Types of hooks in WINDOWS

1、WH_CALLWNDPROC and WH_CALLWNDPROCRET Hooks

WH_CALLWNDPROC and WH_CALLWNDPROCRET Hooks enable you to monitor the messages sent to the window procedure. The system calls the WH_CALLWNDPROC Hook subroutine before the message is sent to the receiving window procedure, and calls the WH_CALLWNDPROCRET Hook subroutine after the window procedure processes the message.

The WH_CALLWNDPROCRET Hook passes a pointer to a CWPRETSTRUCT structure to the Hook subroutine. The CWPRETSTRUCT structure contains the return value from the window procedure that processed the message, as well as the message parameters associated with the message.

2、WH_CBT Hook

The system calls the WH_CBT Hook subroutine before the following events:

1. Window events such as activating, creating, destroying, minimizing, maximizing, moving, or resizing a window;

2. Completing a system command;

3. Removing a mouse or keyboard event from the system message queue;

4. Setting the input focus;

5. Synchronizing with the system message queue.

The return value of the Hook subroutine determines whether the system allows or prevents one of these operations.

3、WH_DEBUG Hook

  Before the system calls the Hook subroutine associated with other Hooks in the system, the system calls the WH_DEBUG Hook subroutine. You can use this Hook to decide whether to allow the system to call Hook subroutines associated with other Hooks.

4、WH_FOREGROUNDIDLE Hook

When the foreground thread of the application is idle, you can use the WH_FOREGROUNDIDLE Hook to perform low-priority tasks. The system calls the WH_FOREGROUNDIDLE Hook subroutine when the application's foreground thread is about to become idle.

5、WH_GETMESSAGE Hook

  The application uses the WH_GETMESSAGE Hook to monitor the message returned from the GetMessage or PeekMessage function. You can use WH_GETMESSAGE Hook to monitor mouse and keyboard input, and other messages sent to the message queue.

6、WH_JOURNALPLAYBACK Hook

WH_JOURNALPLAYBACK Hook enables applications to insert messages into the system message queue. You can use this Hook to replay a series of mouse and keyboard events recorded earlier with WH_JOURNALRECORD Hook. As long as a WH_JOURNALPLAYBACK Hook is installed, normal mouse and keyboard input is disabled.

WH_JOURNALPLAYBACK Hook is a global Hook; it cannot be used as a thread-specific Hook. WH_JOURNALPLAYBACK Hook returns a timeout value that tells the system how long to wait (in milliseconds) before processing the current message from the playback Hook. This allows the Hook to control the timing of the events it plays back.

WH_JOURNALPLAYBACK Hooks are system-wide local hooks; they are not injected into any process address space. (Presumably Button Wizard is built with this hook.)

7、WH_JOURNALRECORD Hook

WH_JOURNALRECORD Hook is used to monitor and record input events. Typically, you use this Hook to record a series of mouse and keyboard events and then play them back with WH_JOURNALPLAYBACK Hook.

WH_JOURNALRECORD Hook is a global Hook; it cannot be used as a thread-specific Hook.

WH_JOURNALRECORD Hooks are system-wide local hooks; they are not injected into any process address space.

8、WH_KEYBOARD Hook

  In the application, WH_KEYBOARD Hook is used to monitor WM_KEYDOWN and WM_KEYUP messages, which are returned by GetMessage or PeekMessage function. You can use this Hook to monitor keyboard messages entered into the message queue.

9、WH_KEYBOARD_LL Hook

WH_KEYBOARD_LL Hook monitors keyboard messages entered into the thread message queue.

10、WH_MOUSE Hook

WH_MOUSE Hook monitors the mouse message returned from the GetMessage or PeekMessage function. Use this Hook to monitor mouse messages entered into the message queue.

11、WH_MOUSE_LL Hook

WH_MOUSE_LL Hook monitors mouse messages input to the thread message queue.

12、WH_MSGFILTER and WH_SYSMSGFILTER Hooks

WH_MSGFILTER and WH_SYSMSGFILTER Hooks allow us to monitor messages for menus, scroll bars, message boxes, and dialog boxes, and to detect when the user switches windows with the ALT+TAB or ALT+ESC key combination.

WH_MSGFILTER Hook can only monitor messages delivered to menus, scroll bars, message boxes, and dialog boxes created by the application that installed the Hook subroutine.

WH_SYSMSGFILTER Hook monitors all application messages.

WH_MSGFILTER and WH_SYSMSGFILTER Hooks allow us to filter messages during modal loops, which is equivalent to filtering messages in the main message loop. The WH_MSGFILTER Hook subroutine can be invoked directly by calling the CallMsgFilter function. By using this function, the application can use the same code to filter messages during modal loops as in the main message loop.

13、WH_SHELL Hook

  Shell applications can use WH_SHELL Hook to receive important notifications. When the shell application is activated and when the top-level window is created or destroyed, the system calls the WH_SHELL Hook subroutine.

There are 5 situations in WH_SHELL:

1. Whenever a top-level, unowned window is created, activated, or destroyed;

2. When the Taskbar needs to redraw a button;

3. When the system needs to display the minimized form of a program on the Taskbar;

4. When the current keyboard layout status changes;

5. When the user presses Ctrl+Esc to execute Task Manager (or the same level program).

By convention, shell applications do not receive WH_SHELL messages. Therefore, before the application can receive the WH_SHELL message, the application must call the SystemParametersInfo function to register itself.

 

Corresponding code for hook type:

WH_JOURNALRECORD = 0,
WH_JOURNALPLAYBACK = 1,
WH_KEYBOARD = 2,
WH_GETMESSAGE = 3,
WH_CALLWNDPROC = 4,
WH_CBT = 5,
WH_SYSMSGFILTER = 6,
WH_MOUSE = 7,
WH_HARDWARE = 8,
WH_DEBUG = 9,
WH_SHELL = 10,
WH_FOREGROUNDIDLE = 11,
WH_CALLWNDPROCRET = 12,       
WH_KEYBOARD_LL = 13,
WH_MOUSE_LL = 14
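
A triage sketch that applies the code table above to API-monitor output: it maps the idHook value of each SetWindowsHookEx call to its hook name and flags the scope properties described on this page. This is an added example, not code from the original post; the trace-line format, the flag names and the sample lines are assumptions constructed for illustration, and the WH_MSGFILTER value and the global-only scope of WH_SYSMSGFILTER and the low-level hooks come from the Windows SDK documentation rather than from this page.

```python
import re

# Hook codes from the table on this page. WH_MSGFILTER (-1) is not in that
# table; its value is taken from the Windows SDK headers.
HOOK_NAMES = {
    -1: "WH_MSGFILTER", 0: "WH_JOURNALRECORD", 1: "WH_JOURNALPLAYBACK",
    2: "WH_KEYBOARD", 3: "WH_GETMESSAGE", 4: "WH_CALLWNDPROC", 5: "WH_CBT",
    6: "WH_SYSMSGFILTER", 7: "WH_MOUSE", 8: "WH_HARDWARE", 9: "WH_DEBUG",
    10: "WH_SHELL", 11: "WH_FOREGROUNDIDLE", 12: "WH_CALLWNDPROCRET",
    13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL",
}
INPUT_HOOKS = {0, 2, 3, 7, 13, 14}   # can observe keyboard or mouse input
GLOBAL_ONLY = {0, 1, 6, 13, 14}      # cannot be installed thread-specific
NOT_INJECTED = {0, 1, 13, 14}        # run in the installing process itself

# Hypothetical trace-line format (assumption); adapt to your API monitor.
CALL_RE = re.compile(
    r"pid=(\d+) image=(\S+) SetWindowsHookEx[AW]"
    r"\(idHook=(-?\d+),.*dwThreadId=(\d+)\)"
)

# Constructed sample lines, not captured from a real system.
SAMPLE_TRACE = [
    "pid=4120 image=notepad.exe SetWindowsHookExW(idHook=5, lpfn=0x7ff6a1001200, hMod=0x0, dwThreadId=9312)",
    "pid=6644 image=updater.exe SetWindowsHookExW(idHook=13, lpfn=0x7ff71c402a10, hMod=0x7ff71c400000, dwThreadId=0)",
    "pid=7008 image=helper.exe SetWindowsHookExA(idHook=2, lpfn=0x180001500, hMod=0x180000000, dwThreadId=0)",
    "pid=7010 image=macro.exe SetWindowsHookExW(idHook=0, lpfn=0x401000, hMod=0x400000, dwThreadId=512)",
]

def triage(line):
    """Classify one SetWindowsHookEx call; return None for other lines."""
    m = CALL_RE.search(line)
    if m is None:
        return None
    hook_id, thread_id = int(m.group(3)), int(m.group(4))
    is_global = thread_id == 0       # dwThreadId 0 = all threads on the desktop
    flags = []
    if hook_id in INPUT_HOOKS:
        flags.append("input-monitoring")
    if is_global and hook_id in HOOK_NAMES and hook_id not in NOT_INJECTED:
        flags.append("injects-dll")  # hook DLL is loaded into other processes
    if not is_global and hook_id in GLOBAL_ONLY:
        flags.append("invalid-scope")
    return {
        "pid": int(m.group(1)), "image": m.group(2),
        "hook": HOOK_NAMES.get(hook_id, f"UNKNOWN({hook_id})"),
        "scope": "global" if is_global else "thread", "flags": flags,
    }

if __name__ == "__main__":
    for entry in SAMPLE_TRACE:
        print(triage(entry))
```

A global WH_KEYBOARD or WH_MOUSE hook from a process with no user-interface role is the combination worth reviewing first, since it both observes input and loads its DLL into other processes.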

Origin blog.csdn.net/mid_Faker/article/details/112569461