谁有屏幕取词的delphi源代码,我头发都急白了(800里加急),收到源码再送100分 (50分)

  • 主题发起人 主题发起人 yfdciom
  • 开始时间 开始时间
Y

yfdciom

Unregistered / Unconfirmed
GUEST, unregistred user!
各位大哥,哪位有屏幕取词的delphi源代码,发到我的邮箱<br>&nbsp; swarmmail@163.net<br>小弟感激涕零。
 
收到邮件后根据代码质量再加100分,决不失言
 
Please read this: <br><br>屏幕抓词的技术实现 &nbsp; <br>&nbsp; <br>&nbsp; <br>  屏幕上的文字大都是由gdi32.dll的以下几个函数显示的:TextOutA、TextO<br>utW、ExtTextOutA、 <br>ExtTextOutW。实现屏幕抓词的关键就是截获对这些函数的调用,得到程序发给它<br>们的参数。 &nbsp;<br>&nbsp; <br>  我的方法有以下三个步骤: &nbsp;<br>&nbsp; <br>  一、得到鼠标的当前位置 &nbsp;<br>&nbsp; <br>  通过SetWindowsHookEx实现。 &nbsp;<br>&nbsp; <br>  二、向鼠标下的窗口发重画消息,让它调用系统函数重画 &nbsp;<br>&nbsp; <br>  通过WindowFromPoint,ScreenToClient,InvalidateRect 实现。 &nbsp;<br>&nbsp; <br>  三、截获对系统函数的调用,取得参数(以TextOutA为例) &nbsp;<br>&nbsp; <br>  1.仿照TextOutA作成自己的函数MyTextOutA,与TextOutA有相同参数和返回<br>值,放在系统钩子所在 <br>的DLL里。 &nbsp;<br>&nbsp; <br>  SysFunc1=(DWORD)GetProcAddress(GetModuleHandle("gdi32.dll"),"TextO<br>utA"); &nbsp;<br>&nbsp; <br>  BOOL WINAPI MyTextOutA(HDC hdc, int nXStart, int nYStart, LPCSTR l<br>pszString,int cbString) &nbsp;<br>&nbsp; <br>  { //输出lpszString的处理 &nbsp;<br>&nbsp; <br>return ((FARPROC)SysFunc1)(hdc,nXStart,nYStart,lpszString,cbString);} <br><br>&nbsp; <br>  2.由于系统鼠标钩子已经完成注入其它GUI进程的工作,我们不需要为注入再<br>做工作。 &nbsp;<br>&nbsp; <br>  如果你知道所有系统钩子的函数必须要在动态库里,就不会对“注入”感到<br>奇怪。当进程隐式或显式 <br>调用一个动态库里的函数时,系统都要把这个动态库映射到这个进程的虚拟地址<br>空间里(以下简称“地址空 <br>间”)。这使得DLL成为进程的一部分,以这个进程的身份执行,使用这个进程的<br>堆栈(见图1)。 &nbsp;<br>&nbsp; <br>&nbsp; &nbsp;<br>  图1 DLL映射到虚拟地址空间中 &nbsp;<br>&nbsp; <br>  对系统钩子来说,系统自动将包含“钩子回调函数”的DLL映射到受钩子函数<br>影响的所有进程的地址 <br>空间中,即将这个DLL注入了那些进程。 &nbsp;<br>&nbsp; <br>  3.当包含钩子的DLL注入其它进程后,寻找映射到这个进程虚拟内存里的各个<br>模块(EXE和DLL)的 <br>基地址。EXE和DLL被映射到虚拟内存空间的什么地方是由它们的基地址决定的。<br>它们的基地址是在链接 <br>时由链接器决定的。当你新建一个Win32工程时,VC++链接器使用缺省的基地址<br>0x00400000。可以通 <br>过链接器的BASE选项改变模块的基地址。EXE通常被映射到虚拟内存的0x0040000<br>0处,DLL也随之有 <br>不同的基地址,通常被映射到不同进程的相同的虚拟地址空间处。 &nbsp;<br>&nbsp; <br>  如何知道EXE和DLL被映射到哪里了呢? &nbsp;<br>&nbsp; <br>  在Win32中,HMODULE和HINSTANCE是相同的。它们就是相应模块被装入进程的<br>虚拟内存空间的 <br>基地址。比如: &nbsp;<br>&nbsp; <br>  HMODULE hmodule=GetModuleHandle(″gdi32.dll″); &nbsp;<br>&nbsp; <br>  返回的模块句柄强制转换为指针后,就是gdi32.dll被装入的基地址。 &nbsp;<br>&nbsp; <br>  关于如何找到虚拟内存空间映射了哪些DLL?我用如下方式实现: &nbsp;<br>&nbsp; <br>while(VirtualQuery (base, &mbi, sizeof (mbi))〉0) &nbsp; <br>&nbsp; <br>{ if(mbi.Type==MEM—IMAGE) &nbsp; <br>&nbsp; <br>ChangeFuncEntry((DWORD)mbi.BaseAddress,1); &nbsp; <br>&nbsp; <br>base=(DWORD)mbi.BaseAddress+mbi.RegionSize; } &nbsp;<br>&nbsp; <br>  4.得到模块的基地址后,根据PE文件的格式穷举这个模块的IMAGE—IMPORT—<br>DESCRIPTOR数组, <br>看是否引入了gdi32.dll。如是,则穷举IMAGE—THUNK—DATA数组,看是否引入了<br>TextOutA函数。 &nbsp;<br>&nbsp; <br>  5.如果找到,将其替换为相应的自己的函数。 &nbsp;<br>&nbsp; <br>  系统将EXE和DLL原封不动映射到虚拟内存空间中,它们在内存中的结构与磁<br>盘上的静态文件结构 <br>是一样的。即PE (Portable Executable) 文件格式。 &nbsp;<br>&nbsp; <br>  所有对给定API函数的调用总是通过可执行文件的同一个地方转移。那就是一<br>个模块(可以是EXE或 <br>DLL)的输入地址表(import address table)。那里有所有本模块调用的其它DLL的<br>函数名及地址。对其它DLL <br>的函数调用实际上只是跳转到输入地址表,由输入地址表再跳转到DLL真正的函数<br>入口。例如: &nbsp;<br>&nbsp; <br>&nbsp; &nbsp;<br>  图2 对MessageBox()的调用跳转到输入地址表,从输入地址表再跳转到Mess<br>ageBox函数 &nbsp;<br>&nbsp; <br>&nbsp; <br>&nbsp; <br>  IMAGE—IMPORT—DESCRIPTOR和IMAGE—THUNK—DATA分别对应于DLL和函数。<br>它们是PE <br>文件的输入地址表的格式(数据结构参见winnt.h)。 &nbsp;<br>&nbsp; <br>  BOOL ChangeFuncEntry(HMODULE hmodule) &nbsp;<br>&nbsp; <br>  { PIMAGE—DOS—HEADER pDOSHeader; &nbsp;<br>&nbsp; <br>  PIMAGE—NT—HEADERS pNTHeader; &nbsp;<br>&nbsp; <br>  PIMAGE—IMPORT—DESCRIPTOR pImportDesc; &nbsp;<br>&nbsp; <br>/?get system functions and my functions′entry?/ &nbsp;<br>&nbsp; <br>  pSysFunc1=(DWORD)GetProcAddress(GetModuleHandle(″gdi32.dll″),″T<br>extOutA″); &nbsp;<br>&nbsp; <br>  pMyFunc1= (DWORD)GetProcAddress(GetModuleHandle(″hookdll.dll″),″<br>MyTextOutA″); &nbsp;<br>&nbsp; <br>pDOSHeader=(PIMAGE—DOS—HEADER)hmodule; &nbsp;<br>&nbsp; <br>  if (IsBadReadPtr(hmodule, sizeof(PIMAGE—NT—HEADERS))) &nbsp;<br>&nbsp; <br>   return FALSE; &nbsp;<br>&nbsp; <br>  if (pDOSHeader-〉e—magic != IMAGE—DOS—SIGNATURE) &nbsp;<br>&nbsp; <br>   return FALSE; &nbsp;<br>&nbsp; <br>  pNTHeader=(PIMAGE—NT—HEADERS)((DWORD)pDOSHeader+(DWORD)pDOSHead<br>er-〉e— <br>lfanew); &nbsp;<br>&nbsp; <br>  if (pNTHeader-)Signature != IMAGE—NT—SIGNATURE) &nbsp;<br>&nbsp; <br>   return FALSE; &nbsp;<br>&nbsp; <br>  pImportDesc = (PIMAGE—IMPORT—DESCRIPTOR)((DWORD)hmodule+(DWORD)<br>pNTHeader <br>-)OptionalHeader.DataDirectory &nbsp;<br>&nbsp; <br>   [IMAGE—DIRECTORY—ENTRY—IMPORT].VirtualAddress); &nbsp;<br>&nbsp; <br>  if (pImportDesc == (PIMAGE—IMPORT—DESCRIPTOR)pNTHeader) &nbsp; <br>&nbsp; <br>return FALSE; &nbsp;<br>&nbsp; <br>  while (pImportDesc-)Name) &nbsp; <br>&nbsp; <br>  { PIMAGE—THUNK—DATA pThunk; &nbsp;<br>&nbsp; <br>  strcpy(buffer,(char?)((DWORD)hmodule+(DWORD)pImportDesc-)Name))<br>; &nbsp;<br>&nbsp; <br>CharLower(buffer); &nbsp;<br>&nbsp; <br>if(strcmp(buffer,"gdi32.dll")) &nbsp;<br>&nbsp; <br>{ pImportDesc++; &nbsp;<br>&nbsp; <br>continue; &nbsp;<br>&nbsp; <br>}else &nbsp; <br>&nbsp; <br>{ pThunk=(PIMAGE—THUNK—DATA)((DWORD)hmodule+(DWORD)pImportDesc-)Fi<br>rstThunk); &nbsp;<br>&nbsp; <br>while (pThunk-)u1.Function) &nbsp; <br>&nbsp; <br>{ if ((pThunk-)u1.Function) == pSysFunc1) &nbsp; <br>&nbsp; <br>{ VirtualProtect((LPVOID)(&pThunk-)u1.Function), &nbsp; <br>&nbsp; <br>   sizeof(DWORD),PAGE—EXECUTE—READWRITE, &dwProtect); &nbsp; <br>&nbsp; <br>   (pThunk-)u1.Function)=pMyFunc1; &nbsp;<br>&nbsp; <br>   VirtualProtect((LPVOID)(&pThunk-)u1.Function), sizeof(DWORD),dw<br>Protect,&temp); } &nbsp;<br>&nbsp; <br>pThunk++; } return 1;}}} &nbsp;<br>&nbsp; <br>  替换了输入地址表中TextOutA的入口为MyTextOutA后,截获系统函数调用的<br>主要部分已经完成,当 <br>一个被注入进程调用TextOutA时,其实调用的是MyTextOutA,只需在MyTextOutA<br>中显示传进来的字符 <br>串,再交给TextOutA处理即可。 <br>网易虚拟社区北京站 http://bj.netease.com
 
马飞涛有
 
http://delphi.mychangshu.com/ &nbsp;中搜索“取词”, 但是是C的,可参考一下嘛。
 
不要告诉我哪有下载的地址,把源码mail to me,货到给分。<br>马飞涛不提供源码
 
<br>大富翁论坛版权所有<br>&nbsp;问题:求Delphi版屏幕取词源代码,200分 ( 积分:200, 回复:4, 阅读:21 )<br>分类:Windows API ( 版主:amo, cAkk ) &nbsp;<br>来自:fevath, 时间:2002-3-22 3:13:00, ID:996179 [显示:小字体 | 大字体] &nbsp;<br>要那个截获TextOut的,要能工作的。<br>将截获的字(单个汉字)同时显示在调用程序的标题栏上即可(或者动态链接库自己处理,<br>显示在鼠标下方更好,如果这样我在加50分)<br>&nbsp;<br>&nbsp;<br>来自:zhihuali, 时间:2002-3-22 3:40:00, ID:996181 <br>转载:<br>-----------------------------------------------------------<br>1、添加form,在上面添加一个richedit,名字叫rich1<br>2、在form的onload事件中往rich1里面随便添加一段文字做测试用:<br>procedure TForm1.FormCreate(Sender: TObject);<br>begin<br>&nbsp; rich1.Lines.Add('cAkk is a good boy');<br>end;<br><br>3、定义rich1的onmousemove事件:<br>procedure TForm1.rich1MouseMove(Sender: TObject; Shift: TShiftState; X,Y: Integer);<br>var txt:String;<br>begin<br>&nbsp; txt:= RichWordOver(rich1, X, Y);<br>&nbsp; //截词结果显示在form的caption上<br>&nbsp; If Caption &lt;&gt; txt Then<br>&nbsp; &nbsp; &nbsp;Caption:= txt;<br>end;<br><br>4、定义函数RichWordOver<br><br>Function TForm1.RichWordOver(rch:trichedit; X,Y:integer):string;<br>var pt:tpoint;<br>&nbsp; &nbsp; pos,<br>&nbsp; &nbsp; start_pos,<br>&nbsp; &nbsp; end_pos:Integer;<br>&nbsp; &nbsp; ch,txt:String;<br>&nbsp; &nbsp; txtlen:Integer;<br>begin<br><br>&nbsp; &nbsp; pt.X:= X;<br>&nbsp; &nbsp; pt.Y:= Y;<br>&nbsp; &nbsp; pos:=rch.Perform(EM_CHARFROMPOS, 0, longint(@pt));<br>&nbsp; &nbsp; If pos &lt;= 0 Then Exit;<br>&nbsp; &nbsp; txt:= rch.Text;<br>&nbsp; &nbsp; For start_pos:= pos downTo 1 do<br>&nbsp; &nbsp; begin<br>&nbsp; &nbsp; &nbsp; &nbsp; ch:=copy(rch.text,start_pos, 1);<br>&nbsp; &nbsp; &nbsp; &nbsp; If Not (<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ( (ch &gt;= '0') And (ch &lt;= '9') ) Or<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ( (ch &gt;= 'a') And (ch &lt;= 'z') ) Or<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ( (ch &gt;= 'A') And (ch &lt;= 'Z') ) Or<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; (ch = '_')<br>&nbsp; &nbsp; &nbsp; &nbsp; ) Then break;<br>&nbsp; &nbsp; end;<br><br>&nbsp; &nbsp; inc(start_pos);<br><br>&nbsp; &nbsp; txtlen:= Length(txt);<br>&nbsp; &nbsp; For end_pos:= pos To txtlen do<br>&nbsp; &nbsp; begin<br>&nbsp; &nbsp; &nbsp; &nbsp; ch:= copy(txt, end_pos, 1);<br>&nbsp; &nbsp; &nbsp; &nbsp; If Not (<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ( (ch &gt;= '0') And (ch &lt;= '9') ) Or<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ( (ch &gt;= 'a') And (ch &lt;= 'z') ) Or<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ( (ch &gt;= 'A') And (ch &lt;= 'Z') ) Or<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; (ch = '_')<br>&nbsp; &nbsp; &nbsp; &nbsp; ) Then break;<br>&nbsp; &nbsp; end;<br>&nbsp; &nbsp; dec(end_pos);<br><br>&nbsp; &nbsp; If start_pos &lt;= end_pos Then<br>&nbsp; &nbsp; &nbsp; &nbsp; result:=copy(txt, start_pos, end_pos - start_pos + 1);<br>End;<br><br>&nbsp;<br>&nbsp;<br>来自:fevath, 时间:2002-3-22 7:16:00, ID:996197 <br>那么取非客户区的文字呢,我要监控整个系统,HOOK我已经做好了,只是不知道如何截获<br>TEXTOUT并获得其参数。不好意思ZhiHuaLi我想可能是我的问题问的可能不太清楚……<br>&nbsp;<br>&nbsp;<br>来自:jrq, 时间:2002-3-22 8:09:00, ID:996224 <br>&gt;&gt;HOOK我已经做好了<br>你可以将钩子编译为DLL~<br><br>下面是一个取词的源码:--转载 &nbsp;[:)][:)]<br>这是dll文件:<br>library dll_HookMouse;<br>uses<br>&nbsp; SysUtils,<br>&nbsp; Windows,<br>&nbsp; Classes,<br>&nbsp; Messages,<br>&nbsp; Math,<br>&nbsp; Dialogs,<br>&nbsp; U_Def in 'U_Def.pas';<br>{$R *.RES}<br>var<br>&nbsp; hMouseHook : HHOOK;<br>&nbsp; SpyInstalled : Boolean;<br>&nbsp; fTimerID : Cardinal;<br>&nbsp; pShMem : PShareMem;<br>&nbsp; hMappingFile : THandle;<br>function InstallSpy:Boolean; forward;<br>function UnWiseSpy:Boolean; forward;<br>function fExtTextOutA(theDC :HDC; nXStart, nYStart :integer; toOptions : Lon<br>gint; rect : PRect;<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; lpStr :PAnsiChar; nCount :Longint; Dx: PInteger):BOOL;<br>&nbsp;stdcall;<br>var<br>&nbsp; dwBytes, dwCallingProc : DWORD;<br>&nbsp; pOldExtTextOut : _ExtTextOutA;<br>&nbsp; hModuleGDI : THandle;<br>&nbsp; poOri, poDC, poText, poMouse : TPoint;<br>&nbsp; Size : TSize;<br>begin<br>&nbsp; UnWiseSpy;<br>&nbsp; GetWindowThreadProcessID(pShMem^.hHookWnd, @dwCallingProc);<br>&nbsp; try<br>&nbsp; &nbsp; if pShMem^.bCanSpyNow and (dwCallingProc &lt;&gt; pShMem^.hProc) then<br>&nbsp; &nbsp; begin<br>&nbsp; &nbsp; &nbsp; dwBytes := Min(nCount, MaxStringLen);<br>&nbsp; &nbsp; &nbsp; CopyMemory(@(pShMem^.fStrExtTextOutA), lpStr, dwBytes);<br>&nbsp; &nbsp; &nbsp; //Get lpStr Content<br>&nbsp; &nbsp; &nbsp; //The following codes for get the right text<br>&nbsp; &nbsp; &nbsp; GetDCOrgEx(theDC, poOri);<br>&nbsp; &nbsp; &nbsp; // 取得本窗口设备相关坐标原点的全局逻辑坐标<br>&nbsp; &nbsp; &nbsp; poDC.x := nXStart;<br>&nbsp; &nbsp; &nbsp; poDC.y := nYStart;<br>&nbsp; &nbsp; &nbsp; //<br>&nbsp; &nbsp; &nbsp; LPToDP(theDC, poDC, 1);<br>&nbsp; &nbsp; &nbsp; //全局逻辑坐标转化为设备相关坐标<br>&nbsp; &nbsp; &nbsp; GetCursorPos(poMouse);<br>&nbsp; &nbsp; &nbsp; poText.x := poDC.x + poOri.x;<br>&nbsp; &nbsp; &nbsp; poText.y := poDC.y + poOri.y;<br>&nbsp; &nbsp; &nbsp; if (GetTextAlign(theDC) and TA_UPDATECP) &lt;&gt; 0 then<br>&nbsp; &nbsp; &nbsp; begin<br>&nbsp; &nbsp; &nbsp; &nbsp; GetCurrentPositionEx(theDC, @poOri);<br>&nbsp; &nbsp; &nbsp; &nbsp; poText.x := poText.x + poOri.x;<br>&nbsp; &nbsp; &nbsp; &nbsp; poText.y := poText.y + poOri.y;<br>&nbsp; &nbsp; &nbsp; end;<br>&nbsp; &nbsp; &nbsp; GetTextExtentPoint(theDC, lpStr, nCount, Size);<br>&nbsp; &nbsp; &nbsp; // 取得要输出的字符串的实际显示大小<br>&nbsp; &nbsp; &nbsp; if (poMouse.x &gt;= poText.x) and (poMouse.x &lt;= poText.x + Size.cx) and<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;(poMouse.y &gt;= poText.y) and (poMouse.y &lt;= poText.y + Size.cy) then<br>&nbsp; &nbsp; &nbsp; begin<br>&nbsp; &nbsp; &nbsp; &nbsp; pShMem^.bCanSpyNow := False;<br>&nbsp; &nbsp; &nbsp; &nbsp; pShMem^.nTimePassed := -1;<br>&nbsp; &nbsp; &nbsp; end;<br>&nbsp; &nbsp; &nbsp; pShMem^.fStrExtTextOutA[dwBytes] := Chr(0);<br>&nbsp; &nbsp; &nbsp; FlushViewOfFile(pShMem, 0);<br>&nbsp; &nbsp; &nbsp; if dwCallingProc &lt;&gt; pShMem^.hProc then<br>&nbsp; &nbsp; &nbsp; &nbsp; PostMessage(pShMem^.hProcWnd, WM_MOUSEPT, 2, 2);<br>&nbsp; &nbsp; end;<br>&nbsp; &nbsp; if (dwCallingProc = pShMem^.hProc) or pShMem^.bHookExtTextOutA then<br>&nbsp; &nbsp; begin<br>&nbsp; &nbsp; &nbsp; hModuleGDI := GetModuleHandle(PChar('GDI32'));<br>&nbsp; &nbsp; &nbsp; @pOldExtTextOut := GetProcAddress(hModuleGDI, PChar('ExtTextOutA'));<br>&nbsp; &nbsp; &nbsp; Result := pOldExtTextOut(theDC, nXStart, nYStart, toOptions, rect, lpS<br>tr, nCount, Dx);<br>&nbsp; &nbsp; end else<br>&nbsp; &nbsp; &nbsp; Result := True;<br>&nbsp; except<br>&nbsp; &nbsp; Result := False;<br>&nbsp; end;<br>&nbsp; SpyInstalled := True;<br>&nbsp; InstallSpy;<br>end;<br>function UnWiseSpy:Boolean;<br>var<br>&nbsp; dwBytesWritten, dwOldProtect : DWORD;<br>&nbsp; pOldExtTextOut : _ExtTextOutA;<br>&nbsp; hModuleGDI : THandle;<br>begin<br>&nbsp; hModuleGDI := GetModuleHandle(PChar('GDI32'));<br>&nbsp; @pOldExtTextOut := GetProcAddress(hModuleGDI, PChar('ExtTextOutA'));<br>&nbsp; if not VirtualProtect(@pOldExtTextOut, SizeOf(TLongJump), PAGE_EXECUTE_REA<br>DWRITE, @dwOldProtect) then<br>&nbsp; begin<br>&nbsp; &nbsp; Result := False;<br>&nbsp; &nbsp; Exit;<br>&nbsp; end;<br>&nbsp; if not WriteProcessMemory(GetCurrentProcess, @pOldExtTextOut, @pShMem^.pOl<br>dExtTextOutA, SizeOf(TLongJump), dwBytesWritten) then<br>&nbsp; begin<br>&nbsp; &nbsp; Result := False;<br>&nbsp; &nbsp; Exit;<br>&nbsp; end;<br>&nbsp; if not VirtualProtect(@pOldExtTextOut, SizeOf(TLongJump), dwOldProtect, @d<br>wBytesWritten) then<br>&nbsp; begin<br>&nbsp; &nbsp; Result := False;<br>&nbsp; &nbsp; Exit;<br>&nbsp; end;<br>&nbsp; Result := True;<br>end;<br>function InstallSpy:Boolean;<br>var<br>&nbsp; dwBytesWritten, dwOldProtect : DWORD;<br>&nbsp; ljHere : TLongJump;<br>&nbsp; pOldExtTextOut : _ExtTextOutA;<br>&nbsp; hModuleGDI : THandle;<br>begin<br>&nbsp; hModuleGDI := GetModuleHandle(PChar('GDI32'));<br>&nbsp; @pOldExtTextOut := GetProcAddress(hModuleGDI, PChar('ExtTextOutA'));<br>&nbsp; if not VirtualProtect(@pOldExtTextOut, SizeOf(TLongJump), PAGE_EXECUTE_REA<br>DWRITE, @dwOldProtect) then<br>&nbsp; begin<br>&nbsp; &nbsp; Result := False;<br>&nbsp; &nbsp; Exit;<br>&nbsp; end;<br>&nbsp; ljHere.JmpOp := CodeJump;<br>&nbsp; ljHere.Addr := Pointer( Cardinal(@fExtTextOutA) - Cardinal(@pOldExtTextOut<br>) - SizeOf(TLongJump) );<br>&nbsp; if not WriteProcessMemory(GetCurrentProcess, @pOldExtTextOut, @ljHere, Siz<br>eOf(TLongJump), dwBytesWritten) then<br>&nbsp; begin<br>&nbsp; &nbsp; Result := False;<br>&nbsp; &nbsp; Exit;<br>&nbsp; end;<br>&nbsp; if not VirtualProtect(@pOldExtTextOut, SizeOf(TLongJump), dwOldProtect, @d<br>wBytesWritten) then<br>&nbsp; begin<br>&nbsp; &nbsp; Result := False;<br>&nbsp; &nbsp; Exit;<br>&nbsp; end;<br>&nbsp; Result := True;<br>end;<br>function MouseHookProc(nCode : integer; wPar : WParam; lPar : LParam) : lRes<br>ult; stdcall;<br>var<br>&nbsp; pMouseInf : TMouseHookStruct;<br>begin<br>&nbsp; if (not SpyInstalled) and pShMem^.bHookExtTextOutA then<br>&nbsp; &nbsp; InstallSpy;<br>&nbsp; if SpyInstalled and (not pShMem^.bHookExtTextOutA) then<br>&nbsp; begin<br>&nbsp; &nbsp; UnwiseSpy;<br>&nbsp; &nbsp; SpyInstalled := False;<br>&nbsp; end;<br>&nbsp; pShMem^.nTimePassed := 0 ;<br>&nbsp; if (nCode &gt;= 0) and (wPar = WM_MOUSEMOVE) then<br>&nbsp; begin<br>&nbsp; &nbsp; pMouseInf := (PMouseHookStruct(lPar))^;<br>&nbsp; &nbsp; if (pShMem^.pMouse.x &lt;&gt; pMouseInf.pt.x) or<br>&nbsp; &nbsp; &nbsp; &nbsp;(pShMem^.pMouse.y &lt;&gt; pMouseInf.pt.y) then<br>&nbsp; &nbsp; begin<br>&nbsp; &nbsp; &nbsp; if nCode = HC_NOREMOVE then<br>&nbsp; &nbsp; &nbsp; &nbsp; pShMem^.fStrMouseQueue := 'Not removed from the queue'<br>&nbsp; &nbsp; &nbsp; else &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;//then HC_ACTION<br>&nbsp; &nbsp; &nbsp; &nbsp; pShMem^.fStrMouseQueue := 'Removed from the queue';<br>&nbsp; &nbsp; &nbsp; pShMem^.pMouse := pMouseInf.pt;<br>&nbsp; &nbsp; &nbsp; pShMem^.hHookWnd := pMouseInf.hwnd;<br>&nbsp; &nbsp; &nbsp; PostMessage(pShMem^.hProcWnd, WM_MOUSEPT, 1, 1); //1 indicates mouse m<br>essage<br>&nbsp; &nbsp; end;<br>&nbsp; end;<br>&nbsp; FlushViewOfFile(pShMem, 0);<br>&nbsp; Result := CallNextHookEx(hMouseHook, nCode, wPar, lPar);<br>end;<br>procedure fOnTimer(theWnd : HWND; msg, idTimer : Cardinal; dwTime : DWORD);f<br>ar pascal; //CallBack Type<br>begin<br>&nbsp; if pShMem^.nTimePassed = -1 then<br>&nbsp; &nbsp; Exit;<br>&nbsp; pShMem^.nTimePassed := pShMem^.nTimePassed + 1;<br>&nbsp; if pShMem^.nTimePassed &gt; 21 then<br>&nbsp; begin<br>&nbsp; &nbsp; pShMem^.nTimePassed := 21;<br>&nbsp; &nbsp; FlushViewOfFile(pShMem, 0);<br>&nbsp; &nbsp; Exit;<br>&nbsp; end;<br>&nbsp; if pShMem^.nTimePassed &gt; 20 then<br>&nbsp; begin<br>&nbsp; &nbsp; pShMem^.bCanSpyNow := True;<br>&nbsp; &nbsp; FlushViewOfFile(pShMem, 0);<br>&nbsp; &nbsp; SetWindowPos(pShMem^.hWndPseudo, HWND_TOPMOST, pShMem^.pMouse.x, pShMem^<br>.pMouse.y, 1, 8, SWP_NOACTIVATE or SWP_SHOWWINDOW);<br>&nbsp; &nbsp; ShowWindow(pShMem^.hWndPseudo , SW_HIDE);<br>&nbsp; end;<br>end;<br>function MouseWndProc(theWnd : HWND; theMess : Cardinal; wPar : wParam; lPar<br>&nbsp;: lParam): LResult;stdcall;<br>begin<br>&nbsp; case theMess of<br>&nbsp; &nbsp; WM_CLOSE :<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; begin<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;DestroyWindow(theWnd);<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;PostQuitMessage(0);<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; end;<br>&nbsp; &nbsp; else<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;begin<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Result := DefWindowProc(theWnd, theMess, wPar, lPar);<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Exit;<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;end;<br>&nbsp; end;<br>&nbsp; Result := 0;<br>end;<br>function InstallMouseHook(hInst : LongWord):Boolean;<br>begin<br>&nbsp; hMouseHook := SetWindowsHookEx(WH_MOUSE,<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;MouseHookProc,<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;GetModuleHandle(PChar('dll_HookMouse')),<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;0);<br>&nbsp; if hMouseHook = 0 then<br>&nbsp; begin<br>&nbsp; &nbsp; Result := False;<br>&nbsp; &nbsp; Exit;<br>&nbsp; end;<br>&nbsp; pShMem^.hWndPseudo := CreateWindowEx(WS_EX_TOPMOST or WS_EX_TOOLWINDOW,<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;'ZL_MOUSE_WND_PSEUDO',<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;'ZL_MOUSE_WND_PSEUDO',<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;WS_CLIPSIBLINGS or WS_POPUP ,<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;0, 0, 1, 8,<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;0, 0,<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;hInst,<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;nil);<br>&nbsp; ShowWindow(pShMem^.hWndPseudo, SW_HIDE);<br>&nbsp; UpdateWindow(pShMem^.hWndPseudo);<br>&nbsp; fTimerID := SetTimer(0, 0, 10, @fOnTimer);<br>&nbsp; FlushViewOfFile(pShMem, 0);<br>&nbsp; Result := True;<br>end;<br>function UnWiseMouseHook:Boolean;<br>begin<br>&nbsp; KillTimer(0, fTimerID);<br>&nbsp; DestroyWindow(pShMem^.hWndPseudo);<br>&nbsp; if SpyInstalled then<br>&nbsp; &nbsp; UnWiseSpy;<br>&nbsp; pShMem^.bHookExtTextOutA := False;<br>&nbsp; FlushViewOfFile(pShMem, 0);<br>&nbsp; Result := UnHookWindowsHookEx(hMouseHook);<br>end;<br>procedure DllEntry(nReason : integer);<br>begin<br>&nbsp; case nReason Of<br>&nbsp; &nbsp; DLL_PROCESS_ATTACH:<br>&nbsp; &nbsp; &nbsp; begin<br>&nbsp; &nbsp; &nbsp; &nbsp; hMappingFile := CreateFileMapping($FFFFFFFF,<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; nil,<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; PAGE_READWRITE,<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 0,<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; SizeOf(TShareMem),<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; PChar(MappingFileName));<br>&nbsp; &nbsp; &nbsp; &nbsp; if hMappingFile&lt;&gt;0 then //if h..=0 , the work is done by OS<br>&nbsp; &nbsp; &nbsp; &nbsp; begin<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; pShMem := PShareMem( MapViewOfFile(hMappingFile,<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;FILE_MAP_WRITE,<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;0, //hi_order offset where mapp<br>ing begins<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;0, //lo_order offset where mapp<br>ing begins<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;0) ); //Size of the mapping<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; if pShMem = nil then<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; begin<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; CloseHandle(hMappingFile);<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ShowMessage('Cannot create the Share Memory Block!');<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; end;<br>&nbsp; &nbsp; &nbsp; &nbsp; end else<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ShowMessage('Cannot create the Share Memory Block!');<br>&nbsp; &nbsp; &nbsp; end;<br>&nbsp; &nbsp; DLL_PROCESS_DETACH:<br>&nbsp; &nbsp; &nbsp; begin<br>&nbsp; &nbsp; &nbsp; &nbsp; UnwiseSpy;<br>&nbsp; &nbsp; &nbsp; &nbsp; UnMapViewOfFile(pShMem);<br>&nbsp; &nbsp; &nbsp; &nbsp; CloseHandle(hMappingFile);<br>&nbsp; &nbsp; &nbsp; end;<br>&nbsp; &nbsp; else;<br>&nbsp; end;<br>end;<br>exports<br>&nbsp; MouseWndProc,<br>&nbsp; InstallMouseHook,<br>&nbsp; UnWiseMouseHook;<br>begin<br>&nbsp; DllProc := @DllEntry;<br>&nbsp; DllEntry(DLL_PROCESS_ATTACH);<br>end.<br>-------------- ----------------<br>下面是dll的接口文件:<br>unit U_Def;<br>interface<br>uses<br>&nbsp; Messages, Windows;<br>const<br>&nbsp; WM_MOUSEPT = WM_USER + 1000 + Ord('M') + Ord('P') + Ord('T');<br>&nbsp; MappingFileName = 'Mapping File By Raphael';<br>&nbsp; MaxStringLen = 50;<br>&nbsp; CodeJump = $E9909090;<br>type<br>&nbsp; PInt = ^integer;<br>&nbsp; _ExtTextOutA = function (theDC :HDC; nXStart, nYStart :integer; toOptions <br>: Longint; rect : PRect;<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;lpStr :PAnsiChar; nCount :integer; Dx : PInteger)<br>:BOOL; stdcall;<br>&nbsp; _PExtTextOutA = ^_ExtTextOutA;<br>&nbsp; TLongJump = packed record<br>&nbsp; &nbsp; JmpOp : Cardinal;<br>&nbsp; &nbsp; Addr : Pointer;<br>&nbsp; end;<br>&nbsp; TShareMem = packed record<br>&nbsp; &nbsp; hProcWnd : HWND; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; //The main window of the program<br>&nbsp; &nbsp; hHookWnd : HWND; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; //The window currently being hooked<br>&nbsp; &nbsp; hWndPseudo : HWND; &nbsp; &nbsp; &nbsp; &nbsp; //The pseudo window used to repaint the other<br>&nbsp;window<br>&nbsp; &nbsp; hProc : THandle; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; //The process ID of the main program<br>&nbsp; &nbsp; pMouse : TPoint; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; //the mouse position<br>&nbsp; &nbsp; fStrMouseQueue : array [0..MaxStringLen] of Char; //mouse info<br>&nbsp; &nbsp; nTimePassed : integer; &nbsp; &nbsp; //the time passed since last time's mousemove<br><br>&nbsp; &nbsp; bCanSpyNow : Boolean;<br>&nbsp; &nbsp; bHookExtTextOutA : Boolean;<br>&nbsp; &nbsp; pOldExtTextOutA : TLongJump;<br>&nbsp; &nbsp; fStrExtTextOutA : array [0..MaxStringLen] of Char;<br>&nbsp; end;<br>&nbsp; PShareMem = ^TShareMem;<br>implementation<br>end.<br>--------------------<br>下面是主窗体文件:<br>unit U_MouseHook;<br>interface<br>uses<br>&nbsp; Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,<br>&nbsp; StdCtrls, U_Def;<br>type<br>&nbsp; TF_MouseHook = class(TForm)<br>&nbsp; &nbsp; Label1: TLabel;<br>&nbsp; &nbsp; e_MouseInfo: TEdit;<br>&nbsp; &nbsp; btn_HookMouse: TButton;<br>&nbsp; &nbsp; Label2: TLabel;<br>&nbsp; &nbsp; e_ExtTextOutA: TEdit;<br>&nbsp; &nbsp; btn_HookExtTextOutA: TButton;<br>&nbsp; &nbsp; procedure btn_HookMouseClick(Sender: TObject);<br>&nbsp; &nbsp; procedure FormCreate(Sender: TObject);<br>&nbsp; &nbsp; procedure FormClose(Sender: TObject; var Action: TCloseAction);<br>&nbsp; &nbsp; procedure btn_HookExtTextOutAClick(Sender: TObject);<br>&nbsp; private<br>&nbsp; &nbsp; fWndClosed, fbMouseHookInstalled : Boolean;<br>&nbsp; &nbsp; hMapObj : THandle;<br>&nbsp; &nbsp; pShMem : PShareMem;<br>&nbsp; &nbsp; procedure getMouseInfo(var theMess:TMessage); message WM_MOUSEPT;<br>&nbsp; public<br>&nbsp; &nbsp; { Public declarations }<br>&nbsp; end;<br>function InstallMouseHook(hInst : LongWord) : Boolean; external 'dll_HookMouse.dll';<br>function UnWiseMouseHook : Boolean; external 'dll_HookMouse.dll';<br>function MouseWndProc(theWnd : HWND; theMess : Cardinal; wPar : wParam; lPar : lParam): LResult; stdcall; external 'dll_HookMouse.dll';<br>var<br>&nbsp; F_MouseHook: TF_MouseHook;<br>implementation<br>{$R *.DFM}<br>procedure TF_MouseHook.btn_HookMouseClick(Sender: TObject);<br>begin<br>&nbsp; if not fbMouseHookInstalled then<br>&nbsp; begin<br>&nbsp; &nbsp; fbMouseHookInstalled := InstallMouseHook(hInstance);<br>&nbsp; &nbsp; if fbMouseHookInstalled then<br>&nbsp; &nbsp; begin<br>&nbsp; &nbsp; &nbsp; btn_HookMouse.Caption := 'Stop!';<br>&nbsp; &nbsp; &nbsp; btn_HookExtTextOutA.Enabled := True;<br>&nbsp; &nbsp; end &nbsp;else<br>&nbsp; &nbsp; &nbsp; ShowMessage('Cannot hook mouse!');<br>&nbsp; end else<br>&nbsp; begin<br>&nbsp; &nbsp; fbMouseHookInstalled := not UnWiseMouseHook;<br>&nbsp; &nbsp; if not fbMouseHookInstalled then<br>&nbsp; &nbsp; begin<br>&nbsp; &nbsp; &nbsp; btn_HookMouse.Caption := 'Hook Mouse';<br>&nbsp; &nbsp; &nbsp; btn_HookExtTextOutA.Enabled := False;<br>&nbsp; &nbsp; &nbsp; btn_HookExtTextOutA.Caption := 'Hook ExtTextOutA';<br>&nbsp; &nbsp; &nbsp; pShMem^.bHookExtTextOutA := False;<br>&nbsp; &nbsp; &nbsp; FlushViewOfFile(pShMem, 0);<br>&nbsp; &nbsp; end else<br>&nbsp; &nbsp; &nbsp; ShowMessage('Cannot unhook mouse!');<br>&nbsp; end;<br>end;<br>procedure TF_MouseHook.getMouseInfo(var theMess : TMessage);<br>begin<br>&nbsp; if fWndClosed then<br>&nbsp; &nbsp; Exit;<br>&nbsp; if theMess.LParam = 1 then //Get the Mouse info to display<br>&nbsp; &nbsp; e_MouseInfo.Text := 'X:' + IntToStr(pShMem^.pMouse.x) + ' ' +<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 'Y:' + IntToStr(pShMem^.pMouse.y) + ' ' +<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 'HWND:0x' + IntToHex(pShMem^.hHookWnd, 8) + ' ' +<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; pShMem^.fStrMouseQueue<br>&nbsp; else if theMess.LParam = 2 then //Get the ExtTextOutA display<br>&nbsp; &nbsp; e_ExtTextOutA.Text := pShMem^.fStrExtTextOutA;<br>end;<br><br><br>procedure TF_MouseHook.FormCreate(Sender: TObject);<br>var<br>&nbsp; hModuleGDI : THandle;<br>&nbsp; wc : TWndClass;<br>begin<br>&nbsp; hMapObj := OpenFileMapping(FILE_MAP_WRITE, &nbsp; &nbsp; //Get full access of the mapping file<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;False, &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;//Not inheritable<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;LPCTSTR(MappingFileName)); &nbsp; //Name of the mapping file<br>&nbsp; if hMapObj = 0 then<br>&nbsp; begin<br>&nbsp; &nbsp; ShowMessage('Cannot locate the Share Memory Block!');<br>&nbsp; &nbsp; Halt;<br>&nbsp; end;<br>&nbsp; pShMem := PShareMem( MapViewOfFile(hMapObj,<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;FILE_MAP_WRITE,<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;0, //hi_order offset where mapping begins<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;0, //lo_order offset where mapping begins<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;0) ); //Size of the mapping<br>&nbsp; if pShMem = nil then<br>&nbsp; begin<br>&nbsp; &nbsp; ShowMessage('Map File Mapping Failed! Error '+ IntToStr(GetLastError));<br>&nbsp; &nbsp; CloseHandle(hMapObj);<br>&nbsp; &nbsp; Halt;<br>&nbsp; end;<br>&nbsp; FillChar(pShMem^, SizeOf(TShareMem), 0);<br>&nbsp; hModuleGDI := GetModuleHandle(PChar('GDI32'));<br>&nbsp; if hModuleGDI = 0 then<br>&nbsp; begin<br>&nbsp; &nbsp; ShowMessage('Cannot get module GDI32! Error ' + IntToStr(GetLastError));<br><br>&nbsp; &nbsp; UnmapViewOfFile(pShMem);<br>&nbsp; &nbsp; CloseHandle(hMapObj);<br>&nbsp; &nbsp; Halt;<br>&nbsp; end;<br>&nbsp; CopyMemory(@pShMem^.pOldExtTextOutA, GetProcAddress(hModuleGDI, PChar('ExtTextOutA')), SizeOf(TLongJump));<br>&nbsp; pShMem^.hProcWnd := Self.Handle;<br>&nbsp; GetWindowThreadProcessID(Self.Handle, @pShMem^.hProc);<br>&nbsp; pShMem^.bHookExtTextOutA := False;<br>&nbsp; pShMem^.bCanSpyNow := False;<br>&nbsp; fbMouseHookInstalled := False;<br>&nbsp; FlushViewOfFile(pShMem, 0);<br>&nbsp; wc.style &nbsp; &nbsp; &nbsp; &nbsp; := 0;<br>&nbsp; wc.lpfnWndProc &nbsp; := TFNWndProc(@MouseWndProc);<br>&nbsp; wc.cbClsExtra &nbsp; &nbsp;:= 0;<br>&nbsp; wc.cbWndExtra &nbsp; &nbsp;:= 0;<br>&nbsp; wc.hInstance &nbsp; &nbsp; := HInstance;<br>&nbsp; wc.hIcon &nbsp; &nbsp; &nbsp; &nbsp; := 0 ;<br>&nbsp; wc.hCursor &nbsp; &nbsp; &nbsp; := 0 ;<br>&nbsp; wc.hbrBackground := 0 ;<br>&nbsp; wc.lpszMenuName &nbsp;:= nil;<br>&nbsp; wc.lpszClassName := 'ZL_MOUSE_WND_PSEUDO';<br>&nbsp; // register the class for the main window<br>&nbsp; Windows.RegisterClass(wc);<br>&nbsp; fWndClosed := False;<br>end;<br><br><br>procedure TF_MouseHook.FormClose(Sender: TObject;<br>&nbsp; var Action: TCloseAction);<br>begin<br>&nbsp; if fbMouseHookInstalled then<br>&nbsp; &nbsp; UnWiseMouseHook;<br>&nbsp; UnMapViewOfFile(pShMem);<br>&nbsp; CloseHandle(hMapObj);<br>&nbsp; Windows.UnRegisterClass('ZL_MOUSE_WND_PSEUDO', hInstance);<br>&nbsp; fWndClosed := True;<br>end;<br>procedure TF_MouseHook.btn_HookExtTextOutAClick(Sender: TObject);<br>begin<br>&nbsp; if pShMem^.bHookExtTextOutA then<br>&nbsp; &nbsp; btn_HookExtTextOutA.Caption := 'Hook ExtTextOutA'<br>&nbsp; else<br>&nbsp; &nbsp; btn_HookExtTextOutA.Caption := 'Stop!';<br>&nbsp; pShMem^.bHookExtTextOutA := not pShMem^.bHookExtTextOutA;<br>&nbsp; FlushViewOfFile(pShMem, 0);<br>end;<br>//RaiseLastWin32Error can be used to create a GetLastError<br>//Message<br>end.<br>---------------------------<br>我做的时候分析了一下,主要用了ExtTextOutA这个API。 &nbsp;<br>可以取词! &nbsp;<br>&nbsp;<br>&nbsp;<br>来自:jrq, 时间:2002-3-22 8:37:00, ID:996282 <br>[:)]<br>屏幕抓字技术揭密(转载)<br><br>屏幕抓字技术揭密 <br>----------深入WINDOWS内部探险手记 <br><br>郑州 马飞涛 <br><br>一 公开它! <br><br>四通利方和金山词霸的用户都曾见识过屏幕抓字技术,鼠标指哪就翻译哪个 <br>单 <br><br>词,这个技术看似简单,其实在WINDOWS系统中实现却是非常复杂和有趣的。 经 <br>过 <br><br>半年多的艰辛探索,笔者终于破解了其中的秘密,并在今天决定公开它,这个人 <br>人 <br><br>都曾见过但是却鲜有人知的秘密,这个只被几家软件公司垄断从未在公开的报刊 <br>资 <br><br>料披露过只言片语的秘密! <br>回想这半年多的探索,其中浸润了多少笔者的苦闷与欢乐,绝望与兴奋,挫 <br>折 <br><br>与收获,现在都终于有了结果:将屏幕抓字技术的秘密公开,献给孜孜不倦辛勤 <br>工 <br><br>作的程序员们。如果这样做能为国产软件事业的发展效微薄之力,对笔者来说, <br>也 <br><br>是一桩快事! <br><br>二 初识屏幕抓字 <br><br>最初知道屏幕抓字, 是在购买了〖英汉通〗软件之后。 当时笔者还只是一 <br>个 <br><br>VISUAL BASIC 的初学者, 对 WINDOWS 系统内部的知识了解并不多, 认为 <br>在 <br><br>WINDOWS系统中屏幕抓字的实现应该和DOS系统中的一样,调用一个DOS 中断取屏 <br>幕 <br><br>上的字符或直接读显示内存的内容就可以了。 <br><br>三 看似很简单,其实不然 <br><br>随着对WINDOWS系统的认识不断深入,才发现问题并不象想得那么简单。首先, <br><br>翻阅了WINODWS应用程序接口(API)中的上千个函数,并没有发现有一个现成的 <br>类 <br><br>似于getWordFromPoint()的函数;根据使用经验,经过判断发现屏幕抓字采用的 <br>也 <br><br>不是图像识别技术;翻阅了SDK的联机文档中没有,DDK的联机文档中也没有;显 <br>示 <br><br>卡编程接口的资料则很难获得,有的也只是CGA到VGA显存的基本知识。回想当时 <br>坐 <br><br>在机子前,面对一屏屏的联机资料(如果是纸,将堆积如山),感觉就是在黑暗 <br>中 <br><br>的大海里航行,没有方向,没有灯光,但强烈的兴趣紧抓着我,一定要把这个谜 <br>解 <br><br>开。 <br><br>四 选择合适的编程工具 <br><br>突然又有了一些新的想法: <br>可否试着截获WINDOWS中关于字符的消息呢? <br>DC(设备描述表)到底是什么? <br>WINDOWS的TextOut函数是否将TEXT放在DC的某个单元中? <br>显然,用VISUAL BASIC就力不从心了。在DOS中用TURBO C编程笔者还算熟练 <br>, <br><br>因此先尝试用VISUAL C++,但是奇慢的编译速度使人难以忍受, 高度抽象的类 <br>让 <br><br>人一头雾水,开发商务软件可能还行,但开发这样一个深入WINDOWS 内部的系统 <br>软 <br><br>件,望着一堆缠绕不清的类和消息,真有点牛刀宰鸡、刺刀耕田的感觉。 <br>最后选择了DELPHI,第一印象是编译速度真快,在我的祖父型386 机子上 <br>编 <br><br>译一个WINDOWS程序,速度和用TURBO <br>C的速度感觉差不多,真让人兴奋得爱不释手。 <br>随着不断使用,发觉DELPHI真是一个好的快速开发工具,(快速并不意味着简单 <br>粗 <br><br>糙,而是和WINDOWS系统有混然一体良好接口的表现)让初学者也很容易上手。 <br>调 <br><br>用各种WINDOWS 函数(包括很多未公开的函数)都非常直接迅速,用它来作开发 <br>工 <br><br>具,大有刺刀见红、一剑封喉的痛快感觉。 <br><br>五 山穷水尽疑无路 <br><br>随着对WINDOWS系统了解的深入,我逐渐明白了在向屏幕输出文字时,WINDO <br>WS <br><br>系统仅仅只是对某个应用程序发送WM_PAINT消息,告诉该应用程序窗口用户区已 <br>经 <br><br>“无效”而需要重画。具体的“绘制”工作(选择字体,颜色,文字)由应用程 <br>序 <br><br>完成。 <br>应用程序在处理WM_PAINT消息时,调用BeginPaint和EndPaint来获得和释放 <br>设 <br><br>备描述表,调用DrawText、ExtTextOut、 TextOut等函数在设备描述表中“绘制 <br>” <br><br>文字。 <br>应用程序“绘制”文字, 就象学生(应用程序)奉命(获得 WM_PAINT消息 <br>) <br><br>用老师(WINDOWS)提供的画笔(DrawText ExtTextOut TextOut等) 在黑板上画 <br>画 <br><br>一样,虽然大家能看到画的是什么字,但是画笔作为绘图工具并不知道画的是什 <br>么。 <br><br>老师(WINDOWS)不知道学生(应用程序)到底用什么字体,颜色,画哪些文字。 <br><br>   总之 ,WINDOWS并不知道应用程序“绘制”的是什么。“文字”对 WINDO <br>WS <br><br>来说只是画笔留在黑板(屏幕)上的粉笔印,只是绘画的痕迹。“文字”只存在 <br>于 <br><br>应用程序的模块中,对WINDOWS系统是“不可见”的。 <br>到处走投无路,真想掂5000块钱,跑到“英汉通”公司买回这个秘密。仔细 <br>一 <br><br>想,钱太少,就是多掂10倍,人家也不一定说。 <br><br>六 柳暗花明又一村 <br><br>经过再三考虑,我联想到在DOS系统中编程,会采取改变中断向量地址, 设 <br>置 <br><br>新的中断向量的技术:如果系统调用这个中断,就会先进入新的中断服务程序, <br>然 <br><br>后再调用原来的中断服务程序。 <br>那末,在WINDOWS系统中也采取这种技术,使系统如果调用某个函数, 先进 <br>入 <br><br>一个跟踪函数,取得原函数的参数,再调用原来的函数。听起来是否象病毒传染 <br>和 <br><br>发作?其实很多程序都采用过类似技术。大学毕业设计声卡时我就用过。 <br>至此, 我认识到应该放弃常规的思路, 采取一些技巧, 截获 TextOut <br>、 <br><br>ExtTextOut等函数,使之转向我的跟踪函数,在此查看应用程序(学生)的堆栈 <br>中 <br><br>传递给画笔(TextOut、ExtTextOut等函数)的参数, 从而获得应用程序要在屏 <br>幕 <br><br>上写的“文字”。 <br><br>七 “ 屏幕抓字”的实现 <br><br>1 用SetWindowsHookEx()安装鼠标钩子MouseProc; <br>2 在屏幕上移动鼠标时,系统就会调用鼠标钩子MouseProc; <br>3 进入MouseProc,获得鼠标的坐标(x,y), <br>设置对TextOut()、ExtTextOut()等的跟踪程序, <br>用invalidateRect()告诉系统该点(x,y)“失效”; <br>4 <br>系统发出WM_PAINT消息,指示该点(x,y)处的应用程序重绘“失效”的区域。 <br>5 负责绘制该点()的应用程序在受到 WM_PAINT 消息后, 就有机会调用 <br><br>TextOut()、 ExtTextOut()等函数。 <br>6 调用的函数被拦截进入跟踪程序:设置好了的跟踪程序截获了该次调用, <br>从 <br><br>应用程序的堆栈中取出 该点(x,y)“文字”的指针; <br>7 从应用程序的数据段中将“文字”指针的内容取出,即完成了一次“屏幕 <br>抓 <br><br>字”; <br>8 退出跟踪程序,返回到鼠标钩子MouseProc; <br>9 在MouseProc中解除对TextOut() ExtTextOut()的跟踪; <br>10 退出MouseProc鼠标钩子程序,控制权交给系统。 <br>11 在屏幕上移动鼠标,开始下一次“屏幕抓字”,返回步骤2。 <br><br>八 前景展望 <br>掌握了“屏幕抓字”的技术秘密,稍加改变,我们就可对WINDOWS 系统中 <br>的 <br><br>任意一个函数调用进行动态地拦截、跟踪、修改和恢复,就可让WINDOWS 系统中 <br>的 <br><br>任意一个函数按我们的设想工作,就可构造自己的外挂汉字平台,设计改变字体 <br>的 <br><br>放大镜、改变颜色的变色镜,保护视力的软件视保屏等等。 <br><br>九 后记 <br><br>希望此文能抛砖引玉,为大家编程时能找到捷径,开拓出新的思路; <br>对拦截、跟踪感兴趣的朋友也请来信交流切磋,如需DLL 或“抓字”的源 <br>代 码,敬请 与 mafeitao@371.net 联系; <br>如能得到“四通利方”、“金山词霸”、“英汉通”等公司的教导与指正 , <br><br>笔者不胜感激。<br><br><br>&nbsp;
 
//可以取TMemo里的单词<br>function IsSeparetor(ch:char):boolean;<br>function GetWord(pos:word):string;<br><br>function TForm1.GetWord(pos: word): string;<br>var<br>&nbsp; st:string;<br>&nbsp; pos1,pos2:word;<br>&nbsp; i:longint;<br>&nbsp; w:string;<br>begin<br>&nbsp; w:='';<br>&nbsp; pos1:=1;<br>&nbsp; getword:='';<br>&nbsp; st:=Memo1.lines.Text;<br>&nbsp; pos2:=length(st);<br>&nbsp; for i:=pos-1 downto 1 do<br>&nbsp; &nbsp; if IsSeparetor(st) then<br>&nbsp; &nbsp; &nbsp; begin<br>&nbsp; &nbsp; &nbsp; &nbsp; pos1:=i+1;<br>&nbsp; &nbsp; &nbsp; &nbsp; break<br>&nbsp; &nbsp; &nbsp; end;<br>&nbsp; for i:=pos to pos2 do<br>&nbsp; &nbsp; if IsSeparetor(st) then<br>&nbsp; &nbsp; &nbsp; begin<br>&nbsp; &nbsp; &nbsp; &nbsp; pos2:=i-1;<br>&nbsp; &nbsp; &nbsp; &nbsp; break;<br>&nbsp; &nbsp; &nbsp; end;<br>&nbsp; if pos1&lt;=pos2 then<br>&nbsp; &nbsp; begin<br>&nbsp; &nbsp; &nbsp; for i:=pos1 to pos2 do<br>&nbsp; &nbsp; &nbsp; &nbsp; w:=w+st;<br>&nbsp; &nbsp; &nbsp; &nbsp; GetWord:='单词'+w;<br>&nbsp; &nbsp; end;<br>end;<br><br>function TForm1.IsSeparetor(ch: char): boolean;<br>begin<br>&nbsp; IsSeparetor:=false;<br>&nbsp; if ch in [' ',',','.','?',#10,#13] then<br>&nbsp; &nbsp; IsSeparetor:=true<br>end;<br><br>procedure TForm1.Memo1MouseDown(Sender: TObject; Button: TMouseButton;<br>&nbsp; Shift: TShiftState; X, Y: Integer);<br>var<br>&nbsp; lc:longint;<br>&nbsp; CharPos:word;<br>begin<br>&nbsp; lc:=SendMessage(Memo1.Handle,EM_CHARFROMPOS,0,x+(y shl 16));<br>&nbsp; charpos:=word(lc);<br>&nbsp; Memo1.Hint:=GetWord(charpos);<br>end;
 
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 鼠标屏幕取词技术的原理和实现 &nbsp; <br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 白瑜<br><br>&nbsp; &nbsp;“鼠标屏幕取词”技术是在电子字典中得到广泛地应用的,如四通利方和金山<br>词霸等软件,这个技术看似简单,其实在windows系统中实现却是非常复杂的,总<br>的来说有两种实现方式:<br>&nbsp; &nbsp; 第一种:采用截获对部分gdi的api调用来实现,如textout,textouta等。<br>&nbsp; &nbsp; 第二种:对每个设备上下文(dc)做一分copy,并跟踪所有修改上下文(dc)的<br>操作。 &nbsp; &nbsp; &nbsp;<br>&nbsp; &nbsp; 第二种方法更强大,但兼容性不好,而第一种方法使用的截获windowsapi的<br>调用,这项技术的强大可能远远超出了您的想象,毫不夸张的说,利用windowsapi<br>拦截技术,你可以改造整个操作系统,事实上很多外挂式windows中文平台就是<br>这么实现的!而这项技术也正是这篇文章的主题。<br>&nbsp; &nbsp; 截windowsapi的调用,具体的说来也可以分为两种方法:<br>&nbsp; &nbsp; 第一种方法通过直接改写winapi 在内存中的映像,嵌入汇编代码,使之被<br>调用时跳转到指定的地址运行来截获;第二种方法则改写iat(import address table<br>&nbsp;输入地址表),重定向winapi函数的调用来实现对winapi的截获。<br>&nbsp; &nbsp; 第一种方法的实现较为繁琐,而且在win95、98下面更有难度,这是因为虽<br>然微软说win16的api只是为了兼容性才保留下来,程序员应该尽可能地调用32位<br>的api,实际上根本就不是这样!win 9x内部的大部分32位api经过变换调用了同<br>名的16位api,也就是说我们需要在拦截的函数中嵌入16位汇编代码!<br>&nbsp; &nbsp; 我们将要介绍的是第二种拦截方法,这种方法在win95、98和nt下面运行都<br>比较稳定,兼容性较好。由于需要用到关于windows虚拟内存的管理、打破进程<br>边界墙、向应用程序的进程空间中注入代码、pe(portable executable)文件<br>格式和iat(输入地址表)等较底层的知识,所以我们先对涉及到的这些知识大<br>概地做一个介绍,最后会给出拦截部分的关键代码。<br>&nbsp; &nbsp; 先说windows虚拟内存的管理。windows9x给每一个进程分配了4gb的地址空<br>间,对于nt来说,这个数字是2gb,系统保留了2gb到 4gb之间的地址空间禁止进<br>程访问,而在win9x中,2gb到4gb这部分虚拟地址空间实际上是由所有的win32进<br>程所共享的,这部分地址空间加载了共享win32 dll、内存映射文件和vxd、内存<br>管理器和文件系统码,win9x中这部分对于每一个进程都是可见的,这也是win9x<br>操作系统不够健壮的原因。win9x中为16位操作系统保留了0到4mb的地址空间,<br>而在4mb到2gb之间也就是win32进程私有的地址空间,由于 每个进程的地址空间<br>都是相对独立的,也就是说,如果程序想截获其它进程中的api调用,就必须打<br>破进程边界墙,向其它的进程中注入截获api调用的代码,这项工作我们交给钩<br>子函数(setwindowshookex)来完成,关于如何创建一个包含系统钩子的动态链<br>接库,《电脑高手杂志》在第?期已经有过专题介绍了,这里就不赘述了。所有<br>系统钩子的函数必须要在动态库里,这样的话,当进程隐式或显式调用一个动态<br>库里的函数时,系统会把这个动态库映射到这个进程的虚拟地址空间里,这使得<br>dll成为进程的一部分,以这个进程的身份执行,使用这个进程的堆栈,也就是<br>说动态链接库中的代码被钩子函数注入了其它gui进程的地址空间(非gui进程,<br>钩子函数就无能为力了),当包含钩子的dll注入其它进程后,就可以取得映射<br>到这个进程虚拟内存里的各个模块(exe和dll)的基地址,如:<br>hmodule hmodule=getmodulehandle(“mypro.exe”);<br>在mfc程序中,我们可以用afxgetinstancehandle()函数来得到模块的基地址。<br>exe和dll被映射到虚拟内存空间的什么地方是由它们的基地址决定的。它们的基<br>地址是在链接时由链接器决定的。当你新建一个win32工程时,vc++链接器使<br>用缺省的基地址0x00400000。可以通过链接器的base选项改变模块的基地址。<br>exe通常被映射到虚拟内存的0x00400000处,dll也随之有不同的基地址,通常被<br>映射到不同进程的相同的虚拟地址空间处。<br>&nbsp; 系统将exe和dll原封不动映射到虚拟内存空间中,它们在内存中的结构与磁盘<br>上的静态文件结构是一样的。即pe (portable executable) 文件格式。我们得<br>到了进程模块的基地址以后,就可以根据pe文件的格式穷举这个模块的image_import_descriptor<br>数组,看看进程空间中是否引入了我们需要截获的函数所在的动态链接库,比如<br>需要截获“textouta”,就必须检查“gdi32.dll”是否被引入了。说到这里,我<br>们有必要介绍一下pe文件的格式,如右图,这是pe文件格式的大致框图,最前面<br>是文件头,我们不必理会,从pe file optional header后面开始,就是文件中各<br>个段的说明,说明后面才是真正的段数据,而实际上我们关心的只有一个段,那<br>就是“.idata”段,这个段中包含了所有的引入函数信息,还有iat(import address table)<br>的rva(relative virtual address)地址。<br>&nbsp; &nbsp;说到这里,截获windowsapi的整个原理就要真相大白了。实际上所有进程对<br>给定的api函数的调用总是通过pe文件的一个地方来转移的,这就是一个该模块<br>(可以是exe或dll)的“.idata”段中的iat输入地址表(import address table)<br>。在那里有所有本模块调用的其它dll的函数名及地址。对其它dll的函数调用实<br>际上只是跳转到输入地址表,由输入地址表再跳转到dll真正的函数入口。<br><br>具体来说,我们将通过image_import_descriptor数组来访问“.idata”段中引入<br>的dll的信息,然后通过image_thunk_data数组来针对一个被引入的dll访问该<br>dll中被引入的每个函数的信息,找到我们需要截获的函数的跳转地址,然后改<br>成我们自己的函数的地址……具体的做法在后面的关键代码中会有详细的讲解。<br>&nbsp; &nbsp;讲了这么多原理,现在让我们回到“鼠标屏幕取词”的专题上来。除了api函<br>数的截获,要实现“鼠标屏幕取词”,还需要做一些其它的工作,简单的说来,<br>可以把一个完整的取词过程归纳成以下几个步骤:<br>1. 安装鼠标钩子,通过钩子函数获得鼠标消息。<br>&nbsp; 使用到的api函数:setwindowshookex<br>2. 得到鼠标的当前位置,向鼠标下的窗口发重画消息,让它调用系统函数重画<br>窗口。<br>&nbsp; 使用到的api函数:windowfrompoint,screentoclient,invalidaterect<br>3. 截获对系统函数的调用,取得参数,也就是我们要取的词。<br>&nbsp; &nbsp;对于大多数的windows应用程序来说,如果要取词,我们需要截获的是<br>“gdi32.dll”中的“textouta”函数。<br>我们先仿照textouta函数写一个自己的mytextouta函数,如:<br>bool winapi mytextouta(hdc hdc, int nxstart, int nystart, lpcstr lpszstring,int cbstring)<br>{<br>&nbsp; &nbsp; &nbsp; &nbsp;// 这里进行输出lpszstring的处理<br>&nbsp; &nbsp; &nbsp; // 然后调用正版的textouta函数<br>}<br>&nbsp; &nbsp;把这个函数放在安装了钩子的动态连接库中,然后调用我们最后给出的<br>hookimportfunction函数来截获进程对textouta函数的调用,跳转到我们的<br>mytextouta函数,完成对输出字符串的捕捉。hookimportfunction的用法:<br><br>&nbsp;hookfuncdesc hd;<br>&nbsp;proc &nbsp; &nbsp; &nbsp; &nbsp; porigfuns;<br>&nbsp;hd.szfunc="textouta";<br>&nbsp;hd.pproc=(proc)mytextouta;<br>&nbsp;hookimportfunction (afxgetinstancehandle(),"gdi32.dll",&amp;hd,porigfuns);<br>下面给出了hookimportfunction的源代码,相信详尽的注释一定不会让您觉得理<br>解截获到底是怎么实现的很难,ok,let’s go:<br><br>///////////////////////////////////////////// begin ///////////////////////////////////////////////////////////////<br>#include &lt;crtdbg.h&gt;<br><br>// 这里定义了一个产生指针的宏<br>#define makeptr(cast, ptr, addvalue) (cast)((dword)(ptr)+(dword)(addvalue))<br><br>// 定义了hookfuncdesc结构,我们用这个结构作为参数传给hookimportfunction函数<br>typedef struct tag_hookfuncdesc<br>{<br>&nbsp; lpcstr szfunc; // the name of the function to hook.<br>&nbsp; proc pproc; &nbsp; &nbsp;// the procedure to blast in.<br>} hookfuncdesc , * lphookfuncdesc;<br><br>// 这个函数监测当前系统是否是windownt<br>bool isnt();<br><br>// 这个函数得到hmodule -- 即我们需要截获的函数所在的dll模块的引入描述符(import descriptor)<br>pimage_import_descriptor getnamedimportdescriptor(hmodule hmodule, lpcstr szimportmodule);<br><br>// 我们的主函数<br>bool hookimportfunction(hmodule hmodule, lpcstr szimportmodule, <br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;lphookfuncdesc pahookfunc, proc* paorigfuncs)<br>{<br>/////////////////////// 下面的代码检测参数的有效性 ////////////////////////////<br>&nbsp;_assert(szimportmodule);<br>&nbsp;_assert(!isbadreadptr(pahookfunc, sizeof(hookfuncdesc)));<br>#ifdef _debug<br>&nbsp;if (paorigfuncs) _assert(!isbadwriteptr(paorigfuncs, sizeof(proc)));<br>&nbsp;_assert(pahookfunc.szfunc);<br>&nbsp;_assert(*pahookfunc.szfunc != '/0');<br>&nbsp; &nbsp; &nbsp; &nbsp; _assert(!isbadcodeptr(pahookfunc.pproc));<br>#endif<br>&nbsp;if ((szimportmodule == null) || (isbadreadptr(pahookfunc, sizeof(hookfuncdesc))))<br>&nbsp;{<br>&nbsp; _assert(false);<br>&nbsp; setlasterrorex(error_invalid_parameter, sle_error);<br>&nbsp; return false;<br>&nbsp;}<br>//////////////////////////////////////////////////////////////////////////////<br><br>&nbsp;// 监测当前模块是否是在2gb虚拟内存空间之上<br>&nbsp;// 这部分的地址内存是属于win32进程共享的<br>&nbsp;if (!isnt() &amp;&amp; ((dword)hmodule &gt;= 0x80000000))<br>&nbsp;{<br>&nbsp; _assert(false);<br>&nbsp; setlasterrorex(error_invalid_handle, sle_error);<br>&nbsp; return false;<br>&nbsp;}<br>&nbsp; &nbsp; &nbsp;// 清零<br>&nbsp;if (paorigfuncs) memset(paorigfuncs, null, sizeof(proc)); <br><br>&nbsp;// 调用getnamedimportdescriptor()函数,来得到hmodule -- 即我们需要<br>&nbsp;// 截获的函数所在的dll模块的引入描述符(import descriptor)<br>&nbsp;pimage_import_descriptor pimportdesc = getnamedimportdescriptor(hmodule, szimportmodule);<br>&nbsp;if (pimportdesc == null)<br>&nbsp;return false; // 若为空,则模块未被当前进程所引入<br><br>&nbsp;// &nbsp;从dll模块中得到原始的thunk信息,因为pimportdesc-&gt;firstthunk数组中的原始信息已经<br>&nbsp;// &nbsp;在应用程序引入该dll时覆盖上了所有的引入信息,所以我们需要通过取得pimportdesc-&gt;originalfirstthunk<br>&nbsp;// &nbsp;指针来访问引入函数名等信息<br>&nbsp;pimage_thunk_data porigthunk = makeptr(pimage_thunk_data, hmodule, <br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;pimportdesc-&gt;originalfirstthunk);<br><br>&nbsp;// &nbsp;从pimportdesc-&gt;firstthunk得到image_thunk_data数组的指针,由于这里在dll被引入时已经填充了<br>&nbsp;// &nbsp;所有的引入信息,所以真正的截获实际上正是在这里进行的<br>&nbsp;pimage_thunk_data prealthunk = makeptr(pimage_thunk_data, hmodule, pimportdesc-&gt;firstthunk);<br><br>&nbsp;// &nbsp;穷举image_thunk_data数组,寻找我们需要截获的函数,这是最关键的部分!<br>&nbsp;while (porigthunk-&gt;u1.function)<br>&nbsp;{<br>&nbsp; // 只寻找那些按函数名而不是序号引入的函数<br>&nbsp; if (image_ordinal_flag != (porigthunk-&gt;u1.ordinal &amp; image_ordinal_flag))<br>&nbsp; {<br>&nbsp; &nbsp;// 得到引入函数的函数名<br>&nbsp; &nbsp;pimage_import_by_name pbyname = makeptr(pimage_import_by_name, hmodule,<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;porigthunk-&gt;u1.addressofdata);<br><br>&nbsp; &nbsp;// 如果函数名以null开始,跳过,继续下一个函数 &nbsp; <br>&nbsp; &nbsp;if ('/0' == pbyname-&gt;name[0])<br>&nbsp; &nbsp; continue;<br><br>&nbsp; &nbsp;// bdohook用来检查是否截获成功<br>&nbsp; &nbsp;bool bdohook = false;<br><br>&nbsp; &nbsp;// 检查是否当前函数是我们需要截获的函数<br>&nbsp; &nbsp;if ((pahookfunc.szfunc[0] == pbyname-&gt;name[0]) &amp;&amp;<br>&nbsp; &nbsp; (strcmpi(pahookfunc.szfunc, (char*)pbyname-&gt;name) == 0))<br>&nbsp; &nbsp;{<br>&nbsp; &nbsp; // 找到了!<br>&nbsp; &nbsp; if (pahookfunc.pproc)<br>&nbsp; &nbsp; bdohook = true;<br>&nbsp; &nbsp;}<br>&nbsp; &nbsp;if (bdohook)<br>&nbsp; &nbsp;{<br>&nbsp; &nbsp; // 我们已经找到了所要截获的函数,那么就开始动手吧<br>&nbsp; &nbsp; // 首先要做的是改变这一块虚拟内存的内存保护状态,让我们可以自由存取<br>&nbsp; &nbsp; memory_basic_information mbi_thunk;<br>&nbsp; &nbsp; virtualquery(prealthunk, &amp;mbi_thunk, sizeof(memory_basic_information));<br>&nbsp; &nbsp; _assert(virtualprotect(mbi_thunk.baseaddress, mbi_thunk.regionsize, <br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; page_readwrite, &amp;mbi_thunk.protect));<br><br>&nbsp; &nbsp; // 保存我们所要截获的函数的正确跳转地址<br>&nbsp; &nbsp; if (paorigfuncs)<br>&nbsp; &nbsp; &nbsp; paorigfuncs = (proc)prealthunk-&gt;u1.function;<br><br>&nbsp; &nbsp; // 将image_thunk_data数组中的函数跳转地址改写为我们自己的函数地址!<br>&nbsp; &nbsp; // 以后所有进程对这个系统函数的所有调用都将成为对我们自己编写的函数的调用<br>&nbsp; &nbsp; prealthunk-&gt;u1.function = (pdword)pahookfunc.pproc;<br><br>&nbsp; &nbsp; // 操作完毕!将这一块虚拟内存改回原来的保护状态<br>&nbsp; &nbsp; dword dwoldprotect;<br>&nbsp; &nbsp; _assert(virtualprotect(mbi_thunk.baseaddress, mbi_thunk.regionsize, <br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mbi_thunk.protect, &amp;dwoldprotect));<br>&nbsp; &nbsp; setlasterror(error_success);<br>&nbsp; &nbsp; return true;<br>&nbsp; &nbsp;}<br>&nbsp; }<br>&nbsp; // 访问image_thunk_data数组中的下一个元素<br>&nbsp; porigthunk++;<br>&nbsp; prealthunk++;<br>&nbsp;}<br>&nbsp;return true;<br>}<br><br>// getnamedimportdescriptor函数的实现<br>pimage_import_descriptor getnamedimportdescriptor(hmodule hmodule, lpcstr szimportmodule)<br>{<br>&nbsp;// 检测参数<br>&nbsp;_assert(szimportmodule);<br>&nbsp;_assert(hmodule);<br>&nbsp;if ((szimportmodule == null) || (hmodule == null))<br>&nbsp;{<br>&nbsp; _assert(false);<br>&nbsp; setlasterrorex(error_invalid_parameter, sle_error);<br>&nbsp; return null;<br>&nbsp;}<br><br>&nbsp;// 得到dos文件头<br>&nbsp;pimage_dos_header pdosheader = (pimage_dos_header) hmodule;<br><br>&nbsp;// 检测是否mz文件头<br>&nbsp;if (isbadreadptr(pdosheader, sizeof(image_dos_header)) || <br>&nbsp; (pdosheader-&gt;e_magic != image_dos_signature))<br>&nbsp;{<br>&nbsp; _assert(false);<br>&nbsp; setlasterrorex(error_invalid_parameter, sle_error);<br>&nbsp; return null;<br>&nbsp;}<br><br>&nbsp;// 取得pe文件头<br>&nbsp;pimage_nt_headers pntheader = makeptr(pimage_nt_headers, pdosheader, pdosheader-&gt;e_lfanew);<br><br>&nbsp;// 检测是否pe映像文件<br>&nbsp;if (isbadreadptr(pntheader, sizeof(image_nt_headers)) || <br>&nbsp; &nbsp;(pntheader-&gt;signature != image_nt_signature))<br>&nbsp;{<br>&nbsp; _assert(false);<br>&nbsp; setlasterrorex(error_invalid_parameter, sle_error);<br>&nbsp; return null;<br>&nbsp;}<br><br>&nbsp;// 检查pe文件的引入段(即 .idata section)<br>&nbsp;if (pntheader-&gt;optionalheader.datadirectory[image_directory_entry_import].virtualaddress == 0)<br>&nbsp; return null;<br><br>&nbsp;// 得到引入段(即 .idata section)的指针<br>&nbsp;pimage_import_descriptor pimportdesc = makeptr(pimage_import_descriptor, pdosheader,<br>&nbsp; pntheader-&gt;optionalheader.datadirectory[image_directory_entry_import].virtualaddress);<br><br>&nbsp;// 穷举pimage_import_descriptor数组寻找我们需要截获的函数所在的模块<br>&nbsp;while (pimportdesc-&gt;name)<br>&nbsp;{<br>&nbsp; pstr szcurrmod = makeptr(pstr, pdosheader, pimportdesc-&gt;name);<br>&nbsp; if (stricmp(szcurrmod, szimportmodule) == 0)<br>&nbsp; &nbsp; &nbsp; break; // 找到!中断循环<br>&nbsp; // 下一个元素<br>&nbsp; pimportdesc++;<br>&nbsp;}<br><br>&nbsp;// 如果没有找到,说明我们寻找的模块没有被当前的进程所引入!<br>&nbsp;if (pimportdesc-&gt;name == null)<br>&nbsp; return null;<br><br>&nbsp;// 返回函数所找到的模块描述符(import descriptor)<br>&nbsp;return pimportdesc;<br>}<br><br>// isnt()函数的实现<br>bool isnt()<br>{<br>&nbsp;osversioninfo stosvi;<br>&nbsp;memset(&amp;stosvi, null, sizeof(osversioninfo));<br>&nbsp;stosvi.dwosversioninfosize = sizeof(osversioninfo);<br>&nbsp;bool bret = getversionex(&amp;stosvi);<br>&nbsp;_assert(true == bret);<br>&nbsp;if (false == bret) return false;<br>&nbsp;return (ver_platform_win32_nt == stosvi.dwplatformid);<br>}<br>/////////////////////////////////////////////// end //////////////////////////////////////////////////////////////////////<br><br>&nbsp; &nbsp;不知道在这篇文章问世之前,有多少朋友尝试过去实现“鼠标屏幕取词”这<br>项充满了挑战的技术,也只有尝试过的朋友才能体会到其间的不易,尤其在探索<br>api函数的截获时,手头的几篇资料没有一篇是涉及到关键代码的,重要的地方<br>都是一笔代过,msdn更是显得苍白而无力,也不知道除了image_import_descriptor<br>和image_thunk_data,微软还隐藏了多少秘密,好在硬着头皮还是把它给攻克了,<br>希望这篇文章对大家能有所帮助。<br>
 
tieren.org/shellapi/homepage/hookshellapi.zip<br><br>要在2000/xp下。
 
我再说一下我的意思:<br>&nbsp; 我在作一个鼠标取词的东西,通过截获对TEXTOUT 等API函数的调用来达到屏幕取词的目的。<br>&nbsp; 我把一个用DELPHI编译好的EXE文件映射到内存<br>&nbsp; &nbsp;H:=CreateFile('C:/A.exe',GENERIC_READ,FILE_SHARE_READ,nil,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);<br>&nbsp; &nbsp;hMap:=CreateFileMapping(H,nil,PAGE_READONLY or SEC_COMMIT,0,0,nil);<br>&nbsp; &nbsp;hBase:=MapViewOfFile(hMap,FILE_MAP_READ,0,0,0);<br>&nbsp; &nbsp;if H=0 then exit;<br>&nbsp; &nbsp;// &nbsp;Finished Map File C:/A.exe<br><br><br>&nbsp; &nbsp;DOS:=PImageDosHeader(hBase);<br>&nbsp; &nbsp;if DOS.e_magic&lt;&gt;IMAGE_DOS_SIGNATURE then &nbsp;exit;<br>&nbsp; &nbsp;if IsBadReadPtr(DOS,Sizeof(DOS)) then exit;<br>&nbsp; &nbsp;NT:=PImageNTHeaders(DWORD(hBase)+DOS^._lfanew);<br>&nbsp; &nbsp;if NT.Signature&lt;&gt;IMAGE_NT_SIGNATURE then exit;<br>&nbsp; &nbsp;if IsBadReadPtr(DOS,Sizeof(NT)) then exit;<br>&nbsp; &nbsp;Memo1.Lines.Add('PE文件头基地址: '+IntToStr(Integer(hBase)));<br>&nbsp; &nbsp;//Obtained the PE_Header<br><br>&nbsp; &nbsp;RVA:=NT^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;<br>&nbsp; &nbsp;Descripter:=PImageImportDescriptor(DWORD(hBase)+RVA);<br>&nbsp; &nbsp;//Obtained the Import_Tabel Address<br><br>&nbsp; &nbsp;//Enter Into the Import_Tabel<br>&nbsp; &nbsp;while Descripter^.Name&lt;&gt;0 do<br>&nbsp; &nbsp;begin<br>&nbsp; &nbsp; &nbsp;Memo1.Lines.Add('引入文件名: ');<br>&nbsp; &nbsp; &nbsp;DLlName:=pChar(DWORD(hBase)+Descripter^.Name); &nbsp; /////////此句出错////////////////<br>&nbsp; &nbsp; &nbsp;.<br>&nbsp; &nbsp; &nbsp;.<br>&nbsp; &nbsp; &nbsp;.<br>&nbsp; &nbsp; Inc(Descripter);<br><br>&nbsp; &nbsp;end;<br><br>
 
bbs.whnet.edu.cn <br>武汉白云黄鹤上有delphi的源码。。。
 
各位虾哥虾姐,告诉我哪有Delphi的屏幕取词源码下载,好吗?<br>不要贴几年以前的代码!
 
http://go4.163.com/lovejingtao/
 
其实源码都帖在了上面,能用,只是有些不尽人意的地方!<br>------------------<br>求Delphi版屏幕取词源代码<br>http://www.delphibbs.com/delphibbs/dispq.asp?LID=996179<br>不怕死机的壮士请进!! <br>http://www.delphibbs.com/delphibbs/dispq.asp?lid=518043<br>记事本用什么函数输出文字?比如:exttextout,textout等<br>http://www.delphibbs.com/delphibbs/dispq.asp?lid=1028948<br>求屏幕取词的DELPHI源代码,十万火急!!! <br>http://www.delphibbs.com/delphibbs/dispq.asp?lid=130987<br><br>这些都是的
 
: swarmmail@163.net ,已经发送。<br>----<br>&nbsp;1.运行程序<br>&nbsp;2.将2个按钮都点击一下<br>&nbsp;3.打开delphi,将鼠标放在delphi的编辑器中,<br>&nbsp; &nbsp;能够将选中的代码(或字母单词)显示在Label2后面的Edit中。
 
我的代码,可以发给你<br>不过有些问题我没有研究。<br>工作于2000下。
 
已经发给你了,注意查收
 
huyugan,我已经收到了,谢谢,待我研究之后再酌情处理。
 
5555,酌情处理啊?<br>偶可是费了些功夫啊,全是俺写的,<br>俺有一些请求:请不要散布,因为现在不好,好多地方要改,别人看到了回笑话的。<br>以后偶做好了,自然会发布天下的。<br>哦,我想起来了,我在mail中说了
 
后退
顶部