我做了一个系统钩子用于截获删除文件的操作,安装钩子后可以正常拦截API,但是卸载钩子后系统老是出错,请大家帮我看一下原因在哪里。
安装钩子:
hHook=SetWindowsHookEx(WH_GETMESSAGE,(HOOKPROC)GetMsgProc,hmodDll,0);
在回调函数中修改函数地址:
HookAllAPI("kernel32.dll",GetProcAddress(GetModuleHandle("kernel32.dll"),
"DeleteFileW"),(PROC)&H_DeleteFileW,NULL);
HookAllAPI("kernel32.dll",GetProcAddress(GetModuleHandle("kernel32.dll"),
"DeleteFileA"),(PROC)&H_DeleteFileA,NULL);
在卸载钩子的函数中这样写:
UnhookWindowsHookEx(hHook);
// NOTE(review): the message hook is removed before the patched function
// addresses are restored. The patches are applied from the GetMsgProc callback,
// so the two calls below presumably restore only the process that runs this
// unload routine. Other processes may still hold entries that point at
// H_DeleteFileW / H_DeleteFileA once the hook DLL is unmapped from them, and
// their next DeleteFile call would then jump into unloaded memory. Confirm
// that every process restores its own entries (e.g. on DLL_PROCESS_DETACH)
// before the DLL can be unloaded.
UnhookAllAPIHooks("kernel32.dll",GetProcAddress(GetModuleHandle("kernel32.dll"),
"DeleteFileW"),(PROC)&H_DeleteFileW,NULL);
UnhookAllAPIHooks("kernel32.dll",GetProcAddress(GetModuleHandle("kernel32.dll"),
"DeleteFileA"),(PROC)&H_DeleteFileA,NULL);
UnhookAllAPIHooks是对HookAllAPI的反操作,HookAllAPI会hook所有进程。
安装钩子:
hHook=SetWindowsHookEx(WH_GETMESSAGE,(HOOKPROC)GetMsgProc,hmodDll,0);
在回调函数中修改函数地址:
HookAllAPI("kernel32.dll",GetProcAddress(GetModuleHandle("kernel32.dll"),
"DeleteFileW"),(PROC)&H_DeleteFileW,NULL);
HookAllAPI("kernel32.dll",GetProcAddress(GetModuleHandle("kernel32.dll"),
"DeleteFileA"),(PROC)&H_DeleteFileA,NULL);
在卸载钩子的函数中这样写:
UnhookWindowsHookEx(hHook);
//
UnhookAllAPIHooks("kernel32.dll",GetProcAddress(GetModuleHandle("kernel32.dll"),
"DeleteFileW"),(PROC)&H_DeleteFileW,NULL);
UnhookAllAPIHooks("kernel32.dll",GetProcAddress(GetModuleHandle("kernel32.dll"),
"DeleteFileA"),(PROC)&H_DeleteFileA,NULL);
UnhookAllAPIHooks是对HookAllAPI的反操作,HookAllAPI会hook所有进程。
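// Replacement for FindFirstFileA that the API hook installs.
//
// When szOldName starts with protectPath (StrCmpN over strlen(protectPath)
// characters) a notice is shown and the search is refused with
// INVALID_HANDLE_VALUE; every other request is passed to FindFirstFileA.
//
//   szOldName  search path/pattern supplied by the caller
//   szNewName  caller's WIN32_FIND_DATAA buffer, passed through untouched
//
// NOTE(review): the prefix test is case-sensitive and runs on the string
// exactly as the caller passed it, so a differently cased or non-canonical
// spelling of the same path would not match - confirm this is intended.
// NOTE(review): the pass-through call relies on this module's own import of
// FindFirstFileA not being patched; otherwise it would re-enter this
// function - confirm in HookAllAPI.
HANDLE WINAPI H_FindFirstFileA(LPCTSTR szOldName , LPWIN32_FIND_DATAA szNewName)
{
    static const char suffix[] = "文件已隐藏!";

    // A NULL name cannot match the protected prefix; let the real API report it.
    if( szOldName == NULL )
        return FindFirstFileA( szOldName , szNewName );

    int len = (int)strlen( protectPath );
    if( StrCmpN( protectPath , szOldName , len ) != 0 )
        return FindFirstFileA( szOldName , szNewName ); // forward to the original function

    // Build the notice only when it is needed. The caller controls the length
    // of szOldName, so both appends are bounded: the path is truncated so that
    // the suffix and the terminator always fit in name[].
    char name[MAX_PATH] = {0};
    strncat( name , szOldName , sizeof(name) - sizeof(suffix) );
    strncat( name , suffix , sizeof(name) - 1 - strlen(name) );

    MessageBox(NULL,name,"提示FindFirstFileA",MB_OK);
    return (HANDLE)-1; // INVALID_HANDLE_VALUE
}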
//同上
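// Wide-character counterpart of H_FindFirstFileA.
//
// The name is converted to the ANSI code page, compared against protectPath
// (StrCmpN over strlen(protectPath) characters) and, on a match, a notice is
// shown and INVALID_HANDLE_VALUE is returned. Every other request is passed to
// FindFirstFileW with the caller's original arguments.
//
//   szOldName  search path/pattern supplied by the caller
//   szNewName  caller's WIN32_FIND_DATAW buffer, passed through untouched
//
// NOTE(review): the comparison runs on the CP_ACP conversion, which is lossy
// for characters outside the code page, and it is case-sensitive - confirm
// this is acceptable for the paths being protected.
HANDLE WINAPI H_FindFirstFileW(LPCWSTR szOldName , LPWIN32_FIND_DATAW szNewName)
{
    static const char suffix[] = "文件已隐藏!";

    // A NULL name cannot match the protected prefix; let the real API report it.
    if( szOldName == NULL )
        return FindFirstFileW( szOldName , szNewName );

    // Ask for the exact converted size (terminator included) rather than
    // assuming two bytes per character.
    int bytes = WideCharToMultiByte(CP_ACP,0,szOldName,-1,NULL,0,NULL,NULL);
    if( bytes <= 0 )
        return FindFirstFileW( szOldName , szNewName );

    char *buf = new char[bytes];
    char name[MAX_PATH] = {0};
    bool hidden = false;

    // If the conversion fails buf holds no valid string, so it is not compared
    // and the request is forwarded unchanged.
    if( WideCharToMultiByte(CP_ACP,0,szOldName,-1,buf,bytes,NULL,NULL) > 0 )
    {
        int len = (int)strlen( protectPath );
        hidden = ( StrCmpN( protectPath , buf , len ) == 0 );
        if( hidden )
        {
            // Bounded appends: the caller controls the length of the path, so it
            // is truncated to leave room for the suffix and the terminator.
            strncat( name , buf , sizeof(name) - sizeof(suffix) );
            strncat( name , suffix , sizeof(name) - 1 - strlen(name) );
        }
    }

    // Released on every path; the hook runs on each FindFirstFileW call, so a
    // missing delete[] leaks in every call.
    delete[] buf;

    if( hidden )
    {
        MessageBox(NULL,name,"提示FindFirstFileW",MB_OK);
        return (HANDLE)-1; // INVALID_HANDLE_VALUE
    }
    return FindFirstFileW( szOldName , szNewName ); // forward to the original function
}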
希望受益的朋友给我顶一下,现在第一个问题还没有解决:卸载钩子后出错