
Is it possible to code an "access clipboard" monitoring program?

Is there any possibility on Windows to create a program (C# or even C++, or any other language) which is able to trace which processes are using the clipboard?

I have malware that modifies my clipboard when I paste Ethereum addresses. No tools are able to detect this malware... Since I'm a programmer, I would like to code a tool to help me find the malicious process.

Any idea if it's possible?

Thanks a lot

There is no Win32 API for monitoring access to the clipboard, only for detecting when changes are made to the clipboard's content.

To do what you are asking for, you will have to write a DLL that directly hooks the Win32 OpenClipboard() function, such as with a detour, and then you can inject that DLL into all running processes, such as with SetWindowsHookEx(), AppInit_DLLs, etc. When your hook is called, it can communicate information about the calling process back to your main app as needed, such as the process ID.

You can find an existing and reputable tool that can do that for you: Sysmon v12.0 by SysInternals.

Although it doesn't mention it on the doc page, this states:

Sysmon 12 adds clipboard capturing

I sifted through some help and references and confirmed that the following config works:

<Sysmon schemaversion="4.40">
  <CaptureClipboard />
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ClipboardChange onmatch="exclude">
      </ClipboardChange>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

You can view those captured events in the Windows Event Viewer, in Applications and Services Logs/Microsoft/Windows/Sysmon/Operational.

In response to my copying text from the command prompt, I can see this logged event:

Clipboard changed:
RuleName: -
UtcTime: 2020-10-12 22:08:45.505
ProcessGuid: {0509ed25-cd58-5f84-41a3-050000003500}
ProcessId: 20708
Image: C:\Windows\System32\cmd.exe
Session: 3
etc...
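An added example, not part of the answer above: a PowerShell script that reads the Sysmon ClipboardChange events (Event ID 24 in the Microsoft-Windows-Sysmon/Operational log) and flags the pattern a clipboard-swapping malware produces, namely a second change by a different image within a few seconds of the user's own copy. It assumes Sysmon is installed with the CaptureClipboard config shown above and that the script runs with rights to read that log; the 3-second window is an assumed tuning value.

```powershell
# Added example: find processes that rewrite the clipboard right after another process changed it.
# Assumes Sysmon 12+ with <CaptureClipboard /> enabled (ClipboardChange = Event ID 24).
param(
    [int]$MaxEvents = 500,
    [double]$WindowSeconds = 3.0   # assumed: a rewrite this soon after a user copy is suspicious
)

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 24          # Sysmon ClipboardChange
} -MaxEvents $MaxEvents -ErrorAction Stop

# Pull UtcTime, ProcessId and Image out of each event's XML payload.
$changes = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        UtcTime   = [datetime]::ParseExact($data['UtcTime'], 'yyyy-MM-dd HH:mm:ss.fff', $null)
        ProcessId = [int]$data['ProcessId']
        Image     = $data['Image']
    }
}
$changes = @($changes | Sort-Object UtcTime)

# A clipper overwrites the clipboard shortly after the user's application filled it:
# flag every change made by a different image within $WindowSeconds of the previous change.
$suspects = for ($i = 1; $i -lt $changes.Count; $i++) {
    $prev = $changes[$i - 1]; $cur = $changes[$i]
    $delta = ($cur.UtcTime - $prev.UtcTime).TotalSeconds
    if ($cur.Image -ne $prev.Image -and $delta -le $WindowSeconds) {
        [pscustomobject]@{
            UtcTime      = $cur.UtcTime
            SecondsAfter = [math]::Round($delta, 3)
            FirstImage   = $prev.Image
            Rewriter     = $cur.Image
            RewriterPid  = $cur.ProcessId
        }
    }
}

'Clipboard changes per image:'
$changes | Group-Object Image | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

'Rapid rewrites by a different process (candidate clipper, most frequent first):'
$suspects | Group-Object Rewriter | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$suspects | Format-Table -AutoSize
```

An image that appears repeatedly as Rewriter but never as FirstImage is the one to investigate (its path and PID are in the event).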

Another option, for DIY programmers :)

From your code, copy something to the Clipboard with delay rendering:

::SetClipboardData(CF_TEXT, NULL);

When someone (that malware?) would attempt to get that text, you will receive a WM_RENDERFORMAT message. If you place a breakpoint there and stop your execution, the calling program will be blocked on its GetClipboardData call or something like that.

I didn't figure out where to go from here. Enumerate all processes? Attach to each one with the debugger? Look at their call stacks?
