GetWindowLong跨进程获取WndProc、DlgProc。。。
2013-01-04 00:12
在看雪提问,没人回答,只能自己折腾。。。
标题虽然写的是 GetWindowLong,其实并没有调用 GetWindowLong,只是仿照 GetWindowLong 的内部实现改写了一份:直接用 ReadProcessMemory 读目标进程的窗口结构,不经过 user32 的 API。。
下面的代码在 Win7(32 位)上可用:它依赖 user32 导出的 gSharedInfo,以及 TEB+&H6E8、WND+&H60、WND+&HCC 这几个未公开的硬编码偏移,换系统版本或 64 位目标时需要重新核对。要想在 XP 上用,必须暴力搜索 user32.gSharedInfo(XP 不导出它),搜索方法:从 user32 的入口点往下看,在调用 CsrClientConnectToServer(原文写作 CsrCononToServer)的那个函数附近;或者参照网上枚举全局 Hook 的代码。另外,读取目标进程内存需要对目标拥有 PROCESS_VM_READ 权限,对受保护或权限更高的进程会失败。
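' Cross-process WndProc / DlgProc lookup (VB6, 32-bit, Win7 x86 layout).
'
' Instead of calling GetWindowLong (which only works for windows of the
' calling process), this module walks the same data GetWindowLong uses:
' user32!gSharedInfo -> window handle table -> kernel WND pointer, then
' rebases that pointer with the per-thread client delta from the target
' thread's TEB and reads the WND fields with ReadProcessMemory.
'
' Security / portability notes:
'   * Every offset below is undocumented and was taken from Win7 x86. On
'     other versions (the post mentions XP: DlgProc at +&HA8) or on 64-bit
'     targets they must be re-verified; a wrong offset yields garbage, not
'     an error.
'   * Reading a target's memory needs PROCESS_VM_READ on it; protected or
'     higher-integrity processes will refuse and every helper returns 0.
'   * Every Win32 return value is checked and each helper fails closed (0).

' --- Win32 declarations ---------------------------------------------------
Private Declare Function GetWindowThreadProcessId& Lib "user32" (ByVal hWnd&, ByRef lpdwProcessId&)
Private Declare Function IsWindow& Lib "user32" (ByVal hWnd&)
Private Declare Function GetModuleHandleW& Lib "kernel32" (ByVal lpModuleName&)
Private Declare Function GetProcAddress& Lib "kernel32" (ByVal hModule&, ByVal lpProcName$)
' bInheritHandle is a Win32 BOOL (32-bit); declared as Long so the stack
' slot matches the ABI regardless of how VB pushes a 2-byte Boolean.
Private Declare Function OpenProcess& Lib "kernel32" (ByVal dwDesiredAccess&, ByVal bInheritHandle&, ByVal dwProcessId&)
Private Declare Function OpenThread& Lib "kernel32" (ByVal dwDesiredAccess&, ByVal bInheritHandle&, ByVal dwThreadId&)
Private Declare Function ReadProcessMemory& Lib "kernel32" (ByVal hProcess&, ByVal lpBaseAddress&, ByVal lpBuffer&, ByVal nSize&, ByRef lpNumberOfBytesRead&)
Private Declare Function NtQueryInformationThread& Lib "ntdll" (ByVal ThreadHandle&, ByVal ThreadInformationClass&, ByVal ThreadInformation&, ByVal ThreadInformationLength&, ByRef ReturnLength&)
Private Declare Function CloseHandle& Lib "kernel32" (ByVal hObject&)

' Least-privilege access masks. The original opened the thread with
' &H1F03FF and the process with &H1F0FFF (*_ALL_ACCESS); only a thread
' query and VM reads are performed, and the narrower masks also succeed on
' targets where ALL_ACCESS is denied.
Private Const THREAD_QUERY_INFORMATION As Long = &H40
Private Const PROCESS_QUERY_INFORMATION As Long = &H400
Private Const PROCESS_VM_READ As Long = &H10

' NtQueryInformationThread class 0 = ThreadBasicInformation (7 DWORDs,
' TebBaseAddress is the second).
Private Const ThreadBasicInformation As Long = 0
Private Const THREAD_BASIC_INFORMATION_SIZE As Long = 28

' Undocumented offsets, Win7 x86 only.
Private Const TEB_CLIENT_DELTA_OFFSET As Long = &H6E8      ' TEB -> value subtracted from kernel WND pointers
Private Const SHAREDINFO_HANDLE_TABLE_OFFSET As Long = 4   ' user32!gSharedInfo + 4 -> handle entry table
Private Const HANDLE_ENTRY_SIZE As Long = 12               ' 3 DWORDs per table entry (original: index*3*4)
Private Const WND_WNDPROC_OFFSET As Long = &H60            ' WND -> lpfnWndProc
Private Const WND_DLGPROC_OFFSET As Long = &HCC            ' WND -> pointer holding the DlgProc (XP: &HA8)

' Reads one 32-bit value from the target process into `value`.
' Returns False (and leaves `value` = 0) when the address is 0, the read
' fails, or fewer than 4 bytes came back. Callers rely on the zero result
' to fail closed instead of propagating a stale buffer.
Private Function ReadRemoteLong(ByVal hProcess&, ByVal lpAddress&, ByRef value&) As Boolean
    Dim bytesRead&
    value = 0
    If lpAddress = 0 Then Exit Function
    If ReadProcessMemory(hProcess, lpAddress, VarPtr(value), 4, bytesRead) = 0 Then Exit Function
    ReadRemoteLong = (bytesRead = 4)
End Function

' Returns the TEB base address of hThread, or 0 when the query fails.
' hThread needs THREAD_QUERY_INFORMATION.
Private Function GetThreadTeb&(ByVal hThread&)
    Dim tbi&(6)
    Dim returned&
    ' NTSTATUS 0 = STATUS_SUCCESS.
    If NtQueryInformationThread(hThread, ThreadBasicInformation, VarPtr(tbi(0)), THREAD_BASIC_INFORMATION_SIZE, returned) = 0 Then
        GetThreadTeb = tbi(1)
    End If
End Function

' Returns the per-thread "client delta" that win32k subtracts from kernel
' window pointers to get the user-mode view, read from the target thread's
' TEB. Returns 0 when the TEB or the read is unavailable (the original read
' from 0 + &H6E8 in that case and silently returned 0).
Private Function GetHighValueForUser32&(ByVal hProcess&, ByVal hThread&)
    Dim teb&, delta&
    teb = GetThreadTeb(hThread)
    If teb = 0 Then Exit Function
    If ReadRemoteLong(hProcess, teb + TEB_CLIENT_DELTA_OFFSET, delta) Then GetHighValueForUser32 = delta
End Function

' Returns the address of the window handle table (gSharedInfo->aheList)
' as seen by the target process, or 0 when gSharedInfo is not exported
' (pre-Win7) or the read fails.
' gSharedInfo is resolved in *this* process; the same address is used in
' the target because user32 is mapped at one base for the whole session.
Private Function GetHWNDTablePointerInUser32SharedInfoEntry&(ByVal hProcess&)
    Dim lpSharedInfo&, lpTable&
    lpSharedInfo = GetProcAddress(GetModuleHandleW(StrPtr("user32.dll")), "gSharedInfo")
    If lpSharedInfo = 0 Then Exit Function
    If ReadRemoteLong(hProcess, lpSharedInfo + SHAREDINFO_HANDLE_TABLE_OFFSET, lpTable) Then
        GetHWNDTablePointerInUser32SharedInfoEntry = lpTable
    End If
End Function

' Maps hWnd to the user-mode address of its WND structure in the target:
' low 16 bits of the handle index the handle table, the entry's first DWORD
' is the kernel pointer, and unkHighValue (client delta) rebases it.
' Returns 0 when the table or delta is missing, the entry is free, or the
' read fails.
' NOTE(review): the index is not checked against the table's entry count
' (not read here), so a forged or stale hWnd can address past the table;
' ReadRemoteLong then fails and the function returns 0.
Private Function MakeInfoPointerByRemote2UnknownForHWND&(ByVal hProcess&, ByVal hWnd&, ByVal unkHighValue&, ByVal unkPointer&)
    Dim index&, lpEntry&, kernelPtr&
    If unkPointer = 0 Or unkHighValue = 0 Then Exit Function
    index = hWnd And &HFFFF&
    lpEntry = unkPointer + index * HANDLE_ENTRY_SIZE
    If Not ReadRemoteLong(hProcess, lpEntry, kernelPtr) Then Exit Function
    If kernelPtr = 0 Then Exit Function
    MakeInfoPointerByRemote2UnknownForHWND = kernelPtr - unkHighValue
End Function

' Reads lpfnWndProc from the remote WND at lpPointer; 0 on failure.
Private Function GetRemoteProcessWndProc&(ByVal hProcess&, ByVal lpPointer&)
    Dim proc&
    If lpPointer = 0 Then Exit Function
    If ReadRemoteLong(hProcess, lpPointer + WND_WNDPROC_OFFSET, proc) Then GetRemoteProcessWndProc = proc
End Function

' Reads the dialog procedure of the remote WND at lpPointer: the value at
' WND + &HCC is itself a pointer, which is dereferenced once more (two
' reads, as in the original). 0 on failure at either step.
Private Function GetRemoteProcessDlgProc&(ByVal hProcess&, ByVal lpPointer&)
    Dim lpSlot&, proc&
    If lpPointer = 0 Then Exit Function
    If Not ReadRemoteLong(hProcess, lpPointer + WND_DLGPROC_OFFSET, lpSlot) Then Exit Function
    If ReadRemoteLong(hProcess, lpSlot, proc) Then GetRemoteProcessDlgProc = proc
End Function

' Opens the owning thread/process of hTarget, shows its WndProc and DlgProc
' in hex (one MsgBox each, as the original did), and closes BOTH handles
' (the original leaked hThread). Returns True when the WND pointer was
' resolved. Skips silently when the handle is not a window, the owner
' cannot be determined, or either open is refused.
Private Function DumpRemoteProcs(ByVal hTarget&) As Boolean
    Dim hProcess&, hThread&, tid&, pid&, lpWnd&
    If IsWindow(hTarget) = 0 Then Exit Function
    tid = GetWindowThreadProcessId(hTarget, pid)
    If tid = 0 Then Exit Function
    hThread = OpenThread(THREAD_QUERY_INFORMATION, 0, tid)
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, 0, pid)
    If hThread <> 0 And hProcess <> 0 Then
        ' Resolve the WND pointer once instead of twice as the original did.
        lpWnd = MakeInfoPointerByRemote2UnknownForHWND(hProcess, hTarget, _
            GetHighValueForUser32(hProcess, hThread), _
            GetHWNDTablePointerInUser32SharedInfoEntry(hProcess))
        MsgBox Hex(GetRemoteProcessWndProc(hProcess, lpWnd))
        MsgBox Hex(GetRemoteProcessDlgProc(hProcess, lpWnd))
        DumpRemoteProcs = (lpWnd <> 0)
    End If
    If hThread <> 0 Then CloseHandle hThread
    If hProcess <> 0 Then CloseHandle hProcess
End Function

' Entry point of the demo form. 197776 (&H30490) is the author's test
' window handle and is only meaningful on the machine the post was written
' on; replace it with a live hWnd.
Private Sub Form_Load()
    DumpRemoteProcs 197776
End Sub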