SetWindowsHookEx
in [Visual C]
|
From: ama on 29 Dec 2005 05:22 > You *must* place your gHhook handle inside a shared section. You haven't > made the mistake that most make by failing to initialize it to NULL though > (failure to do this means it won't get placed in your new section). > > #pragma data_seg(".shared") > #pragma comment(linker, "/section:.shared,rws") > HHOOK gHook = NULL; > HWND ghTarget = NULL; > #pragma data_seg() thanks. yes i tried all that to no avail. Even used static for those variables. Since im using 0 for the thread ID and use the dll HINSTANCE when i call SetWindowsHookEx, i am aiming at a system hook but if this is the case doesnt this mean that the API has to somehow inject my HOOKPROC into ALL running programs before SetWindowsHookEx returns ? But i still only get notified for my own thread. This means the code works but somehow the HOOKPROC was not injected everywhere ? . It would be more usefull if somehow i could obtain the number of programs into wich i was injected rather then just a HHOOK value :-} thanks again
From: James Brown on 29 Dec 2005 06:24 "ama" <a.m.a(a)videotron.ca> wrote in message news:nNOsf.3750$vT1.7954(a)wagner.videotron.net... >> You *must* place your gHhook handle inside a shared section. You haven't >> made the mistake that most make by failing to initialize it to NULL >> though >> (failure to do this means it won't get placed in your new section). >> >> #pragma data_seg(".shared") >> #pragma comment(linker, "/section:.shared,rws") >> HHOOK gHook = NULL; >> HWND ghTarget = NULL; >> #pragma data_seg() > > thanks. > > yes i tried all that to no avail. Even used static for > those variables. > "static" will make no difference. Assuming that you copied the above code *exactly* then there should be nothing wrong. Download "PEVIEW" from: http://www.magma.ca/~wjr/ and inspect your final exe to make sure you really do have a ".shared" section, and for the "IMAGE_SECTION_HEADER .shared" section, the Characteristics field includes "IMAGE_SCN_MEM_SHARED" Note that it doesn't matter what the section is called, it is only the section-attributes that are important, and the fact that you instructed the compiler to keep your global variables in it. > Since im using 0 for the thread ID and use the dll HINSTANCE > when i call SetWindowsHookEx, i am aiming at a system hook > but if this is the case doesnt this mean that the API has > to somehow inject my HOOKPROC into ALL running programs > before SetWindowsHookEx returns ? "0" for thread-ID means "all threads" i.e. a system-hook. The API does not automatically inject into all programs. It sets the global hook on the current desktop, and then leaves it up to the Windows kernel to do all the hook-dispatching and DLL injecting - in all likelyhook SetWindowsHook returns before the DLL has been injected anywhere. Whenever a "hook event" needs to be dispatched to a specific thread Windows makes sure that your DLL is loaded into the relevant process first - and then calls the hook procedure in the context the remote process. This results in your DLL being gradually mapped into processes "system wide" rather than suddenly injecting into all processes at one go. > > But i still only get notified for my own thread. This means > the code works but somehow the HOOKPROC was not > injected everywhere ? . The DLL probably was injected system-wide, but if there is a problem with your shared-section, then the gHook variable (which contains the HHOOK value needed for CallNextHook) will hold a value of zero in remote processes and the hooking mechanism will fail. You need the shared section because the HHOOK global variable must be valid across all processes that map your DLL. At present there is a problem with your DLL. You haven't satisfied all of the conditions Windows requires before your hook will work system-wide. > > It would be more usefull if somehow i could obtain > the number of programs into wich i was injected rather then > just a HHOOK value :-} This information is not available to a usermode program. You need a kernel-mode debugger (such as WinDbg) to view all of the hooks installed in a system and even then its a fairly tedious process of manually poking around in kernel memory inspecting data-structures etc. You should put a "reference count" inside your shared section which gets incremented by your DllMain: #pragma data_seg (".shared") LONG gRefCount = 0; // other variables stay here as before #pragma data_seg() BOOL CALLBACK DllMain(......) { char buf[200]; switch(dwReason) { case DLL_PROCESS_ATTACH: InterlockedIncrement(&gRefCount); wsprintf(buf, "Loading into process %d count = %d\n", GetCurrentProcessId(), gRefCount); OutputDebugString(buf); break; case DLL_PROCESS_ATTACH: InterlockedDecrement(&gRefCount); wsprintf(buf, "Un-Loading from process %d count = %d\n", GetCurrentProcessId(), , gRefCount); OutputDebugString(buf); break; } return TRUE; } Notice the debug-trace calls in DllMain. Use DebugView from SysInternals to watch the messages being printed: http://www.sysinternals.com/Utilities/DebugView.html Also make sure that you have a corresponding "StopHook" exported function otherwise your hook will remain loaded system-wide and you will be unable to unload it to recompile etc. Use OutputDebugString trace-statements in your StartHook/StopHook functions to display the success of the hooking. James -- www.catch22.net Free Win32 Source and Tutorials
From: ama on 29 Dec 2005 06:44
> > But i still only get notified for my own thread. This means > the code works but somehow the HOOKPROC was not > injected everywhere ? . > to self : yes. because the variable that held the user defined message value was not shared !! ;-} now it works. |