Windows Undocumented Functions Revealed (2) (Repost)
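This installment shows how to use undocumented Windows functions to implement operation monitoring. With it, any file operation under Windows, including creating files and folders, deleting files, and changing a file's size, can be logged.
First, the two undocumented functions that make this possible: SHChangeNotifyRegister and SHChangeNotifyDeregister. SHChangeNotifyRegister is declared as follows: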
Declare Function SHChangeNotifyRegister Lib "shell32" Alias "#2" _
(ByVal hWnd As Long, _
ByVal uFlags As SHCN_ItemFlags, _
ByVal dwEventID As SHCN_EventIDs, _
ByVal uMsg As Long, _
ByVal cItems As Long, _
lpps As PIDLSTRUCT) As Long
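The hWnd parameter specifies the handle of the window that receives the system notifications, and uMsg specifies the message value. If the function succeeds, the system adds the window specified by hWnd to the system notification chain and returns a notification handle. When a system operation such as creating a file occurs, the system sends the uMsg message to the window specified by hWnd. The other parameters are explained further below. SHChangeNotifyDeregister is declared as follows: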
Declare Function SHChangeNotifyDeregister Lib "shell32" Alias "#4" _
(ByVal hNotify As Long) As Boolean
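The hNotify parameter specifies the notification handle.
A concrete VB example follows.
First create a new project and add a TextBox to Form1. Then add the following code to Form1's code window: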
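Option Explicit

Private Sub Form_Load()
    If SubClass(hWnd) Then    ' Replace Form1's message handler
        If IsIDE Then
            ' Text: "A real-time monitor for Windows file and directory operations.
            ' Renaming, creating and deleting files or directories in Explorer, changing
            ' file associations, inserting and removing CDs, and adding and removing
            ' shares are all recorded by this program."
            Text1.Text = vbCrLf & _
                "一個 Windows的檔案目錄操作即時監視程式," & vbCrLf & "可以監視在Explore中的重新命名、新建、刪除文" & _
                vbCrLf & "件或目錄;改變檔案關聯;插入、取出CD和新增" & vbCrLf & "刪除共享都可以被該程式記錄下來。"
        End If
        Call SHNotify_Register(hWnd)
    Else
        ' Text: "The system does not support the operation monitor :-)"
        Text1 = "系統不支援操作監視程式 :-)"
    End If
    Move Screen.Width - Width, Screen.Height - Height
End Sub

' Returns True when running inside the VB IDE: Debug statements are removed
' from a compiled EXE, so the division by zero only raises an error in the IDE.
Private Function IsIDE() As Boolean
    On Error GoTo Out
    Debug.Print 1 / 0
Out:
    IsIDE = Err
End Function

Private Sub Form_Unload(Cancel As Integer)
    Call SHNotify_Unregister
    Call UnSubClass(hWnd)
End Sub

' Called for each notification message: wParam points to a SHNOTIFYSTRUCT
' holding the two item IDs, lParam carries the event ID.
Public Sub NotificationReceipt(wParam As Long, lParam As Long)
    Dim sOut As String
    Dim shns As SHNOTIFYSTRUCT
    Dim sDisplayname1 As String
    Dim sDisplayname2 As String

    ' Copy the structure out of the memory that wParam points to
    MoveMemory shns, ByVal wParam, Len(shns)
    If shns.dwItem1 Then
        sDisplayname1 = GetDisplayNameFromPIDL(shns.dwItem1)
    End If
    If shns.dwItem2 Then
        sDisplayname2 = GetDisplayNameFromPIDL(shns.dwItem2)
    End If
    sOut = SHNotify_GetEventStr(sDisplayname1, sDisplayname2, lParam) & vbCrLf
    Text1 = Text1 & sOut & vbCrLf
    Text1.SelStart = Len(Text1)    ' Keep the caret at the end of the log
End Sub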
Next, add three module (.bas) files to the project and save them as mDef.Bas, mShell.Bas and mSub.Bas. Add the following code to mDef.Bas:
' mDef.Bas contains the declarations of the Shell functions and data types
Option Explicit
Declare Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" (pDest As Any, _
pSource As Any, ByVal dwLength As Long)
Declare Sub CoTaskMemFree Lib "ole32.dll" (ByVal pv As Long)
Public Const MAX_PATH = 260
Public Const NOERROR = 0
' SHGetSpecialFolderLocation retrieves the location of a special folder; on success it returns NOERROR,
' otherwise an OLE error
Declare Function SHGetSpecialFolderLocation Lib "shell32.dll" _
(ByVal hwndOwner As Long, _
ByVal nFolder As SHSpecialFolderIDs, _
pidl As Long) As Long
Public Enum SHSpecialFolderIDs
' IDs of all the special folders under Windows
CSIDL_DESKTOP = &H0
CSIDL_INTERNET = &H1
CSIDL_PROGRAMS = &H2
CSIDL_CONTROLS = &H3
CSIDL_PRINTERS = &H4
CSIDL_PERSONAL = &H5
CSIDL_FAVORITES = &H6
CSIDL_STARTUP = &H7
CSIDL_RECENT = &H8
CSIDL_SENDTO = &H9
CSIDL_BITBUCKET = &HA
CSIDL_STARTMENU = &HB
CSIDL_DESKTOPDIRECTORY = &H10
CSIDL_DRIVES = &H11
CSIDL_NETWORK = &H12
CSIDL_NETHOOD = &H13
CSIDL_FONTS = &H14
CSIDL_TEMPLATES = &H15
CSIDL_COMMON_STARTMENU = &H16
CSIDL_COMMON_PROGRAMS = &H17
CSIDL_COMMON_STARTUP = &H18
CSIDL_COMMON_DESKTOPDIRECTORY = &H19
CSIDL_APPDATA = &H1A
CSIDL_PRINTHOOD = &H1B
CSIDL_ALTSTARTUP = &H1D
CSIDL_COMMON_ALTSTARTUP = &H1E
CSIDL_COMMON_FAVORITES = &H1F
CSIDL_INTERNET_CACHE = &H20
CSIDL_COOKIES = &H21
CSIDL_HISTORY = &H22
End Enum
' SHGetPathFromIDList converts an item ID list into a file path
Declare Function SHGetPathFromIDList Lib "shell32.dll" Alias "SHGetPathFromIDListA" _
(ByVal pidl As Long, _
ByVal pszPath As String) As Long
' SHGetFileInfoPidl retrieves information about a file.
Declare Function SHGetFileInfoPidl Lib "shell32" Alias "SHGetFileInfoA" (ByVal pidl As Long, _
ByVal dwFileAttributes As Long, _
pib As SHFILEINFOBYTE, _
ByVal cbFileInfo As Long, _
ByVal uFlags As SHGFI_flags) As Long
Public Type SHFILEINFOBYTE
hIcon As Long
iIcon As Long
dwAttributes As Long
szDisplayName(1 To MAX_PATH) As Byte
szTypeName(1 To 80) As Byte
End Type
Declare Function SHGetFileInfo Lib "shell32" Alias "SHGetFileInfoA" _
(ByVal pszPath As String, _
ByVal dwFileAttributes As Long, _
psfi As SHFILEINFO, _
ByVal cbFileInfo As Long, _
ByVal uFlags As SHGFI_flags) As Long
Public Type SHFILEINFO
hIcon As Long
iIcon As Long
dwAttributes As Long
szDisplayName As String * MAX_PATH
szTypeName As String * 80
End Type
Enum SHGFI_flags
SHGFI_LARGEICON = &H0
SHGFI_SMALLICON = &H1
SHGFI_OPENICON = &H2
SHGFI_SHELLICONSIZE = &H4
SHGFI_PIDL = &H8
SHGFI_USEFILEATTRIBUTES = &H10
SHGFI_ICON = &H100
SHGFI_DISPLAYNAME = &H200
SHGFI_TYPENAME = &H400
SHGFI_ATTRIBUTES = &H800
SHGFI_ICONLOCATION = &H1000
SHGFI_EXETYPE = &H2000
SHGFI_SYSICONINDEX = &H4000
SHGFI_LINKOVERLAY = &H8000
SHGFI_SELECTED = &H10000
End Enum
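An added example, not part of the original article: a self-contained module showing how the two declarations at the top of the article are used together to register a window for notifications on the whole desktop tree and to release that registration again. The names ExRegister, ExUnregister, ExFreeRoot and EX_WM_SHNOTIFY are hypothetical; the SHCNRF_* source flags and SHCNE_ALLEVENTS are the values from the shlobj.h header that now documents this function, passed as plain Long arguments because the article's SHCN_ItemFlags and SHCN_EventIDs enums are not shown on this page.

```vb
' Added example, not from the original article. Ex* names are hypothetical.
Option Explicit

Private Type PIDLSTRUCT                     ' same layout as SHChangeNotifyEntry
    pidl As Long                            ' item ID list to watch
    bWatchSubFolders As Long                ' non-zero: include subfolders
End Type

Private Const SHCNRF_InterruptLevel = &H1   ' file-system level events
Private Const SHCNRF_ShellLevel = &H2       ' events raised by the shell
Private Const SHCNE_ALLEVENTS = &H7FFFFFFF
Private Const CSIDL_DESKTOP = &H0
Public Const EX_WM_SHNOTIFY = &H401         ' assumed private message (WM_USER + 1)

Private Declare Function SHChangeNotifyRegister Lib "shell32" Alias "#2" _
    (ByVal hWnd As Long, ByVal uFlags As Long, ByVal dwEventID As Long, _
     ByVal uMsg As Long, ByVal cItems As Long, lpps As PIDLSTRUCT) As Long
Private Declare Function SHChangeNotifyDeregister Lib "shell32" Alias "#4" _
    (ByVal hNotify As Long) As Long         ' Win32 BOOL is 32 bits wide
Private Declare Function SHGetSpecialFolderLocation Lib "shell32" _
    (ByVal hwndOwner As Long, ByVal nFolder As Long, pidl As Long) As Long
Private Declare Sub CoTaskMemFree Lib "ole32" (ByVal pv As Long)

Private m_hNotify As Long                   ' handle returned by the registration
Private m_pidlRoot As Long                  ' PIDL of the watched root

' Registers hWnd for every event under the desktop; True on success.
Public Function ExRegister(ByVal hWnd As Long) As Boolean
    Dim ps As PIDLSTRUCT
    If m_hNotify <> 0 Then Exit Function    ' refuse a second registration
    If SHGetSpecialFolderLocation(hWnd, CSIDL_DESKTOP, m_pidlRoot) <> 0 Then Exit Function
    ps.pidl = m_pidlRoot
    ps.bWatchSubFolders = 1
    m_hNotify = SHChangeNotifyRegister(hWnd, SHCNRF_InterruptLevel Or SHCNRF_ShellLevel, _
                                       SHCNE_ALLEVENTS, EX_WM_SHNOTIFY, 1, ps)
    If m_hNotify = 0 Then ExFreeRoot        ' failed: do not leak the PIDL
    ExRegister = (m_hNotify <> 0)
End Function

' Removes the registration and frees the PIDL; call before the window is destroyed.
Public Sub ExUnregister()
    If m_hNotify <> 0 Then SHChangeNotifyDeregister m_hNotify
    m_hNotify = 0
    ExFreeRoot
End Sub

Private Sub ExFreeRoot()
    If m_pidlRoot <> 0 Then CoTaskMemFree m_pidlRoot
    m_pidlRoot = 0
End Sub
```

Shell change notifications are best-effort: the shell can collapse a burst of events into a single SHCNE_UPDATEDIR, so the log this produces is a convenience view rather than an audit trail.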
Source: ITPUB blog, link: http://blog.itpub.net/10748419/viewspace-1001196/. If you repost this article, please credit the source; otherwise legal liability will be pursued.