Enumeration of the global hook: a Threepenny mail: zhongts@163.com Date: 2005.6.19 first emphasize that code in this article is given only under WinXP SP2 testing by using other systems to understand the code of best friends , Then debug operation. If you don't have a system blue screen, don't find me. :) Click here to download the mouse hook, keyboard hooks, etc. You must be familiar. Friends programmed in the Windows environment must have hopped with them, such as intercepting passwords, what can be used. This article will introduce a way to enumerate all global hooks, find out what a dynamic library creates a hook (most global hooks need to be implemented by dynamic libraries). The following figure is all global hooks displayed after the program run, including the hook function in that dynamic library, that is, create a dynamic library of the hook. The hook handle shown in the figure refers to the handle in the current process, not a system range. For example, Mousehook adds a global mouse hook, then the handle of this hook in Explorer is different (this point I observed by Icesword), but all Mousehook adds hooks in Mousehook The .dll dynamic library. If you want to get the same result, you can enumerate global hooks for each process (not tried). L. In addition, if the mouse hook and the keyboard hook cannot display a dynamic library, you can move a mouse first, and you should display a few keyboards to refresh.
Write this article because there is a topic in the programming sector to say that the global hook caller, so thinking that all global hooks can be enumerated. But that theme seems to be said to be the caller of the hook, and it seems that the global hook refers to the hook of the hook API type, did not understand. In that theme, ZMWORM heroes seem to say that you can enumerate through a hook chain, but the heroes have not been detailed, I have not found symbols about the hook chain in the symbol file (I will only this The way to find system internal variables, such as the activity process chain can be found in this way), so preparing to slow down from the callnexthookex function to find the system how to find the next hook function. The method introduced in this article is this, and there is another important point that will be mentioned in the article). invoke PsGetCurrentThreadmov ebx, [eax 130h] mov _gptiCurrent, ebxinvoke DbgPrint, $ CTA0 ( "ETHREAD:% 08X, Win32Thread:% 08X / n"), eax, _gptiCurrentassume esi:! nothingmov ebx, -1.while ebx = 12invoke _PhkFirstValid , _gptiCurrent, ebxassume eax: ptr HOOK.while eaxpush eax; _PhkNextValid of parameters; obtained according to the following code mov edx win32k.sys the _xxxHkCallHook, [eax] .ihmodcmp edx, -1jz @Fmov esi, _gptiCurrent; esi -> ThreadInfomov ESI, [ESI 2CH]; ESI -> ProcessInfomov Edx, [ESI EDX * 4 0A8H]; EDX = [ESI] .ahmodLibloaded [hmod] @@: ----------- -------------------------- M2M [EDI] .Handle, [EAX] .hmodulem2M [EDI] .Funcoffset, [EAX] .Offpfnmov [ EDI] .funcbaseaddr, Edxm2M [EDI] .ihook, [eax] .ihook; ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----- Invoke DBGPrint, $ CTA0 ("Handle:% 08X Funcoffset:% 08X FuncBaseAddr:% 08X iHOK:% D iHMOD:% D / N"), /[EAX].hmodule, [EAX] .Offpfn, EDX, [EAX] .ihook, [eax] .ihmodcall _phknextvalidadd dwbytesreturned, sizeof hook_infoadd edi, sizeof hook_info.ndwinc ebx.Endw is given to the core code, first find the Win32Thread structure of the thread, you can call Win32 through this structure K.sys' internal functions _phkfirstvalid find the first hook function. Then enumerate all hook functions through the _phknextvalid function. Because the address of these two functions in each system is different, I use it directly after the disassembly code. This avoids errors due to different reasons for the system. However, I only run in WinXP SP2, not testing under other systems, if everyone can't run, I have to modify the source code. The _phkfirstvalid function receives two parameters, the first is the address of the Win32Thread structure, the second is the type of hook to enumerate, such as a mouse hook.
