如何用hook实现监视对任意文件的读操作 rt,小弟想用hook实现对windows中文件读取(打开)操作进行监视,(不用hook也行)。windows中对文件的操作小弟知道有个shfoperation(名字好像是这个)。是不是hook这个函数就可以实现。如果有实现代码,另开贴送100分 解决方案 » 免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货 以前C#很简单用FileSystemWatcher就可以了至于delphi我就随便铁代码了错了不要建议-------------------利用未公开函数实现Shell操作监视 TechnoFantasy(原作) 关键字 利用未公开函数实现Shell操作监视 利用未公开函数实现Shell操作监视 wwwa.applevb.com 在Windows下有一个未公开函数SHChangeNotifyRegister可以吧你的窗口添加到系统的系统消息监视链中,该函数在Delphi中的定义如下:Function SHChangeNotifyRegister(hWnd,uFlags,dwEventID,uMSG,cItems:LongWord; lpps:PIDLSTRUCT):integer;stdcall;external 'Shell32.dll' index 2;其中参数hWnd定义了监视系统操作的窗口得句柄,参数uFlags dwEventID定义监视操作参数,参数uMsg定义操作消息,参数cItems定义附加参数,参数lpps指定一个PIDLSTRUCT结构,该结构指定监视的目录。 当函数调用成功之后,函数会返回一个监视操作句柄,同时系统就会将hWnd指定的窗口加入到操作监视链中,当有文件操作发生时,系统会向hWnd发送uMsg指定的消息,我们只要在程序中加入该消息的处理函数就可以实现对系统操作的监视了。如果要退出程序监视,就要调用另外一个未公开得函数SHChangeNotifyDeregister来取消程序监视。 下面是使用Delphi编写的具体程序实现范例,首先建立一个新的工程文件,然后在Form1中加入一个Button控件和一个Memo控件,程序的代码如下: unit Unit1;interfaceuses Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs, StdCtrls,shlobj,Activex;const SHCNE_RENAMEITEM = $1; SHCNE_CREATE = $2; SHCNE_DELETE = $4; SHCNE_MKDIR = $8; SHCNE_RMDIR = $10; SHCNE_MEDIAINSERTED = $20; SHCNE_MEDIAREMOVED = $40; SHCNE_DRIVEREMOVED = $80; SHCNE_DRIVEADD = $100; SHCNE_NETSHARE = $200; SHCNE_NETUNSHARE = $400; SHCNE_ATTRIBUTES = $800; SHCNE_UPDATEDIR = $1000; SHCNE_UPDATEITEM = $2000; SHCNE_SERVERDISCONNECT = $4000; SHCNE_UPDATEIMAGE = $8000; SHCNE_DRIVEADDGUI = $10000; SHCNE_RENAMEFOLDER = $20000; SHCNE_FREESPACE = $40000; SHCNE_ASSOCCHANGED = $8000000; SHCNE_DISKEVENTS = $2381F; SHCNE_GLOBALEVENTS = $C0581E0; SHCNE_ALLEVENTS = $7FFFFFFF; SHCNE_INTERRUPT = $80000000; SHCNF_IDLIST = 0; // LPITEMIDLIST SHCNF_PATHA = $1; // path name SHCNF_PRINTERA = $2; // printer friendly name SHCNF_DWORD = $3; // DWORD SHCNF_PATHW = $5; // path name SHCNF_PRINTERW = $6; // printer friendly name SHCNF_TYPE = $FF; SHCNF_FLUSH = $1000; SHCNF_FLUSHNOWAIT = $2000; SHCNF_PATH = SHCNF_PATHW; SHCNF_PRINTER = SHCNF_PRINTERW; WM_SHNOTIFY = $401; NOERROR = 0;type TForm1 = class(TForm) Button1: TButton; Memo1: TMemo; procedure FormClose(Sender: TObject; var Action: TCloseAction); procedure Button1Click(Sender: TObject); procedure FormCreate(Sender: TObject); private { Private declarations } procedure WMShellReg(var Message:TMessage);message WM_SHNOTIFY; public { Public declarations } end;type PSHNOTIFYSTRUCT=^SHNOTIFYSTRUCT; SHNOTIFYSTRUCT = record dwItem1 : PItemIDList; dwItem2 : PItemIDList; end;Type PSHFileInfoByte=^SHFileInfoByte; _SHFileInfoByte = record hIcon :Integer; iIcon :Integer; dwAttributes : Integer; szDisplayName : array [0..259] of char; szTypeName : array [0..79] of char; end; SHFileInfoByte=_SHFileInfoByte;Type PIDLSTRUCT = ^IDLSTRUCT; _IDLSTRUCT = record pidl : PItemIDList; bWatchSubFolders : Integer; end; IDLSTRUCT =_IDLSTRUCT;function SHNotify_Register(hWnd : Integer) : Bool;function SHNotify_UnRegister:Bool;function SHEventName(strPath1,strPath2:string;lParam:Integer):string;Function SHChangeNotifyDeregister(hNotify:integer):integer;stdcall; external 'Shell32.dll' index 4;Function SHChangeNotifyRegister(hWnd,uFlags,dwEventID,uMSG,cItems:LongWord; lpps:PIDLSTRUCT):integer;stdcall;external 'Shell32.dll' index 2;Function SHGetFileInfoPidl(pidl : PItemIDList; dwFileAttributes : Integer; psfib : PSHFILEINFOBYTE; cbFileInfo : Integer; uFlags : Integer):Integer;stdcall; external 'Shell32.dll' name 'SHGetFileInfoA';var Form1: TForm1; m_hSHNotify:Integer; m_pidlDesktop : PItemIDList;implementation{$R *.DFM}function SHEventName(strPath1,strPath2:string;lParam:Integer):string;var sEvent:String;begin case lParam of file://根据参数设置提示消息 SHCNE_RENAMEITEM: sEvent := '重命名文件'+strPath1+'为'+strpath2; SHCNE_CREATE: sEvent := '建立文件 文件名:'+strPath1; SHCNE_DELETE: sEvent := '删除文件 文件名:'+strPath1; SHCNE_MKDIR: sEvent := '新建目录 目录名:'+strPath1; SHCNE_RMDIR: sEvent := '删除目录 目录名:'+strPath1; SHCNE_MEDIAINSERTED: sEvent := strPath1+'中插入可移动存储介质'; SHCNE_MEDIAREMOVED: sEvent := strPath1+'中移去可移动存储介质'+strPath1+' '+strpath2; SHCNE_DRIVEREMOVED: sEvent := '移去驱动器'+strPath1; SHCNE_DRIVEADD: sEvent := '添加驱动器'+strPath1; SHCNE_NETSHARE: sEvent := '改变目录'+strPath1+'的共享属性'; SHCNE_ATTRIBUTES: sEvent := '改变文件目录属性 文件名'+strPath1; SHCNE_UPDATEDIR: sEvent := '更新目录'+strPath1; SHCNE_UPDATEITEM: sEvent := '更新文件 文件名:'+strPath1; SHCNE_SERVERDISCONNECT: sEvent := '断开与服务器的连接'+strPath1+' '+strpath2; SHCNE_UPDATEIMAGE: sEvent := 'SHCNE_UPDATEIMAGE'; SHCNE_DRIVEADDGUI: sEvent := 'SHCNE_DRIVEADDGUI'; SHCNE_RENAMEFOLDER: sEvent := '重命名文件夹'+strPath1+'为'+strpath2; SHCNE_FREESPACE: sEvent := '磁盘空间大小改变'; SHCNE_ASSOCCHANGED: sEvent := '改变文件关联'; else sEvent:='未知操作'+IntToStr(lParam); end; Result:=sEvent;end;function SHNotify_Register(hWnd : Integer) : Bool;var ps:PIDLSTRUCT;begin {$R-} Result:=False; If m_hSHNotify = 0 then begin file://获取桌面文件夹的Pidl if SHGetSpecialFolderLocation(0, CSIDL_DESKTOP, m_pidlDesktop)<> NOERROR then Form1.close; if Boolean(m_pidlDesktop) then begin ps.bWatchSubFolders := 1; ps.pidl := m_pidlDesktop; // 利用SHChangeNotifyRegister函数注册系统消息处理 m_hSHNotify := SHChangeNotifyRegister(hWnd, (SHCNF_TYPE Or SHCNF_IDLIST), (SHCNE_ALLEVENTS Or SHCNE_INTERRUPT), WM_SHNOTIFY, 1, ps); Result := Boolean(m_hSHNotify); end Else // 如果出现错误就使用 CoTaskMemFree函数来释放句柄 CoTaskMemFree(m_pidlDesktop); End; {$R+}end;function SHNotify_UnRegister:Bool;begin Result:=False; If Boolean(m_hSHNotify) Then file://取消系统消息监视,同时释放桌面的Pidl If Boolean(SHChangeNotifyDeregister(m_hSHNotify)) Then begin {$R-} m_hSHNotify := 0; CoTaskMemFree(m_pidlDesktop); Result := True; {$R-} End;end;procedure TForm1.WMShellReg(var Message:TMessage); file://系统消息处理函数var strPath1,strPath2:String; charPath:array[0..259]of char; pidlItem:PSHNOTIFYSTRUCT;begin pidlItem:=PSHNOTIFYSTRUCT(Message.wParam); file://获得系统消息相关得路径 SHGetPathFromIDList(pidlItem.dwItem1,charPath); strPath1:=charPath; SHGetPathFromIDList(pidlItem.dwItem2,charPath); strPath2:=charPath; Memo1.Lines.Add(SHEvEntName(strPath1,strPath2,Message.lParam)+chr(13)+chr(10));end;procedure TForm1.FormClose(Sender: TObject; var Action: TCloseAction);begin file://在程序退出的同时删除监视 if Boolean(m_pidlDesktop) then SHNotify_Unregister;end;procedure TForm1.Button1Click(Sender: TObject); file://Button1的Click消息begin m_hSHNotify:=0; if SHNotify_Register(Form1.Handle) then begin file://注册Shell监视 ShowMessage('Shell监视程序成功注册'); Button1.Enabled := False; end else ShowMessage('Shell监视程序注册失败');end;procedure TForm1.FormCreate(Sender: TObject);begin Button1.Caption := '打开监视';end;end. 运行程序,点击“打开监视”按钮,如果出现一个显示“Shell监视程序成功注册”的对话框,说明Form1已经加入到系 上面的代码运行没有成功procedure TForm1.Button1Click(Sender: TObject); file://Button1的Click消息file那里 是什么?我把它注释掉了 把这代码里面所有的 file: 去掉再试试^_^ 去掉了以后能通过编译,但是运行就出现access violation.没办法了 各位指点一下吧,实在不懂hook DataSet导出Execl格式问题 关于勾子回调函数中参数的问题 Delphi运行问题请教 图象导出的问题——高分相送 请教:如何给access数据库,文本字段赋空值?谢谢! 如何实现双屏显示(两个屏幕显示的内容不一样) 关于com+的,我是新手 sqlserver 2000 里建的表怎么是只读的呀 请问那里有好的编辑文本的类似于richview的控件。 这段代码如何简写呢? 不同网段 连接问题 再次感谢 constantine(飘遥的安吉儿) !
用FileSystemWatcher就可以了
至于delphi
我就随便铁代码了
错了不要建议
-------------------
利用未公开函数实现Shell操作监视 TechnoFantasy(原作)
关键字 利用未公开函数实现Shell操作监视
利用未公开函数实现Shell操作监视 wwwa.applevb.com 在Windows下有一个未公开函数SHChangeNotifyRegister可以吧你的窗口添加到系统的系统消息监视链中,该函数在Delphi
中的定义如下:
Function SHChangeNotifyRegister(hWnd,uFlags,dwEventID,uMSG,cItems:LongWord;
lpps:PIDLSTRUCT):integer;stdcall;external 'Shell32.dll' index 2;
其中参数hWnd定义了监视系统操作的窗口得句柄,参数uFlags dwEventID定义监视操作参数,参数uMsg定义操作消息,参数cItems
定义附加参数,参数lpps指定一个PIDLSTRUCT结构,该结构指定监视的目录。
当函数调用成功之后,函数会返回一个监视操作句柄,同时系统就会将hWnd指定的窗口加入到操作监视链中,当有文件操作发生
时,系统会向hWnd发送uMsg指定的消息,我们只要在程序中加入该消息的处理函数就可以实现对系统操作的监视了。
如果要退出程序监视,就要调用另外一个未公开得函数SHChangeNotifyDeregister来取消程序监视。
下面是使用Delphi编写的具体程序实现范例,首先建立一个新的工程文件,然后在Form1中加入一个Button控件和一个Memo控件,
程序的代码如下:
Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
StdCtrls,shlobj,Activex;const
SHCNE_RENAMEITEM = $1;
SHCNE_CREATE = $2;
SHCNE_DELETE = $4;
SHCNE_MKDIR = $8;
SHCNE_RMDIR = $10;
SHCNE_MEDIAINSERTED = $20;
SHCNE_MEDIAREMOVED = $40;
SHCNE_DRIVEREMOVED = $80;
SHCNE_DRIVEADD = $100;
SHCNE_NETSHARE = $200;
SHCNE_NETUNSHARE = $400;
SHCNE_ATTRIBUTES = $800;
SHCNE_UPDATEDIR = $1000;
SHCNE_UPDATEITEM = $2000;
SHCNE_SERVERDISCONNECT = $4000;
SHCNE_UPDATEIMAGE = $8000;
SHCNE_DRIVEADDGUI = $10000;
SHCNE_RENAMEFOLDER = $20000;
SHCNE_FREESPACE = $40000;
SHCNE_ASSOCCHANGED = $8000000;
SHCNE_DISKEVENTS = $2381F;
SHCNE_GLOBALEVENTS = $C0581E0;
SHCNE_ALLEVENTS = $7FFFFFFF;
SHCNE_INTERRUPT = $80000000; SHCNF_IDLIST = 0; // LPITEMIDLIST
SHCNF_PATHA = $1; // path name
SHCNF_PRINTERA = $2; // printer friendly name
SHCNF_DWORD = $3; // DWORD
SHCNF_PATHW = $5; // path name
SHCNF_PRINTERW = $6; // printer friendly name
SHCNF_TYPE = $FF; SHCNF_FLUSH = $1000; SHCNF_FLUSHNOWAIT = $2000;
SHCNF_PATH = SHCNF_PATHW;
SHCNF_PRINTER = SHCNF_PRINTERW; WM_SHNOTIFY = $401;
NOERROR = 0;type
TForm1 = class(TForm)
Button1: TButton;
Memo1: TMemo;
procedure FormClose(Sender: TObject; var Action: TCloseAction);
procedure Button1Click(Sender: TObject);
procedure FormCreate(Sender: TObject);
private
{ Private declarations }
procedure WMShellReg(var Message:TMessage);message WM_SHNOTIFY;
public
{ Public declarations }
end;type PSHNOTIFYSTRUCT=^SHNOTIFYSTRUCT;
SHNOTIFYSTRUCT = record
dwItem1 : PItemIDList;
dwItem2 : PItemIDList;
end;Type PSHFileInfoByte=^SHFileInfoByte;
_SHFileInfoByte = record
hIcon :Integer;
iIcon :Integer;
dwAttributes : Integer;
szDisplayName : array [0..259] of char;
szTypeName : array [0..79] of char;
end;
SHFileInfoByte=_SHFileInfoByte;Type PIDLSTRUCT = ^IDLSTRUCT;
_IDLSTRUCT = record
pidl : PItemIDList;
bWatchSubFolders : Integer;
end;
IDLSTRUCT =_IDLSTRUCT;
function SHNotify_Register(hWnd : Integer) : Bool;
function SHNotify_UnRegister:Bool;
function SHEventName(strPath1,strPath2:string;lParam:Integer):string;Function SHChangeNotifyDeregister(hNotify:integer):integer;stdcall;
external 'Shell32.dll' index 4;
Function SHChangeNotifyRegister(hWnd,uFlags,dwEventID,uMSG,cItems:LongWord;
lpps:PIDLSTRUCT):integer;stdcall;external 'Shell32.dll' index 2;
Function SHGetFileInfoPidl(pidl : PItemIDList;
dwFileAttributes : Integer;
psfib : PSHFILEINFOBYTE;
cbFileInfo : Integer;
uFlags : Integer):Integer;stdcall;
external 'Shell32.dll' name 'SHGetFileInfoA';var
Form1: TForm1;
m_hSHNotify:Integer;
m_pidlDesktop : PItemIDList;implementation{$R *.DFM}function SHEventName(strPath1,strPath2:string;lParam:Integer):string;
var
sEvent:String;
begin
case lParam of file://根据参数设置提示消息
SHCNE_RENAMEITEM: sEvent := '重命名文件'+strPath1+'为'+strpath2;
SHCNE_CREATE: sEvent := '建立文件 文件名:'+strPath1;
SHCNE_DELETE: sEvent := '删除文件 文件名:'+strPath1;
SHCNE_MKDIR: sEvent := '新建目录 目录名:'+strPath1;
SHCNE_RMDIR: sEvent := '删除目录 目录名:'+strPath1;
SHCNE_MEDIAINSERTED: sEvent := strPath1+'中插入可移动存储介质';
SHCNE_MEDIAREMOVED: sEvent := strPath1+'中移去可移动存储介质'+strPath1+' '+strpath2;
SHCNE_DRIVEREMOVED: sEvent := '移去驱动器'+strPath1;
SHCNE_DRIVEADD: sEvent := '添加驱动器'+strPath1;
SHCNE_NETSHARE: sEvent := '改变目录'+strPath1+'的共享属性'; SHCNE_ATTRIBUTES: sEvent := '改变文件目录属性 文件名'+strPath1;
SHCNE_UPDATEDIR: sEvent := '更新目录'+strPath1;
SHCNE_UPDATEITEM: sEvent := '更新文件 文件名:'+strPath1;
SHCNE_SERVERDISCONNECT: sEvent := '断开与服务器的连接'+strPath1+' '+strpath2;
SHCNE_UPDATEIMAGE: sEvent := 'SHCNE_UPDATEIMAGE';
SHCNE_DRIVEADDGUI: sEvent := 'SHCNE_DRIVEADDGUI';
SHCNE_RENAMEFOLDER: sEvent := '重命名文件夹'+strPath1+'为'+strpath2;
SHCNE_FREESPACE: sEvent := '磁盘空间大小改变';
SHCNE_ASSOCCHANGED: sEvent := '改变文件关联';
else
sEvent:='未知操作'+IntToStr(lParam);
end;
Result:=sEvent;
end;function SHNotify_Register(hWnd : Integer) : Bool;
var
ps:PIDLSTRUCT;
begin
{$R-}
Result:=False;
If m_hSHNotify = 0 then begin
file://获取桌面文件夹的Pidl
if SHGetSpecialFolderLocation(0, CSIDL_DESKTOP,
m_pidlDesktop)<> NOERROR then
Form1.close;
if Boolean(m_pidlDesktop) then begin
ps.bWatchSubFolders := 1;
ps.pidl := m_pidlDesktop; // 利用SHChangeNotifyRegister函数注册系统消息处理
m_hSHNotify := SHChangeNotifyRegister(hWnd, (SHCNF_TYPE Or SHCNF_IDLIST),
(SHCNE_ALLEVENTS Or SHCNE_INTERRUPT),
WM_SHNOTIFY, 1, ps);
Result := Boolean(m_hSHNotify);
end
Else
// 如果出现错误就使用 CoTaskMemFree函数来释放句柄
CoTaskMemFree(m_pidlDesktop);
End;
{$R+}
end;function SHNotify_UnRegister:Bool;
begin
Result:=False;
If Boolean(m_hSHNotify) Then
file://取消系统消息监视,同时释放桌面的Pidl
If Boolean(SHChangeNotifyDeregister(m_hSHNotify)) Then begin
{$R-}
m_hSHNotify := 0;
CoTaskMemFree(m_pidlDesktop);
Result := True;
{$R-}
End;
end;procedure TForm1.WMShellReg(var Message:TMessage); file://系统消息处理函数
var
strPath1,strPath2:String;
charPath:array[0..259]of char;
pidlItem:PSHNOTIFYSTRUCT;
begin
pidlItem:=PSHNOTIFYSTRUCT(Message.wParam);
file://获得系统消息相关得路径
SHGetPathFromIDList(pidlItem.dwItem1,charPath);
strPath1:=charPath;
SHGetPathFromIDList(pidlItem.dwItem2,charPath);
strPath2:=charPath; Memo1.Lines.Add(SHEvEntName(strPath1,strPath2,Message.lParam)+chr(13)+chr(10));
end;procedure TForm1.FormClose(Sender: TObject; var Action: TCloseAction);
begin
file://在程序退出的同时删除监视
if Boolean(m_pidlDesktop) then
SHNotify_Unregister;
end;procedure TForm1.Button1Click(Sender: TObject); file://Button1的Click消息
begin
m_hSHNotify:=0;
if SHNotify_Register(Form1.Handle) then begin file://注册Shell监视
ShowMessage('Shell监视程序成功注册');
Button1.Enabled := False;
end
else
ShowMessage('Shell监视程序注册失败');
end;procedure TForm1.FormCreate(Sender: TObject);
begin
Button1.Caption := '打开监视';
end;end. 运行程序,点击“打开监视”按钮,如果出现一个显示“Shell监视程序成功注册”的对话框,说明Form1已经加入到系
procedure TForm1.Button1Click(Sender: TObject); file://Button1的Click消息
file那里 是什么?
我把它注释掉了
^_^