How to keep your program's process from being forcibly terminated by others
2007-06-20 13:14
387 views
Author: Pan Feng. Technical discussion QQ: 598432467
Complete source code: http://download.csdn.net/source/196884
I only registered a CSDN account today. I have learned a lot here before and have wanted to write something of my own for a while, but registration failed many times. Ha, I will skip the other digressions; today's topic is "how to keep your program's process from being forcibly terminated by others". Yesterday the company asked me to write a piece of software, and nobody should be able to end this program's process. I had seen some related articles before: one approach creates a thread that keeps checking the process name (by enumerating the process list), but I feel that approach may be somewhat resource-hungry. Another approach elevates your own process to a system process; I have not tried that, and if anyone has implementation code for it I would be very grateful for a copy. What I used today is a different approach, intercepting API functions, and there are two ways to do it:
1. When a process is forcibly terminated, the system calls

```cpp
BOOL WINAPI TerminateProcess(
    HANDLE hProcess,
    UINT uExitCode
);
```

If we intercept the TerminateProcess API with a hook, then when the system calls this function we simply check first whether the handle is that of the process we do not allow to be closed, and that is all.
2. Before TerminateProcess (signature above) can be called, the system must first open a handle to the process with

```cpp
HANDLE WINAPI OpenProcess(
    DWORD dwDesiredAccess,
    BOOL bInheritHandle,
    DWORD dwProcessId
);
```

If we find that the first parameter requests PROCESS_TERMINATE access, this means someone wants to forcibly end that process, so we can examine the call that opens the process this way and check whether the process ID is the ID of the process we do not allow to be closed. Below we concentrate on this second approach:
Because a hook is needed, we first create a DLL project; I will not describe the creation steps here. I used the APIHOOK class from Windows核心编程 (Jeffrey Richter's Programming Applications for Microsoft Windows): copy this class into the project directory and add it to your own project.
In the DLL project add a WH_SHELL hook. Its purpose is to get the DLL loaded into each process as it is created, which is what lets us intercept the API functions. (A global hook DLL is loaded by the processes on the same desktop that use user32 and pump messages; processes that never load user32.dll are not affected.)
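The hook DLL described above ends up loaded into every process that receives the hook, and that is also what makes the technique visible from the defender's side: one non-system DLL present in many unrelated processes. The following PowerShell script is an added example, not part of the original post or its source download. It lists DLLs loaded into at least a given number of processes from outside the Windows and Program Files directories and shows their Authenticode signature status; the threshold of 5 processes and the set of trusted roots are assumptions you can adjust. Run it from an elevated session so that more processes can be inspected.

```powershell
# Added example (not from the original post): report DLLs that are loaded into
# many unrelated processes from outside the usual system directories, which is
# what a DLL injected through a global SetWindowsHookEx hook looks like.
param(
    [int]$MinProcesses = 5,   # assumption: report DLLs seen in 5 or more processes
    [string[]]$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})
)
$TrustedRoots = $TrustedRoots | Where-Object { $_ }   # drop empty entries (no x86 dir on 32-bit)

# One record per (process, loaded module). Processes we are not allowed to
# inspect throw when .Modules is read; skip those rather than abort.
$loaded = foreach ($proc in Get-Process) {
    try {
        $mods = $proc.Modules
    } catch {
        continue
    }
    foreach ($mod in $mods) {
        [pscustomobject]@{
            Process   = $proc.ProcessName
            ProcessId = $proc.Id
            Path      = $mod.FileName
        }
    }
}

$loaded |
    Where-Object {
        # keep only modules that live outside every trusted root
        $path = $_.Path
        -not ($TrustedRoots | Where-Object { $path -like "$_\*" })
    } |
    Group-Object -Property Path |
    Where-Object { $_.Count -ge $MinProcesses } |
    Sort-Object -Property Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Path      = $_.Name
            Processes = $_.Count
            Signature = (Get-AuthenticodeSignature -FilePath $_.Name).Status
            SeenIn    = ($_.Group | Select-Object -First 3 |
                         ForEach-Object { "$($_.Process):$($_.ProcessId)" }) -join ', '
        }
    } |
    Format-Table -AutoSize
```

Legitimate software (shell extensions, input methods, antivirus) also shows up here, so the output is a triage list, not a verdict: an unsigned DLL from a user-writable directory that sits in dozens of processes is the case worth a closer look.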
Here is the code for the hook part:
```cpp
// Defines
#include <windows.h>

// Shared data segment: this variable is shared by every process that loads the
// DLL, so the hook handle installed once is visible in all of them.
#pragma data_seg(".SHARED")
HHOOK glhHook = NULL; // handle of the installed hook
#pragma data_seg()
// The section name here must match the one declared above. The original wrote
// "/section:shared,rws", which names no section, so the variable was not shared.
#pragma comment(linker, "/section:.SHARED,rws")

HINSTANCE glhInstance = NULL; // DLL instance handle

BOOL APIENTRY DllMain(HANDLE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    glhInstance = (HINSTANCE)hModule;
    return TRUE;
}

// Hook procedure. It does nothing itself; the hook exists only so that the
// system loads this DLL into the other processes.
static LRESULT WINAPI ShellHookProc(int code, WPARAM wParam, LPARAM lParam)
{
    return ::CallNextHookEx(glhHook, code, wParam, lParam);
}

// Install the system-wide WH_SHELL hook (dwThreadId == 0 means all threads).
// The pid parameter is not used by this version; the protected PID is passed
// through the shared memory mapping shown later.
extern "C" __declspec(dllexport) BOOL StartHook(DWORD pid)
{
    BOOL bResult = FALSE;
    if (!glhHook)
    {
        glhHook = SetWindowsHookEx(WH_SHELL, ShellHookProc, glhInstance, 0);
        if (glhHook != NULL)
        {
            bResult = TRUE;
        }
    }
    return bResult;
}

extern "C" __declspec(dllexport) BOOL StopHook()
{
    BOOL bResult = FALSE;
    if (glhHook)
    {
        bResult = UnhookWindowsHookEx(glhHook);
        if (bResult)
        {
            glhHook = NULL;
        }
    }
    return bResult;
}
```
With the DLL now injected into the other processes, the next job is to replace the OpenProcess function:
```cpp
#include <windows.h>
#include "APIHook.h"   // the CAPIHook class copied from the book (file name assumed)

// Declarations (header part)
typedef HANDLE (WINAPI *PFNOPENPROCESS)(DWORD, BOOL, DWORD);
extern CAPIHook g_OpenProcess;
extern LPSHWP_STRUCT lpData; // shared memory view, defined in the DLL's mapping code below
// Our replacement OpenProcess function
HANDLE WINAPI Hook_OpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId);

HANDLE WINAPI Hook_OpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
{
    // lpData->dwProcessId is the ID of the process we do not allow to be closed.
    // lpData is NULL when the shared mapping could not be opened, so test it first.
    // (The original wrote "dwProcessId == dwProcessId == lpData->dwProcessId",
    // which compares TRUE with the protected PID and therefore never matched.)
    if (lpData != NULL &&
        dwDesiredAccess == PROCESS_TERMINATE &&
        dwProcessId == lpData->dwProcessId)
    {
        // Debug output only: show what was requested
        char sz[2048];
        wsprintf(sz, "%d,%d,%d", dwDesiredAccess, dwProcessId, lpData->dwProcessId);
        MessageBox(NULL, sz, "d", MB_OK);
        return NULL; // refuse to open the protected process
    }

    // Everything else goes to the real OpenProcess
    return ((PFNOPENPROCESS)(PROC)g_OpenProcess)(dwDesiredAccess, bInheritHandle, dwProcessId);
}

// Hook OpenProcess
CAPIHook g_OpenProcess("kernel32.dll", "OpenProcess", (PROC)Hook_OpenProcess, TRUE);
```
Add the code above to the DLL you just created, and that is it.
While reading the code above you saw the lpData->dwProcessId value; this is the ID of the process I do not allow to be closed. So how do we obtain this value? There are of course many ways; one is to get the window handle from the window name:
```cpp
HWND hwnd = ::FindWindow(NULL, "your program's window name");
DWORD hpid = 0; // process ID
if (hwnd != NULL)
{
    GetWindowThreadProcessId(hwnd, &hpid);
}
```
But what if your process has no window? Then the only option is to obtain the ID with ::GetCurrentProcessId() while the process is running and pass it to the DLL through a memory-mapped file, as in the following code:
```cpp
#include <windows.h>

// Structure placed in the shared memory mapping
typedef struct SHWP_STRUCT_ {
    DWORD dwProcessId;
    char  szModuleFileName[MAX_PATH];
} SHWP_STRUCT, *LPSHWP_STRUCT;

// Global variable definitions
HANDLE        hMapping = NULL; // handle of the memory mapping
LPSHWP_STRUCT lpData   = NULL; // shared memory

int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR lpCmdLine,
                     int nCmdShow)
{
    // Create the shared memory. INVALID_HANDLE_VALUE (the original wrote
    // (HANDLE)0xFFFFFFFF) backs the mapping with the page file. The size must
    // cover the whole structure: the original's 0x100 bytes is smaller than
    // sizeof(SHWP_STRUCT) (4 + MAX_PATH = 264 bytes), so writing
    // szModuleFileName would have run past the end of the view.
    hMapping = CreateFileMapping(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE,
                                 0, sizeof(SHWP_STRUCT), "PCMONITOR.");
    if (hMapping != NULL)
    {
        lpData = (LPSHWP_STRUCT)MapViewOfFile(hMapping, FILE_MAP_ALL_ACCESS, 0, 0, 0);
    }
    if (lpData == NULL)
    {
        return 1; // the PID cannot be shared with the DLL, so there is nothing to protect
    }

    lpData->dwProcessId = ::GetCurrentProcessId(); // current process ID

    // ............................... other code
}
```

The memory-mapping code inside the DLL:
```cpp
// Global variable definitions (DLL side; SHWP_STRUCT is the same structure as in the EXE)
HANDLE        hMapping = NULL; // handle of the memory mapping
LPSHWP_STRUCT lpData   = NULL; // shared memory

// This is the same DllMain as in the hook code above, with the mapping added.
BOOL APIENTRY DllMain(HANDLE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    glhInstance = (HINSTANCE)hModule;
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        // Open the shared memory under the same name and size as the EXE.
        // CreateFileMapping returns the existing object when the name is in use.
        hMapping = CreateFileMapping(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE,
                                     0, sizeof(SHWP_STRUCT), "PCMONITOR.");
        if (hMapping != NULL)
        {
            lpData = (LPSHWP_STRUCT)MapViewOfFile(hMapping, FILE_MAP_ALL_ACCESS, 0, 0, 0);
        }
        // If this fails lpData stays NULL; the hook functions check for that.
    }
    else if (ul_reason_for_call == DLL_PROCESS_DETACH)
    {
        if (lpData != NULL)   UnmapViewOfFile(lpData);
        if (hMapping != NULL) CloseHandle(hMapping);
    }
    return TRUE;
}
```
In this way, while our process is running, its process ID is obtained with lpData->dwProcessId = ::GetCurrentProcessId(); and passed to the DLL through the memory mapping.
Inside the DLL we intercept the DWORD dwProcessId parameter of OpenProcess; if that value is our own process's ID we return NULL directly, meaning that opening our process fails, so the system has no way to call TerminateProcess to forcibly close our process. If we instead hooked TerminateProcess directly and had it return TRUE no matter who called it, that would be the end of it: you would never again be able to forcibly close any program on your machine. Ha, I said forcibly; closing with a WM_CLOSE message does not count. Bear in mind that this is user-mode hooking: it takes effect only inside processes that loaded the DLL through the WH_SHELL hook, and only for calls that go through the hooked kernel32 import, so it is a deterrent rather than genuine protection.
Partial code for intercepting TerminateProcess:
```cpp
#include <windows.h>
#include "APIHook.h"   // the CAPIHook class copied from the book (file name assumed)

// Declarations (header part)
typedef BOOL (WINAPI *PFNTERMINATEPROCESS)(HANDLE, UINT);
extern CAPIHook g_TerminateProcess;
extern LPSHWP_STRUCT lpData; // shared memory view, defined in the DLL's mapping code above
BOOL WINAPI Hook_TerminateProcess(HANDLE hProcess, UINT uExitCode); // our replacement TerminateProcess

// Our replacement TerminateProcess function. This version only logs the call
// and passes it through to the real function; it blocks nothing.
BOOL WINAPI Hook_TerminateProcess(HANDLE hProcess, UINT uExitCode)
{
    // Get the file name of the calling process's main module
    char szPathName[MAX_PATH];
    ::GetModuleFileName(NULL, szPathName, MAX_PATH);

    // Build the string shown in the message box (debug output only).
    // The last value is the protected PID from shared memory, or 0 if the
    // mapping is not available in this process.
    char sz[2048];
    wsprintf(sz, " 进程:(%d)%s 进程句柄:%X 退出代码:%d (%x)",
             ::GetCurrentProcessId(), szPathName, hProcess, uExitCode,
             lpData != NULL ? lpData->dwProcessId : 0);
    MessageBox(NULL, sz, "d", MB_OK);

    return ((PFNTERMINATEPROCESS)(PROC)g_TerminateProcess)(hProcess, uExitCode);
}

// Hook TerminateProcess
CAPIHook g_TerminateProcess("kernel32.dll", "TerminateProcess", (PROC)Hook_TerminateProcess, TRUE);
```