如何实时检测win98系统中运行的应用程序(100分)

drank · 2000-11-13

我想设定一个HOOK使其能实时检测在win98系统中运行的应用程序。 我试过setwindowshookex(wh_cbt,spy,hinstance,0) 和 setwindowshookex(wh_shell,spy,hinstance,0)但结果是，只要一挂起，则任何应用程序 都无法运行。 spy 的代码如下： if code=HCBT_CREATEWND then   begin     messagebeep(mb_ok);     getwindowtext(wparam,@i,255);     form1.listbox1.Items.Add(strpas(@i));     result:=0;   end else   result:=callnexthookex(hookhandle,code,wparam,lparam); 请问该如何解决？？？？？？？

drank · 2000-11-14

有没有人可以回答我。

drank · 2000-11-15

为什么只有人浏览，却没人过来帮帮我，嫌分太少，我可再加。。。。。拜托

www · 2000-11-15

用findwindow查找程序的window不行吗?

drank · 2000-11-15

我需要实时监控,如果是隔几分钟找一次一会占用系统资源二无时效性

教父 · 2000-11-15

在Application.Onidle事件中用FindWindow来检查吧。

drank · 2000-11-16

to 教父    我不认为这是一个好办法，这样会占用很多系统资源，而且这种方式是主动的搜索，而不是 被动的应答，我需要的是被动应答。    我试过使用shell hook，但是用getwindowtext检测不到98自己的应用程序的窗口名字，且 运行ie后会死机。不知有什么api函数可检测运行的应用程序的文件名，及有什么办法可避免ie 运行死机。

教父 · 2000-11-16

在Application.Onidle事件中写代码虽然CPU的占用率为100％，但实际上并不会对系统造成太大的 影响。

drank · 2000-11-16

to 教父    不知有没有办法可帮我解决ie运行会死机的问题.

教父 · 2000-11-16

用Findwindows不会导致IE死机吧。 如果你非要用HOOK的方法的话我也没有试过，我再看看吧。

drank · 2000-11-16

to教父     今天我又试了试,死机没有了,不过一些系统的窗口如ie,我的电脑等,得不到窗口标题. 另外窗口标题是在不断变化的.最终我是要得到运行的应用程序的文件名,如iexplorer.exe, notepad.exe.不知你有否办法.

教父 · 2000-11-16

COPY一段内容给你，希望能对你有用。 Question I am using FindWindow() to locate a window handle and I am using PostMessage() to close the application. The problem is that I can't seem to close Acrobat Reader using FindWindow(nil, 'Acrobat Reader') and PostMessage() whenever Acrobat Reader has a file opened. Using winsight.exe, I noticed that Acrobat Reader changes its classname and window title whenever a PDF file is opened. How do I find Acrobat Reader's window handle and send a message to close the application when the classname and title change? Answer A: You should use Getwindow() to cycle thru all the various windows and search each one's name for acrobat reader, although this sounds like a chore it's really not too tough and happens instantaneously when you run the program. Here's the code to do it : (* Function to get the handle of Adobe Acrobat, could be applied to any  partial text window of a main program such as notepad, just change the "Acrobat Reader" to the appropriate thing you're looking for, it will return 0 if the window wasn't found will return the handle if it was found     *) Function GetAcrobatHwnd : word; var   hwndx :word;   PString : Pchar;   txtlength : integer;   posit : byte; begin{function}  hwndx := Getdesktopwindow;  GetWindow(hwndx,GW_CHild);  While not done do  begin  Txtlength := GetWindowText(hwndx,PString,255);  Posit := Pos("Acrobat Reader",Strpas(Pstring));         If Posit > 0 then (* Acrobat was found, make the result the handle *)         begin {if}           Result := hwndx;         done := true;         end;{if}   if hwndx = Getwindow(hwndx,GW_Hwndlast) then (* Acrobat Isn't Running *)     begin     Result := 0;     done := true;     end; hwndx := GetWindow(hwndx,GW_HWNDNEXT);  end;{while} end;{function GetAcrobatHwnd}

花花公子 · 2000-11-17

利用钩子程序吧,当程序打开时要触发窗口事件,当你发现了一个新的窗口句并时可以触发通知 这样不就可以了吗?

drank · 2000-11-17

谢谢各位关心!!!! 我已成功的用shell hook捕捉了窗口的创建事件,但任然有些问题,现提出来与大家讨论:    在我使用了挂起hook之后,应用程序的创建事件我能捕捉,但,凡是在钩子挂起之后运行的 应用程序,无论什么类型,只要进行了minimize 操作,就会隐藏hide起来.且在taskbar上也 找不到.只有用alt+tab切换才会出现.........不知什么问题.我把原代码贴上,请大家帮忙 研究. 以下是测试程序的原代码 unit testmain; interface uses   Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,   StdCtrls,tlhelp32, AppEvnts;   type   TForm1 = class(TForm)     Button1: TButton;     ListBox1: TListBox;     ApplicationEvents1: TApplicationEvents;     procedure Button1Click(Sender: TObject);     procedure FormCreate(Sender: TObject);     procedure FormClose(Sender: TObject; var Action: TCloseAction);     procedure ApplicationEvents1Message(var Msg: tagMSG;       var Handled: Boolean);   private     { Private declarations }       public     { Public declarations }   end; var   Form1: TForm1;   mymsg:dword; type EDLLLoadError=class(exception);                           implementation {$R *.DFM}   function createhook:bool; external 'mydll.dll' ; function freehook:bool; external 'mydll.dll' ; var hookhandle:hhook=0;     oldwinproc

ointer; procedure TForm1.Button1Click(Sender: TObject); begin close; end; function newproc(windowhandle:hwnd; themessage, paramw,paraml:longint):longint; stdcall; var     pid:integer;     ps:tprocessentry32;     hp:thandle;     filename:string;     isend:bool; begin     result:=0;  if themessage=mymsg then    begin     form1.listbox1.Items.Clear;     getwindowthreadprocessid(paramw,@pid);     hp:= createtoolhelp32snapshot(TH32CS_SNAPPROCESS,pid);     ps.dwsize:=sizeof(ps);         isend:=process32first(hp,ps);     while isend do      begin       filename:=ps.szExeFile;       form1.listbox1.Items.Add('w'+filename);       isend:=process32next(hp,ps);      end;     result:=0;    end  else    result:=callwindowproc(oldwinproc,form1.handle,themessage,paramw,paraml); end; procedure TForm1.FormCreate(Sender: TObject); var lb:bool;   begin   mymsg:=registerwindowmessage('cbtcreatewndmessage');   oldwinproc:=pointer(setwindowlong(form1.handle,gwl_wndproc,longint(@newproc))); lb:=createhook;   end; procedure TForm1.FormClose(Sender: TObject; var Action: TCloseAction); var lb:bool; begin lb:=freehook; end; procedure TForm1.ApplicationEvents1Message(var Msg: tagMSG;   var Handled: Boolean); var     pid:integer;     ps:tprocessentry32;     hp:thandle;     filename:string;     isend:bool; begin   if msg.message=mymsg then    begin     form1.listbox1.Items.Clear;     getwindowthreadprocessid(msg.wParam,@pid);     hp:= createtoolhelp32snapshot(TH32CS_SNAPPROCESS,pid);     ps.dwsize:=sizeof(ps);         isend:=process32first(hp,ps);     while isend do      begin       filename:=ps.szExeFile;       form1.listbox1.Items.Add('w'+filename);       isend:=process32next(hp,ps);      end;      showwindow(msg.wparam,SW_normal);    end;   end; end. 以下是dll中的原代码 unit cbt; interface uses messages,windows; function createhook:bool;stdcall; function freehook:bool;stdcall; function cbtcreatewndhook(  int: integer; // hook code                        WPARAM: longint;          // depends on hook code                         LPARAM: longint // depends on hook code                         &nbsp

:longint  stdcall;     implementation var hookhandle:hhook=0; function cbtcreatewndhook(  int: integer; // hook code                        WPARAM: longint;          // depends on hook code                         LPARAM: longint // depends on hook code                         &nbsp

:longint ; begin result:=0; if int=Hshell_WINDOWCREATED  then  begin   lparam:=getwindowlong(wparam,GWL_STYLE);   postmessage(HWND_BROADCAST,registerwindowmessage('cbtcreatewndmessage'),wparam,lparam);  end else  result:= callnexthookex(hookhandle,int,wparam,lparam); end; function createhook:bool; begin hookhandle:=setwindowshookex(wh_shell,cbtcreatewndhook,hinstance,0); result:=hookhandle<>0; end; function freehook:bool; begin result:=unhookwindowshookex(hookhandle); end; end. 以下是dll接口程序的代码 library mydll; { Important note about DLL memory management: ShareMem must be the   first unit in your library's USES clause AND your project's (select   Project-View Source) USES clause if your DLL exports any procedures or   functions that pass strings as parameters or function results. This   applies to all strings passed to and from your DLL--even those that   are nested in records and classes. ShareMem is the interface unit to   the BORLNDMM.DLL shared memory manager, which must be deployed along   with your DLL. To avoid using BORLNDMM.DLL, pass string information   using PChar or ShortString parameters. } uses   SysUtils,   Classes,   windows,   messages,   cbt in 'cbt.pas'; const   cbtgothandle=wm_user+101; {$R *.RES} exports  createhook,freehook,cbtcreatewndhook; begin end.

gcq · 2000-11-18

copy to see! waiting……

drank · 2000-11-22

网上没有人可帮我吗?

JELLYMAN · 2000-11-23

這樣搞掂! unit exelook; interface uses   Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,   StdCtrls; type   TForm1 = class(TForm)     Button1: TButton;     ListBox1: TListBox;     procedure Button1Click(Sender: TObject);   private     { Private declarations }   public     { Public declarations }   end; var   Form1: TForm1; implementation uses TLHelp32; {$R *.DFM} procedure TForm1.Button1Click(Sender: TObject); VAR    LPPE: TPROCESSENTRY32;    FOUND: BOOLEAN;    HAND:THANDLE; begin    Hand:= CreateToolhelp32Snapshot(TH32CS_SNAPALL,0);    found:= Process32First(Hand,lppe);    while found do    begin      listBox1.items.add(strPas(lppe.szExefile));      found:= Process32Next(hand,lppe);    end; end; end.

drank · 2000-11-24

to:jellyman    十分感谢，不过你所讲的内容对我早已不是问题，请帮我解决挂起hook后其他应用程序的 运行异常问题。见我最后一次提问。 to:gcq    研究的结果如何 to: everyone    各位，这是一个十分有趣的问题，肯定你没有碰倒过。搞定他有大奖。问题请见我最进 一次在本页上贴的帖子。

iamfly · 2000-11-24

不明白，干吗一定要用HOOK呢？用JELLYMAN的方法，绝对可以列出系统所有正在运行的程 序，包括了像BO、冰河之类的木马程序。如果说要如果系统一有程序运行或退出就自动更 新程序列表，那就做个定时刷新啊，虽说没HOOK实时，但在WIN2000中的那个任务管理器 也不是HOOK这种实时更新的。且，用HOOK来实时更新，有必要吗？我真的不明白

drank · 2000-11-25

各位高手： 我不想这样快就放弃这一课题，所以请正面回答我提出的问题。 我需要做到的效果是实时的检测应用程序的开启和关闭。拜托！！！！！

如何实时检测win98系统中运行的应用程序(100分)

drank

Unregistered / Unconfirmed

drank

Unregistered / Unconfirmed

drank

Unregistered / Unconfirmed

www

Unregistered / Unconfirmed

drank

Unregistered / Unconfirmed

教父

Unregistered / Unconfirmed

drank

Unregistered / Unconfirmed

教父

Unregistered / Unconfirmed

drank

Unregistered / Unconfirmed

教父

Unregistered / Unconfirmed

drank

Unregistered / Unconfirmed

教父

Unregistered / Unconfirmed

花花公子

Unregistered / Unconfirmed

drank

Unregistered / Unconfirmed

gcq

Unregistered / Unconfirmed

drank

Unregistered / Unconfirmed

JELLYMAN

Unregistered / Unconfirmed

drank

Unregistered / Unconfirmed

iamfly

Unregistered / Unconfirmed

drank

Unregistered / Unconfirmed

Similar threads