WH_CBT监控有窗体的进程创建

很久以前在旧博客里翻到过一篇文章：当时有个项目要求在 Windows Server 2008 R2 x64 上监控带窗体的 cmd/powershell 进程创建，采用的是 WH_CBT 应用层消息钩子（SetWindowsHookEx 全局钩子）来监控窗口创建。需要注意的是：全局钩子只会把钩子 DLL 注入到与其位数相同、且在同一桌面上的 GUI 进程，64 位钩子 DLL 监控不到 SysWOW64 下的 32 位 cmd.exe/powershell.exe；它也只对创建了窗口的进程生效，并且是运行在被钩进程内部的用户态机制，可被绕过，只能作为监控手段而不能当作安全边界。

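/*
 * Install (fInstall != 0) or remove (fInstall == 0) the global WH_CBT hook.
 *
 * The hook is system-wide (dwThreadId == 0), so g_hinstDll gets injected into
 * every GUI process on this desktop that matches the DLL's bitness; CBTProc
 * therefore runs inside foreign processes and must stay minimal.
 *
 * Returns TRUE on success, FALSE otherwise. Installing while a hook is already
 * live, or removing when none is, fails explicitly: the original guards were
 * inverted and empty, so a second install would have overwritten g_hhook and
 * left an orphaned hook that could never be unhooked.
 */
BOOL WINAPI SetHook(BOOL fInstall) {
    BOOL fOk = FALSE;

    if (fInstall) {
        /* Already installed: refuse instead of leaking the live HHOOK. */
        if (g_hhook != NULL) {
            return FALSE;
        }
        g_hhook = SetWindowsHookEx(WH_CBT, CBTProc, g_hinstDll, 0);
        fOk = (g_hhook != NULL);
    } else {
        /* Can't uninstall if not installed. */
        if (g_hhook == NULL) {
            return FALSE;
        }
        fOk = UnhookWindowsHookEx(g_hhook);
        g_hhook = NULL;
    }

    return fOk;
}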
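/*
 * Extended-style bit pattern this hook treats as a console host window
 * (numerically 0x40310). It is a heuristic fingerprint of the window that
 * cmd.exe / powershell.exe create, observed on Windows Server 2008 R2 —
 * not a documented contract, so it may not match on other builds or for
 * windows created with a different style.
 */
#define CONSOLE_WINDOW_EXSTYLE \
    (WS_EX_APPWINDOW | WS_EX_CLIENTEDGE | WS_EX_WINDOWEDGE | WS_EX_ACCEPTFILES)

/*
 * WH_CBT hook procedure. Executes inside every hooked process, on the thread
 * that is creating the window, so it must be cheap and must always chain to
 * CallNextHookEx (mandatory for nCode < 0, and so other hooks keep working).
 *
 * nCode  : CBT notification code; only HCBT_CREATEWND is examined.
 * wParam : HWND of the window being created (for HCBT_CREATEWND).
 * lParam : LPCBT_CREATEWND describing the window (for HCBT_CREATEWND).
 *
 * Returns the next hook's result; 0 lets the window be created.
 */
LRESULT CALLBACK CBTProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    if (nCode == HCBT_CREATEWND) {
        LPCBT_CREATEWND pcbt = (LPCBT_CREATEWND)lParam;

        /* lParam is documented as valid for HCBT_CREATEWND, but this code
           runs in foreign processes: never crash them on a bad pointer. */
        if (pcbt != NULL && pcbt->lpcs != NULL &&
            pcbt->lpcs->dwExStyle == (DWORD)CONSOLE_WINDOW_EXSTYLE) {
            /* Demo notification only. MessageBox blocks the creating thread
               of the hooked process and itself creates windows, which
               re-enter this hook. A real monitor should hand the event to
               the controlling process (pipe, PostMessage, ETW) instead of
               showing UI from inside the hooked process. */
            MessageBox(NULL, NULL, L"Shell open!", 0);
        }
    }

    return CallNextHookEx(g_hhook, nCode, wParam, lParam);
}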

 
