \"" + AnsiString(szWinCaption) + "\"";

    if (!ValidAppCheck(hWnd, szWinClass, szWinCaption))
        S += " (disable programs)";
    S += "\r\n";

    TBinFileFuncs::WriteLogFileInfo(TRelPath().Extension("sys").c_str(), S.c_str());   // the .sys file with the same name as the .exe
}
//---------------------------------------------------------------------------
void __fastcall TFormMain::WriteStartupMessage(void)
{
    AnsiString S;
    DateTimeX X = StartupTime;
    TSysInfo SI;

    S += "========= Copyright (c) Victor Chen ===== Email: Victor@cppfans.com =============\r\n";
    S += AnsiString().sprintf("%04d-%02d-%02d %02d:%02d:%02d - ", X.Year, X.Month, X.Day, X.Hour, X.Minute, X.Second);
    S += AnsiString().sprintf("[system startup - %s %d.%02d.%04d]", SI.OS->OSName, SI.OS->MajorVer, SI.OS->MinorVer, SI.OS->BuildNum);
    S += "\r\n";

    TBinFileFuncs::WriteLogFileInfo(TRelPath().Extension("sys").c_str(), S.c_str());   // the .sys file with the same name as the .exe
}
//---------------------------------------------------------------------------
void __fastcall TFormMain::WriteShutdownMessage(void)
{
    AnsiString S;
    DateTimeX X;   // current date and time
    TimeX T; T.s000 = (X - StartupTime) % (24 * 60 * 60);   // elapsed seconds within the last day
    int D = (X - StartupTime) / (24 * 60 * 60);             // elapsed whole days

    S += AnsiString().sprintf("%04d-%02d-%02d %02d:%02d:%02d - ", X.Year, X.Month, X.Day, X.Hour, X.Minute, X.Second);
    S += AnsiString().sprintf("[system shutdown - %d days, %d hrs, %d mins, %d secs]", D, T.Hour, T.Minute, T.Second);
    S += "\r\n";

    TBinFileFuncs::WriteLogFileInfo(TRelPath().Extension("sys").c_str(), S.c_str());   // the .sys file with the same name as the .exe
}
//---------------------------------------------------------------------------
bool __fastcall TFormMain::ValidAppCheck(HWND hWnd, char *Cls, char *Cap)
{
    TBinFile F;
    F.FileName = TRelPath().Extension("cfg");   // the .cfg file with the same name as the .exe
    F.OpenMode = TBinFile::omRead;               // prepare to read the file

    if (F.Exists)   // if the file exists
    {
        try
        {
            F.Active = true;   // open the file
            char ALine[2048];
            while (fgets(ALine, 2000, F))   // read one line of text (standard C function)
            {
                if (strnicmp(ALine, "class=", 6) == 0)   // match by window class name
                {
                    TBinFileFuncs::DeleteSpaces(ALine + 6, 1, 1);   // remove surrounding spaces
                    if (stricmp(ALine + 6, Cls) == 0)
                    {
                        PostMessage(hWnd, WM_CLOSE, 0, 0);   // close the program
                        return false;
                    }
                }
                else if (strnicmp(ALine, "caption=", 8) == 0)   // match by window title
                {
                    TBinFileFuncs::DeleteSpaces(ALine + 8, 1, 1);   // remove surrounding spaces
                    if (stricmp(ALine + 8, Cap) == 0)
                    {
                        PostMessage(hWnd, WM_CLOSE, 0, 0);   // close the program
                        return false;
                    }
                }
            }
        }
        catch (Exception &E)
        {
            // ignore the error; it could also be appended to an error log file
        }
    }
    return true;
}
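The blacklist matching that ValidAppCheck performs, rewritten against the standard library only so the class=/caption= rules can be tested without installing the hook. This is an added example, not the program's own VCL code; unlike the loop above it drops a rule with an empty value, which would otherwise match every window whose caption is empty (the "" entries in the record file).

```cpp
#include <cctype>
#include <sstream>
#include <string>
#include <vector>

// One blacklist line: "class=<window class>" or "caption=<window title>".
struct Rule { bool byClass; std::string value; };

// Strip leading/trailing whitespace, including the "\r\n" fgets leaves on a line.
static std::string trim(const std::string& s) {
    size_t b = 0, e = s.size();
    while (b < e && std::isspace(static_cast<unsigned char>(s[b]))) ++b;
    while (e > b && std::isspace(static_cast<unsigned char>(s[e - 1]))) --e;
    return s.substr(b, e - b);
}

// Case-insensitive equality, the role stricmp plays in the original.
static bool iequals(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    for (size_t i = 0; i < a.size(); ++i)
        if (std::tolower(static_cast<unsigned char>(a[i])) !=
            std::tolower(static_cast<unsigned char>(b[i]))) return false;
    return true;
}

// Parse the cfg text. Lines without '=' are ignored. Unlike the original loop, a
// rule with an empty value is dropped: "caption=" would otherwise match every
// window whose caption is empty, such as the "" entries in the record file.
std::vector<Rule> parseBlacklist(const std::string& cfg) {
    std::vector<Rule> rules;
    std::istringstream in(cfg);
    std::string line;
    while (std::getline(in, line)) {
        size_t eq = line.find('=');
        if (eq == std::string::npos) continue;
        std::string key = trim(line.substr(0, eq)), val = trim(line.substr(eq + 1));
        if (val.empty()) continue;
        if (iequals(key, "class"))        rules.push_back({true, val});
        else if (iequals(key, "caption")) rules.push_back({false, val});
    }
    return rules;
}

// True when the window may keep running (same meaning as ValidAppCheck's result).
bool validApp(const std::vector<Rule>& rules, const std::string& cls, const std::string& cap) {
    for (const Rule& r : rules)
        if (iequals(r.value, r.byClass ? cls : cap)) return false;
    return true;
}
```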

 
