监控进程创建代码
#include "stdafx.h"
#include "apihook.h"
#include <stdio.h>
typedef BOOL (WINAPI *PFNCPW)(
LPCTSTR lpApplicationName,
LPTSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCTSTR lpCurrentDirectory,
LPSTARTUPINFO lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation
);
extern CAPIHook g_CreateProcessW;
BOOL WINAPI proxy_CreateProcessW(
LPCTSTR lpApplicationName,
LPTSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCTSTR lpCurrentDirectory,
LPSTARTUPINFO lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation
)
LPSTR lpszName = new CHAR[ 255 ];
LPSTR lpszName1 = new CHAR[ 255 ];
//由于传入的是宽字符串,所以要做处理,,
//下面可以添加你要处理的代码,,我只是弹出对话框要求用户确认运行还是不运行
::WideCharToMultiByte( CP_ACP, 0, (unsigned short *)lpCommandLine, -1, lpszName1, 255, NULL, NULL );
::WideCharToMultiByte( CP_ACP, 0, (unsigned short *)lpApplicationName, -1, lpszName, 255, NULL, NULL );
OutputDebugString(lpszName);
OutputDebugString(lpszName1);
wsprintf(buf,"%s/r/n%s",lpszName,lpszName1);
if(MessageBox(NULL,buf,"注意",MB_YESNO|MB_ICONWARNING|MB_SYSTEMMODAL)
==IDNO)
return FALSE;
return ((PFNCPW)(PROC)g_CreateProcessW)(
lpApplicationName,
lpCommandLine,
lpProcessAttributes,
lpThreadAttributes,
bInheritHandles,
dwCreationFlags,
lpEnvironment,
lpCurrentDirectory,
lpStartupInfo,
lpProcessInformation
);
}
CAPIHook g_CreateProcessW("kernel32.dll", "CreateProcessW",
(PROC)proxy_CreateProcessW);
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
return TRUE;
}
#include "apihook.h"
#include <stdio.h>
typedef BOOL (WINAPI *PFNCPW)(
LPCTSTR lpApplicationName,
LPTSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCTSTR lpCurrentDirectory,
LPSTARTUPINFO lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation
);
extern CAPIHook g_CreateProcessW;
BOOL WINAPI proxy_CreateProcessW(
LPCTSTR lpApplicationName,
LPTSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCTSTR lpCurrentDirectory,
LPSTARTUPINFO lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation
)
LPSTR lpszName = new CHAR[ 255 ];
LPSTR lpszName1 = new CHAR[ 255 ];
//由于传入的是宽字符串,所以要做处理,,
//下面可以添加你要处理的代码,,我只是弹出对话框要求用户确认运行还是不运行
::WideCharToMultiByte( CP_ACP, 0, (unsigned short *)lpCommandLine, -1, lpszName1, 255, NULL, NULL );
::WideCharToMultiByte( CP_ACP, 0, (unsigned short *)lpApplicationName, -1, lpszName, 255, NULL, NULL );
OutputDebugString(lpszName);
OutputDebugString(lpszName1);
wsprintf(buf,"%s/r/n%s",lpszName,lpszName1);
if(MessageBox(NULL,buf,"注意",MB_YESNO|MB_ICONWARNING|MB_SYSTEMMODAL)
==IDNO)
return FALSE;
return ((PFNCPW)(PROC)g_CreateProcessW)(
lpApplicationName,
lpCommandLine,
lpProcessAttributes,
lpThreadAttributes,
bInheritHandles,
dwCreationFlags,
lpEnvironment,
lpCurrentDirectory,
lpStartupInfo,
lpProcessInformation
);
}
CAPIHook g_CreateProcessW("kernel32.dll", "CreateProcessW",
(PROC)proxy_CreateProcessW);
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
return TRUE;
}