最近写东西的时候,需要加上监控主机开机启动登录注销等信息,
解决的方法很多,比如Hook nt!NtExitWindowEx,拦截WM_ENDSESSION消息(部分)
其实,windows在NT4以上的平台已经引入了这种Notify机制,
要监控主机开机启动登录注销等信息,只需向系统注册即可,
我的解决方法分2个部分.
DemonApp.exe负责向Windows注册，实际上就是写注册表
DemonDll.dll提供具体实现
重启生效
这里贴出代码,供需要的同学参考
//启动监视
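// Register DemonDll.dll as a Winlogon notification package.
//
// Creates (or opens) the key
//   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MyDemon
// and writes:
//   Asynchronous = 1 (REG_DWORD)   winlogon calls the handlers on a worker thread
//   DllName      = "DemonDll.dll"  (REG_EXPAND_SZ) the package DLL
//   Lock/Unlock/Logon/Logoff/Startup/Shutdown/StartScreenSaver/StopScreenSaver
//                (REG_SZ)          name of the exported handler for each event
//
// Notes for the operator/reviewer:
//   - Writing under HKLM requires administrative rights.
//   - The DLL named here is loaded into winlogon.exe itself, so this key is a
//     well-known autostart location; expect security tooling to alert on
//     writes to Winlogon\Notify, and keep the DLL where only administrators
//     can write. A bare file name like "DemonDll.dll" is presumably resolved
//     through winlogon's DLL search path - an absolute path is the safer
//     choice.
//   - Winlogon notification packages are honoured on Windows XP / Server 2003;
//     Windows Vista and later ignore this key.
//
// Returns TRUE only if the key was created/opened AND every value was written.
// (The original reported a failed RegCreateKeyExW as success, because it only
// set the failure flag when a handle had been returned - which never happens
// on failure.)
BOOL MyInstallDemon()
{
    static const WCHAR szDemonRegPath[] =
        L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\MyDemon";

    // Every string value written below: registry value name, value type, data.
    // The byte count is computed from the actual string, so the registry does
    // not receive the padding zeros that sizeof(fixed-size array) produced.
    static const struct {
        const WCHAR *pszName;
        DWORD        dwType;
        const WCHAR *pszData;
    } kStringValues[] = {
        { L"DllName",          REG_EXPAND_SZ, L"DemonDll.dll" },
        { L"Lock",             REG_SZ,        L"DemonLock" },
        { L"Unlock",           REG_SZ,        L"DemonUnlock" },
        { L"Logon",            REG_SZ,        L"DemonLogon" },
        { L"Logoff",           REG_SZ,        L"DemonLogoff" },
        { L"Startup",          REG_SZ,        L"DemonStartup" },
        { L"Shutdown",         REG_SZ,        L"DemonShutdown" },
        { L"StartScreenSaver", REG_SZ,        L"DemonStartScreenSaver" },
        { L"StopScreenSaver",  REG_SZ,        L"DemonStopScreenSaver" },
    };

    HKEY  hDemonKey     = NULL;
    DWORD dwDisposition = 0;   // output only: REG_CREATED_NEW_KEY or REG_OPENED_EXISTING_KEY

    // Default security (NULL SECURITY_ATTRIBUTES) is equivalent to the
    // original's SECURITY_ATTRIBUTES with a NULL descriptor.
    LONG lResult = RegCreateKeyExW(HKEY_LOCAL_MACHINE, szDemonRegPath, 0, NULL,
                                   REG_OPTION_NON_VOLATILE, KEY_WRITE, NULL,
                                   &hDemonKey, &dwDisposition);
    if (lResult != ERROR_SUCCESS) {
        return FALSE;
    }

    BOOL bOk = TRUE;

    // Asynchronous=1: winlogon invokes the handlers on a new thread instead of
    // blocking its own event processing on them.
    DWORD dwAsynFlag = 1;
    lResult = RegSetValueExW(hDemonKey, L"Asynchronous", 0, REG_DWORD,
                             (const BYTE *)&dwAsynFlag, sizeof(dwAsynFlag));
    if (lResult != ERROR_SUCCESS) {
        bOk = FALSE;
    }

    for (size_t i = 0; i < sizeof(kStringValues) / sizeof(kStringValues[0]); ++i) {
        // +1 so the terminating NUL is stored, as REG_SZ / REG_EXPAND_SZ expect.
        DWORD cbData = (DWORD)((lstrlenW(kStringValues[i].pszData) + 1) * sizeof(WCHAR));
        lResult = RegSetValueExW(hDemonKey, kStringValues[i].pszName, 0,
                                 kStringValues[i].dwType,
                                 (const BYTE *)kStringValues[i].pszData, cbData);
        if (lResult != ERROR_SUCCESS) {
            bOk = FALSE;   // keep going so every value is attempted, as before
        }
    }

    RegCloseKey(hDemonKey);
    return bOk;
}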
上面注册的各个处理函数,需要自己写DLL并导出.
如登录这个事件
//登陆
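// Winlogon "Logon" notification handler exported from DemonDll.dll.
//
// Appends one timestamped "登陆" line to the log file named by szLogFileName
// (declared elsewhere in the DLL). winlogon calls this on a worker thread
// (Asynchronous=1) in winlogon's own security context, so szLogFileName
// should point into a directory that non-administrators cannot write to.
// A notification callback has no caller to report to, so failures are
// silently ignored.
//
// Fixes relative to the original listing:
//   - the wsprintfW argument list had a trailing comma (did not compile);
//   - dwSize was assigned without being declared;
//   - WideCharToMultiByte was given the whole 260-WCHAR buffer as input,
//     which can exceed the 260-byte output buffer once the multibyte
//     characters are counted and then converts nothing.
extern "C" __declspec(dllexport) void __cdecl DemonLogon(void)
{
    HANDLE hLogFile = CreateFileW(szLogFileName, GENERIC_WRITE,
                                  FILE_SHARE_WRITE | FILE_SHARE_READ, NULL,
                                  OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hLogFile == INVALID_HANDLE_VALUE) {
        return;
    }

    // Append: seeking to FILE_END replaces GetFileSize + FILE_BEGIN and does
    // not require the file size to fit in a DWORD.
    SetFilePointer(hLogFile, 0, NULL, FILE_END);

    // Timestamp is UTC (GetSystemTime), as in the original.
    SYSTEMTIME NowTime = {0};
    GetSystemTime(&NowTime);

    WCHAR szLogValue[MAX_PATH] = {0};
    wsprintfW(szLogValue,
              L"%d-%d-%d %d:%d:%d.%d 登陆\r\n",
              NowTime.wYear, NowTime.wMonth, NowTime.wDay,
              NowTime.wHour, NowTime.wMinute, NowTime.wSecond, NowTime.wMilliseconds);

    // -1: convert up to and including the terminator; the return value then
    // counts the terminator too, so cbMulti - 1 is the number of text bytes.
    char szMulti[MAX_PATH] = {0};
    int cbMulti = WideCharToMultiByte(CP_ACP, 0, szLogValue, -1,
                                      szMulti, sizeof(szMulti), NULL, NULL);
    if (cbMulti > 1) {
        DWORD dwWritten = 0;
        WriteFile(hLogFile, szMulti, (DWORD)(cbMulti - 1), &dwWritten, NULL);
    }

    CloseHandle(hLogFile);
}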
最近写东西的时候,需要加上监控主机开机启动登录注销等信息,
解决的方法很多,比如Hook nt!NtExitWindowEx,拦截WM_ENDSESSION消息(部分)
其实,windows在NT4以上的平台已经引入了这种Notify机制,
要监控主机开机启动登录注销等信息,只需向系统注册即可,
我的解决方法分2个部分.
DemonApp.exe负责向Windows注册，实际上就是写注册表
DemonDll.dll提供具体实现
重启生效
这里贴出代码,供需要的同学参考
//启动监视
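// Register DemonDll.dll as a Winlogon notification package.
//
// Creates (or opens) the key
//   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MyDemon
// and writes:
//   Asynchronous = 1 (REG_DWORD)   winlogon calls the handlers on a worker thread
//   DllName      = "DemonDll.dll"  (REG_EXPAND_SZ) the package DLL
//   Lock/Unlock/Logon/Logoff/Startup/Shutdown/StartScreenSaver/StopScreenSaver
//                (REG_SZ)          name of the exported handler for each event
//
// Notes for the operator/reviewer:
//   - Writing under HKLM requires administrative rights.
//   - The DLL named here is loaded into winlogon.exe itself, so this key is a
//     well-known autostart location; expect security tooling to alert on
//     writes to Winlogon\Notify, and keep the DLL where only administrators
//     can write. A bare file name like "DemonDll.dll" is presumably resolved
//     through winlogon's DLL search path - an absolute path is the safer
//     choice.
//   - Winlogon notification packages are honoured on Windows XP / Server 2003;
//     Windows Vista and later ignore this key.
//
// Returns TRUE only if the key was created/opened AND every value was written.
// (The original reported a failed RegCreateKeyExW as success, because it only
// set the failure flag when a handle had been returned - which never happens
// on failure.)
BOOL MyInstallDemon()
{
    static const WCHAR szDemonRegPath[] =
        L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\MyDemon";

    // Every string value written below: registry value name, value type, data.
    // The byte count is computed from the actual string, so the registry does
    // not receive the padding zeros that sizeof(fixed-size array) produced.
    static const struct {
        const WCHAR *pszName;
        DWORD        dwType;
        const WCHAR *pszData;
    } kStringValues[] = {
        { L"DllName",          REG_EXPAND_SZ, L"DemonDll.dll" },
        { L"Lock",             REG_SZ,        L"DemonLock" },
        { L"Unlock",           REG_SZ,        L"DemonUnlock" },
        { L"Logon",            REG_SZ,        L"DemonLogon" },
        { L"Logoff",           REG_SZ,        L"DemonLogoff" },
        { L"Startup",          REG_SZ,        L"DemonStartup" },
        { L"Shutdown",         REG_SZ,        L"DemonShutdown" },
        { L"StartScreenSaver", REG_SZ,        L"DemonStartScreenSaver" },
        { L"StopScreenSaver",  REG_SZ,        L"DemonStopScreenSaver" },
    };

    HKEY  hDemonKey     = NULL;
    DWORD dwDisposition = 0;   // output only: REG_CREATED_NEW_KEY or REG_OPENED_EXISTING_KEY

    // Default security (NULL SECURITY_ATTRIBUTES) is equivalent to the
    // original's SECURITY_ATTRIBUTES with a NULL descriptor.
    LONG lResult = RegCreateKeyExW(HKEY_LOCAL_MACHINE, szDemonRegPath, 0, NULL,
                                   REG_OPTION_NON_VOLATILE, KEY_WRITE, NULL,
                                   &hDemonKey, &dwDisposition);
    if (lResult != ERROR_SUCCESS) {
        return FALSE;
    }

    BOOL bOk = TRUE;

    // Asynchronous=1: winlogon invokes the handlers on a new thread instead of
    // blocking its own event processing on them.
    DWORD dwAsynFlag = 1;
    lResult = RegSetValueExW(hDemonKey, L"Asynchronous", 0, REG_DWORD,
                             (const BYTE *)&dwAsynFlag, sizeof(dwAsynFlag));
    if (lResult != ERROR_SUCCESS) {
        bOk = FALSE;
    }

    for (size_t i = 0; i < sizeof(kStringValues) / sizeof(kStringValues[0]); ++i) {
        // +1 so the terminating NUL is stored, as REG_SZ / REG_EXPAND_SZ expect.
        DWORD cbData = (DWORD)((lstrlenW(kStringValues[i].pszData) + 1) * sizeof(WCHAR));
        lResult = RegSetValueExW(hDemonKey, kStringValues[i].pszName, 0,
                                 kStringValues[i].dwType,
                                 (const BYTE *)kStringValues[i].pszData, cbData);
        if (lResult != ERROR_SUCCESS) {
            bOk = FALSE;   // keep going so every value is attempted, as before
        }
    }

    RegCloseKey(hDemonKey);
    return bOk;
}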
上面注册的各个处理函数,需要自己写DLL并导出.
如登录这个事件
//登陆
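// Winlogon "Logon" notification handler exported from DemonDll.dll.
//
// Appends one timestamped "登陆" line to the log file named by szLogFileName
// (declared elsewhere in the DLL). winlogon calls this on a worker thread
// (Asynchronous=1) in winlogon's own security context, so szLogFileName
// should point into a directory that non-administrators cannot write to.
// A notification callback has no caller to report to, so failures are
// silently ignored.
//
// Fixes relative to the original listing:
//   - the wsprintfW argument list had a trailing comma (did not compile);
//   - dwSize was assigned without being declared;
//   - WideCharToMultiByte was given the whole 260-WCHAR buffer as input,
//     which can exceed the 260-byte output buffer once the multibyte
//     characters are counted and then converts nothing.
extern "C" __declspec(dllexport) void __cdecl DemonLogon(void)
{
    HANDLE hLogFile = CreateFileW(szLogFileName, GENERIC_WRITE,
                                  FILE_SHARE_WRITE | FILE_SHARE_READ, NULL,
                                  OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hLogFile == INVALID_HANDLE_VALUE) {
        return;
    }

    // Append: seeking to FILE_END replaces GetFileSize + FILE_BEGIN and does
    // not require the file size to fit in a DWORD.
    SetFilePointer(hLogFile, 0, NULL, FILE_END);

    // Timestamp is UTC (GetSystemTime), as in the original.
    SYSTEMTIME NowTime = {0};
    GetSystemTime(&NowTime);

    WCHAR szLogValue[MAX_PATH] = {0};
    wsprintfW(szLogValue,
              L"%d-%d-%d %d:%d:%d.%d 登陆\r\n",
              NowTime.wYear, NowTime.wMonth, NowTime.wDay,
              NowTime.wHour, NowTime.wMinute, NowTime.wSecond, NowTime.wMilliseconds);

    // -1: convert up to and including the terminator; the return value then
    // counts the terminator too, so cbMulti - 1 is the number of text bytes.
    char szMulti[MAX_PATH] = {0};
    int cbMulti = WideCharToMultiByte(CP_ACP, 0, szLogValue, -1,
                                      szMulti, sizeof(szMulti), NULL, NULL);
    if (cbMulti > 1) {
        DWORD dwWritten = 0;
        WriteFile(hLogFile, szMulti, (DWORD)(cbMulti - 1), &dwWritten, NULL);
    }

    CloseHandle(hLogFile);
}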