如何在Windows中挂接到应用程序和进程启动? [英] How to hook into application and process startup in windows?

问题描述

我正在尝试编写一个程序，该程序将挂接到应用程序启动并捕获命令行.不知道从哪里开始，因为我在Windows编程中非常绿. 希望有帮助 谢谢

I am trying to write a program that will hook into application startup and capture the commandline. Don't have an idea where to start as I am pretty green in windows programming. Would appreciate any help thanks

推荐答案

您没有提到您喜欢的编程语言，因此我将使用C#作为示例代码片段.

You didn't mention your prefered programming language, so I'll use C# for example snippets.

您可以启动一个进程并捕获/写入其标准IO流.

You can start a process and capture/write into its standard IO streams.

以下代码段，打开一个进程并捕获其 StdOut 流:

The following snippet, opens a process and captures its StdOut stream:

using (var process = Process.Start(new ProcessStartInfo(FileName = @"yourExecutablePath", UseShellExecute = false, RedirectStandardOutput = true)))
    using (var stdout = process.StandardOutput)
        Console.WriteLine(stdout.ReadToEnd());

---

编辑1

好像您想挂钩Windows API，例如 CreateProcess .

Looks like you want to hook Windows APIs like CreateProcess.

一种方法是编写内核驱动程序，并使用诸如SSTD修补之类的挂钩技术.但是编写内核驱动程序IMO很麻烦.

One way to do so is to write a kernel driver and use hooking techniques such as SSTD patching. But writing a kernel driver IMO is cumbersome.

在某些情况下，您可以使用用户级挂钩.有一些库可以为您提供帮助，包括: EasyHook ， Deviare 和 MS Detour .

In some cases you can use user-level hooks. There are a few libraries that might help you with that, including: EasyHook, Deviare, and MS Detour.

编辑2

您也可以按照建议 @David Heffernan 使用 WMI ，但这只会通知您之后，该过程开始了(与挂钩相反，它允许您在挂钩的函数之前被调用和/或覆盖该函数调用的情况下运行一些任意代码):

You can also use WMI as @David Heffernan suggested but it will only notify you AFTER the process gets started (as opposed to hooking, which allows you to run some arbitrary code BEFORE the hooked function gets called and/or override the function call):

using System.Management;

// Run this in another thread and make sure the event watcher gets disposed before exit

var start = new ManagementEventWatcher(new WqlEventQuery("SELECT * FROM Win32_ProcessStartTrace"));    

start.EventArrived += new EventArrivedEventHandler(delegate (object sender, EventArrivedEventArgs e) {
    console.WriteLine("Name: {0}, Command Line: {1}", e.NewEvent.Properties["ProcessName"].Value, e.NewEvent.Properties["Commandline"].Value);
});

start.Start()

这篇关于如何在Windows中挂接到应用程序和进程启动?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！