反正代码不多,就直接贴出来算了,有不对的大家请多多指教
该程序是个Shell扩展,使用regsvr32注册,使用regsvr32 /u取消注册
ICopyHook就是监视目录复制的,IShellExecuteHook就是监视程序执行,在这个程序里面我把他们两个都实现了
/********************CopyHook.def********************/
LIBRARY "CopyHook.dll"
EXPORTS
DllGetClassObject PRIVATE
DllRegisterServer PRIVATE
DllUnregisterServer PRIVATE
DllCanUnloadNow PRIVATE
/********************DllMain.cpp********************/
#include <Windows.h>
#include <Stdio.h>
#include <Tchar.h>
#include <Shlobj.h>
#include <InitGuid.h>
#include "ShellHook.h"
#include "ShellHookFactory.h"
HMODULE g_hinst;
ULONG g_lLockNumber;
ULONG g_lRefThisDll;
HRESULT ClsidToString(REFCLSID clsid, LPTSTR lpszClsid, int cchClsid)
{
HRESULT result;
LPWSTR lpszStr;
if((result = StringFromCLSID(clsid, &lpszStr)) == S_OK)
{
#ifdef UNICODE
lstrcpyn(lpszClsid, lpszStr, cchClsid);
#else
WideCharToMultiByte(CP_OEMCP, 0, lpszStr, -1, lpszClsid, cchClsid, 0, 0);
#endif
CoTaskMemFree(lpszStr);
}
return result;
}
HRESULT RegisterClsid(LPTSTR lpszClsid, LPTSTR lpszModule)
{
HKEY hKey;
HKEY hSubKey;
TCHAR szSubKey[1024];
TCHAR szModel[] = _T("Apartment");
LSTATUS status;
lstrcpy(szSubKey, _T("CLSID\\"));
lstrcat(szSubKey, lpszClsid);
status = RegCreateKey(HKEY_CLASSES_ROOT, szSubKey, &hKey);
if(status == ERROR_SUCCESS)
{
status = RegCreateKey(hKey, _T("InProcServer32"), &hSubKey);
if(status == ERROR_SUCCESS)
{
RegSetValue(hSubKey, NULL, REG_SZ, lpszModule, 0);
RegSetValueEx(hSubKey, _T("ThreadingModel"), 0, REG_SZ, (BYTE*)szModel, sizeof(szModel));
RegCloseKey(hSubKey);
}
RegCloseKey(hKey);
}
return HRESULT_FROM_WIN32(status);
}
HRESULT UnRegisterClsid(LPTSTR lpszClsid)
{
TCHAR szSubKey[1024];
LSTATUS status;
lstrcpy(szSubKey, _T("CLSID\\"));
lstrcat(szSubKey, lpszClsid);
lstrcat(szSubKey, _T("\\InProcServer32"));
status = RegDeleteKey(HKEY_CLASSES_ROOT, szSubKey);
lstrcpy(szSubKey, _T("CLSID\\"));
lstrcat(szSubKey, lpszClsid);
status = RegDeleteKey(HKEY_CLASSES_ROOT, szSubKey);
return HRESULT_FROM_WIN32(status);
}
STDAPI DllGetClassObject (const CLSID &rclsid, const IID &riid, void **ppv)
{
if (rclsid == CLSID_MyShellHook)
{
CMyShellHookFactory *pFactory = new CMyShellHookFactory;
if (pFactory == NULL)
return E_OUTOFMEMORY ;
return pFactory->QueryInterface(riid, ppv);
}
return CLASS_E_CLASSNOTAVAILABLE;
}
STDAPI DllCanUnloadNow (void)
{
if (g_lRefThisDll == 0 && g_lLockNumber == 0)
return S_OK;
else
return S_FALSE;
}
STDAPI DllRegisterServer ()
{
TCHAR szClsid[64];
TCHAR szModule[MAX_PATH];
HKEY hKey;
ClsidToString(CLSID_MyShellHook, szClsid, 64);
if(RegCreateKey(HKEY_CLASSES_ROOT, _T("Directory\\shellex\\CopyHookHandlers\\zCopyHook"), &hKey) == ERROR_SUCCESS)
{
RegSetValue(hKey, NULL, REG_SZ, szClsid, 0);
RegCloseKey(hKey);
}
if(RegOpenKey(HKEY_LOCAL_MACHINE, _T("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks"), &hKey) == ERROR_SUCCESS)
{
RegSetValueEx(hKey, szClsid, 0, REG_SZ, NULL, 0);
RegCloseKey(hKey);
}
if(RegOpenKey(HKEY_LOCAL_MACHINE, _T("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"), &hKey) == ERROR_SUCCESS)
{
DWORD dwVal = 1;
RegSetValueEx(hKey, _T("EnableShellExecuteHooks"), 0, REG_DWORD, (LPBYTE)&dwVal, sizeof(DWORD));
RegCloseKey(hKey);
}
GetModuleFileName(g_hinst, szModule, MAX_PATH);
return RegisterClsid(szClsid, szModule);
}
STDAPI DllUnregisterServer ()
{
TCHAR szClsid[64];
HKEY hKey;
ClsidToString(CLSID_MyShellHook, szClsid, 64);
RegDeleteKey(HKEY_CLASSES_ROOT, _T("Directory\\shellex\\CopyHookHandlers\\zCopyHook"));
if(RegOpenKey(HKEY_LOCAL_MACHINE, _T("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks"), &hKey) == ERROR_SUCCESS)
{
RegDeleteValue(hKey, szClsid);
RegCloseKey(hKey);
}
if(RegOpenKey(HKEY_LOCAL_MACHINE, _T("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"), &hKey) == ERROR_SUCCESS)
{
RegDeleteValue(hKey, _T("EnableShellExecuteHooks"));
RegCloseKey(hKey);
}
return UnRegisterClsid(szClsid);
}
BOOL WINAPI DllMain (HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
switch(fdwReason)
{
case DLL_PROCESS_ATTACH://加载dll;
{
g_hinst = hinstDLL;
}
break;
case DLL_PROCESS_DETACH://释放dll
{
}
break;
case DLL_THREAD_ATTACH://新建线程
{
}
break;
case DLL_THREAD_DETACH://线程退出
{
}
break;
}
return TRUE;
}
/********************ShellHookFactory.h********************/
class CMyShellHookFactory : public IClassFactory
{
public:
CMyShellHookFactory();
~CMyShellHookFactory();
HRESULT STDMETHODCALLTYPE QueryInterface (REFIID iid, void **ppvObject);
ULONG STDMETHODCALLTYPE AddRef ();
ULONG STDMETHODCALLTYPE Release ();
HRESULT STDMETHODCALLTYPE CreateInstance (IUnknown *pUnkOuter, REFIID riid, void **ppvObject);
HRESULT STDMETHODCALLTYPE LockServer (BOOL fLock);
private:
ULONG m_lRefCount;
};
/********************ShellHookFactory.cpp********************/
#include <Windows.h>
#include <Stdio.h>
#include <Tchar.h>
#include <Shlobj.h>
#include <InitGuid.h>
#include "ShellHook.h"
#include "ShellHookFactory.h"
extern ULONG g_lLockNumber;
extern ULONG g_lRefThisDll;
CMyShellHookFactory::CMyShellHookFactory() : m_lRefCount(0)
{
}
CMyShellHookFactory::~CMyShellHookFactory()
{
}
HRESULT STDMETHODCALLTYPE CMyShellHookFactory::QueryInterface (REFIID iid, void **ppvObject)
{
if(iid == IID_IUnknown)
{
m_lRefCount++;
*ppvObject = this;
}
else if(iid == IID_IClassFactory)
{
m_lRefCount++;
*ppvObject = this;
}
else
{
*ppvObject = NULL;
return E_NOINTERFACE;
}
return S_OK;
}
ULONG STDMETHODCALLTYPE CMyShellHookFactory::AddRef ()
{
m_lRefCount++;
return m_lRefCount;
}
ULONG STDMETHODCALLTYPE CMyShellHookFactory::Release ()
{
m_lRefCount--;
if(m_lRefCount == 0)
delete this;
return m_lRefCount;
}
HRESULT STDMETHODCALLTYPE CMyShellHookFactory::CreateInstance(IUnknown *pUnkOuter, REFIID riid, void **ppvObject)
{
CMyShellHook *pObj;
*ppvObject = NULL;
if(pUnkOuter)
return CLASS_E_NOAGGREGATION;
pObj = new CMyShellHook();
if (pObj == NULL)
return E_OUTOFMEMORY ;
return pObj->QueryInterface(riid, ppvObject);
}
HRESULT STDMETHODCALLTYPE CMyShellHookFactory::LockServer(BOOL fLock)
{
if(fLock)
g_lLockNumber++;
else
g_lLockNumber--;
return NOERROR;
}
/********************ShellHook.h********************/
//{24c7f2bb-3f48-42eb-9d6f-81b756ea15ba}
DEFINE_GUID(CLSID_MyShellHook, 0x24c7f2bb, 0x3f48, 0x42eb, 0x9d, 0x6f, 0x81, 0xb7, 0x56, 0xea, 0x15, 0xba);
class CMyShellHook : public ICopyHook, public IShellExecuteHook
{
public:
CMyShellHook();
~CMyShellHook();
HRESULT STDMETHODCALLTYPE QueryInterface (REFIID iid, void **ppvObject);
ULONG STDMETHODCALLTYPE AddRef ();
ULONG STDMETHODCALLTYPE Release ();
UINT STDMETHODCALLTYPE CopyCallback (HWND hwnd, UINT wFunc, UINT wFlags, LPCTSTR pszSrcFile, DWORD dwSrcAttribs,
LPCTSTR pszDestFile, DWORD dwDestAttribs);
HRESULT STDMETHODCALLTYPE Execute (LPSHELLEXECUTEINFO pei);
private:
ULONG m_lRefCount;
};
/********************ShellHook.cpp********************/
#include <Windows.h>
#include <Stdio.h>
#include <Tchar.h>
#include <Shlobj.h>
#include <InitGuid.h>
#include "ShellHook.h"
extern ULONG g_lLockNumber;
extern ULONG g_lRefThisDll;
CMyShellHook::CMyShellHook() : m_lRefCount(0)
{
g_lRefThisDll++;
}
CMyShellHook::~CMyShellHook()
{
g_lRefThisDll--;
}
HRESULT STDMETHODCALLTYPE CMyShellHook::QueryInterface (REFIID iid, void **ppvObject)
{
if(iid == IID_IUnknown)
{
m_lRefCount++;
*ppvObject = this;
}
else if(iid == IID_IShellCopyHook)
{
m_lRefCount++;
*ppvObject = (ICopyHook *)this;
}
else if(iid == IID_IShellExecuteHook)
{
m_lRefCount++;
*ppvObject = (IShellExecuteHook *)this;
}
else
{
*ppvObject = NULL;
return E_NOINTERFACE;
}
return S_OK;
}
ULONG STDMETHODCALLTYPE CMyShellHook::AddRef ()
{
m_lRefCount++;
return m_lRefCount;
}
ULONG STDMETHODCALLTYPE CMyShellHook::Release ()
{
m_lRefCount--;
if(m_lRefCount == 0)
delete this;
return m_lRefCount;
}
UINT STDMETHODCALLTYPE CMyShellHook::CopyCallback (HWND hwnd, UINT wFunc, UINT wFlags, LPCTSTR pszSrcFile, DWORD dwSrcAttribs,
LPCTSTR pszDestFile, DWORD dwDestAttribs)
{
TCHAR szMsg[1024];
wsprintf(szMsg, _T("是否允许将目录从 %s 复制文件到 %s ?"), pszSrcFile, pszDestFile);
return MessageBox(NULL, szMsg, _T("提示"), MB_YESNO | MB_ICONQUESTION| MB_SETFOREGROUND);
}
HRESULT STDMETHODCALLTYPE CMyShellHook::Execute (LPSHELLEXECUTEINFO pei)
{
TCHAR szMsg[1024];
wsprintf(szMsg, _T("是否允许执行 %s %s ?"), pei->lpFile, pei->lpParameters);
return (MessageBox(NULL, szMsg, _T("提示"), MB_YESNO | MB_ICONQUESTION | MB_SETFOREGROUND) == IDYES) ? S_FALSE : S_OK;
}
顺便附上源码,我是64位win7的,在我的电脑上正常运行
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
