My hook study notes

zhaozj2021-02-16  50

About Hook 1, Basic Concept:

Hook, is a platform for the Windows message handling mechanism, which can be set up on top to monitor some of the messages for the specified window, and the monitored window can be created by other processes. When the message arrives, handle it before the target window handles the function. The hook mechanism allows applications to intercept the Window message or a specific event.

The hook is actually a block processing message, and it is hung into the system through the system call. Whenever a specific message is issued, the hook program will capture the message first before the destination window is not reached, that is, the hook function is controlled first. At this time, the hook function can be processed (changing) the message, or it can continue to pass the message without processing, and can also force the passage of the message.

Second, the operating mechanism:

1, hooks and hooks:

Each Hook has a list of pointers associated with it, called hooks, and is maintained by the system. The pointer of this list points to the specified, the application defined, the callback function called by the Hook subroutine, that is, the various processing substructions of the hook. When the message associated with the specified hook type occurs, the system passes this message to the Hook subtelift. Some hook subsidiaries can only monitor messages, or modify messages, or stop messages to avoid these messages to the next hook subsequence or destination window. Recently installed hooks are placed in the beginning of the chain, and the earliest installed hook is finally added, but the first to get control.

Windows does not require the unloading order of the hook subsidiary to be in contrast and installation sequence. Whenever there is a hook being uninstalled, Windows releases its usage, and updates the entire HOOK list. If the program is installed, it is over before the hook has not been unloaded, so the system will automatically uninstall the hook.

The hook subsidy is an application-defined callback function (Callback function), cannot be defined as a member function of a class, can only be defined as a normal C function. To monitor system or a particular type of event, these events can be associated with a particular thread, or events in the system.

The hook subsidiaries must follow the grammar below: LRESULT CALLBACK HOOKPROC (INT NCODE, WPARAM WPARAM, LPARAM LPARAM); HookProc is the name of the application definition.

The ncode parameter is the hook code, and the hook subsidiace uses this parameter to determine the task. The value of this parameter depends on the hook type, and each hook has its own hook code feature character set. The value of WPARAM and LPARAM parameters depends on the HOOK code, but their typical value is information about sending or receiving messages.

2, the installation and release of the hook:

Use the API function setWindowsHookex () to install a hook subscrote defined by an application to the hook list. The setWindowsHookex function is always installing the Hook subtertaine at the beginning of the hook chain. When the specified type of Hook monitored event occurs, the system is called the opening of the Hook chain with this hook. The hook subsections in each hook chain decide whether this event is passed to the next hook subsidy. The HOOK subsidiary transmission event needs to call the CallNextHooKex function to the next hook program. HHOOK SETWINDOWSHOKEX (Type of Int IDHOK, / / ​​hook, that is, the message type hookproc lpfn, // hook subscrotor. If the dwthreadId parameter is 0 // or a thread that is created by other processes, // LPFN must point to the hook subsequence in the DLL. In addition, the LPFN can point to a hook subscip code of the current process. The entry address of the hook function, call this function when the hook hook to any message. Hinstance HMOD, // Application Unit Handle. Identify the DLL of the subaudes included in the LPFN. // If the DWTHREADID identifies a thread created by the current process, // and the substructure is located in the current process, and the hmod must be null. / / Can set it very simple to set an instance handle of this application. DWORD DWTHREADID / / The identifier of the thread associated with the installed hook subrouts. // If 0, the hook substructure is associated with all threads, ie For the global hook.); The function successfully returns the handle of the hook subsidy, and the failure returns NULL. The above-mentioned hook subsequence is associated with thread refers to a message sent to the thread in a hook list simultaneously transmits the hook subsequence, and is processed by the hook subspening.

The hook function of the control power is called in the hook subscorner after completing the processing of the message, if you want that message continues to pass, then it must call an API function callNexthooKex in another SDK to pass it to perform the hook list. The next hook. This function is successfully returned to the return value of the next hook process in the hook chain, and the type of return value depends on the type of hook. The prototype of this function is as follows:

LResult CallnexthooKex (HHOOK HHK; INT NCODE; WPARAM WPARAM; LPARAM LPARAM;); HHK is the handle of the current hook, returned by the setWindowsHookex () function. Ncode is the event code for transmitting the hook process. WPARAM and LPARAM are WPARAM values ​​transmitted to the hook subsidiary, respectively, and the specific meaning is related to the hook type. The hook function can also discard the message by directly returning True and blocks the passage of the message. Otherwise, other applications where the hooks installing will not receive notifications of the hooks and may generate incorrect results.

The hook needs to uninstall using unHookWindowsHooKex () after use, otherwise it will cause trouble. The release hook is relatively simple, and UnHookWindowsHooKex () has only one parameter. The function prototype is as follows:

UnHookWindowsHookex (hHOOK hHK;); function successfully returns true, otherwise returns false.

3, some running mechanisms:

In the Win16 environment, the global data of the DLL is the same for each process loaded; in the Win32 environment, the situation has changed, and any object created in the DLL function (including variables) All of them are tongged with its threads or processes. When the process is loaded into the DLL, the operating system automatically maps the DLL address to the private space of the process, that is, the virtual address space of the process, and copying a copy of the global data of the DLL to the process space. That is to say, the same DLL's global data has the same DLL, but its value is not necessarily the same, but it does not interfere. Therefore, in the Win32 environment, you must share the data in multiple processes, you must make the necessary settings. The shared memory between the processes accessed access to the same DLL is implemented by the memory mapping file technology. You can also separate these data to be shared, placed in a separate data segment, and set the properties of the segment to sharing. These variables must be assigned to the initial value, otherwise the compiler will put the variables that are not assigned to the initial value in a data segment called uninitialized. #pragma data_seg The pre-processing instruction is used to set the shared data segment. For example: #pragma data_seg ("SharedDataname") hHOOK hHOOK = NULL; #pragma data_seg () All variables between #pragma data_seg ("SharedDataName" and #pragma data_seg () will be accessed all the processes of the DLL And sharing.

When the process is implicit or explicitly invoked in a dynamic library, the system must map this dynamic library to the virtual address space of this process (hereinafter referred to as "address space"). This makes the DLL a part of the process, executed as the process, using the stack of this process.

4, system hook and thread hook:

The last parameter of the setWindowsHooKex () function determines that the hook is a system hook or a thread hook. The thread hook is used to monitor the event message of the specified thread. Thread hook generally within the thread of the current thread or the current thread. System Hook Monitor Event Messages in All Things in the System. Because the system hook affects all applications in the system, the hook function must be placed in a separate dynamic link library (DLL). The system automatically maps the DLL containing the "hook callback function" to all processes affected by the hook function, and the DLL is injected into those processes.

Some explanations: (1) If you install both the thread hook again for the same event (such as a mouse message), the system will automatically call the thread hook, then call the system hook.

(2) Multiple hook processing can be installed on the same event message, which form a hook chain. The current hook processing should pass the hook information to the next hook function.

(3) Hooks, especially system hys, will consume message processing time, reduce system performance. The hook is only installed when necessary, and then uninstall it in time after use.

Third, hook type

Each type of Hook allows applications to monitor different types of system messaging mechanisms. All of the hook types that can be utilized will be described below.

1, WH_CallWndProc and WH_CallWndProcret Hooks

Wh_callwndproc and wh_callwndprocret hooks allow you to monitor messages sent to the window process. The system calls the WH_CallWndProc Hook subsess before the message is sent to the receiving window, and then call the WH_CallWndProcret Hook subsess after the window process is handled.

The Wh_CallWndProcret Hook passes the pointer to the CWPRETSTRUCT structure, and then passes to the hook subsequence. The CWPRETSTRUCT structure contains the return value from the window process from the processing message, and also includes message parameters associated with this message. 2, WH_CBT HOOK

Before the following events, the system calls the WH_CBT Hook subsidy, including: 1. Activation, establish, destroy, minimize, maximize, move, change the size of window events, etc. 2. Complete system instructions; 3. From system messages Moving mouse, keyboard events; set input focus events; 5. Synchronize system message queue events. The return value of the Hook subsidiary determines whether the system allows or prevents one of these operations.

3, WH_Debug hook

The system will call the WH_Debug hook subroutine before the HOOK subtext associated with other hooks in the system call system. You can use this hook to determine if the system is allowed to call the Hook subtrace associated with other hooks.

4, WH_ForegroundIdle Hook

When the front desk thread of the application is idle, you can use the WH_ForeGroundIdle Hook to perform low priority tasks. When the front desk thread of the application is about to become an idle state, the system calls the Wh_ForegroundIdle Hook subtrace.

5, WH_GetMessage Hook

The application uses the WH_GetMessage Hook to monitor the message returned from the GetMessage or PeekMessage function. You can use the WH_GetMessage Hook to monitor mouse and keyboard input, and other messages sent to the message queue.

6, WH_Journalplayback Hook HOOK

The Wh_Journalplayback Hook enables the application to insert a message to the system message queue. You can use this hook playback through the continuous mouse and keyboard events recorded by using WH_Journalrord Hook. As long as the WH_JournalPlayback Hook has been installed, normal mouse and keyboard events are invalid. Wh_journalplayback Hook is a global HOOK, it cannot be used like thread specific HOOK. WH_JournalPlayback Hook Returns a timeout value, this value tells the system how long (milliseconds) will be taken before processing the current message from the playback hook. This makes hooks to control the playback of real-time events. WH_JournalPlayback is System-Wide Local Hooks that will not be injected to any stroke location space.

7, WH_JournalRecord Hook

WH_JournalRecord hook is used to monitor and record an input event. Typically, this Hook records continuous mouse and keyboard events, and then play back by using the Wh_Journalplayback Hook. Wh_JournalRecord Hook is a global hook, which cannot be used like thread specific HOOK. WH_JournalRecord is System-Wide Local Hooks that will not be injected to any stroke location space.

8, WH_Keyboard HOOK

In the application, the Wh_keyboard hook is used to monitor the WM_KEYDOWN AND WM_KEYUP message, which is returned by GetMessage or PeekMessage Function. You can use this hook to monitor the keyboard message input to the message queue.

9, wh_keyboard_ll hook

WH_KEYBOARD_LL HOOK Monitor Enter the keyboard message in the thread message queue.

10, WH_MOUSE HOOK

WH_MOUSE Hook monitors the mouse message returned from the GetMessage or PeekMessage function. Use this Hook monitor to enter mouse messages in the message queue. 11, WH_MOUSE_LL HOOK

WH_MOUSE_LL HOOK Monitor Enter the mouse message in the thread message queue.

12, WH_MSGFILTER and WH_SYSMSGFILTER HOOKS

Wh_msgfilter and wh_sysmsgfilter hooks allow us to monitor menus, scroll bars, message boxes, dialog messages and discover users to switch the window using the Alt Tab OR Alt ESC Combination key. The WH_MSGFilter Hook can only monitor messages that are passed to the menu, scroll bar, message box, and the message that is passed to the dialog established by an application that has an Hook subtertaine. WH_SYSMSGFILTER Hook Monitor all application messages. WH_MSGFILTER and WH_SYSMSGFILTER hooks allow us to filter messages during the mode cycle, which is equivalent to filtering messages in the main message loop. WH_MSGFILTER HOOK can be called directly by calling CallMSGFilter Function. By using this function, the application can use the same code to filter messages during the mode cycle, just like the main message cycle.

13, WH_SHELL HOOK

The shell application can use the WH_SHELL HOOK to receive important notifications. When the shell application is activated and when the top window is established or destroyed, the system calls the WH_Shell Hook subsess. WH_SHELL has a total of 5 minutes: 1. As long as there is a top-level, the Unowned window is generated, works, or being destroyed; 2. When taskbar needs to swipe a button; 3. When the system needs to display a program about Taskbar Minimize form; 4. When the current keyboard layout status changes; 5. When the user presses Ctrl ESC to execute Task Manager (or the same level).

According to conventions, both the shell application does not receive the WH_SHELL message. Therefore, before the application is able to receive the Wh_Shell message, the application must call the SystemParametersInfo Function to register itself. Rivershan original in September 18, 2002

转载请注明原文地址:https://www.9cbs.com/read-26679.html

New Post(0)