/***********************************************************************
filename: EnumHook.cpp
author: cbntrt
createdate: 2007.11.16 am
modification log: 2007.11.16 am
comment: this file is converted from EnumHook.asm written by [email protected]
************************************************************************/
#include <windows.h>
#include <commctrl.h>
#include <TLHELP32.h>
#include "resource.h"
#include <winioctl.h>
#pragma comment(lib,"comctl32.lib")
// One hook record as returned by the driver through IOCTL_GET_HOOKINFO.
// The output buffer is read as a packed array of these records, so the field
// order and sizes here must stay identical to whatever the driver writes.
// NOTE(review): HANDLE changes size between 32- and 64-bit builds - confirm the
// driver's record layout before building this for anything but 32-bit.
typedef struct _HOOK_INFO
{
// Hook handle; shown as hex in the first list column.
HANDLE Handle;
// Added to FuncBaseAddr to form the hook procedure address that is displayed.
DWORD FuncOffset;
// Base address used to look up the owning module name; 0 means no lookup is done.
DWORD FuncBaseAddr;
// Hook type id (WH_* value); iHook+1 selects the row of szFlags.
DWORD iHook;
}HOOK_INFO,*LPHOOK_INFO;
// ---- forward declarations -------------------------------------------------

// Dialog procedure of the main window.
BOOL CALLBACK DlgProc(HWND hDlg, UINT uMsg, WPARAM wParam, LPARAM lParam);

// Driver service / control device lifetime.
BOOL OpenDevice(void);
void CloseDevice(void);

// List-view setup and population.
void Init(HWND hDlg);
void Refresh(void);
void InsertHookInfo(HWND hWnd, LPHOOK_INFO lpHookInfo, DWORD dwNum);

// Writes the name of the module loaded at dwBaseAddress into lpModuleName.
void GetHookModuleName(DWORD dwBaseAddress, char* lpModuleName);
////////////////////////////////////////////////////////second part end
////////////////////////////////////////////////////////third part
//#define WH_MSGFILTER -1
//#define WH_JOURNALRECORD 0
//#define WH_JOURNALPLAYBACK 1
//#define WH_KEYBOARD 2
//#define WH_GETMESSAGE 3
//#define WH_CALLWNDPROC 4
//#define WH_CBT 5
//#define WH_SYSMSGFILTER 6
//#define WH_MOUSE 7
//#define WH_HARDWARE 8
//#define WH_DEBUG 9
//#define WH_SHELL 10
//#define WH_FOREGROUNDIDLE 11
// Control code sent to the EnumHook device to fetch the hook table.
// The value must match the one compiled into the driver exactly.
#define IOCTL_GET_HOOKINFO \
    CTL_CODE(FILE_DEVICE_UNKNOWN,                  /* device type             */ \
             0x800,                                /* function number         */ \
             METHOD_BUFFERED,                      /* I/O manager copies data */ \
             FILE_READ_ACCESS|FILE_WRITE_ACCESS)   /* required handle access  */

// Capacity, in HOOK_INFO records, of the buffer handed to the driver.
#define MAX_HOOKS 100
// Module instance handle, set in WinMain.
HINSTANCE hInst = NULL;
// List-view control of the main dialog, set in Init().
HWND hList = NULL;
// Handle to the \\.\slEnumHook control device, set in OpenDevice().
HANDLE hDevice = NULL;

// List-view column captions (runtime strings, shown as-is in the UI).
char szHandle[] = "钩子句柄";
char szFunc[]   = "钩子函数地址";
char szType[]   = "钩子类型";
char szModule[] = "钩子所在模块";
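// Display names of the hook types, one fixed-width row per type.
// Row index = hook id + 1, because the first id (WH_MSGFILTER) is -1.
// The row width of 19 is the longest name (18 characters) plus the NUL.
// Fixed: two labels were misspelled ("WH_KEYBORD", "WH_DEBUGE").
char szFlags[13][19] = {
    "WH_MSGFILTER ",
    "WH_JOURNALRECORD ",
    "WH_JOURNALPLAYBACK",
    "WH_KEYBOARD ",
    "WH_GETMESSAGE ",
    "WH_CALLWNDPROC ",
    "WH_CBT ",
    "WH_SYSMSGFILTER ",
    "WH_MOUSE ",
    "WH_HARDWARE ",
    "WH_DEBUG ",
    "WH_SHELL ",
    "WH_FOREGROUNDIDLE "
};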
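/*
 * Program entry point.
 *
 * Opens (installing and starting if necessary) the EnumHook driver, reports
 * the outcome in a message box and, on success, runs the main dialog. The
 * driver service is stopped and removed again once the dialog is closed.
 *
 * Fixed: InitCommonControls() was called only after the dialog had already
 * been destroyed. It now runs before the dialog (which hosts a list-view
 * control) is created.
 */
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
    hInst = ::GetModuleHandle(NULL);

    const BOOL bRet = OpenDevice();
    if (bRet) {
        MessageBox(NULL, "Start Service Succeed", "Success", MB_OK);
    }
    else {
        MessageBox(NULL, "Failed to Start the Service!", "ERR", MB_OK);
    }

    if (bRet) {
        // Register the common-control window classes before the dialog template is instantiated.
        ::InitCommonControls();
        ::DialogBoxParam(hInst, MAKEINTRESOURCE(IDD_DIALOG_MAIN), NULL, DlgProc, 0);
        // Unload the driver so it does not stay resident after the tool exits.
        CloseDevice();
    }

    ::ExitProcess(0);
    return 0;   // not reached; keeps the compiler satisfied
}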
/*
 * Dialog procedure of the main window.
 *
 *   WM_INITDIALOG            - sets up the list-view columns.
 *   WM_COMMAND / IDC_REFRESH - clears the list and re-queries the driver.
 *   WM_COMMAND / IDC_CLOSE   - ends the dialog.
 *
 * Returns 0 for every message, handled or not.
 */
BOOL CALLBACK DlgProc(HWND hDlg,UINT uMsg,WPARAM wParam,LPARAM lParam)
{
    if (WM_INITDIALOG == uMsg) {
        Init(hDlg);
        return 0;
    }

    if (WM_COMMAND != uMsg) {
        return 0;
    }

    const WORD wCtrlId = LOWORD(wParam);
    if (IDC_REFRESH == wCtrlId) {
        MessageBox(hDlg, "refresh", "receive message", MB_OK);
        // Drop the rows from the previous query before repopulating.
        SendMessage(hList, LVM_DELETEALLITEMS, 0, 0);
        Refresh();
    }
    else if (IDC_CLOSE == wCtrlId) {
        EndDialog(hDlg, 0);
    }
    return 0;
}
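/*
 * Opens the \\.\slEnumHook control device and stores the handle in hDevice.
 *
 * If the device cannot be opened, the driver is assumed to be not installed
 * or not started: the "EnumHook" service is started if it exists, otherwise
 * it is created as a demand-start kernel driver and then started. The device
 * open is retried afterwards.
 *
 * Returns TRUE when hDevice is a usable handle, FALSE otherwise.
 *
 * Changes from the original:
 *  - The driver image path is built from the directory of this executable
 *    instead of the current working directory. The working directory is
 *    chosen by whoever launches the process, so resolving "EnumHook.sys"
 *    against it lets an unrelated file of that name be registered as a
 *    kernel driver. EnumHook.sys must therefore sit next to the .exe.
 *  - Path construction is checked for failure and truncation. No service is
 *    created when the path cannot be built.
 *  - Service handles use SC_HANDLE, the type the SCM functions expect.
 *
 * NOTE(review): nothing here verifies that the .sys file is the expected
 * binary (signature or hash). Installing it requires administrative rights.
 */
BOOL OpenDevice(void)
{
    SC_HANDLE hSCManager = NULL;
    SC_HANDLE hService = NULL;
    char szDriverPath[MAX_PATH];
    static const char szDriverFile[] = "EnumHook.sys";

    // Fast path: the driver is already loaded and its device exists.
    hDevice = ::CreateFile("\\\\.\\slEnumHook",
                           GENERIC_READ|GENERIC_WRITE,
                           FILE_SHARE_READ|FILE_SHARE_WRITE,
                           NULL,
                           OPEN_EXISTING,
                           0, NULL);
    if (INVALID_HANDLE_VALUE != hDevice) {
        return TRUE;
    }

    // The open failed, so the driver is either not installed or not started.
    hSCManager = ::OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
    if (NULL != hSCManager) {
        // Already installed: just start it.
        hService = ::OpenService(hSCManager, "EnumHook", SERVICE_START|DELETE);
        if (NULL != hService) {
            ::StartService(hService, 0, NULL);
            ::CloseServiceHandle(hService);
        }
        else {
            // Not installed: register the driver image located beside this executable.
            char* pszFileName = NULL;
            const DWORD dwLen = ::GetModuleFileName(NULL, szDriverPath, MAX_PATH);
            if (dwLen > 0 && dwLen < MAX_PATH) {
                // CharNext keeps the scan correct on double-byte code pages,
                // where a trail byte may have the same value as a backslash.
                for (char* p = szDriverPath; *p != '\0'; p = ::CharNext(p)) {
                    if ('\\' == *p) {
                        pszFileName = p + 1;
                    }
                }
            }

            if (NULL != pszFileName &&
                (size_t)(pszFileName - szDriverPath) + sizeof(szDriverFile) <= sizeof(szDriverPath)) {
                // Replace the executable's file name with the driver's file name.
                ::lstrcpyn(pszFileName, szDriverFile,
                           (int)(sizeof(szDriverPath) - (size_t)(pszFileName - szDriverPath)));

                hService = ::CreateService(hSCManager, "EnumHook",
                                           "ZTS's Enumerate Global Windows Service",
                                           SERVICE_START|DELETE,
                                           SERVICE_KERNEL_DRIVER,
                                           SERVICE_DEMAND_START,
                                           SERVICE_ERROR_IGNORE,
                                           szDriverPath,
                                           NULL, NULL, NULL, NULL, NULL);
                if (NULL != hService) {
                    ::StartService(hService, 0, NULL);
                    ::CloseServiceHandle(hService);
                }
            }
        }
        ::CloseServiceHandle(hSCManager);
    }

    // The driver should be running now; try the device once more.
    hDevice = ::CreateFile("\\\\.\\slEnumHook",
                           GENERIC_READ|GENERIC_WRITE,
                           FILE_SHARE_READ|FILE_SHARE_WRITE,
                           NULL,
                           OPEN_EXISTING,
                           0, NULL);
    if (INVALID_HANDLE_VALUE == hDevice) {
        return FALSE;
    }
    return TRUE;
}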
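/*
 * Closes the control device and removes the driver again: the "EnumHook"
 * service is sent a stop request and marked for deletion, so the kernel
 * driver does not stay installed after the tool exits.
 *
 * Changes from the original:
 *  - The handle test also rejects INVALID_HANDLE_VALUE, which is what
 *    CreateFile leaves in hDevice on failure. The old `if(hDevice)` test
 *    passed that value on to CloseHandle.
 *  - hDevice is reset after closing so a stale handle cannot be reused.
 *  - Service handles use SC_HANDLE, the type the SCM functions expect.
 */
void CloseDevice(void)
{
    SC_HANDLE hSCManager = NULL;
    SC_HANDLE hService = NULL;
    SERVICE_STATUS sest;

    if (NULL != hDevice && INVALID_HANDLE_VALUE != hDevice) {
        ::CloseHandle(hDevice);
    }
    hDevice = INVALID_HANDLE_VALUE;

    hSCManager = ::OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT);
    if (NULL != hSCManager) {
        hService = ::OpenService(hSCManager, "EnumHook", SERVICE_STOP|DELETE);
        if (NULL != hService) {
            // Best effort: failures to stop or delete are not reported.
            ::ControlService(hService, SERVICE_CONTROL_STOP, &sest);
            ::DeleteService(hService);
            ::CloseServiceHandle(hService);
        }
        ::CloseServiceHandle(hSCManager);
    }
}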
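/*
 * Prepares the list-view of the main dialog: caches its window handle in
 * hList, inserts the four columns (handle, function address, type, module)
 * and switches on full-row selection.
 *
 * hWnd - the dialog that owns the IDC_LIST control.
 *
 * Changes from the original:
 *  - The LV_COLUMN pointer is passed as LPARAM. The old cast to long would
 *    truncate the pointer on 64-bit Windows.
 *  - The mask flags are combined with `|` instead of `+`.
 *  - The LV_COLUMN structure is zero-initialised before use.
 */
void Init(HWND hWnd)
{
    struct ColumnDef
    {
        char* pszCaption;
        int   cx;
    };
    const ColumnDef columns[] = {
        { szHandle, 100 },   // hook handle
        { szFunc,   100 },   // hook procedure address
        { szType,   120 },   // hook type
        { szModule, 400 },   // module name
    };

    hList = GetDlgItem(hWnd, IDC_LIST);

    LV_COLUMN lvc;
    ZeroMemory(&lvc, sizeof(lvc));
    lvc.mask = LVCF_TEXT | LVCF_WIDTH;

    for (int i = 0; i < (int)(sizeof(columns) / sizeof(columns[0])); ++i) {
        lvc.pszText = columns[i].pszCaption;
        lvc.cx = columns[i].cx;
        SendMessage(hList, LVM_INSERTCOLUMN, (WPARAM)i, (LPARAM)&lvc);
    }

    // Extended style: selecting a row highlights every column.
    SendMessage(hList, LVM_SETEXTENDEDLISTVIEWSTYLE, LVS_EX_FULLROWSELECT,
                LVS_EX_FULLROWSELECT);
}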
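/*
 * Asks the driver for the current hook table (IOCTL_GET_HOOKINFO) and adds
 * one list-view row per returned HOOK_INFO record.
 *
 * Changes from the original:
 *  - The GlobalAlloc buffer is freed. The old loop advanced the only pointer
 *    to it and never released the memory, leaking it on every refresh.
 *  - Records are addressed as lpHookInfo + i. The old code advanced the
 *    pointer through a (DWORD) cast, which truncates on 64-bit Windows.
 *  - The function returns early when the device handle is invalid or the
 *    allocation fails, instead of issuing the IOCTL anyway.
 *  - The record count derived from the driver's byte count is capped at
 *    MAX_HOOKS, so a wrong byte count cannot push reads past the buffer.
 */
void Refresh(void)
{
    const DWORD dwMaxHook = sizeof(HOOK_INFO) * MAX_HOOKS;
    DWORD dwByteReturned = 0;

    if (INVALID_HANDLE_VALUE == hDevice) {
        MessageBox(NULL, "hDevice is not valid!", "ERR", MB_OK);
        return;
    }

    HOOK_INFO* const lpHookInfo =
        (HOOK_INFO*)GlobalAlloc(GMEM_FIXED|GMEM_ZEROINIT, dwMaxHook);
    if (NULL == lpHookInfo) {
        MessageBox(NULL, "GlobalAlloc failed!", "ERR", MB_OK);
        return;
    }

    const BOOL bRet = ::DeviceIoControl(hDevice, IOCTL_GET_HOOKINFO, NULL, 0,
                                        lpHookInfo, dwMaxHook, &dwByteReturned, NULL);
    if (bRet) {
        MessageBox(NULL, "DeviceIoControl succeed!", "Success", MB_OK);
    }
    else {
        MessageBox(NULL, "DeviceIoControl call failed!", "ERROR", MB_OK);
    }

    if (0 != dwByteReturned) {
        DWORD dwHookNum = dwByteReturned / sizeof(HOOK_INFO);
        // The byte count is reported by the driver; never trust it beyond
        // the size of the buffer that was actually handed over.
        if (dwHookNum > MAX_HOOKS) {
            dwHookNum = MAX_HOOKS;
        }
        for (DWORD i = 0; i < dwHookNum; ++i) {
            InsertHookInfo(hList, lpHookInfo + i, i);
        }
    }
    else {
        MessageBox(NULL, "Receive no hookinfo", "error", MB_OK);
    }

    GlobalFree((HGLOBAL)lpHookInfo);
    return;
}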
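/*
 * Adds one row to the list-view for a single hook record.
 *
 * hWnd       - the list-view control.
 * lpHookInfo - the record to display (the record itself, not the array base).
 * dwNum      - row index to insert at.
 *
 * Columns: handle (hex), hook procedure address (FuncBaseAddr + FuncOffset,
 * hex), hook type name, and the owning module's name when FuncBaseAddr is
 * non-zero.
 *
 * Changes from the original:
 *  - iHook comes from the driver and was used unchecked to compute an
 *    offset into szFlags. An out-of-range value made the list-view read
 *    past the table. Unknown ids are now shown as "UNKNOWN (n)".
 *  - The LV_ITEM pointer is passed as LPARAM. The old cast to long would
 *    truncate the pointer on 64-bit Windows.
 *  - The LV_ITEM structure is zero-initialised before use.
 */
void InsertHookInfo(HWND hWnd,HOOK_INFO* lpHookInfo,DWORD dwNum)
{
    LV_ITEM lvi;
    char Buf[MAX_PATH];
    char szUnknownType[32];
    const HOOK_INFO* const pHookInfo = lpHookInfo;

    ZeroMemory(&lvi, sizeof(lvi));
    lvi.mask = LVIF_TEXT;
    lvi.iItem = (int)dwNum;

    // Column 0: hook handle.
    wsprintf(Buf, "%08X", (UINT)(UINT_PTR)pHookInfo->Handle);
    lvi.iSubItem = 0;
    lvi.pszText = Buf;
    SendMessage(hWnd, LVM_INSERTITEM, 0, (LPARAM)&lvi);

    // Column 1: hook procedure address.
    const DWORD dwFuncAddr = pHookInfo->FuncOffset + pHookInfo->FuncBaseAddr;
    wsprintf(Buf, "%08X", dwFuncAddr);
    lvi.iSubItem = 1;
    lvi.pszText = Buf;
    SendMessage(hWnd, LVM_SETITEM, 0, (LPARAM)&lvi);

    // Column 2: hook type. Hook ids start at -1, so id + 1 is the table row.
    // Unsigned wrap-around maps an id of 0xFFFFFFFF (-1) to row 0.
    const DWORD dwRow = pHookInfo->iHook + 1;
    lvi.iSubItem = 2;
    if (dwRow < sizeof(szFlags) / sizeof(szFlags[0])) {
        lvi.pszText = szFlags[dwRow];
    }
    else {
        wsprintf(szUnknownType, "UNKNOWN (%u)", pHookInfo->iHook);
        lvi.pszText = szUnknownType;
    }
    SendMessage(hWnd, LVM_SETITEM, 0, (LPARAM)&lvi);

    // Column 3: module name, only when a base address is known.
    if (0 != pHookInfo->FuncBaseAddr) {
        memset(Buf, 0, sizeof(Buf));
        GetHookModuleName(pHookInfo->FuncBaseAddr, Buf);
        lvi.iSubItem = 3;
        lvi.pszText = Buf;
        SendMessage(hWnd, LVM_SETITEM, 0, (LPARAM)&lvi);
    }
    return;
}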
void GetHookModuleName(DWORD dwBaseAddress,char* lpModuleName)
{
MODULEENTRY32 stModule;
HANDLE hSnapshot;
RtlZeroMemory(&stModule,sizeof(MODULEENTRY32));
stModule.dwSize=sizeof(MODULEENTRY32);
hSnapshot=CreateToolhelp3