


  石头听了都会感动流泪的好声音。
  淡淡的忧伤弥漫于晶莹剔透的钢琴声中,时间仿佛静止,让我们暂时驻足,忘却迷失的现在,回望逝去的流年!
  
  依然是简朴淡淡的音乐,Holly用她那质朴声音带来了久违的感动!依然没有过多乐器,钢琴,小号,吉他,简单而又安
  静。



  有时候我们希望能够动态监视系统中任意进程/线程的创建与销毁。为了达到此目的我翻阅了 DDK 手册,发现其提供的 PsSetCreateProcessNotifyRoutine()、PsSetCreateThreadNotifyRoutine() 等函数可以实现此功能。这两个函数可以通过向系统注册一个 CALLBACK 函数来监视进程/线程等操作。函数原型如下:

NTSTATUS
PsSetCreateProcessNotifyRoutine(
IN PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine,
IN BOOLEAN Remove
);

VOID
(*PCREATE_PROCESS_NOTIFY_ROUTINE) (
IN HANDLE ParentId,
IN HANDLE ProcessId,
IN BOOLEAN Create
);


NTSTATUS
PsSetCreateThreadNotifyRoutine(
IN PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine
);

VOID
(*PCREATE_THREAD_NOTIFY_ROUTINE) (
IN HANDLE ProcessId,
IN HANDLE ThreadId,
IN BOOLEAN Create
);

  通过原型可以看出,其 CALLBACK 函数只提供了进程ID/线程ID。并没有提供进程名。那么我们要进一步通过进程ID来获取进程名。这需要用到一个未公开的函数 PsLookupProcessByProcessId()。函数原型如下:

NTSTATUS PsLookupProcessByProcessId(
IN ULONG ulProcId,
OUT PEPROCESS * pEProcess
);

  函数输出的 EPROCESS 结构也是未公开的内核进程结构,很多人称其为 KPEB。EPROCESS 结构中偏移 0x1FC 处即为当前进程名。(这个结构虽然可以在驱动程序中直接使用。但没有公布其结构,网上有不少高手已将其结构给出。有兴趣可以自行搜索,或去 IFS DDK 中获取,这里因为结构太长,就不贴出来了)有了这个结构我们就可以从中得到进程名。NT系统还提供了一个函数可以动态监视进程装载映像。此函数可以得到进程加载时所调用的 DLL 名称与全路径,还有一些映像信息。为我们获得更详细的进程装载信息提供了更好的帮助。

函数原型如下:

NTSTATUS
PsSetLoadImageNotifyRoutine(
IN PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine
);

VOID
(*PLOAD_IMAGE_NOTIFY_ROUTINE) (
IN PUNICODE_STRING FullImageName,
IN HANDLE ProcessId, // where image is mapped
IN PIMAGE_INFO ImageInfo
);

typedef struct _IMAGE_INFO {
union {
ULONG Properties;
struct {
ULONG ImageAddressingMode : 8; //code addressing mode
ULONG SystemModeImage : 1; //system mode image
ULONG ImageMappedToAllPids : 1; //mapped in all processes
ULONG Reserved : 22;
};
};
PVOID ImageBase;
ULONG ImageSelector;
ULONG ImageSize;
ULONG ImageSectionNumber;
} IMAGE_INFO, *PIMAGE_INFO;

  利用以上提供的函数与结构,我们便能实现一个进程/线程监视器。下面这段代码演示了如何实现此功能。


/*****************************************************************
文件名 : WssProcMon.c
描述 : 进程/线程监视器
作者 : sinister
最后修改日期 : 2002-11-02
*****************************************************************/

#include "ntddk.h"
#include "string.h"

#define ProcessNameOffset 0x1fc

static NTSTATUS MydrvDispatch (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
NTSTATUS PsLookupProcessByProcessId(IN ULONG ulProcId, OUT PEPROCESS * pEProcess);
VOID ProcessCreateMon ( IN HANDLE hParentId, IN HANDLE PId,IN BOOLEAN bCreate);
VOID ThreadCreateMon (IN HANDLE PId, IN HANDLE TId, IN BOOLEAN bCreate);
VOID ImageCreateMon (IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo );

// 驱动入口
NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath )
{

UNICODE_STRING nameString, linkString;
PDEVICE_OBJECT deviceObject;
NTSTATUS status;
int i;

//建立设备
RtlInitUnicodeString( &nameString, L"\\Device\\WssProcMon" );

status = IoCreateDevice( DriverObject,
0,
&nameString,
FILE_DEVICE_UNKNOWN,
0,
TRUE,
&deviceObject );

if (!NT_SUCCESS( status ))
return status;

RtlInitUnicodeString( &linkString, L"\\DosDevices\\WssProcMon" );

status = IoCreateSymbolicLink (&linkString, &nameString);

if (!NT_SUCCESS( status ))
{
IoDeleteDevice (DriverObject->DeviceObject);
return status;
}

status = PsSetLoadImageNotifyRoutine(ImageCreateMon);
if (!NT_SUCCESS( status ))
{
DbgPrint("PsSetLoadImageNotifyRoutine()\n");
return status;
}

status = PsSetCreateThreadNotifyRoutine(ThreadCreateMon);
if (!NT_SUCCESS( status ))
{
DbgPrint("PsSetCreateThreadNotifyRoutine()\n");
return status;
}

status = PsSetCreateProcessNotifyRoutine(ProcessCreateMon, FALSE);
if (!NT_SUCCESS( status ))
{
DbgPrint("PsSetCreateProcessNotifyRoutine()\n");
return status;
}

for ( i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++) {

DriverObject->MajorFunction[i] = MydrvDispatch;
}

return STATUS_SUCCESS;

}



//处理设备对象操作

static NTSTATUS MydrvDispatch (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0L;
IoCompleteRequest( Irp, 0 );
return Irp->IoStatus.Status;
}


VOID ProcessCreateMon ( IN HANDLE hParentId, IN HANDLE PId,IN BOOLEAN bCreate )
{
PEPROCESS EProcess;
ULONG ulCurrentProcessId;
LPTSTR lpCurProc;
NTSTATUS status;

status = PsLookupProcessByProcessId( (ULONG)PId, &EProcess);
if (!NT_SUCCESS( status ))
{
DbgPrint("PsLookupProcessByProcessId()\n");
return ;
}

if ( bCreate )
{
lpCurProc = (LPTSTR)EProcess;
lpCurProc = lpCurProc + ProcessNameOffset;

DbgPrint( "CREATE PROCESS = PROCESS NAME: %s , PROCESS PARENTID: %d, PROCESS ID: %d, PROCESS ADDRESS %x:\n",
lpCurProc,
hParentId,
PId,
EProcess );
}

else
{

DbgPrint( "TERMINATED == PROCESS ID: %d\n", PId);

}

}

VOID ThreadCreateMon (IN HANDLE PId, IN HANDLE TId, IN BOOLEAN bCreate)
{

PEPROCESS EProcess;
ULONG ulCurrentProcessId;
LPTSTR lpCurProc;
NTSTATUS status;

status = PsLookupProcessByProcessId( (ULONG)PId, &EProcess);
if (!NT_SUCCESS( status ))
{
DbgPrint("PsLookupProcessByProcessId()\n");
return ;
}

if ( bCreate )
{
lpCurProc = (LPTSTR)EProcess;
lpCurProc = lpCurProc + ProcessNameOffset;

DbgPrint( "CREATE THREAD = PROCESS NAME: %s PROCESS ID: %d, THREAD ID: %d\n", lpCurProc, PId, TId );

}

else
{

DbgPrint( "TERMINATED == THREAD ID: %d\n", TId);

}

}

VOID ImageCreateMon (IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInf
o )
{
DbgPrint("FullImageName: %S,Process ID: %d\n",FullImageName->Buffer,ProcessId);
DbgPrint("ImageBase: %x,ImageSize: %d\n",ImageInfo->ImageBase,ImageInfo->ImageSize);
}

Option Explicit

Private Const STATUS_ACCESS_DENIED = &HC0000022
Private Const SECTION_MAP_WRITE = &H2
Private Const SECTION_MAP_READ = &H4
Private Const READ_CONTROL = &H20000
Private Const WRITE_DAC = &H40000
Private Const NO_INHERITANCE = 0
Private Const DACL_SECURITY_INFORMATION = &H4

Private Type UNICODE_STRING
Length
As Integer
MaximumLength As Integer
Buffer As Long
End
Type

Private Type OBJECT_ATTRIBUTES
Length
As Long
RootDirectory As Long
ObjectName As Long
Attributes As Long
SecurityDeor As Long
SecurityQualityOfService As Long
End
Type

Private Enum ACCESS_MODE
NOT_USED_ACCESS
GRANT_ACCESS
SET_ACCESS
DENY_ACCESS
REVOKE_ACCESS
SET_AUDIT_SUCCESS
SET_AUDIT_FAILURE
End Enum

Private Enum
MULTIPLE_TRUSTEE_OPERATION
NO_MULTIPLE_TRUSTEE
TRUSTEE_IS_IMPERSONATE
End Enum

Private Enum
TRUSTEE_FORM
TRUSTEE_IS_SID
TRUSTEE_IS_NAME
End Enum

Private Enum
TRUSTEE_TYPE
TRUSTEE_IS_UNKNOWN
TRUSTEE_IS_USER
TRUSTEE_IS_GROUP
End Enum

Private
Type TRUSTEE
pMultipleTrustee
As Long
MultipleTrusteeOperation As MULTIPLE_TRUSTEE_OPERATION
TrusteeForm
As TRUSTEE_FORM
TrusteeType
As TRUSTEE_TYPE
ptstrName
As String
End
Type

Private Type EXPLICIT_ACCESS
grfAccessPermissions
As Long
grfAccessMode As ACCESS_MODE
grfInheritance
As Long
TRUSTEE As TRUSTEE
End Type

Private Enum SE_OBJECT_TYPE
SE_UNKNOWN_OBJECT_TYPE =
0
SE_FILE_OBJECT
SE_SERVICE
SE_PRINTER
SE_REGISTRY_KEY
SE_LMSHARE
SE_KERNEL_OBJECT
SE_WINDOW_OBJECT
SE_DS_OBJECT
SE_DS_OBJECT_ALL
SE_PROVIDER_DEFINED_OBJECT
SE_WMIGUID_OBJECT
End Enum

Private Declare Function
SetSecurityInfo Lib "advapi32.dll" (ByVal Handle As Long, ByVal ObjectType As SE_OBJECT_TYPE, ByVal SecurityInfo As Long, ppsidOwner As Long, ppsidGroup As Long, ppDacl As Any, ppSacl As Any) As Long
Private Declare Function
GetSecurityInfo Lib "advapi32.dll" (ByVal Handle As Long, ByVal ObjectType As SE_OBJECT_TYPE, ByVal SecurityInfo As Long, ppsidOwner As Long, ppsidGroup As Long, ppDacl As Any, ppSacl As Any, ppSecurityDeor As Long) As Long
Private Declare Function
SetEntriesInAcl Lib "advapi32.dll" Alias "SetEntriesInAclA" (ByVal cCountOfExplicitEntries As Long, pListOfExplicitEntries As EXPLICIT_ACCESS, ByVal OldAcl As Long, NewAcl As Long) As Long
Private Declare Sub
RtlInitUnicodeString Lib "NTDLL.DLL" (DestinationString As UNICODE_STRING, ByVal SourceString As Long)
Private Declare Function ZwOpenSection Lib "NTDLL.DLL" (SectionHandle As Long, ByVal DesiredAccess As Long, ObjectAttributes As color="#000000">Any) As Long
Private Declare Function
LocalFree Lib "kernel32" (ByVal hMem As Any) As Long
Private Declare Function
CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function
MapViewOfFile Lib "kernel32" (ByVal hFileMappingObject As Long, ByVal dwDesiredAccess As Long, ByVal dwFileOffsetHigh As Long, ByVal dwFileOffsetLow As Long, ByVal dwNumberOfBytesToMap As Long) As Long
Private Declare Function
UnmapViewOfFile Lib "kernel32" (lpBaseAddress As Any) As Long
Private Declare Sub
CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA" (lpVersionInformation As OSVERSIONINFO) As Long

Private
Type OSVERSIONINFO
dwOSVersionInfoSize
As Long
dwMajorVersion As Long
dwMinorVersion As Long
dwBuildNumber As Long
dwPlatformId As Long
szCSDVersion As String * 128
End Type

Private verinfo As OSVERSIONINFO

Private g_pMapPhysicalMemory As Long
Private
g_hMPM As Long
Private
aByte(3) As Byte

Public Function
ChangeCurrentProcessID(FalsePID as long)

Dim thread As Long, process As Long, fw As Long, bw As Long
Dim
lOffsetFlink As Long, lOffsetBlink As Long, lOffsetPID As Long

verinfo.dwOSVersionInfoSize = Len(verinfo)
If (GetVersionEx(verinfo)) <> 0 Then
If
verinfo.dwPlatformId = 2 Then
If
verinfo.dwMajorVersion = 5 Then
Select Case
verinfo.dwMinorVersion
Case 0
lOffsetPID = &H9C
Case 1
lOffsetPID = &H84
End Select
End If
End If
End If

If
OpenPhysicalMemory <> 0 Then
thread = GetData(&HFFDFF124)
process = GetData(thread +
&H44)
SetData process+lOffsetPID , FalsePID
CloseHandle g_hMPM
End If
End Function

Private Sub
SetPhyscialMemorySectionCanBeWrited(ByVal hSection As Long)
Dim pDacl As Long
Dim
pNewDacl As Long
Dim
pSD As Long
Dim
dwRes As Long
Dim
ea As EXPLICIT_ACCESS

GetSecurityInfo hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
0, 0, pDacl, 0, pSD

ea.grfAccessPermissions = SECTION_MAP_WRITE
ea.grfAccessMode = GRANT_ACCESS
ea.grfInheritance = NO_INHERITANCE
ea.TRUSTEE.TrusteeForm = TRUSTEE_IS_NAME
ea.TRUSTEE.TrusteeType = TRUSTEE_IS_USER
ea.TRUSTEE.ptstrName =
"CURRENT_USER" & vbNullChar

SetEntriesInAcl
1, ea, pDacl, pNewDacl

SetSecurityInfo hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
0, 0<
font color="#000000">, ByVal pNewDacl, 0

CleanUp:
LocalFree pSD
LocalFree pNewDacl
End Sub

Private Function
OpenPhysicalMemory() As Long
Dim
Status As Long
Dim
PhysmemString As UNICODE_STRING
Dim Attributes As OBJECT_ATTRIBUTES

RtlInitUnicodeString PhysmemString, StrPtr(
"\Device\PhysicalMemory")
Attributes.Length = Len(Attributes)
Attributes.RootDirectory =
0
Attributes.ObjectName = VarPtr(PhysmemString)
Attributes.Attributes =
0
Attributes.SecurityDeor = 0
Attributes.SecurityQualityOfService = 0

Status = ZwOpenSection(g_hMPM, SECTION_MAP_READ Or SECTION_MAP_WRITE, Attributes)
If Status = STATUS_ACCESS_DENIED Then
Status = ZwOpenSection(g_hMPM, READ_CONTROL Or WRITE_DAC, Attributes)
SetPhyscialMemorySectionCanBeWrited g_hMPM
CloseHandle g_hMPM
Status = ZwOpenSection(g_hMPM, SECTION_MAP_READ
Or SECTION_MAP_WRITE, Attributes)
End If

Dim
lDirectoty As Long
verinfo.dwOSVersionInfoSize = Len(verinfo)
If (GetVersionEx(verinfo)) <> 0 Then
If
verinfo.dwPlatformId = 2 Then
If
verinfo.dwMajorVersion = 5 Then
Select Case
verinfo.dwMinorVersion
Case 0
lDirectoty = &H30000
Case 1
lDirectoty = &H39000
End Select
End If
End If
End If

If
Status = 0 Then
g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, 4, 0, lDirectoty, &H1000)
If g_pMapPhysicalMemory <> 0 Then OpenPhysicalMemory = g_hMPM
End If
End Function

Private Function
LinearToPhys(BaseAddress As Long, addr As Long) As Long
Dim
VAddr As Long, PGDE As Long, PTE As Long, PAddr As Long
Dim
lTemp As Long

VAddr = addr
CopyMemory aByte(
0), VAddr, 4
lTemp = Fix(ByteArrToLong(aByte) / (2 ^ 22))

PGDE = BaseAddress + lTemp *
4
CopyMemory PGDE, ByVal PGDE, 4

If (PGDE And 1) <> 0 Then
lTemp = PGDE And &H80
If lTemp <> 0 Then
PAddr = (PGDE And &HFFC00000) + (VAddr And &H3FFFFF)
Else
PGDE = MapViewOfFile(g_hMPM, 4, 0, PGDE And &HFFFFF000, &H1000)
lTemp = (VAddr
And &H3FF000) / (2 ^ 12)
PTE = PGDE + lTemp *
4
CopyMemory PTE, ByVal PTE, 4

If (PTE And 1) <> 0 Then
PAddr = (PTE And &HFFFFF000) + (VAddr And &HFFF)
UnmapViewOfFile PGDE
End If
End If
End If

LinearToPhys = PAddr
End Function

Private Function
GetData(addr As Long) As Long
Dim
phys As Long, tmp As Long, ret As Long

color="#000000">phys = LinearToPhys(g_pMapPhysicalMemory, addr)
tmp = MapViewOfFile(g_hMPM, 4, 0, phys And &HFFFFF000, &H1000)
If tmp <> 0 Then
ret = tmp + ((phys And &HFFF) / (2 ^ 2)) * 4
CopyMemory ret, ByVal ret, 4

UnmapViewOfFile tmp
GetData = ret
End If
End Function

Private Function
SetData(ByVal addr As Long, ByVal data As Long) As Boolean
Dim
phys As Long, tmp As Long, x As Long

phys = LinearToPhys(g_pMapPhysicalMemory, addr)
tmp = MapViewOfFile(g_hMPM, SECTION_MAP_WRITE,
0, phys And &HFFFFF000, &H1000)
If tmp <> 0 Then
x = tmp + ((phys And &HFFF) / (2 ^ 2)) * 4
CopyMemory ByVal x, data, 4

UnmapViewOfFile tmp
SetData =
True
End If
End Function

Private Function
ByteArrToLong(inByte() As Byte) As Double
Dim
i As Integer
For
i = 0 To 3
ByteArrToLong = ByteArrToLong + inByte(i) * (&H100 ^ i)
Next i
End Function


方法一(兼容较好):

Option Explicit

Dim HookedLoadLibraryExW(0 To 9) As Long
Dim
User32BaseAddress As Long, User32ImageSize As Long

Private Function
FilterLoadLibraryExW(ByVal RetAddr As Long) As Long
[/font][font=Comic Sans MS]' You can do whatever you wanna do here - iceboy
[/font][font=Fixedsys]If RetAddr >= User32BaseAddress And RetAddr < User32BaseAddress + User32ImageSize Then Exit Function
FilterLoadLibraryExW = 1
End Function

Public Function
TryHookLoadLibraryExW() As Boolean
Dim
LoadLibraryExW As Long, Length As Long, Offset As Long

LoadLibraryExW = GetModuleHandleW(StrPtr("kernel32"))
LoadLibraryExW = GetProcAddress(LoadLibraryExW,
"LoadLibraryExW")

If CharFromPtr(LoadLibraryExW) = &HE9 Then Exit Function

Do
Length = ade32_disasm(LoadLibraryExW + Offset)
If Length <= 0 Then Exit Function
Offset = Offset + Length
Loop While Offset < 5

If Offset > 11 Then Exit Function

User32BaseAddress = GetModuleHandleW(StrPtr("user32"))
User32ImageSize = DwordFromPtr(User32BaseAddress +
&H3C)
User32ImageSize = DwordFromPtr(User32BaseAddress + User32ImageSize +
&H50)

HookedLoadLibraryExW(
0) = &HE82434FF
HookedLoadLibraryExW(1) = RetLng(AddressOf FilterLoadLibraryExW) - VarPtr(HookedLoadLibraryExW(2))
HookedLoadLibraryExW(
2) = &H875C085
HookedLoadLibraryExW(3) = &HCC000CC2
HookedLoadLibraryExW(4) = &HCCCCCCCC

IcyMoveMemory VarPtr(HookedLoadLibraryExW(5)), LoadLibraryExW, Offset
CharToPtr VarPtr(HookedLoadLibraryExW(
5)) + Offset, &HE9
DwordToPtr VarPtr(HookedLoadLibraryExW(5)) + Offset + 1, LoadLibraryExW - VarPtr(HookedLoadLibraryExW(5)) - 5

If IcyProtectVirtualMemoryEx(VarPtr(HookedLoadLibraryExW(0)), 44, PAGE_EXECUTE_READWRITE, VarPtr(Length)) < 0 Then Exit Function
If
IcyProtectVirtualMemoryEx(LoadLibraryExW, 5, PAGE_EXECUTE_READWRITE, VarPtr(Length)) < 0 Then Exit Function
CharToPtr LoadLibraryExW, &HE9
DwordToPtr LoadLibraryExW + 1, VarPtr(HookedLoadLibraryExW(0)) - (LoadLibraryExW + 5)

TryHookLoadLibraryExW =
True
End Function


方法二(通俗易懂):

Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function
GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function
GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Sub
CopyMemory Lib "kernel32.dll" Alias "RtlMoveMemory" (ByVal Destination As Long, ByVal Source or="#0000FF">As Long, ByVal length As Long)
Private Declare Function lstrlen Lib "kernel32" Alias "lstrlenA" (ByVal lpString As Long) As Long

Dim
NewAddr(7) As Byte
Dim
OldAddr(7) As Byte
Dim
pBaseAddr As Long

Private Sub
HookLoadLibrary()
Dim hMod As Long

hMod = GetModuleHandle("kernel32")
pBaseAddr = GetProcAddress(hMod,
"LoadLibraryExW")


CopyMemory VarPtr(NewAddr(
1)), AddressOf LoadLibraryExWCallBack, 4 [/font][font=Comic Sans MS]'保存地址


' mov Eax, 我们的地址
' jmp Eax

[/font][font=Fixedsys]NewAddr(0) = &HB8
NewAddr(5) = &HFF
NewAddr(6) = &HE0
NewAddr(7) = &H0

CopyMemory VarPtr(OldAddr(0)), pBaseAddr, 8
WriteProcessMemory -1, ByVal pBaseAddr, NewAddr(0), 8, 0
End Sub

Private Function
HookStatus(ByVal IsHook As Boolean) As Boolean
If
IsHook Then
If
WriteProcessMemory(-1, ByVal pBaseAddr, NewAddr(0), 8, 0) <> 0 Then HookStatus = False
Else
If
WriteProcessMemory(-1, ByVal pBaseAddr, OldAddr(0), 8, 0) <> 0 Then HookStatus = False
End If
End Function

Public Function
LoadLibraryExWCallBack(ByVal a As Long, ByVal b As Long, ByVal c As Long) As Long
Dim
str As String, Ret As Long
Const
Neet As String = "kernel32.dll advapi32.dll psapi.dll ntoskrnl.exe ntdll.dll vba6.dll" [/font][font=Comic Sans MS]'据蒜子说,系统本身的 dll 不带路径
[/font][font=Fixedsys]HookStatus False [/font][font=Comic Sans MS]'暂时恢复钩子
[/font][font=Fixedsys]str = String(lstrlen(a) * 2, 0)
CopyMemory StrPtr(str),
ByVal a, lstrlen(a) * 2
str = Left$(str, lstrlen(a))
If Mid(str, 2, 1) <> ":" Then
[/font][font=Comic Sans MS]'由于 unicode 的问题,我们这里用 A,A 最终应该会调用 W,所以要恢复钩子
'如果需调用 W ,有个可爱的函数叫做 strptr
[/font][font=Fixedsys]Ret = LoadLibraryEx(str, b, c)
Else
Ret = 0
End If
HookStatus True [/font][font=Comic Sans MS]'再次 hook 该函数
[/font][font=Fixedsys]LoadLibraryExWCallBack = Ret
End Function



  独特的嗓音,沙哑的质感,配上欢快的曲调,仿佛感受到了沙滩和海风的韵味,心情在这温暖的歌声里彻底放松。
  偶然听见的歌,却是让我感觉非常舒畅,所以推荐给大家听听。
  
  可能也是我心情的缘故,今天被Boss误会了,心有点冷,有点伤。
  加班加点到这么晚,果然很累。堪培拉的风,在这寒冷的晚上(下雨的说?还是心情的说?)唯一能让我放松、能让我感觉到阳光的旋律...

  对“暖乐团”并不熟悉,百度后才知道,原来“暖”一直是带着梦想,用心在唱歌,用爱去生活,用快乐在传递的一个乐队组合。陌生的城市里,人与人之间的距离被钢筋水泥阻断,还有多少人能走进另一个人的心扉,还有多少人在孤独的夜晚感觉到寒冷。一个微笑,一个拥抱,这个世界就会变的很温暖。关爱他人,是暖对这个社会最诚挚的呼唤。在这样一个季节里,有暖有音乐在,你就不会寒冷,你就不会孤单。
  
  这一季,有音乐,有阳光,有爱,也有暖。

  




  那个,过亚弥乃我还要多介绍吗?大家应该都知道了吧……好吧,我就点一下,一下下。过亚弥乃就是在宫崎骏的动画《猫的报恩》里面唱片尾曲《幻化成风》的那个~~这首歌中文有两个版本,一个是曾宝仪的《专注》,还有一个是梁静茹的《大手拉小手》,现在都知道了吧……其实我知道的也就这些,我是个懒人,懒得去搜她的资料了,只有一些大概的了解。恩,喜欢声音而已,不需要理由的,也不需要背景,我听歌都这样。

  过亚弥乃给我的感觉呢,就是一个温和的邻家女孩,说实话,我第一次在宫大师的《猫的报恩》里听见这个声音的时候,顿时被惊艳到了,然后那片子我好久没删,就为了时不时拖到最后听下她的歌(宫崎骏的作品我都收藏的)。

  她的声音是号称公认的治愈系声音,微有点沙哑,不高亢,也不低沉,就温和(废话),我发现这样的声音还适合我呢。虽然平常经常标榜自己有多变态,但看来我似乎还是不适合暴戾,抑或,也只是因为我抽了吧囧。不过长久以来,我喜欢温和的声音确实一直没有变的,虽然有时会见异思迁的喜欢一些高亢,或者粗犷,或者低沉的各种声音。那么总的来说,似乎她的声音还是满足我的需求的,她喜欢夏威夷四弦琴,这琴声音弹起来跟棉花有几分相似,也算是我喜欢的乐器,这样乐器,更加得让我坚定了对她邻家女孩的定位。(哎,要真邻家就好了……我天天缠着小亚姐姐给我唱歌……)

  在她的音乐里,整个编曲上,恩,没错,大和弦……大和弦才治愈么囧,好吧,大和弦也是我一直喜欢的,她的歌听起来似乎就像一个很有很多美好经历的人,生活很广阔,色彩斑斓。所以我决定向她学习,这几天不宅,出去转转,适当的进行一下光合作用……


  写的时候颠来倒去的,经常把某段扯上去,某段扯下来,因此如果有牛头不对马嘴的地方,纯属正常。




新歌听了好几天了
我又听到那种有些坚韧有些伤感,但决不缠绵的声音。
很久之前,大家的共识是听燕姿的歌,会感到记忆簌簌扑落,拍打着翅膀,无论多么难受,总会感觉到力量,说穿了,穿透力,穿过记忆的穿透力。

许多人都不会否定,那个当初瘦弱单薄的女孩曾在你的初中,高中
留下了多少细碎的眼泪
那些个,台灯下有些暗,书摞下磁带转动着,那个声音在唱着

“我爱上让我奋不顾身的一个人
我以为这就是我所追求的世界
然而横冲直撞被误解被骗
是否成人的世界背后总有残缺
我走在每天必须面对的分岔路
我怀念过去单纯美好的小幸福
爱总是让人哭
让人觉得不满足 ...”

包含着眼泪,以及许多许多对于社会,对于人生,对于懵懂的回忆。
尽管我们最后才知道
这一切多么的傻呼呼,又是多么的幸福。


听燕姿的歌曲,你可以不需要放自己感情进去。
她的声音像一把手牵着你,
你大可以不必多愁善感,
但是当你不自觉的时候
才会发现,哦,原来眼泪流出。

许多年前同学间有个玩笑
好好学习,长大了,娶孙燕姿

你会发现,燕姿并不符合当下美女的定义。
但是,有些人,很适合你,能与你有感应。
不管是怎样,选择,退出,分手,冲突。
最后在转了一圈后,究竟有多少人还勇气大声唱着
“未来有一个人在等待...”


平行线不会交汇
但是可以握手
于是相交


来自布拉格的写真
燕姿显然已经不再是当初那个瘦弱,素衣的小女孩了。
惊艳与岁月的酝酿,这样的燕姿褪去了明星不老的光环。
已然看到把陪我们走过许许多多路口的声音。
依旧高亢,但多了一份沧桑。

友人说
有些歌曲她已经不敢听,她怕会哭
是啊,长大了,我们愈发学会用勇敢与坚强伪装自己。

想起以前的理想 是奔跑
想起以前的欢笑 是绿光
想起以前的暗恋 是遇见
想起以前的懵懂 是天黑黑
想起以前的归途 是同类
想起以前的信纸 是我也很想他
想起以前.....





前路,岁月以往,声音国度,可愿意再像少年时任性的笑或哭一回...





引用 Smallrascal 的话 (略有修改):
  某日遇到一例在 Vista 上安装 Mcafee 8.0 后蓝屏的情况,第一次安装失败之后不管在正常模式或是安全模式都无法完全卸载 Mcafee 8.0。网上逛了一圈发现了这个东东,刚安装完就提示 Mcafee 8.0 没有正常安装,需要卸载,而其他卸载软件通通败下阵来,根本检测不到,就更不用说卸载了,真是强势啊!

引用完毕,下面看看该微软的说明:
  Microsoft 已更新了 Windows Installer 清理实用工具。利用 Windows Installer 清理实用工具,可以删除程序的 Windows Installer 配置信息。如果您遇到安装(安装程序)问题,可能需要删除程序的 Windows Installer 配置信息。例如,第一次安装程序时没有包括其中的某个组件,如果添加(或删除)此组件时遇到安装问题,您也许不得不删除该程序的 Windows Installer 配置信息。

  卸载工具还是微软自家的强悍啊,有了这个免费绿色的清理工具就不需要其他市面上其他卸载工具了。

------------------------------------------

下面是来源于微软的官方下载链接:

文件下载 Windows Installer Clean Up 下载地址1 | Windows Installer Clean Up 下载地址2




  一个蛮可爱的女生
  略带稚嫩的声音却很有爆发力,唱出了恋人离去爱情不在身边,却只有睹物思人的那种无奈与伤感。
  最初听到她的声音是她的那首 I REMEMBER 这是她的原创作品为了纪念她的母亲在生弟弟时因难产逝世。
  这个女生对我杀伤力非常大....神奇般的,我们居然喜欢同样的歌手,她喜欢张悬,孙燕姿,艾薇儿,而我也一样喜欢这三人;更神奇般的,她还喜欢篮球,还是专长咯;最最最神奇的是....跟我家老婆大人长得一模一样~~哟吼吼...不管是身高,还是五官...相似度达90了,哟吼吼~~~



**************************************************************************************
*
* 版权归 雨律在线 - YuLv.Net - JiaJia 所有
*
* 转载请务必注明来源于 Http://Www.YuLv.Net
*
* 加加唯一指定官方 YuLv.Net 建议用户到官方安全下载
*
**************************************************************************************


更新日志
1、新增了启动软件自动最小化的选项
2、新增了全屏窗口化去标题的选项

  WarKey++ 即 WarKey 加强版。虽是加强,但更简单。不管在操作和使用方面都比 WarKey 简单,不喜欢复杂改键的朋友很适用。

  注:新增的全屏窗口化功能在小图标的右键菜单中


点击查看 : 在线多引擎杀软扫描报告
主文件名 : WarKey.exe
文件大小 : 184320 byte
MD5 : 9f594446ac81da2388ea0fc4765fd378
SHA1 : 413024900ceed567a9b36b62c31b18da026dbeb7

官方下载地址 WarKey++ 3.3 单文件绿色加强版 下载  [雨律在线 - YuLv.Net]