Basic HOOK knowledge (Windows API, C++)

Source: Internet
Author: User

 

A hook is a message processing mechanism provided by WINDOWS. It allows programmers to use subroutines to monitor system messages and process them before they reach the target.
The following describes Windows hooks and how to use them in a WINDOWS program.

About HOOKS
Using HOOK will reduce the system efficiency because it increases the workload for the system to process messages. We recommend that you use the HOOK only when necessary and immediately remove the HOOK after message processing is complete.
HOOK chain
WINDOWS provides several different types of HOOKS. Different HOOKS can process different messages. For example, the WH_MOUSE HOOK is used to monitor mouse messages.
WINDOWS maintains a separate HOOK chain for each of these HOOK types. A hook chain is a queue of callback functions defined by applications. When a message of a given type occurs, WINDOWS sends the message to the first function in the HOOK chain. After the first function finishes processing the message, it passes the message to the next function in the linked list, and so on down the chain. If a function in the chain does not pass the message downward, the functions after it in the chain will not receive the message. (For some types of hooks, all HOOK functions associated with the type receive the messages sent by the system, whether or not the functions in the HOOK chain pass messages downward.)
HOOK procedure
To intercept specific messages, you can use the SetWindowsHookEx function to install your own HOOK function in the HOOK chain of that type. The HOOK function syntax is as follows:
Public Function MyHook(ByVal nCode As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
    ' Add code
End Function
MyHook can be named at will; the rest cannot be changed. This function must be placed in the module section. nCode specifies the HOOK type. The values of wParam and lParam vary with nCode; they represent a specific action of a certain type of HOOK.
SetWindowsHookEx always places your HOOK function at the top of the HOOK chain. You can use the CallNextHookEx function to pass system messages to the next function in the HOOK chain.
[Comment] For some types of hooks, the system sends messages to all HOOK functions of that type. In this case, the CallNextHookEx statement in the HOOK function is ignored.
A global HOOK function can intercept a specific message from all threads in the system (in this case, the HOOK function must be placed in a DLL). A local HOOK function can intercept a specific message of a specified thread (this HOOK function can be placed in a DLL or in the application's module segment).
[Note] We recommend that you use global HOOK functions only during debugging. A global HOOK function reduces system efficiency and conflicts with other applications that use the same type of HOOK.
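The chain behaviour described above (a new hook goes to the top of the chain, and a hook that does not pass the message on hides it from the hooks below) is modelled here in portable C as an added example; it is not code from the original article. install_hook, remove_hook, call_next_hook and dispatch are hypothetical stand-ins for SetWindowsHookEx, hook removal, CallNextHookEx and the system's message delivery, and nothing in the block calls the Win32 API.

```c
#include <stdio.h>
#include <string.h>

/* Portable model of ONE hook chain; hypothetical names, not the Win32 API. */
typedef struct Hook Hook;
typedef long (*HookProc)(Hook *self, int nCode, long wParam, long lParam);
struct Hook { HookProc proc; const char *name; Hook *next; };

static Hook *chain_head;   /* top of the chain: the most recently installed hook */
static char trace[64];     /* names of the hooks that saw the last message */

/* Models SetWindowsHookEx: the new hook always goes to the top of the chain. */
void install_hook(Hook *h) { h->next = chain_head; chain_head = h; }

/* Models hook removal: unlink h wherever it sits in the chain. */
void remove_hook(Hook *h) {
    Hook **p = &chain_head;
    while (*p && *p != h) p = &(*p)->next;
    if (*p) *p = h->next;
}

/* Models CallNextHookEx: hand the message to the next hook down, if any. */
long call_next_hook(Hook *self, int nCode, long wParam, long lParam) {
    return self->next ? self->next->proc(self->next, nCode, wParam, lParam) : 0;
}

/* Models the system delivering one message to the first hook in the chain. */
const char *dispatch(int nCode, long wParam, long lParam) {
    trace[0] = '\0';
    if (chain_head) chain_head->proc(chain_head, nCode, wParam, lParam);
    return trace;
}

/* Well-behaved hook: records the message, then passes it down the chain. */
long passing_proc(Hook *self, int nCode, long wParam, long lParam) {
    strncat(trace, self->name, sizeof trace - strlen(trace) - 1);
    return call_next_hook(self, nCode, wParam, lParam);
}

/* Hook that does not pass the message on: hooks below it never see it. */
long blocking_proc(Hook *self, int nCode, long wParam, long lParam) {
    (void)nCode; (void)wParam; (void)lParam;
    strncat(trace, self->name, sizeof trace - strlen(trace) - 1);
    return 1;
}

int main(void) {   /* constructed demo: B was installed after A, so B runs first */
    Hook a = { passing_proc, "A", NULL }, b = { passing_proc, "B", NULL };
    install_hook(&a); install_hook(&b);
    printf("%s\n", dispatch(0, 0, 0));
}
```

The trace returned by dispatch lists the hooks in the order they saw the message, so a hook installed later appears first, and everything after a blocking hook is missing from the trace.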

HOOK type
WH_CALLWNDPROC and WH_CALLWNDPROCRET HOOK
The WH_CALLWNDPROC and WH_CALLWNDPROCRET HOOKS can monitor the messages sent by SendMessage. The system calls WH_CALLWNDPROC before sending a message to the window procedure. After the window procedure has processed the message, the system calls WH_CALLWNDPROCRET.
The WH_CALLWNDPROCRET HOOK passes the address of a CWPRETSTRUCT structure to the HOOK procedure. This structure contains information about the message after the window procedure has processed it.
WH_CBT HOOK
The system calls the WH_CBT HOOK before activating, creating, destroying, minimizing, maximizing, moving, or resizing a window; before completing a system command; before removing a mouse or keyboard event from the system message queue; before setting the input focus; or before synchronizing with the system message queue. Your HOOK procedure can intercept these events and return a value that tells the system whether to continue the operation.
WH_DEBUG HOOK
The system calls WH_DEBUG before calling the HOOK procedure associated with any other HOOK type. The application can use this HOOK to determine whether to allow the system to execute a certain type of HOOK.
WH_FOREGROUNDIDLE HOOK
The system calls this HOOK when idle, so that the application can run lower-priority tasks in the background.
WH_GETMESSAGE HOOK
The WH_GETMESSAGE HOOK allows the application to intercept messages returned by GetMessage or PeekMessage. The application uses the WH_GETMESSAGE HOOK to monitor mouse input, keyboard input, and other messages sent to the queue.
WH_JOURNALRECORD HOOK
The WH_JOURNALRECORD HOOK enables applications to monitor input events. Typically, applications use this HOOK to record mouse and keyboard input events for future playback. The HOOK is a global HOOK and cannot be used in a specified thread.
WH_JOURNALPLAYBACK HOOK
The WH_JOURNALPLAYBACK HOOK enables applications to insert messages into the system message queue. This HOOK can play back mouse and keyboard input events previously recorded by the WH_JOURNALRECORD HOOK. While the WH_JOURNALPLAYBACK HOOK is installed on the system, normal mouse and keyboard input events are blocked. The HOOK is also a global HOOK and cannot be used in a specified thread.
The WH_JOURNALPLAYBACK HOOK returns a pause time value, which tells the system how long to wait before processing the message being played back. This allows the HOOK to control the timing of events during playback.
WH_KEYBOARD HOOK
The WH_KEYBOARD HOOK enables applications to monitor WM_KEYDOWN and WM_KEYUP messages returned by GetMessage and PeekMessage. The application uses this HOOK to monitor the keyboard input sent to the message queue.
WH_MOUSE HOOK
The WH_MOUSE HOOK allows the application to monitor mouse messages returned by GetMessage and PeekMessage. The application uses this HOOK to monitor mouse input sent to the message queue.
WH_MSGFILTER and WH_SYSMSGFILTER HOOKS
The WH_MSGFILTER and WH_SYSMSGFILTER HOOKS allow applications to monitor messages for menus, scroll bars, message boxes, and dialog boxes. These HOOKS can also intercept messages when you use ALT + TAB or ALT + ESC to switch windows. WH_MSGFILTER only monitors the menus, scroll bars, message boxes, and dialog boxes of the application itself, while WH_SYSMSGFILTER can monitor these events in all applications in the system.
WH_SHELL HOOK
A shell program can use the WH_SHELL HOOK to receive important information. When a shell program is activated or the current window is created or destroyed, the system calls the WH_SHELL HOOK procedure.
