Implementation and application of hooks in VB programming

xiaoxiao2021-03-06  43

Hooks in Windows are a powerful facility: with this technique, almost all messages in a Windows system can be intercepted, monitored and processed. The technique can be used in many kinds of software, especially software that needs monitoring, automatic recording and similar functions. This article explores the topic in the hope of prompting better contributions from readers.

First, the mechanism and types of hooks. Windows applications are message-driven: how an application runs depends on the type and content of the messages it receives. A hook is similar to interrupt interception under DOS. It is a point in the Windows message-handling mechanism where an application can install a subroutine to monitor certain messages for a specified window and process them before they reach the target window. Windows has two kinds of hooks: the system hook, which monitors the entire system, and the thread hook (local hook), which intercepts only messages inside its own process. For a system hook, the hook function must be implemented in a dynamic link library (DLL); for a thread hook, the hook function can be implemented either in a DLL or in the application itself. The reason is that when a developer creates a hook, Windows first creates a data structure in system memory containing the hook's information, then adds that structure to the existing hook list, with the new hook placed ahead of the older ones. When an event occurs and a local hook is installed, the hook function in the current process is called. For a remote hook, the system must insert the hook function into the address space of other processes, which requires the hook function to reside in a dynamic link library. So to use a remote hook, you must put the hook function in a dynamic link library.

For the message types a hook can monitor, Windows provides the types shown in Table 1.

Table 1. Windows message types

| Message type constant | Value | Message type | Scope of application |
| --- | --- | --- | --- |
| WH_CALLWNDPROC | 4 | Messages sent to a window | Thread or system |
| WH_CALLWNDPROCRET | 12 | Messages returned by a window | Thread or system |
| WH_CBT | 5 | Window changes, focus settings, etc. | Thread or system |
| WH_DEBUG | 9 | Whether other hooks are executed | Thread or system |
| WH_FOREGROUNDIDLE | 11 | Foreground program is idle | Thread or system |
| WH_GETMESSAGE | 3 | Messages posted to the message queue | Thread or system |
| WH_JOURNALPLAYBACK | 1 | Playback of recorded messages | System |
| WH_JOURNALRECORD | 0 | Monitoring and recording of input messages | System |
| WH_KEYBOARD | 2 | Keyboard messages | Thread or system |
| WH_MOUSE | 7 | Mouse messages | Thread or system |
| WH_MSGFILTER | -1 | Menu, scroll bar and dialog messages | Thread or system |
| WH_SHELL | 10 | Shell program | Thread or system |
| WH_SYSMSGFILTER | 6 | Menu, scroll bar and dialog messages of all threads | System |

Second, implementing the hook function in VB programming. The hook function is an ordinary function; for a system hook, it must be placed in a dynamic link library. It has a fixed parameter format, which in VB is as follows:

Private Function HookFunc(ByVal nCode As Long, ByVal wParam As Long, ByVal lParam As Long) As Long

Here nCode indicates the circumstances under which the hook was triggered and has a different set of possible values for each hook type. The parameters wParam and lParam carry the content of the monitored message, which differs according to the type of message the hook monitors and the value of nCode. The general framework of a hook function in VB is as follows:

    Private Function HookFunc(ByVal nCode As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
        Select Case nCode
            Case Is < 0
                ' Negative nCode: pass the message on without processing it
                HookFunc = CallNextHookEx(hHookFunc, nCode, wParam, lParam)
            Case value1
                ' processing 1
                HookFunc = x1
            Case value2
                ' processing 2
                HookFunc = x2
            ...
        End Select
    End Function

The return value of the function is 0 if the message is to be processed normally; otherwise return 1 to swallow ("eat") the message. (2) Installing and using hooks. Installing a hook requires a few API functions. The SetWindowsHookEx() API function installs an application-defined hook procedure into the hook chain. The declaration of SetWindowsHookEx() is as follows:

Declare Function SetWindowsHookEx Lib "user32" Alias "SetWindowsHookExA" (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long

The idHook value is the type of message the hook handles. The lpfn value is the address of the hook procedure. If dwThreadId is 0 or identifies a thread created by another process, lpfn must point to a hook procedure in a DLL; otherwise, lpfn can point to hook procedure code in the current process. The hMod value is the application instance handle and identifies the DLL containing the hook procedure that lpfn points to. If dwThreadId identifies a thread created by the current process and the hook procedure is located in the current process, hMod must be 0. The dwThreadId value is the identifier of the thread with which the installed hook procedure is associated; if it is 0, the hook procedure is associated with all threads. If the hook is installed successfully, the handle of the hook procedure is returned; on failure, 0 is returned. In addition, the hook procedure should generally call CallNextHookEx() to run the next hook procedure in the hook chain; otherwise, other applications that have installed hooks will not receive the hook notification, which leads to incorrect results. The declaration of CallNextHookEx() is as follows:

Declare Function CallNextHookEx Lib "user32" Alias "CallNextHookEx" (ByVal hHook As Long, ByVal nCode As Long, ByVal wParam As Long, ByVal lParam As Long) As Long

The hHook value is the return value of SetWindowsHookEx(); nCode, wParam and lParam are the three parameters of the hook function. Before the program terminates, it must call UnhookWindowsHookEx() to release the system resources associated with the hook. The declaration of UnhookWindowsHookEx() is as follows:

Declare Function UnhookWindowsHookEx Lib "user32" Alias "UnhookWindowsHookEx" (ByVal hHook As Long) As Long

hHook is the return value from installing the hook, that is, the handle of the hook procedure. (3) Points to note when using hooks in VB. The lpfn parameter is the address of HookFunc. VB requires the HookFunc code to be placed in a standard .bas module and passed with "AddressOf HookFunc"; it cannot be placed in a class module or attached to a form. For a remote hook, HookFunc must be contained in a dynamic link library, so if you use a remote hook in VB you also need the two API functions GetModuleHandle() and GetProcAddress(), declared as follows:

Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Declare Function GetProcAddress Lib "kernel32" Alias "GetProcAddress" (ByVal hModule As Long, ByVal lpProcName As String) As Long

The hMod value is the handle of the module containing the hook procedure. For a local hook the value can be NULL (0 in VB); for a remote hook it can be obtained with GetModuleHandle("name.dll").

Third, an example: intercepting keyboard messages. Program development often requires monitoring keyboard input and processing the monitored messages. The content of the keyboard hook parameters is as follows. When a keyboard message (WM_KEYUP or WM_KEYDOWN) is about to be processed, the system calls the keyboard hook. nCode is HC_ACTION or HC_NOREMOVE; if it is less than 0, the hook function is required to pass the message on. wParam is the key code constant of the key; for the A to Z keys it matches the corresponding ASCII code, so pressing the C key gives a wParam value of 67. lParam is the same as for WM_KEYDOWN: it is four bytes long and carries several fields, with the following bit layout:

0 | 1 | ... | 15 | 16 | ... | 23 | 24 | 25 | ... | 28 | 29 | 30 | 31

Bits 0-15 (Key Repeat Count): the number of times the key is repeated.
Bits 16-23 (Scan Code): the scan code of the key.
Bit 24 (Extended_Key Flag): the extended key flag (keys on the numeric keypad); 1 for an extended key, otherwise 0.
Bits 25-28: reserved.
Bit 29 (Context Code): the context code; 1 if the ALT key is pressed, otherwise 0.
Bit 30 (Previous Key State): the previous key state; 1 if the key was down before the message was issued, 0 if the key was in the released state.
Bit 31 (Transition_State Flag): the state transition flag; 1 if the key is pressed, 0 if the key is released.

The hook in this example monitors and records the key information in the application. In the program, the Alt+F4 key combination is blocked. Below is a part of the code:

    ' Module1 (standard module): the hook handle and the hook procedure
    Public hHook As Long
    Public Const WH_KEYBOARD = 2

    Public Function MyKBHook(ByVal nCode As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
        If nCode < 0 Then
            ' Negative nCode: pass the message on and return the result
            MyKBHook = CallNextHookEx(hHook, nCode, wParam, lParam)
            Exit Function
        End If
        ' Record the keyboard operation in keyfile.txt: the key, the key
        ' status in hexadecimal, and the date and time of the operation
        Open "c:/keyfile.txt" For Append As #1
        Write #1, wParam, Hex(lParam), Date, Time
        Close #1
        MyKBHook = 0 ' 0 means the message is processed normally
        ' Block the Alt+F4 key combination (115 is the F4 key, bit 29 is ALT)
        If wParam = 115 And (lParam And &H20000000) <> 0 Then
            ' Whether this is an Alt+F4 operation: bits 30 and 31 both clear
            If (lParam And &HC0000000) = 0 Then
                MyKBHook = 1 ' the hook eats this message
            End If
        End If
        ' Pass the message to the next hook
        Call CallNextHookEx(hHook, nCode, wParam, lParam)
    End Function

    ' Form code
    Private Sub Form_Load()
        ' The hook is installed when the program starts; the hook
        ' procedure itself is in Module1. hMod is 0 for a thread hook
        ' whose procedure is in the current process.
        hHook = SetWindowsHookEx(WH_KEYBOARD, AddressOf MyKBHook, 0, App.ThreadID)
    End Sub

    ' Unload the hook when the program exits
    Private Sub Form_Unload(Cancel As Integer)
        Call UnhookWindowsHookEx(hHook)
    End Sub
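The lParam bit layout described above can be unpacked with masks, as in this added example (not code from the original article); KeyInfo, DecodeKeyLParam and DemoDecode are hypothetical names and the sample values are constructed. It also shows two VB hex-literal pitfalls that matter when writing masks like the ones in the hook procedure.

```vb
' Added example for a standard .bas module: decode a keyboard hook lParam.
' KeyInfo, DecodeKeyLParam and DemoDecode are hypothetical names.
Option Explicit

Public Type KeyInfo
    RepeatCount As Long       ' bits 0-15
    ScanCode As Long          ' bits 16-23
    IsExtended As Boolean     ' bit 24
    AltDown As Boolean        ' bit 29 (context code)
    PrevStateBit As Boolean   ' bit 30 (previous key state), raw bit
    TransitionBit As Boolean  ' bit 31 (transition state), raw bit
End Type

Public Function DecodeKeyLParam(ByVal lParam As Long) As KeyInfo
    Dim k As KeyInfo
    ' &HFFFF without the trailing & is the Integer -1, which widens to
    ' &HFFFFFFFF and masks nothing; &HFFFF& forces a Long literal.
    k.RepeatCount = lParam And &HFFFF&
    ' Mask first, then divide: the masked value is never negative, so
    ' integer division by 2^16 behaves as a right shift.
    k.ScanCode = (lParam And &HFF0000) \ &H10000
    k.IsExtended = (lParam And &H1000000) <> 0
    k.AltDown = (lParam And &H20000000) <> 0
    k.PrevStateBit = (lParam And &H40000000) <> 0
    ' &H80000000 is the most negative Long: test with <> 0, never > 0.
    k.TransitionBit = (lParam And &H80000000) <> 0
    DecodeKeyLParam = k
End Function

Public Sub DemoDecode()
    ' Constructed sample values, not captured from a real session:
    ' repeat count 1, scan code &H3E, with different flag bits set.
    Dim samples As Variant, i As Long, k As KeyInfo
    samples = Array(&H203E0001, &H603E0001, &HE03E0001)
    For i = LBound(samples) To UBound(samples)
        k = DecodeKeyLParam(samples(i))
        Debug.Print Hex$(samples(i)); " repeat="; k.RepeatCount; _
            " scan=&H"; Hex$(k.ScanCode); " alt="; k.AltDown; _
            " bit30="; k.PrevStateBit; " bit31="; k.TransitionBit
    Next i
End Sub
```

Run DemoDecode from the Immediate window to see each field; a mask that is too short, such as &HC0000, selects scan-code bits rather than bits 30 and 31.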

Fourth, summary. Hook programming is an advanced Windows programming technique, and programmers generally use VC and similar development tools for it. This article shows that VB, although many people regard it as a non-professional design tool, can also implement advanced techniques such as hooks very conveniently. In addition, note that although hooks are powerful, improper use seriously affects the efficiency of the system: avoid system hooks where possible, and uninstall a hook promptly when it is no longer needed.

Please credit the original address when reprinting: https://www.9cbs.com/read-66282.html
