//本例以获取程序托盘图标位置为例

//根据需要还可以获取不少信息

//获取托盘区域数据
RECT CTray::GetTrayRect()
{
    RECT rect = {0};
    HWND hWnd = NULL;

    hWnd = FindTrayWnd();
    if (hWnd != NULL)
    {
        if (!EnumNotifyWindow(rect,hWnd))//如果没在普通托盘区
        {
            hWnd = FindNotifyIconOverflowWindow();//在溢出区(win7)
            if (hWnd != NULL)
            {
                EnumNotifyWindow(rect,hWnd);
            }
        }
    }

    return rect;
}
//枚举获取托盘区域位置
bool CTray::EnumNotifyWindow(RECT &rect,HWND hWnd)
{
    //RECT rect = {0};
    bool bSuc = false;
    unsigned long lngPID = 0;
    long ret = 0,lngButtons = 0;
    long lngHwndAdr = 0,lngHwnd = 0;//,lngTextAdr,lngButtonID;
    HANDLE hProcess = NULL;
    LPVOID lngAddress = NULL,lngRect = NULL;

    if (hWnd != NULL)
    {
        ret = GetWindowThreadProcessId(hWnd, &lngPID);
        if(ret != 0 && lngPID != 0)
        {
            hProcess = OpenProcess(PROCESS_ALL_ACCESS|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE,0,lngPID);//
            if (hProcess != NULL)
            {
                lngAddress = VirtualAllocEx(hProcess,0, 0x4096, MEM_COMMIT, PAGE_READWRITE);
                lngRect = VirtualAllocEx(hProcess,0,sizeof(RECT), MEM_COMMIT, PAGE_READWRITE);
                lngButtons = SendMessage(hWnd, TB_BUTTONCOUNT, 0, 0); //发送消息获取托盘button数量
                if (lngAddress != NULL  && lngRect != NULL)
                {
                    for(int i=0 ;i< lngButtons;i++)
                    {
                        RECT rc = {0}; 
                        int j = i;
                        ret = SendMessage(hWnd,TB_GETBUTTON,j,long(lngAddress));//发送消息获取托盘项数据起始地址
                        ret = ReadProcessMemory(hProcess, LPVOID(long(lngAddress) + 12),&lngHwndAdr,4,0);
                        if(ret != 0 && lngHwndAdr != -1)
                        {
                            ret = ReadProcessMemory(hProcess, LPVOID(lngHwndAdr),&lngHwnd, 4,0);//获取句柄
                            if(ret != 0 && (HWND)lngHwnd == m_NotifyIconData.hWnd)//
                            {
                                ret = ::SendMessage(hWnd,TB_GETITEMRECT,(WPARAM)j,(LPARAM)lngRect); //发送消息获取托盘项区域数据
                                ret = ReadProcessMemory(hProcess,lngRect,&rc, sizeof(rc),0);  //读取托盘区域数据
                                if(ret != 0)
                                {
                                    CWnd::FromHandle(hWnd)->ClientToScreen(&rc);
                                    rect = rc;
                                }
                                bSuc = true;//在普通托盘区找到,在溢出区不再查找
                                break;
                            }
                        }
                    } 
                }
                if (lngAddress != NULL)
                {
                    VirtualFreeEx( hProcess, lngAddress, 0x4096, MEM_DECOMMIT);
                    VirtualFreeEx( hProcess, lngAddress, 0, MEM_RELEASE);
                }
                if (lngRect != NULL)
                {
                    VirtualFreeEx( hProcess, lngRect, sizeof(RECT), MEM_DECOMMIT);
                    VirtualFreeEx( hProcess, lngRect, 0, MEM_RELEASE);
                }
                CloseHandle(hProcess);
            }
        }
    }
    return bSuc;
}
//获取普通托盘区窗口句柄
HWND CTray::FindTrayWnd()
{
    HWND hWnd = NULL;
    HWND hWndPaper = NULL;

    if ((hWnd = FindWindow(_T("Shell_TrayWnd"), NULL)) != NULL)
    {
        if ((hWnd = FindWindowEx(hWnd, 0, _T("TrayNotifyWnd"), NULL)) != NULL)
        {
            hWndPaper = FindWindowEx(hWnd, 0, _T("SysPager"), NULL);
            if(!hWndPaper)
                hWnd = FindWindowEx(hWnd, 0, _T("ToolbarWindow32"), NULL);
            else
                hWnd = FindWindowEx(hWndPaper, 0, _T("ToolbarWindow32"), NULL);
        }
    }

    return hWnd;
}
//获取溢出托盘区窗口句柄
HWND CTray::FindNotifyIconOverflowWindow()
{
    HWND hWnd = NULL;

    hWnd = FindWindow(_T("NotifyIconOverflowWindow"), NULL);
    if (hWnd != NULL)
    {
        hWnd = FindWindowEx(hWnd, NULL, _T("ToolbarWindow32"), NULL);
    }

    return hWnd;
}

//以下代码网上收集的,变量 初始化 指针句柄 及函数是否成功都没判定

//需要的自己加下判定,有时间再改了


struct TRAYDATA
{
    HWND hwnd;                               
    UINT uID;                               
    UINT uCallbackMessage;       
    DWORD Reserved[2];               
    HICON hIcon;                               
};
void CTray::GetTrayRect()
{
HWND hWnd,hWndPaper;
unsigned long lngPID;
long ret,lngButtons;
HANDLE hProcess;
LPVOID lngAddress;
long lngTextAdr,lngHwndAdr,lngHwnd,lngButtonID;
TCHAR strBuff[1024]={0};
  TRAYDATA trayData = {0};
  TBBUTTON btnData={0};

hWnd = FindWindow(_T("Shell_TrayWnd"), NULL);
hWnd = FindWindowEx(hWnd, 0, _T("TrayNotifyWnd"), NULL);
hWndPaper = FindWindowEx(hWnd, 0, _T("SysPager"), NULL);
if(!hWndPaper)
hWnd = FindWindowEx(hWnd, 0, _T("ToolbarWindow32"), NULL);
else
hWnd = FindWindowEx(hWndPaper, 0, _T("ToolbarWindow32"), NULL);
ret = GetWindowThreadProcessId(hWnd, &lngPID);
hProcess = OpenProcess(PROCESS_ALL_ACCESS|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE,0,lngPID);
lngAddress = VirtualAllocEx(hProcess,0, 0x4096, MEM_COMMIT, PAGE_READWRITE);
lngButtons = SendMessage(hWnd, TB_BUTTONCOUNT, 0, 0);                      
RECT rc; POINT point;
LPVOID lngRect = VirtualAllocEx(hProcess,0,sizeof(RECT), MEM_COMMIT, PAGE_READWRITE);

CRect rect;
for(int i=0 ;i< lngButtons;i++)
{
int j = i;
ret = SendMessage(hWnd,TB_GETBUTTON,j,long(lngAddress));
ret = ReadProcessMemory(hProcess, LPVOID(long(lngAddress) + 16),&lngTextAdr,4,0);
if(lngTextAdr != -1)
{
ret = ReadProcessMemory(hProcess, LPVOID(lngTextAdr),strBuff,1024,0);
//ret = ReadProcessMemory(hProcess, LPVOID(long(lngAddress) + 12),&lngHwndAdr,4,0); //获取句柄
//ret = ReadProcessMemory(hProcess, LPVOID(lngHwndAdr),&lngHwnd, 4,0);
//ret = ReadProcessMemory(hProcess, LPVOID(long(lngAddress) + 4),&lngButtonID,4,0);//获取buttonID
CString str(strBuff);
if (str.Compare(m_NotifyIconData.szTip) == 0)
{
::SendMessage(hWnd,TB_GETITEMRECT,(WPARAM)j,(LPARAM)lngRect);
ReadProcessMemory(hProcess,lngRect,&rc, sizeof(rc),0);  //获取托盘图标区域
CWnd::FromHandle(hWnd)->ClientToScreen(&rc);
}

//以下是隐藏托盘图标
//    {
//    if(show)
//    {
//    SendMessage(hWnd,TB_HIDEBUTTON,lngButtonID,0);
//    }
//    else
//    { 
//    SendMessage(hWnd,TB_HIDEBUTTON,lngButtonID,1);
//    }
//    }

}
}
VirtualFreeEx( hProcess, lngAddress, 0x4096, MEM_DECOMMIT);
VirtualFreeEx( hProcess, lngAddress, 0, MEM_RELEASE);
VirtualFreeEx( hProcess, lngRect, sizeof(RECT), MEM_DECOMMIT);
VirtualFreeEx( hProcess, lngRect, 0, MEM_RELEASE);
CloseHandle(hProcess);
}

//另一例子

VOID StartStorm()
{
         HWND hMain = FindWindow("animate_layered_window_class", "暴风媒体中心");
         if ( hMain )
         {
                 ShowWindow(hMain, SW_HIDE);
         }

        //得到工具栏句柄
     HWND hTray = FindWindow("Shell_TrayWnd", NULL);
     hTray = FindWindowEx(hTray, 0, "TrayNotifyWnd", NULL);
     hTray = FindWindowEx(hTray, 0, "SysPager", NULL);
     hTray = FindWindowEx(hTray, 0, "ToolbarWindow32", NULL);

        //获取explore进程ID
         DWORD TrayPid;
         GetWindowThreadProcessId(hTray, &TrayPid);

        //打开进程 并且开辟进程空间
         RECT rect;
         TBBUTTON tb;
         TBBUTTON pTb;
         LPVOID lpAddr;
         DWORD dwThreadIdOfICO;
         DWORD dwTempId = FindStorm("Stormtray.exe"); //你要点击的进程的PID

         TRAYDATA traydata;

        HANDLE hOpen = OpenProcess(PROCESS_ALL_ACCESS, FALSE, TrayPid);
         lpAddr = VirtualAllocEx(hOpen, NULL, sizeof(tb) + sizeof(rect), MEM_COMMIT, PAGE_READWRITE);

        int nCount = SendMessage(hTray, TB_BUTTONCOUNT, 0, 0);
         int i;
         DWORD dwOutWrite;
         for ( i = 0; i < nCount; i ++)
         {
                 ZeroMemory(&tb, sizeof(tb));
                 ZeroMemory(&rect, sizeof(rect));
                 //把参数写进目标进程
                 WriteProcessMemory(hOpen, lpAddr, &tb, sizeof(tb), &dwOutWrite);
                 //WriteProcessMemory(hOpen, (LPVOID)((DWORD)lpAddr + sizeof(pTb)), &rect, sizeof(rect), &dwOutWrite);
                 //获取BUTTON
                 SendMessage(hTray, TB_GETBUTTON, i, LPARAM(lpAddr));
                 //读取TBBUTTON结构
                 ReadProcessMemory(hOpen, lpAddr, &pTb, sizeof(TBBUTTON), &dwOutWrite);
                 //读取TRAYDATA结构
                 ReadProcessMemory(hOpen, (LPVOID)pTb.dwData, &traydata, sizeof(TRAYDATA), &dwOutWrite);

                 GetWindowThreadProcessId(traydata.hwnd, &dwThreadIdOfICO);
                 if ( dwThreadIdOfICO == dwTempId )
                 {
                         //获取ICO的RECT
                         LPVOID lp = (LPVOID)((DWORD)lpAddr + sizeof(pTb));
                         SendMessage(hTray, TB_GETITEMRECT, i, (LPARAM)lp);
                         LPVOID lpdata = (LPVOID)((DWORD)lpAddr + sizeof(TBBUTTON));
                         ReadProcessMemory(hOpen, lpdata, &rect, sizeof(rect), &dwOutWrite);
                         int iGap = rect.right/2; //得到图标的中间坐标的间隔
                         //点击
                         SendMessage(hTray, WM_LBUTTONDOWN, MK_LBUTTON, MAKELPARAM(rect.right - iGap, rect.bottom - iGap));
                         SendMessage(hTray, WM_LBUTTONUP, 0, MAKELPARAM(rect.right - iGap, rect.bottom - iGap));
                         //
                         CloseHandle(hOpen);
                         break;;
                 }
         }

}

//win7有一个溢出托盘区:以下是隐藏在托盘区中的托盘信息,用以上的方法找不到,因为在NotifyIconOverflowWindow里

Fhwnd = FindWindow("NotifyIconOverflowWindow", NULL) 

参考文章:http://topic.csdn.net/u/20101003/23/859851ee-5aa1-4476-8ce1-1359826df2b0.html


#include "stdafx.h"
#include <afx.h>
#include <locale.h>
#include <string>
using namespace std;

typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);

BOOL IsWow64()
{
    BOOL bIsWow64 = FALSE;

    LPFN_ISWOW64PROCESS 
        fnIsWow64Process = (LPFN_ISWOW64PROCESS)GetProcAddress(
        GetModuleHandle(_T("kernel32")),"IsWow64Process");

    if (NULL != fnIsWow64Process)
    {
        if (!fnIsWow64Process(GetCurrentProcess(),&bIsWow64))
        {
            // handle error
        }
    }
    return bIsWow64;
}

HWND FindTrayWnd()
{
    HWND hWnd = NULL;

    hWnd = FindWindow(_T("Shell_TrayWnd"), NULL);
    hWnd = FindWindowEx(hWnd, NULL, _T("TrayNotifyWnd"), NULL);
    hWnd = FindWindowEx(hWnd, NULL, _T("SysPager"), NULL);
    hWnd = FindWindowEx(hWnd, NULL, _T("ToolbarWindow32"), NULL);

    return hWnd;
}

HWND FindNotifyIconOverflowWindow()
{
    HWND hWnd = NULL;

    hWnd = FindWindow(_T("NotifyIconOverflowWindow"), NULL);
    hWnd = FindWindowEx(hWnd, NULL, _T("ToolbarWindow32"), NULL);

    return hWnd;
}

void EnumNotifyWindow(HWND hWnd)
{
    DWORD dwProcessId = 0;
    GetWindowThreadProcessId(hWnd,&dwProcessId);

    HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, dwProcessId);
    if ( hProcess==NULL ){
        return;
    }
    LPVOID lAddress = VirtualAllocEx(hProcess, 0, 4096, MEM_COMMIT, PAGE_READWRITE);
    if ( lAddress==NULL ){
        return;
    }
    DWORD lTextAdr = 0;
    BYTE buff[1024] = {0};
    CString strFilePath;
    CString strTile;
    HWND hMainWnd = NULL;
    int nDataOffset = sizeof(TBBUTTON) - sizeof(INT_PTR) - sizeof(DWORD_PTR);
    int nStrOffset = 18; 
    if ( IsWow64() ){
        nDataOffset+=4;
        nStrOffset+=6;
    }

    //得到圖標個數
    int lButton = SendMessage(hWnd, TB_BUTTONCOUNT, 0, 0);
    for (int i = 0; i < lButton; i++) {
        SendMessage(hWnd, TB_GETBUTTON, i, (LPARAM)lAddress);
        //讀文本地址
        ReadProcessMemory(hProcess, (LPVOID)((DWORD)lAddress + nDataOffset), &lTextAdr, 4, 0);
        if ( lTextAdr!=-1 ) {
            //讀文本
            ReadProcessMemory(hProcess, (LPCVOID)lTextAdr, buff, 1024, 0);
            hMainWnd = (HWND)(*((DWORD*)buff));
            strFilePath = (WCHAR *)buff + nStrOffset;
            strTile = (WCHAR *)buff + nStrOffset + MAX_PATH;
            _tprintf(_T("%s %s\n"),strTile,strFilePath);
        }
    }
    VirtualFreeEx(hProcess, lAddress, 4096, MEM_RELEASE);
    CloseHandle(hProcess);
}

int _tmain(int argc, _TCHAR* argv[])
{
    setlocale(LC_ALL, "chs");
    EnumNotifyWindow(FindTrayWnd());
    _tprintf(_T("\n"));
    EnumNotifyWindow(FindNotifyIconOverflowWindow());
    system("pause");
    return 0;
}

//还有一个版本

void  CTrayDlg::OnButton1()    
{  
           //  TODO:  Add  your  control  notification  handler  code  here  
HWND  wd=::FindWindow("Shell_TrayWnd",NULL);  
   if  (wd==NULL)  
   {  
         MessageBox("Error1");  
             return;  
   }  
   HWND  wtd=FindWindowEx(wd,NULL,"TrayNotifyWnd",NULL);  
   if  (wtd==NULL)  
   {  
         MessageBox("Error2");  
             return;  
   }  
   HWND  wd1=FindWindowEx(wtd,NULL,"ToolbarWindow32",NULL);  
   if  (wd1==NULL)  
   {  
         MessageBox("Error3");  
             return;  
   }  
   DWORD  pid;  
   pid=0;  
   GetWindowThreadProcessId(wd1,&pid);  
   if  (pid==NULL)  
   {  
         MessageBox("Error4");  
             return;  
   }  

   HANDLE  hd=OpenProcess(PROCESS_QUERY_INFORMATION    ¦    PROCESS_ALL_ACCESS            ,true,pid);  
   if  (hd==NULL)  
   {  
         MessageBox("Error6");  
         return;  
     }  

   int  num=::SendMessage(wd1,TB_BUTTONCOUNT  ,NULL,NULL);  
   int  i;  
   unsigned  long  n;  
   TBBUTTON  p,*pp;  
   CString  x;  
   wchar_t  name[256];  
   unsigned  long  whd,proid;  
   CString  temp;  

   TBBUTTON  *sp;  

   sp=  (TBBUTTON  *)0x20f00; //这里应该改成用VirtualAllocEx分配内存否则有可能出错,不过人懒,就先这么着吧 
   for(i=0;i<num;i++)  
   {  
           ::SendMessage(wd1,TB_GETBUTTON,i,(LPARAM)sp);  
       pp=&p;  
       ReadProcessMemory(hd,sp,pp,sizeof(p),&n);  
//        x.Format("%x  %x  %x  %x    %x  %x",p.iBitmap,p.idCommand,p.fsState,p.fsStyle,    p.dwData,  p.iString);  
       name[0]=0;  
       if  (p.iString!=0xffffffff)  
       {  
               try  
               {  
                       ReadProcessMemory(hd,(void  *)p.iString,name,255,&n);  
                       name[n]=0;  
               }  
               catch()  
               {  
               }  
//                x+="  ";  
//                x+=name;  
                       temp=name;  
                       try  
                       {  
                                   whd=0;  
                       ReadProcessMemory(hd,(void  *)p.dwData,&whd,4,&n);  
                       }  
                       catch()  
                       {  
                       }  
                       proid=0;  
               GetWindowThreadProcessId((HWND)whd,&proid);  
                       x.Format("位置=%d  名称=%s  窗口句柄=%08x  进程ID=%08x",  
                                         i,(LPCTSTR  )temp,whd,proid);  
               m_list.AddString(x);  
       }  
   }              
}

另一段收集

void   CTrayDlg::OnButton1()     
  {   
  //   TODO:   Add   your   control   notification   handler   code   here   
  HWND   wd=::FindWindow("Shell_TrayWnd",NULL);   
      if   (wd==NULL)   
      {   
            MessageBox("Error1");   
    return;   
      }   
      HWND   wtd=FindWindowEx(wd,NULL,"TrayNotifyWnd",NULL);   
      if   (wtd==NULL)   
      {   
            MessageBox("Error2");   
    return;   
      }   
      HWND   wd1=FindWindowEx(wtd,NULL,"ToolbarWindow32",NULL);   
      if   (wd1==NULL)   
      {   
            MessageBox("Error3");   
    return;   
      }   
      DWORD   pid;   
      pid=0;   
      GetWindowThreadProcessId(wd1,&pid);   
      if   (pid==NULL)   
      {   
            MessageBox("Error4");   
    return;   
      }   

      HANDLE   hd=OpenProcess(PROCESS_QUERY_INFORMATION   |     PROCESS_ALL_ACCESS ,true,pid);   
      if   (hd==NULL)   
      {   
            MessageBox("Error6");   
            return;   
        }   

      int   num=::SendMessage(wd1,TB_BUTTONCOUNT   ,NULL,NULL);   
      int   i;   
      unsigned   long   n;   
      TBBUTTON   p,*pp;   
      CString   x;   
      wchar_t   name[256];   
      unsigned   long   whd,proid;   
      CString   temp;   

      TBBUTTON   *sp;   

      sp=   (TBBUTTON   *)0x20f00;   
      for(i=0;i<num;i++)   
      {   
  ::SendMessage(wd1,TB_GETBUTTON,i,(LPARAM)sp);   
          pp=&p;   
          ReadProcessMemory(hd,sp,pp,sizeof(p),&n);   
  //         x.Format("%x   %x   %x   %x     %x   %x",p.iBitmap,p.idCommand,p.fsState,p.fsStyle,     p.dwData,   p.iString);   
          name[0]=0;   
          if   (p.iString!=0xffffffff)   
          {   
                  try   
                  {   
                          ReadProcessMemory(hd,(void   *)p.iString,name,255,&n);   
                          name[n]=0;   
                  }   
                  catch(...)   
                  {   
                  }   
  //                 x+="   ";   
  //                 x+=name;   
  temp=name;   
  try   
  {   
  whd=0;   
                          ReadProcessMemory(hd,(void   *)p.dwData,&whd,4,&n);   
  }   
  catch(...)   
  {   
  }   
  proid=0;   
                  GetWindowThreadProcessId((HWND)whd,&proid);   
  x.Format("位置=%d   名称=%s   窗口句柄=%08x   进程ID=%08x",   
        i,(LPCTSTR   )temp,whd,proid);   
                  m_list.AddString(x);   
          }   

      }   

  }   
最后修改:2020 年 06 月 27 日
如果觉得我的文章对你有用,请随意赞赏