鉤子教程 - 原理(十五) : JournalRecordProc

標籤：

原文地址:http://www.zdexe.com/program/201004/589.html

方法10 : JournalRecordProc Function

The JournalRecordProc hook procedure is an application-defined or library-defined callback function used with the SetWindowsHookEx function. The function records messages the system removes from the system message queue. Later, an application can use a JournalPlaybackProc hook procedure to play back the messages.

　　JournalRecordProc鉤子子程是與SetWindowsHookEx一起使用的、程式定義的或者庫定義的回呼函數。該方法記錄系統從系統訊息佇列中移除的訊息。過後，應用程式可以使用JournalPlaybackProc鉤子子程回放這些訊息。

 

The HOOKPROC type defines a pointer to this callback function.JournalRecordProc is a placeholder for the application-defined or library-defined function name.

　　HOOKPROC類型定義了指向該回呼函數的指標。JournalRecordProc是程式定義的或者庫定義的方法名字。

Syntax 文法

LRESULT CALLBACK JournalRecordProc(      
        int code,

    WPARAM wParam,

    LPARAM lParam

);

Parameters 參數

code  ：[in] Specifies how to process the message. If code is less than zero, the hook procedure must pass the message to the CallNextHookEx function without further processing and should return the value returned byCallNextHookEx. This parameter can be one of the following values.

　　指定如何處理訊息。如果code小於0，鉤子子程不對其進行任何進一步的處理，必須將訊息傳遞給CallNextHookEx方法，並返回由CallNextHookEx方法返回的傳回值。該參數可以是以下值之一：

　　1．HC_ACTION  ： The lParam parameter is a pointer to an EVENTMSG structure containing information about a message removed from the system queue. The hook procedure must record the contents of the structure by copying them to a buffer or file.

　　　　參數lParam 是一個指向EVENTMSG結構的指標，該結構包含從系統隊列中移除的訊息的資訊。鉤子子程應該通過將訊息資訊拷貝到緩衝區中或者檔案中來記錄內　容。

　　2．HC_SYSMODALOFF ：A system-modal dialog box has been destroyed. The hook procedure must resume recording. 

　　　　系統強制回應對話方塊已經被銷毀。鉤子子程必須恢複紀錄。

　　3．HC_SYSMODALON ：A system-modal dialog box is being displayed. Until the dialog box is destroyed, the hook procedure must stop recording.

　　　　系統強制回應對話方塊正在被顯示。鉤子子程應該停止記錄，直到對話方塊被銷毀。

wParam ：This parameter is not used. 

　　該參數未使用。

lParam ：[in] Pointer to an EVENTMSG structure that contains the message to be recorded.

　　指向EVENTMSG結構的指標，其中包含即將被記錄的訊息。

Return Value  傳回值

　　The return value is ignored. 被忽略。

Remarks 備忘

A JournalRecordProc hook procedure must copy but not modify the messages. After the hook procedure returns control to the system, the message continues to be processed. 

　　JournalRecordProc鉤子子程應該複製而不是不修改訊息。在鉤子子程將控制全交還給系統後，訊息將被繼續處理。

 

Install the JournalRecordProc hook procedure by specifying the WH_JOURNALRECORD hook type and a pointer to the hook procedure in a call to the SetWindowsHookEx function.

　　通過下面方式安裝該鉤子子程：指定WH_JOURNALRECORD鉤子類型；指定在調用SetWindowsHookEx方法的函數中指向鉤子子程的指標。

 

A JournalRecordProc hook procedure does not need to live in a dynamic-link library. A JournalRecordProc hook procedure can live in the application itself. JournalRecordProc

　　鉤子子程沒必要生存在動態連結程式庫中，可以在應用程式自身中生存。

 

Unlike most other global hook procedures, the JournalRecordProc andJournalPlaybackProc hook procedures are always called in the context of the thread that set the hook. 

　　和其它全域鉤子子程不一樣，JournalRecordProca和JournalPlaybackProc鉤子子程總是在設定鉤子的線程的上下文中被調用。

 

An application that has installed a JournalRecordProc hook procedure should watch for the VK_CANCEL virtual key code (which is implemented as the CTRL+BREAK key combination on most keyboards). This virtual key code should be interpreted by the application as a signal that the user wishes to stop journal recording. The application should respond by ending the recording sequence and removing the JournalRecordProc hook procedure. Removal is important. It prevents a journaling application from locking up the system by hanging inside a hook procedure.

　　安裝有JournalRecordProc鉤子子程的應用程式應該監視VK_CANCEL虛擬鍵碼（在多數鍵盤上就是像CTRL+BREAK一樣實現的按鍵組合）。虛擬索引值應該被應用程式解釋為使用者希望停止日誌記錄的訊號。應用程式應該通過結束記錄隊列或者移除JournalRecordProc鉤子子程來響應使用者的訊號。可移除性是重要的，可以防止日誌應用程式由於鉤子子程內部的掛起而引起的系統鎖死。

 

This role as a signal to stop journal recording means that a CTRL+BREAK key combination cannot itself be recorded. Since the CTRL+C key combination has no such role as a journaling signal, it can be recorded. There are two other key combinations that cannot be recorded: CTRL+ESC and CTRL+ALT+DEL. Those two key combinations cause the system to stop all journaling activities (record or playback), remove all journaling hooks, and post a WM_CANCELJOURNAL message to the journaling application.

　　CTRL+BREAK按鍵組合扮演著停止日誌記錄的訊號的角色，這意味著CTRL+BREAK按鍵組合不能被自我記錄。既然CTRL+C按鍵組合沒有扮演這樣的角色，它就可以被記錄。還有其它2種按鍵組合不能被記錄： CTRL+ESC 和CTRL+ALT+DEL。.這2種按鍵組合引起系統停止所有日誌活動(記錄或者回放)，移除所有日誌鉤子，傳遞WM_CANCELJOURNAL訊息給日誌記錄應用程式。

鉤子教程 - 原理(十五) : JournalRecordProc