Writing plug-ins to lock the Word document window

Now the backdoor types of Trojans are very many, some of which are dedicated to Office documents to steal the target, I recently done some anti these Trojan work, in the work I basically implemented to prevent unknown programs using the office Automation interface to steal word content, But limited to the interests of the company I can only write some basically has been more mature and open technology, of course, including my design ideas, I think more or less will let you have harvested, you can arbitrarily reproduced articles, but please indicate the author and source, thank you!

First of all we know that OLE drag and drop is started by DoDragDrop, so you can prepare some parameters for DoDragDrop to use, the first thing I thought is to block the DoDragDrop call, and then I found that this will cause the Word document window inside the drag-and-drop operation is invalidated, This can give a very bad feeling, good protection software should be in the customer does not feel inconvenient situation to provide protection, and then I looked at the DoDragDrop parameters to find out what can be used, I found that it has four parameters:

IDataObject * PDATAOBJECT;

IDropSource * PDROPSOURCE;

DWORD Dwokeffect;

DWORD * PDWEFFECT;

The latter two parameters are essentially worthless, and I think of the GetData function of Hook IDataObject, but when programming OLE drop clients, the drag-and-drop is almost complete when I call COleDataObject's associated member function. The mouse is already on my program window.

And my idea now is that the drag-and-drop operation just left Word's document window, has not reached the External program window to let it fail, so the virtual function of hook IDataObject will not be, I can only study the last one has not studied the parameters Pdropsource, It's a idropsource type pointer, and I found it has a virtual function QueryContinueDrag look at MSDN and find out it seems to be what I'm looking for.

My understanding is that this function is a callback that lets the OLE drag-and-drop server have the opportunity to cancel the drag-and-drop operation after invoking DoDragDrop to start the OLE drag-and-drop operation, so I wrote a code hook to live DoDragDrop and further hooks the QueryContinueDrag virtual function of IDropSource from the DoDragDrop, I find that it will track the entire drag-and-drop operation as soon as this callback returns DRAGDROP_S_ Cancel the entire drag-and-drop operation will be canceled, so I just know whether the window under the current mouse is a document window is OK, once left the document window I let this callback return dragdrop_s_cancel cancel the entire drag-and-drop operation.

It's fun to do this without affecting the drag-and-drop operations inside the document window, and to stop the stuff inside the document window from dragging and dropping it into other programs, and it's basically not going to be inconvenient for the customer. Isn't it?

Is it possible to get a window handle from the mouse position? The answer is YES! The GetCursorPos function can return a point variable that indicates the current mouse position, while windowfrompoint can return a window handle at a point position. Write here I think almost already finished my train of thought, I do not know whether you can understand.

To summarize, use the ATL Wizard to generate a COM framework, add an ATL simple object, implement the _idtextensibility2 interface on this object, and Hook DoDragDrop in the _idtextensibility2 OnConnection API, which records the current document window handle when Word calls DoDragDrop, and hooks up the querycontinuedrag virtual function of the second parameter Pdropsource, QueryContinueDrag whether the window under the current mouse is still a document window (the document window handle that is recorded when comparing the handle to DoDragDrop), or if it is not, returns dragdrop_s_cance to cancel the drag-and-drop operation. and a warning message MessageBox, otherwise perform the original operation (let the drag-and-drop operation is normal).

Finally, don't forget to sign up for your word plugin (with Regsvr32). EXE), detailed key values and code details see the source program bar!

October 15, 2005 Night

Resources:

MSDN October 2001

Microsoft Office 2000/visual Basic Programmer ' s Guide

ATL Internals

Inside C + + Object Model

This article supporting source code