写一个注入进程后监视其文件写出操作的代码 用c语言 用SetWindowsHookEx
以下是一个示例代码,它把一个 DLL 注入目标进程并安装全局 WH_SHELL 钩子。需要说明的是:SetWindowsHookEx 只能接收窗口/消息类事件(HSHELL_* 等),本身无法监视文件写出操作;要监视 WriteFile/NtWriteFile,需要在注入的 DLL 内对这些 API 做挂钩,或使用 ETW 文件 I/O 事件、文件系统 minifilter 驱动。原回答中的 FILE_WRITE_DATA 是一个访问权限位,PFILE_WRITE_DATA 类型并不存在,相关代码无法编译。
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
// Handle of the installed WH_SHELL hook. HookProc passes it to CallNextHookEx;
// main installs it with SetWindowsHookEx and removes it with UnhookWindowsHookEx.
HHOOK g_hookHandle = NULL;
// 钩子回调函数
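// WH_SHELL hook callback. nCode is an HSHELL_* notification (window created,
// destroyed, activated, ...); wParam/lParam carry the per-code payload.
//
// NOTE(review): neither WH_SHELL nor any other SetWindowsHookEx hook type
// reports file I/O. The original compared wParam with FILE_WRITE_DATA (an
// ACCESS_MASK bit, 0x0002) and cast lParam to a non-existent PFILE_WRITE_DATA
// type, so it did not compile and could not have observed WriteFile anyway.
// Watching writes needs an in-process API hook of WriteFile/NtWriteFile inside
// the injected DLL, ETW file-I/O events, or a file-system minifilter.
//
// Parameters:
//   nCode  - HSHELL_* code, or a negative value meaning "do not process".
//   wParam - for HSHELL_WINDOWCREATED, the HWND of the new window.
//   lParam - code-specific; unused here.
// Returns the result of the next hook in the chain (CallNextHookEx contract).
LRESULT CALLBACK HookProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    // SetWindowsHookEx contract: negative codes are forwarded without processing.
    if (nCode < 0) {
        return CallNextHookEx(g_hookHandle, nCode, wParam, lParam);
    }

    // Log the one shell event that is a useful anchor for the target's UI
    // activity. This is what the hook can actually see -- not file writes.
    if (nCode == HSHELL_WINDOWCREATED) {
        printf("Shell event: window created, hwnd=%p\n", (void *)(HWND)wParam);
    }

    return CallNextHookEx(g_hookHandle, nCode, wParam, lParam);
}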
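// Entry point. Injects C:\MyHook.dll into the target process, installs a
// global WH_SHELL hook served by that DLL, and pumps messages until WM_QUIT.
//
// Usage: <prog> [pid]   -- pid defaults to 1234 (the original hard-coded value).
//
// Constraints that follow from the Win32 contracts used here:
//  * A global hook (thread id 0) requires the hook procedure to live in a DLL
//    and hMod to be that DLL's handle in THIS process. The original passed
//    kernel32's handle together with an EXE-resident HookProc, which cannot
//    work; the procedure is therefore resolved from MyHook.dll's export table.
//    The HookProc defined above is the reference implementation to compile
//    into, and export from, MyHook.dll.
//  * dllPath must be absolute and the DLL must match the target's bitness.
//  * Nothing here observes file writes by itself -- see the note on HookProc.
// Returns 0 on a clean WM_QUIT, 1 on any failure (Win32 error code on stderr).
int main(int argc, char **argv)
{
    DWORD pid = 1234;
    if (argc > 1) {
        char *end = NULL;
        unsigned long v = strtoul(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || v == 0 || v > 0xFFFFFFFFul) {
            fprintf(stderr, "usage: %s [pid]\n", argv[0]);
            return 1;
        }
        pid = (DWORD)v;
    }

    int rc = 1;
    HANDLE hProcess = NULL;
    HANDLE hRemoteThread = NULL;
    LPVOID pRemoteDllPath = NULL;
    HMODULE hHookDll = NULL;
    static const wchar_t dllPath[] = L"C:\\MyHook.dll";   // sizeof includes the L'\0'

    // Least privilege: exactly the rights VirtualAllocEx, WriteProcessMemory
    // and CreateRemoteThread need, instead of PROCESS_ALL_ACCESS.
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
                           FALSE, pid);
    if (hProcess == NULL) {
        fprintf(stderr, "OpenProcess(%lu) failed: %lu\n", (unsigned long)pid, GetLastError());
        goto out;
    }

    pRemoteDllPath = VirtualAllocEx(hProcess, NULL, sizeof(dllPath), MEM_COMMIT, PAGE_READWRITE);
    if (pRemoteDllPath == NULL) {
        fprintf(stderr, "VirtualAllocEx failed: %lu\n", GetLastError());
        goto out;
    }
    if (!WriteProcessMemory(hProcess, pRemoteDllPath, dllPath, sizeof(dllPath), NULL)) {
        fprintf(stderr, "WriteProcessMemory failed: %lu\n", GetLastError());
        goto out;
    }

    // kernel32 is already mapped here; GetModuleHandle avoids the extra
    // reference the original LoadLibraryEx took and never released. The local
    // address is usable in the target only because kernel32 is mapped at one
    // base in every process of the same bitness -- another reason bitness must match.
    HMODULE hKernel32 = GetModuleHandleW(L"kernel32.dll");
    FARPROC pLoadLibraryW = hKernel32 ? GetProcAddress(hKernel32, "LoadLibraryW") : NULL;
    if (pLoadLibraryW == NULL) {
        fprintf(stderr, "cannot resolve LoadLibraryW: %lu\n", GetLastError());
        goto out;
    }

    hRemoteThread = CreateRemoteThread(hProcess, NULL, 0,
                                       (LPTHREAD_START_ROUTINE)pLoadLibraryW,
                                       pRemoteDllPath, 0, NULL);
    if (hRemoteThread == NULL) {
        fprintf(stderr, "CreateRemoteThread failed: %lu\n", GetLastError());
        goto out;
    }
    WaitForSingleObject(hRemoteThread, INFINITE);

    // The thread exit code is LoadLibraryW's HMODULE truncated to 32 bits;
    // zero means the target could not find, or refused to load, the DLL.
    DWORD remoteModule = 0;
    if (!GetExitCodeThread(hRemoteThread, &remoteModule) || remoteModule == 0) {
        fprintf(stderr, "remote LoadLibraryW failed (missing DLL, wrong bitness, or blocked)\n");
        goto out;
    }

    // For a global hook both the procedure and hMod must come from the DLL.
    hHookDll = LoadLibraryW(dllPath);
    HOOKPROC pHookProc = hHookDll ? (HOOKPROC)GetProcAddress(hHookDll, "HookProc") : NULL;
    if (pHookProc == NULL) {
        fprintf(stderr, "cannot load %ls or find its HookProc export: %lu\n", dllPath, GetLastError());
        goto out;
    }
    g_hookHandle = SetWindowsHookEx(WH_SHELL, pHookProc, hHookDll, 0);
    if (g_hookHandle == NULL) {
        fprintf(stderr, "SetWindowsHookEx failed: %lu\n", GetLastError());
        goto out;
    }

    // Message pump. GetMessage returns -1 on error; the original
    // "while (GetMessage(...))" treated that as true and would spin forever.
    MSG msg;
    BOOL got;
    while ((got = GetMessage(&msg, NULL, 0, 0)) > 0) {
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }
    rc = (got == 0) ? 0 : 1;

out:
    if (g_hookHandle != NULL) {
        UnhookWindowsHookEx(g_hookHandle);
        g_hookHandle = NULL;
    }
    if (hHookDll != NULL) {
        FreeLibrary(hHookDll);
    }
    if (hRemoteThread != NULL) {
        CloseHandle(hRemoteThread);
    }
    if (pRemoteDllPath != NULL) {
        // MEM_RELEASE requires dwSize == 0; the original passed sizeof(dllPath).
        VirtualFreeEx(hProcess, pRemoteDllPath, 0, MEM_RELEASE);
    }
    if (hProcess != NULL) {
        CloseHandle(hProcess);
    }
    return rc;
}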
以上代码中,HookProc 是 WH_SHELL 钩子的回调函数:它收到的 nCode 是 HSHELL_* 事件码(如窗口创建),并不会收到任何文件写出事件;原代码用 FILE_WRITE_DATA(一个访问权限位)判断 wParam,并把 lParam 转换成并不存在的 PFILE_WRITE_DATA 类型,既无法编译也无法达到监视目的。main 函数先打开目标进程,通过 CreateRemoteThread 在目标进程中调用 LoadLibraryW 注入 DLL,然后安装全局钩子并等待消息。需要注意:全局钩子的回调必须位于 DLL 中,SetWindowsHookEx 的 hMod 参数必须是该 DLL 在本进程中的模块句柄(而不是 kernel32.dll 的句柄),因此 HookProc 应编译并导出在 MyHook.dll 中;注入的 DLL 还必须使用绝对路径,并与目标进程位数一致。收到 WM_QUIT 后,卸载钩子并关闭进程句柄。