Hook Tutorial - Principles (15): JournalRecordProc
Original article: http://www.zdexe.com/program/201004/589.html
Method 10: JournalRecordProc Function
The JournalRecordProc hook procedure is an application-defined or library-defined callback function used with the SetWindowsHookEx function. The function records messages the system removes from the system message queue. Later, an application can use a JournalPlaybackProc hook procedure to play back the messages.
The HOOKPROC type defines a pointer to this callback function. JournalRecordProc is a placeholder for the application-defined or library-defined function name.
Syntax
LRESULT CALLBACK JournalRecordProc(
int code,
WPARAM wParam,
LPARAM lParam
);
Parameters
code: [in] Specifies how to process the message. If code is less than zero, the hook procedure must pass the message to the CallNextHookEx function without further processing and should return the value returned by CallNextHookEx. This parameter can be one of the following values.
1. HC_ACTION: The lParam parameter is a pointer to an EVENTMSG structure containing information about a message removed from the system queue. The hook procedure must record the contents of the structure by copying them to a buffer or file.
2. HC_SYSMODALOFF: A system-modal dialog box has been destroyed. The hook procedure must resume recording.
3. HC_SYSMODALON: A system-modal dialog box is being displayed. Until the dialog box is destroyed, the hook procedure must stop recording.
wParam: This parameter is not used.
lParam: [in] Pointer to an EVENTMSG structure that contains the message to be recorded.
Return Value
The return value is ignored.
Remarks
A JournalRecordProc hook procedure must copy but not modify the messages. After the hook procedure returns control to the system, the message continues to be processed.
Install the JournalRecordProc hook procedure by specifying the WH_JOURNALRECORD hook type and a pointer to the hook procedure in a call to the SetWindowsHookEx function.
A JournalRecordProc hook procedure does not need to live in a dynamic-link library. A JournalRecordProc hook procedure can live in the application itself.
Unlike most other global hook procedures, the JournalRecordProc and JournalPlaybackProc hook procedures are always called in the context of the thread that set the hook.
An application that has installed a JournalRecordProc hook procedure should watch for the VK_CANCEL virtual key code (which is implemented as the CTRL+BREAK key combination on most keyboards). This virtual key code should be interpreted by the application as a signal that the user wishes to stop journal recording. The application should respond by ending the recording sequence and removing the JournalRecordProc hook procedure. Removal is important. It prevents a journaling application from locking up the system by hanging inside a hook procedure.
This role as a signal to stop journal recording means that a CTRL+BREAK key combination cannot itself be recorded. Since the CTRL+C key combination has no such role as a journaling signal, it can be recorded. There are two other key combinations that cannot be recorded: CTRL+ESC and CTRL+ALT+DEL. Those two key combinations cause the system to stop all journaling activities (record or playback), remove all journaling hooks, and post a WM_CANCELJOURNAL message to the journaling application.
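The rules above (pass negative codes on, pause while a system-modal dialog is shown, copy without modifying, stop on VK_CANCEL) can be checked with a portable model; this is an added example, not code from the original article or from the Windows SDK. It installs no hook: `Recorder`, `call_next`, `journal_record`, `run_demo` and `LOG_CAP` are hypothetical names, the constants repeat the winuser.h values so the file compiles without Windows headers, and reading the virtual-key code from the low byte of `paramL` is an assumption.

```c
/* Added example: portable model of the JournalRecordProc rules; installs no hook. */
#include <stddef.h>

/* Values as defined in winuser.h, repeated so this compiles anywhere. */
enum { HC_ACTION = 0, HC_SYSMODALON = 4, HC_SYSMODALOFF = 5 };
enum { WM_KEYDOWN = 0x0100, VK_CANCEL = 0x03, LOG_CAP = 64 /* assumed size */ };

typedef struct { unsigned message, paramL, paramH, time; void *hwnd; } EVENTMSG;

typedef struct {
    EVENTMSG log[LOG_CAP];  /* copies of recorded messages */
    size_t count;
    int paused;             /* system-modal dialog is displayed */
    int stop;               /* owner must now remove the hook */
    int passed_on;          /* calls handed to the next hook */
} Recorder;

/* Hypothetical stand-in for CallNextHookEx. */
static long call_next(Recorder *r) { r->passed_on++; return 0; }

long journal_record(Recorder *r, int code, const EVENTMSG *ev)
{
    if (code < 0) return call_next(r);       /* no further processing */
    if (code == HC_SYSMODALON)  r->paused = 1;
    if (code == HC_SYSMODALOFF) r->paused = 0;
    if (code != HC_ACTION || !ev || r->paused || r->stop) return 0;
    /* Assumption: low byte of paramL is the virtual-key code. */
    if (ev->message == WM_KEYDOWN && (ev->paramL & 0xFF) == VK_CANCEL)
        r->stop = 1;                         /* CTRL+BREAK is not recorded */
    else if (r->count < LOG_CAP)
        r->log[r->count++] = *ev;            /* copy, never modify */
    else
        r->stop = 1;                         /* buffer full: stop, do not overflow */
    return 0;                                /* return value is ignored */
}

/* Feeds a constructed message sequence through the model. */
Recorder run_demo(void)
{
    Recorder r = {0};
    EVENTMSG a = { WM_KEYDOWN, 0x41, 0, 0, NULL }, b = a, c = a, brk = a;
    b.paramL = 0x42; c.paramL = 0x43; brk.paramL = VK_CANCEL;
    journal_record(&r, -1, &a);              /* code < 0: passed on only */
    journal_record(&r, HC_ACTION, &a);       /* recorded */
    journal_record(&r, HC_SYSMODALON, NULL);
    journal_record(&r, HC_ACTION, &b);       /* skipped while paused */
    journal_record(&r, HC_SYSMODALOFF, NULL);
    journal_record(&r, HC_ACTION, &c);       /* recorded */
    journal_record(&r, HC_ACTION, &brk);     /* stop signal */
    journal_record(&r, HC_ACTION, &a);       /* ignored after stop */
    return r;
}
```

In a real application, the point where `stop` becomes set is where the owning thread would end the recording sequence and remove the hook, as the remarks above require.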