Keywords for this complete hook-program example: hook, blocking, service
This is the test question I received from company xx for the position of "Senior Windows Program Analyst" when I was applying for a job. The specific requirements (that is, the description of my program) are:
1. The client program is named Client. It monitors the operation of the system; if it finds a "notepad" process (notepad.exe) or a "calculator" process (calc.exe) in the system, it kills the process immediately and writes the event to the database. Every minute it checks the database and uploads the event records that have not yet been uploaded to the server.
1. The target operating environment is Windows 2000 operating system.
2. The program should be designed as a system service.
3. The program must be resistant to attack, including protection against deletion and against forced termination of its processes.
(1) Keep the program running continuously and prevent other programs from forcibly terminating it;
(2) Protect the event database and main execution file from being deleted;
(3) If an abnormality is found (the process is terminated, the file is deleted, etc.), immediately force the program to be reloaded and run again;
(4) If an abnormality is detected three times in a row, the daemon process forces the operating system to restart; after the restart, ensure that the program loads and runs normally.
(A) To realize the above functions the program is not limited to an EXE; the implementation form may be chosen as needed.
(B) All of the above functions are implemented in a normal Windows 2000 environment with Administrator permissions; Windows safe mode, permissions and similar issues need not be considered.
4. Use a simple desktop file database such as Access or xBase.
5. Each generated event contains at least two pieces of information: the time of event occurrence and the event processing object.
The event data is stored in the database in the table tEvent. The tEvent table contains at least two fields:
(1) EventTime field: time/date type. Record the time the event occurred.
(2) EventTarget field: character type. Records the objects killed in the event. Objects to consider are the Notepad process and the Calculator process.
If you need other tables or fields, you can add them as needed.
6. The network transmission format is up to you; decide its content and format according to your needs, there are no specific requirements. The client's network code must interoperate with the server's.
7. There is no limit on the development language and integrated development environment used, you can choose it yourself.
8. For the database connection method, please choose according to your needs.
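The original project stores events in an Access/xBase file database from C++ Builder; the page does not show that code. The following is an added Python illustration (not the project's own code) of the tEvent logic the specification asks for: the two required fields EventTime and EventTarget, plus an extra Uploaded flag (the spec allows extra fields) so the one-minute timer can find records that still need to be sent. sqlite3 stands in for the desktop database, and the table and column names are the ones from the specification; the upload callback and the sample records are constructed. The practitioner's point is in upload_cycle: a record is marked as uploaded only after the server has acknowledged it, so a failed upload does not silently lose an event.

```python
import sqlite3
from datetime import datetime

# Table and field names from the specification; Uploaded is an extra field added
# here (the spec allows extra fields) to track what the client has already sent.
SCHEMA = """
CREATE TABLE IF NOT EXISTS tEvent (
    EventId     INTEGER PRIMARY KEY AUTOINCREMENT,
    EventTime   TEXT    NOT NULL,   -- ISO-8601 text; Access would use a Date/Time column
    EventTarget TEXT    NOT NULL,   -- e.g. 'notepad.exe' or 'calc.exe'
    Uploaded    INTEGER NOT NULL DEFAULT 0
)
"""


def open_event_db(path=":memory:"):
    """Open (or create) the event database; sqlite3 stands in for Access/xBase."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.commit()
    return conn


def record_event(conn, target, when=None):
    """Write one kill event (time + process name) and return its row id."""
    when = when or datetime.now()
    cur = conn.execute(
        "INSERT INTO tEvent (EventTime, EventTarget) VALUES (?, ?)",
        (when.isoformat(timespec="seconds"), target),
    )
    conn.commit()
    return cur.lastrowid


def pending_events(conn):
    """Rows not yet acknowledged by the server, oldest first."""
    return conn.execute(
        "SELECT EventId, EventTime, EventTarget FROM tEvent "
        "WHERE Uploaded = 0 ORDER BY EventId"
    ).fetchall()


def mark_uploaded(conn, event_ids):
    """Flag the given rows as uploaded; returns how many rows changed."""
    if not event_ids:
        return 0
    cur = conn.executemany(
        "UPDATE tEvent SET Uploaded = 1 WHERE EventId = ?",
        [(event_id,) for event_id in event_ids],
    )
    conn.commit()
    return cur.rowcount


def upload_cycle(conn, send):
    """One pass of the one-minute timer.

    `send(event_time, event_target)` is a constructed callback standing in for
    the network client; it must return True only after the server's receipt has
    been received. Rows are marked only on success, and the pass stops at the
    first failure so the remaining rows are retried on the next pass.
    """
    acknowledged = []
    for event_id, event_time, event_target in pending_events(conn):
        if not send(event_time, event_target):
            break  # server unreachable: leave this and later rows for next time
        acknowledged.append(event_id)
    return mark_uploaded(conn, acknowledged)
```

In use, the kill handler calls record_event immediately when it terminates notepad.exe or calc.exe, and a timer calls upload_cycle once a minute with the real network send routine; because the flag is only set after a receipt, a crash or a dropped connection between sending and acknowledging results at worst in a duplicate upload, never a lost event.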
2. The server-side program is named Server. It monitors the network, and as soon as a client uploads data it extracts the event information and displays it in a list in the user interface.
1. The target operating environment is Windows 2000 operating system.
2. The program should be designed as an ordinary Windows 2000 GUI application. The user interface must contain at least one event information list, which contains at least three pieces of information: event occurrence time, event processing object, and event source.
(1) Event occurrence time: the same as the client event occurrence time.
(2) Event processing object: the same as the client event processing object.
(3) Event source: IP address of the client machine that uploaded the current event.
3. The network data transmission format is customized; works in conjunction with the client.
4. There is no limit on the development language and integrated development environment used, you can choose it yourself.
Instructions for running the program:
client.ini must be placed in the root directory of drive C. The other files can be placed anywhere, but survival.exe and client.exe must be in the same folder. Before starting survival.exe, configure the server IP (the interval_server key) in client.ini, then start ADServer.exe.
Source code description
1. Server ADServer.exe
Because the server side is simple, let’s talk about the server side first:)
The job of the server is to receive data from the network, using TServerSocket in blocking mode. Each time TServerSocket receives a connection request from a client, it creates a TServerClientThread; a new TWinSocketStream should be created in this thread to read and write the client's data. The main code is in the ClientExecute method of this thread.
There is no problem with TWinSocketStream writing data to the client, but reading data from the client (with the Read method) often returns before all the data has been read, even if you use WaitForData. So I wrote a waitDateComplete function to wait until the data has been read completely.
2. Client
The client is a bit more troublesome. Client.exe is a service and survival.exe is an application; the two monitor each other, and if one is shut down, the other restarts it. hookDll.dll holds the hooks: global hooks must be written in an independent dll module (except for a few hook types; see this article: http://www.pconline.com.cn/pcedu/empolder/gj/vc/0403/340480.html).
Client.exe has only a few lines of code; it mainly uses CreateProcess to start the process. Note that if the service is to do anything related to the Windows shell, such as the hooks in hookdll.dll that this program starts, ServiceType must be set to stWin32 and the TService::Interactive property must be set to true.
survival.exe is used to start the service, load hookdll.dll, and report events to the server.
1. Starting the service takes three steps. First open the service controller, which is the back end of the "Services" item in the administrative tools: use OpenSCManager to obtain the service manager handle, then OpenService(service manager handle, service name, SERVICE_START | SERVICE_QUERY_STATUS) to obtain a handle to the specified service, and finally StartService(...) to start the service. Note that at least the two access rights SERVICE_START and SERVICE_QUERY_STATUS must be requested.
2. hookdll.dll is loaded by implicit linking, that is, by using BCB's Project | Add to Project to import the dll's .lib file. After importing, the dll is still not loaded unless one of its functions is called from the code. This program calls the dll's beginTrace(HWND host) function to pass it the window handle of survival.exe, and the dll sends messages to survival.exe through this handle.
3. For reporting events to the server, a TMSocketClient class was written specially; it is responsible for the send message -> receive receipt cycle. The main code is in TMSocketClient::Command(….). Compared with the code in ADServer.exe it is very simple and easy to read. By #defining different command constants, this module can handle many types of transmission task. In fact, this module is a class I wrote in the past to simulate TNMFTP; it was simplified by deleting many #defines and was used to transfer files in a virtual LAN (TNMFTP cannot work in a virtual LAN).
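Two points above are worth seeing in working code: the server's problem that a single socket read can return before the whole message has arrived (the reason for the author's waitDateComplete), and the client's send message -> receive receipt cycle. The page does not give the project's wire format or its BCB code, so the following is an added Python illustration (not the project's own code) with a constructed format: a 4-byte length prefix followed by the payload, an EVENT message carrying the two tEvent fields, and an ACK as the receipt. recv_exact is the generic fix for the partial-read problem; the server also records the peer's IP as the event source, as the server specification requires, and rejects oversized length fields so a misbehaving peer cannot make it allocate without bound. The sample event and addresses are constructed.

```python
import socket
import struct
import threading

# Constructed wire format (the original project's format is not on the page):
#   frame  := <4-byte big-endian length><payload>
#   client -> server : b"EVENT\t<EventTime>\t<EventTarget>"
#   server -> client : b"ACK"   (the receipt the client waits for)
HEADER = struct.Struct("!I")
MAX_FRAME = 64 * 1024  # refuse absurd lengths from a bad peer


def recv_exact(sock, n):
    """Read exactly n bytes. A single recv() may return fewer bytes than asked
    for, which is the 'returns before finishing reading' problem; loop until
    the count is satisfied or the peer closes."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before %d bytes arrived" % n)
        buf += chunk
    return bytes(buf)


def send_frame(sock, payload):
    # Header and body are sent separately so they may well arrive in
    # separate segments; the reader must not assume one read == one frame.
    sock.sendall(HEADER.pack(len(payload)))
    sock.sendall(payload)


def recv_frame(sock):
    (length,) = HEADER.unpack(recv_exact(sock, HEADER.size))
    if length > MAX_FRAME:
        raise ValueError("frame too large: %d bytes" % length)
    return recv_exact(sock, length)


def parse_event(payload, source_ip):
    """Turn an EVENT payload into the three columns the server list shows."""
    kind, event_time, target = payload.decode("utf-8").split("\t")
    if kind != "EVENT":
        raise ValueError("unexpected message type %r" % kind)
    return {"EventTime": event_time, "EventTarget": target, "EventSource": source_ip}


def serve_one(listener, received):
    """Server side: accept one client, read its event, answer with a receipt."""
    conn, (peer_ip, _) = listener.accept()
    with conn:
        received.append(parse_event(recv_frame(conn), peer_ip))
        send_frame(conn, b"ACK")


def upload_event(server_addr, event_time, target):
    """Client side: send one event and report whether the receipt came back."""
    with socket.create_connection(server_addr, timeout=5) as sock:
        send_frame(sock, ("EVENT\t%s\t%s" % (event_time, target)).encode("utf-8"))
        return recv_frame(sock) == b"ACK"


def fragmented_roundtrip(payload, piece=3):
    """Write one frame in `piece`-byte chunks over a socketpair to show that
    recv_frame reassembles it regardless of how the bytes were split."""
    reader, writer = socket.socketpair()
    with reader, writer:
        frame = HEADER.pack(len(payload)) + payload
        for i in range(0, len(frame), piece):
            writer.sendall(frame[i:i + piece])
        return recv_frame(reader)


def demo():
    """Run server and client on loopback; returns (receipt_ok, events_seen)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    received = []
    server = threading.Thread(target=serve_one, args=(listener, received))
    server.start()
    ok = upload_event(listener.getsockname(), "2024-01-01T12:00:00", "notepad.exe")
    server.join()
    listener.close()
    return ok, received


if __name__ == "__main__":
    print(demo())
```

The length prefix is what makes "wait for the data to be complete" well defined: without it a reader cannot know whether a short read is the whole message or the first part of it, and WaitForData only tells you that some bytes are available. The client treats anything other than an ACK as a failed upload, which is the signal the database side needs before it flags a record as uploaded.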
3. hookDll.dll
The code is very simple; just note one thing: if N processes load the same dll, the dll is mapped N times. Normally each of these N copies has its own data segment, that is, the same variable holds a different value in each copy and the copies do not interfere with each other. Windows does, however, provide a mechanism that lets us declare a variable in a dll whose value is kept consistent across all N instances, as if it were a pointer that crosses process boundaries. To declare such a variable, first create a .def file with the same name as the dll and write in it:
SECTIONS
SHSEG READ WRITE SHARED
Then declare the dll variables you want to share between processes as global variables and initialize them. Note that the difference between a shared and a non-shared variable is whether it is initialized!
This program refers to "Application of Hooks: Program Running Monitoring" on CCRun. Thanks to the author Victor Chen.
OK, that seems to be basically all there is to explain. In addition, there are some unused variables in the program that I haven't had time to clean up; please forgive me :) Thanks for reading!