Hook learning

Windows message mechanism

  • The Windows operating system is event-driven: the various parts of the system communicate with each other by passing messages.
  • Under normal circumstances, an application processes the messages sent to it, whether they come from inside its own process or from other processes.
  • If you need to intercept messages inside a process, you must use a HOOK. A hook is a very important system interface of Windows; with it you can conveniently intercept and process messages passed between other applications, and thus perform specific functions that ordinary applications find difficult to achieve.
  • A hook is essentially a routine for processing messages that is hung into the system through a system call.


A message is captured by the OS, handed to the program to start processing, and finally returned to the OS, which schedules the callback function; it runs like a loop, and I understand this is one of the reasons why it is called a "callback function". The HOOK we want to install does its additional work between the second and third steps above.

HOOK mechanism

By nature a HOOK is a program that processes system messages; it is linked into the system through a system call. There are many types of hooks, and each type is responsible for intercepting and processing the corresponding kind of message.
The hook mechanism allows an application to intercept and process messages sent to a specified window or triggered by a particular event; the monitored window can be created by the process itself or by another process. Before a specific message is issued and reaches its destination window, the HOOK program intercepts it first and gains control of it. At this point the hook's processing function can modify the intercepted message in various ways, let it continue, or even forcibly terminate the delivery of the message.

Hooks are divided according to their type, such as WH_MOUSE, WH_KEYBOARD and so on. For each type of HOOK the system maintains a list of pointers, each of which points to a HOOK handler, which we call a HOOK subroutine (hook procedure).

  • When SetWindowsHookEx() is called, a new HOOK subroutine is installed at the beginning of the HOOK chain (when this does not matter we also loosely say that a new HOOK is installed); the oldest HOOK is at the end of the list (somewhat similar to a stack).
  • When a monitored message occurs, the operating system first calls the HOOK subroutine at the beginning of the list, so the most recently installed HOOK gains control first.
  • The HOOK handler must be a callback function; it cannot be defined as a class member function and must be an ordinary C function.
  • According to their monitoring range, hooks are divided into two categories, global hooks and thread hooks. A thread hook is given a thread ID (possibly the current thread's) when it is installed and monitors only that thread; a global hook monitors the windows of all threads in the system. Since a global HOOK is still triggered by the thread HOOK mechanism inside the hooked thread's own process space, the code of the HOOK subroutine must be mapped into the address space of the process that owns that thread, which is achieved by means of a DLL.

Hook types

Each type of hook enables an application to monitor a different kind of message handling in the system.

  1. WH_CALLWNDPROC and WH_CALLWNDPROCRET Hooks
    The WH_CALLWNDPROC and WH_CALLWNDPROCRET hooks let you monitor messages sent to window procedures. The system calls the WH_CALLWNDPROC hook subroutine before passing the message to the receiving window procedure, and calls the WH_CALLWNDPROCRET hook subroutine after the window procedure has processed the message. The WH_CALLWNDPROCRET hook is passed a pointer to a CWPRETSTRUCT structure, which is then passed on to the hook subroutine. The CWPRETSTRUCT structure contains the return value of the window procedure for the processed message, as well as the message parameters associated with it.
  2. WH_CBT Hook
    The system calls the WH_CBT hook subroutine before the following events: 1) activating, creating, destroying, minimizing, maximizing, moving or resizing a window; 2) completing a system command; 3) removing a mouse or keyboard event from the system message queue; 4) setting the input focus; 5) synchronizing with the system message queue. The return value of the hook subroutine determines whether the system is allowed to perform the operation or is prevented from doing so.
  3. WH_DEBUG Hook
    Before the system calls the hook subroutine associated with any other hook, it calls the WH_DEBUG hook subroutine. You can use this hook to decide whether to allow the system to call the hook subroutine associated with the other hook.
  4. WH_FOREGROUNDIDLE Hook
    The WH_FOREGROUNDIDLE hook allows low-priority tasks to be performed when an application's foreground thread is idle. The system calls the WH_FOREGROUNDIDLE hook subroutine when the application's foreground thread is about to become idle.
  5. WH_GETMESSAGE Hook
    An application uses the WH_GETMESSAGE hook to monitor the messages returned by the GetMessage or PeekMessage function. You can use WH_GETMESSAGE to monitor mouse and keyboard input and other messages posted to the message queue.
  6. WH_JOURNALPLAYBACK Hook
    The WH_JOURNALPLAYBACK hook enables an application to insert messages into the system message queue. You can use this hook to play back a sequence of mouse and keyboard events recorded earlier with a WH_JOURNALRECORD hook. As long as a WH_JOURNALPLAYBACK hook is installed, normal mouse and keyboard input is disabled. WH_JOURNALPLAYBACK is a global hook and cannot be used as a thread-specific hook. The WH_JOURNALPLAYBACK hook returns a timeout value that tells the system how long (in milliseconds) to wait before processing the current message from the playback hook; this lets the hook control the timing of the played-back events. WH_JOURNALPLAYBACK is a system-wide local hook: it is not injected into any other process's address space.
  7. WH_JOURNALRECORD Hook
    The WH_JOURNALRECORD hook is used to monitor and record input events. Typically you use this hook to record a sequence of mouse and keyboard events, which you then play back with a WH_JOURNALPLAYBACK hook. WH_JOURNALRECORD is a global hook and cannot be used as a thread-specific hook. WH_JOURNALRECORD is a system-wide local hook: it is not injected into any other process's address space.
  8. WH_KEYBOARD Hook
    In an application, the WH_KEYBOARD hook monitors the WM_KEYDOWN and WM_KEYUP messages returned by the GetMessage or PeekMessage function. This hook can be used to monitor keyboard input posted to the message queue.
  9. WH_KEYBOARD_LL Hook
    The WH_KEYBOARD_LL hook monitors keyboard input messages posted to a thread's input queue.
  10. WH_MOUSE Hook
    The WH_MOUSE hook monitors mouse messages returned by the GetMessage or PeekMessage function. This hook can be used to monitor mouse input posted to the message queue.
  11. WH_MOUSE_LL Hook
    The WH_MOUSE_LL hook monitors mouse input messages posted to a thread's input queue.
  12. WH_MSGFILTER and WH_SYSMSGFILTER Hooks
    The WH_MSGFILTER and WH_SYSMSGFILTER hooks let us monitor messages for menus, scroll bars, message boxes and dialog boxes, and detect the user switching windows with the ALT+TAB or ALT+ESC key combination. The WH_MSGFILTER hook can only monitor messages passed to menus, scroll bars, message boxes and dialog boxes created by the application that installed the hook subroutine. The WH_SYSMSGFILTER hook monitors such messages for all applications. The WH_MSGFILTER and WH_SYSMSGFILTER hooks let us filter messages during a modal loop, which is equivalent to filtering messages in the main message loop. You can call a WH_MSGFILTER hook directly by calling the CallMsgFilter function; using this function, an application can filter messages during a modal loop with the same code it uses in its main message loop.
  13. WH_SHELL Hook
    A shell application can use the WH_SHELL hook to receive important notifications. The system calls the WH_SHELL hook subroutine when the shell application is activated and when a top-level window is created or destroyed. There are five kinds of WH_SHELL events: 1) whenever a top-level, unowned window is created, activated or destroyed; 2) when the taskbar is redrawn; 3) when the system needs to display a minimized program on the taskbar; 4) when the state of the current keyboard layout changes; 5) when the user presses Ctrl+Esc to run Task Manager (or an equivalent program).
    By default, a shell application does not receive WH_SHELL messages. Before it can receive WH_SHELL messages, the application must call the SystemParametersInfo function to register itself.

Core functions

Using a Windows HOOK does not require many core functions, only four:

  • SetWindowsHookEx(): install a HOOK
  • HOOK subroutine: the HOOK processing function, such as GetMsgProc, KeyboardProc, etc.
  • CallNextHookEx(): call the next HOOK subroutine in the HOOK chain
  • UnhookWindowsHookEx(): uninstall a HOOK
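The list-of-pointers description in the HOOK mechanism section and the four core functions above fit together in one small model. The following is an added example, not code from the original post: a portable C simulation of the hook chain in which set_windows_hook_ex(), call_next_hook_ex() and unhook_windows_hook_ex() stand in for the Win32 functions of the same names. It shows the ordering the text describes (the most recently installed hook runs first), how a hook that returns without calling the next one prevents the message from reaching the older hooks, and what unhooking does to the chain. Everything here is constructed: the hook-procedure signature (code, msg, param) is simplified compared with a real KeyboardProc, handles are positions in an array rather than HHOOK values, and no Windows API is called, so the program builds on any platform.

```c
/* Portable model of the Windows hook chain (added example, not Win32 code). */
#include <stdio.h>
#include <string.h>

#define MAX_HOOKS 8
#define HC_ACTION 0
#define WM_KEYDOWN 0x0100u   /* numeric value matches Win32; used as sample input */

/* A hook subroutine returns 0 to let the message through and nonzero to
 * block it; like a real hook it is expected to call call_next_hook_ex()
 * when it wants the rest of the chain to see the message. */
typedef long (*HookProc)(int code, unsigned msg, long param);

typedef struct { HookProc proc; int active; } HookEntry;

/* The per-type pointer list. Entries are appended, so the newest hook is
 * at the highest index and dispatch walks downward from it. */
static HookEntry g_chain[MAX_HOOKS];
static int g_count = 0;
static int g_cursor = 0;   /* index of the hook currently running */
static char g_log[32];     /* constructed call-order log for the demo */

static void log_call(char who)
{
    size_t n = strlen(g_log);
    if (n + 1 < sizeof g_log) { g_log[n] = who; g_log[n + 1] = '\0'; }
}

void reset_chain(void) { g_count = 0; g_cursor = 0; g_log[0] = '\0'; }
const char *hook_log(void) { return g_log; }

/* Simulated SetWindowsHookEx: install at the head of the chain.
 * Returns a 1-based handle, or 0 on failure. */
int set_windows_hook_ex(HookProc proc)
{
    if (proc == NULL || g_count >= MAX_HOOKS) return 0;
    g_chain[g_count].proc = proc;
    g_chain[g_count].active = 1;
    return ++g_count;
}

/* Simulated UnhookWindowsHookEx: mark the entry inactive. */
int unhook_windows_hook_ex(int handle)
{
    if (handle < 1 || handle > g_count) return 0;
    g_chain[handle - 1].active = 0;
    return 1;
}

/* Simulated CallNextHookEx: run the next active hook below the cursor.
 * Reaching the end of the chain means "pass the message through" (0). */
long call_next_hook_ex(int code, unsigned msg, long param)
{
    int i = g_cursor - 1;
    while (i >= 0 && !g_chain[i].active) i--;
    if (i < 0) return 0;
    int saved = g_cursor;
    g_cursor = i;
    long r = g_chain[i].proc(code, msg, param);
    g_cursor = saved;
    return r;
}

/* What the system does when a hooked message occurs: start at the head. */
long dispatch_message(unsigned msg, long param)
{
    g_cursor = g_count;
    return call_next_hook_ex(HC_ACTION, msg, param);
}

/* Sample hook 1: only observes and always forwards. */
long observer_proc(int code, unsigned msg, long param)
{
    if (code == HC_ACTION) log_call('O');
    return call_next_hook_ex(code, msg, param);
}

/* Sample hook 2: blocks WM_KEYDOWN for virtual key 0x5A ('Z') by returning
 * nonzero without forwarding, the way a WH_KEYBOARD hook may. */
long blocker_proc(int code, unsigned msg, long param)
{
    if (code == HC_ACTION) log_call('B');
    if (code == HC_ACTION && msg == WM_KEYDOWN && param == 0x5A) return 1;
    return call_next_hook_ex(code, msg, param);
}

int main(void)
{
    reset_chain();
    int h_obs = set_windows_hook_ex(observer_proc); /* installed first: runs last */
    int h_blk = set_windows_hook_ex(blocker_proc);  /* installed second: runs first */
    long r1 = dispatch_message(WM_KEYDOWN, 0x41);   /* 'A': B then O, passed through */
    long r2 = dispatch_message(WM_KEYDOWN, 0x5A);   /* 'Z': B blocks, O never sees it */
    unhook_windows_hook_ex(h_blk);
    long r3 = dispatch_message(WM_KEYDOWN, 0x5A);   /* only O is left in the chain */
    printf("handles=%d,%d log=%s r1=%ld r2=%ld r3=%ld\n", h_obs, h_blk, hook_log(), r1, r2, r3);
    return 0;
}
```

The log "BOBO" at the end of the run is the point: the blocker, installed last, is called first for every message, and the older observer sees 'Z' only after the blocker has been unhooked. A hook that forgets to call the next hook in the chain silently hides messages from everything installed before it, which is why Microsoft's guidance to always forward via CallNextHookEx matters for anything that coexists with other hooks.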

API hooking

The API is the programming interface that Windows exposes to programmers; it makes it possible to control the operating system at user level. Generally an application needs to call the API to accomplish certain functions. Hooking an API means that the application's call is intercepted before it reaches the real system API, some processing is done, and then the real API is called to complete the operation.
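The intercept-process-forward pattern just described, as an added example that is not part of the original post. On Windows an API hook typically rewrites an entry in a module's import address table or the first bytes of the target function; this portable C model replaces that with a plain table of function pointers (a constructed ImportTable) so the mechanics can be shown without any Windows API. The application calls through the table, hook_api() swaps the entry for hooked_open_file(), which audits the call and applies a constructed policy before forwarding to the saved original, and unhook_api() restores the entry. All names (real_open_file, hook_api, audit_log, the "/protected/" rule) are assumptions made for the example.

```c
/* Portable model of API hooking by function-pointer interposition
 * (added example, not the post's own code). */
#include <stdio.h>
#include <string.h>

typedef int (*OpenFileFn)(const char *path, int write);

/* Simulated "real" system API that the application imports. Returns a fake
 * handle (42) for any non-empty path, -1 otherwise (constructed). */
static int real_open_file(const char *path, int write)
{
    (void)write;
    return (path && path[0]) ? 42 : -1;
}

/* The application's import table: it reaches the API only through this
 * pointer, which is exactly what makes the entry interposable. */
typedef struct { OpenFileFn open_file; } ImportTable;
static ImportTable g_imports = { real_open_file };

/* Hook state: the saved original pointer plus an audit log (constructed). */
static OpenFileFn g_orig_open_file = NULL;
static char g_audit[256];
static int  g_denied = 0;

static void audit(const char *line)
{
    size_t n = strlen(g_audit);
    if (n < sizeof g_audit) snprintf(g_audit + n, sizeof g_audit - n, "%s;", line);
}

/* The hook: runs before the real API, records the call, applies a policy,
 * then calls the real API to finish. Policy (constructed): write access
 * under "/protected/" is denied. */
static int hooked_open_file(const char *path, int write)
{
    char line[128];
    snprintf(line, sizeof line, "%s:%s", write ? "write" : "read", path ? path : "(null)");
    audit(line);
    if (write && path && strncmp(path, "/protected/", 11) == 0) {
        g_denied++;
        return -1;
    }
    return g_orig_open_file(path, write);
}

/* Install: save the original entry and redirect the table.
 * Returns 0 if the hook is already installed. */
int hook_api(void)
{
    if (g_orig_open_file != NULL) return 0;
    g_orig_open_file = g_imports.open_file;
    g_imports.open_file = hooked_open_file;
    return 1;
}

/* Remove: put the saved entry back. Returns 0 if nothing is installed. */
int unhook_api(void)
{
    if (g_orig_open_file == NULL) return 0;
    g_imports.open_file = g_orig_open_file;
    g_orig_open_file = NULL;
    return 1;
}

/* What the application does: it never names the real function directly. */
int app_open(const char *path, int write) { return g_imports.open_file(path, write); }

const char *audit_log(void) { return g_audit; }
int denied_count(void) { return g_denied; }
void reset_audit(void) { g_audit[0] = '\0'; g_denied = 0; }

int main(void)
{
    reset_audit();
    int before = app_open("/tmp/a.txt", 1);       /* unhooked: not audited */
    hook_api();
    int r1 = app_open("/tmp/a.txt", 0);           /* audited, forwarded */
    int r2 = app_open("/protected/x", 1);         /* audited, denied by policy */
    unhook_api();
    int after = app_open("/protected/x", 1);      /* real API again, no policy */
    printf("before=%d r1=%d r2=%d after=%d denied=%d\nlog=%s\n",
           before, r1, r2, after, denied_count(), audit_log());
    return 0;
}
```

The same shape is what an endpoint monitoring agent relies on when it hooks user-mode APIs: the wrapper sees the arguments before the real function does, and restoring the saved pointer is the whole uninstall step. It also shows the limit of the technique, since a caller that bypasses the table (calling the real function by address, or an unhooked copy of it) is never seen by the wrapper.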

HOOKs are divided into three types: LOCAL HOOK and REMOTE HOOK, plus the SYSTEM-WIDE LOCAL HOOK.

  • A LOCAL HOOK hooks a thread of the program itself.
  • A REMOTE HOOK has two forms: one targets a particular thread of another program, the other targets the entire system.
    A REMOTE HOOK must be packaged in a DLL. Because a REMOTE HOOK targets the entire system or the threads of other processes, the HOOK must be packaged into a DLL so that it can be loaded into the processes it monitors.
  • The SYSTEM-WIDE LOCAL HOOK is a special kind. It has the capability of a REMOTE HOOK but is written in the form of a LOCAL HOOK; in fact it consists of the two hooks WH_JOURNALRECORD and WH_JOURNALPLAYBACK.
    The architecture of the SYSTEM-WIDE LOCAL HOOK is this: when another thread requests or receives a hardware message, the system switches to the thread that installed the HOOK and runs its FILTER FUNCTION, then switches back to the thread that requested the hardware message. This architecture has a downside: if the HOOK's FILTER FUNCTION enters an infinite loop, the whole system stays stuck in that loop and cannot switch to another thread. To deal with this defect, Windows uses the CTRL+ESC key: if the user presses CTRL+ESC, the system sends a WM_CANCELJOURNAL message to the thread that installed the JOURNAL series of HOOKs.

About HOOK efficiency

Using a HOOK reduces system efficiency, because it increases the amount of work the system does for each message. It is recommended to use a HOOK only where necessary, and to remove the HOOK immediately after the message has been processed. Global HOOKs are recommended only when debugging: a global HOOK affects the efficiency of the whole system and can conflict with other applications that use the same kind of HOOK.

Source: www.cnblogs.com/volva/p/11815043.html