Hooks are a very powerful mechanism in Windows. With them, almost any message in a Windows system can be intercepted, monitored, and processed. The technique is widely used in software that needs monitoring, automatic recording, and similar system-monitoring functions. This article discusses the topic as a reference for readers.
1. Mechanism and type of hook
Windows applications are message-driven: what an application does depends on the type and content of the messages it receives. Hooks resemble the interrupt interception mechanism in DOS. A hook is a point in the Windows message-processing mechanism where an application can install a subroutine to monitor certain messages for a specified window and process a message before it reaches the target window.
In Windows there are two types of hooks. One is the system hook (RemoteHook), which monitors messages across the entire system; the other is the thread hook (LocalHook), which only intercepts messages within the process. For a system hook, the hook function (HookFunction) must be implemented in a dynamic link library (DLL). For a thread hook, the hook function can be implemented either in a DLL or in the application itself. The reason is as follows. When a developer creates a hook, Windows first creates a data structure in system memory that holds information about the hook, then adds that structure to the existing hook list; new hooks are placed in front of older ones. When an event occurs and a local hook is installed, the hook function in the current process is called. For a remote hook, the system must insert the hook function into the address space of other processes, and to do that the hook function must be in a dynamic link library. So if you want to use a remote hook, you must put the hook function in a DLL. The message types that hooks can monitor are listed in Table 1:
Table 1. Windows message types
Hook type constant | Value | Messages monitored | Scope of application |
WH_CALLWNDPROC | 4 | Messages sent to a window | thread or system |
WH_CALLWNDPROCRET | 12 | Messages returned by a window | thread or system |
WH_CBT | 5 | Messages such as window changes and focus settings | thread or system |
WH_DEBUG | 9 | Whether to execute the hook functions of other hooks | thread or system |
WH_FOREGROUNDIDLE | 11 | The foreground program is idle | thread or system |
WH_GETMESSAGE | 3 | Messages posted to the message queue | thread or system |
WH_JOURNALPLAYBACK | 1 | Play back recorded messages | system |
WH_JOURNALRECORD | 0 | Monitor and log input messages | system |
WH_KEYBOARD | 2 | Keyboard messages | thread or system |
WH_MOUSE | 7 | Mouse messages | thread or system |
WH_MSGFILTER | -1 | Menu, scroll bar, and dialog messages | thread or system |
WH_SHELL | 10 | Shell messages | thread or system |
WH_SYSMSGFILTER | 6 | Menu, scroll bar, and dialog messages for all threads | system |
2. Implementation of hooks in VB programming
(1) Format of the hook function (Hook Function). A hook function is an ordinary function; for a system hook, it must be placed in a dynamic link library. The function has a fixed parameter format, which in VB is as follows:
Private Function HookFunc(ByVal nCode As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Here nCode indicates the circumstances under which the hook was invoked; its set of possible values depends on the hook. The parameters wParam and lParam carry the content of the monitored message, which varies with the type of message the hook monitors and with the value of nCode. For hook functions written in VB, the general framework is as follows:
Private Function HookFunc(ByVal nCode As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
    ' hHookFunc is the hook handle returned by SetWindowsHookEx()
    If nCode < 0 Then
        ' Negative codes are passed to the next hook unprocessed.
        ' ByVal is needed because CallNextHookEx declares lParam As Any.
        HookFunc = CallNextHookEx(hHookFunc, nCode, wParam, ByVal lParam)
        Exit Function
    End If
    Select Case nCode
        Case value1
            ' Processing 1
            HookFunc = X1
        Case value2
            ' Processing 2
            HookFunc = X1
        ' ...
    End Select
End Function
The return value of the function: if the message is to be processed, return 0; otherwise return 1 to eat the message.
(2) Installation and execution of hooks. Several API functions are used to install hooks. The API function SetWindowsHookEx() installs an application-defined hook subroutine into the hook list. The declaration of SetWindowsHookEx() is as follows:
Declare Function SetWindowsHookEx Lib "user32" Alias "SetWindowsHookExA" (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long
The idHook value is the message type the hook handles. The lpfn value is the address of the hook subroutine: if the dwThreadId parameter is 0 or the identifier of a thread created by another process, lpfn must point to a hook subroutine in a DLL; otherwise, lpfn can point to a hook subroutine in the code of the current process. The hMod value is the handle of the application, identifying the DLL that contains the subroutine pointed to by lpfn. If dwThreadId identifies a thread created by the current process and the subroutine code is located in the current process, hMod must be 0. The dwThreadId value is the identifier of the thread associated with the installed hook subroutine; if it is 0, the hook subroutine is associated with all threads. If the hook is installed successfully, the handle of the hook subroutine is returned; if it fails, 0 is returned.
In addition, the CallNextHookEx() function should generally be called in the hook subroutine to execute the next hook subroutine pointed to by the hook list. Otherwise, applications with other hooks installed will not receive hook notifications, resulting in incorrect results. The declaration of the CallNextHookEx() function is as follows:
Declare Function CallNextHookEx Lib "user32" Alias "CallNextHookEx" (ByVal hHook As Long, ByVal ncode As Long, ByVal wParam As Long, lParam As Any) As Long
The hHook value is the return value of SetWindowsHookEx(), and nCode, wParam, and lParam are the three parameters of the hook function. Before the program terminates, the UnhookWindowsHookEx() function must be called to release the system resources associated with the hook. The UnhookWindowsHookEx() function is declared as follows:
Declare Function UnhookWindowsHookEx Lib "user32" Alias "UnhookWindowsHookEx" (ByVal hHook As Long) As Long
hHook is the value returned when the hook was installed, that is, the handle of the hook subroutine.
(3) Issues to pay attention to when installing hooks in VB. The lpfn parameter is the address of a HookFunc. VB requires that the HookFunc code be placed in a standard .BAS module and passed in as AddressOf HookFunc; it cannot be placed in a class module or attached to a form. For a RemoteHook, HookFunc must be contained in a dynamic link library, so if you use a RemoteHook in VB you will also need two more API functions: GetModuleHandle() and GetProcAddress(). Their declarations are as follows:
Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Declare Function GetProcAddress Lib "kernel32" Alias "GetProcAddress" (ByVal hModule As Long, ByVal lpProcName As String) As Long
The hmod value is the handle of the module containing the hook subroutine. For a LocalHook the value can be Null (0 is passed in VB); for a RemoteHook you can pass in the result of GetModuleHandle("name.dll").
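As an added example (not part of the original article, and written in Python rather than VB), the code below applies Table 1 and the hMod/dwThreadId rules described above to logged SetWindowsHookEx() calls, the way a defender reviewing API-monitor output might. The record layout, the own_threads argument, the INPUT_HOOKS shortlist and all sample values are constructed assumptions.

```python
# Added example: triage logged SetWindowsHookEx() calls with Table 1 and the
# hMod/dwThreadId rules. Record layout and sample values are constructed.
# idHook -> (constant, system_only), as listed in Table 1
HOOK_TYPES = {
    -1: ("WH_MSGFILTER", False), 0: ("WH_JOURNALRECORD", True),
    1: ("WH_JOURNALPLAYBACK", True), 2: ("WH_KEYBOARD", False),
    3: ("WH_GETMESSAGE", False), 4: ("WH_CALLWNDPROC", False),
    5: ("WH_CBT", False), 6: ("WH_SYSMSGFILTER", True),
    7: ("WH_MOUSE", False), 9: ("WH_DEBUG", False),
    10: ("WH_SHELL", False), 11: ("WH_FOREGROUNDIDLE", False),
    12: ("WH_CALLWNDPROCRET", False),
}
# Assumption: hook types that observe user input deserve a closer look.
INPUT_HOOKS = {"WH_KEYBOARD", "WH_MOUSE", "WH_JOURNALRECORD", "WH_GETMESSAGE"}


def triage(call, own_threads):
    """Return (name, scope, findings) for one call record (dict with idHook,
    hMod, dwThreadId); own_threads = thread ids of the calling process."""
    name, system_only = HOOK_TYPES.get(call["idHook"], (None, False))
    if name is None:
        return ("unknown", "n/a", ["idHook not in Table 1"])
    tid, findings = call["dwThreadId"], []
    if tid == 0:
        scope = "system"            # hook associated with all threads
    elif tid in own_threads:
        scope = "thread-local"      # LocalHook in the caller's own process
    else:
        scope = "thread-remote"     # thread created by another process
    if system_only and scope != "system":
        findings.append("system-only hook type used with a thread id")
    # A remote hook function must live in a DLL, so hMod has to name one.
    if scope != "thread-local" and call["hMod"] == 0:
        findings.append("remote scope but hMod is 0 (no DLL named)")
    if scope != "thread-local" and name in INPUT_HOOKS:
        findings.append("input-monitoring hook outside caller's own threads")
    return (name, scope, findings)


SAMPLE_CALLS = [  # constructed records; 4120 is the caller's own thread
    {"idHook": 2, "hMod": 0, "dwThreadId": 4120},
    {"idHook": 2, "hMod": 0x10000000, "dwThreadId": 0},
    {"idHook": 0, "hMod": 0, "dwThreadId": 4120},
    {"idHook": 5, "hMod": 0, "dwThreadId": 0},
]

if __name__ == "__main__":
    for c in SAMPLE_CALLS:
        print(triage(c, own_threads={4120}))
```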