怎样才能获知是哪个程序正使用钩子?(我动了所有积分!!!) ( 积分: 300 )

for33 · 2005-02-02

帮我

for33 · 2005-02-02

帮我

lichengbin · 2005-02-02

安装DEBUG钩子，钩子回调函数中，wParam代表被截获即将调用的钩子的类型，lParam为指向DEBUGHOOKINFO结构的指针。 typedef struct tagDEBUGHOOKINFO { // dh      DWORD  idThread;    DWORD  idThreadInstaller;    LPARAM lParam;    WPARAM wParam;    int    code; } DEBUGHOOKINFO;

missinwind · 2005-02-02

观注，想了解！[

]

for33 · 2005-02-02

可不可以详细点 比如举个例急需

lichengbin · 2005-02-02

var hkDebug: HHook; 安装：hkDebug := SetWindowsHookEx(WH_DEBUG, @DebugCallback, HInstance, 0); 卸载：UnhookWindowsHookEx(hkDebug); 回调函数： function DebugCallback(Code: UINT; WParam: WPARAM; LParam: LParam): LResult; stdcall; var  P: PDebugHookInfo; begin  if Code = HC_ACTION then  begin    P := PDebugHookInfo(LParam);    // WParam: 可以为WH_CALLWNDPROC, WH_CALLWNDPROCRET, WH_CBT, WH_DEBUG,    //         WH_GETMESSAGE, WH_JOURNALPLAYBACK, WH_JOURNALRECORD, WH_KEYBOARD,    //         WH_MOUSE, WH_MSGFILTER, WH_SHELL, WH_SYSMSGFILTER    // P.idThreadInstaller为安装钩子的线程ID，通过Toolhelp函数对系统线程进行枚举获得线程THREADENTRY32信息，    // 得到线程所属进程ID，再来个进程枚举，就知道是那个程序啦。  end;  Result := CallNextHookEx(hkDebug, Code, WParam, LParam); end; 注意：上面的钩子代码要放在DLL中。

for33 · 2005-02-02

可不可再详细点我是新手谢谢

for33 · 2005-02-03

// P.idThreadInstaller为安装钩子的线程ID，通过Toolhelp函数对系统线程进行枚举获得线程THREADENTRY32信息，    // 得到      ...线程所属进程ID，再来个进程枚举  ..  ，就知道是那个程序啦。 //////////// 怎么进程枚举

for33 · 2005-02-06

大家不要白进来了说几名

jingtao · 2005-02-14

2000以后无效.idThreadInstaller恒为0.只有从进程链表下手了.

SeekMyself · 2005-02-21

学习高手

lichengbin · 2005-02-28

最近正在研究不完整的Win2K源代码。 /***************************************************************************/ * xxxCallHook2 * * When you have an actual HOOK structure to call, you'd use this function. * It will check to see if the hook hasn't already been unhooked, and if * is it will free it and keep looking until it finds a hook it can call * or hits the end of the list.  We also make sure any needed DLLs are loaded * here.  We also check to see if the HOOK was unhooked inside the call * after we return. * * Note: Hooking server-side window procedures (such as the desktop and console * windows) can only be done by sending the hook message to the hooking app. * (This is because we must not load the hookproc DLL into the server process). * The hook types this can be done with are currently WH_JOURNALRECORD, * WH_JOURNALPLAYBACK, WH_KEYBOARD and WH_MOUSE : these are all marked as * HKF_INTERSENDABLE.  In order to prevent a global hooker from locking up the whole * system, the hook message is sent with a timeout.  To ensure minimal * performance degradation, the hooker process is set to foreground priority, * and prevented from being set back to background priority with the * TIF_GLOBALHOOKER bit in hooking thread's pti-&gt;flags. * Hooking emulated DOS apps is prevented with the TIF_DOSEMULATOR bit in the * console thread: this is because these apps typically hog the CPU so much that * the hooking app does not respond rapidly enough to the hook messsages sent * to it.  IanJa Nov 1994. * * History: * 02-07-91     DavidPe     Created. * 1994 Nov 02  IanJa       Hooking desktop and console windows. /***************************************************************************/ LRESULT xxxCallHook2(    PHOOK phkCall,    int nCode,    WPARAM wParam,    LPARAM lParam,    LPBOOL lpbAnsiHook) {    UINT        iHook;    PHOOK       phkSave;    LONG_PTR     nRet;    PTHREADINFO ptiCurrent;    BOOL        fLoadSuccess;    TL          tlphkCall;    TL          tlphkSave;    BYTE        bHookFlags;    BOOL        fMustIntersend;    CheckCritIn();    if (phkCall == NULL) {        return 0;    }    iHook = phkCall-&gt;iHook;    ptiCurrent = PtiCurrent();    /*     * Only low level hooks are allowed in the RIT context     * (This check used to be done in PhkFirstValid).     */    if (ptiCurrent == gptiRit) {        switch (iHook) {        case WH_MOUSE_LL:        case WH_KEYBOARD_LL: #ifdef REDIRECTION        case WH_HITTEST: #endif // REDIRECTION            break;        default:            return 0;        }    }    /*     * If this queue is in cleanup, exit: it has no business calling back     * a hook proc. Also check if hooks are disabled for the thread.     */    if (    ptiCurrent-&gt;TIF_flags & (TIF_INCLEANUP | TIF_DISABLEHOOKS) ||            ((ptiCurrent-&gt;rpdesk == NULL) && (phkCall-&gt;iHook != WH_MOUSE_LL))) {        return ampiHookError[iHook + 1];    }    /*     * Try to call each hook in the list until one is successful or     * we reach the end of the list.     */    do {        *lpbAnsiHook = phkCall-&gt;flags & HF_ANSI;        bHookFlags = abHookFlags[phkCall-&gt;iHook + 1];        /*         * Some WH_SHELL hook types can be called from console         * HSHELL_APPCOMMAND added for bug 346575 DefWindowProc invokes a shell hook         * for console windows if they don't handle the wm_appcommand message - we need the hook         * to go through for csrss.         */        if ((phkCall-&gt;iHook == WH_SHELL) && (ptiCurrent-&gt;TIF_flags & TIF_CSRSSTHREAD)) {            if ((nCode == HSHELL_LANGUAGE) || (nCode == HSHELL_WINDOWACTIVATED) ||                (nCode == HSHELL_APPCOMMAND)) {                bHookFlags |= HKF_INTERSENDABLE;            }        }        if ((phkCall-&gt;iHook == WH_SHELL) && (ptiCurrent-&gt;TIF_flags & TIF_SYSTEMTHREAD)) {            if ((nCode == HSHELL_ACCESSIBILITYSTATE) ) {                bHookFlags |= HKF_INTERSENDABLE;            }        }        fMustIntersend =            (GETPTI(phkCall) != ptiCurrent) &&            (                /*                 * We always want to intersend journal hooks.                 * CONSIDER (adams): Why? There's a performance hit by                 * doing so, so if we haven't a reason, we shouldn't                 * do it.                 *                 * we also need to intersend low level hooks. They can be called                 * from the desktop thread, the raw input thread AND also from                 * any thread that calls CallNextHookEx.                 */                (bHookFlags & (HKF_JOURNAL | HKF_LOWLEVEL))                /*                 * We must intersend if a 16bit app hooks a 32bit app                 * because we can't load a 16bit dll into a 32bit process.                 * We must also intersend if a 16bit app hooks another 16bit app                 * in a different VDM, because we can't load a 16bit dll from                 * one VDM into a 16bit app in another VDM (because that                 * VDM is actually a 32bit process).                 */                ||                (   GETPTI(phkCall)-&gt;TIF_flags & TIF_16BIT &&                    (   !(ptiCurrent-&gt;TIF_flags & TIF_16BIT) ||                        ptiCurrent-&gt;ppi != GETPTI(phkCall)-&gt;ppi)) #if defined(_WIN64)                /*                 * Intersend if a 64bit app hooks a 32bit app or                 * a 32bit app hooks a 64bit app.                 * This is necessary since a hook DLL can not be loaded                 * cross bit type.                 */                ||                (   (GETPTI(phkCall)-&gt;TIF_flags & TIF_WOW64) !=                    (ptiCurrent-&gt;TIF_flags & TIF_WOW64)               &nbsp

#endif /* defined(_WIN64) */                /*                 * We must intersend if a console or system thread is calling a hook                 * that is not in the same console or the system process.                 */                ||                (   ptiCurrent-&gt;TIF_flags & (TIF_CSRSSTHREAD | TIF_SYSTEMTHREAD) &&                    GETPTI(phkCall)-&gt;ppi != ptiCurrent-&gt;ppi)                /*                 * If this is a global and non-journal hook, do a security                 * check on the current desktop to see if we can call here.                 * Note that we allow processes with the SYSTEM_LUID to hook                 * other processes even if the other process says that it                 * doesn't allow other accounts to hook them.  We did this                 * because there was a bug in NT 3.x that allowed it and some                 * services were written to use it.                 */                ||                (   phkCall-&gt;flags & HF_GLOBAL &&                    !RtlEqualLuid(&GETPTI(phkCall)-&gt;ppi-&gt;luidSession, &ptiCurrent-&gt;ppi-&gt;luidSession) &&                    !(ptiCurrent-&gt;TIF_flags & TIF_ALLOWOTHERACCOUNTHOOK) &&                    !RtlEqualLuid(&GETPTI(phkCall)-&gt;ppi-&gt;luidSession, &luidSystem))                /*                 * We must intersend if the hooking thread is running in                 * another process and is restricted.                 */                ||                (   GETPTI(phkCall)-&gt;ppi != ptiCurrent-&gt;ppi &&                    IsRestricted(GETPTI(phkCall)-&gt;pEThread))             );        /*         * We're calling back... make sure the hook doesn't go away while         * we're calling back. We've thread locked here: we must unlock before         * returning or enumerating the next hook in the chain.         */        ThreadLockAlwaysWithPti(ptiCurrent, phkCall, &tlphkCall);        if (!fMustIntersend) {            /*             * Make sure the DLL for this hook, if any, has been loaded             * for the current process.             */            if ((phkCall-&gt;ihmod != -1) &&                    (TESTHMODLOADED(ptiCurrent, phkCall-&gt;ihmod) == 0)) {                BOOL bWx86KnownDll;                /*                 * Try loading the library, since it isn't loaded in this processes                 * context.  First lock this hook so it doesn't go away while we're                 * loading this library.                 */                bWx86KnownDll = (phkCall-&gt;flags & HF_WX86KNOWNDLL) != 0;                fLoadSuccess = (xxxLoadHmodIndex(phkCall-&gt;ihmod, bWx86KnownDll) != NULL);                /*                 * If the LoadLibrary() failed, skip to the next hook and try                 * again.                 */                if (!fLoadSuccess) {                    goto LoopAgain;                }            }            /*             * Is WH_DEBUG installed?  If we're not already calling it, do so.             */            if (IsHooked(ptiCurrent, WHF_DEBUG) && (phkCall-&gt;iHook != WH_DEBUG)) {                DEBUGHOOKINFO debug;                debug.idThread = TIDq(ptiCurrent);                debug.idThreadInstaller = 0; // TNND，微软就是可恶，非要给个0，就是不想让人知道钩子的安装者！                debug.code = nCode;                debug.wParam = wParam;                debug.lParam = lParam;                if (xxxCallHook(HC_ACTION, phkCall-&gt;iHook, (LPARAM)&debug, WH_DEBUG)) {                    /*                     * If WH_DEBUG returned non-zero, skip this hook and                     * try the next one.                     */                    goto LoopAgain;                }            }            /*             * Make sure the hook is still around before we             * try and call it.             */            if (HMIsMarkDestroy(phkCall)) {                goto LoopAgain;            }            /*             * Time to call the hook! Lock it first so that it doesn't go away             * while we're using it. Thread lock right away in case the lock frees             * the previous contents.             */ #if DBG            if (phkCall-&gt;flags & HF_GLOBAL) {                UserAssert(phkCall-&gt;ptiHooked == NULL);            } else {                UserAssert(phkCall-&gt;ptiHooked == ptiCurrent);            } #endif            phkSave = ptiCurrent-&gt;sphkCurrent;            ThreadLockWithPti(ptiCurrent, phkSave, &tlphkSave);            Lock(&ptiCurrent-&gt;sphkCurrent, phkCall);            if (ptiCurrent-&gt;pClientInfo)                ptiCurrent-&gt;pClientInfo-&gt;phkCurrent = phkCall;            nRet = xxxHkCallHook(phkCall, nCode, wParam, lParam);            Lock(&ptiCurrent-&gt;sphkCurrent, phkSave);            if (ptiCurrent-&gt;pClientInfo)                ptiCurrent-&gt;pClientInfo-&gt;phkCurrent = phkSave;            ThreadUnlock(&tlphkSave);            /*             * This hook proc faulted, so unhook it and try the next one.             */            if (phkCall-&gt;flags & HF_HOOKFAULTED) {                PHOOK   phkFault;                phkCall = PhkNextValid(phkCall);                phkFault = ThreadUnlock(&tlphkCall);                if (phkFault != NULL) {                    FreeHook(phkFault);                }                continue;            }            /*             * Lastly, we're done with this hook so it is ok to unlock it (it may             * get freed here!             */            ThreadUnlock(&tlphkCall);            return nRet;        } else if (bHookFlags & HKF_INTERSENDABLE) {            /*             * Receiving thread can access this structure since the             * sender thread's stack is locked down during xxxInterSendMsgEx             */            HOOKMSGSTRUCT hkmp;            int           timeout = 200; // 1/5 second !!!            hkmp.lParam = lParam;            hkmp.phk = phkCall;            hkmp.nCode = nCode;            /*             * Thread lock right away in case the lock frees the previous contents             */            phkSave = ptiCurrent-&gt;sphkCurrent;            ThreadLockWithPti(ptiCurrent, phkSave, &tlphkSave);            Lock(&ptiCurrent-&gt;sphkCurrent, phkCall);            if (ptiCurrent-&gt;pClientInfo)                ptiCurrent-&gt;pClientInfo-&gt;phkCurrent = phkCall;            /*             * Make sure we don't get hung!             */            if (bHookFlags & HKF_LOWLEVEL)                timeout = gnllHooksTimeout;            /*             * CONSIDER(adams): Why should a journaling hook be allowed to             * hang the console or a system thread? Will that interfere with             * the user's ability to cancel journaling through Ctrl+Esc?             */            if (((bHookFlags & HKF_LOWLEVEL) == 0) &&                (   (bHookFlags & HKF_JOURNAL) ||                    !(ptiCurrent-&gt;TIF_flags & (TIF_CSRSSTHREAD | TIF_SYSTEMTHREAD)))) {                nRet = xxxInterSendMsgEx(NULL, WM_HOOKMSG, wParam,                    (LPARAM)&hkmp, ptiCurrent, GETPTI(phkCall), NULL);            } else {                /*                 * We are a server thread (console/desktop) and we aren't                 * journalling, so we can't allow the hookproc to hang us -                 * we must use a timeout.                 */                INTRSENDMSGEX ism;                ism.fuCall     = ISM_TIMEOUT;                ism.fuSend     = SMTO_ABORTIFHUNG | SMTO_NORMAL;                ism.uTimeout   = timeout;                ism.lpdwResult = &nRet;                /*                 * Don't hook DOS apps connected to the emulator - they often                 * grab too much CPU for the callback to the hookproc to                 * complete in a timely fashion, causing poor response.                 */                if ((ptiCurrent-&gt;TIF_flags & TIF_DOSEMULATOR) ||                    FHungApp(GETPTI(phkCall), CMSHUNGAPPTIMEOUT) ||                    !xxxInterSendMsgEx(NULL, WM_HOOKMSG, wParam,                            (LPARAM)&hkmp, ptiCurrent, GETPTI(phkCall), &ism)) {                    nRet = ampiHookError[iHook + 1];                }                /*                 * If the low-level hook is eaten, the app may wake up from                 * MsgWaitForMultipleObjects, clear the wake mask, but not get                 * anything in GetMessage / PeekMessage and we will think it's                 * hung. This causes problems in DirectInput because then the                 * app may miss some hooks if FHungApp returns true, see bug                 * 430342 for more details on this.                 */                if ((bHookFlags & HKF_LOWLEVEL) && nRet) {                    SET_TIME_LAST_READ(GETPTI(phkCall));                }            }            Lock(&ptiCurrent-&gt;sphkCurrent, phkSave);            if (ptiCurrent-&gt;pClientInfo)                ptiCurrent-&gt;pClientInfo-&gt;phkCurrent = phkSave;            ThreadUnlock(&tlphkSave);            ThreadUnlock(&tlphkCall);            return nRet;        }        // fall-through LoopAgain:        phkCall = PhkNextValid(phkCall);        ThreadUnlock(&tlphkCall);    } while (phkCall != NULL);    return ampiHookError[iHook + 1]; }

刘麻子 · 2005-02-28

// TNND，微软就是可恶，非要给个0，就是不想让人知道钩子的安装者！ [

][

]

怎样才能获知是哪个程序正使用钩子?(我动了所有积分!!!) ( 积分: 300 )

for33

Unregistered / Unconfirmed

for33

Unregistered / Unconfirmed

lichengbin

Unregistered / Unconfirmed

missinwind

Unregistered / Unconfirmed

for33

Unregistered / Unconfirmed

lichengbin

Unregistered / Unconfirmed

for33

Unregistered / Unconfirmed

for33

Unregistered / Unconfirmed

for33

Unregistered / Unconfirmed

jingtao

Unregistered / Unconfirmed

SeekMyself

Unregistered / Unconfirmed

lichengbin

Unregistered / Unconfirmed

刘麻子

Unregistered / Unconfirmed

Similar threads