Hook api (1)-HOOK basics + one mouse HOOK instance, apihook

Source: Internet
Author: User

Hook api (1)-HOOK basics + one mouse HOOK instance, apihook

Hook api (1)-HOOK basics + one mouse HOOK instance

 

0x00 cause

Recently, I was working on a graduation project. One function is to monitor the clipboard and protect the process against termination. I originally wanted to implement it from the kernel layer, but I had no clue. Finally, we decided to start with the call layer, that is, to use the hook api technology to HOOK the corresponding API, so as to implement the expected functions. In this case, I began to learn about HOOK APIs.

 

0x01 what is HOOK API

HOOK (HOOK) is a mechanism similar to interrupt in Windows [24]. The HOOK mechanism allows applications to intercept and process Windows messages or specified events. When a specified message is sent, the HOOK program can capture the message before it reaches the target window, in this way, you can control the message, process or modify the message, and add the required functions. Hooks can be divided into thread hooks and system hooks according to the scope of use. Among them, system Hooks have considerable functions and can intercept, process, and monitor almost all Windows messages. This technology involves two important APIs: SetWindowsHookEx, installation hook, and UnHookWindowsHookEx.

The hook api technology used in this article is to intercept the call of a system or process to an API function, so that the API execution flow turns to the code segment we specify to implement the functions we need. Every process in Windows has its own address space, and the process can only call functions in its address space. Therefore, the key step to HOOK an API is, try to inject your code segment into the target process to further intercept the API called by the process. However, Microsoft does not provide hook api calling interfaces, which requires developers to program and implement by themselves. The well-known anti-virus software and firewall software all adopt hook api implementation.

Generally, the hook api consists of two parts: the DLL file for implementing the hook api and the main program for starting the injection. This article uses the hook api technology to intercept the API functions related to the clipboard, so as to monitor the clipboard content. It also uses this technology to implement the process anti-termination function. The DLL file supports the implementation of the hook api, and the main client program will inject the DLL with the hook api function into the target process during initialization with the loading of the mouse HOOK, the mouse hook here belongs to the system hook.

 

0x02 hook type 1. Category by event

There are several common types as follows:

(1) keyboard hooks and low-level keyboard hooks can monitor various keyboard messages.

(2) mouse hooks and low-level mouse hooks can monitor various mouse messages.

(3) Shell hooks can monitor various Shell event messages. For example, start and close an application.

(4) log hooks can record various event messages taken from the system message queue.

(5) The window hook monitors all messages sent from the system message queue to the target window.

In addition, there are some hooks for specific events for us to use, not to list them one by one.

 

The following describes common Hook types:

1. WH_CALLWNDPROC and WH_CALLWNDPROCRET Hooks

WH_CALLWNDPROC and WH_CALLWNDPROCRET Hooks allow you to monitor messages sent to the window process. The system calls the WH_CALLWNDPROC Hook sub-process before the message is sent to the receiving window, and calls the WH_CALLWNDPROCRET Hook sub-process after the message is processed in the window process. The WH_CALLWNDPROCRET Hook transmits the pointer to the CWPRETSTRUCT structure, and then passes the pointer to the Hook sub-program. The CWPRETSTRUCT structure contains the returned values from the window process for processing the message, and also contains the message parameters associated with the message.

 

2. WH_CBT Hook

Before the following events, the system calls the WH_CBT Hook sub-process. These events include:

1. Window events such as activation, creation, destruction, minimization, maximization, movement, and size change;

2. Complete system commands;

3. Move the mouse and keyboard events from the system message queue;

4. Set the input focus event;

5. Synchronize system message queue events.

The Return Value of the Hook sub-program determines whether the system allows or prevents one of these operations.

 

3. WH_DEBUG Hook

Before the system calls the Hook child program associated with other hooks, the system calls the WH_DEBUG Hook Child Program. You can use this Hook to determine whether to allow the system to call the Hook child program associated with other hooks.

 

4. WH_FOREGROUNDIDLE Hook

When the foreground thread of the application is idle, you can use the WH_FOREGROUNDIDLE Hook to execute low-priority tasks. When the foreground thread of an application changes to idle, the system calls the WH_FOREGROUNDIDLE Hook sub-thread.

 

5. WH_GETMESSAGE Hook

The application uses the WH_GETMESSAGE Hook to monitor messages returned from the GetMessage or PeekMessage function. You can use the WH_GETMESSAGE Hook to monitor mouse and keyboard input and other messages sent to the message queue.

 

6. WH_JOURNALPLAYBACK Hook

WH_JOURNALPLAYBACK Hook enables applications to insert messages to system message queues. You can use this Hook to play back consecutive mouse and keyboard events recorded by using the WH_JOURNALRECORD Hook. As long as the WH_JOURNALPLAYBACK Hook has been installed, normal mouse and keyboard events are invalid. The WH_JOURNALPLAYBACK Hook is a global Hook and cannot be used as a thread-specific Hook. WH_JOURNALPLAYBACK Hook returns a timeout value, which indicates how long (in milliseconds) the system will wait before processing the current message from the playback Hook ). This allows the Hook to control the playback of real-time events. WH_JOURNALPLAYBACK is system-wide local hooks, which will not be injected into any blank travel address. (It is estimated that the key-pushing wizard uses this hook)

 

7. WH_JOURNALRECORD Hook

The WH_JOURNALRECORD Hook is used to monitor and record input events. Typically, you can use this Hook to record consecutive mouse and keyboard events, and then play back the events by using the WH_JOURNALPLAYBACK Hook. The WH_JOURNALRECORD Hook is a global Hook and cannot be used as a thread-specific Hook. WH_JOURNALRECORD is system-wide local hooks, and it will not be injected into any blank travel address.

 

8. WH_KEYBOARD Hook

In the application, WH_KEYBOARD Hook is used to monitor WM_KEYDOWN and WM_KEYUP messages, which are returned through GetMessage or PeekMessage function. You can use this Hook to monitor keyboard messages that are input to the message queue.

 

9. WH_KEYBOARD_LL Hook

WH_KEYBOARD_LL Hook monitors keyboard messages that are input to the thread message queue.

 

10. WH_MOUSE Hook

WH_MOUSE Hook monitors the mouse messages returned from the GetMessage or PeekMessage function. Use this Hook to monitor the mouse messages that are input to the message queue.

 

11. WH_MOUSE_LL Hook

WH_MOUSE_LL Hook monitors the mouse messages that are input to the thread message queue.

 

12. WH_MSGFILTER and WH_SYSMSGFILTER Hooks

WH_MSGFILTER and WH_SYSMSGFILTER Hooks allow us to monitor menus, scroll bars, message boxes, and dialog box messages. We also find that users use ALT + TAB or ALT + ESC to switch the window. WH_MSGFILTER Hook can only monitor messages transmitted to menus, scroll bars, message boxes, and messages transmitted to the dialog box created by the application that has installed the Hook sub-program. WH_SYSMSGFILTER Hook monitors all application messages. WH_MSGFILTER and WH_SYSMSGFILTER Hooks allow us to filter messages during the pattern loop, which is equivalent to filtering messages in the primary message loop. Call the CallMsgFilter function to directly call the WH_MSGFILTER Hook. By using this function, the application can use the same code during the pattern loop to filter messages, as in the main message loop.

 

13. WH_SHELL Hook

Shell applications can use the WH_SHELL Hook to receive important notifications. When the shell application is activated and the top-level window is created or destroyed, the system calls the WH_SHELL Hook sub-program.

WH_SHELL has 5 favorites:

  • As long as a top-level, unowned window is generated, acted, or destroyed;
  • When Taskbar needs to re-draw a button;
  • When the system needs to display the minimal form of a program about Taskbar;
  • When the current keyboard layout status changes;
  • When you press Ctrl + Esc to execute Task Manager (or programs of the same level ).

By convention, shell applications do not receive WH_SHELL messages. Therefore, before the application can receive the WH_SHELL message, the application must call SystemParametersInfo function to register itself.

The above are 13 common hook types!

 

 

2. Classification by scope of use

There are mainly thread hooks and system hooks:

(1) The thread hook monitors the event messages of the specified thread.

(2) system hooks monitor the event messages of all threads in the system. Because system hooks affect all applications in the system, hook functions must be placed in an independent dynamic link library (DLL)

. This is a big difference between system hooks and thread hooks.

Notes:

(1) If a thread hook and a system hook are installed for the same event (such as a mouse message), the system automatically calls the thread hook and then calls the system hook.

(2) You can install multiple hooks for the same event message. These hooks form a hook chain. After processing the current Hook, you should pass the hook information to the next hook function. In addition, the recently installed hooks are placed at the beginning of the chain, and the earliest installed hooks are placed at the end, that is, the later hooks are added to obtain control.

(3) hooks, especially system hooks, consume message processing time and reduce system performance. Install the hook only when necessary. Uninstall the hook immediately after use.

 

Compile the hook program 0x03

You can write a hook program in three steps: Define the hook function, install the hook, and uninstall the hook.

 

1. Define Hook Functions

A hook function is a special callback function. After a specific event under hook monitoring occurs, the system calls the hook function for processing. Different events have different hook functions. The following uses the mouse hook function as an example to describe the prototype of the hook function:

Lresult callback HookProc (int nCode, WPARAM wParam, LPARAM lParam)

The wParam and lParam parameters contain the information of the hook message, such as the mouse position, status, and keyboard buttons. NCode contains information about the message itself, such as whether to remove the message from the message queue.

We first implement the custom function in the hook function, and then call the CallNextHookEx function to pass the hook information to the next hook function of the hook chain. The CallNextHookEx. prototype is as follows:

LRESULT CallNextHookEx (HHOOK hhk, int nCode, WPARAM wParam, LPARAM lParam)

The hhk parameter is the hook handle. NCode, wParam, and lParam are hook functions.

Of course, you can also discard the message by directly returning TRUE, thus blocking the transmission of the message.

 

2. Install hooks

When the program is initialized, call the SetWindowsHookEx function to install the hook. Its function prototype is:

HHOOK SetWindowsHookEx (int idHook, HOOKPROC lpfn, INSTANCE hMod, DWORD dwThreadId)

The idHook parameter indicates the hook type, which corresponds to the hook function type one by one. For example, WH_KEYBOARD indicates that the keyboard hook is installed, and WH_MOUSE indicates that the mouse hook is installed.

Lpfn is the address of the hook function.

HMod is the handle of the instance where the hook function is located. For a thread hook, this parameter is NULL. For a system hook, this parameter is the DLL handle of the hook function.

DwThreadId specifies the thread number monitored by the hook. For global hooks, this parameter is NULL.

SetWindowsHookEx returns the mounted hook handle.

 

3. Uninstall the hook

When you no longer use hooks, you must uninstall them in time. Simple function call:

BOOL UnhookWindowsHookEx (HHOOK hhk.

It is worth noting thatThe location of the hook function of the thread hook is very different from that of the system hook. Thread hooks are generally in the current thread or the thread derived from the current thread, and the system hooks must be placed in an independent dynamic link library, which is troublesome to implement.

0x04 an instance-low-level mouse hook Program

From Section 0x02, there are two types of mouse hooks: WH_MOUSE and WH_MOUSE_LL. WH_MOUSE_LL Hook and WH_MOUSE_LL Hook monitor the mouse messages that are input to the thread message queue. In this example, WH_MOUSE_LL is used.

 

As shown in the previous summary, the three steps for compiling the hook program are:

Lresult callback HookProc (int nCode, WPARAM wParam, LPARAM lParam)

HHOOK SetWindowsHookEx (int idHook, HOOKPROC lpfn, INSTANCE hMod, DWORD dwThreadId)

Note that the system hooks must be placed in an independent dynamic link library. Therefore, the program is divided into two parts: one is the dynamic link library of the hook program, which implements the mouse hook program; the other is the MFC operation form, which loads and uninstalls the DLL, that is, the DLL is tested.

 

Create a project --> Visual C ++ --> MFC DLL

Custom message

# Define WM_HOOKMSG WM_USER + 106 // custom message

 

Shared code segment, shared by all threads

# Pragma data_seg ("SHARED ")

Static HHOOK hhkMouse = NULL; // handle of the mouse hook

Static HINSTANCE g_hInstance = NULL; // instance handle of this DLL

Static HWND g_hWnd = NULL; // call the main window handle of the DLL.

# Pragma data_seg ()

# Pragma comment (linker, "/section: SHARED, rws ")

 

Define low-level mouse subfunctions

Lresult callback LowLevelMouseProc (int nCode, WPARAM wParam, LPARAM lParam)

{

// Send the mouse message to the main program

If (g_hWnd! = NULL & nCode = HC_ACTION)

{

: SendMessage (g_hWnd, WM_HOOKMSG, wParam, lParam );

}

 

Return CallNextHookEx (hhkMouse, nCode, wParam, lParam );

 

}

 

Install low-level mouse sub-functions to intercept all mouse messages of the system

Bool winapi StartHookMouse (HWND hwnd)

{

G_hWnd = hwnd;

HhkMouse = SetWindowsHookEx (WH_MOUSE_LL, LowLevelMouseProc, g_hInstance, 0 );

If (NULL = hhkMouse)

{

Return FALSE;

}

Else

{

Return TRUE;

}

 

}

 

Unmount a low-level mouse hook

Void winapi StopHookMouse ()

{

If (hhkMouse! = NULL)

{

: UnhookWindowsHookEx (hhkMouse );

}

}

 

Get your own DLL handle

// ChookDllApp Initialization

BOOL ChookDllApp: InitInstance ()

{

CWinApp: InitInstance ();

 

//

// Obtain its own dll handle

//

G_hInstance =: AfxGetInstanceHandle ();

 

Return TRUE;

}

 

HookDll. def file, hook loading and unmounting Functions

; HookDll. def: Declares the module parameters of the DLL.

 

LIBRARY "MouseHook"

 

EXPORTS

In this example, it can be explicitly exported.

StartHookMouse

StopHookMouse

 

Message Definition

# Define WM_MOUSEMSG wm_user+ 106

 

Add message ing

BEGIN_MESSAGE_MAP (ChookWindowDlg, CDialogEx)

//...... ......

 

ON_MESSAGE (WM_MOUSEMSG, & ChookWindowDlg: OnMouseMsg) // message ing

 

END_MESSAGE_MAP ()

 

Loading and uninstalling mouse hooks

HINSTANCE g_hInstanceDll = NULL;

//

// Start the mouse hook

//

Void ChookWindowDlg: OnBnClickedButtonStart ()

{

// TODO: add the control notification handler code here

G_hInstanceDll = LoadLibrary (_ T ("hookDll. dll "));

If (NULL = g_hInstanceDll)

{

AfxMessageBox (_ T ("failed to load hookDll. dll "));

Return;

}

Typedef BOOL (CALLBACK * StartHookMouse) (HWND hwnd );

StartHookMouse startHook;

StartHook = (StartHookMouse): GetProcAddress (g_hInstanceDll, "StartHookMouse ");

If (NULL = startHook)

{

AfxMessageBox (_ T ("failed to get StartHookMouse function "));

Return;

}

 

If (startHook (this-> m_hWnd ))

{

M_List.InsertItem (m_List.GetItemCount (), _ T ("0 "));

M_List.SetItemText (m_List.GetItemCount ()-1, 1, _ T ("0 "));

M_List.SetItemText (m_List.GetItemCount ()-1, 2, _ T ("the mouse hook is started successfully "));

}

Else

{

M_List.InsertItem (m_List.GetItemCount (), _ T ("0 "));

M_List.SetItemText (m_List.GetItemCount ()-1, 1, _ T ("0 "));

M_List.SetItemText (m_List.GetItemCount ()-1, 2, _ T ("failed to start the mouse hook "));

}

}

 

//

// Stop the mouse HOOK

//

Void ChookWindowDlg: OnBnClickedButtonHook ()

{

// TODO: add the control notification handler code here

Typedef VOID (CALLBACK * StopHookMouse )();

StopHookMouse stopHook;

G_hInstanceDll = LoadLibrary (_ T ("hookDll. dll "));

If (g_hInstanceDll = NULL)

{

AfxMessageBox (_ T ("DLL loading failed "));

Return;

}

 

StopHook = (StopHookMouse): GetProcAddress (g_hInstanceDll, "StopHookMouse ");

If (stopHook = NULL)

{

M_List.InsertItem (m_List.GetItemCount (), _ T ("0 "));

M_List.SetItemText (m_List.GetItemCount ()-1, 1, _ T ("0 "));

M_List.SetItemText (m_List.GetItemCount ()-, _ T ("failed to get the StopHookMouse function "));

Return;

}

Else

{

StopHook ();

M_List.InsertItem (m_List.GetItemCount (), _ T ("0 "));

M_List.SetItemText (m_List.GetItemCount ()-1, 1, _ T ("0 "));

M_List.SetItemText (m_List.GetItemCount ()-1, 2, _ T ("HOOKMOUSE stopped successfully "));

}

 

If (g_hInstanceDll! = NULL)

{

: FreeLibrary (g_hInstanceDll );

}

 

// Make sure that the last row of list control is visible

M_List.EnsureVisible (m_List.GetItemCount ()-1, FALSE );

 

}

 

 

Reference

Http://blog.csdn.net/arkblue/article/details/4307844

Http://blog.csdn.net/friendan/article/details/12168273

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.